IncrediBar Re-direct on New Tab windows Chrom and FireFox

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Nikone, Aug 10, 2012.

  1. Nikone

    Nikone Private E-2

I have incredibar redirecting my new tabs in both Chrome and Firefox. I don't load IE anymore, so probably that one too!
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop.
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the text-field.
      Code:
      activex
      netsvcs
      
    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
  3. Nikone

    Nikone Private E-2

    Thanks for your help!
     

    Attached Files:

  4. thisisu

    thisisu Malware Consultant

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the text-field.
    Code:
    :processes
    killallprocesses
    :otl
    IE - HKU\S-1-5-21-1960408961-1844823847-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://mystart.incredibar.com/mb178?a=6OyKD3lA0q&i=26
    IE - HKU\S-1-5-21-1960408961-1844823847-1417001333-1003\..\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}: "URL" = http://mystart.incredibar.com/mb178/?search={searchTerms}&loc=IB_DS&a=6OyKD3lA0q&i=26
    [2012/08/10 14:08:51 | 000,000,000 | ---D | M] (incredibar.com) -- C:\Documents and Settings\New\Application Data\Mozilla\Firefox\Profiles\mf3bdpx1.default\extensions\ffxtlbr@incredibar.com
    :commands
    [clearallrestorepoints]
    [emptyjava]
    [emptyflash]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)
     
  5. Nikone

    Nikone Private E-2

    Still infected in Firefox and Chrome. When I open a new tab it still redirects me to the mystart.incredibar.c*m search page.
     

    Attached Files:

  6. thisisu

    thisisu Malware Consultant

    Hrm, in this case since there are not any other traces of incredibar in your logs, you will need to uninstall both FireFox and Google Chrome. Then reinstall them.
     
  7. Nikone

    Nikone Private E-2

    So I am following your suggestion, but wanted to poke around first. I am pretty tech aware or savvy... so I poked around my Program Files and noticed a folder called C:\Program Files\Perion\NewTab ... in this folder there are two files: one is a text file called data.txt and the other file is newtab.crx... my hunch was then confirmed. The txt file has the targeted URL in it: {"url": "h**p://mystart.incredibar.com/mb178?a=6OyKD3lA0q&loc=CH_NT"}

    I am assuming the .crx file inside has the commands to load the txt file.

    Hoping this helps a little bit, in figuring out what the problem is.
     
    Last edited: Aug 14, 2012
  8. Nikone

    Nikone Private E-2

    So a little digging and I uncovered a few more details... when changing the address in the txt file I was able to change it to any website I wanted, and it would work only after I reloaded Chrome. Now I did a Google search on the newtab.crx: it's an extension available to download via the Chrome store. It allows users to customize their new tab. So it looks like the creators found a loophole into running a page in Chrome without permission. Taking it a little further, it is actually installed on Chrome as an extension; disabling it allows me to stop the program and remove it from Chrome.

    Here comes the interesting part: after changing the website in the txt file, Firefox does not reflect the change I made. It still has the old URL loading, but this time for some reason it is not opening the page correctly; the images are a little messed up and some are not even loading, and the CSS of the page is thrown off. I am very confused at this point. Firefox currently does not show this extension loaded, so it must be pulling the information from a different location. But then why would the CSS of the page be distorted?

    Let's try to figure this out together!
     
  9. thisisu

    thisisu Malware Consultant

    Yes we'll think about it some more. Do you recall ever installing

    Perion => NewTab ?

    I haven't heard of it before but I will do some research on my end when I get a chance and report any findings.
     
  10. Nikone

    Nikone Private E-2

    No, I never installed it or OK'ed the installation of such a program. I can reassure you 100% that that looks like my problem on Chrome, but in Firefox it has messed up the loading of some pages' CSS and even loading in general. I think it has some sort of control over the way the browser is rendering each page I visit.

    For example, if I go to log in to my Expedia account, I get an error that Expedia is down for maintenance while that is not actually the case. Expedia has not been down at all.

    I do not know how to get rid of this issue.
     
  11. thisisu

    thisisu Malware Consultant

    Please download and run ComboFix and attach its log.
    Read these instructions on how to use it: How to use ComboFix
    Do not uninstall ComboFix yet as we may need it to fix remaining malware issues.
     
  12. Nikone

    Nikone Private E-2

    ComboFix: I ran it twice just to be sure.
     

    Attached Files:

  13. thisisu

    thisisu Malware Consultant

    Nice, ComboFix found it. :)

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you previously downloaded is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    FireFox::
    FF - ProfilePath - c:\documents and settings\New\Application Data\Mozilla\Firefox\Profiles\swnj9ijx.default-1343227761859\
    FF - prefs.js: browser.search.selectedEngine - MyStart Search
    FF - prefs.js: keyword.URL - hxxp://mystart.incredibar.com/mb178/?loc=IB_DS&a=6OyKD3lA0q&&i=26&search=
    FF - user.js: extensions.incredibar_i.newTab - false
    FF - user.js: extensions.incredibar_i.tlbrSrchUrl - hxxp://mystart.Incredibar.com/?a=6OyKD3lA0q&loc=IB_TB&i=26&search=
    FF - user.js: extensions.incredibar_i.id - 20db6f5700000000000000219b2bbab7
    FF - user.js: extensions.incredibar_i.instlDay - 15562
    FF - user.js: extensions.incredibar_i.vrsn - 1.5.11.14
    FF - user.js: extensions.incredibar_i.vrsni - 1.5.11.14
    FF - user.js: extensions.incredibar_i.vrsnTs - 1.5.11.1414:08
    FF - user.js: extensions.incredibar_i.prtnrId - Incredibar
    FF - user.js: extensions.incredibar_i.prdct - incredibar
    FF - user.js: extensions.incredibar_i.aflt - orgnl
    FF - user.js: extensions.incredibar_i.smplGrp - none
    FF - user.js: extensions.incredibar_i.tlbrId - base
    FF - user.js: extensions.incredibar_i.instlRef - 
    FF - user.js: extensions.incredibar_i.dfltLng - 
    FF - user.js: extensions.incredibar_i.excTlbr - false
    FF - user.js: extensions.incredibar_i.ms_url_id - 
    FF - user.js: extensions.incredibar_i.upn2 - 6OyKD3lA0q
    FF - user.js: extensions.incredibar_i.upn2n - 92261908042926802
    FF - user.js: extensions.incredibar_i.productid - 26
    FF - user.js: extensions.incredibar_i.installerproductid - 26
    FF - user.js: extensions.incredibar_i.did - 10643
    FF - user.js: extensions.incredibar_i.ppd - 35
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)
     
  14. Nikone

    Nikone Private E-2

    combo file attached... let me know...

    Firefox still opens new tab with myserch.incredibar.com/****

    :-:)
     

    Attached Files:

  15. thisisu

    thisisu Malware Consultant

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you previously downloaded is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    DirLook::
    c:\documents and settings\All Users\Application Data\PCDr
    c:\documents and settings\New\Application Data\PCDr
    FireFox::
    FF - ProfilePath - c:\documents and settings\New\Application Data\Mozilla\Firefox\Profiles\swnj9ijx.default-1343227761859\
    FF - prefs.js: browser.startup.homepage - about:home
    Folder::
    C:\Program Files\Perion
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)
     
  16. Nikone

    Nikone Private E-2

    Still infected... this thing doesn't want to go away!!!!

    Sorry, I had to zip it; it was too large.
     

    Attached Files:

  17. thisisu

    thisisu Malware Consultant

    It is stubborn, hopefully manual removal will be possible in the future. In the meantime, uninstall and reinstall FireFox. Let me know if that fixes the problem.
     
  18. Nikone

    Nikone Private E-2

    OMG! This thing just doesn't want to go away. I uninstalled and re-installed and it's still there!!!

    I am sorry to be a pain in the a**.

    _____________


    Ok here goes. I did a little more research: to remove it from Firefox completely I needed to enter about:config and do a search for mystart, then reset all values found that contained the string mystart. That was the only way to get rid of it to my knowledge.

    Thanks thisisu for all your help in trying to get this thing removed! Your awesome work is appreciated!
     
    Last edited: Aug 15, 2012
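The posts above describe two places this hijacker lived: the Perion NewTab data.txt holding a JSON {"url": ...} that the Chrome extension loads, and Firefox user_pref entries (in prefs.js/user.js) whose name or value mentions mystart/incredibar, which were finally cleared by resetting them in about:config. The script below is an added example, not a MajorGeeks tool or anything posted in this thread: it parses both file formats and lists the preferences a defender would reset. The sample pref lines and data.txt are constructed from the values quoted above, the affiliate id is replaced by a placeholder, and the marker list is an assumption specific to this infection.

```python
"""Detect search-hijacker settings in Firefox pref files and a Perion
NewTab data.txt. Added example for the thread above; sample inputs are
constructed, not real logs."""
import json
import re

# Strings that, in this thread, identify the hijacker (assumed marker list).
HIJACK_MARKERS = ("mystart", "incredibar")

# One Firefox preference line: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*)\);\s*$')


def find_hijacked_prefs(pref_text, markers=HIJACK_MARKERS):
    """Return [(name, raw_value)] for every user_pref in prefs.js/user.js
    whose name or value contains one of the markers (case-insensitive).
    These are the entries to reset in about:config."""
    hits = []
    for line in pref_text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        haystack = (name + " " + value).lower()
        if any(k in haystack for k in markers):
            hits.append((name, value))
    return hits


def newtab_target(data_txt):
    """Parse the NewTab data.txt ({"url": "..."}) and return the URL the
    new-tab page is pointed at, or None if the file is not in that shape."""
    try:
        doc = json.loads(data_txt)
    except ValueError:
        return None
    url = doc.get("url") if isinstance(doc, dict) else None
    return url if isinstance(url, str) else None


def is_hijacked_target(url, markers=HIJACK_MARKERS):
    """True when the new-tab target points at one of the marker domains."""
    return bool(url) and any(k in url.lower() for k in markers)


# Constructed sample input modelled on the values quoted in the thread.
SAMPLE_USER_JS = '''\
user_pref("browser.search.selectedEngine", "MyStart Search");
user_pref("keyword.URL", "http://mystart.incredibar.com/mb178/?loc=IB_DS&search=");
user_pref("extensions.incredibar_i.newTab", false);
user_pref("extensions.incredibar_i.prdct", "incredibar");
user_pref("browser.startup.homepage", "about:home");
user_pref("network.cookie.cookieBehavior", 0);
'''
SAMPLE_DATA_TXT = '{"url": "http://mystart.incredibar.com/mb178?a=AFFILIATE_ID_PLACEHOLDER&loc=CH_NT"}'

if __name__ == "__main__":
    for name, value in find_hijacked_prefs(SAMPLE_USER_JS):
        print(f"reset in about:config: {name} = {value}")
    target = newtab_target(SAMPLE_DATA_TXT)
    flag = " (hijacker)" if is_hijacked_target(target) else ""
    print(f"NewTab data.txt target: {target}{flag}")
```

To use it on a real profile, read prefs.js and user.js from the Firefox profile folder (the thread's was under Application Data\Mozilla\Firefox\Profiles) and data.txt from the Perion\NewTab folder, and pass their contents to the two functions; the four flagged prefs in the sample match the ones the ComboFix script above removed, while about:home and the cookie setting are left alone.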
  19. thisisu

    thisisu Malware Consultant

  20. Nikone

    Nikone Private E-2

  21. thisisu

    thisisu Malware Consultant

    Good to know ;)

    browser.search.defaultenginename needs to be added to CF and OTL. I will let the developers know.
     
  22. thisisu

    thisisu Malware Consultant

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you download and run ComboFix, here is how to uninstall it:
      • Press and hold the Windows key and then press the letter R on your keyboard.
      • This opens the Run dialog box.
      • Copy and paste the below text inside the text-field:
        • "%userprofile%\desktop\ComboFix" /uninstall
      • Now press ENTER
      • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
    • You can re-enable your Disk Emulation software at this time via DeFogger.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)
     
  23. Nikone

    Nikone Private E-2

    Thanks again, it really feels good to give back to the community by having the developers update their software scanners. It was truly fun figuring out how to get rid of this infection!
     
  24. thisisu

    thisisu Malware Consultant

    Yes, thank you as well :)
     
