help for Mystart Incredibar

My child downloaded a game from the internet and now I have to deal with Incredibar…
I followed the instructions from
http://forum.avast.com/index.php?topic=53253.0
Malwarebytes removed 2 files
I attached the logs of OTL, Malwarebytes and aswMBR
At the moment, when I open a new tab in Firefox I get the Mystart page. I do not know how to remove this. Can you help me?
Apart from this, do you think Incredibar is removed?


Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.18.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Andreolli :: NEUTRINO-PC [administrator]

Protection: Enabled

18/07/2012 21:21:03
mbam-log-2012-07-18 (21-21-03).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 192815
Time elapsed: 3 minutes, 7 seconds

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\$Recycle.Bin\S-1-5-21-3126821588-40386997-737668875-1001\$R8Y2TJT.exe (PUP.ToolbarDownloader) → Quarantined and deleted successfully.
C:\$Recycle.Bin\S-1-5-21-3126821588-40386997-737668875-1001\$RSTS14U.exe (PUP.ToolbarDownloader) → Quarantined and deleted successfully.

(end)


aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-07-18 21:58:08

21:58:08.772 OS Version: Windows x64 6.1.7601 Service Pack 1
21:58:08.772 Number of processors: 4 586 0x100
21:58:08.772 ComputerName: NEUTRINO-PC UserName: Andreolli
21:58:10.263 Initialize success
21:58:10.637 AVAST engine defs: 12071800
21:58:41.197 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\0000006e
21:58:41.197 Disk 0 Vendor: ST950032 0003 Size: 476940MB BusType: 11
21:58:41.260 Disk 0 MBR read successfully
21:58:41.275 Disk 0 MBR scan
21:58:41.275 Disk 0 Windows 7 default MBR code
21:58:41.291 Disk 0 Partition 1 00 1C Hidd FAT32 LBA MSDOS5.0 25600 MB offset 2048
21:58:41.307 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 205084 MB offset 52430848
21:58:41.322 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 246255 MB offset 472442880
21:58:41.369 Disk 0 scanning C:\Windows\system32\drivers
21:58:49.013 Service scanning
21:59:06.563 Modules scanning
21:59:06.563 Disk 0 trace - called modules:
21:59:06.626 ntoskrnl.exe CLASSPNP.SYS disk.sys amd_xata.sys storport.sys hal.dll amd_sata.sys
21:59:06.641 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8008070060]
21:59:06.657 3 CLASSPNP.SYS[fffff8800196643f] → nt!IofCallDriver → [0xfffffa8007e2c040]
21:59:06.657 5 amd_xata.sys[fffff8800107ed2c] → nt!IofCallDriver → \Device\0000006e[0xfffffa8007e27460]
21:59:07.281 AVAST engine scan C:\Windows
21:59:09.309 AVAST engine scan C:\Windows\system32
22:01:38.180 AVAST engine scan C:\Windows\system32\drivers
22:01:46.448 AVAST engine scan C:\Users\Andreolli
22:06:13.179 AVAST engine scan C:\ProgramData
22:07:29.183 Scan finished successfully
22:13:00.342 Disk 0 MBR has been saved successfully to “D:\Software\MBR.dat”
22:13:00.357 The log file has been saved successfully to “D:\Software\aswMBR.txt”

Welcome to the forum. A malware expert will check those logs and give you instructions on how to proceed. I think you have not attached the OTL log in there; please do so.

The file is attached, it is called OTLANSI.txt

I attach it again

OK, let's get shot of the lot… Do you want to keep SweetIM?

Warning: this fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
SRV:64bit: - [2012/06/06 09:14:32 | 000,185,856 | ---- | M] () [Auto | Running] -- C:\Program Files\Web Assistant\ExtensionUpdaterService.exe -- (Web Assistant Updater)
IE:64bit: - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=390&systemid=406&sr=0&q={searchTerms}
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=390&systemid=406&sr=0&q={searchTerms}
IE - HKU\S-1-5-21-3126821588-40386997-737668875-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://mystart.incredibar.com/mb164?a=6PQDz1YZp8&i=26
IE - HKU\S-1-5-21-3126821588-40386997-737668875-1001\..\SearchScopes,DefaultScope = {CFF4DB9B-135F-47c0-9269-B4C6572FD61A}
IE - HKU\S-1-5-21-3126821588-40386997-737668875-1001\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=390&systemid=406&sr=0&q={searchTerms}
IE - HKU\S-1-5-21-3126821588-40386997-737668875-1001\..\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}: "URL" = http://mystart.incredibar.com/mb164/?search={searchTerms}&loc=IB_DS&a=6PQDz1YZp8&i=26
FF - prefs.js..browser.search.defaultenginename: "MyStart Search"
FF - prefs.js..keyword.URL: "http://mystart.incredibar.com/mb164/?loc=IB_DS&a=6PQDz1YZp8&&i=26&search="
FF - prefs.js..sweetim.toolbar.previous.browser.search.selectedEngine: "My Web Search"
FF - prefs.js..browser.startup.homepage: "http://home.mywebsearch.com/index.jhtml?ptb=ED105BAB-E41C-4AA2-BA41-EE810A6E4F0E&n=77edc466&ptnrS=Z7xdm189YYit&si=jenya"
64bit-FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{336D0C35-8A85-403a-B9D2-65C292C39087}: C:\PROGRAM FILES\WEB ASSISTANT\FIREFOX [2012/07/15 20:40:34 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\webbooster@iminent.com: C:\Program Files (x86)\Iminent\webbooster@iminent.com
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\emoticoons-toolbar@emoticoons.com: C:\Users\Public\Documents\Emoticoons\emoticoons-toolbar@emoticoons.com [2012/07/10 11:00:11 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{336D0C35-8A85-403a-B9D2-65C292C39087}: C:\Program Files\Web Assistant\Firefox [2012/07/15 20:40:34 | 000,000,000 | ---D | M]
[2012/07/10 14:36:56 | 000,009,629 | ---- | M] () -- C:\Users\Andreolli\AppData\Roaming\Mozilla\Firefox\Profiles\2zdv2dii.default\searchplugins\my-web-search.xml
[2012/07/08 13:05:30 | 000,002,519 | ---- | M] () -- C:\Users\Andreolli\AppData\Roaming\Mozilla\Firefox\Profiles\2zdv2dii.default\searchplugins\Search_Results.xml
O2:64bit: - BHO: (Web Assistant) - {336D0C35-8A85-403a-B9D2-65C292C39087} - C:\Program Files\Web Assistant\Extension64.dll ()
O2:64bit: - BHO: (DataMngr) - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\PROGRA~2\SEARCH~1\Datamngr\x64\BROWSE~1.DLL (Bandoo Media, inc)
O2 - BHO: (Web Assistant) - {336D0C35-8A85-403a-B9D2-65C292C39087} - C:\Program Files\Web Assistant\Extension32.dll ()
O2 - BHO: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\SEARCH~1\Datamngr\ToolBar\searchqudtx.dll ()
O2 - BHO: (DataMngr) - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\PROGRA~2\SEARCH~1\Datamngr\BROWSE~1.DLL (Bandoo Media, inc)
O3:64bit: - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\SEARCH~1\Datamngr\ToolBar\searchqudtx.dll ()
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-3126821588-40386997-737668875-1001\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [DATAMNGR] C:\PROGRA~2\SEARCH~1\Datamngr\DATAMN~1.EXE (Bandoo Media, inc)
O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\SEARCH~1\Datamngr\x64\datamngr.dll) - C:\PROGRA~2\SEARCH~1\Datamngr\x64\datamngr.dll (Bandoo Media, inc)
O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\SEARCH~1\Datamngr\x64\IEBHO.dll) - C:\PROGRA~2\SEARCH~1\Datamngr\x64\IEBHO.dll (Bandoo Media, inc)
O20 - AppInit_DLLs: (C:\PROGRA~2\SEARCH~1\Datamngr\datamngr.dll) - C:\PROGRA~2\SEARCH~1\Datamngr\datamngr.dll (Bandoo Media, inc)
O20 - AppInit_DLLs: (C:\PROGRA~2\SEARCH~1\Datamngr\IEBHO.dll) - C:\PROGRA~2\SEARCH~1\Datamngr\IEBHO.dll (Bandoo Media, inc)
[2012/07/10 11:12:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Tarma Installer
[2012/07/10 11:00:20 | 000,000,000 | ---D | C] -- C:\Users\Andreolli\AppData\Roaming\EmoticoonsToolbar
[2012/07/10 11:00:11 | 000,000,000 | ---D | C] -- C:\Users\Andreolli\AppData\Local\SoftwareUpdater
[2012/07/10 11:00:11 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Emoticoons
[2012/07/10 11:00:09 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\Emoticoons
[2012/07/08 13:20:46 | 000,000,000 | ---D | C] -- C:\Users\Andreolli\AppData\Local\Ilivid Player
[2012/07/08 13:05:30 | 000,000,000 | ---D | C] -- C:\ProgramData\boost_interprocess
[2012/07/08 13:05:29 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Searchqu Toolbar

:Files
ipconfig /flushdns /c
C:\Program Files (x86)\Searchqu Toolbar
C:\Program Files\Web Assistant
C:\Users\Andreolli\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlnembnfbcpjnepmfjmngjenhhajpdfd
C:\Users\Andreolli\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlnembnfbcpjnepmfjmngjenhhajpdfd
C:\Program Files (x86)\Iminent
C:\Users\Public\Documents\Emoticoons
C:\PROGRA~2\SEARCH~1

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
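The Firefox part of the fix above works by deleting the hijacked prefs from the profile's prefs.js so Firefox falls back to its defaults. The following is an added example, not code from the thread or from OTL, that does the same check and cleanup on a prefs.js file: it parses every user_pref line, flags URLs that point at the hijack domains seen in the log, flags a default search engine that is not a well-known one, and flags "previous value" copies that toolbars stash under their own namespace so they can restore themselves. The domain list, the trusted-engine list and the sample prefs.js are constructed here from the values quoted in the fix and are assumptions, not a complete indicator list.

```python
"""Audit a Firefox prefs.js for search/homepage hijacks of the kind in the OTL
log above (MyStart/Incredibar, MyWebSearch, search-results.com) and produce a
cleaned copy with the hijacked prefs removed.

Added example for this thread, not part of OTL or the original posts. The
domain list, trusted-engine list and sample prefs.js below are constructed."""
import re
from urllib.parse import urlparse

# Registrable domains of the hijack URLs visible in the OTL log (constructed list).
HIJACK_DOMAINS = ("incredibar.com", "mywebsearch.com", "search-results.com")

# Engine names accepted as legitimate defaults (assumption; adjust per locale).
TRUSTED_ENGINES = {"Google", "Bing", "Yahoo", "DuckDuckGo"}

# Prefs that toolbar installers rewrite to redirect searches and the homepage.
SEARCH_PREFS = {
    "browser.search.defaultenginename",
    "browser.search.selectedEngine",
    "keyword.URL",
    "browser.startup.homepage",
}

# user_pref("name", value);  -- string values may contain \" and \\ escapes
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Map pref name -> value (str, bool or int) for every user_pref line."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = re.sub(r'\\(.)', r'\1', raw[1:-1])  # unescape \" and \\
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def _host(value):
    """Lower-cased hostname of a URL-looking string, else ''."""
    if "://" not in value:
        return ""
    try:
        return (urlparse(value).hostname or "").lower()
    except ValueError:
        return ""


def is_hijack_host(host):
    """True if host is one of HIJACK_DOMAINS or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in HIJACK_DOMAINS)


def audit_prefs(text):
    """Return [(pref_name, value, reason)] for every suspicious pref."""
    findings = []
    for name, value in parse_prefs(text).items():
        if not isinstance(value, str):
            continue
        host = _host(value)
        if host and is_hijack_host(host):
            findings.append((name, value, "URL points at hijack domain " + host))
        elif (name in ("browser.search.defaultenginename", "browser.search.selectedEngine")
              and value not in TRUSTED_ENGINES):
            findings.append((name, value, "default search engine is not a trusted engine"))
        else:
            # Toolbars keep the pre-install value under their own namespace
            # (e.g. sweetim.toolbar.previous.browser.search.selectedEngine) as a
            # restore hook; remove that copy as well.
            for std in SEARCH_PREFS:
                if name != std and name.endswith("." + std):
                    findings.append((name, value, "third-party copy of " + std))
                    break
    return findings


def remove_prefs(text, names):
    """Return prefs.js text without the named prefs. Firefox regenerates missing
    prefs from its defaults at next start; only edit the file with Firefox closed."""
    names = set(names)
    kept = [line for line in text.splitlines()
            if not (PREF_RE.match(line) and PREF_RE.match(line).group(1) in names)]
    return "\n".join(kept) + "\n"


# Constructed sample built from the prefs.js values quoted in the OTL fix above,
# plus two benign prefs (one with escaped backslashes) to exercise the parser.
SAMPLE_PREFS_JS = r'''# Mozilla User Preferences
user_pref("browser.search.defaultenginename", "MyStart Search");
user_pref("keyword.URL", "http://mystart.incredibar.com/mb164/?loc=IB_DS&a=6PQDz1YZp8&&i=26&search=");
user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "My Web Search");
user_pref("browser.startup.homepage", "http://home.mywebsearch.com/index.jhtml?ptb=ED105BAB-E41C-4AA2-BA41-EE810A6E4F0E&n=77edc466&ptnrS=Z7xdm189YYit&si=jenya");
user_pref("browser.download.dir", "C:\\Users\\Andreolli\\Downloads");
user_pref("browser.search.update", true);
'''

if __name__ == "__main__":
    hits = audit_prefs(SAMPLE_PREFS_JS)
    for name, value, reason in hits:
        print(f"{name} = {value!r}: {reason}")
    print("--- cleaned prefs.js ---")
    print(remove_prefs(SAMPLE_PREFS_JS, [h[0] for h in hits]))
```

On a real profile, point the script at `%APPDATA%\Mozilla\Firefox\Profiles\<profile>\prefs.js` with Firefox closed, and also remove the matching files under the profile's `searchplugins` folder (my-web-search.xml and Search_Results.xml in the log above), otherwise the engines reappear in the search box even though the prefs are clean.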

Sorry, but the script to paste in the lower box is not clear or not present; without it OTL does not start the fix

What do you mean… that you can't see the script?

It is in essexboy's post above here in the blue box… copy and paste it in

Do you mean this part?

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

Everything inside the blue box… posting it below this line


:OTL
SRV:64bit: - [2012/06/06 09:14:32 | 000,185,856 | ---- | M] () [Auto | Running] -- C:\Program Files\Web Assistant\ExtensionUpdaterService.exe -- (Web Assistant Updater)
IE:64bit: - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=390&systemid=406&sr=0&q={searchTerms}
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=390&systemid=406&sr=0&q={searchTerms}
IE - HKU\S-1-5-21-3126821588-40386997-737668875-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://mystart.incredibar.com/mb164?a=6PQDz1YZp8&i=26
IE - HKU\S-1-5-21-3126821588-40386997-737668875-1001\..\SearchScopes,DefaultScope = {CFF4DB9B-135F-47c0-9269-B4C6572FD61A}
IE - HKU\S-1-5-21-3126821588-40386997-737668875-1001\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=390&systemid=406&sr=0&q={searchTerms}
IE - HKU\S-1-5-21-3126821588-40386997-737668875-1001\..\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}: "URL" = http://mystart.incredibar.com/mb164/?search={searchTerms}&loc=IB_DS&a=6PQDz1YZp8&i=26
FF - prefs.js..browser.search.defaultenginename: "MyStart Search"
FF - prefs.js..keyword.URL: "http://mystart.incredibar.com/mb164/?loc=IB_DS&a=6PQDz1YZp8&&i=26&search="
FF - prefs.js..sweetim.toolbar.previous.browser.search.selectedEngine: "My Web Search"
FF - prefs.js..browser.startup.homepage: "http://home.mywebsearch.com/index.jhtml?ptb=ED105BAB-E41C-4AA2-BA41-EE810A6E4F0E&n=77edc466&ptnrS=Z7xdm189YYit&si=jenya"
64bit-FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{336D0C35-8A85-403a-B9D2-65C292C39087}: C:\PROGRAM FILES\WEB ASSISTANT\FIREFOX [2012/07/15 20:40:34 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\webbooster@iminent.com: C:\Program Files (x86)\Iminent\webbooster@iminent.com
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\emoticoons-toolbar@emoticoons.com: C:\Users\Public\Documents\Emoticoons\emoticoons-toolbar@emoticoons.com [2012/07/10 11:00:11 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{336D0C35-8A85-403a-B9D2-65C292C39087}: C:\Program Files\Web Assistant\Firefox [2012/07/15 20:40:34 | 000,000,000 | ---D | M]
[2012/07/10 14:36:56 | 000,009,629 | ---- | M] () -- C:\Users\Andreolli\AppData\Roaming\Mozilla\Firefox\Profiles\2zdv2dii.default\searchplugins\my-web-search.xml
[2012/07/08 13:05:30 | 000,002,519 | ---- | M] () -- C:\Users\Andreolli\AppData\Roaming\Mozilla\Firefox\Profiles\2zdv2dii.default\searchplugins\Search_Results.xml
O2:64bit: - BHO: (Web Assistant) - {336D0C35-8A85-403a-B9D2-65C292C39087} - C:\Program Files\Web Assistant\Extension64.dll ()
O2:64bit: - BHO: (DataMngr) - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\PROGRA~2\SEARCH~1\Datamngr\x64\BROWSE~1.DLL (Bandoo Media, inc)
O2 - BHO: (Web Assistant) - {336D0C35-8A85-403a-B9D2-65C292C39087} - C:\Program Files\Web Assistant\Extension32.dll ()
O2 - BHO: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\SEARCH~1\Datamngr\ToolBar\searchqudtx.dll ()
O2 - BHO: (DataMngr) - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\PROGRA~2\SEARCH~1\Datamngr\BROWSE~1.DLL (Bandoo Media, inc)
O3:64bit: - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\SEARCH~1\Datamngr\ToolBar\searchqudtx.dll ()
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-3126821588-40386997-737668875-1001\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [DATAMNGR] C:\PROGRA~2\SEARCH~1\Datamngr\DATAMN~1.EXE (Bandoo Media, inc)
O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\SEARCH~1\Datamngr\x64\datamngr.dll) - C:\PROGRA~2\SEARCH~1\Datamngr\x64\datamngr.dll (Bandoo Media, inc)
O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\SEARCH~1\Datamngr\x64\IEBHO.dll) - C:\PROGRA~2\SEARCH~1\Datamngr\x64\IEBHO.dll (Bandoo Media, inc)
O20 - AppInit_DLLs: (C:\PROGRA~2\SEARCH~1\Datamngr\datamngr.dll) - C:\PROGRA~2\SEARCH~1\Datamngr\datamngr.dll (Bandoo Media, inc)
O20 - AppInit_DLLs: (C:\PROGRA~2\SEARCH~1\Datamngr\IEBHO.dll) - C:\PROGRA~2\SEARCH~1\Datamngr\IEBHO.dll (Bandoo Media, inc)
[2012/07/10 11:12:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Tarma Installer
[2012/07/10 11:00:20 | 000,000,000 | ---D | C] -- C:\Users\Andreolli\AppData\Roaming\EmoticoonsToolbar
[2012/07/10 11:00:11 | 000,000,000 | ---D | C] -- C:\Users\Andreolli\AppData\Local\SoftwareUpdater
[2012/07/10 11:00:11 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Emoticoons
[2012/07/10 11:00:09 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\Emoticoons
[2012/07/08 13:20:46 | 000,000,000 | ---D | C] -- C:\Users\Andreolli\AppData\Local\Ilivid Player
[2012/07/08 13:05:30 | 000,000,000 | ---D | C] -- C:\ProgramData\boost_interprocess
[2012/07/08 13:05:29 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Searchqu Toolbar

:Files
ipconfig /flushdns /c
C:\Program Files (x86)\Searchqu Toolbar
C:\Program Files\Web Assistant
C:\Users\Andreolli\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlnembnfbcpjnepmfjmngjenhhajpdfd
C:\Users\Andreolli\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlnembnfbcpjnepmfjmngjenhhajpdfd
C:\Program Files (x86)\Iminent
C:\Users\Public\Documents\Emoticoons
C:\PROGRA~2\SEARCH~1

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

OK, done: rebooted and ran the Quick Scan.

The log is attached.

essexboy is in bed now, so check back tomorrow :wink:

Has it totally gone now?

Looks so.

Thank you very much for your help

He is not done yet… come back later and he will remove the tools used

OK, as this was an easy one and it was only a toolbar:

Run OTL and hit the Cleanup button to remove the programme

Done…

Is it really done?

As long as it has disappeared, then yes