Incredibar Removal & OTL too

[StrongManBR]

Hi,

I somehow managed to get the irritating My Start Incredibar donwloaded on my laptop. I downloaded the OTL program and ran it, but dont know how to get Incredibar removed. What is the procedure to use OTL please?

[mchain]

Hi StrongManBR,

Could you also run and attach the logs for Malwarebytes, aswMBR.exe?  You can find these programs here:  http://forum.avast.com/index.php?topic=53253.0 and also a guide on how to proceed.  There is a possibility there is more to it than Incredibar on your system.

OTL can be like a sledgehammer to kill a gnat; and worse still, it can damage your system, if run in the wrong hands.  A malware specialist will be along soon to look at your logs.

[essexboy]

This should kill it

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

  :OTL
  IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.funmoods.com/?f=1&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1QzuyDyEtDyE0AyC0DzytAyEzy0E0D0ByB0BtN0D0Tzu0StBtBtBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=63096674
  IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
  IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1QzuyDyEtDyE0AyC0DzytAyEzy0E0D0ByB0BtN0D0Tzu0StBtBtBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=63096674
  IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.funmoods.com/?f=1&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1QzuyDyEtDyE0AyC0DzytAyEzy0E0D0ByB0BtN0D0Tzu0StBtBtBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=63096674
  IE - HKLM\..\SearchScopes,Backup.Old.DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
  IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
  IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1QzuyDyEtDyE0AyC0DzytAyEzy0E0D0ByB0BtN0D0Tzu0StBtBtBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=63096674
  IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
  IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
  IE - HKU\S-1-5-21-493578736-2699321852-2876254052-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Backup.Old.Start Page = http://mystart.incredibar.com/mb167?a=6OyHeoKjqa&i=26
  IE - HKU\S-1-5-21-493578736-2699321852-2876254052-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.funmoods.com/?f=1&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1QzuyDyEtDyE0AyC0DzytAyEzy0E0D0ByB0BtN0D0Tzu0StBtBtBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=63096674
  IE - HKU\S-1-5-21-493578736-2699321852-2876254052-1000\..\SearchScopes,Backup.Old.DefaultScope = {CFF4DB9B-135F-47c0-9269-B4C6572FD61A}
  IE - HKU\S-1-5-21-493578736-2699321852-2876254052-1000\..\SearchScopes,DefaultScope = {CFF4DB9B-135F-47c0-9269-B4C6572FD61A}
  IE - HKU\S-1-5-21-493578736-2699321852-2876254052-1000\..\SearchScopes\{2C3EDA03-637F-2333-42C5-4986C6D8E1EB}: "URL" = http://mystart.incredibar.com/mb167/?search={searchTerms}&loc=IB_DS&a=6OyHeoKjqa&i=26
  IE - HKU\S-1-5-21-493578736-2699321852-2876254052-1000\..\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1QzuyDyEtDyE0AyC0DzytAyEzy0E0D0ByB0BtN0D0Tzu0StBtBtBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=63096674
  FF - prefs.js..keyword.URL: "http://mystart.incredibar.com/mb167/?loc=IB_DS&a=6OyHeoKjqa&&i=26&search="
  [2012/07/07 12:08:53 | 000,002,203 | ---- | M] () -- C:\Users\wandrey\AppData\Roaming\Mozilla\Firefox\Profiles\k9rm65cf.default\searchplugins\MyStart Search.xml
  [2012/08/10 22:08:24 | 000,002,335 | ---- | M] () -- C:\Users\wandrey\AppData\Roaming\Mozilla\Firefox\Profiles\k9rm65cf.default\searchplugins\Search.xml
  [2012/08/10 22:06:08 | 000,384,844 | ---- | C] () -- C:\Users\wandrey\AppData\Local\funmoods-speeddial.crx
  
  :Files
  ipconfig /flushdns /c
  
  :Commands
  [purity]
  [resethosts]
  [emptytemp]
  [CREATERESTOREPOINT]
  [Reboot]
• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

[StrongManBR]

Thanks for helping me.
Dont work at all yet.
See attachments

[StrongManBR]

Hi StrongManBR,

Could you also run and attach the logs for Malwarebytes, aswMBR.exe?  You can find these programs here:  http://forum.avast.com/index.php?topic=53253.0 and also a guide on how to proceed.  There is a possibility there is more to it than Incredibar on your system.

OTL can be like a sledgehammer to kill a gnat; and worse still, it can damage your system, if run in the wrong hands.  A malware specialist will be along soon to look at your logs.

Dont work, nothing is catched.

[essexboy]

Could you confirm it is just Firefox

Also there should be a user.js file on the root c drive

Could you copy that
Change the extension to .txt and attach that

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

  :OTL
  FF - prefs.js..browser.search.defaultenginename: "v9"
  FF - prefs.js..browser.search.order.1: "v9"
  FF - prefs.js..browser.search.selectedEngine: "v9"
  [2012/08/11 00:40:49 | 000,000,402 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\v9.xml
  
  :Files
  ipconfig /flushdns /c
  
  :Commands
  [purity]
  [resethosts]
  [emptytemp]
  [CREATERESTOREPOINT]
  [Reboot]
• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

[StrongManBR]

Confirmed, only firefox.
user.js attached.
Tks a lot.
I will run otl again with new params.

[StrongManBR]

Could you confirm it is just Firefox

Also there should be a user.js file on the root c drive

Could you copy that
Change the extension to .txt and attach that

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

  :OTL
  FF - prefs.js..browser.search.defaultenginename: "v9"
  FF - prefs.js..browser.search.order.1: "v9"
  FF - prefs.js..browser.search.selectedEngine: "v9"
  [2012/08/11 00:40:49 | 000,000,402 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\v9.xml
  
  :Files
  ipconfig /flushdns /c
  
  :Commands
  [purity]
  [resethosts]
  [emptytemp]
  [CREATERESTOREPOINT]
  [Reboot]
• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

After first run, only firefox problem, after second firefox continue with incredibar, see attachments please.
Thks again, it almost fixing.

[essexboy]

Delete that user.js it is full of incredibar then retry firefox

[StrongManBR]

Delete that user.js it is full of incredibar then retry firefox

Deleted user.js file on c:. Dont work yet. Incredibar continue on firefox, see attachments.
Tks for try help me. The fight continue

[essexboy]

Are you able to change the start page in FF ?

Could you run a fresh OTL quick scan please

[StrongManBR]

Ok, start page is set to inicial mozila firefox page.
New OTL run attached.

[essexboy]

Could you confirm that it is now fixed ?

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

  :OTL
  IE - HKU\S-1-5-21-493578736-2699321852-2876254052-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.v9.com/?utm_source=b&utm_medium=ism&from=ism&uid=12078201000006890A84_CorsairForceGT&ts=1344656448
  IE - HKU\S-1-5-21-493578736-2699321852-2876254052-1000\..\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}: "URL" = http://search.v9.com/web/?q={searchTerms}
  
• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

[StrongManBR]

Do i restart after this third run?

On mozila firefox start ok, but after one new tab, incredibar persist.
Start firefox with page blank, new tab incredibar continue boring.
Please, see attachments e new olt fresh run.

[essexboy]

OK there is an extension or addon hiding in Firefox that I cannot see...  By the way this is why I never use firefox

Start firefox in safe mode please and change the start page
http://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-using-safe-mode

Enable addons and extensions one at a time unitl the problem re-occurs then let me know which one it was