 antdudeA Ninja AntPremium,VIP join:2001-03-25 kudos:2 Reviews:
·RoadRunner Cable
| IGETNET (Ad-aware v6.0 false alarm?) I got the latest reference update for Ad-Aware v6 Personal b162 and ran a scan. It found something and I quarantined it (just in case). This is news to me:
IGETNET
obj[0]=RegValue : Software\Microsoft\Internet Explorer\URLSearchHooks
Where does this spyware come from? I don't recall installing anything lately, and I rarely use IE6.0 SP1 (all updates) on my Windows 2000 SP3 (all updates) workstation. Maybe this is a false alarm?
Thank you in advance. [text was edited by author 2003-06-11 14:18:33]
[text was edited by author 2003-06-11 14:59:00] |
|
 Lucky5Premium join:2002-07-24 Desert Floor | Re: IGETNET? More info on your Hijacker:
Spyware-Guide.com (includes manual removal instructions): »www.spywareguide.com/product_show.php?id=422
Spybot S&D: »spybot.safer-networking.de/index···-igetnet
Doxdesk: »www.doxdesk.com/parasite/IGetNet.html -- Devils 2003 Champs! (permission to get drunk and celebrate this awesome Championship provided by Garbs) |
|
 Lucky5Premium join:2002-07-24 Desert Floor | reply to antdude
After you've gotten rid of this nasty, install Spywareblaster from Javacool: »www.wilderssecurity.net/spywareblaster..[?] -- Devils 2003 Champs! (permission to get drunk and celebrate this awesome Championship provided by Garbs) |
|
 dpPremium,MVM join:2000-12-08 Greensburg, PA kudos:7 | reply to antdude I got the same thing on my WinME box. I don't have any of the files on my machine that are talked about at »www.doxdesk.com/parasite/IGetNet.html and Spybot scans clean so I don't know what to make of this yet. -- Write your questions down on the back of a $20 dollar bill and send them to me |
|
 Lucky5Premium join:2002-07-24 Desert Floor | said by dp: I got the same thing on my WinME box. I don't have any of the files on my machine that are talked about at »www.doxdesk.com/parasite/IGetNet.html and Spybot scans clean so I don't know what to make of this yet.
Did you check out the BHOs in Spybot tools section? Also did you check the spywareguide info? -- Devils 2003 Champs! (permission to get drunk and celebrate this awesome Championship provided by Garbs) |
|
|
|
 antdudeA Ninja AntPremium,VIP join:2001-03-25 kudos:2 Reviews:
·RoadRunner Cable
| reply to dp
SpyBot found nada! said by dp: I got the same thing on my WinME box. I don't have any of the files on my machine that are talked about at »www.doxdesk.com/parasite/IGetNet.html and Spybot scans clean so I don't know what to make of this yet.
Oooh! Good idea (SpyBot v1.2). I ran it with the latest update and it didn't find it (I restored the supposed IGetNet).
Here's my exported BHO report (nothing unusual):
Spybot-S&D Browser helper object report, 6/11/2003 11:41:29 AM

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} Class file: AcroIEHelper.dll
Attributes: archive
Date: 5/15/2003 12:47:54 AM
MD5: 0C0E1B2BCAED8DF401BE94D538BCB412
Path: C:\winstuff\AcrobatReader\Reader\ActiveX\
Short name: ACROIE~1.DLL
Size: 50376 bytes
Version: 0.6.0.0
Class name: AcroIEHlprObj Class
CLSID database: legitimate software
Description: Adobe Acrobat reader
Filename: ACROIEHELPER.OCX

{BDF3E430-B101-42AD-A544-FADC6B084872} Class file: NavShExt.dll
Attributes: archive
Date: 11/15/2002 12:09:06 AM
MD5: 988409CE6ED638AAFDBECFB6EC863F4F
Path: C:\winstuff\NAV2003 - 68b\
Short name:
Size: 112248 bytes
Version: 0.9.0.5
Class name: CNavExtBho Class
CLSID database: legitimate software
Description: Norton Antivirus
Filename: NavShExt.dll
Name: NAV Helper

I think I found a bug! Something is fishy. I am pretty strict on what gets installed on my computers.
Please confirm whether this is a false alarm or not. [text was edited by author 2003-06-11 14:42:14] |
|
 | reply to antdude
Re: IGETNET? antdude:
If SpyBot S&D didn't find anything, then I'd suggest posting a question about that specific Reg key that AdAware identified over in the Lavasoft forums:
»www.lavasoftsupport.com/
Perhaps someone there could explain why that key is being flagged.
Best,
Eric L. Howes |
|
 Lucky5Premium join:2002-07-24 Desert Floor | reply to antdude Willing to try the manufacturer's uninstall: »www.igetnet.com/downloads/uninst···tnet.asp |
|
 antdudeA Ninja AntPremium,VIP join:2001-03-25 kudos:2 Reviews:
·RoadRunner Cable
| reply to eburger68 said by eburger68: antdude:
If SpyBot S&D didn't find anything, then I'd suggest posting a question about that specific Reg key that AdAware identified over in the Lavasoft forums:
»www.lavasoftsupport.com/
Perhaps someone there could explain why that key is being flagged.
Eric, I will do that. I will also refer to this thread as well. I am waiting for my new forum account to be approved... Thanks. -- -- Ant @ The Ant Farm: »antfarm.ma.cx |
|
 | reply to antdude
I scanned clean yesterday, so this is obviously something added in the latest update. |
|
 dpPremium,MVM join:2000-12-08 Greensburg, PA kudos:7 | reply to Lucky5
said by Lucky5: said by dp: I got the same thing on my WinME box. I don't have any of the files on my machine that are talked about at »www.doxdesk.com/parasite/IGetNet.html and Spybot scans clean so I don't know what to make of this yet.
Did you check out the BHOs in Spybot tools section? Also did you check the spywareguide info?
Not in Spybot's BHO section and the guide at spywareguide pretty much states the same thing as the doxdesk site and I don't have any of the files that either site is talking about. I have not used Spybot to remove it in the past and I have Spywareblaster installed and up to date. I have a message in with Lavasoft. -- Write your questions down on the back of a $20 dollar bill and send them to me |
|
 Lucky5Premium join:2002-07-24 Desert Floor | reply to antdude Guessing DP might have beat you to it: »www.lavasoftsupport.com/index.ph···61a0eb43 (not sure if it's him )
(looped threads ) -- Devils 2003 Champs! (permission to get drunk and celebrate this awesome Championship provided by Garbs) |
|
 antdudeA Ninja AntPremium,VIP join:2001-03-25 kudos:2 Reviews:
·RoadRunner Cable
| reply to antdude
My LavaSoft thread URL I just finished posting about this problem:
»www.lavasoftsupport.com/index.ph···3d223997 -- -- Ant @ The Ant Farm: »antfarm.ma.cx |
|
 dpPremium,MVM join:2000-12-08 Greensburg, PA kudos:7 | reply to Lucky5
Re: IGETNET? said by Lucky5: Guessing DP might have beat you to it: »www.lavasoftsupport.com/index.ph···61a0eb43 (not sure if it's him )
(looped threads )
I confess, tis me  -- Write your questions down on the back of a $20 dollar bill and send them to me |
|
 antdudeA Ninja AntPremium,VIP join:2001-03-25 kudos:2 Reviews:
·RoadRunner Cable
| reply to Lucky5 said by Lucky5: Guessing DP might have beat you to it: »www.lavasoftsupport.com/index.ph···61a0eb43 (not sure if it's him )
(looped threads )
DOH!! I already posted a thread. Oh well. Thanks all. I will leave the find intact (not removed) for now. :> -- -- Ant @ The Ant Farm: »antfarm.ma.cx |
|

| reply to antdude If the Data for that registry Value is ""
... then isn't this registry item an anti-Lop entry that would have been added by a security program or by a purposeful user registry change?
I may be jumping to conclusions, but I think Ad-aware is identifying it in error.
(Edit) In this message, it is part of a registry tweak designed to thwart Lop.com:
»boards.cexx.org/spyware/messages/3654.html
(Edit) Note: My registry shows the data for that registry value as ""
... although my Ad-aware log shows the data for that registry value as (blank), if that makes any difference ...
[text was edited by author 2003-06-11 15:17:29] |
|
 dpPremium,MVM join:2000-12-08 Greensburg, PA kudos:7 | said by Reverend Ike: Note: My registry shows the data for that registry value as ""
... although my Ad-aware log shows the data for that registry value as (blank), if that makes any difference ...
I have the same entry:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""
I'm sure the LS people will be on it ASAP. -- Write your questions down on the back of a $20 dollar bill and send them to me |
|
 John2gQui Tacet ConsentitPremium join:2001-08-10 England | reply to antdude
Re: IGETNET (Ad-aware v6.0 false alarm?) I am glad this thread was started. I have this registry key detected in today's updated AdAware Ref files and didn't have it detected yesterday. There is nothing else on my system. It must be a false positive.
I have re-installed this key. -- Never argue with an idiot, he'll drag you down to his level and beat you on experience! |
|
 | reply to antdude
After re-reading some other stuff that makes reference to
Value: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} Data: ""
... that registry entry may simply be the default for URLSearchHooks, and what I thought was an anti-Lop tweak was actually just a registry reset.
In which case, this still looks like a false positive ... |
|
 | reply to antdude This does indeed look like a false-positive.
The registry value named "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" with blank "" data is the default URLSearchHook value. I would highly recommend against removing it.
Best regards,
-Javacool |
|
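The distinction the last replies arrive at, as an added example that is not part of any poster's message: a small Python check over a regedit text export that treats the default value named in the thread as expected and lists any other URLSearchHooks value name for review. The sample export and its second CLSID are constructed placeholders, and the function name is hypothetical.

```python
import re

# Default URLSearchHooks value name, as quoted in the thread above.
DEFAULT_HOOK = "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"
HOOKS_KEY = r"software\microsoft\internet explorer\urlsearchhooks"

# Constructed sample export (REGEDIT4 text format).
# The second CLSID is a made-up placeholder, not a real product.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""
"{00000000-1111-2222-3333-444444444444}"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
'''

def audit_search_hooks(reg_text):
    """Return (expected, unexpected) value names found under URLSearchHooks."""
    expected, unexpected = [], []
    in_hooks = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Key header: match on the path tail so any hive prefix is accepted.
            in_hooks = line[1:-1].lower().endswith(HOOKS_KEY)
            continue
        m = re.match(r'^"([^"]+)"=', line)
        if in_hooks and m:
            name = m.group(1).upper()
            # Only the value name is compared; the default carries empty data.
            (expected if name == DEFAULT_HOOK else unexpected).append(name)
    return expected, unexpected

if __name__ == "__main__":
    ok, review = audit_search_hooks(SAMPLE_REG)
    print("default hook present:", bool(ok))
    print("values to review:", review)
```

A scanner rule keyed only on the URLSearchHooks path, without excluding the default value name, would flag every machine in the thread, which matches what the posters observed.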