Startup scan gives non-removable warning | dprotect-b trj

Hi,

Did a startup scan and Avast found a number of problems that could not be removed or put in the vault. Most had to do with dprotect-b.
After doing a Google search on dprotect-b, I was directed to this forum.

I’ve read through the instructions and attached you will find the requested logs. Really hoping someone can help me. Seems like my PC is all kinds of messed up at this moment.

Greets,
Nick

Hello crypton1te and welcome to avast! I will be working on your malware issues.

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the ‘all clear’ even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.


Malwarebytes has targeted the PUP program known as YUC as well as some other adware entries known to it. With a FixList we will tell FRST to target the remains and perform some junk & temp file cleaning.

1. Open notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Start
CreateRestorePoint:
File: C:\Program Files (x86)\Tor\tor.exe
Reg: reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2 /f
CMD: bitsadmin /reset /allusers

CloseProcesses:
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
URLSearchHook: HKLM-x32 - Default Value = {CCC7B159-1D8C-11E3-B2AD-F3EF3D58318D}
SearchScopes: HKLM -> DefaultScope {425ED333-6083-428a-92C9-0CFC28B9D1BF} URL = 
SearchScopes: HKLM-x32 -> DefaultScope {425ED333-6083-428a-92C9-0CFC28B9D1BF} URL = 
SearchScopes: HKU\.DEFAULT -> DefaultScope {425ED333-6083-428a-92C9-0CFC28B9D1BF} URL = 
SearchScopes: HKU\S-1-5-21-1807851072-2028520930-2935123870-1000 -> DefaultScope {425ED333-6083-428a-92C9-0CFC28B9D1BF} URL = 
FF DefaultSearchEngine: V9 
FF DefaultSearchUrl: hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2504091&SearchSource=3&q={searchTerms}
FF SearchEngineOrder.1: appbario8 Customized Web Search
FF SelectedSearchEngine: V9 
CHR HKLM-x32\...\Chrome\Extension: [bopakagnckmlgajfccecajhnimjiiedh] - http://clients2.google.com/service/update2/crx
R2 tor; C:\Program Files (x86)\Tor\tor.exe [3233806 2013-08-31] () [File not signed] <==== ATTENTION

Hosts:
C:\Program Files (x86)\Tor

RemoveProxy:
Task: {0553E049-C8B2-4DF3-9829-8CBDD3F68B60} - \RocketTab Update Task No Task File <==== ATTENTION
Task: {2A12797F-DF8A-412C-AB4C-D4FDA9C8C80E} - \AdobeFlashPlayerUpdate No Task File <==== ATTENTION
Task: {59A150F0-B1E7-4A40-B134-96D0AA6BEDC0} - \AdobeFlashPlayerUpdate 2 No Task File <==== ATTENTION
Task: {5B7CF35D-A401-4950-A7A4-03A0E93FFDB1} - \BitGuard No Task File <==== ATTENTION
Task: {6EC5EEF7-5F5C-46D0-B187-EFDE7583FBFA} - \RocketTab No Task File <==== ATTENTION

AlternateDataStreams: C:\ProgramData\TEMP:D282699C

EmptyTemp:
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about an outdated version, please download and run the updated version.
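The fixlist above targets four classes of artifacts: a hijacked browser search scope, scheduled tasks whose task file is gone, an alternate data stream, and an unsigned service binary. As an added, read-only audit (example code written for this page, not part of the thread, of FRST or of any of the tools named here), the PowerShell below reports those same classes so a defender can check a machine before and after such a fix. The CLSID and file paths are taken from the fixlist on this page; the registry locations are the standard Windows ones for these objects.

```powershell
# Added read-only audit: reports the same classes of artifacts the fixlist above targets.
# It changes nothing. Run in an elevated Windows PowerShell 5.1 session.
# CLSID and paths come from the fixlist on this page; registry locations are standard.

# 1. Search-scope hijack: which DefaultScope each hive points to, and where it leads.
$hijackScope = '{425ED333-6083-428a-92C9-0CFC28B9D1BF}'
$scopeKeys = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes',
             'HKCU:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes'
foreach ($key in $scopeKeys) {
    if (-not (Test-Path $key)) { continue }
    $default = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DefaultScope
    $url     = (Get-ItemProperty -Path "$key\$default" -ErrorAction SilentlyContinue).URL
    $flag    = if ($default -eq $hijackScope) { '  <== CLSID flagged in fixlist' } else { '' }
    "$key DefaultScope=$default URL=$url$flag"
}

# 2. Orphaned scheduled tasks: a TaskCache\Tree entry whose XML under System32\Tasks is gone
#    (what FRST reports as 'No Task File').
$taskDir = "$env:windir\System32\Tasks"
$tree    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
Get-ChildItem -Path $tree -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.GetValue('Id') } |                 # leaf keys (tasks) carry an Id value
    ForEach-Object {
        $rel = $_.Name -replace '.*\\Tree', ''           # e.g. \RocketTab Update Task
        if (-not (Test-Path -LiteralPath ($taskDir + $rel))) {
            "Orphaned task: $rel  Id=$($_.GetValue('Id'))"
        }
    }

# 3. Alternate data streams on the object FRST listed (C:\ProgramData\TEMP:D282699C).
Get-Item -LiteralPath 'C:\ProgramData\TEMP' -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' } |
    ForEach-Object { "ADS: $($_.FileName):$($_.Stream)  ($($_.Length) bytes)" }

# 4. Services whose binary is not Authenticode-signed, like the tor.exe entry flagged above.
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $exe = $_.PathName
    if ($exe -match '^"([^"]+)"') { $exe = $Matches[1] }          # quoted image path
    elseif ($exe -match '^(\S+\.exe)') { $exe = $Matches[1] }     # unquoted path without spaces
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid') {
            "Service $($_.Name): $exe [$($sig.Status)]"
        }
    }
}
```

A clean machine prints nothing for sections 2 and 3; section 1 always prints the current scopes so the URL can be read, and section 4 will also list legitimate unsigned third-party services, which is why the output is reviewed rather than acted on automatically.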

First of all, thanks for your help!

Did what you said and attached* “fixlog.txt”

*forgot to attach and attached it now…

Hello,

You had new malware still unknown to many AV vendors. The specimen was sent to VirusTotal a few days ago, so soon all AVs should target this very well.
The malware should be removed, but we will check that additionally later.

Let’s perform some additional cleaning and a malware check first.

Please download the Zoek tool by Smeenk from here and save it to your Desktop.
Unpack the archive…

- Close any open browsers and temporarily disable your AntiVirus program (if necessary).
If you are unsure how to do this, please read this or this instruction.

- Double click on zoek.exe to run the tool. Please wait until the tool starts…
- Copy the text present inside the code box below and paste it into the large window in the zoek tool:

Uninstall-List;
EmptyFoldersCheck;Delete 
EmptyCLSID;
C:\Windows\sysWOW64\config\systemprofile\appdata\local;vs
C:\WINDOWS\system32\rsaenh.dll;i
AutoClean;
Reboot;

- Click on the Run Script button.
Please wait until a log report opens (this can be after reboot).

- Save the notepad file to your Desktop and attach zoek-results.log here.
Note: It will also create a log in the C:\ directory named “zoek-results.log”.

Did what you asked. Here’s the zoek-results attached.

Ok, zoek had a lot of work there. Fortunately for us, he did a great job.

Could you now please run the FRST tool again, press the Scan button and post the freshly created FRST.txt log for re-analysis.

Sorry for the wait, had to get some stuff done in the meantime. Here’s the fresh FRST file attached.

Well, the logs look clean and MBAM’s Protector is active in the background, so this should be it.

Tell me, how is the computer running now? Are you still getting any alerts?

That sounds great. Your help is very much appreciated.

PC seems to be fine at the moment. There is however one remaining problem and it’s one that I’ve been having for a while now. I’m not sure if this is virus/malware related so I’ll try to explain it the best I can.

Every couple of minutes it seems like my mouse or tab goes inactive by itself. This results in me having to retype parts of this post when it suddenly stops registering my keystrokes. Whenever I keep typing after it happens (when I don’t notice fast enough) it results in my internet disconnecting. Also it messes with the full screen viewing mode of my media players. As soon as it happens I’m pulled out of full screen viewing mode. Have you ever come across something like this? Or any idea what it could be / could be done?

Again, I’m not sure if this is virus/malware related but it’s very frustrating having to deal with it. Thought I might as well ask, since you’ve been a great help already.

Greets,
Nick

Have you ever come across something like this? Or any idea what it could be / could be done?

First time I’ve heard of this kind of problem. ;D This isn’t a malware-related issue, but maybe you have a problem with drivers or hardware.

Have you tried a different keyboard? Re-check your drivers (device manager) and/or update your graphics card drivers. But that does not explain why you’re losing your Internet connection.

I think you’ll have to call someone to investigate the computer and the system.

Since the malware issue has been solved, I have post-cleaning stuff to post you as well as some useful tips. You should be good to go…

We’re gonna remove the tools I used now, as well as carry out some further cleaning and security settings. To learn more about how to protect yourself, I’ll give you a few tips for reading.

The following will implement some post-cleanup procedures:


Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:
- Remove disinfection tools
- Create registry backup
- Purge System Restore
Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

Tip: Do not use security tools such as ComboFix, FRST, Zoek and the like. These are advanced security tools and should not be used without supervision.


Learn how to protect yourself:

=> In order to stay protected it is very important that you regularly update all of your software and Windows Operating System.

It is important that you visit Windows Update regularly.
How to configure and use Automatic Updates in Windows

It’s vital that you keep all your software up-to-date as older versions may have some security vulnerabilities. Keeping Java and Adobe updated is a priority.
Download and install latest version of Java
Download and install latest version of Adobe Reader

=> I recommend that you use one of the fantastic opportunities provided by avast! AntiVirus.

For security protection, an active AntiVirus is required. If you want to reinforce your security setup, I recommend additional security software and utilities:
Download and install Malwarebytes’ Anti-Malware and perform ‘Threat Scan’ from time to time. Malwarebytes will detect and remove all traces of known malware.
Download and install MCShield Anti-Malware Tool to prevent infections transmitted via removable drives.
Download and install Unchecky to keep your checkboxes clear by preventing the installation of additional adware and other PUP software.
Download and install AdBlock for safe web surfing without annoying and malicious ads.

Extra text for reading:

Please visit and review PC Safety and Security - What Do I Need? for some helpful information.

Please visit FAQ - Answers to common security questions - Best Practices to read tips how to protect yourself against malware infection.

You may also visit and read What to do if your Computer is running slowly? if you like to read some basic geek stuff.

The specific type of infection:

Meet CryptoPrevent, a security app that attempts to prevent dangerous malware that encrypts certain types of files stored on your disk, like CryptoWall, CryptoLocker and similar clones.

More information about this family of malicious software: CryptoLocker Ransomware Information Guide and FAQ; Cryptolocker Ransomware: What You Need To Know; and CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ.

Stay safe.

Best Regards,
magna86

Hello Magna,

Thanks so much for helping me! My computer works fine now, except for the little problem I was talking about. I’ll make sure to fix that!

Greets,
Nick