I was without virus protection at work (a new Windows 8 machine) and decided to go and install Avast! on it. I googled Avast Windows 8 and that sent me to a download page that looked authentic. During the install it offered to install something like a direct-search tool bar. I cleared the checkbox and continued with the install. During the install Internet Explorer blocked an attempt to change it’s home page. However Google Chrome was not so lucky. Everytime I run the application it started up with Direct-Search. I cleared the settings and wiped out the registry entries and it returned. No matter what.
In the registry it was in a key named bProtectStartPage or something like that. Doing a google for that I found reference to PUP.bProtect. So I assume this disgusting company used a virus to inject itself in my browser using an avast install. So how do I eliminate bProtect from my system???
[]Right-mouse click JRT.exe and select “Run as Administrator” the tool will open and start scanning your system
[]please be patient as this can take a while to complete depending on your system’s specifications
[]On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
[]post the contents of JRT.txt into your next message.
[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Attach both logs
I’m sorry to say I do not know the website. As I said, I googled for avast for windows 8 and then just clicked and let it run.
Near as I can tell they used a vulnerability in the installer you are using to add the toolbar in your install. Then injected their virus instead.
I do not have the first run results of JRT because there were quite a few keys it could not touch. I reran it as admin but forgot to back up the file first. However the only main item that stuck out was the presense of Babylon. Also during the first run it kicked off the virus as it tried to insert it’s stuff into IE once again. This event did not happen the second run.
As an added note: after reviewing the pinned topic I downloaded and ran Rogue Killer and it found and cleaned out some suspicious files on my system as well.
I suspect that the reinfection of Chrome is occurring by a fake file posing as a windows file. As the last time I uninstalled Chrome, ran regedit and killed any and all entries containing the search webpage, and after a reboot reinstalled Chrome. The next day like around 2 or so it ran again and started going to that webpage once again.
If I start my system and can use Chrome all day without issues for 2 days then it could be safe to say that we got it. Cross your fingers.
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
Running an important test for our product right now. I’ll run this after lunch and send the results.
BTW : The one key in the script looks similar to the registry key I found that had pointed at the website.
And here is the website URL that keeps reappearing: www2.delta-search.com/?babsrc=HP_ss&mntrld=3C2300216AB57B7C&affID=119351&tsp=4996
I cleaned Chrome right at the point that restart was requested. But it must be aimed at injecting at the Closing event instead of the Opening event. However after reboot and purging the page from my start page list, Chrome has remained clean. Yeah. I think I’ll let Google know of their one week spot.
Here are the logs, I see the after report still finds BitGuard in there…
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
This was interesting. I did not run the fix but what I did do was go to delete the folder manually. It didn’t delete because “it was opened by another file”. I used one of my dev tools and it is opened by Moto. The only thing on my machine related to that was the Motorola drivers and device manager. I uninstalled those and was able to delete the nasty bugger manually. I’ve run several tests and reboots and — that bugger website no longer shows up!!! I think we can call this a fix. Whew.
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean
A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:
Delete JRT from the desktop
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.
Clear Restore Points
Go Start > All Programmes > Accessories > System tools
Right click Disc Cleanup and select run as administrator
When it pops up at the first prompt select OK after it has done some calculations the tabs will appear
Select More Options tab
Press Sytem Restore and Shadow Copies Cleanup button
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link
If you use on-line banking then as an added layer of protection install Trusteer Rapport
It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
[*]Microsoft Windows Update