dslreports.com Forums
Inqwire Search: Full Screen Hijack

Gas Guzzler (Member):

I was hit twice over the weekend by Inqwire/Search Inqwire, a browser hijacker that creates a full-screen page and blasts you with all kinds of ads and banners inside it.

TM's PC-Cillin 2005, BO Cleaner, Ad-Aware SE+, Spy-Bot, Hijack This and CW Shredder (all current) did not pick it up.

The System Config Util (msconfig) listed under 'Services' just one entry I didn't recognize:
- InstallDriver Table Manager
Hijack This! listed one new entry I've never seen on my system before too:
- IDriverT.exe

The DIR that the file was installed in had 6 other .dlls. I deleted it.

The IDriverT.exe had about 40 entries in the registry, all of which I tried to remove.

John2g (Premium Member):

IDriverT - IDriverT.exe - Process Information
Process File: IDriverT or IDriverT.exe
Process Name: InstallDriver Module

Description:
IDriverT.exe is a process which belongs to the InstallShield product installation service, which should only appear when you are installing a new piece of software. This program is a non-essential process to the running of the system, but should not be terminated unless suspected to be causing problems.

fatdcuk (Premium Member), replying to Gas Guzzler:

This is scary stuff :(
Did you submit any files for research or run them past an online scanner such as Jotti?

John2g (Premium Member), replying to Gas Guzzler:

This might help

»help.lockergnome.com/lof ··· 601.html

sharpy merc (Member), replying to Gas Guzzler:

said by Gas Guzzler:

... PC-Cillin 2005, BO Cleaner, Ad-Aware SE+, Spy-Bot, Hijack This and CW Shredder (all current) ...

You mention BO Cleaner; do you mean BOClean? Because BO Cleaner looks dodgy.

maartena (Premium Member), replying to Gas Guzzler:

I just noticed the Inqwire popup on my home computer as well, that and a registry scan popup that keeps coming back.

I use Symantec Corporate Edition v10.0, which also detects spyware, to protect me, and have Ad-Aware SE and SpyBot as well to search for adware.

None of the 3 picked anything up, except for a few tracking cookies.

Symantec did block an attempt to install 180-solutions or something like that a few weeks back, but it appears my system is totally clean at this moment besides this Inqwire popup screen that comes back every now and then.

It doesn't appear to be full screen; it's 1024x768 by default, but my screen resolution is 1280x1024, so it may appear full screen at a lower resolution.

Any ideas?

fatdcuk (Premium Member):

Hmmm, IMO there must be something lurking to produce the pop-up :(
I would follow the instructions on the following link in order to discover if you have any malware lurking on your system that your current security tools cannot detect.
»www3.dslreports.com/faq/8428

Gas Guzzler (Member), replying to maartena:

Maartena,

This is what I've done to try to fight Search Inqwire.

Ran all my systems 'defensive software' in Win XP's Safe Mode.

Deleted the principal DIRs where I surf; they end in ...\Temporary Internet Files\*.* and I also deleted the sub-directories and the index.dat file(s) AND the DIR \Content.IE5 too. Windows will naturally recreate these when it reboots.

Rebooted into Safe Mode -> Command Prompt (the old DOS mode) and went looking into the Downloaded Program Files DIR. I found 3 directories named CONFLICT1, CONFLICT2 & CONFLICT3. I deleted all 3.

I opened the RUN box and started the REGEDT32.exe program and used the 'Find' option for all of the entries where the word CONFLICT can be found, and removed those entries referring to these same directories.

Using 'Hijack This' in Safe Mode I deleted 2 entries labelled:
'HKCU\Software\Microsoft\Internet Explorer\Main,Local Page='

Changed IE6->Security Settings (Custom) options:
Initialize & Script Active X Controls Not Marked As Safe: Disable
Allow Scripting of IE Webbrowser control: Disable
Allow webpages to use restricted protocols for active content: Disable
Allow Paste Operations Via Script: Disable

Changed Internet Options -> Privacy->Sites (added these w/ Always Block):
inqwire.com
empnads.com
adecn.com
ru4.com
zedo.com

Finally I modified my Flash Settings here link: »www.macromedia.com/suppo ··· r03.html
as I suspect this Search Inqwire bug may be a Flash security hole in my system...somewhere.

I've had no Search Inqwire hijacks in 5 days since. I'd like to know what you've found too, and what worked for you, so if you don't mind please share your experience with us. Thanks.

vienge (Member):

I've also had this crap plaguing my computers lately and unfortunately found it hard to get rid of until your post. I didn't find any conflict dirs though.

terminal27 (Anon), replying to Gas Guzzler:

A couple of questions:

1) Any idea which URL you got this infection from (if it is a drive-by infection at all), so I can check it out?

2) Which browser were you using at the time? IE? If so, why?!

onoma_ (Member):

Well, I was just hit with an Inqwire popup a bit ago. I'd been seeing them on a fairly regular basis for the last week and a half or so. I followed the steps listed above, and didn't see anything for the last two days. However, this evening I was scanning the Everquest 2 forums when, lo and behold, I got an Inqwire popup. (And yes, I was using IE, which has given me no problems until this dastardly Inqwire business.)

*sigh*

Anyone else having this issue? How is this slipping by all the biggies (Adaware, Spybot, etc.)...?

Gas Guzzler (Member):

I was hit by 'Inqwire' again tonight.

3 windows popped up, 2 full screen and 1 small. I immediately halted all 'incoming traffic' with TM's PC-Cillin 2006. I own the Verizon-provided Westell wireless VersaLink 327W Router-Modem.

IE6 version 6.0.2900.2180.xpsp_sp2_gdr2.050301-1519

I've just spent the last 2 hours playing Half-Life2 and listening to my private radio station at the same time.
I'll list my online history tonight and some cookies that looked odd (to me anyway).

from: History->Today {dir} (alphabetical order: last 2 hours online)

boards.theforce.net
computing.net (page location where I was hit tonight)
www.dbsforums.com
www.drudgereport.com
www.dslreports.com
forums.steampowered.com
www.inqwire.com
launch.groups.yahoo.com
music.yahoo.com
my.yahoo.com
radio.launch.yahoo.com
www.rage3d.com
search.yahoo.com (searching a banner-ad I saw 'Titan Spyware')
www.spywarewarrior.com
theforce.net
www.titanspyware.com

I didn't recognize these cookies either:

hurricanedigitalmedia.com/
hits.clickandtrack.net/
testbounce "testing" ad.yieldmanager.com/

Search Inqwire's 3 pop up windows had these addresses listed (PLEASE BE CAREFUL HERE):
1.) http://www.inqwire.com/homepage.precision.asp?sd=1&group=troika1b&lpt=18&pops=yes&pop=no&float=yes&poponlpt=no&floatonlpt=yes&cb=70

2.) res://C:\WINDOWS\system32\shdoclc.dll/dnserror.htm#http://www.swbtk.net/def/45/5004.html

3.) http://www.swbtk.net/def/45/5014.html

Once again my system's defenses were blind to this 'bug-ware'; PC-Cillin, Ad-Aware SE, Spybot, BO Clean, and Hijack This found nothing unusual.

As a temporary response I deleted every sub-directory and file in the \Temporary Internet Files and \User Data and \Local Settings\History dir's just for some kind of relief.

And I added swbtk.net & travelzoo.com to my 'Always Block' list.

If anyone out there can help, or sees where the problem could be, or has a solution, by all means share it with us here. Thanks.

Cudni (MVM), replying to Gas Guzzler:

Did you disable Java, JavaScript and ActiveX in all zones except the Trusted Zone in IE?

Cudni

Smoke5 (Anon):

I did find a URL in my favorites directory called, simply enough, Search Inqwire.

I deleted it and have not seen it since. Don't know if that cured it or not.

K McAleavey (Premium Member), replying to Gas Guzzler:

I was just directed here since the O.P. has BOClean and a number of other programs - this one is strictly a scripting thing and doesn't actually drop any files or memory resident items. Thus nothing for BOClean or the others to find on the system. I suspect it's probably Drudge report that's serving it up but can't guarantee it.

This is definitely being served up as an advertising link on a third-party basis, and there are some remaining flaws in Microsoft's scripting that permit a "clickthrough" on setting a favorite (many sites have a link you can click on to set a favorite, and this is how the scripting does that) ... all of it, though, within the browser itself rather than an actual trojan attack.

If you can block the site, that'll help a lot. If you'd like to email me down below, we can use your copy of BOClean to do a deep check of the system with a special tool we use here for such occasions which is an alternative to HJT ... but I doubt we'll find anything. Let a few of our lab rats have at it and nothing actually downloaded for us so far.

K McAleavey (Premium Member), replying to Gas Guzzler:

OK, we've figured it out. It's a JavaScript "exit console" trick. There's no infection, although if you agree to the scan, then the JavaScript WILL allow you to download an oldie but goodie as far as BOClean goes, called "FAKEREGCLEAN", which will *definitely* be detected if you actually had it downloaded from ZEDO there. That one's been around for months.

So what you've got there is a very annoying site with a JavaScript that's apparently buying a lot of banner ads. But we've checked it out, the "Registry cleaner" is a hosejob, and had it actually downloaded, you would have watched BOClean nail it to the hull.

Gas Guzzler (Member):

Thank you Kevin (and Cudni) for your insight on this. This appears to be best fought by further tightening up of browser options, and I have. AND WILL CONTINUE TO DO SO...

Changes to my Tools->Internet Options->Security->Internet->Custom Level include these:

- Allow Scripting of IE Webbrowser control: (NOW Disabled)
- Allow Script initiated windows w/o size or pos constraints: (NOW Disabled)
- Allow Paste Operations Via Script: (NOW Disabled)
- Scripting Of Java Applets: (NOW Disabled)

We'll try these new options through the weekend, and I'll have an update on my results the middle of next week.

And yes I'm still open minded for other solutions too.

K McAleavey (Premium Member), replying to Gas Guzzler:

We finally isolated the source of those ...

media.fastclick.net ...

Throw this one in your block pile and that should be the end of seeing those.

onoma_ (Member):

Thanks for your efforts! I've tightened IE up a bit and added the above to my blocked sites, and now have yet to see an Inqwire popup for several days. What a relief, as this thing was driving me nuts...

Gas Guzzler (Member), replying to K McAleavey:

Thank you very much Kevin.

I was able to isolate about 5 different cookies Search Inqwire leaves behind and found some interesting things inside them. Two different Registry locations:

1.) D27CDB6E-AE6D-11cf-96B8-444553540000
2.) 7DD95801-9882-11CF-9FA9-00AA006C42C4

and references to files that it uses to create the harmful Java Script instructions it executes on your browser.

1.) msxml3.dll
2.) mshtml.dll

For the Registry entries I simply deleted all of them. It's left my Shockwave ActiveX Control showing 0kb size and a version of 0,0,0,1. I'm just going to remove this altogether. Shockwave Flash Object is still there in \Win\DL Prog Files, 8kb/version 8,0,22,0.

For the .dll files I decided to limit their Security->Properties settings (right-click on each file) by eliminating the USERS and POWER USERS access and leaving Admins and SYSTEM access only.

I've seen no attacks or drawbacks since.

And finally these sites are now 'Always Blocked' by my browsers Privacy->Sites list:
adknowledge.com
clickandtrack.net
empnads.com
inqwire.com
adecn.com
adserver.com
ecreditrepair.com
FASTCLICK.NET
imixserver.com
ru4.com
swbtk.net
trafficmp.com
travelzoo.com
tribalfusion.com
yieldmanager.com
zedo.com
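
The block lists in this thread (the 'Always Block' entries above, and IE-SPYAD, which does the same job by putting known ad and spyware domains into IE's Restricted Sites zone) can be generated mechanically instead of typed in one at a time. The following Python script is an added example for this page, not code from any poster or from IE-SPYAD. It takes bare hostnames or pasted URLs such as the popup addresses above, validates and deduplicates them, and writes a .reg file that maps each one (and its subdomains, via the "*" value) to Internet Explorer's Restricted Sites zone, plus a checker that reports whether a host is already covered by an existing .reg file, which is the check hamlet did by hand for fastclick.net. Assumptions not taken from the page: the HKCU ZoneMap\Domains registry layout, zone ID 4 for Restricted Sites, the simple "last two labels are the registrable domain" split (wrong for names like example.co.uk), and the sample list, which is constructed from the domains posted in the thread.

```python
"""
Build an Internet Explorer Restricted Sites block list as a .reg file.

Added example for this thread, not code from any poster or from IE-SPYAD.
Assumptions (not from the page): the HKCU ZoneMap\\Domains layout below,
zone ID 4 = Restricted Sites, a naive "last two labels are the registrable
domain" split (wrong for names like example.co.uk), and the sample list,
which is constructed from the domains posted in the thread.
"""
import re
from typing import Iterable, Optional

ZONE_RESTRICTED = 4  # IE zone IDs: 0 local machine, 1 intranet, 2 trusted, 3 internet, 4 restricted
ZONEMAP = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
           r"\Internet Settings\ZoneMap\Domains")
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME = re.compile(rf"^(?:{_LABEL}\.)+[a-z]{{2,63}}$")

# Constructed sample input: the hosts posted in this thread, including the
# duplicate and upper-case entries and a pasted popup URL, to show normalisation.
THREAD_LIST = [
    "adknowledge.com", "clickandtrack.net", "empnads.com", "inqwire.com",
    "adecn.com", "adserver.com", "clickandtrack.net", "ecreditrepair.com",
    "FASTCLICK.NET", "imixserver.com", "ru4.com", "swbtk.net", "trafficmp.com",
    "travelzoo.com", "tribalfusion.com", "yieldmanager.com", "zedo.com",
    "media.fastclick.net",
    "http://www.inqwire.com/homepage.precision.asp?sd=1&group=troika1b",
]


def normalize_domain(entry: str) -> Optional[str]:
    """Reduce a list entry (bare host or full URL) to a lower-case hostname; None if it is not one."""
    s = entry.strip().lower()
    s = re.sub(r"^[a-z][a-z0-9+.-]*://", "", s)               # drop scheme
    s = s.split("/", 1)[0].split("?", 1)[0].split(":", 1)[0]   # drop path, query, port
    s = s.rstrip(".")
    return s if _HOSTNAME.match(s) else None                   # rejects wildcards, spaces, IPs


def zone_key(host: str) -> str:
    """Registry key IE uses for a host: Domains\\<registrable>, with any extra labels as a subkey."""
    labels = host.split(".")
    base, rest = ".".join(labels[-2:]), ".".join(labels[:-2])
    return f"{ZONEMAP}\\{base}" + (f"\\{rest}" if rest else "")


def reg_file(entries: Iterable[str], zone: int = ZONE_RESTRICTED) -> str:
    """Return .reg text mapping every valid, deduplicated host (and its subdomains, via "*") to `zone`."""
    hosts = sorted({h for h in map(normalize_domain, entries) if h})
    lines = ["Windows Registry Editor Version 5.00", ""]
    for h in hosts:
        lines += [f"[{zone_key(h)}]", f'"*"=dword:{zone:08x}', ""]
    return "\n".join(lines)


def is_restricted(reg_text: str, host: str, zone: int = ZONE_RESTRICTED) -> bool:
    """True if host, or a parent domain down to its registrable name, is mapped to `zone` in reg_text."""
    mapped, current = set(), None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current and line.lower() == f'"*"=dword:{zone:08x}':
            mapped.add(current)
    h = normalize_domain(host)
    if not h:
        return False
    labels = h.split(".")
    candidates = (".".join(labels[i:]) for i in range(len(labels) - 1))  # host, then parents
    return any(zone_key(c).lower() in mapped for c in candidates)


def write_reg(path: str, entries: Iterable[str]) -> None:
    """Write the .reg file the way regedit expects it: UTF-16 with CRLF line ends."""
    with open(path, "w", encoding="utf-16", newline="\r\n") as f:
        f.write(reg_file(entries))


if __name__ == "__main__":
    import sys
    out = sys.argv[1] if len(sys.argv) > 1 else "restricted-sites.reg"
    write_reg(out, THREAD_LIST)
    print(f"wrote {out}; media.fastclick.net covered: "
          f"{is_restricted(reg_file(THREAD_LIST), 'media.fastclick.net')}")
```

Load the output with regedit or `reg import restricted-sites.reg` while logged in as the affected user, since the keys live under HKCU. Note what the Restricted zone does and does not do: IE still fetches pages from those hosts, it just runs them with scripting and ActiveX off, so a popup can still open as an empty or broken window; blocking the hosts in the hosts file or at the router stops the request itself.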

hamlet (Member):

Guzzler, you might want to check out IE Spyad. It will add a BUNCH of known spyware, adware, etc. sites to Internet Explorer's Restricted zone. I checked and, sure enough, it had fastclick.net in the Restricted zone. I have been using IE Spyad for a year or so now and have not had any problems with redirects and the like. I consider this one of my essential layers of security along with Kaspersky antivirus and the ultimate backup, BOClean!

ps. I found that all but five or six of those domains you listed were in my restricted zone already thanks to IE Spyad. I need to add the others in.

marijane (Anon), replying to terminal27:

I got the Inqwire popup from MySpace.

Gar4016 (Member), replying to Gas Guzzler:

So I've had this for two months and nothing seemed to work. Then I found this thread and tried the things previously mentioned, still didn't work for me. But I finally got rid of it yesterday.

I had noticed earlier that defrag had found a folder under Program Files that it could not do anything with; it had some random name that would change every time I'd boot up, and I could not access it even when I showed hidden & system files under Folder Options. Thought this was strange.

Norton AV 2005 found "Spyware.Apropos.C" yesterday in my system32 folder under the filename "atiprdim.dll" which is a random generated name.
some info on this at
http://securityresponse.symantec.com/avcenter/venc/data/spyware.apropos.c.html sort of helped.
I renamed this .dll and put on my desktop since it could not be deleted.
I restarted in safe mode to find that it no longer worked so I deleted it and I could now access the once hidden folder.
Inside I found what the previous webpage described. One .exe file had an icon with an "a" on it, so I looked up references to it in Registrar Lite (regedit may work too) and I found the name of what the webpage calls "HKEY_LOCAL_MACHINE\SOFTWARE\[RANDOM NAME]".
I deleted it, and I deleted the program files folder of a different name. It is GONE! Woohoo!

It is interesting to note that the registry entry did mention that contextplus address, whom I think is responsible for all of these popunders. If any of these steps are unclear please ask. Thanks to all of you on this webpage who inspired me to figure it out instead of reformatting!

Anonymous88 (Premium Member), replying to Gas Guzzler:

inqwire page is nothing but ads. They even have banners on their Privacy Policy page

Murph74 (Member):

Follow the lead of post #13 on this link, cured me in minutes! It's a VX2 virus, which renames itself on each boot, so is tricky to actually capture!

Murph

»www.computing.net/securi ··· 257.html

CalamityJane (Premium Member):

Hi Murph

This thread is really, really old (Started in October 2005) and the advice contained in it is now outdated. (So is that link you've posted.) It would really be best to follow the guidelines here to make sure you have got it all:
»Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance