Install led to potential virus

I was without virus protection at work (a new Windows 8 machine) and decided to go and install Avast! on it. I googled Avast Windows 8 and that sent me to a download page that looked authentic. During the install it offered to install something like a direct-search tool bar. I cleared the checkbox and continued with the install. During the install Internet Explorer blocked an attempt to change it’s home page. However Google Chrome was not so lucky. Everytime I run the application it started up with Direct-Search. I cleared the settings and wiped out the registry entries and it returned. No matter what.

In the registry it was in a key named bProtectStartPage or something like that. Doing a google for that I found reference to PUP.bProtect. So I assume this disgusting company used a virus to inject itself in my browser using an avast install. So how do I eliminate bProtect from my system???

Hi let me help. What site did you download from ?

Please download Junkware Removal Tool to your desktop.

[]Right-mouse click JRT.exe and select “Run as Administrator” the tool will open and start scanning your system
[
]please be patient as this can take a while to complete depending on your system’s specifications
[]On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
[
]post the contents of JRT.txt into your next message.

THEN

Download OTL to your Desktop
Secondary link

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif

[*]Select All Users
[*]Under the Custom Scan box paste this in

netsvcs
BASESERVICES
%SYSTEMDRIVE%*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
dir “%systemdrive%*” /S /A:L /C
CREATERESTOREPOINT

[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Attach both logs

I’ll continue to update this as I get more data.

I’m sorry to say I do not know the website. As I said, I googled for avast for windows 8 and then just clicked and let it run.
Near as I can tell they used a vulnerability in the installer you are using to add the toolbar in your install. Then injected their virus instead.

I do not have the first run results of JRT because there were quite a few keys it could not touch. I reran it as admin but forgot to back up the file first. However the only main item that stuck out was the presense of Babylon. Also during the first run it kicked off the virus as it tried to insert it’s stuff into IE once again. This event did not happen the second run.

The OLT run did not create an Extras.txt file.

As an added note: after reviewing the pinned topic I downloaded and ran Rogue Killer and it found and cleaned out some suspicious files on my system as well.
I suspect that the reinfection of Chrome is occurring by a fake file posing as a windows file. As the last time I uninstalled Chrome, ran regedit and killed any and all entries containing the search webpage, and after a reboot reinstalled Chrome. The next day like around 2 or so it ran again and started going to that webpage once again.

If I start my system and can use Chrome all day without issues for 2 days then it could be safe to say that we got it. Cross your fingers.

Before I progress did you knowingly install BitGuard as it has a dubious reputation

I should imagine that you were offered a download manager to help in the download . Reasons not to use them
http://blog.avast.com/2013/07/09/shady-practices-of-free-download-servers/If you let me know that you do not want Bitguard then I will kill it

Not only did I not install BitGuard but it isn’t in my Program List for uninstalls.

OK lets go on a killing spree :slight_smile:

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
SRV - [2013/09/13 10:02:00 | 003,029,472 | ---- | M] () [Auto | Running] -- C:\ProgramData\BitGuard\2.6.1673.238\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe -- (BitGuard)
SRV - [2013/08/29 21:16:32 | 000,206,632 | ---- | M] (WebConnect) [Auto | Running] -- C:\Program Files (x86)\WebConnect\updateWebConnect.exe -- (Update WebConnect)
IE - HKU\S-1-5-21-28766344-215306656-4137363297-1001\..\SearchScopes,bProtectorDefaultScope = {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
[2013/06/13 20:45:26 | 000,034,048 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll
O20 - AppInit_DLLs: (c:\progra~3\bitguard\261673~1.238\{c16c1~1\bitguard.dll) - c:\ProgramData\BitGuard\2.6.1673.238\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.dll ()
[2013/09/13 13:22:15 | 000,000,000 | ---D | C] -- C:\Users\Consult2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BitGuard
[2013/09/13 13:22:11 | 000,000,000 | ---D | C] -- C:\ProgramData\BitGuard
[2013/09/05 11:39:23 | 000,000,000 | ---D | C] -- C:\Users\Consult2\AppData\Roaming\0S1F1O2Z0S2Y1H1T
[2013/09/05 11:39:19 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\searchplugins
[2013/09/05 11:39:19 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\Extensions
[2013/09/05 11:39:09 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\WebConnect

:Files
C:\Program Files (x86)\WebConnect

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Running an important test for our product right now. I’ll run this after lunch and send the results.
BTW : The one key in the script looks similar to the registry key I found that had pointed at the website.
And here is the website URL that keeps reappearing:
www2.delta-search.com/?babsrc=HP_ss&mntrld=3C2300216AB57B7C&affID=119351&tsp=4996

If that is in Chrome you will need to manually remove it as none of my tools work there

Okay! Here is the results.

I cleaned Chrome right at the point that restart was requested. But it must be aimed at injecting at the Closing event instead of the Opening event. However after reboot and purging the page from my start page list, Chrome has remained clean. Yeah. I think I’ll let Google know of their one week spot. :slight_smile:

Here are the logs, I see the after report still finds BitGuard in there…

Hmm little bugger is persistent isn’t it

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
O20 - AppInit_DLLs: (c:\progra~3\bitguard\261673~1.238\{c16c1~1\bitguard.dll) - c:\ProgramData\BitGuard\2.6.1673.238\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.dll ()
[2013/09/13 13:22:11 | 000,000,000 | ---D | C] -- C:\ProgramData\BitGuard


:Commands
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

This was interesting. I did not run the fix but what I did do was go to delete the folder manually. It didn’t delete because “it was opened by another file”. I used one of my dev tools and it is opened by Moto. The only thing on my machine related to that was the Motorola drivers and device manager. I uninstalled those and was able to delete the nasty bugger manually. I’ve run several tests and reboots and — that bugger website no longer shows up!!! I think we can call this a fix. Whew.

Are Motorola bundling this rubbish now ?

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Delete JRT from the desktop

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

Clear Restore Points

Go Start > All Programmes > Accessories > System tools
Right click Disc Cleanup and select run as administrator
When it pops up at the first prompt select OK after it has done some calculations the tabs will appear
Select More Options tab
Press Sytem Restore and Shadow Copies Cleanup button

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

If you use on-line banking then as an added layer of protection install Trusteer Rapport

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?Keep safe :wave: