Threat Explorer

The Threat Explorer is a comprehensive resource consumers can turn to for daily, accurate, up-to-date information on the latest threats, risks and vulnerabilities.

Adware.Incredifind

Adware.Incredifind

Updated:
February 13, 2007
Version:
1.0.0.1
Publisher:
IncrediFind
Risk Impact:
High
File Names:
IncFindBHO.dll date.txt delupdat.exe wupdater.exe sui.exe data1.dat data2.dat (install file
Systems Affected:
Windows

Behavior


Adware.Incredifind is an adware program that installs an Internet Explorer Browser Helper Object (BHO) and modifies the hosts file to redirect searches made from the address bar.

Symptoms


Your Symantec program detects files as Adware.Incredifind.

Behavior


Adware.Incredifind is typically downloaded from the Internet.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version February 01, 2015 revision 020
  • Initial Daily Certified version March 29, 2004
  • Latest Daily Certified version January 26, 2015 revision 023
  • Initial Weekly Certified release date March 31, 2004
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

When Adware.Incredifind runs, it does the following:

  1. Creates the following files:
    • %ProgramFiles%\IncrediFind\BHO\IncFindBHO.dll (this file is detected as Adware.Incredifind)
    • %ProgramFiles%\IncrediFind\BHO\date.txt

      Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

  2. Creates the following files in the %ProgramFiles%\Common files\updater folder:
    • delupdat.exe
    • wupdater.exe
    • sui.exe
    • data1.dat
    • data2.dat

  3. Adds the value:

    "updater" = "%ProgramFiles%\Common files\updater\wupdater.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the Adware.Incredifind updater program runs every time Windows starts.

  4. Deletes the value:

    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" = "[no value]"

    from the registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

    so that searching from the Internet Explorer address bar no long functions.

  5. Adds the value:

    "{5D60FF48-95BE-4956-B4C6-6BB168A70310}" = "[no value]"

    to the registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

    so that searching from the Internet Explorer address bar is redirected to the domain incredifind.com.

  6. Adds the following registry keys:

    HKEY_CLASSES_ROOT\BHO.IncrediFindBHO
    HKEY_CLASSES_ROOT\BHO.IncrediFindBHO.1
    HKEY_CLASSES_ROOT\CLSID\{5D60FF48-95BE-4956-B4C6-6BB168A70310}
    HKEY_CLASSES_ROOT\Interface\{8B8F6968-2F24-41E3-B653-E9613226F14D}
    HKEY_CLASSES_ROOT\TypeLib\{DE289BFA-737B-4ABB-A4EC-F8753551B875}
    HKEY_LOCAL_MACHINE\Software\IncrediFind
    HKEY_LOCAL_MACHINE\Software\updater
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5D60FF48-95BE-4956-B4C6-6BB168A70310}

    so that the Adware.Incredifind BHO is loaded when Internet Explorer starts.

  7. Runs wupdater.exe in the background so that updates to Adware.Incredifind can be downloaded and installed.

  8. Copies the following file:

    %System%\drivers\etc\hosts

    to

    %System%\drivers\etc\hosts.bho

    so that the current hosts file can be saved.

    Notes:
    • This information is only applicable to Windows NT4 (Windows XP/2000) operating systems.
    • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  9. Adds the following text to the %System%\drivers\etc\hosts file:

    12.129.205.209 search.netscape.com
    12.129.205.209 sitefinder.verisign.com

    so that all access to those Web sites will be redirected. However, this may fail due to a formatting error.



The following instructions pertain to all Symantec antivirus products that support Security Risk detection.
  1. Update the definitions.
  2. Close all open Internet Explorer windows.
  3. Run a full system scan.
  4. Delete the values from the registry.
  5. Delete the installation folders.
  6. Manually edit the hosts file and remove all the entries added by the adware
  7. Delete the remaining file.
For specific details on each of these steps, read the following instructions.

1. To update the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.


2. To close all open Internet Explorer windows
Because Adware.Incredifind functions as a Microsoft Internet Explorer plug-in, it is necessary to close all open Internet Explorer windows to remove it. If you are reading this writeup in Internet Explorer, print this writeup using our printer-friendly option at the top of the page, or write down the following instructions, and then close all Internet Explorer windows.


3. To run a full system scan
  1. Start your Symantec antivirus program, and then run a full system scan.
  2. If any files are detected as Adware.Incredifind and depending on which software version you are using, you may see one or more of the following options:

    Note: This applies only to versions of Norton AntiVirus that support Security Risk detection. If you are running a version of Symantec AntiVirus Corporate Edition that supports Security Risk detection, and Security Risk detection has been enabled, you will only see a message box that gives the results of the scan. If you have questions in this situation, contact your network administrator.
    • Exclude (Not recommended): If you click this button, it will set the threat so that it is no longer detectable. That is, the antivirus program will keep the security risk on your computer and will no longer detect it to remove from your computer.

    • Ignore or Skip: This option tells the scanner to ignore the threat for this scan only. It will be detected again the next time that you run a scan.

    • Cancel: This option is new to Norton Antivirus 2005. It is used when Norton Antivirus 2005 has determined that it cannot delete a security risk. This Cancel option tells the scanner to ignore the threat for this scan only, and thus, the threat will be detected again the next time that you run a scan.

      To actually delete the security risk:
      • Click its file name (under the Filename column).
      • In the Item Information box that displays, write down the full path and file name.
      • Then use Windows Explorer to locate and delete the file.

        If Windows reports that it cannot delete the file, this indicates that the file is in use. In this situation, complete the rest of the instructions on this page, restart the computer in Safe mode, and then delete the file using Windows Explorer.

    • Delete: This option will attempt to delete the detected files. In some cases, the scanner will not be able to do this.
      • If you see a message, "Delete Failed" (or similar message), manually delete the file.
      • Click the file name of the threat that is under the Filename column.
      • In the Item Information box that displays, write down the full path and file name.
      • Then use Windows Explorer to locate and delete the file.

        If Windows reports that it cannot delete the file, this indicates that the file is in use. In this situation, complete the rest of the instructions on this page, restart the computer in Safe mode, and then delete the file using Windows Explorer.

4. To delete the values from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry ," for instructions.

  1. Click Start > Run.
  2. Type regedit

    Then click OK.

  3. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  4. In the right pane, delete the value:

    "updater" = "%ProgramFiles%\Common files\updater\wupdater.exe"

  5. Navigate to the key:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

  6. In the right pane, delete the value:

    "{5D60FF48-95BE-4956-B4C6-6BB168A70310}" = ""

  7. In the right pane, add the value:

    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" = ""

    to return the value to the default.

  8. Navigate to and delete the following subkeys:

    HKEY_CLASSES_ROOT\BHO.IncrediFindBHO
    HKEY_CLASSES_ROOT\BHO.IncrediFindBHO.1
    HKEY_CLASSES_ROOT\CLSID\{5D60FF48-95BE-4956-B4C6-6BB168A70310}
    HKEY_CLASSES_ROOT\Interface\{8B8F6968-2F24-41E3-B653-E9613226F14D}
    HKEY_CLASSES_ROOT\TypeLib\{DE289BFA-737B-4ABB-A4EC-F8753551B875}
    HKEY_LOCAL_MACHINE\Software\IncrediFind
    HKEY_LOCAL_MACHINE\Software\updater
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5D60FF48-95BE-4956-B4C6-6BB168A70310}

  9. Exit the Registry Editor.


5. To delete the installation folders
Navigate to and delete the following folders using Windows Explorer:
  • %ProgramFiles%\Common files\updater
  • %ProgramFiles%\IncrediFind

6. To manually edit the hosts file and remove all the entries added by the adware
Note: The location of the Hosts file may vary and some computers may not have this file. For example, if the file exists in Windows 98, it will usually be in C:\Windows; and it is located in the C:\WINNT\system32\drivers\etc folder in Windows 2000. There may also be multiple copies of this file in different locations.


Follow the instructions for your operating system:
  • Windows 95/98/Me/NT/2000
    1. Click Start, point to Find or Search, and then click Files or Folders.
    2. Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.
    3. In the "Named" or "Search for..." box, type:

      hosts

    4. Click Find Now or Search Now.
    5. For each Hosts file that you find, right-click the file, and then click Open With.
    6. Deselect the "Always use this program to open this program" check box.
    7. Scroll through the list of programs and double-click Notepad.
    8. When the file opens, delete all the entries in Step 9 of the "Technical Details" section.
    9. Close Notepad and save your changes when prompted.

  • Windows XP
    1. Click Start > Search.
    2. Click All files and folders.
    3. In the "All or part of the file name" box, type:

      hosts

    4. Verify that "Look in" is set to "Local Hard Drives" or to (C:).
    5. Click More advanced options.
    6. Check Search system folders.
    7. Check Search subfolders.
    8. Click Search.
    9. Click Find Now or Search Now.
    10. For each Hosts file that you find, right-click the file, and then click Open With.
    11. Deselect the Always use this program to open this program check box.
    12. Scroll through the list of programs and double-click Notepad.
    13. When the file opens, delete all the entries in Step 9 of the "Technical Details" section.
    14. Close Notepad and save your changes when prompted.

7. To delete the remaining file:

Navigate to and delete the following file using Windows Explorer:

%System%\drivers\etc\hosts.bho