Name: IGetNet Category: Browser Hijacker Alias: INetSpeak Advice: Remove Risk: Elevated Risk Elevated threats are usually threats that fall into the range of adware in which data about a user's habits are tracked and sent back to a server for analysis without your consent or knowledge. Description: IGetNet is a browser hijacker that is implemented as an Internet Explorer BHO. When you enter something into the address bar, IGetNet checks to see whether it includes keyword they have sold to one of their advertisers. If so, it redirects you to that site; if not it forwards you to a search engine using an IGetNet affiliate code. searchresult.net, qcksearch.com (which is apps.webservicehost.com) and overture.com have been seen to be used. The IGetNet process runs at Windows start-up (WinStart.exe or WinStart001.exe) which writes to the Hosts file. Once this modification has occurred, every time you try to contact MSN or Netscape's search sites you are re-routed though IGetNet's servers. The IGetNet server checks to see whether your search includes a keyword they have sold to one of their advertisers, and if so, redirects you to that site. If not they forward you to the real MSN or Netscape Search so you shouldn't notice the difference. In addition, if IGetNet is running, and you enter auto.search.msn.com, search.netscape.com, or ieautosearch in the Address field, you will find yourself at http://www.igetnet.com IGetNet version 4, which is the original variant, installs files 'BHO.DLL', 'rsp.dll' and 'Winstart.exe' into the 'System' folder in the Windows folder. 'Winstart.exe', run at start-up, writes entries to the Hosts file to redirect all access to MSN or Netscape search sites through to IGetNet's servers instead. (ignkeywords.com, rspsearch.com.) IgetNet version 5 works the same as version 4, but the files are now called 'BHO001.DLL', 'rsp001.dll' and 'Winstart001.exe' and they use new class IDs internally. You can tell if you have v5 as new IE windows will show the text 'Enter Keyword or Web Address here' in the address bar. IGetNet is bundled with P2P applications and software downloaded from 'Blue Haven Media'. Installed by vCatch KazBlock and FavoriteMan. May also be installed by ActiveX drive-by-download. IGetNet reportedly runs an affiliate program at plugusin4cash.com to get third parties to install the software. Its browser hijacking violates the IGetNet privacy Plolicy (see http://www.igetnet.com/IGNPrivacyPolicy.asp for IGetNet's policy statement). Modifies the "Hosts" file. Windows uses the Hosts file for domain name lookups. When a domain name is entered in the address field of a Web browser, by default, Windows first attempts to resolve the domain name by looking in this file. IGetNet inserts the following lines in the Hosts file: 216.177.73.139 auto.search.msn.com 216.177.73.139 search.netscape.com 216.177.73.139 Ieautosearch This action causes the browser to go to the IP address, 216.177.73.139, when any of the following domain names are entered: auto.search.msn.com search.netscape.com Ieautosearch The IP address, 216.177.73.139, belongs to the server for www.igetnet.com. When a search is entered here, IGetNet.com checks whether the keyword has been paid for. If so, the browser will be redirected to the advertiser that paid for the keyword. If such a keyword was not entered, the browser will be redirected to the search page to which it initially tried to go. Signatures: process: nlnp13.exe: MD5 Hash: 5ea7432d0670f7e3ca9... process: nlnupgradev4_6p28.exe: MD5 Hash: 910682e8f18775e9567... process: winstart.exe: MD5 Hash: bed3bb6820db6ca111e... process: winstart001.exe: MD5 Hash: e12960e1ab263bbe1d3... process: nlnp41.exe: MD5 Hash: ... process: nlnp38.exe: MD5 Hash: ... process: nlnp29.exe: MD5 Hash: ... process: winstart001.exe: MD5 Hash: ... process: Winstart.exe: MD5 Hash: ... process: winstart001.exe: MD5 Hash: ... process: nlnp29.exe: MD5 Hash: ... process: nlnp0w.exe: MD5 Hash: 9a90bd9956f3cd09fb1... process: winstart.exe: MD5 Hash: ec1dc41329c12c45459.. Type: Browser Hijacker - Spyware's primary purpose is to collect demographic and usage information from your computer, usually for advertising purposes. Spyware usually that 'sneaks' onto a system or performs other activities hidden to the user. Spyware programs are usually bundled as a hidden component and downloaded from the Internet. These modules are almost always installed on the system secretively and try to run secretively as well.