Malware, trojan, and browser hijacking

My wonderful child downloaded a program that came with all sorts of goodies. First thing I did was remove all the programs and toolbars that were installed. Apparently, he downloaded Cheat Engine 6.1, and along with that came Reg Clean Pro and Advanced System Protector. Along with that came toolbars for something called Babylon, mystart.incredibar, and the funweb/mywebsearch thing, all removed using Add/Remove Programs, but obviously not all were successfully removed.

Second thing I did was a full system scan with Avast. It found a threat listed as Win32:Alureon-AUH [Trj]. I put that in the chest, and Avast requested I do a boot-time scan. The boot-time scan found 18 additional items, 5 of which would not go into the chest.

Since then, I ran all the scans posted here on the forums, and am wondering if there is a way to get rid of all this junk and reclaim my browser, which adamantly suggests my home page be mystart.incredibar; all searches not done directly through Google are redirected through mystart.incredibar, and anything typed directly into the URL bar also goes through mystart.

Attached are the mbam, OTL, and aswMBR logs.

Thank you

If you password-protect the admin account and then give your child the guest account, then he/she will not be able to download all the crap.

Malware removers are notified. It may take many hours before one arrives, so be patient.

You are right, Pondus 8)

Hi elebrun

Re-run OTL.exe.

- Copy and paste the following text, written inside the quote box, into the Custom Scans/Fixes box.


:OTL
SRV - File not found [Auto | Stopped] -- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\003797~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -- (0037971265334042mcinstcleanup)
IE - HKU\S-1-5-21-842751856-3121206664-703656033-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://mystart.incredibar.com/mb178?a=6PQFRTJQig&i=26
IE - HKU\S-1-5-21-842751856-3121206664-703656033-500\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&affID=112051&tt=3212_5&babsrc=SP_ss&mntrId=9abd07c600000000000000248187b055
IE - HKU\S-1-5-21-842751856-3121206664-703656033-500\..\SearchScopes\{44f44034-6036-4f06-9336-74ec4620edab}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=RGxdm003YYus&ptb=C7D8120E-5CB7-49CC-B146-5B2AA661F6D8&ind=2011101713&ptnrS=RGxdm003YYus&si=CLKvhpmK8KsCFWsEQAodeUiMHw&n=77defa11&psa=&st=sb&searchfor={searchTerms}
IE - HKU\S-1-5-21-842751856-3121206664-703656033-500\..\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}: "URL" = http://mystart.incredibar.com/mb178/?search={searchTerms}&loc=IB_DS&a=6PQFRTJQig&i=26
FF - prefs.js..browser.search.defaultthis.engineName: "Oryte Games 1.13 Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2644241&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
FF - prefs.js..extensions.enabledItems: {942cd1d4-9cc1-4d31-876a-ea8f489f7a59}:3.2.5.2
FF - prefs.js..keyword.URL: "http://search.babylon.com/?affID=112051&tt=3212_5&babsrc=KW_ss&mntrId=9abd07c600000000000000248187b055&q="
[2012/08/07 17:25:44 | 000,000,000 | ---D | M] (incredibar.com) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\q02gzv63.default\extensions\ffxtlbr@incredibar.com
[2012/08/07 17:24:31 | 000,002,349 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml
CHR - homepage: http://search.babylon.com/?affID=112051&tt=3212_5&babsrc=HP_ss&mntrId=9abd07c600000000000000248187b055
CHR - homepage: http://search.babylon.com/?affID=112051&tt=3212_5&babsrc=HP_ss&mntrId=9abd07c600000000000000248187b055
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Web Assistant) - {336D0C35-8A85-403a-B9D2-65C292C39087} - C:\Program Files\Web Assistant\Extension32.dll ()
O3 - HKLM\..\Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - No CLSID value found.
FF - prefs.js..browser.search.defaultenginename: "MyStart Search"
FF - prefs.js..browser.search.selectedEngine: "MyStart Search"
[2012/08/07 17:24:32 | 000,000,000 | ---D | M] (Browser Companion Helper) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\q02gzv63.default\extensions\bbrs_002@blabbers.com

:commands
[CREATERESTOREPOINT]
[emptytemp]
[EMPTYFLASH]
[EMPTYJAVA]
[Reboot]

- Then click the Run Fix button at the top.
- Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.

Step 2

- Download AdwCleaner (by Xplode) to your desktop.
- Launch it, click on [Search] and wait for the scan.
- When the scan ends, Notepad will open with the report.

- Click on [Delete] and wait for the program to complete its work.
The program will close all active programs. Click OK to confirm that.
On the next two windows that open (Informations and Restart required), click OK.

- The computer will restart and open Notepad (C:\AdwCleaner[S1].txt) with the report.
- Save the Notepad report on the Desktop.
- Please attach C:\AdwCleaner[S1].txt here.

Note: The report will also be stored at C:\AdwCleaner[S1].txt
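The OTL fix above resets a set of Firefox prefs.js search and home-page values that the hijacker had rewritten. The script below is an added example, not part of this thread and not OTL's or AdwCleaner's own code, showing how to audit a prefs.js for the same kind of tampering before running a fix: it parses the file, pulls out the search, home-page and enabled-extension preferences, and flags any that point at a host or engine outside an allowlist. The sample prefs.js content is constructed from the values quoted in the fix; the browser.startup.homepage value and the allowlist contents are my assumptions, not taken from the thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample prefs.js content, built from the hijacked values quoted
# in the OTL fix above. browser.startup.homepage is a real Firefox pref, but
# its value here is assumed for illustration, not taken from the thread.
SAMPLE_PREFS_JS = '''\
# Mozilla User Preferences
user_pref("browser.search.defaultenginename", "MyStart Search");
user_pref("browser.search.selectedEngine", "MyStart Search");
user_pref("browser.search.order.1", "Search the web (Babylon)");
user_pref("browser.search.defaulturl", "http://search.conduit.com/ResultsExt.aspx?ctid=CT2644241&SearchSource=3&q={searchTerms}");
user_pref("keyword.URL", "http://search.babylon.com/?affID=112051&tt=3212_5&babsrc=KW_ss&q=");
user_pref("browser.startup.homepage", "http://mystart.incredibar.com/mb178?a=6PQFRTJQig&i=26");
user_pref("extensions.enabledItems", "{942cd1d4-9cc1-4d31-876a-ea8f489f7a59}:3.2.5.2,ffxtlbr@incredibar.com:1.0");
user_pref("browser.startup.page", 1);
user_pref("browser.tabs.warnOnClose", false);
'''

# Hosts and engine names the machine's owner actually wants (assumed allowlist).
# Anything else showing up in a search or home-page pref is worth a look.
ALLOWED_HOSTS = {"www.google.com", "google.com", "www.bing.com", "search.yahoo.com"}
ALLOWED_ENGINES = {"Google", "Bing", "Yahoo"}

# Prefs that hold a URL the browser navigates to on its own.
URL_PREFS = {"keyword.URL", "browser.search.defaulturl", "browser.startup.homepage"}
# Prefs that name the engine used for the address bar / search box.
ENGINE_PREFS = {"browser.search.defaultenginename", "browser.search.selectedEngine"}

PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);\s*$')


def parse_prefs(text):
    """Return {name: value} from prefs.js text; string values lose their quotes."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue  # comments, blank lines, anything that is not a user_pref()
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        prefs[name] = raw
    return prefs


def audit_prefs(prefs, allowed_hosts=ALLOWED_HOSTS, allowed_engines=ALLOWED_ENGINES):
    """Return (pref, reason) pairs for settings that point somewhere unexpected."""
    findings = []
    for name, value in sorted(prefs.items()):
        if name in URL_PREFS:
            host = urlparse(value).hostname or ""
            if host not in allowed_hosts:
                findings.append((name, f"points to unexpected host {host!r}"))
        elif name in ENGINE_PREFS or name.startswith("browser.search.order."):
            if value not in allowed_engines:
                findings.append((name, f"unexpected search engine {value!r}"))
        elif name == "extensions.enabledItems":
            # Each entry is id:version; surface every enabled add-on so the
            # reviewer can compare it with what the owner actually installed.
            ids = [entry.split(":", 1)[0] for entry in value.split(",") if entry]
            findings.append((name, "enabled add-ons: " + ", ".join(ids)))
    return findings


if __name__ == "__main__":
    for pref, reason in audit_prefs(parse_prefs(SAMPLE_PREFS_JS)):
        print(f"{pref}: {reason}")
```

To run it against a real profile, replace SAMPLE_PREFS_JS with the contents of prefs.js from the profile directory (the fix above shows the profile path on this machine) and adjust the allowlists to the search engines the owner actually uses. The extension list is reported unconditionally rather than matched against a blocklist, because unwanted add-on IDs change far faster than any list can keep up.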

I guess you found a nice toolbar collection here, Argus. ;D

Here in Serbia, on all the computers ;D

like this ;D

http://faildesk.net/wp-content/uploads/2011/05/Too_many_toolbars-1024x837.jpg

Ahahaha wow ;D

I’ve tried this in the past, but ended up losing complete access to the admin account and everything on the computer.

Argus - Thank you for your reply. I am having trouble with OTL moving past the Killing Processes step. The first attempt, I forgot to exit mbam, and an error popped up that wouldn’t go away. I forced a reboot after an hour and tried again, this time making sure everything was closed first. I set it to run again and went to sleep. 4 hours later, I forced another reboot as it was still stuck on Killing Processes. Any suggestions?

Right-click on the MBAM icon in the System Tray and uncheck Enable Protection.

When asked, "Are you sure you want to disable the MBAM Protection Module?", click Yes.

Right-click on the MBAM icon again and then uncheck Start with Windows.

The Protection Module is now disabled and will not restart.

Re-run OTL fix.

Have you done Step2?

Oops, corrected fix :slight_smile:

Left OTL on while I was at work, and came home to it still sitting on Killing Processes. Forced reboot and went to step 2. Log attached.

No more redirects when opening a new tab. No more mystery searches. No more random browser opening up when clicking on a link from outside of the browser (such as in skype). And the browser loads so fast now. Thank you very much for that. Will it stay gone?

Is there a next step? Do I still need to do step 1?

Just a little update…

I opened Chrome and it said the profile was corrupted. Pages still redirect to the mystart.incredibar site in Chrome.

Uninstall Chrome through Add or Remove Programs (Control Panel).

Go to the Start menu > Run.
In the text line, type (or copy) the following:

%USERPROFILE%\Local Settings\Application Data\Google

Delete the Chrome folder.

Install the new Google Chrome https://www.google.com/intl/en/chrome/browser/?hl=en

Another way:

Type in the address bar: chrome://extensions
Remove anything that is Incredibar-related. Do the same at the address chrome://plugins