Security Basics
New Trojan? Jun 28 2004 07:14PM
Jeff (Jeff Not_A_Real_Address com) (10 replies)
Re: New Trojan? Jul 01 2004 04:01PM
Greg Bur (greg bur gmail com)
Re: New Trojan? Jul 01 2004 10:03AM
Michael Painter (tvhawaii shaka com)
Re: New Trojan? Jun 30 2004 03:49AM
Brad Germany (b germany mchsi com)
Re: New Trojan? Jun 30 2004 12:28AM
Zoran Perkov (zperkov gmail com)
Re: New Trojan? Jun 29 2004 10:14PM
ph03n1x (ph03n1x gmx net)
Re: New Trojan? Jun 29 2004 09:16PM
Michael Painter (tvhawaii shaka com)
Re: New Trojan? Jun 29 2004 07:32PM
Okiwaso (okiwaso hotmail com)
Re: New Trojan? Jun 29 2004 06:48PM
Brian Lund (brianlund gmail com) (1 replies)
RE: New Trojan? Jun 30 2004 10:13PM
Steven Hess (shess tampabay rr com)
Re: New Trojan? Jun 29 2004 06:27PM
Brian Lund (brianlund gmail com)
RE: New Trojan? Jun 29 2004 03:52PM
Kenton Smith (ksmith chartwelltechnology com) (1 replies)
RE: New Trojan? Jun 30 2004 08:25PM
Kit Brown (securityfocus thpook com) (1 replies)
RE: New Trojan? Jul 01 2004 11:21AM
Raj (aquarajb yahoo com)
Hi Jeff,

Well, a few weeks back I was infected too. Whenever I
mistyped a URL, IE led me to Incredfind.net. I tried
all sorts of things, but the tools never helped me out,
so I found a few suspicious files by manual search in
my temp folder. While examining the files I found that
it had installed an exe file in the system folder, and
it had made changes in the Windows registry like
"Blog.Incrid*.*", so I manually deleted the entries
made by it in the registry, and at last my computer is
disinfected from that Blog.

So now you manually disinfect your machine.

Bye

Raj

> > -----Original Message-----
> > From: Jeff [mailto:Jeff (at) Not_A_Real_Address (dot) com [email concealed]]
> > Sent: Monday, June 28, 2004 1:15 PM
> > To: security-basics (at) securityfocus (dot) com [email concealed]
> > Subject: New Trojan?
> >
> > PLEASE READ ... I feel violated and need much help, if not for
> > the PC, for my nerves.
> >
> > The PC is a WinXP box, fully patched, routinely checked with
> > Spybot 1.3 and AdAware 6. I run SpywareBlaster as well. I also
> > use Thunderbird 0.6 and Firefox 0.8. All other family members
> > run Thunderbird on this box. IE6 has not been removed but is
> > fully patched.
> >
> > Norton Antivirus Corporate Edition 9.0, AV file 6/25/2004 r19
> > is running. (I purposely purchased the licenses at work for
> > our home users also so that they WOULD stay up to date -- a
> > practice I learned from Sprint a long, long time ago.)
> >
> > I use a Netgear FVS318 to interface to my Verizon DSL account.
> >
> > The events as they happened.
> >
> > 1. My son read his email via the web. It included e-cards.
> >    He read them. Doesn't remember where they took him, nor
> >    does he remember if he used IE6 or Firefox.
> >
> > 2. Long screaming session about things TO do and things NOT
> >    to do while on the internet. 278th time. Disabled his account.
> >
> > 3. Mis-typing a URL will now take me automatically to
> >    www.netidentity.com with the mistaken URL clearly
> >    identified inside. Identical results on IE6 and Firefox.
> >    Java and Javascript are disabled on Firefox. I leave IE6
> >    alone because I use it when I absolutely must go to some
> >    bogus activex site, oh, and windowsupdate. But I don't use
> >    it otherwise. I always use Firefox.
> >
> >    URLs that caused this include: mapblast, mapquest, abc, def
> >    ... through xyz.
> >
> >    Please note: I had typed "mapblast" but had hit Enter rather
> >    than Ctrl-Enter, by mistake. The URLs entered are literally
> >    those listed, just the word.
> >
> >    They are then transformed to http://mapblast/
> >
> > 4. SAV CE, Spybot, AdAware, SpywareBlaster were all checked for
> >    updates and the entire system was scanned. Nothing found.
> >
> > ** My immediate thought was that Network Solutions was up to their
> > ** old tricks with its Site Finder business. A quick check of
> > ** another PC in the house eliminated that.
> >
> > 5. I checked my syslogs and NULL routed the IP address being used
> >    to access www.netidentity.com. The same page comes up sans the
> >    graphics and the flash. The web page is still there though, just
> >    looking sad. Another check of the syslogs brings up 64.15.175.5
> >    as generating the pages, an open proxy.
> >
> > 6. Also ran HiJackThis and went through ALL of the items on it.
> >    Nada. Couldn't find the IP addresses or domain names in the
> >    registry. I also ran them in reverse notation. Nada.
> >
> > 7. Checked my network settings to make certain that some new DNS
> >    server wasn't stuck in. Nope, still set to use the Netgear box.
> >    Put 4 different DNS servers in -- still get that stupid site.
> >
> > 8. That was all at lunchtime. Haven't had a chance to run netstat
> >    or Ethereal to gain any additional clues.
> >
> > ZOIKS!!!
> >
> > The PC is off. But NOT knowing what is going on is driving me insane.
> >
> > So while I <ahem> work this afternoon, I thought I would see if any
> > of this sounds, smells or <insert fav sense here> like anything that
> > anyone has seen before!
> >
> > Jeff
=== message truncated ===

------------------------------------------------------------------------
---
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------
----
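
An added example, not part of the original thread: two checks in Python that fit the symptom Jeff describes, looking up random names that should not exist to see whether something answers for them anyway, and listing hosts-file entries that point names at non-loopback addresses. The function names, the sample hosts text and the 192.0.2.10 address are constructed for illustration.

```python
import random
import socket
import string

# Constructed sample hosts-file text (not taken from the thread).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1   localhost
192.0.2.10  mapblast mapquest   # redirect entry
"""

def probe_nonexistent(resolve=socket.gethostbyname, samples=4, seed=None):
    """Look up random names that should not exist.

    Returns {name: address} for every name that resolved anyway. Half the
    probes are bare words (like "mapblast"), half end in .com.
    """
    rng = random.Random(seed)
    answered = {}
    for i in range(samples):
        label = "".join(rng.choice(string.ascii_lowercase) for _ in range(20))
        name = label if i % 2 == 0 else label + ".com"
        try:
            answered[name] = resolve(name)
        except OSError:  # socket.gaierror: the expected "no such host"
            pass
    return answered

def suspicious_hosts_entries(hosts_text):
    """Return (address, name) pairs that map a name to a non-loopback address."""
    found = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        if addr.startswith("127.") or addr in ("::1", "0.0.0.0"):
            continue  # loopback / sinkhole entries, e.g. ad-block lists
        found.extend((addr, name) for name in names)
    return found

if __name__ == "__main__":
    print("hosts entries:", suspicious_hosts_entries(SAMPLE_HOSTS))
    hits = probe_nonexistent()
    print("nonexistent names that resolved:", hits or "none")
```

Run it on the affected PC and on a second machine on the same network: answers on both point at the resolver or ISP, answers on only one point at that machine.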

Copyright 2009, SecurityFocus