Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Help with FBI windowlock encrypt ransomware $300 virus


  • Please log in to reply

#46
wharriss

wharriss

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 105 posts

I think when you activate a norton product, it automatically contacts norton, but the activation screen kept saying I didn't have internet connection which I do right now and had at the time the problems began. I may be paranoid, but I have suspected some hanky panky when communicating with norton support in asia. This fellow today wanted me to use a norton rep to check my computer for virus.


  • 0

Advertisements


#47
wharriss

wharriss

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 105 posts

When I opened safe mode, the error box  came up saying the problem was blue screen and gave some BCP codes which I tried to copy copy and paste but that won't work on this


  • 0

#48
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,016 posts
  • MVP

Can you get Norton's Removal tool?

 

ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe

 

Save it then right click and Run As Admin.

 

 

I don't remember seeing a proxy but you can turn it off:

 

In IE, Tools, Internet Options, Connections, LAN Settings, then uncheck all boxes and OK. Close IE and restart IE.
 
In FireFox, (Tools or the Firefox button), Options, Advanced, Settings, check No Proxy then OK.  Close Firefox and restart Firefox.
 
In Chrome, Wrench, Options, Under the Hood, Change Proxy Settings, uncheck all boxes, OK.

  • 0

#49
wharriss

wharriss

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 105 posts

Ron

 

My proxy setting in Firefox was "use system proxy settings"  I changed the setting to "no proxy" and restarted firefox.  

I did this procedure 3 times but the connection under advanced options keeps going back to "use system options"

 

I have run the norton " remove and reinstall " tool. The latest norton product has downloaded and is waiting for me to restart the computer at which time the installation will start automatically........

 

Maybe I should just have just run their "uninstall tool" like you gave me the link but I already had the remove and reinstall tool on my desktop. I screwed up, didn't follow instructions.

 

Should I go ahead and reboot knowing I have the system proxy connection?

 

And assuming I will have to get back into safe mode?


Edited by wharriss, 17 February 2015 - 05:17 PM.

  • 0

#50
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,016 posts
  • MVP

FF is just saying it is using whatever Internet Explorer has set so if IE is not using a proxy then it won't either.

 

Were you able to get a ntbtlog without Norton installed?


  • 0

#51
wharriss

wharriss

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 105 posts

No I was not able to get a log with norton uninstalled but here is the ntbtlog.txt with the new norton product installed

Attached File  ntbtlog.txt   376.08KB   28 downloads


  • 0

#52
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,016 posts
  • MVP

The no name drivers are gone in the last boot.    You can turn off the boot logging now.  Just go back into msconfig and uncheck the boot log option.  OK.

 

You can also delete C:\windows\ntbtlog.txt if you want to.

 

Let's check the alarms now:

 

 

 

 
Right click on (My) Computer and select Manage (Continue) Then click on the arrow in front of Event Viewer. Next Click on the arrow in front of Windows Logs Right click on System and Clear Log, Clear. Repeat for Application.
 
Reboot. 
 
2. Right-click VEW.exe and Run AS Administrator
3. Under 'Select log to query', select:
 
* System
4. Under 'Select type to list', select:
* Error
* Warning
 
 
Then use the 'Number of events' as follows:
 
 
1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.
 
 
Please post the Output log in your next reply then repeat but select Application.
 
How is it running now?
 
 

  • 0

#53
wharriss

wharriss

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 105 posts

All instructions your last post completed

Here are the logs

I think the computer is running fine. I haven't seen anything weird lately.

 

Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 17/02/2015 10:25:45 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 18/02/2015 3:22:39 AM
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.
 

 

Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 17/02/2015 10:30:47 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 18/02/2015 3:24:24 AM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: NOBuClient.exe, version: 2.1.17869.0, time stamp: 0x4c056071 Faulting module name: NOBuClient.exe, version: 2.1.17869.0, time stamp: 0x4c056071 Exception code: 0xc0000005 Fault offset: 0x0000000000019f6f Faulting process id: 0x1550 Faulting application start time: 0x01d04b2a634deca7 Faulting application path: C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe Faulting module path: C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe Report Id: a25d2490-b71d-11e4-b1c9-643150227862

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 18/02/2015 3:22:38 AM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.     DETAIL -   5 user registry handles leaked from \Registry\User\S-1-5-21-4215829332-950673753-2765580295-1001:
Process 640 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4215829332-950673753-2765580295-1001
Process 640 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4215829332-950673753-2765580295-1001
Process 640 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4215829332-950673753-2765580295-1001\Software\Microsoft\SystemCertificates\My
Process 640 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4215829332-950673753-2765580295-1001\Software\Microsoft\SystemCertificates\CA
Process 640 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4215829332-950673753-2765580295-1001\Software\Microsoft\SystemCertificates\Disallowed

 


  • 0

#54
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,016 posts
  • MVP

You do have one new error from Norton:

 

Log: 'Application' Date/Time: 18/02/2015 3:24:24 AM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: NOBuClient.exe, version: 2.1.17869.0, time stamp: 0x4c056071 Faulting module name: NOBuClient.exe, version: 2.1.17869.0, time stamp: 0x4c056071 Exception code: 0xc0000005 Fault offset: 0x0000000000019f6f Faulting process id: 0x1550 Faulting application start time: 0x01d04b2a634deca7 Faulting application path: C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe Faulting module path: C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe Report Id: a25d2490-b71d-11e4-b1c9-643150227862

 

 

So I assume something didn't quite install correctly.  Norton Online backup is I think just a trial version.  Perhaps you can uninstall it or turn it off.  See:

 

https://www.backup.c...backup-faq.html


  • 0

#55
wharriss

wharriss

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 105 posts

Ok I think the problem was that I had never signed into the backup with username and password, so I think that error can be ignored.

 

Here is latest view files

 

Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 17/02/2015 11:41:41 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 18/02/2015 3:22:39 AM
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.
 

 

Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 17/02/2015 11:43:24 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 18/02/2015 3:24:24 AM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: NOBuClient.exe, version: 2.1.17869.0, time stamp: 0x4c056071 Faulting module name: NOBuClient.exe, version: 2.1.17869.0, time stamp: 0x4c056071 Exception code: 0xc0000005 Fault offset: 0x0000000000019f6f Faulting process id: 0x1550 Faulting application start time: 0x01d04b2a634deca7 Faulting application path: C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe Faulting module path: C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe Report Id: a25d2490-b71d-11e4-b1c9-643150227862

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 18/02/2015 3:22:38 AM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.     DETAIL -   5 user registry handles leaked from \Registry\User\S-1-5-21-4215829332-950673753-2765580295-1001:
Process 640 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4215829332-950673753-2765580295-1001
Process 640 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4215829332-950673753-2765580295-1001
Process 640 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4215829332-950673753-2765580295-1001\Software\Microsoft\SystemCertificates\My
Process 640 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4215829332-950673753-2765580295-1001\Software\Microsoft\SystemCertificates\CA
Process 640 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4215829332-950673753-2765580295-1001\Software\Microsoft\SystemCertificates\Disallowed

 


Edited by wharriss, 17 February 2015 - 10:45 PM.

  • 0

Advertisements


#56
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,016 posts
  • MVP

The problem may be on their end.  I just went to the Norton Online Backup page to see if you could download it separately and got:

 

 

 

 


Nobu is busy doing maintenance.

We are sorry but Norton Online Backup is currently down for scheduled improvements; please check back with us again soon.

NOTE: If you are attempting to activate your account for the first time, please try again later.

 

 

 

 

 

Perhaps it needs to talk to the mother ship and its off in never-never land.

 

I definitely think you should switch to Kaspersky.  You get a lot better protection and I doubt they will try and rip you off like Norton just did with their Norton Online Backup.

 

I think we are about as done as we can get.  I'm going to give you my canned goodbye.  Please note the stuff in bold.  That's something you could have used to prevent the FBI infection.

 

 
OK.  It looks like it worked OK.  Unless you see other problems I think we are done and can clean up
 
Copy the following:
 
 
:Commands
[CLEARALLRESTOREPOINTS]
[Reboot]
 
Right click on OTL and Run As Administrator.   In the Custom Scans/Fixes box at the bottom, paste in the copied text (Ctrl + v) and then hit Run Fix.
 
That will get the last of the malware off the system.
 
 
 
You can uninstall or delete any tools we had you download and their logs. 
 
If we ran Combofix:To uninstall combofix, copy the next line:
 
"%userprofile%\Desktop\combofix.exe" /Uninstall
 
Start, All Programs, Accessories then right click on Command Prompt and Run As Administrator.
then right click, Paste, then hit Enter.
 
 
 
OTL has a cleanup tab but DO NOT USE IT!.  There are reports that it leaves the PC unbootable.  Instead just delete  OTL.exe and the folder c:\_OTL.
 
To hide hidden files again:
 
Vista or Win7
 
# Open the Control Panel menu and click Folder Options.
# After the new window appears select the View tab.
# Remove the check in the  checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the radio button labeled Do not Show hidden files and folders.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and exit My Computer. 
 
Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.  
 
Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program.  There is an exploit out there now that can use it to get on your PC.  For Adobe Reader:  Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript.  OK Close program.  It's the same for Foxit reader except you uncheck Enable Javascript Actions. 
 
Unless you have the latest version of Avast which has its own update checker:  To help keep your programs up-to-date you should download and run the UpdateChecker: 
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it.  Exception is MSN messenger which appears to be part of Windows.)
If you get a blocked program notice after installing updatechecker then change it to not run at start then manually run it once a week.
 Seems to work best if Firefox is the default browser.  Windows always hides its icon so you need to unhide it.  Click on the up arrow to the left of the clock.  Then click on Customize.  Maximize the window so you can see all of the options.  Scroll Down and find the File Hippo UpdateChecker and change its Behaviors to Show Icon and Notifications.  OK.  When you reboot you should see the icon.  It will take it a minute to finish checking then it will put up a bubble if you need to update something. Click on the bubble and it should open in your browser.  (Seems to work best if it uses Firefox.  If you do not use Firefox as your default browser then right click on the icon and click on Settings. Then on Results.  Change the Open Results in Default Browser to Custom Browser and then select the line that has Firefox.exe in it.  While there, also check Hide Beta Versions.  OK. )  You will see a list of programs that have updates with green down arrows next to them.  You do not need to download any Beta Versions.  There is an option Settings to Hide Beta Versions.  I do not advise updating Windows Messenger unless you really use it so I right click on the Icon and Customize Results then find Microsoft Messenger and change Show All Releases to Hide All Releases.  OK. 
 
 
If you use Chrome/Firefox/IE then get the AdBlock Plus Add-on.  Go to adblockplus.org with each browser and get the add-on.  I always go into the options and turn off allowing well behaved adware.  Apparently adware is considered well-behaved if they give adblock some money.
 
If Chrome/Firefox is slow loading make sure it only has the current Java add-on.  Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox .  Close Chrome/Firefox. Hit Optimize.   You can run it any time that Chrome/Firefox seems slow.
 
Be warned:  If you use Limewire, utorrent or any of the other P2P programs you will almost certain be coming back to the Malware Removal forum.  If you must use P2P then submit any files you get to http://virustotal.com before you open them.
 
Due to a recent rise in the number of Crytolocker infections I am now recommending you install:
 
CryptoPrevent
 
 
The free version does not update on its own so you should check for updated versions once in a while.
 
 
 
If you have a router, log on to it today and change the default password!  If using a Wireless router you really should be using encryption on the link.  Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business.  See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important.  If you don't know how, visit the router maker's website.  They all have detailed step by step instructions or a wizard you can download.
 
Special note on Java.  Old Java versions should be removed after first clearing the Java Cache by following the instructions in:
Then remove the old versions by going to Control Panel, Programs and Features and Uninstall all Java programs which are not Java Version 7 update 25 or better.  These may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE.  Get the latest version from Java.com.  They will usually attempt to foist some garbage like the Ask toolbar, Yahoo toolbar or McAfee Security Scan on you as part of the download.  Just uncheck the garbage before the download (or install) starts.  If you use a 64-bit browser and want the 64-bit version of Java you need to use it to visit java.com.
Due to multiple security problems with Java we are now recommending that it not be installed unless you absolutely know you need it.  IF that is the case then go to Control Panel, Java, Security and slide it up to the highest level.  OK.
 
Make sure Windows Updates is turned and that it works.  Go to Control panel, Windows Updates and see if it works.  
 
 
My help is free but if you wish to show your appreciation, please donate to Kwiaht instead of me. It's a local environmental organization that I volunteer with: http://www.kwiaht.org/donate.htm
(The name means something like "clean place" in one of the local native-American dialects)
 
Ron

  • 0

#57
wharriss

wharriss

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 105 posts

Ron

Thank you for all your work on my problem.

You are amazingly proficient at this...like the top athletes these days do things that just don't seem possible.

This is the second computer you have cleaned for me.

I hope I won't be back soon, but I enjoyed following your very clear instructions to the completion.

Rich Harriss

Henderson NC down the road from Greensboro on I-85


  • 0

#58
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,016 posts
  • MVP

I used to work for AT&T just east of Greensboro at exit 132 off I-85.  My oldest daughter still lives in Greensboro.  


  • 0

#59
wharriss

wharriss

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 105 posts

Good morning Ron

Computer is running good. No problems with computer or  firefox browser running properly as far as I can see, however

One thing I am questioning

Every time I run MBAM I get 21 instances of PUP.incredibar. MBAM give me the option to quarantine, which I do, but I can immediately run MBAM again and get  the 21 warnings again..

Here is the MBAM scan results. Thank you for checking and advising

 

Thanks

Rich

 

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2/20/2015
Scan Time: 9:12:29 AM
Logfile: MBAMscan.txr.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.02.20.05
Rootkit Database: v2015.02.03.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Rich

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 514657
Time Elapsed: 10 min, 42 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 21
PUP.Optional.Incredibar.A, C:\Users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\f3ykms63.default\prefs.js, Good: (), Bad: (user_pref("extensions.incredibar_i.aflt", "orgnl");), ,[476e0e121971ac8abbc8a4609d6903fd]
PUP.Optional.Incredibar.A, C:\Users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\f3ykms63.default\prefs.js, Good: (), Bad: (ences

/* Do not edit this file.
 *
 * If you), ,[2b8ad84872184bebf291c83cd92ded13]
PUP.Optional.Incredibar.A, C:\Users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\f3ykms63.default\prefs.js, Good: (), Bad: (erences

/* Do not edit this file.
 *
 * If yo), ,[7540d947b5d50630b4cf2dd7f70fb54b]
PUP.Optional.Incredibar.A, C:\Users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\f3ykms63.default\prefs.js, Good: (), Bad: (rences

/* Do not edit this file.
 *
 * If you m), ,[ad082000e5a5320493f052b217ef20e0]
PUP.Optional.Incredibar.A, C:\Users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\f3ykms63.default\prefs.js, Good: (), Bad: (nces

/* Do not edit this file.
 *
 * If you make changes to this file w), ,[c5f0f12ffc8e082e83002dd7ae5807f9]
PUP.Optional.Incredibar.A, C:\Users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\f3ykms63.default\prefs.js, Good: (), Bad: (his file.
 *
 * If you make changes to this file while the a), ,[12a32bf5d7b3989e572cd52f25e1a060]
PUP.Optional.Incredibar.A, C:\Users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\f3ykms63.default\prefs.js, Good: (), Bad: ( Do not edit this file.
 *
 * If you make changes to ), ,[bff6918f3d4ddf577e0539cb7c8abe42]
PUP.Optional.Incredibar.A, C:\Users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\f3ykms63.default\prefs.js, Good: (), Bad: (s

/* Do not edit this file.
 *
 * If you make), ,[bff6d44ca1e9b086b4cf25df010543bd]
PUP.Optional.Incredibar.A, C:\Users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\f3ykms63.default\prefs.js, Good: (), Bad: (rences

/* Do not edit this file.
 *
 * If you ), ,[6451140c4347d1652063d0343ec822de]
PUP.Optional.Incredibar.A, C:\Users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\f3ykms63.default\prefs.js, Good: (), Bad: (ences

/* Do not edit this file.
 *
 * If you m), ,[cfe6140c7b0f8ea833500afa33d36898]
PUP.Optional.Incredibar.A, C:\Users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\f3ykms63.default\prefs.js, Good: (), Bad: (ences

/* Do not edit this file.
 *
 * If you make ch), ,[f8bd5dc3593180b6a4df39cb5babe41c]
PUP.Optional.Incredibar.A, C:\Users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\f3ykms63.default\prefs.js, Good: (), Bad: (

/* Do not edit this file.
 *
 * If you make chan), ,[7d3859c7088272c4afd44eb6e2245aa6]
PUP.Optional.Incredibar.A, C:\Users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\f3ykms63.default\prefs.js, Good: (), Bad: (ces

/* Do not edit this file.
 *
 * If you make change), ,[efc6a77997f39e98fd86d52f8e787090]
PUP.Optional.Incredibar.A, C:\Users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\f3ykms63.default\prefs.js, Good: (), Bad: (
/* Do not edit this file.
 *
 * If you make change), ,[585dad73f5952a0c0380669ed72f7d83]
PUP.Optional.Incredibar.A, C:\Users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\f3ykms63.default\prefs.js, Good: (), Bad: (ces

/* Do not edit this file.
 *
 * If you make), ,[caeb29f7f19965d1dca7d430c046e31d]
PUP.Optional.Incredibar.A, C:\Users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\f3ykms63.default\prefs.js, Good: (), Bad: (nces

/* Do not edit this file.
 *
 * If you make changes to this file while the application is running,
 * the ch), ,[476ef030d5b5db5b156e45bfa6602dd3]
PUP.Optional.Incredibar.A, C:\Users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\f3ykms63.default\prefs.js, Good: (), Bad: (is file while the application is running,
 * the change), ,[4c69ac747e0c81b5e99a1ce80cfa0bf5]
PUP.Optional.Incredibar.A, C:\Users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\f3ykms63.default\prefs.js, Good: (), Bad: (

/* Do not edit this file.
 *
 * If you make changes to thi), ,[2d88ea367f0bdb5b255e9272c34302fe]
PUP.Optional.Incredibar.A, C:\Users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\f3ykms63.default\prefs.js, Good: (), Bad: (o not edit this file.
 *
 * If you make changes to th), ,[1d98a17f56346ec8bdc6d43028dee719]
PUP.Optional.Incredibar.A, C:\Users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\f3ykms63.default\prefs.js, Good: (), Bad: (s

/* Do not edit this file.
 *
 * If you make changes to thi), ,[fdb852cee3a74de9166d33d12adc60a0]
PUP.Optional.Incredibar.A, C:\Users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\f3ykms63.default\prefs.js, Good: (), Bad: ( not edit this file.
 *
 * If you make changes to this), ,[971e63bde7a3fd39f192a95b877f6e92]

Physical Sectors: 0
(No malicious items detected)


(end)


  • 0

#60
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,016 posts
  • MVP

Are you closing Firefox before you let MBAM remove the incredibar?

 

Have you looked in the Settings (3 horizontal bars in the upper right of Firefox) Add-ons, Extensions?  Can you disable Incredibar or trashcan it?

 

I would think adwcleaner would get it

 

Download : ADWCleaner to your desktop.  Make sure you get the correct Download button.  Sometimes the ads on BleepingComputer will mimic the real Download button which should say: Download Now @BleepingComputer
 
NOTE: If using Internet Explorer and you get an alert that stops the program downloading, click on the warning and allow the download to complete.
 
Close  all programs, pause your anti-virus and run AdwCleaner (Vista or Win 7 => right click and Run As Administrator).
 
scan-results.jpg
 
Click on Scan  and follow the prompts. Let it run unhindered. When done, click on the Clean button, and follow the prompts. Allow the system to reboot. You will then be presented with the report. Copy & Paste this report on your next reply.
 
The report will be saved in the C:\AdwCleaner folder.
 
 
 

but if not you can run FRST and we can hunt it down.

 

Please download Farbar Recovery Scan Tool and save it to your Desktop. 
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. 
 
  •  
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer. 
  • Press Scan button. 
  • It will produce a log called FRST.txt in the same directory the tool is run from.  
  • Please copy and paste log back here. 
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply. 

    • 0






    Similar Topics

    0 user(s) are reading this topic

    0 members, 0 guests, 0 anonymous users

    As Featured On:

    Microsoft Yahoo BBC MSN PC Magazine Washington Post HP