
I've been having a strange malware problem with something called the Incredibar. I've been working with someone from Malwarebytes. We are still working on it but we haven't been able to solve it yet. Meanwhile, I heard about Wireshark through a friend and wanted to see if it could be applied to this situation. I am running XP Home Edition on my computer for my OS. I've been using IE8, Chrome and Mozilla Firefox browsers. Initially all the browsers on my machine were infected. I was able to uninstall the Incredibar from add/remove programs, then remove it from the browsers manually. We have run Malwarebytes, Spybot, Adware and even Combofix and scanned the registry for related files. After all this, whenever we open YouTube, Facebook or Yahoo, a small bar called the "Incredibar" appears just below the address bar. This only happens in IE8, not Chrome or Firefox. I wondered if Wireshark can help me step through the process of opening one of the pages in IE8 and determine what process is executing to open the Incredibar when I go to one of the pages mentioned. Any info would be appreciated. Thanks, Matt

asked 20 Aug '12, 22:06

presto327


> I wondered if Wireshark can help me step through the process of opening one of the pages in IE8 and determine what process is executing to open the Incredibar

Wireshark cannot help in this case, as it's a network sniffer. It cannot show who created a packet.

You need something like Sysinternals Process Monitor or Process Explorer. Please ask the Sysinternals community how to use those tools to track down the malware.

Regards
Kurt


answered 21 Aug '12, 00:30

Kurt Knochner

Thanks Kurt - I'll inquire. Appreciate the information! Matt

(21 Aug '12, 22:36) presto327
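Wireshark itself has no notion of which process sent a packet, as Kurt says, but the operating system does: `netstat -ano` lists every TCP/UDP endpoint together with the owning PID. The script below (an added example, not part of the original thread or of Wireshark) snapshots the endpoints owned by a named process and turns them into a Wireshark display filter, so the browser's traffic can be isolated in a capture. The process name `iexplore` is an assumption for this thread; it uses only the built-in `netstat` and PowerShell 2.0 syntax, which is what can be installed on XP.

```powershell
# Added example (not from the original thread): build a Wireshark display filter from the
# TCP/UDP endpoints currently owned by a process, using the PID column of "netstat -ano".
# Assumption: the process under investigation is iexplore.exe (override with -ProcessName).
param(
    [string]$ProcessName = "iexplore"
)

# PIDs of every running instance of the process (IE8 may run several).
$pids = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue | ForEach-Object { $_.Id })
if ($pids.Count -eq 0) {
    Write-Warning "No running process named $ProcessName"
    return
}

# "netstat -ano" rows look like:
#   TCP    192.168.1.5:1043    93.184.216.34:80    ESTABLISHED    1234
#   UDP    0.0.0.0:1900        *:*                                1234
# The PID is always the last field; UDP rows have no State column.
$terms = @()
netstat -ano | ForEach-Object {
    $fields = ($_ -replace '^\s+', '') -split '\s+'
    if ($fields.Count -lt 4) { return }                      # header / blank lines
    if ($fields[0] -ne 'TCP' -and $fields[0] -ne 'UDP') { return }
    $owner = 0
    if (-not [int]::TryParse($fields[$fields.Count - 1], [ref]$owner)) { return }
    if ($pids -contains $owner) {
        # Local address is host:port; take the text after the last colon so IPv6 also works.
        $local = $fields[1]
        $port  = $local.Substring($local.LastIndexOf(':') + 1)
        $terms += "$($fields[0].ToLower()).port == $port"
    }
}

if ($terms.Count -eq 0) {
    Write-Warning "Process $ProcessName owns no TCP/UDP endpoints right now"
    return
}

# Join the unique terms into one display filter, e.g. "tcp.port == 1043 || tcp.port == 1044".
$filter = ($terms | Sort-Object -Unique) -join ' || '
Write-Output "Wireshark display filter for PID(s) $($pids -join ', '):"
Write-Output $filter
```

Paste the printed filter into Wireshark's display-filter bar on a capture taken at the same moment. The mapping is a point-in-time snapshot and ephemeral ports get reused, so run it while the suspect page is loading, and expect a DLL injected into the browser to show up under the browser's own PID rather than as a separate process, which is exactly why Process Monitor or Process Explorer is the better tool for the "which code" question.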

Googling for "incredibar" finds, in addition to what appears to be the Web site for the Incredibar itself (I didn't go to that site, as I have no idea whether it'd inject the Incredibar into a non-Windows OS or a non-IE browser, and won't give the domain name, as I suspect nobody else should go there either), a bunch of pages that purport to say how to remove the Incredibar. That might be easier than trying to figure out with Wireshark what process is responsible for the Incredibar and removing the program it's running - especially if, for example, the program is your Web browser and the Incredibar code is a DLL loaded by the browser as a plugin.


answered 21 Aug '12, 12:31

Guy Harris

Guy, thanks for the comment. I wondered if it might be something along those lines; your suggestion sounds good. Thanks again, Matt

(21 Aug '12, 22:42) presto327
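Guy's point that the Incredibar code is probably a DLL loaded by the browser as a plugin can be checked directly: Internet Explorer loads Browser Helper Objects and toolbars from well-known registry keys, each a CLSID that resolves to a DLL path under `HKCR\CLSID\{guid}\InprocServer32`. The script below (an added example, not part of the original thread) lists those entries, resolves each to its DLL, and marks the ones currently mapped into a running `iexplore.exe`, which is what Process Explorer's DLL view would show. The registry paths are the standard IE ones; the process name `iexplore` is an assumption for this thread, and the script uses PowerShell 2.0 syntax so it can run on XP (run it from an elevated prompt).

```powershell
# Added example (not from the original thread): enumerate IE Browser Helper Objects and
# toolbars, resolve their CLSIDs to DLLs, and flag those loaded into a running iexplore.exe.
# Assumption: the browser under investigation is iexplore.exe.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$toolbarKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'

function Resolve-Clsid {
    param([string]$Clsid, [string]$Kind)
    # A COM in-process server records its DLL in the default value of InprocServer32.
    $base   = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $server = "$base\InprocServer32"
    $name = $null; $dll = $null
    if (Test-Path $base)   { $name = (Get-ItemProperty -Path $base).'(default)' }
    if (Test-Path $server) {
        $dll = (Get-ItemProperty -Path $server).'(default)'
        if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
    }
    New-Object PSObject -Property @{ Kind = $Kind; Clsid = $Clsid; Name = $name; Dll = $dll; Loaded = $false }
}

$entries = @()
# BHOs: one subkey per CLSID.
foreach ($key in $bhoKeys) {
    if (Test-Path $key) {
        Get-ChildItem -Path $key | ForEach-Object { $entries += Resolve-Clsid -Clsid $_.PSChildName -Kind 'BHO' }
    }
}
# Toolbars: CLSIDs are value names under the Toolbar key, not subkeys.
if (Test-Path $toolbarKey) {
    (Get-ItemProperty -Path $toolbarKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        ForEach-Object { $entries += Resolve-Clsid -Clsid $_.Name -Kind 'Toolbar' }
}

# Modules currently mapped into every iexplore.exe process (lower-cased full paths).
$loaded = @()
Get-Process -Name iexplore -ErrorAction SilentlyContinue | ForEach-Object {
    try { $loaded += $_.Modules | ForEach-Object { $_.FileName.ToLower() } }
    catch { Write-Warning "Could not read modules of PID $($_.Id): $_" }
}

foreach ($e in $entries) {
    if ($e.Dll -and ($loaded -contains $e.Dll.ToLower())) { $e.Loaded = $true }
}

if ($entries.Count -eq 0) { Write-Output "No BHOs or toolbars registered." }
else { $entries | Sort-Object Kind, Name | Format-Table Kind, Loaded, Name, Dll -AutoSize }
```

An entry whose DLL lives outside `Program Files` or `Windows`, has no friendly name, or is marked `Loaded` while you cannot account for it is the one to look at; the `Dll` column gives the file to submit to the Malwarebytes contact, and removing the CLSID's BHO/Toolbar entry (after backing up the key) stops IE from loading it on the next start.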