
MyStart Search/Incredibar.com Redirect Virus



Good afternoon,

I recently reinstalled Windows on my machine and have been hunting down drivers, and I think I picked up a redirect virus along the way.

I've dealt with MyStart Search and Incredibar before, but despite my efforts, I cannot seem to get rid of the last bits of this infection.

Things I've done already:

- Run scans with both Malwarebytes and Microsoft Security Essentials

- Followed other sites' instructions for locating rogue files in locations like System32, Temp, and ProgramData

- Located and terminated several mystartsearch/incredibar registry entries

- Uninstalled Incredibar.com toolbar from all of my browsers/the AddRemove Programs list

- Rebooted after many/all of these steps

The only indication remaining that I have an infection is that when I go to duckduckgo.com, it redirects me to mystartsearch. All other websites and search engines I've encountered are functioning normally. My home pages are normal. My search bars are normal. I don't get redirected away from Google or Yahoo. It's only duckduckgo that's giving me the problem.

As requested, here are the DDS log files:

Attach.txt

DDS.txt

Thank you for your assistance.

Ted


Hello TedTM and welcome to Malwarebytes! :welcome:

I am D-FRED-BROWN and I will be helping you. :)

Please print or save this topic: it will make it easier for you to follow the instructions and complete all of the necessary steps.

-------------

Please download to your Desktop:

  • TDSSKiller.zip from here and extract it (right click on it => "Extract here").

>>> TDSSKiller: Double-click on TDSSKiller.exe to run the application.

  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

In your next reply, please include the following (you may need to use two posts to get it all in):

  • TDSSKiller_log.txt

How is the PC running now?

-------------

Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

***IMPORTANT: save ComboFix to your Desktop***

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.

Also, please let me know if any problems still remain.

-------------

Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-------------

In your next reply, please include:

  • TDSSKiller logfile
  • C:\ComboFix.txt
  • Security Check checkup.txt

How is your computer running now?


Good afternoon, D-FRED-BROWN. Thank you for your assistance. :)

I hope this doesn't create a problem--but when I ran ComboFix (following all the on-site instructions), I locked my computer and went to go run an errand. While I was gone, the computer rebooted as a part of ComboFix's sequence. I came back to a lock screen, two hours later, unaware that it had rebooted, and opened up to what I thought was a hung up ComboFix. I assumed it had been running the whole time and had frozen, so I closed it before it gave me a log file and ran it again. I wasn't aware that it had actually rebooted until it did so again partway through the second run.

Again, my apologies, and I hope that didn't screw anything up. If it did, I can go try to fix the problem myself and won't bother you any longer.

Here are the text files saved by the respective scanners. After running all of them, I attempted to navigate to duckduckgo.com but was again redirected to mystart.incredibar.com.

Text files:

ComboFix_log.txt

SecurityCheck_checkup.txt

TDDSKiller_log.txt


I hope this doesn't create a problem--but when I ran ComboFix (following all the on-site instructions), I locked my computer and went to go run an errand. While I was gone, the computer rebooted as a part of ComboFix's sequence. I came back to a lock screen, two hours later, unaware that it had rebooted, and opened up to what I thought was a hung up ComboFix. I assumed it had been running the whole time and had frozen, so I closed it before it gave me a log file and ran it again. I wasn't aware that it had actually rebooted until it did so again partway through the second run.

I wouldn't worry about it. Sometimes, ComboFix has minor "hiccups" like that.

Again, my apologies, and I hope that didn't screw anything up. If it did, I can go try to fix the problem myself and won't bother you any longer.

You're doing fine! :)

-----------

Let's see if we can fix those redirect issues:

Please open Firefox.

In the address bar, type the following (in bold): about:config

Select I'll be careful, I promise!

In the top left-hand corner of the newly loaded page, copy and paste each of the following entries (in black bold). (ignore the ---- lines)

browser.search.defaultengine ----------------- Google

browser.search.defaultenginename ------------- Google

browser.search.order.1 ----------------------- Google

browser.search.selectedengineURL ------------- www.google.com

browser.startup.homepage --------------------- www.google.com

keyword.URL ---------------------------------- http://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=

Right-click, and select Modify on each of the Preference Names I have included above.

When the popup titled Enter String Value appears, copy and paste each respective Value located to the left of each Preference Name (in green bold).

You will have to do this for each of the entries I have listed. Make sure that in keyword.URL, you've typed the entire address I've included above.

When you have finished, please restart Firefox. Let me know if that helps.

-----------

Next,

Please do the following:

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

ClearJavaCache::

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I shall require in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Please include the newly-created C:\ComboFix.txt in your next reply, and let me know how things are running now ;)

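As an added example (not from the thread, and not part of Firefox or of any tool named in it), a Python check that reads a profile's prefs.js, compares the six preferences listed in the post above against the values it gives, flags any value still carrying an Incredibar/MyStart marker, and emits user.js lines that pin the expected values. The prefs.js fragment is constructed for the example.

```python
import re

# The six preference names and the values the helper's post tells the user to enter.
EXPECTED_PREFS = {
    "browser.search.defaultengine": "Google",
    "browser.search.defaultenginename": "Google",
    "browser.search.order.1": "Google",
    "browser.search.selectedengineURL": "www.google.com",
    "browser.startup.homepage": "www.google.com",
    "keyword.URL": "http://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=",
}

# Substrings that identify this thread's hijacker wherever they appear in a preference value.
HIJACK_MARKERS = ("incredibar", "mystart")

# Matches one line of prefs.js / user.js:  user_pref("name", value);
_PREF_RE = re.compile(r'^\s*(?:user_pref|pref)\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed sample profile fragment (not a real prefs.js): a hijacked search engine
# name and keyword.URL, two correct values, two unrelated preferences, two missing ones.
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences
user_pref("browser.search.defaultenginename", "MyStart Search");
user_pref("browser.search.selectedengineURL", "www.google.com");
user_pref("browser.startup.homepage", "www.google.com");
user_pref("keyword.URL", "http://mystart.incredibar.com/?q=");
user_pref("extensions.lastAppVersion", "12.0");
user_pref("browser.search.suggest.enabled", true);
"""


def parse_prefs(text):
    """Return {name: value} for every user_pref()/pref() line; strings, bools and ints are decoded."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue  # comment, blank line or the header banner
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw  # anything unexpected is kept as the raw token
        prefs[name] = value
    return prefs


def audit_search_prefs(prefs):
    """Return (name, current_value, reason) for every preference that needs attention.

    A value carrying a hijacker marker is reported as such; otherwise each of the six
    expected preferences is checked for being absent or different from the post's value.
    """
    findings = []
    for name in sorted(set(EXPECTED_PREFS) | set(prefs)):
        value = prefs.get(name)
        if isinstance(value, str) and any(mk in value.lower() for mk in HIJACK_MARKERS):
            findings.append((name, value, "hijacker marker"))
        elif name in EXPECTED_PREFS:
            if value is None:
                findings.append((name, None, "missing"))
            elif value != EXPECTED_PREFS[name]:
                findings.append((name, value, "differs from expected"))
    return findings


def user_js_fix_lines():
    """Lines for a user.js that pin the six preferences to the expected values."""
    return ['user_pref("%s", "%s");' % (name, value) for name, value in EXPECTED_PREFS.items()]


if __name__ == "__main__":
    for name, value, reason in audit_search_prefs(parse_prefs(SAMPLE_PREFS_JS)):
        print("%-36s %-22s %r" % (name, reason, value))
    print("\n".join(user_js_fix_lines()))
```

Firefox reads user.js from the profile folder at every start and applies it over prefs.js, so the emitted lines keep the values from being silently changed back.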

I wouldn't worry about it. Sometimes, ComboFix has minor "hiccups" like that.

You're doing fine! :)

Thank you. :)

1. I made the requested changes in Firefox's about:config, and alas, I am still having redirecting issues.

I'd also like to note that the redirecting issue is only present in Google Chrome and Mozilla Firefox, but NOT Internet Explorer.

I'm not sure if this has always been the case, as I only checked Chrome and Firefox when I started noticing this issue.

2. Here is the new ComboFix log:

ComboFix_log_2.txt

Thanks again,

TedTM


Let's try to erase any remaining traces of Incredibar:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :folderfind
    *incredibar*

    :filefind
    *incredibar*

    :regfind
    *incredibar*


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop, entitled SystemLook.txt.

---------

Sometimes program removals don't go as planned. Revo Uninstaller is helpful for removing any traces that Windows may have missed when removing certain programs:

Please download and install Revo Uninstaller (Freeware) from here. Then please run Revo Uninstaller and select Incredibar (or anything related to Incredibar).

Please click the Uninstall icon to uninstall the selected program.

2ev563d.gif

Please choose Advanced.

aubbd2.gif

Then click Next and follow the prompts.

Please click Select All (1.) and Delete (2.)

2hdphqf.gif

to delete all registry items, folders and files listed by Revo.

If asked to restart the computer, please do so immediately.

Let me know how things go :).


Here is the log for SystemLook:

SystemLook.txt

Getting rid of Incredibar Toolbar for IE using Revo with Advanced Removal was actually one of the first things I did to try to get rid of it. I just checked again and there is no trace of anything Incredibar or MyStart related in the installations list.

Thanks,

TedTM


Question: would you be willing to reinstall Chrome and Firefox? I've encountered nasty toolbars like this in the past, and oftentimes the only sure-fire way to fix it was to just wipe the browser and start over. If you can't do that (keep in mind we can try to keep as much of your data as we can), we can explore some other methods, but I really think that reinstalling both browsers would be the quickest and most efficient thing we could do at this point.

Let me know how you wish to proceed ;).

----------

In the meantime, let's run an online scan to verify there's no traces left of the main infection that we may have missed:

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats is Unchecked and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic


I un/reinstalled both browsers, and Incredibar is gone! It doesn't redirect me away from duckduckgo anymore. :) Thank you so much!

When I ran ESET, it scanned my attached drives, which have some password recovery tools and such that most AV programs consider threatening, so I stopped scanning, restored all the quarantined files (which were all legitimate), and re-ran the scan on only my C drive. On the second run, no threats were found.

Here is the log for ESET:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner64.ocx - registred OK

OnlineScanner.ocx - registred OK

esets_scanner_update returned -1 esets_gle=53251

# version=7

# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=89cd51306fbe4a4a801c91259529aa6f

# end=stopped

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2012-05-27 01:07:22

# local_time=2012-05-26 09:07:22 (-0500, Eastern Daylight Time)

# country="United States"

# lang=1033

# osver=6.1.7601 NT Service Pack 1

# compatibility_mode=5893 16776574 100 94 0 89619224 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=261199

# found=7

# cleaned=7

# scan_time=5089

H:\Customer Backups\WinXP Backup\Amy Sadler\Amy Sadler's Documents\Downloads\CouponPrinter.exe probably a variant of Win32/Adware.Softomate.AD application (deleted - quarantined) 00000000000000000000000000000000 C

S:\Installations and Zips\Wyatt's Toolkit\HardDVD\Hard Core\Anti virus~Spyware - Worms -Hijacks -\Removers\NNuninstall.exe a variant of Win32/Adware.NdotNet.AA application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

S:\Installations and Zips\Wyatt's Toolkit\HardDVD\Hard Core\Anti virus~Spyware - Worms -Hijacks -\Removers\ps_uninstaller.exe probably a variant of Win32/Adware.MediaTickets application (deleted - quarantined) 00000000000000000000000000000000 C

S:\Installations and Zips\Wyatt's Toolkit\HardDVD\Hard Core\Backup tools (email as well)\Portable Driver_Genius_9_Pro\App\SetKey.exe probably a variant of Win32/Agent.BJSCQS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

S:\Installations and Zips\Wyatt's Toolkit\HardDVD\Hard Core\hacktools\keyloggers\GKL 380.exe Win32/Spy.GhostKeyLogger.C trojan (deleted - quarantined) 00000000000000000000000000000000 C

S:\Installations and Zips\Wyatt's Toolkit\HardDVD\Hard Core\hacktools\keyloggers\Perfect.Keylogger\i_bpk2007.exe multiple threats (deleted - quarantined) 00000000000000000000000000000000 C

S:\Installations and Zips\Wyatt's Toolkit\HardDVD\Hard Core\hacktools\keyloggers\Perfect.Keylogger\keygen.exe probably a variant of Win32/Agent.DBUKGYL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

esets_scanner_update returned -1 esets_gle=53251

# version=7

# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=89cd51306fbe4a4a801c91259529aa6f

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2012-05-27 01:57:14

# local_time=2012-05-26 09:57:14 (-0500, Eastern Daylight Time)

# country="United States"

# lang=1033

# osver=6.1.7601 NT Service Pack 1

# compatibility_mode=5893 16776574 100 94 0 89624592 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=240030

# found=0

# cleaned=0

# scan_time=2712

Thank you again for your time and your help. It's been greatly appreciated. The work that you all do here is wonderful for the IT world, both professional and lay. Please continue it for as long as you can. :)

Sincerely,

TedTM

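Added example, not part of the thread and not ESET's own code: a Python parser for the log format posted above, run on a constructed sample in the same layout (paths shortened, a few header lines dropped). It also flags what a reviewer would check in that log: remove_checked=true means the scanner deleted and quarantined detections instead of only reporting them (the instructions above asked for that box to be unchecked), and end=stopped marks a run that did not complete.

```python
import re

# One detection line: "<path> <threat description> (<action>) <32-hex hash> <flag>".
# Path and description are both space-separated, so the line is split from the right.
_TAIL_RE = re.compile(r"^(?P<body>.+) \((?P<action>[^()]+)\) (?P<hash>[0-9a-fA-F]{32}) (?P<flag>\S+)$")
# Where the description starts inside the file-name part of <body>: "a variant of ...",
# "probably a variant of ...", "multiple threats" or "Family/Name.X type".
_THREAT_START_RE = re.compile(r" (?=(?:probably )?a variant of |multiple threats|[A-Za-z0-9]+/[A-Za-z0-9._-]+ )")

# Constructed sample in the layout of the log above: a run the user stopped, then a full run.
SAMPLE_ESET_LOG = r"""
ESETSmartInstaller@High as CAB hook log:
esets_scanner_update returned -1 esets_gle=53251
# version=7
# end=stopped
# remove_checked=true
# scanned=261199
# found=3
# cleaned=3
H:\Backup\Downloads\CouponPrinter.exe probably a variant of Win32/Adware.Softomate.AD application (deleted - quarantined) 00000000000000000000000000000000 C
S:\Toolkit\keyloggers\GKL 380.exe Win32/Spy.GhostKeyLogger.C trojan (deleted - quarantined) 00000000000000000000000000000000 C
S:\Toolkit\keyloggers\Perfect.Keylogger\i_bpk2007.exe multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
esets_scanner_update returned -1 esets_gle=53251
# version=7
# end=finished
# remove_checked=true
# scanned=240030
# found=0
# cleaned=0
"""


def _split_detection(line):
    """Split one detection line into its fields, or return None if it is not one."""
    m = _TAIL_RE.match(line)
    if not m:
        return None
    body = m.group("body")
    head, sep, tail = body.rpartition("\\")  # only the file-name part can hold the description
    t = _THREAT_START_RE.search(tail)
    if t:
        path, threat = head + sep + tail[: t.start()], tail[t.start():].strip()
    else:
        path, threat = body, ""  # unknown description style: keep the whole body as the path
    return {"path": path, "threat": threat, "action": m.group("action"),
            "hash": m.group("hash").lower(), "flag": m.group("flag")}


def parse_eset_log(text):
    """Return one {"header": {...}, "detections": [...]} dict per scan run in the log."""
    runs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# version="):  # every run starts with its version line
            current = {"header": {}, "detections": []}
            runs.append(current)
        if current is None:
            continue  # installer / hook lines before the first run
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            current["header"][key] = value  # repeated keys (compatibility_mode): last one wins
        else:
            det = _split_detection(line)
            if det:
                current["detections"].append(det)
    return runs


def quarantined_paths(run):
    """Paths the scanner moved to quarantine in this run (candidates for restore review)."""
    return [d["path"] for d in run["detections"] if "quarantined" in d["action"]]


def flag_deviations(run):
    """Notes where a run departs from the thread's instructions (Remove found threats
    unchecked, scan allowed to finish) or where the header and the body disagree."""
    h, notes = run["header"], []
    if h.get("remove_checked") == "true":
        notes.append("remove_checked=true: detections were deleted/quarantined, not just reported")
    if h.get("end") != "finished":
        notes.append("end=%s: the scan did not run to completion" % h.get("end", "unknown"))
    if h.get("found", "0") != str(len(run["detections"])):
        notes.append("found=%s but %d detection lines parsed" % (h.get("found"), len(run["detections"])))
    return notes
```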

That is great news!

Thank you again for your time and your help. It's been greatly appreciated. The work that you all do here is wonderful for the IT world, both professional and lay. Please continue it for as long as you can. :)

Thank you very much, I appreciate it :).

-------

Before we move on, let's update some of your programs.

Program updates are a crucial step in preventing malware, as outdated applications are often used by cybercriminals to gain a foothold on your system.

Java is out of date and older versions contain vulnerabilities. Please update to the newest version.

Download the newest version from here http://www.oracle.co...oads/index.html.

It's important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.

Go to Start > Control Panel and open Add or Remove Programs.

Search the list for all previously installed versions of Java (J2SE Runtime Environment).

They will have this icon next to them: javaicon.gif

Select each in turn and click Remove.

Once old versions are gone, please install the newest version.

-------

Let me know how the program updates go, as failed updates may be a sign of additional malware. ;)


Thank you very much, I appreciate it :).

You're most welcome. :)

I uninstalled/updated Java successfully, as well as both IE and non-IE versions of Adobe Flash Player.

On a side note, is it odd that when an external program tries to open a new window/tab for me (like after an installation), it says that there was an "error sending a command to the program" but opens the new tab anyway?

Thanks,

TedTM


On a side note, is it odd that when an external program tries to open a new window/tab for me (like after an installation), it says that there was an "error sending a command to the program" but opens the new tab anyway?

Is that a recurring event? It sure would be if it was. If it happens all the time, please let me know and we'll do what we can to fix that.

(Sorry to double post, but I can't find the edit button if there is one)

No worries! It's actually easier for me if you double-post... that way, I don't potentially miss anything that you've edited into a previous post.

I forgot to mention that I could not locate Java RE in the link you sent me, but I managed to find it here: http://java.com/en/download/index.jsp

The Oracle page you gave me wanted me to download the Java developer's kits.

Thanks for letting me know, I'll go ahead and adjust that link for future use. :)

I'm glad to hear the updates went well! Unless there are any further issues, I will now provide you with some suggestions for security software.

First, let's remove ComboFix:

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

-------------

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future. :)

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

It is really dangerous to go online without an antivirus. Without one, you are extremely likely to get infected and the consequences could be even worse next time. All of the following are excellent free antiviruses. Be sure to only install one.

avast!.

AntiVir

AVG

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Spybot-Search & Destroy

A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features if you don't have the resident part of another anti-spyware program running.

SpywareBlaster

A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

SpywareGuard

A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

Please, consider maintaining a firewall with HIPS (Host Intrusion Prevention Systems). Firewalls are extremely important and are the first part of your computer's defense. HIPS stops malware by monitoring its behavior and it's very important, too.

A firewall is a software program or piece of hardware that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet.

If you are using the Windows Firewall please note that it doesn't monitor or block outbound traffic and is therefore less effective than other free alternatives.

These firewalls are good and do have free versions available

A tutorial on understanding and using firewalls may be found here.

If you use Internet Explorer, it is a good idea to use IE-Spyad for ZonedOut which provides protections against malicious websites. (Requires 2 downloads)

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster and IE-Spyad can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:

http://www.spywarewa...nti-spyware.htm

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested, Firefox may be downloaded from here

Opera is available here: http://www.opera.com/download/

For much more useful information, please also read Tony Klein's excellent article: How did I get infected in the first place

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help. :)


On a side note, is it odd that when an external program tries to open a new window/tab for me (like after an installation), it says that there was an "error sending a command to the program" but opens the new tab anyway?

Is that a recurring event? It sure would be if it was. If it happens all the time, please let me know and we'll do what we can to fix that.

It happens occasionally, but I can't get it to do it again. Should I post on here if it does?

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

ComboFix successfully uninstalled. :)

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

Already done and double-checked regularly.

It is really dangerous to go online without an antivirus. Without one, you are extremely likely to get infected and the consequences could be even worse next time. All of the following are excellent free antiviruses. Be sure to only install one.

I have used both AVG and Avast! Antivirus suites, but for the past two years I have been using Microsoft Security Essentials, which I have found to be more accurate in virus and spyware detection than the other systems I have used. It integrates seamlessly with Windows, updates regularly through Windows Update, and uses little background resources.

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Is Malwarebytes Anti-Malware sufficient for my anti-spyware needs? I've found it effective for the several years I've used it. Or should I add another one of the mentioned programs to my arsenal?

Please, consider maintaining a firewall with HIPS (Host Intrusion Prevention Systems). Firewalls are extremely important and are the first part of your computer's defense. HIPS stops malware by monitoring its behavior and it's very important, too.

A firewall is a software program or piece of hardware that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet.

If you are using the Windows Firewall please note that it doesn't monitor or block outbound traffic and is therefore less effective than other free alternatives.

I downloaded and am about to install Outpost Security Suite. :) Thank you!

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

I have been using Mozilla Firefox for a long time now, and am very happy with it. I also use Google Chrome as a backup browser when something in Firefox goes awry, so I never have to open IE unless it's for something very specific.

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help. :)

They have, and thank you so much. :)


It happens occasionally, but I can't get it to do it again. Should I post on here if it does?

If it starts occurring often, let me know. Otherwise, I think it's just a bug or something software-related. I wouldn't worry about it at this point. ;)

Is Malwarebytes Anti-Malware sufficient for my anti-spyware needs? I've found it effective for the several years I've used it. Or should I add another one of the mentioned programs to my arsenal?

Malwarebytes is designed to work with your existing antivirus program. If you're running MSE + Malwarebytes, you should be just fine. :)

I downloaded and am about to install Outpost Security Suite. :) Thank you!

That's a good program! and you're welcome!

I have been using Mozilla Firefox for a long time now, and am very happy with it. I also use Google Chrome as a backup browser when something in Firefox goes awry, so I never have to open IE unless it's for something very specific.

Same here, I'm a big Firefox fan :D.

They have, and thank you so much. :)

My pleasure!

Glad to hear things are well! If you have any other questions or concerns, don't hesitate to ask.

Otherwise, I will have this thread closed. You can still reach me by private message here on the site if you need anything.

Kind regards,

-DFB


Glad to hear things are well! If you have any other questions or concerns, don't hesitate to ask. ;)

Otherwise, I will have this thread closed. You can still reach me by private message here on the site if you need anything. :)

Kind regards,

-DFB


  • 2 weeks later...

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.