#$%&-ing Incredifind Worm!

Discussion in 'Trading Software' started by pisspotpete, Mar 13, 2004.

  1. Sanjuro

    It's time for another reformat and reinstall of windows again.
    My friend gave me a link and somehow, it hijacked my browser.
    There are constant popups on every page I go to.

    When you reboot, your browser will be set to this search page.
    res://mshp.dll/index.html#22776

    This executable will be found in either C:\ or C:\Windows
    Q250204.exe
    There was also more than one newly created file, including some txt files.

    I tried Spybot S&D and ran the update and it was no help.
    I tried HijackThis and it fixed some stuff but my main page
    is still back to their search page after I reboot.
    My IE was on medium security and I had prompt on ActiveX.
    I can't believe IE is such a piece of crap to allow web pages
    to run .exes on your computer and change files.

    See attached file for details/pictures but don't click on links.

    If anyone knows a better program that can fix this or some
    program that can protect against this, I'm all ears. My friend
    had Norton Antivirus and disabled his Internet Options for IE
    and he still got hijacked.

    Microsoft has to really make a better browser.
     
    #11     Mar 20, 2004
  2. Neither of the links you gave in the document infect anything. At least not at the time I went there. (I tried it in an isolated VM)

    Was there some other link that you went to?
     
    #12     Mar 20, 2004
  3. I got one of these recently, a different redirect one I think. I had to fix it in the registry. I first searched for the redirect URLs, but those weren't in there... then I noticed on the status bar in IE, it was hitting an intermediate page before the redirect, and when I swiped that from the registry and also changed default URL prefixes back to normal, it was fine. I think it also dumped in an undeletable favorite, which I had to delete in DOS.
     
    #13     Mar 20, 2004
  4. Sanjuro

    I'm positive it was one of those two.
    Did you try clicking on enter on the sites?

    I'm using Windows XP sp1 and IE 6.0.2800.1106
    I don't surf any other pages except ET and
    other trading sites.

    I reported the info to Spybot S&D Detections.
     
    #14     Mar 21, 2004
  5. Sanjuro

    YAY!

    I was searching the internet and found a message board where someone was having the same problem. Another person recommended CWShredder.

    I found and downloaded it here:
    http://www.computercops.biz/downloads-cat-14.html
    CWShredder.exe (v1.53.0002)
    It's Free!

    I ran it, reset my browser to www.msn.com and rebooted.
    My browser is back to normal and no more annoying popups!
     
    #15     Mar 21, 2004
  6. What is the registry key that redirect urls of this type are stored under and what sorts of files are undeletable in Windows and how do they get created?

    I'll answer my own question.

    This Symantec security alert describes how the registry url redirect trick works:
    http://securityresponse.symantec.com/avcenter/venc/data/spyware.dotcomtoolbar.html

    When Spyware.Dotcomtoolbar runs, it does the following:
    Adds the value:
    "redirect"="<path to executable file>"
    on the registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    If a user accesses a Web site, it hooks the URL and changes it to:
    www.dotcomtoolbar.com/redirect/url.asp?url=<URL the user would like to visit>
    Which allows www.dotcomtoolbar.com to log your IP address and visiting URL.

    On XP I have a similar reg key under a slightly different entry:
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

    If anyone else knows of any other types of registry keys that can do nasty stuff like this, post here.


     
    #16     Mar 21, 2004
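
The Run keys named in post #16, checked offline: this added example (not code from the thread or from any tool it mentions) parses saved `reg query` text output and flags autorun entries whose program sits directly in C:\ or C:\Windows, where post #11 found the dropped executable. The sample output, the value names other than `redirect`, the file `upd32.exe` and the assumed `%SystemRoot%` location are constructed for illustration.

```python
import ntpath
import re

# Constructed `reg query` output for illustration; not captured from a real machine.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SoundMan    REG_SZ    "C:\Program Files\Vendor\soundman.exe" /tray
    redirect    REG_SZ    C:\Q250204.exe

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    updater    REG_EXPAND_SZ    %SystemRoot%\upd32.exe -s
"""

# Directories where post #11 reports the dropped executable (triage heuristic only).
DROP_DIRS = {"c:\\", "c:\\windows"}
ENV = {"%systemroot%": r"C:\Windows", "%windir%": r"C:\Windows"}  # assumed defaults
EXE_RE = re.compile(r"^(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)", re.I)

def parse_reg_query(text):
    """Yield (key, value_name, type, data) from `reg query` text output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and line.startswith("    "):
            parts = re.split(r"\s{4,}", line.strip(), maxsplit=2)
            if len(parts) == 3:
                yield (key, *parts)

def command_to_path(data):
    """Pull the program path out of a Run command line and expand known variables."""
    data = data.strip()
    if data.startswith('"'):
        path = data[1:].split('"', 1)[0]   # quoted path, arguments follow the quote
    else:
        m = EXE_RE.match(data)             # unquoted: cut at the first executable suffix
        path = m.group(1) if m else data.split(" ", 1)[0]
    for var, val in ENV.items():
        path = re.sub(re.escape(var), lambda _: val, path, flags=re.I)
    return ntpath.normpath(path)

def suspicious_autoruns(text):
    """Return (key, value_name, path) for entries whose program is in DROP_DIRS."""
    rows = ((k, n, command_to_path(d)) for k, n, _t, d in parse_reg_query(text))
    return [r for r in rows if ntpath.dirname(r[2]).lower() in DROP_DIRS]

if __name__ == "__main__":
    print(*suspicious_autoruns(SAMPLE), sep="\n")
```

A hit is a lead to inspect, not a verdict: legitimate programs can also start from C:\Windows, and a hijacker can install elsewhere.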