I am hoping somebody can help me to cleanse my daughter’s laptop of the BProtect trojans and adware. So far, I have found the following variants whilst performing a boot scan with Avast Internet Security:
Troubleshooting (note: I have followed the guide posted by essexboy in this forum):
Boot scan with Avast - will not allow any action on these files other than ignore, so I did not allow it to complete. This is how I identified the problem.
Scan with Malwarebytes Anti-Malware -
a. First scan found 220 infected files, I exported the log, and was about to attach it to this post however it seems that I may have overwritten it with a more recent scan :/, and selected ‘Apply actions’, and rebooted.
b. Subsequent scans with this tool produce 0 infected files - see attached log ‘mbam.txt’, however Avast boot scan still picks up BProtect.
Updated all programs with Avast - including Java.
Quick scan with Avast - Found a handful of JS:SaveByClick-A [Adw], and moved them to the Chest.
Scan with Farbar Recovery Scan tool - attached both FRST and Addition logs, but did not select ‘fix’ after the scan…because the guide in this forum did not mention whether to ‘fix’ or not after the scan.
Scan with aswMBR - attached log, but did not select ‘FixMBR’ or ‘Fix’ after the scan…because the guide in this forum did not mention whether to or not.
CAUTION: This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
HKLM\...\Run: [] => [X]
HKLM-x32\...\Run: [mobilegeni daemon] => C:\Program Files (x86)\Mobogenie\DaemonProcess.exe
URLSearchHook: HKCU - (No Name) - {55d7c7bc-12a7-4f9b-81c0-600d9a182395} - No File
SearchScopes: HKLM-x32 - {9bd172ba-3f40-4303-bca1-0484b5ba2a7b} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^YJ^yyyyyy^YY^au&ptb=31027D04-540F-4E4C-B229-1F02746EB2E5&psa=&ind=2013041102&st=sb&n=77fc91ce&searchfor={searchTerms}
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
Toolbar: HKLM-x32 - No Name - {98889811-442D-49dd-99D7-DC866BE87DBC} - No File
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Toolbar: HKCU - No Name - {55D7C7BC-12A7-4F9B-81C0-600D9A182395} - No File
AlternateDataStreams: C:\Users\Antonia\Downloads\License.avastlic:com.apple.metadata?kMDLabel_ok4gb6gmp5lg7lwjxaardoix2e
AlternateDataStreams: C:\Users\Antonia\Downloads\License.avastlic:com.apple.quarantine
C:\Program Files (x86)\Mobogenie
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that
THEN
Please download AdwCleaner by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.
Ran the Avast boot scan and came back with only 1 infected file. The irony is that it was Quarantine.txt from the AdwCleaner application (downloaded from bleepingcomputer.com)
08/13/2014 16:28
Scan of all local drives
File C:\Users\Antonia\AppData\Roaming.technic\bigdig\cache\nei-v1.5.2.21.zip|>coremods\NotEnoughItems 1.5.2.21.jar Error 42125 {ZIP archive is corrupted.}
File C:\Users\Antonia\AppData\Roaming.technic\modpacks\dlc-pack\cache\dlc-pack-Beta 1.7.6.zip|>coremods\CodeChickenCore 0.8.1.jar Error 42125 {ZIP archive is corrupted.}
File C:\Users\Antonia\AppData\Roaming.technic\tekkit\cache\matmos-v12.zip|>resources\newsound\matmos_hl\wind\wind_snippet4.ogg Error 42125 {ZIP archive is corrupted.}
File C:\Users\Antonia\Downloads\ei_win_1.0.1_2492 (1).zip|>EpicInventor.exe Error 42125 {ZIP archive is corrupted.}
File C:\Users\Antonia\Downloads\ei_win_1.0.1_2492.zip.qmqfszr.partial|>EpicInventor.exe Error 42125 {ZIP archive is corrupted.}
File C:\AdwCleaner\Quarantine\Quarantine.txt is infected by NSIS:NextLive-A [Adw], Moved to chest
Number of searched folders: 38147
Number of tested files: 2866006
Number of infected files: 1
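As an added example (not from this thread or from Avast), a small Python parser for the boot-scan report format shown above: it separates real detections from "ZIP archive is corrupted" errors, checks that the summary count matches the detections listed, and flags any detection that sits inside another tool's quarantine folder, as happened here with AdwCleaner's Quarantine.txt. The sample lines are copied from the post; the list of quarantine prefixes is an assumption.

```python
import re

# Subset of the boot-scan output posted above (constructed sample for this example)
SAMPLE_LOG = r"""08/13/2014 16:28
Scan of all local drives
File C:\Users\Antonia\Downloads\ei_win_1.0.1_2492 (1).zip|>EpicInventor.exe Error 42125 {ZIP archive is corrupted.}
File C:\AdwCleaner\Quarantine\Quarantine.txt is infected by NSIS:NextLive-A [Adw], Moved to chest
Number of searched folders: 38147
Number of tested files: 2866006
Number of infected files: 1
"""

INFECTED_RE = re.compile(r"^File (?P<path>.+?) is infected by (?P<detection>\S+ \[\w+\]), (?P<action>.+)$")
ERROR_RE = re.compile(r"^File (?P<path>.+?) Error (?P<code>\d+) \{(?P<reason>[^}]*)\}$")
SUMMARY_RE = re.compile(r"^Number of (?P<what>searched folders|tested files|infected files): (?P<n>\d+)$")

# Assumed quarantine locations (only the AdwCleaner path comes from the post); matched case-insensitively
QUARANTINE_DIRS = (r"c:\adwcleaner\quarantine",)


def parse_avast_boot_log(text):
    """Split a boot-scan report into detections, archive errors and summary counts."""
    result = {"infected": [], "errors": [], "summary": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := INFECTED_RE.match(line):
            result["infected"].append({"path": m["path"], "detection": m["detection"], "action": m["action"]})
        elif m := ERROR_RE.match(line):
            # Unreadable archives are scan-coverage gaps, not malware findings
            result["errors"].append({"path": m["path"], "code": int(m["code"]), "reason": m["reason"]})
        elif m := SUMMARY_RE.match(line):
            result["summary"][m["what"]] = int(m["n"])
    return result


def in_quarantine(path):
    """True if the flagged file lives inside another tool's quarantine folder."""
    return path.lower().startswith(QUARANTINE_DIRS)


def triage(text):
    """Separate live detections from quarantined ones and sanity-check the summary count."""
    parsed = parse_avast_boot_log(text)
    live = [d for d in parsed["infected"] if not in_quarantine(d["path"])]
    count_ok = parsed["summary"].get("infected files") == len(parsed["infected"])
    return {"live": live, "quarantined": len(parsed["infected"]) - len(live),
            "errors": len(parsed["errors"]), "count_ok": count_ok}
```

A detection whose path is under a quarantine directory is the tool's stored copy, not an active infection; only the "live" list needs further action.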
WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article
I would recommend that you completely uninstall Java unless you need it to run important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
CryptoPrevent install this programme to lock down and prevent crypto ransomware