Help with FBI windowlock encrypt ransomware $300 virus


#61
wharriss (Topic Starter, Member, 105 posts)

I had not been closing Firefox to run MBAM.

No references to Incredibar were showing in add-ons, extensions or plugins.

I did close Firefox and ran the scan. Got the same 21 instances. Quarantined them.

Ran MBAM again immediately with Firefox still closed and got the same 21 instances.

Closed everything, including pausing Norton. Norton will not let me download and save AdwCleaner.

I ran AdwCleaner and here is the report. Appears to me AdwCleaner got it. After I make this post I will close Firefox and run MBAM again.

# AdwCleaner v4.111 - Logfile created 20/02/2015 at 11:48:49
# Updated 18/02/2015 by Xplode
# Database : 2015-02-18.3 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Rich - PAVILIONELITE
# Running from : C:\Users\Rich\Desktop\AdwCleaner.exe
# Option : Cleaning

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Users\Guest\AppData\LocalLow\HPAppData
Folder Deleted : C:\Users\Rich\AppData\LocalLow\HPAppData
Folder Deleted : C:\Users\Rich\AppData\Roaming\pccustubinstaller
Folder Deleted : C:\Users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\f3ykms63.default\Extensions\[email protected]ant.com
File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
File Deleted : C:\Users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\f3ykms63.default\invalidprefs.js
File Deleted : C:\Users\Guest\AppData\Roaming\Mozilla\Firefox\Profiles\n19k812j.default\searchplugins\safesearch.xml
File Deleted : C:\Users\norton\AppData\Roaming\Mozilla\Firefox\Profiles\gq6socfw.default\searchplugins\safesearch.xml
File Deleted : C:\Users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\f3ykms63.default\searchplugins\safesearch.xml
File Deleted : C:\Users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\f3ykms63.default\user.js

***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A43DE495-3D00-47D4-9D2C-303115707939}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{8DCB7100-DF86-4384-8842-8FA844297B3F}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8DCB7100-DF86-4384-8842-8FA844297B3F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8DCB7100-DF86-4384-8842-8FA844297B3F}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{8DCB7100-DF86-4384-8842-8FA844297B3F}]
Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E7190224-F19B-4F52-A26D-F7259C9C0A65}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E7190224-F19B-4F52-A26D-F7259C9C0A65}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E7190224-F19B-4F52-A26D-F7259C9C0A65}
Key Deleted : HKCU\Software\IM
Key Deleted : HKCU\Software\visualbee
Key Deleted : HKLM\SOFTWARE\InfoAtoms
Key Deleted : HKLM\SOFTWARE\VBMZ
Key Deleted : HKLM\SOFTWARE\visualbee
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local

***** [ Web browsers ] *****

-\\ Internet Explorer v10.0.9200.17229


-\\ Mozilla Firefox v35.0.1 (x86 en-US)

[f3ykms63.default\prefs.js] - Line Deleted : user_pref("extensions.incredibar_i.aflt", "orgnl");
[f3ykms63.default\prefs.js] - Line Deleted : user_pref("extensions.incredibar_i.dfltLng", "");
[f3ykms63.default\prefs.js] - Line Deleted : user_pref("extensions.incredibar_i.did", "10687");
[f3ykms63.default\prefs.js] - Line Deleted : user_pref("extensions.incredibar_i.excTlbr", false);
[f3ykms63.default\prefs.js] - Line Deleted : user_pref("extensions.incredibar_i.id", "5a0d9b2e0000000000001a659da7f5ba");
[f3ykms63.default\prefs.js] - Line Deleted : user_pref("extensions.incredibar_i.installerproductid", "26");
[f3ykms63.default\prefs.js] - Line Deleted : user_pref("extensions.incredibar_i.instlDay", "15722");
[f3ykms63.default\prefs.js] - Line Deleted : user_pref("extensions.incredibar_i.instlRef", "");
[f3ykms63.default\prefs.js] - Line Deleted : user_pref("extensions.incredibar_i.ms_url_id", "");
[f3ykms63.default\prefs.js] - Line Deleted : user_pref("extensions.incredibar_i.newTab", false);
[f3ykms63.default\prefs.js] - Line Deleted : user_pref("extensions.incredibar_i.ppd", "116303");
[f3ykms63.default\prefs.js] - Line Deleted : user_pref("extensions.incredibar_i.prdct", "incredibar");
[f3ykms63.default\prefs.js] - Line Deleted : user_pref("extensions.incredibar_i.productid", "26");
[f3ykms63.default\prefs.js] - Line Deleted : user_pref("extensions.incredibar_i.prtnrId", "Incredibar");
[f3ykms63.default\prefs.js] - Line Deleted : user_pref("extensions.incredibar_i.smplGrp", "none");
[f3ykms63.default\prefs.js] - Line Deleted : user_pref("extensions.incredibar_i.tlbrId", "base");
[f3ykms63.default\prefs.js] - Line Deleted : user_pref("extensions.incredibar_i.tlbrSrchUrl", "hxxp://mystart.Incredibar.com/?a=6R8Rz2FYaW&loc=IB_TB&i=26&search=");
[f3ykms63.default\prefs.js] - Line Deleted : user_pref("extensions.incredibar_i.upn2", "6R8Rz2FYaW");
[f3ykms63.default\prefs.js] - Line Deleted : user_pref("extensions.incredibar_i.upn2n", "92825760307120974");
[f3ykms63.default\prefs.js] - Line Deleted : user_pref("extensions.incredibar_i.vrsn", "1.5.11.14");
[f3ykms63.default\prefs.js] - Line Deleted : user_pref("extensions.incredibar_i.vrsnTs", "1.5.11.1423:08:20");
[f3ykms63.default\prefs.js] - Line Deleted : user_pref("extensions.incredibar_i.vrsni", "1.5.11.14");

*************************

AdwCleaner[R0].txt - [6183 bytes] - [11/02/2015 19:39:15]
AdwCleaner[R1].txt - [6242 bytes] - [11/02/2015 19:44:39]
AdwCleaner[R2].txt - [6301 bytes] - [11/02/2015 20:09:45]
AdwCleaner[R3].txt - [6138 bytes] - [20/02/2015 11:46:48]
AdwCleaner[S0].txt - [5949 bytes] - [20/02/2015 11:48:49]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [6008  bytes] ##########
 


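The log above is the record of what AdwCleaner removed. What a responder usually wants from such a log is a per-mechanism summary (how much of this was IE load points, how much Firefox profile tampering) and a way to tie the bare COM CLSIDs under HKLM\SOFTWARE\Classes to the Browser Helper Object and toolbar entries that actually loaded them. The Python script below is an added example for this thread; it is not AdwCleaner's own code and not something the poster ran. It parses the log format exactly as it appears above (the `***** [ Section ] *****` banners, the `<Kind> Deleted : <target>` lines and the Firefox `user_pref` lines), labels each removal with a persistence category of my own choosing, and cross-references GUIDs across registry keys. The embedded sample is an excerpt of the posted log; the remark that Firefox re-applies user.js at every start is general Firefox behaviour, not something the thread states, and the format is assumed stable only for the AdwCleaner version shown.

```python
"""Summarise an AdwCleaner cleaning log by persistence mechanism and tie COM
CLSIDs to the IE BHO/toolbar entries that loaded them.  Added example for this
thread; not AdwCleaner's code.  Format taken from the posted log; labels are mine."""
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass

# Excerpt of the AdwCleaner[S0] log posted above, embedded so this runs offline.
SAMPLE_LOG = r"""
# AdwCleaner v4.111 - Logfile created 20/02/2015 at 11:48:49

***** [ Files / Folders ] *****

Folder Deleted : C:\Users\Rich\AppData\Roaming\pccustubinstaller
File Deleted : C:\Users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\f3ykms63.default\user.js

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{8DCB7100-DF86-4384-8842-8FA844297B3F}]
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E7190224-F19B-4F52-A26D-F7259C9C0A65}
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local

***** [ Web browsers ] *****
-\\ Mozilla Firefox v35.0.1 (x86 en-US)

[f3ykms63.default\prefs.js] - Line Deleted : user_pref("extensions.incredibar_i.prdct", "incredibar");
[f3ykms63.default\prefs.js] - Line Deleted : user_pref("extensions.incredibar_i.tlbrSrchUrl", "hxxp://mystart.Incredibar.com/?a=6R8Rz2FYaW&loc=IB_TB&i=26&search=");
"""

SECTION_RE = re.compile(r"^\*{5} \[ (?P<name>.+?) \] \*{5}$")
ACTION_RE = re.compile(r"^(?P<kind>Folder|File|Key|Value|Data) Deleted : (?P<target>.+)$")
PREF_RE = re.compile(r'^\[[^\]]+\] - Line Deleted : user_pref\("(?P<pref>[^"]+)", .+\);$')
GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)

# (substring of the deleted target, label).  First match wins, so the specific
# IE load points come before the generic COM registration key.  Labels are mine.
PERSISTENCE_RULES = (
    ("Browser Helper Objects", "IE BHO (DLL loaded into every IE process)"),
    (r"Internet Explorer\Toolbar", "IE toolbar"),
    ("SearchScopes", "IE search provider"),
    ("[ProxyOverride]", "WinINET proxy bypass list"),
    (r"Classes\CLSID", "COM class registration"),
    ("searchplugins", "Firefox search plugin"),
    ("user.js", "Firefox user.js (re-applied to prefs.js at every start)"),
)

@dataclass(frozen=True)
class Removal:
    section: str      # AdwCleaner section banner the line appeared under
    kind: str         # Folder / File / Key / Value / Data / Pref
    target: str       # path, registry key or pref name
    persistence: str  # label from PERSISTENCE_RULES, or "other"

def classify(target: str) -> str:
    low = target.lower()
    return next((label for needle, label in PERSISTENCE_RULES if needle.lower() in low), "other")

def parse_log(text: str) -> list[Removal]:
    out, section = [], "header"
    for line in (l.strip() for l in text.splitlines()):
        if m := SECTION_RE.match(line):
            section = m.group("name")
        elif m := ACTION_RE.match(line):
            target = m.group("target")
            out.append(Removal(section, m.group("kind"), target, classify(target)))
        elif m := PREF_RE.match(line):
            out.append(Removal(section, "Pref", m.group("pref"), "Firefox pref"))
    return out

def summarise(removals: list[Removal]) -> Counter:
    return Counter(r.persistence for r in removals)

def guid_locations(removals: list[Removal]) -> dict[str, set[str]]:
    """Map each GUID to the registry roles it was deleted from; a CLSID that also
    appears under Browser Helper Objects is the COM server IE was loading."""
    where: dict[str, set[str]] = {}
    for r in removals:
        if r.section == "Registry":
            for g in GUID_RE.findall(r.target):
                where.setdefault(g.upper(), set()).add(r.persistence)
    return where

def pref_families(removals: list[Removal]) -> Counter:
    """Count removed Firefox prefs by their extensions.<name>. prefix."""
    return Counter(r.target.split(".")[1] for r in removals
                   if r.kind == "Pref" and r.target.startswith("extensions."))

if __name__ == "__main__":
    items = parse_log(SAMPLE_LOG)
    for label, n in summarise(items).most_common():
        print(f"{n:3d}  {label}")
    for guid, roles in guid_locations(items).items():
        if len(roles) > 1:
            print(guid, "->", ", ".join(sorted(roles)))
    print("pref families:", dict(pref_families(items)))
```

Run against the full log rather than the excerpt, the GUID cross-reference is the part worth reading: {D2CE3E00-...} is both a Classes\CLSID registration and a Browser Helper Object, and {8DCB7100-...} is both a CLSID and the IE Toolbar value, which is how the two IE components were being loaded. The deletion of user.js matters for the same reason the poster saw the same 21 MBAM detections twice with Firefox closed: Firefox copies user.js into prefs.js on every start, so prefs cleaned from prefs.js alone come back.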

#62
wharriss (Topic Starter, Member, 105 posts)

I had not been closing Firefox to run MBAM.

There was no reference to Incredibar in Firefox extensions or plugins.

I closed Firefox and ran MBAM 2 times and got the same results.

I downloaded AdwCleaner (had to disable Norton; it thinks the file is unsafe and automatically deletes it).

Looks to me like AdwCleaner got it. I will run MBAM again and post results.

#63
wharriss (Topic Starter, Member, 105 posts)

Here is the clean MBAM file.

Attached file: MBAMscan2.txt (1.03 KB)

21 degrees here right now, low last night about 10.

Edited by wharriss, 20 February 2015 - 11:45 AM.

#64
RKinner (Malware Expert, MVP, 20,031 posts)

Looks good. Stupid Norton. Doesn't it have PUP prevention or removal?

#65
wharriss (Topic Starter, Member, 105 posts)

Evidently not. I am going to change to Kaspersky when I have time.





