How to Safely Install iMesh Without Spyware, etc.
by Xtreme
Complete the following steps to install iMesh safely. Complete these steps IMMEDIATELY after installing iMesh. Do NOT run iMesh before completing these 19 steps. THIS INFORMATION IS BASED ONLY ON MY OWN HACKING; ADDITIONAL STEPS MAY BE NEEDED TO CONTROL FUTURE RELEASES OF IMESH.
IMESH ITSELF
-------------
1. When the iMesh installer finishes, go to Windows Task Manager, highlight "topsys.exe" and click "End Process". This applet is used to download parasites like MY SEARCH and GATOR.
2. Search For And Delete File: topsys.exe
3. In REGEDIT, Delete Registry Setting:
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\...topsys.exe"
4. DO NOTHING - JUST KNOW IT'S THERE: "C:\WINDOWS\System32\Roodyc\"
(Ad Cache Folder. If you delete it, iMesh will recreate it. Path is different on 9x)
5. DO NOTHING - JUST KNOW IT'S THERE: "C:\WINDOWS\System32\AdCache\"
(Ad Cache Folder. If you delete it, iMesh will recreate it. Path is different on 9x)
MY SEARCH
6. This parasite is installed after reboot:
See HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
Look for a file named "mysearch.exe" or something very similar
(Sorry, I deleted my entry before writing it down :( )
NEW.NET
7. Delete this app using "Add/Remove Programs" then delete "C:\Program Files\NewDotNet"
GAIN/GMT/GATOR
8. Not installed if you get rid of topsys.exe as described in the "IMESH ITSELF" section.
SAHAGENT / GOLDEN RETRIEVER
9. IP found in SETUP.INF - http://199.221.131.134/agent/mfc42.cab
C:\...\...>tracert 199.221.131.134
Tracing route to winston.shopathome.com [199.221.131.134]
over a maximum of 30 hops:
1 6 ms 5 ms 5 ms .........................
2 7 ms 7 ms 8 ms .........................
3 16 ms 15 ms 16 ms .........................
4 15 ms 16 ms 15 ms .........................
5 19 ms 23 ms 20 ms .........................
6 19 ms 20 ms 20 ms .........................
7 20 ms 19 ms 20 ms sl-bb23-atl-10-2.sprintlink.net [144.232.8.209]
8 21 ms 19 ms 19 ms sl-bb20-atl-9-0.sprintlink.net [144.232.12.13]
9 40 ms 39 ms 38 ms sl-bb23-chi-11-1.sprintlink.net [144.232.8.134]
10 56 ms 56 ms 56 ms sl-bb20-che-4-2.sprintlink.net [144.232.19.193]
11 59 ms 59 ms 59 ms sl-gw11-che-9-0.sprintlink.net [144.232.15.150]
12 97 ms 96 ms 98 ms sl-csd-9-0-0.sprintlink.net [160.81.226.14]
13 98 ms 100 ms 103 ms winston.shopathome.com [199.221.131.134]
We'll ban this domain name in step 20.
10. Search For And Delete File: C:\WINDOWS\Downloaded Program Files\WEBInstaller.dll
11. Search For And Delete File: lsp.dll
12. Search For And Delete File: SahAgent.exe
13. Search For And Delete File: xmlparse.dll
14. Search For And Delete File: xmltok.dll
15. Search For And Delete File: sporder.dll
16. Search For And Delete File: SAHUninstall.exe
17. Search For And Delete File: SahHtml.exe
18. Search For And Delete File: v.dat
19. Search For And Delete File: vg.dat
MODIFY HOSTS FILE TO CONTROL BANNERS (DOESN'T WORK 100%) AND PARASITE DOWNLOADS
20. Add the following entries to your Hosts file (Search for "Hosts.sam" and rename it to "Hosts")
This list isn't complete; some banners still get through.
0.0.0.0 shopathome.com
0.0.0.0 tribalfusion.com
0.0.0.0 fastclick.net
0.0.0.0 addynamix.com
0.0.0.0 media.fastclick.net
0.0.0.0 a.tribalfusion.com
0.0.0.0 ad.doubleclick.net
0.0.0.0 doubleclick.net
0.0.0.0 gozing.com
0.0.0.0 gozingcellular.com
0.0.0.0 cydoor.com
0.0.0.0 bezeqint.net
0.0.0.0 cust.bezeqint.net
0.0.0.0 bzq-179-66-17.cust.bezeqint.net
0.0.0.0 oberon-media.com
0.0.0.0 akamaitechnologies.net
0.0.0.0 deploy.akamaitechnologies.net
0.0.0.0 a205-188-221-78.deploy.akamaitechnologies.net
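
Added example (not part of the original guide): a Python check of which hosts the step 20 entries actually cover. It relies on standard hosts-file behaviour: names match exactly, so a listed parent domain does not cover its subdomains, and a URL that uses an IP address, like the SETUP.INF URL in step 9, never consults the hosts file. The function names and the sample hosts text are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

SINK = {"0.0.0.0", "127.0.0.1"}  # addresses treated as "blocked"

# Constructed sample: a few of the entries from step 20.
SAMPLE_HOSTS = """\
# sample hosts file
0.0.0.0 shopathome.com
0.0.0.0 doubleclick.net
0.0.0.0 ad.doubleclick.net   # subdomain listed explicitly
0.0.0.0 media.fastclick.net
"""

def parse_hosts(text):
    """Return {hostname: address}; the first entry for a name wins."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments
        for name in fields[1:]:                 # a line may carry several names
            table.setdefault(name.lower().rstrip("."), fields[0])
    return table

def coverage(target, table):
    """Classify one URL or hostname against the hosts table."""
    host = (urlsplit(target).hostname or "") if "://" in target else target
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return "ip-literal"   # no name lookup, so the hosts file is never read
    except ValueError:
        pass
    if table.get(host) in SINK:
        return "sinkholed"
    parts = host.split(".")
    for i in range(1, len(parts) - 1):
        if table.get(".".join(parts[i:])) in SINK:
            return "parent-only"  # parent is listed, this exact name is not
    return "unlisted"

def audit(targets, hosts_text=SAMPLE_HOSTS):
    table = parse_hosts(hosts_text)
    return {t: coverage(t, table) for t in targets}

if __name__ == "__main__":
    seen = ["http://199.221.131.134/agent/mfc42.cab",  # URL from step 9
            "winston.shopathome.com",                  # name from the tracert
            "ad.doubleclick.net", "fastclick.net"]
    for target, status in audit(seen).items():
        print(f"{status:12} {target}")
```

Anything reported as "ip-literal", "parent-only" or "unlisted" still reaches the network, so each subdomain needs its own hosts line and IP-based downloads need a firewall rule instead.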