This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Incredibar problems

0

I've been having a strange malware problem with something called the Incredibar. I've been working with someone from Malwarebytes. We are still working on it but we haven't been able to solve it yet. Meanwhile, I heard about Wireshark through a friend and wanted to see if it could be applied to this situation. I am running XP Home Edition on my computer for my OS. I've been using the IE8, Chrome and Mozilla Firefox browsers. Initially all the browsers on my machine were infected. I was able to uninstall the Incredibar from Add/Remove Programs, then remove it from the browsers manually. We have run Malwarebytes, Spybot, Adware and even Combofix and scanned the registry for related files. After all this, whenever we open YouTube, Facebook or Yahoo, a small bar called the "Incredibar" appears just below the address bar. This only happens in IE8, not Chrome or Firefox. I wondered if Wireshark can help me step through the process of opening one of the pages in IE8 and determine what process is executing to open the Incredibar when I go to one of the pages mentioned. Any info would be appreciated. Thanks, Matt

asked 20 Aug '12, 22:06


presto327
accept rate: 0%


2 Answers:

1

I wondered if Wireshark can help me step through the process of opening one of the pages in IE8 and determine what process is executing to open the Incredibar

Wireshark cannot help in this case, as it's a network sniffer. It cannot show who created a packet.

You need something like Sysinternals Process Monitor or Process Explorer. Please ask the Sysinternals community how to use those tools to track down the malware.

Regards
Kurt

answered 21 Aug '12, 00:30


Kurt Knochner ♦
accept rate: 15%

Thanks Kurt - I'll inquire. Appreciate the information! Matt

(21 Aug '12, 22:36) presto327

1

Googling for "incredibar" finds, in addition to what appears to be the Web site for the Incredibar itself (I didn't go to that site, as I have no idea whether it'd inject the Incredibar into a non-Windows OS or a non-IE browser, and won't give the domain name, as I suspect nobody else should go there either), a bunch of pages that purport to say how to remove the Incredibar. That might be easier than trying to figure out with Wireshark what process is responsible for the Incredibar and removing the program it's running - especially if, for example, the program is your Web browser and the Incredibar code is a DLL loaded by the browser as a plugin.

answered 21 Aug '12, 12:31


Guy Harris ♦♦
accept rate: 19%

Guy, Thanks for the comment. I wondered if it might be something along those lines - Your suggestion sounds good. Thanks again, Matt

(21 Aug '12, 22:42) presto327
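Both answers above point at the same host-side question that a packet capture cannot answer: which process maps the toolbar's DLL, and whether the browser is loading it as an in-process plugin. The script below is an added example, not code from this thread, from Wireshark or from Sysinternals. It parses a Process Monitor CSV export (File > Save, CSV format, default columns) and attributes every "Load Image" event whose path contains a given substring to the process and PID that loaded it; it also lists which processes opened Internet Explorer's Browser Helper Objects registry key, which is where an IE-only toolbar is typically registered. The export rows, the module names (incredibar.dll, incredibar_helper.dll) and all paths are constructed for the example and are not real indicators.

```python
"""Attribute a suspect DLL to the process that loads it, from a Process Monitor
CSV export.  Added example for the Q&A above; all sample rows are constructed."""
import csv
import io
from collections import defaultdict

# Constructed Procmon export (default columns).  The paths and module names are
# hypothetical; a real export has many more rows and possibly extra columns.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","iexplore.exe","1234","Load Image","C:\\WINDOWS\\system32\\ieframe.dll","SUCCESS","Image Base: 0x3e7e0000"
"10:01:02.2","iexplore.exe","1234","RegOpenKey","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects","SUCCESS",""
"10:01:02.3","iexplore.exe","1234","Load Image","C:\\Program Files\\Incredibar\\incredibar.dll","SUCCESS","Image Base: 0x10000000"
"10:01:05.0","chrome.exe","2222","Load Image","C:\\Program Files\\Google\\Chrome\\chrome.dll","SUCCESS","Image Base: 0x01000000"
"10:01:06.0","iexplore.exe","1234","Load Image","C:\\WINDOWS\\system32\\incredibar_helper.dll","SUCCESS","Image Base: 0x20000000"
"""

BHO_KEY_FRAGMENT = "\\browser helper objects"


def parse_procmon_csv(text):
    """Return the export as a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def attribute_module_loads(rows, needle):
    """Map (process name, pid) -> sorted unique image paths containing `needle`.

    Only "Load Image" operations count: that is the event Process Monitor records
    when a DLL or EXE is mapped into a process, i.e. the "who loaded it" fact
    that a network capture cannot provide.  Matching is case-insensitive.
    """
    needle = needle.lower()
    hits = defaultdict(set)
    for row in rows:
        if row["Operation"] != "Load Image":
            continue
        if needle in row["Path"].lower():
            hits[(row["Process Name"], int(row["PID"]))].add(row["Path"])
    return {key: sorted(paths) for key, paths in hits.items()}


def bho_registry_readers(rows):
    """Return the set of (process, pid) that touched the IE Browser Helper
    Objects key via any Reg* operation.  A toolbar that appears only in IE is
    usually registered there and loaded into iexplore.exe as an in-process DLL,
    so the loader and the registry reader should be the same process."""
    return {
        (row["Process Name"], int(row["PID"]))
        for row in rows
        if row["Operation"].startswith("Reg")
        and BHO_KEY_FRAGMENT in row["Path"].lower()
    }


def report(rows, needle):
    """Human-readable summary combining both views."""
    lines = []
    for (proc, pid), paths in sorted(attribute_module_loads(rows, needle).items()):
        lines.append(f"{proc} (PID {pid}) loaded:")
        lines.extend(f"    {p}" for p in paths)
    readers = ", ".join(f"{p} (PID {i})" for p, i in sorted(bho_registry_readers(rows)))
    lines.append(f"Processes that opened the BHO key: {readers or 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Real use: export a capture filtered on iexplore.exe, then
    # python this_script.py and pass the file contents instead of the sample.
    print(report(parse_procmon_csv(SAMPLE_PROCMON_CSV), "incredibar"))
```

Run Procmon with a filter on `Process Name is iexplore.exe`, open one of the affected sites, stop the capture and save it as CSV; the "Load Image" rows then name the exact file to quarantine, and the BHO key reads confirm whether it is being pulled in as a browser add-on rather than by a separate process.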