Author Topic: bprotect - multiple versions/variations  (Read 4165 times)


needviruscure

  • Guest
bprotect - multiple versions/variations
« on: April 28, 2014, 05:51:31 AM »
Help with getting rid of multiple forms of bprotect is appreciated.

Steps taken:
- Ran Avast (Root)
- Avast unable to do anything except ignore
- Ran MBAM
- First time MBAM failed and closed when I went to export the log; not certain the log was output - attached
- Ran MBAM again, output file (*afternoon*.*) - attached
- Ran OTL, both logs attached
- aswMBR scan in process

Thanks in advance for the help.

[update:  removed logs.  will repost if needed]
« Last Edit: April 29, 2014, 03:18:44 AM by needviruscure »

needviruscure

  • Guest
Re: bprotect - multiple versions/variations
« Reply #1 on: April 28, 2014, 06:07:33 AM »
[Update 1]
- aswMBR scan completed - log attached

[update - removed aswmbr log.txt.  will re-upload if needed]
« Last Edit: April 28, 2014, 09:34:40 PM by needviruscure »

argus

  • Guest
Re: bprotect - multiple versions/variations
« Reply #2 on: April 28, 2014, 10:16:33 AM »
Re-run OTL.exe.

  • Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

Code:

:OTL
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}: "URL" = http://search.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
IE - HKLM\..\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}: "URL" = http://search.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
IE - HKU\S-1-5-21-1346717094-2233745643-1086611274-1005\..\SearchScopes,DefaultScope = {CFF4DB9B-135F-47c0-9269-B4C6572FD61A}
IE - HKU\S-1-5-21-1346717094-2233745643-1086611274-1005\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://www.claro-search.com/?q={searchTerms}&affID=117454&tt=091212_9101_5012_7&babsrc=SP_ss&mntrId=ea25a1d1000000000000ac8112b29b1e
IE - HKU\S-1-5-21-1346717094-2233745643-1086611274-1005\..\SearchScopes\{1911BB4B-E300-4CAB-9594-5F84F06F3161}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3247429
IE - HKU\S-1-5-21-1346717094-2233745643-1086611274-1005\..\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}: "URL" = http://search.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
IE - HKU\S-1-5-21-1346717094-2233745643-1086611274-1005\..\SearchScopes\{C7D9D327-FB2B-4D86-8F65-0FD03FA8D1F2}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=&src=kw&q={searchTerms}&locale=&apn_ptnrs=&apn_dtid=OSJ000&apn_uid=D5B13EFF-A1EB-46A7-8BA4-79FBA90F64C4&apn_sauid=30E9B725-CE59-47F6-8C46-7F420446A172
IE - HKU\S-1-5-21-1346717094-2233745643-1086611274-1005\..\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}: "URL" = http://mystart.incredibar.com/mb203?a=6OyWzKIE5E&loc=skw&search={searchTerms}&i=26
IE - HKU\S-1-5-21-1346717094-2233745643-1086611274-1005\..\SearchScopes\5BB1778B80BD4C76944A3ACC1EF1DFB2: "URL" = http://mystart.incredibar.com/mb185/?search={searchTerms}&loc=IB_DS&a=6R8NCOyTsd&i=26
CHR - default_search_provider: MyStart (Enabled)
CHR - default_search_provider: search_url = http://mystart.incredibar.com/mb203?a=6OyWzKIE5E&loc=skw&search={searchTerms}
CHR - default_search_provider: suggest_url = ,
CHR - homepage: http://mystart.incredibar.com/mb203?a=6OyWzKIE5E&loc=skw
O3:[b]64bit:[/b] - HKLM\..\Toolbar: (WOT) - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll ()
O3 - HKLM\..\Toolbar: (WOT) - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files (x86)\WOT\WOT.dll ()
O3:[b]64bit:[/b] - HKU\S-1-5-21-1346717094-2233745643-1086611274-1005\..\Toolbar\WebBrowser: (WOT) - {71576546-354D-41C9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll ()
O3 - HKU\S-1-5-21-1346717094-2233745643-1086611274-1005\..\Toolbar\WebBrowser: (WOT) - {71576546-354D-41C9-AAE8-31F2EC22BF0D} - C:\Program Files (x86)\WOT\WOT.dll ()
O2 - BHO: (WOT Helper) - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files (x86)\WOT\WOT.dll ()
O18:[b]64bit:[/b] - Protocol\Handler\wot {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll ()
O18 - Protocol\Handler\wot {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files (x86)\WOT\WOT.dll ()
O33 - MountPoints2\{de0bae24-140c-11e1-9f67-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{de0bae24-140c-11e1-9f67-806e6f6e6963}\Shell\AutoRun\command - "" = F:\setup.exe
[2014/04/19 09:14:18 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\ljkb
[2014/04/19 09:14:18 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\jmdp

:commands
[CREATERESTOREPOINT]
[emptytemp]


  • Then click the Run Fix button at the top.
  • Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.
If the log doesn't appear, it can be found here:

c:\_OTL\MovedFiles\mmddyyyy_hhmmss.log

***********************

Please download AdwCleaner by Xplode and save to your Desktop.

Double click on AdwCleaner.exe to run the tool.
  • Click on the Scan button.
  • After the scan has finished click on the Clean button.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.

  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • The logfile will also be saved in the C:\AdwCleaner folder.
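Before writing a fix like the one above, a helper usually triages the OTL entries by hand: which IE/Chrome search scopes point at known hijacker hosts, and which MountPoints2 entries carry an AutoRun command. The script below is an added Python example of that triage, not part of argus's post or of the OTL tool; the sample lines are constructed from the entries above and the hijacker host list covers only what this thread shows.

```python
import re
from urllib.parse import urlparse

# Hosts of the search hijackers named in the OTL fix above. This is not a
# complete blocklist; it only covers what this thread shows.
HIJACKER_HOSTS = {
    "mystart.incredibar.com", "www.claro-search.com",
    "search.conduit.com", "search.ask.com", "websearch.ask.com",
}

# IE SearchScopes / CHR default_search_provider lines end in a URL.
SCOPE_RE = re.compile(r"^(?P<kind>IE|CHR)\b.*?(?P<url>https?://\S+)\s*$")
# O33 MountPoints2 AutoRun command lines: "" = <command to run>.
AUTORUN_RE = re.compile(
    r'^O33 - MountPoints2\\(?P<vol>\{[^}]+\})\\Shell\\AutoRun\\command - "" = (?P<cmd>.+)$'
)

# Constructed sample, modelled on the OTL entries in the fix above.
SAMPLE_OTL = r"""
IE - HKLM\..\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}: "URL" = http://search.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
IE - HKU\S-1-5-21-1346717094-2233745643-1086611274-1005\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}
CHR - default_search_provider: search_url = http://mystart.incredibar.com/mb203?a=6OyWzKIE5E&loc=skw&search={searchTerms}
CHR - default_search_provider: suggest_url = ,
O33 - MountPoints2\{de0bae24-140c-11e1-9f67-806e6f6e6963}\Shell\AutoRun\command - "" = F:\setup.exe
"""

def triage_otl(text):
    """Return (kind, detail, verdict) per recognised line; other lines are skipped."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = AUTORUN_RE.match(line)
        if m:
            # Any persisted AutoRun command from a removable volume gets a look.
            findings.append(("autorun", m["cmd"], "review"))
            continue
        m = SCOPE_RE.match(line)
        if m:
            host = urlparse(m["url"]).hostname or ""
            verdict = "hijacker" if host in HIJACKER_HOSTS else "ok"
            findings.append((m["kind"].lower(), host, verdict))
    return findings

if __name__ == "__main__":
    for kind, detail, verdict in triage_otl(SAMPLE_OTL):
        print(f"{kind:8} {verdict:9} {detail}")
```

Lines without a URL (such as the `suggest_url = ,` entry) are skipped, so a scope entry that shows up as `ok` still deserves a glance at its GUID and full URL.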

needviruscure

  • Guest
Re: bprotect - multiple versions/variations
« Reply #3 on: April 28, 2014, 04:42:05 PM »
    Re-run OTL.exe.

    • Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

    • Then click the Run Fix button at the top.
    • Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.
    ******************

Here is the OTL log after running Run Fix.

Also attached the AdwCleaner log in case it is needed.

[Update - removed logs]
« Last Edit: April 29, 2014, 03:14:37 AM by needviruscure »

argus

  • Guest
Re: bprotect - multiple versions/variations
« Reply #4 on: April 28, 2014, 05:07:00 PM »

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

*********** Next **************

Please download Malwarebytes AntiRootkit (MBAR) and save it to your desktop.
For full instructions on how MBAR works, read this article.

  > Double-click on the MBAR file and allow it to run.
  •  Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.
  •  mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.
  •  After reading the Introduction, click Next if you agree.

  •  On the Update Database screen, click on the Update button. Once you see 'Success: Database was successfully updated' click on Next.
  •  Under Scan Targets ensure all boxes are ticked. Then click the Scan button.

Notice: with some infections, you may see two message boxes:
'Could not load protection driver'. Click 'OK'.
'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

  >>  If malware is not detected, click the Exit button to close the program and post the mbar-log-year-month-day.txt and system-log.txt reports.

  >>  If infections are found, ensure Create Restore Point is ticked. Then select the "Cleanup!" button to remove threats.
  •  The clean up procedure will be scheduled for processing; a pop-up will be shown.
Select the Yes button and the system should reboot to complete the cleaning process.

  >>  Notice: only if a rootkit is detected, ensure to run the fixdamage.exe tool located in the mbar folder, \Plugins\fixdamage.exe
  - Run fixdamage.exe; at the black window, to continue type Y (alias for Yes). Wait a few seconds for execution ...
  - When you see "press any key to exit" the fix is completed; press any key to close the window. Reboot the system.

  > The following reports will be created in the mbar folder:
  1. mbar-log-year-month-day (hour-minute-second).txt
  2. system-log.txt

Please post both logs in your next reply.

needviruscure

  • Guest
Re: bprotect - multiple versions/variations
« Reply #5 on: April 28, 2014, 09:33:26 PM »
Attached are:

- Farbar logs - FRST and Addition
- MBAR logs (no malware detected) - mbar and system logs

[Update - Removed logs]
« Last Edit: April 29, 2014, 03:15:14 AM by needviruscure »

argus

  • Guest
Re: bprotect - multiple versions/variations
« Reply #6 on: April 28, 2014, 09:50:15 PM »

1. Open Notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right click on it. Paste this into the open Notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Code:
Start
GroupPolicyUsers\S-1-5-21-1346717094-2233745643-1086611274-1007\User: Group Policy restriction detected <======= ATTENTION
SearchScopes: HKCU - DefaultScope 5BB1778B80BD4C76944A3ACC1EF1DFB2 URL = http://mystart.incredibar.com/mb185/?search={searchTerms}&loc=IB_DS&a=6R8NCOyTsd&i=26
SearchScopes: HKCU - 5BB1778B80BD4C76944A3ACC1EF1DFB2 URL = http://mystart.incredibar.com/mb185/?search={searchTerms}&loc=IB_DS&a=6R8NCOyTsd&i=26
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll ()
Toolbar: HKLM - WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll ()
C:\Program Files\WOT\WOT.dll
CHR RestoreOnStartup: "hxxp://mystart.incredibar.com/mb203?a=6OyWzKIE5E&loc=skw"
CHR DefaultSearchKeyword: mystart.incredibar.com/
CHR DefaultSearchProvider: MyStart
CHR DefaultSearchURL: http://mystart.incredibar.com/mb203?a=6OyWzKIE5E&loc=skw&search={searchTerms
CHR Extension: (Chrome In-App Payments service) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-14]
Task: {A29883B7-61C3-4730-9C47-F4DBAE6C8BAF} - \Funmoods No Task File <==== ATTENTION
CMD: DEL %TEMP%\*.* /F /S /Q
End
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about an outdated version, please download and run the updated version.

needviruscure

  • Guest
Re: bprotect - multiple versions/variations
« Reply #7 on: April 28, 2014, 10:33:07 PM »
Ran FRST64
- FRST64.exe is in the downloads folder
- saved fixlist.txt to the downloads folder (rather than the desktop) so the file was in the same location as the executable
   - Please let me know if that was incorrect.
   - FRST64 ran very quickly, i.e. seconds not minutes
- uploaded fixlog.txt from the download folder (rather than the desktop; I assume that is because it is saved to the same folder as the executable).

[Update - removed log]
« Last Edit: April 29, 2014, 03:15:49 AM by needviruscure »

argus

  • Guest
Re: bprotect - multiple versions/variations
« Reply #8 on: April 28, 2014, 10:39:27 PM »
How is the situation now?

needviruscure

  • Guest
Re: bprotect - multiple versions/variations
« Reply #9 on: April 29, 2014, 03:17:52 AM »
GREAT!!!

- Did a boot time scan, clean
- Did a full system scan, clean
- login to Windows account went from 2.5+ minutes to 1 minute

Very grateful and appreciate the help!

argus

  • Guest
Re: bprotect - multiple versions/variations
« Reply #10 on: April 29, 2014, 09:55:28 AM »
The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes below:
Remove disinfection tools
Create registry backup
Purge System Restore

Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

needviruscure

  • Guest
Re: bprotect - multiple versions/variations
« Reply #11 on: April 29, 2014, 03:14:35 PM »
Done. Thank you. Is there anything else?

argus

  • Guest
Re: bprotect - multiple versions/variations
« Reply #12 on: April 29, 2014, 03:31:33 PM »
No, that's all.