
Re: 030 ignkeywords igetnet follow up

From: Ryan Yagatich <ryany(at)pantek.com>
Date: Thu Nov 14 2002 - 13:48:13 EST

It appears that the uninstaller does the following (at first glance)

Removes the following files:

	c:\Program Files\Internet Explorer\winstart.exe
	c:\program files\internet explorer\bho.dll
	c:\progra~1\intern~1\bho.dll
	c:\WinIE\winstart.exe
	c:\WinIE\bho.dll
	c:\WinIe\bho.dll

	%windir%\system\winstart.exe
	%windir%\system32\shell322.exe
	%windir%\system32\IGNinstaller.exe
	%windir%\system32\winstart.exe
	%windir%\winfile2.dat
	%windir%\system\rsp.dl
	%windir%\system\bho.dll
	%windir%\system32\bho.dll

Removes the following registry keys:

HKEY_(LOCAL_MACHINE|CURRENT_USER)\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{730F2451-A3FE-4A72-938C-FC8A74F15978}

HKEY_(LOCAL_MACHINE|CURRENT_USER)\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA76C2D7-15A9-4E80-A942-191F02BDCA91}

HKEY_(LOCAL_MACHINE|CURRENT_USER)\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0740576F-730B-11D6-8A8B-0050BA8452C0}

HKEY_(LOCAL_MACHINE|CURRENT_USER)\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E6B67CDC-81F8-11D6-8A8C-0050BA8452C0}


It then appears to modify:

	%windir%\hosts or %windir%\system32\drivers\etc\hosts
	to remove the lines:
		ieautosearch
		search.netscape.com
		auto.search.msn.com

and finally, creates an uninstall log in %systemdrive%

Like I mentioned, this is only a first glance at it, and more is possible.

<OPINION>
In my experience, people that have these things installed on their systems are always 'I never installed it...'. That's how some of these companies get their stuff on the target systems. Now, my theory is that everyone is so used to windows popping up on their screen that say 'are you sure you would like to save this' or 'are you really certain you would like to delete this file' or 'I know I've already popped up to ask you this question, but are you REALLY sure?', and while browsing figure 'Hey, it's just one of those' and subconsciously click the yes button, or sometimes the OK button. This in turn allows certain vendors to use the MS ActiveX questions to their advantage because there are many people who "just click yes, even though they don't know what they are clicking". And by God, I'd even bet that they know that most of the people using their software don't really know about it, just for that same purpose. This clicking yes thing, the only real way to avoid it is to not have it pop up to begin with, which in that case can take away the functionality of legit traffic. In the meantime, I usually tell my clients to install Zone Alarm (or another personal firewall) to aid in protecting them. I also inform them about the whole clicking yes thing too. Zone Alarm kind of does the same thing: 'internet access requested by "foo".., Yes/No'. What happens? People just click yes and say 'Yeah, I didn't know what it was talking about, so I just clicked on yes and hoped for the best. It then kept coming up with the same message, so I clicked on the 'don't ask me anymore' thingie...' This just defeats the purpose of installing the personal firewall to begin with, which makes it almost a waste of my time to recommend it.
So, we're back at square one again with 'how can I keep these people from clicking buttons'. You could take away all input devices and leave them with a monitor that is blinking 'don't touch that' in the corner, or you can take the approach of getting rid of the material so you don't have to trust them any further. Things like Zone Alarm just do the same thing, which can render them useless, which in turn puts you back to performing the suggestions previously mentioned in earlier posts.

</OPINION>

Thanks,
Ryan Yagatich <support@pantek.com>

        Pantek, Incorporated
 (877) LINUX-FIX - (440) 519-1802



9C 80 D8 81 D4 D3 79 05 85 37 BE 21
F5 2F 14 FA 63 54 C1 1A C5 77 34 FB

 If builders built buildings the
way programmers wrote programs, the
 first woodpecker that comes along
   would destroy civilization

On 11 Nov 2002, Waitman C. Gobble wrote:


>
>Hello all,



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Sat Nov 16 00:18:59 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:51 EDT
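
The hosts-file step described in the message above can be checked independently of the vendor's uninstaller. The following is an added example, not part of the original post and not the uninstaller's own code: it reports hosts-file mappings for the three names listed in the message and produces a cleaned copy. The function names and the sample hosts content are constructed for illustration, and unlike the uninstaller as described (which removes whole lines) it keeps any unrelated names that share a line.

```python
# Names the post says the uninstaller strips from the hosts file.
HIJACK_HOSTS = {"ieautosearch", "search.netscape.com", "auto.search.msn.com"}

def _norm(name):
    # Hostnames are case-insensitive; a trailing dot is the same name.
    return name.lower().rstrip(".")

def find_hijacks(text, watched=HIJACK_HOSTS):
    """Return (line_number, address, name) for every watched name mapped."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) < 2:                     # blank or comment-only line
            continue
        hits += [(lineno, fields[0], _norm(n))
                 for n in fields[1:] if _norm(n) in watched]
    return hits

def clean_hosts(text, watched=HIJACK_HOSTS):
    """Return hosts text with watched names removed, other content kept."""
    out = []
    for raw in text.splitlines():
        body, sep, comment = raw.partition("#")
        fields = body.split()
        if len(fields) < 2:
            out.append(raw)                     # comments and blanks untouched
            continue
        keep = [n for n in fields[1:] if _norm(n) not in watched]
        if len(keep) == len(fields) - 1:
            out.append(raw)                     # nothing to remove
        elif keep:                              # shared line: keep other names
            out.append(fields[0] + "\t" + " ".join(keep)
                       + (" #" + comment if sep else ""))
        # a line left with no names is dropped entirely
    return "\n".join(out) + "\n"

# Constructed sample; addresses are from the 192.0.2.0/24 documentation range.
SAMPLE = "\n".join([
    "# constructed sample hosts file",
    "127.0.0.1 localhost",
    "192.0.2.10 ieautosearch",
    "192.0.2.10 Auto.Search.MSN.com search.netscape.com  # constructed",
    "192.0.2.20 intranet.example auto.search.msn.com",
    "# 192.0.2.10 search.netscape.com",
]) + "\n"

if __name__ == "__main__":
    for lineno, addr, name in find_hijacks(SAMPLE):
        print(f"line {lineno}: {name} -> {addr}")
    print(clean_hosts(SAMPLE), end="")
```

To check a real machine, pass in the contents of whichever hosts location from the message applies to that Windows version.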

