Avast Internet security cannot fix, delete, repair or move to chest

My computer was getting sluggish so I started a boot-time scan. It found several files infected by win32: Bprotect-A [PUP] in my temporary internet files/IE5 area. However the only selection that seems to work is Ignore. I know these are technically not Malware, but they are slowing down my computer and I want to get rid of them but Avast IS does not seem to want to do that. How can I get rid of them?

Thanks.

Hi,
Let’s check what is running. Abort boot time scanning.

Please download DDS and save it to your Desktop from here:
http://www.bleepingcomputer.com/download/dds/dl/104/

Double click to run the tool, click the Start button.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt

Save both reports to your desktop. Attach DDS.txt and Attach.txt back to the topic.

Hi. I downloaded DDS and ran it and here are the two files you mentioned.

Hi,

Have you changed anything yourself in these reports?

First, you need to uninstall the following:
uTorrentControl2 Toolbar

THEN…

Please download zoek.zip or zoek.rar by smeenk from here or here and save it to your Desktop.
Unpack the archive…

  • Close any open browsers.
  • Temporarily disable your AntiVirus program (if necessary).
    If you are unsure how to do this please read this or this Instruction.
  • Double click on zoek.exe to run the tool.
    Please wait until the tool starts…
  • Copy the text present inside the code box below and paste it into the large window in the zoek tool:

uTorrentControl2 Toolbar;u
iedefaults;
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks];r
"{687578b9-7132-4a7a-80e4-30ee31099e03}"=-;r
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks];r
"{687578b9-7132-4a7a-80e4-30ee31099e03}"=-;r
emptyalltemp;
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{687578b9-7132-4a7a-80e4-30ee31099e03}];r
[-HKEY_CLASSES_ROOT\CLSID\{687578b9-7132-4a7a-80e4-30ee31099e03}];r
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar];r
"{687578B9-7132-4A7A-80E4-30EE31099E03}"=-;r
c:\program files\utorrentcontrol2;fs
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows];r
"AppInit_DLLs"="";r
c:\progra~2\browse~1;fs
firefoxlook;
chromelook;

  • Click on the Run Script button.
    Please wait until a log report opens (this can be after reboot).
  • Save the Notepad file to your Desktop and attach zoek-results.log here.
    Note: It will also create a log in the C:\ directory named “zoek-results.log”.

NEXT …

Temporarily disable your AntiVirus program, re-run DDS, and attach the fresh DDS.txt log report here.
note: do NOT change contents of the report.
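
The registry locations named in the script above (URLSearchHooks, Toolbar, Browser Helper Objects, AppInit_DLLs) can be listed read-only, for example to compare what is registered there before and after a cleanup. The following PowerShell is an added example, not part of the original post and not zoek's own code; the function names are hypothetical and it assumes PowerShell 3.0 or later.

```powershell
# Added example. Read-only: it lists entries and never writes or deletes anything.
# Key paths are the ones named in the script above; function names are made up here.
# On 64-bit Windows, 32-bit add-ons sit under the matching Wow6432Node keys (not listed).

function Resolve-Clsid {
    param([string]$Clsid, [string]$Location)
    # Look up the friendly name and the DLL that a CLSID points to.
    $base = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $key  = Get-Item -LiteralPath $base -ErrorAction SilentlyContinue
    $srv  = Get-Item -LiteralPath "$base\InprocServer32" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Location = $Location
        Clsid    = $Clsid
        Name     = if ($key) { $key.GetValue('') } else { '(CLSID not registered)' }
        Dll      = if ($srv) { $srv.GetValue('') } else { '' }
    }
}

function Get-BrowserAddonEntries {
    # Locations where each add-on is a VALUE named by its CLSID.
    $valueNamed = @(
        'HKCU:\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks',
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks',
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
    )
    foreach ($path in $valueNamed) {
        $k = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $k) { continue }
        foreach ($name in $k.GetValueNames()) {
            if ($name -match '^\{[0-9A-Fa-f-]{36}\}$') { Resolve-Clsid $name $path }
        }
    }
    # Browser Helper Objects: each add-on is a SUBKEY named by its CLSID.
    $bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    Get-ChildItem -LiteralPath $bho -ErrorAction SilentlyContinue |
        ForEach-Object { Resolve-Clsid $_.PSChildName $bho }
}

function Get-AppInitDlls {
    $k = Get-Item -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    # An empty string means no DLL is listed for loading through this value.
    $k.GetValue('AppInit_DLLs')
}

Get-BrowserAddonEntries | Format-Table -AutoSize
"AppInit_DLLs = '$(Get-AppInitDlls)'"
```

An entry whose Name shows "(CLSID not registered)" is a leftover reference to a component that is no longer installed.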

Wow, that is quite a bit to do and this is the first time a boot-time scan with Avast did not remove potential problems that Avast itself identified. I should find some time later today for this but there are a couple of things that happened in the interim:

When I read the instructions created by DDS, it mentioned zipping the attach.txt file. Since I use WinRar, I downloaded WinZip and when installing it also installed something from AVS - AVS search. I uninstalled that then ran SuperAntiSpyware and Malwarebytes - they found and removed 512 and 13 instances of adware and spyware respectively but when I looked at the file descriptions they did not match the file names identified by the Avast boot time scan. Then when I reread your instructions you made no mention of uploading a zipped version of attach.txt so in the end I did not use WinZip.

I really appreciate your help and instructions but I have a question - can the code script for zoek that you wrote be used again if I have the same problem again or was it written specifically for the results from this DDS? This particular computer is used ONLY for downloads. And I mostly download using utorrent. However there are times I am directed to a DDL site and I know a lot of them are sketchy - finding the correct download button is a problem at times and I suspect the vast majority of the malware I get come from these sites. While most of these are adware issues there have been a couple of occasions where a particularly persistent problem occurred but an Avast boot-time scan had always removed them in the past. So I suspect these issues will continue to pop up on this particular computer. To protect the other computers in my home network, they are never turned on when I am doing a download so they don’t get infected over the home network, and I usually run the boot-time scan and the other 2 programs monthly.

Anyway thanks again for all the help.

> Wow, that is quite a bit to do ...

Max ~ 10 minutes, 15 tops...

> I downloaded WinZip and when installing it also installed something from AVS - AVS search...

You did not download WinZip from the official website and you did not pay attention to what you were installing in addition.

> I uninstalled that then ran SuperAntiSpyware and Malwarebytes...

SAS is the past.

> ...can the code script for zoek that you wrote be used again if I have the same problem again...

Absolutely not. That can be dangerous.

> ...was it written specifically for the results from this DDS?

Yes. The next DDS result may be a little different, or significantly different. Running a zoek script again on another computer, or for some other problem, without supervision may damage the computer, or some program related to that registry change, or its settings.

> ...So I suspect these issues will continue to pop up on this particular computer.

No, it shall not when I'm done with it.

OK, I followed your instructions and I think it was successful, but there were some issues along the way.

  1. When I followed your links to zoek, there were two versions 4.0.0.4 and 4.0.0.5 so I downloaded the later version. However when I first downloaded the rar file, there was no zoek.exe just a zoek.com. When I clicked that on, a cmd screen briefly popped up and closed. After a few minutes nothing seemed to happen so I downloaded the rar file of the earlier version, but once again it only had the com file. So I downloaded the zip file and that had both the com and exe versions.

  2. I first attempted the exe file with Avast shields still on. That did not work and Avast moved the exe file to the Chest. So I turned off Avast shields and ran the exe file again.

  3. After a couple of minutes I got some error message about some missing script file. I thought that meant it had failed but a minute later I got the large window.

  4. I copy/pasted your script onto the window and pressed the Run Script button. I got a message that said zoek was already running and the script disappeared. Once again I thought that meant failure so I tried again and got the same results. After a few more minutes I got a message saying zoek had completed and for me to reboot the machine.

  5. After the reboot the zoek-results.log file popped up. Looking at the results it looked like your script actually ran despite the message (above). So I reran DDS and here are the two files - zoek-results.log and DDS.txt

Thanks again.

Hi,
You seem kind of tense while doing this. Please, feel free to relax, and leave the tools to do their job. Sometimes it takes time.
You might disable AV software while running these security tools.

=> Re-run zoek as you did before. We shall run one more zoek script. This script shall remove a large number of adware and toolbars (bad software)…

When you run Zoek, feel free to click on any Zoek icon … any one of these will launch the Zoek tool.

Please wait until the tool starts...

  • Temporarily disable your AntiVirus program.
    If you are unsure how to do this please read this or this Instruction.
  • Double click on zoek.exe to run the tool.
    Please wait until the tool starts…
  • Copy the text present inside the code box below and paste it into the large window in the zoek tool:

emptyclsid;
torntv@torntv.com.xpi;ff
jbpkiefagocgkmemidfngdkamloieekf;chr
pacgpkgadgmibnhpdidcnfafllnmeomc;chr
C:\Program Files\TornTV.com;fs
C:\Users\SudioH140G\AppData\Local\CRE\pacgpkgadgmibnhpdidcnfafllnmeomc.crx;f
pacgpkgadgmibnhpdidcnfafllnmeomc;chr
C:\Users\SudioH140G\AppData\Local\CRE\pacgpkgadgmibnhpdidcnfafllnmeomc.crx;f
pacgpkgadgmibnhpdidcnfafllnmeomc;chr
FFdefaults;
chrdefaults;
{0E6EAC85-8AD4-4742-9027-E9F138D4D000};c
{483830EE-A4CD-4b71-B0A3-3D82E62A6909};c
{CF739809-1C6C-47C0-85B9-569DBB141420};c
ipconfig /flushdns >> %temp%\log.txt;b
autoclean;

  • Click on the Run Script button.
    Please wait until a log report opens (this can be after reboot).
  • Save the Notepad file to your Desktop and attach zoek-results.log here.
    Note: It will also create a log in the C:\ directory named “zoek-results.log”.


Now I want you to run a mighty tool, one that has great knowledge of a large number of active malware: ComboFix. In addition, ComboFix will delete temp and junk files and create a report for future review.

Just follow the instructions, everything will be okay. ;)

Scan with Combofix:

  • Please download ComboFix by sUBs and save it to your Desktop.
    You may read how Combofix works here.
  • Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
    If you are unsure how to do this please read this or this Instruction.
  • Run ComboFix. Click on I Agree! and follow the prompts.
    Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart your computer.
  • When finished, it will produce a report for you. Please attach the log report (ComboFix.txt) back to the topic.
    (typical log location: C:\ComboFix.txt)

Tense? Well in RL, yesterday was a really bad day for me and since I don’t like American network TV, I have to download foreign entertainment and while I was attempting that this issue popped up. Plus I used to work in an industry where patience is considered a dirty word so I will admit I lack patience.

Anyway since the zoek program looks for a file called zoekscript.txt I created one with your new script and ran it. Afterwards I ran ComboFix and I have attached the results.

BTW, I am a little curious about why you don’t think I will have another similar problem once I am finished with your instructions? Are you going to have me install something that will block a re-occurrence?

Thanks again.

> ...yesterday was a really bad day for me ...

Sorry to hear that ... :(

> Anyway since the zoek program looks for a file called zoekscript.txt I created one with your new script and ran it.

Have you used the first script for zoek? We'll try again, using the method that you have already tried: running zoek.exe via zoekscript.txt.

> BTW, I am a little curious about why you don't think I will have another similar problem once I am finished with your instructions?

I cannot know. What I see in the logs is that inexpert installation of various software has also loaded all sorts of things (adware, malware extensions, etc.) onto the system, and the first step is to clean up your computer.

> Are you going to have me install something that will block a re-occurrence?

That is the job of the antivirus. I can recommend software as additional help to your current security setup, but know that there is no protection against improper handling.

We shall re-run zoek one more time via zoekscript.

Download attached zoekscript.txt

http://www.mcshield.net/personal/magna86/Images/zoekscript.gif

Following the gif, drag zoekscript.txt onto zoek.exe. This will re-run zoek.exe to perform the fix…

Here is the latest log file for zoek using your last script file I downloaded.

Generally speaking I don’t add any new software to this particular computer, but I notice with the constant updates (which seem to be more frequent) for Java, adobe, and now even utorrent, there are constant additional software options that are by default clicked on which I have to disable. I’ve learned to do this for Java and adobe but I will admit when it pops up on some other update, I don’t know whether it is required or not. For example I knew I had the utorrent2control toolbar but I didn’t know if I had to have it to use utorrent or not so I left it alone. However I think most of my problems come from some of the sketchy download sites I get redirected to - the ads that populate these sites have a myriad of download buttons that don’t tell you what you are downloading and it is sometimes hard to distinguish between the ads and the actual download I am looking for - I am getting better at discernment but I will admit I have made mistakes in the past - but I had always relied on Avast boot-time scans with a combination of SAS and Malwarebytes to fix my mistakes. This is the first time that combination has failed me. Since my ISP meters my usage I prefer DDL over using torrents, but perhaps I should just stick with torrents.

Prior to the last reboot I had been getting warnings from SAS about an attempt to change my default browser page to some Microsoft page which I have SAS block but that did not happen with this last reboot. It did happen on the prior 2 reboots though. Once more, I really appreciate you doing all this.

Hi,

> Prior to the last reboot I had been getting warnings from SAS about an attempt to change my default browser page to some Microsoft page which I have SAS block but that did not happen with this last reboot.

This one was zoek. Zoek was trying to restore default IE settings back to Microsoft settings (as IE belongs to zoek).

Anyway, posted zoek log looks good. Your PC should be running faster too. How is it running?

It does run significantly faster. I am able to run 4 torrents simultaneously without my mouse movements being jerky. Before if I ran more than one at a time, my machine would slow down and I would get a windows message about moving to Windows Basic video. Now this had happened in the past and as I said before I had used a combination of an Avast boot-time scan followed by SAS and malwarebytes to clear things up.

Years ago I only used Norton (I had really bad experiences with McAfee locking up my computer) but sometime around 2008 or so Norton was taking up too much of my computer resources. I talked to my IT people at work and they recommended I use Avast. I had never heard of Avast before but it kind of made sense to use a lesser known product since most malware programmers would not bother to try to fool a lesser known program. Then in 2010 I was shocked when some malware attempted to emulate an Avast message. It was poorly done and easy to spot but the fact that someone had bothered to write a piece of malware that could identify that you had Avast and try to fool you bothered me. When I went back to my IT guys they recommended that I use multiple anti-malware programs that used different kinds of engines to spot different types of programs and that is when I added SAS and malwarebytes and that combination with Avast has served me quite well until this incident. However since my old company no longer exists I could not go back to my IT guys so I came to this forum.

Anyway thanks a bunch. You really spent a lot of time and effort on this and I really appreciate it!

;)

  • multiple anti-malware programs…Yes. That’s Ok.
  • multiple anti-virus programs …big No!
  • anti-virus that uses multiple engine…Yes. That’s Ok.

SAS is the past… feel free to remove it. SAS can’t deal with the latest malware infections. Keep Malwarebytes as it is one of the best tools. MBAM will work together with the antivirus program.

In addition, I recommend using MCShield if you wish.
You may download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

It will prevent infection of the computer via USB flash drive, mobile phone or any other memory card.
And not only will it prevent infection, but it will also immediately clean the flash drive, memory card or external HDD.

I shall remove used tools.

It is necessary to uninstall ComboFix:

  • Click Start (or the Vista Start button), then Run.
    On Windows 7 or Vista you may use the Start Search field if Run is not available.
  • In the line of text type in (copy) the following:

ComboFix /Uninstall

    Note that there is a space between "ComboFix" and "/Uninstall".
  • Then click OK (or press Enter).

Wait for the uninstall process to complete.

THEN…
Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes:

  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore

Now click on the “Run” button. Wait for the program to complete its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt).
Note: The report will also be stored in C:\DelFix.txt

I don’t need the DelFix log report.

OK, Done. Thanks again.

Back in 2010 when I first started using SAS and Malwarebytes, for the first several months, I alternated between them when deciding what to run first. At that time I only had Avast AV not IS. SAS consistently spotted more Adware back then. When I ran MBAM first and then SAS, SAS would pick up some additional adware, but when I ran SAS first and then MBAM, MBAM would not report anything new. Despite that I did continue to use MBAM after SAS but lately I noticed it had picked up some additional issues that SAS did not spot. So I will remove SAS and replace that with MCShield.