OS is Win98SE
Computer in question is used by more than one person.
I have heard of Incredimail, but only from a friend that uses it for email. It sounded like just another email client. True?
A couple of days ago, an icon appeared on the desktop,
"Complete Incredimail Installation".
Deleted it. Crossed fingers.
It reappeared the next day.
One of the users of the computer is elderly. In her email, I found a forwarded email from another elderly friend, with mention of Incredimail, and a big ol' "Click here" button.
She uses a web interface for accessing email, using IE v6.
No need to press and ask. I can make a reasonable assumption that it was clicked, and somehow it downloaded and installed an installation program.
I started looking around.
Found it in C:\Windows\Temp\ImInstaller\IncrediMail
An executable, a .cab file and a text file or two.
I have not deleted that stuff yet.
Because it reappears, I looked some more.
Rebooted, and there it was... again.
Using the Search function in regedit, I found it a few times.
HKEY_LOCAL_MACHINE\Software\ImInstaller
name=IncrediMail_iver data={a hex number here}
HKEY_LOCAL_MACHINE\Software\ImInstaller\IncrediMail
name=Root
data=www5l.incredimail.com/contents/setup/2007032901/downloader_nu
name=ScriptUrl
data=www5l.incredimail.com/contents/setup/2007032901/downloader_nu/setupscript.xml
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
zzz_ImInstaller_IncrediMail
C:\WINDOWS\TEMP\ImInstaller\IncrediMail\INCREDIMAIL_INSTALL[1].EXE -startup -product IncrediMail -cluster 2
Questions:
1.) What do you think happened?
2.) What would you do?
This is the bottom line, main question.
I am curious about some things while we are at it though.
3.) At first I thought it would be ok to delete the files in the temp dir.
Wouldn't that cause some sort of burp at boot time though, since
apparently the registry entries are looking for them?
4.) Would it be ok to delete those registry entries with regedit?
In other words, would the combination of deleting the files in the
temp dir and deleting those keys be the proper fix?
5.) Other than politely advising not to click on things found in emails, is
there any other preventative action I can take?
Any and all comments/thoughts/ideas greatly appreciated.
Need more info regarding the system, ask and I'll get it.
Thanks
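An added example, not part of the post above and not IncrediMail's or Microsoft's code: a small Python script that reads a .reg export of the autostart keys (the kind regedit writes with `regedit /e run.reg HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run`, which is how the export would be taken off the Win98 box for review on another machine) and flags Run/RunOnce values whose program lives in a temp directory or carries the `[n]` suffix that Internet Explorer appends to files it copies out of its cache. The sample export embedded below is constructed; its first entry mirrors the value quoted in the post, the rest are made up for illustration. The flagging rules are heuristics the author of this example chose, not a definition of malware.

```python
import re

# Constructed sample of a REGEDIT4-format export (the ANSI format Win9x regedit
# writes). The zzz_ImInstaller entry mirrors the value quoted in the post; the
# other entries are invented to show benign autostarts and a second hit.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"zzz_ImInstaller_IncrediMail"="C:\\WINDOWS\\TEMP\\ImInstaller\\IncrediMail\\INCREDIMAIL_INSTALL[1].EXE -startup -product IncrediMail -cluster 2"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Updater"="\"C:\\WINDOWS\\TEMP\\upd.exe\" /silent"
'''

# Key suffixes that auto-run programs at logon/boot (compared case-insensitively).
AUTOSTART_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce",
                      "\\currentversion\\runservices")
# Directory fragments that a legitimately installed product rarely launches from.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "\\temporary internet files\\")

# One REG_SZ line: "name"="data" or @="data"; backslash escapes allowed inside.
_VALUE_RE = re.compile(r'^(?:@|"(?P<name>(?:[^"\\]|\\.)*)")="(?P<data>(?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export.
    Binary/dword values (hex:, dword:) are skipped; they cannot be Run commands."""
    entries = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.upper().startswith("REGEDIT") \
                or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries.setdefault(key, {})
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            name = "(Default)" if m.group("name") is None else _unescape(m.group("name"))
            entries[key][name] = _unescape(m.group("data"))
    return entries


def image_path(cmdline):
    """Pull the program path out of a Run value: a quoted path, else the first token
    (an unquoted path containing spaces is truncated, which is itself worth noticing)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def flag_autostarts(entries):
    """Return (key, value_name, exe_path, reason) for autostart values that look
    like a browser-downloaded installer rather than an installed product."""
    findings = []
    for key, values in entries.items():
        if not key.lower().endswith(AUTOSTART_SUFFIXES):
            continue
        for name, cmd in values.items():
            exe = image_path(cmd)
            low = exe.lower()
            reasons = []
            if any(marker in low for marker in TEMP_MARKERS):
                reasons.append("program runs from a temp directory")
            if re.search(r"\[\d+\]\.exe$", low):
                reasons.append("name carries IE's [n] cache-copy suffix")
            if reasons:
                findings.append((key, name, exe, "; ".join(reasons)))
    return findings


def review(text):
    """Parse an export and return the flagged autostart entries."""
    return flag_autostarts(parse_reg(text))


if __name__ == "__main__":
    for key, name, exe, why in review(SAMPLE_REG):
        print(f"{key}\n  {name} -> {exe}\n  {why}")
```

Run against a real export, the output is a short list to look at before touching anything: an entry whose program sits under `C:\WINDOWS\TEMP` and is named like a browser download is exactly the combination described in the post, and removing the Run value and the files together (rather than only the files, which leaves a dangling Run entry) is what the listing points at.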