Sandi's Site
Intelligent Explorer aka IEPLUGIN aka IEPL
WARNING!! One of the pop-up advertisements generated
by the software bundled with Intelligent Explorer was extreme, high-end
pornography. Do NOT install this software, even for testing purposes, if your
computer can be accessed by anyone under 21, or anybody (including yourself)
that may be offended by the type of pictures that are generally only legally
viewable by adults.
REMOVAL:
Follow the troubleshooting steps I have outlined
here
9 January 2005... a long time has passed since I last tested Intelligent
Explorer. It is time to give it another go. I didn't think things
could get more complicated than my initial experience,
but they did. A year ago, Intelligent Explorer included a lot of spyware, BUT
the spyware was removable and did not automatically reinstall, like it does now
(see below).
I note that the email address privacy@ieplugin.com is no longer mentioned
in the "IE Plugin Limited License and Privacy Agreement" at
http://www.ieplugin.com/terms.html. Instead, we are told to use an online
form at
http://www.ieplugin.com/contact2.shtml?privacy. I also note that that the
contact pages capture "REMOTE_HOST,REMOTE_ADDR,HTTP_USER_AGENT".
Just like last time, I downloaded Intelligent Explorer from
www.ieplugin.com. My notes follow.
Spyware, crapware, malware detected by Adaware (over 11 megabytes):
180Solutions(TAC index:8):49 references
BargainBuddy(TAC index:8):252 references
ClipGenie(TAC index:4):1 reference
DownloadWare(TAC index:8):7 references
ImIServer IEPlugin(TAC index:5):73 references
MRU List(TAC index:0):60 references
NetworkEssentials(TAC index:7):58 references
Other(TAC index:5):35 references
Possible Browser Hijack attempt(TAC index:3):103 references
Rads01.Quadrogram(TAC index:6):1 reference
Roings(TAC index:5):1 reference
SahAgent(TAC index:9):20 references
SCBAR(TAC index:3):55 references
Search Relevancy(TAC index:5):14 references
SurfSideKickBHO(TAC index:7):1 reference
WindUpdates(TAC index:8):2 references
Winpup32(TAC index:6):1 reference
Control Panel (add/remove programs) listings and uninstallation behaviour:
IEPLUGIN - no add/remove program listing - used automatic uninstallation at
www.ieplugin.com
BMSE dbl (0.82 MB) (are you sure window) reappeared on reboot
IEC System (0.82 MB) (are you sure window) reappeared on reboot
SE Assistant (0.82 MB) (are you sure window) reappeared on reboot
SE Help (0.82 MB) (are you sure window) reappeared on reboot
Search Assistant (0.82 MB) (are you sure window)
Search Function (0.82 MB) (are you sure window) reappeared on reboot
IE Help (are you sure window) reappeared on reboot
Sidebar Search (0.82 MB) (are you sure window)
DeskAd Service (0.11 MB) Multiple prompt windows; opened window to
www.winupdates.com page advertising 'Adware Remover
Gold', 'Email Spam Block' and 'Data Shredder Gold' (note that Addware Remover
Gold, of www.adwareremovergold.com and
www.adremovergold.com is mentioned at
Spywarewarrior as a rogue antispyware application - you can find more
information here -
http://www.spywarewarrior.com/rogue_anti-spyware.htm.
Search Relevancy (0.25 MB). Uninstall wizard, 3 prompt windows, confusing text,
same advertising window as DeskAd Service, uninstall froze add/remove programs
and control panel.
CashBack by BargainBuddy [eXact Advertising) (0.33 MB) (uninstall wizard, 3
prompt windows, confusing text) Accessed internet during uninstall.
NaviSearch [eXact Advertising) (0.16 MB) Same uninstall wizard to Cashback by
BargainBuddy. Accessed internet during uninstall.
The BullsEye Network [eXact Advertising] (2.01 MB) same uninstall wizard,
confusing text, survey window, accessed internet.
DownloadWare (1.58 MB) (prompt window), Clipgenie survey window opened, new
window diverted to www.vegasfrontier.com, prompt
'download our FREE SOFTWARE while surfing our site'. Prompt 'Click ok to
download our free software while browsing the site and take advantage of our
Spectacular $225 bonus (Dragon Rouge Casino pop up window), uninstall froze.
Froze entire add/remove control panel.
Recommended Hotfix - 421701D (1.05 MB) prompt window 'This will change your
current browsing functions. Are you sure you wish to continue?' Accessed
internet during removal.
Uninstall 180searchAssistant (connected to internet during uninstall), popup
uninstall window.
Additional cleanup steps
I used the Microsoft Antispyware Beta to restore all IE default page
settings. Nothing left in control panel. Desktop Toolbar icon on desktop
(damaged spyware install) remains. Deleted manually.
Rebooted
Tests after reboot
SearchEnhancement tried to reinstall (blocked using Microsoft Antispyware
Beta)
Numerous attempts to change search engine settings from IE defaults captured
(blocked using Microsoft Antispyware Beta)
The following entries had reappeared in Control Panel (Add/Remove Programs):
BMSE dbl
IE Help
IEC System
SE Assistant
SE Help
Search Function
Malware favorites had not been removed.
Parasite detection script (http://aumha.org/a/noads.htm)
detected Transponder/BTGrab and ShopAtHomeSelect.
*****************************
Time to pull out the big guns
*****************************
Before the uninstall processes listed above Adaware detected 4 processes, 7
modules, 116 registry keys, 332 registry values, 222 files and 24 folders:
After attempted uninstalls above Adaware scans detects 1 process, 54 registry
keys, 101 registry values, 88 files and 7 folders:
180Solutions(TAC index:8):4 references
BargainBuddy(TAC index:8):47 references
BookedSpace(TAC index:10):12 references
ClipGenie(TAC index:4):1 reference
DownloadWare(TAC index:8):5 references
ImIServer IEPlugin(TAC index:5):46 references
MRU List(TAC index:0):60 references
NetworkEssentials(TAC index:7):21 references
Other(TAC index:5):13 references
Rads01.Quadrogram(TAC index:6):1 references
SahAgent(TAC index:9):20 references
SCBAR(TAC index:3):39 references
SurfSideKickBHO(TAC index:7):1 reference
Tracking Cookie(TAC index:3):32 references
Winpup32(TAC index:6):1 reference
In short, IEPLUGIN's 'automatic removal' does not touch any of the extra
software that the Intelligent Explorer site installed. To add insult to injury,
the individual uninstall protocols for the spyware/adware/malware that was
installed with Intelligent Explorer were worthless. It took a combination of
AdAware, HijackThis, CWShredder, Microsoft Antispyware Beta, unhack.def, some
specialised Windows process examination programs, and manual removal (in safe
mode) to get rid (I hope) of the malware. I also had to manually empty my 'temp'
files in various directories. A lot of the spyware in question was installed to,
and running from, temp file directories. Time will tell if I have (finally) been
successful after 4 hours of solid work.
HISTORICAL INSTALLATION EXPERIENCE
14 September 2003
My curiosity about this product was first aroused after discovering that
http://security.kolla.de/kbase.php?lang=en&sbi=spybots&kbase=ieplugin
no longer exists and that
http://www.doxdesk.com/parasite/IEPlugin.html has had all information
removed while a "legal response to its [ieplugin's] manufacturers" is worked out
[there's nothing like a hint of mystery to get the blood moving].
I installed "Intelligent Explorer" by downloading it direct from
http://www.ieplugin.com/. I ran various tests
before and after the installation, and after 'automatic' removal as supplied at
the same site, using several different products, including AdAware, HijackThis
and BHOCop.
Installation
The files involved (that I know of) are systb.dll, winobject.dll, wupdt.exe,
winserv.exe (accesses internet), lycos.exe (accesses internet), bargains.exe
(accesses internet), sidesearch1211.dll, apuc.dll. A massive system
slowdown caused by the installation of "Intelligent Explorer" left my computer
virtually un-useable. The system is a dual monitor Intel Pentium III 804
MHz with 384MB RAM and a NVIDIA GeForce4 Ti 4200 - admittedly its not top of the
range but it is certainly MORE than sufficient to run Outlook, FrontPage,
Outlook Express and Internet Explorer at the same time - something that it was
easily able to do before the install of "Intelligent Explorer" but which it was
unable to do afterwards.
Both monitors flashed constantly, seemingly trying to reduce all programmes to
the taskbar and expose the desktop. No matter what programme I was working in at
any given time, something in the background was constantly stealing focus - I'd
be typing an email, and suddenly the cursor was gone; I'd be editing this page
in FrontPage, and suddenly the cursor was gone; I'd be trying to use the right
click context menu in IE, but it kept disappearing. I couldn't even copy a URL
from the address bar because IE couldn't keep focus long enough to highlight the
address with the cursor. The massive slowdown is bad enough but at least
with patience things eventually happen... this flashing between programmes makes
the computer virtually impossible to use unless you have a LOT of patience and
run only one programme at a time.
New "Search" toolbar installed in the IE window.
Something called "Intelligent Desktop" (aka Onscreen Portal) was installed on
(of course) my desktop. It couldn't be moved but could be turned off (my
computer went completely haywire after I closed it - my monitors and both
desktops kept flashing, with a grey space where the "Intelligent Desktop" should
be on the main monitor).
Prompt window appeared titled "Add Item to Active Desktop" (which I don't even
use) - this window was hidden for nearly all of my testing - text follows:
You have chosen to make this channel available offline and add it to your Active
Desktop Interface (yadayadayada) Url: http://active.ieplugin.com/active.cdf
Lycos Sidepane shortcut on desktop (jeez, the monitor flashing is driving me up
the WALL!! Forgive me if this analysis is not as detailed as it could be - I've
GOT to get this cr*p off my system).
Home page settings seem to be unaffected.
The IE search pane took A VERY LONG TIME to open, but when it does the settings
have been changed to a new search engine "IEPL".
Here is a (cleaned up) HijackThis Log
BHOCop detected (when I could finally get it to RUN, which took about 5
minutes!!!):
Intelligent Explorer plugin (systb.dll); Sidesearch BHO (sidesearch1211.dll);
URL Catcher (apuc.dll).
Doxdesk parasite checker detected:
"Your browser appears to have the "BargainBuddy/Apuc" parasite installed. This
software can present you with unwanted advertising and compromise your
computer's security, and may invade your online privacy. It might have been
installed without your knowledge. Information and removal instructions at (the
system was flashing so badly I couldn't do a right click to copy the URL - had
to copy type it - thank god for dual monitor systems)
http://www.doxdesk.com/parasite/BargainBuddy.html
Add/Remove Programmes showed:
Bargain Buddy
Lycos Side Search
Removal
Removal instructions were originally at
http://ww2.ieplugin.com/uninstall2.html . I have preserved those
instructions, available HERE (if it
were me, I'd stick to AdAware etc).
Other removal instructions can be found at
http://www.ieplugin.com/uninstall2.html (as you will see below, their
"uninstall" was a waste of time!!!!)
While we're on the subject of removal, you will see that 'manual' removal
instructions are supplied at the above URL (preserved
here), but you will also see that the instructions make no reference to the
other files detected by AdAware and BHOCop - sidesearch1211.dll, apuc.dll, nor
does it make any mention of bargains.exe or lycos.exe.
I attempted removal as per the URL
http://www.ieplugin.com/uninstall2.html - I used the "click here to
use automatic uninstall" option, allowed the uninstaller to download, saw the
'successful' dialogue, clicked ok and rebooted.
At first, IE would not work at all!!! That settled down though. A lot of stuff
was NOT REMOVED. AdAware (jeez, what a mess it found) detected a stack of
stuff even after I used the 'uninstaller' provided at the "Intelligent
Explorer" website - it found 58 objects, 32 registry keys, 1 process, 10
registry value, 12 files, 3 folders (again, this is AFTER running the
uninstaller) - only 2 keys existed before I installed "Intelligent Explorer"
- one for Alexa (which is harmless, being the 'Related Links' option native to
Internet Explorer) and one for the Media Player playlist (which is not a
problem)).
Lycos SidePane shortcut on desktop was still there.
IE Toolbar was gone.
Search engine was still hijacked.
Pop-up windows were still happening.
AdAware found references to BargainBuddy, lmlserver, lycos sidesearch, hotbar. I
accepted the option to remove all the leftovers, and my computer froze after
AdAware had finished its business (y'know what's scary? I'm a pro - gawd help
those who aren't "computer savy").
All the uninstall at
http://www.ieplugin.com/uninstall2.html did was remove the search toolbar in
IE. You will need to run AdAware to get rid of the junk left by the
"uninstaller". Even though my system froze, AdAware has worked fine and cleaned
up my system nicely EXCEPT for an active desktop synchronisation setting for the
Intelligent Desktop "OnScreen Portal" which was not removed from Synchronisation
Manager; it had to be removed manually.
As a side note, check out the terms of service for "IE Plugin" (quotes taken
from the page preserved here)
- I encourage you to seriously consider whether you are willing to accept such
conditions if you are thinking about installing the malware that is Intelligent
Explorer.
"You grant to us the right, exercisable by us until you uninstall the
Software or this agreement is otherwise terminated, to provide to you the
Service of downloading and causing to be displayed advertising material on your
computer, through ‘pop-up’ or other display while you use your browser. You
acknowledge and agree that installation of the Software may automatically modify
toolbars and other settings of your browser. By installing the Software you
agree to such modifications."
"2. MINORS AND CHILDREN. If you are thirteen years old or younger, you are
prohibited from downloading, registering, or using the Service. If laws in your
country prohibit you from entering into a valid and enforceable agreement with
us because of your age – in many countries, because you are under eighteen years
of age - you are prohibited from downloading, registering, or using the Service.
BY USING THE SERVICE, YOU WARRANT TO IEPL THAT YOU ARE ABOVE THE AGE OF THIRTEEN
AND ENTITLED TO ENTER INTO A VALID AND ENFORCEABLE AGREEMENT WITH US.
In addition, parents or guardians of children over the age of thirteen should be
aware that the Service is designed to appeal to a broad audience. Accordingly,
it is your responsibility to determine whether any portion of the Service is
inappropriate for your child.
3. CONSENT TO THIRD PARTY USE. You agree that it is your sole responsibility to
inform all users of computer that you have caused the Software to reside on your
computer and that you will obtain their consent to this agreement before
allowing them to use the computer to connect to the internet
6. UPDATES. You grant IEPL permission to add/remove features and/or functions to
the Software and/or Service, or to install new applications, at any time, in
IEPL’s sole discretion with or without your knowledge and/or interaction. You
also grant IEPL permission to make any changes to the Software and/or Service
provided at any time.
7. SERVER INTERACTION. You understand and accept that when the Software is
installed, it periodically communicates with server(s) operated by IEPL and/or
third party servers.
8. COLLECTION AND USE OF YOUR PERSONAL INFORMATION AND
YOUR PRIVACY CONSENT. You understand and grant IEPL permission to assign a
unique software identify code to your copy of the Software. You also grant
IEPL permission to collect and store information of your internet usage habit,
including but not limited to information about every web page you view with
the full Uniform Resource Locators, and the content of web page. You
understand and accept that Uniform Resource Locators and the content of web
pages you view may include your personally identifiable information. You
grant IEPL permission to collect and store information on which toolbar
buttons you click on, your response to advertising, the search terms you entered
on the toolbar and/or all other information relates to your internet usage habit.
IEPL may at times ask you for your personally identifiable information, such as
name, address, email address, postal/zip code, and telephone number. You hereby
grant IEPL permission to store such information in a separate database. You
hereby grant IEPL permission to distribute your non personally identifiable
information, to the extent permitted by law, to our partners, agents, and/or any
third party in IEPL's sole discretion. IEPL does not currently enable users to
access, review, edit, or delete information, including internet usage
information, collected during use of the Service. By using the IEPL Software
and/or Service you agree, to the extent permitted by law, to waive any
constitutional, common law, statutory, or regulatory right of access to such
information that you might otherwise have or acquire. If you have any further
queries relating to our Privacy Policy, or you have a problem or complaint,
please contact us by e-mailing us at privacy@ieplugin.com."