Infected with multiple BProtect variants - help please!!

[hzearz]

Hi,

I am hoping somebody can help me to cleanse my daughter's laptop of the BProtect trojans and adware. So far, I have found the following variants whilst performing a boot scan with Avast Internet Security:

JS:BProtect-C [Trj]
XML:BProtect-B [Adw]
JS:BProtect-A [Trj]
Win32:BProtect-BRS [Adw]
Win32:BProtect-D [Trj]

Troubleshooting (note: I have followed the guide posted by essexboy in this forum):
1. Boot scan with Avast - will not allow any action on these files other than ignore, so I did not allow it to complete. This is how I identified the problem.

2. Scan with Malwarebytes Anti-Malware -
a. First scan found 220 infected files, I exported the log, and was about to attach it to this post however it seems that I may have overwritten it with a more recent scan :/, and selected 'Apply actions', and rebooted.
b. Subsequent scans with this tool produce 0 infected files - see attached log 'mbam.txt', however Avast boot scan still picks up BProtect.

3. Updated all programs with Avast - including Java.

4. Quick scan with Avast - Found a handful of JS:SaveByClick-A [Adw], and moved them to the Chest.

5. Scan with Farbar Recovery Scan tool - attached both FRST and Addition logs, but did not select 'fix' after the scan....because the guide in this forum did not mention whether to 'fix' or not after the scan.

6. Scan with aswMBR - attached log, but did not select 'FixMBR' or 'Fix' after the scan....because the guide in this forum did not mention whether to or not.

7. Created this post

Any help would be greatly appreciated!

Simon

[Asyn]

Good job, now you've to wait a bit...

[hzearz]

Thanks Asyn

[Asyn]

You're welcome. (Please be patient...)

[essexboy]

Let me know if this kills it

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 

HKLM\...\Run: [] => [X]
HKLM-x32\...\Run: [mobilegeni daemon] => C:\Program Files (x86)\Mobogenie\DaemonProcess.exe
URLSearchHook: HKCU - (No Name) - {55d7c7bc-12a7-4f9b-81c0-600d9a182395} - No File
SearchScopes: HKLM-x32 - {9bd172ba-3f40-4303-bca1-0484b5ba2a7b} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^YJ^yyyyyy^YY^au&ptb=31027D04-540F-4E4C-B229-1F02746EB2E5&psa=&ind=2013041102&st=sb&n=77fc91ce&searchfor={searchTerms}
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
Toolbar: HKLM-x32 - No Name - {98889811-442D-49dd-99D7-DC866BE87DBC} -  No File
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKCU - No Name - {55D7C7BC-12A7-4F9B-81C0-600D9A182395} -  No File
AlternateDataStreams: C:\Users\Antonia\Downloads\License.avastlic:com.apple.metadata?kMDLabel_ok4gb6gmp5lg7lwjxaardoix2e
AlternateDataStreams: C:\Users\Antonia\Downloads\License.avastlic:com.apple.quarantine
C:\Program Files (x86)\Mobogenie
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.

• Close all open programs and internet browsers.
• Double click on AdwCleaner.exe to run the tool.
  
• Click on Scan.
  
• After the scan is complete click on "Clean"
• Confirm each time with Ok.
  
• Your computer will be rebooted automatically. A text file will open after the restart.
• Please post the content of that logfile with your next answer.
• You can find the logfile at C:\AdwCleaner[S1].txt as well.
  

[hzearz]

Thanks essexboy,

I have attached the output log from the frst tool after running the fixlist.txt file.

Am about to download and run AdwCleaner and will post log shortly.

Simon

[hzearz]

....attached AdwCleaner logs (AdwCleaner[S0].txt was the log that opened after reboot), am going to Avast boot scan now and will post outcome.

[hzearz]

Hey, that sorted it out good n' proper.

Ran the Avast boot scan and came back with only 1 infected file. The irony is that it was Quarantine.txt from the AdwCleaner application (downloaded from bleepingcomputer.com)

08/13/2014 16:28
Scan of all local drives

File C:\Users\Antonia\AppData\Roaming\.technic\bigdig\cache\nei-v1.5.2.21.zip|>coremods\NotEnoughItems 1.5.2.21.jar Error 42125 {ZIP archive is corrupted.}
File C:\Users\Antonia\AppData\Roaming\.technic\modpacks\dlc-pack\cache\dlc-pack-Beta 1.7.6.zip|>coremods\CodeChickenCore 0.8.1.jar Error 42125 {ZIP archive is corrupted.}
File C:\Users\Antonia\AppData\Roaming\.technic\tekkit\cache\matmos-v12.zip|>resources\newsound\matmos_hl\wind\wind_snippet4.ogg Error 42125 {ZIP archive is corrupted.}
File C:\Users\Antonia\Downloads\ei_win_1.0.1_2492 (1).zip|>EpicInventor.exe Error 42125 {ZIP archive is corrupted.}
File C:\Users\Antonia\Downloads\ei_win_1.0.1_2492.zip.qmqfszr.partial|>EpicInventor.exe Error 42125 {ZIP archive is corrupted.}
File C:\AdwCleaner\Quarantine\Quarantine.txt is infected by NSIS:NextLive-A [Adw], Moved to chest
Number of searched folders: 38147
Number of tested files: 2866006
Number of infected files: 1

Thank you so much for your help

[essexboy]

Aye that is where adwcleaner stores the files it kills

How is the computer behaving now ?

[hzearz]

Ah cool

Computer is well behaved now, daughter less so haha...now that computer is 'locked down'!!

[essexboy]

In that case methinks I will send you on your merry way

Subject to no further problems   

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems 

Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset  System Restore points:


Download and run Delfix




: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article

I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to diasble Java in your web browser and How to unplug Java from the browser)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent install this programme to lock down and prevent crypto ransome ware



Malwarebytes.

Update and run weekly to keep your system clean


It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide  Best security practices Keep safe  :wave: