win32:bprotect-d and js-protect-b

Hi, I am running an Avast full system scan; the system rebooted and is currently scanning outside of Windows. It has reported some issues, most worryingly around BProtect-b and -d, and has moved infected files to the chest. Reading other threads I get the impression this is just the start of the process and I need to run some scans and cleanup tools then report back. Could someone point me in the right direction to start this process please.

Attach your basic logs. (MBAM, FRST and aswMBR…!!)
Instructions: https://forum.avast.com/index.php?topic=53253.0

Thanks Asyn, but I appear to be having problems running Malwarebytes. On the Filesystem Objects scan it is sticking on small files. Initially it was stuck after reviewing 79000 files, so I tried pausing and then restarting without success, then cancelling and restarting, again without success. I rebooted the PC and this time it is stuck on a 2kb HTML file after reviewing 72000 items. Is this a known issue? (I can hear that the disc drive is working and Task Manager shows mbam using CPU.)

For info, I am on a Windows 7 desktop.

Thanks
Richard

Try it in safe mode.

Thanks, but it failed again, this time at 71645 objects; it seems to be getting stuck earlier. It is stuck on an opf for in my local temp area. Would it be worth clearing all temp data and disconnecting my external drive to give the job less to do?

OK, skip MBAM for now. Continue with the other logs.

Hi Asyn - I have attached the FRST and Addition logs; that process completed successfully. The aswMBR process seemed to hang on one file, so I’m running it again but have attached the log at the point it got to. If it runs to completion I will attach the full log.
Regards, Richard

Addition.txt and FRST.txt

Hi, you seem to like toolbars :slight_smile:

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [TaskTray] => [X]
AppInit_DLLs: C:\PROGRA~2\SEARCH~2\Datamngr\x64\datamngr.dll => C:\PROGRA~2\SEARCH~2\Datamngr\x64\datamngr.dll File Not Found
AppInit_DLLs: C:\PROGRA~2\WI3C8A~1\Datamngr\x64\IEBHO.dll => C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\x64\IEBHO.dll [1530808 2012-12-10] (Bandoo Media Inc)
AppInit_DLLs: C:\PROGRA~2\WI3C8A~1\Datamngr\x64\datamngr.dll => C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\x64\datamngr.dll [1778584 2011-06-01] (Bandoo Media, inc)
AppInit_DLLs: C:\PROGRA~2\WI3C8A~1\Datamngr\x64\IEBHO.dll => C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\x64\IEBHO.dll [1530808 2012-12-10] (Bandoo Media Inc)
AppInit_DLLs: C:\PROGRA~3\Wincert\WIN64C~1.DLL => C:\PROGRA~3\Wincert\WIN64C~1.DLL File Not Found
AppInit_DLLs-x32: c:\progra~3\wincert\win32c~1.dll => "c:\progra~3\wincert\win32c~1.dll" File Not Found
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://feed.helperbar.com/?publisher=YahooTR&dpid=YahooTR&co=GB&userid=45431517-116d-47ad-81fb-ac7fc4119207&searchtype=ds&p={searchTerms}&fr=linkury-tb&installDate=23/02/2013&type=hp2000
HKCU\Software\Microsoft\Internet Explorer\Main,bProtector Start Page = http://www.delta-search.com/?affID=119529&babsrc=HP_ss&mntrId=ec9b44650000000000007071bc55151f
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://feed.helperbar.com/?publisher=YahooTR&dpid=YahooTR&co=GB&userid=45431517-116d-47ad-81fb-ac7fc4119207&searchtype=ds&p={searchTerms}&fr=linkury-tb&installDate=23/02/2013&type=hp2000
URLSearchHook: HKLM-x32 - (No Name) - {c44f9e21-d93f-490c-b41c-b3548bdd19fc} - No File
SearchScopes: HKLM - DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-results.com/sr?src=ieb&gct=ds&appid=394&systemid=406&apn_dtid=BND406&apn_ptnrs=AG6&o=APN10645&apn_uid=1202001071504803&q={searchTerms}
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-results.com/sr?src=ieb&gct=ds&appid=394&systemid=406&apn_dtid=BND406&apn_ptnrs=AG6&o=APN10645&apn_uid=1202001071504803&q={searchTerms}
SearchScopes: HKLM-x32 - DefaultScope {6D2B9A53-81AC-4A6E-8AC0-CE01BBDA2644} URL =
SearchScopes: HKLM-x32 - {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL = http://feed.helperbar.com/?publisher=YahooTR&dpid=YahooTR&co=GB&userid=45431517-116d-47ad-81fb-ac7fc4119207&searchtype=ds&p={searchTerms}&fr=linkury-tb&installDate=23/02/2013&type=hp2000
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - bProtectorDefaultScope {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
SearchScopes: HKCU - {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL = http://feed.helperbar.com/?publisher=YahooTR&dpid=YahooTR&co=GB&userid=45431517-116d-47ad-81fb-ac7fc4119207&searchtype=ds&p={searchTerms}&fr=linkury-tb&installDate=23/02/2013&type=hp2000
SearchScopes: HKCU - {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://www.delta-search.com/?q={searchTerms}&affID=119529&babsrc=SP_ss&mntrId=ec9b44650000000000007071bc55151f
SearchScopes: HKCU - {483830EE-A4CD-4b71-B0A3-3D82E62A6909} URL =
SearchScopes: HKCU - {5B6FF2D7-C57F-4EE7-8C7F-B319A06881A5} URL =
SearchScopes: HKCU - {6D2B9A53-81AC-4A6E-8AC0-CE01BBDA2644} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3298566&CUI=UN25482074877280253&UM=2
BHO: DataMngr -> {9D717F81-9148-4f12-8568-69135F087DB0} -> C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\x64\BrowserConnection.dll (Bandoo Media, inc)
BHO-x32: No Name -> {61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd} -> No File
BHO-x32: Searchqu Toolbar -> {99079a25-328f-4bd4-be04-00955acaa0a7} -> C:\Program Files (x86)\Searchqu Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
BHO-x32: DataMngr -> {9D717F81-9148-4f12-8568-69135F087DB0} -> C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\BrowserConnection.dll (Bandoo Media Inc)
BHO-x32: delta Helper Object -> {C1AF5FA5-852C-4C90-812E-A7F75E011D87} -> C:\Program Files (x86)\Delta\delta\1.8.10.0\bh\delta.dll (Delta-search.com)
BHO-x32: DataMngr -> {C1ED9DA0-AFD0-4b90-AC6A-D3874F591014} -> C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\BrowserConnection.dll (Bandoo Media Inc)
BHO-x32: No Name -> {c44f9e21-d93f-490c-b41c-b3548bdd19fc} -> No File
BHO-x32: Zoom Downloader -> {E5C66DD8-308B-4a4f-AF0A-3D04F25B5343} -> C:\Windows\SysWOW64\mscoree.dll (Microsoft Corporation)
BHO-x32: Search-Results Toolbar -> {f34c9277-6577-4dff-b2d7-7d58092f272f} -> C:\Program Files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\searchresultsDx.dll (APN LLC)
Toolbar: HKLM-x32 - No Name - {b278d9f8-0fa9-465e-9938-0c392605d8e3} - No File
Toolbar: HKLM-x32 - Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files (x86)\Searchqu Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
Toolbar: HKLM-x32 - Search-Results Toolbar - {f34c9277-6577-4dff-b2d7-7d58092f272f} - C:\Program Files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\searchresultsDx.dll (APN LLC)
Toolbar: HKCU - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
Toolbar: HKCU - No Name - {C44F9E21-D93F-490C-B41C-B3548BDD19FC} - No File
Toolbar: HKCU - No Name - {91DA5E8A-3318-4F8C-B67E-5964DE3AB546} - No File
FF NewTab: hxxp://feed.helperbar.com/?publisher=YahooTR&dpid=YahooTR&co=GB&userid=45431517-116d-47ad-81fb-ac7fc4119207&searchtype=nt&fr=linkury-tb&installDate=23/02/2013&type=hp2000
FF DefaultSearchEngine: Search Results
FF SearchPlugin: C:\Users\Fuller main computer\AppData\Roaming\Mozilla\Firefox\Profiles\snw32nnc.default\searchplugins\conduit.xml
FF SearchPlugin: C:\Users\Fuller main computer\AppData\Roaming\Mozilla\Firefox\Profiles\snw32nnc.default\searchplugins\Web Search.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\babylon.xml
FF Extension: Bandoo for Firefox - C:\Users\Fuller main computer\AppData\Roaming\Mozilla\Firefox\Profiles\snw32nnc.default\Extensions\ffox@bandoo.com [2011-08-03]
FF Extension: Delta Toolbar - C:\Users\Fuller main computer\AppData\Roaming\Mozilla\Firefox\Profiles\snw32nnc.default\Extensions\ffxtlbr@delta.com [2013-02-19]
FF Extension: Funmoods.com - C:\Users\Fuller main computer\AppData\Roaming\Mozilla\Firefox\Profiles\snw32nnc.default\Extensions\ffxtlbr@funmoods.com [2012-04-14]
FF Extension: No Name - C:\Users\Fuller main computer\AppData\Roaming\Mozilla\Firefox\Profiles\snw32nnc.default\Extensions\nostmp [2011-05-04]
FF Extension: PlayBryte - C:\Users\Fuller main computer\AppData\Roaming\Mozilla\Firefox\Profiles\snw32nnc.default\Extensions\playbryte@playbryte.com [2012-03-16]
FF Extension: Yontoo - C:\Users\Fuller main computer\AppData\Roaming\Mozilla\Firefox\Profiles\snw32nnc.default\Extensions\plugin@yontoo.com [2012-03-16]
FF Extension: PricePeep - C:\Users\Fuller main computer\AppData\Roaming\Mozilla\Firefox\Profiles\snw32nnc.default\Extensions\pricepeep@getpricepeep.com [2012-09-16]
FF Extension: MixiDJ V30 - C:\Users\Fuller main computer\AppData\Roaming\Mozilla\Firefox\Profiles\snw32nnc.default\Extensions\{1122b43d-30ee-403f-9bfa-3cc99b0caddd} [2013-06-30]
FF Extension: PriceGong - C:\Users\Fuller main computer\AppData\Roaming\Mozilla\Firefox\Profiles\snw32nnc.default\Extensions\{8A9386B4-E958-4c4c-ADF4-8F26DB3E4829} [2012-09-16]
FF Extension: Searchqu Toolbar - C:\Users\Fuller main computer\AppData\Roaming\Mozilla\Firefox\Profiles\snw32nnc.default\Extensions\{99079a25-328f-4bd4-be04-00955acaa0a7} [2012-06-03]
FF Extension: Search-Results Toolbar - C:\Users\Fuller main computer\AppData\Roaming\Mozilla\Firefox\Profiles\snw32nnc.default\Extensions\{f34c9277-6577-4dff-b2d7-7d58092f272f} [2012-12-12]
FF Extension: DivX Web Player - C:\Users\Fuller main computer\AppData\Roaming\Mozilla\Firefox\Profiles\snw32nnc.default\Extensions\DivXWebPlayer@divx.com.xpi [2011-08-03]
FF Extension: PricePeep - C:\Users\Fuller main computer\AppData\Roaming\Mozilla\Firefox\Profiles\snw32nnc.default\Extensions\pricepeep@getpricepeep.com.xpi [2012-07-30]
FF HKCU\...\Firefox\Extensions: [ffox@bandoo.com] - C:\Users\Fuller main computer\AppData\Roaming\Mozilla\Firefox\Profiles/snw32nnc.default\extensions\ffox@bandoo.com
FF Extension: Bandoo for Firefox - C:\Users\Fuller main computer\AppData\Roaming\Mozilla\Firefox\Profiles/snw32nnc.default\extensions\ffox@bandoo.com [2011-08-03]
FF HKCU\...\Firefox\Extensions: [{58bd07eb-0ee0-4df0-8121-dc9b693373df}] - C:\ProgramData\BrowserProtect\2.6.1095.52\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\FirefoxExtension
FF Extension: DataMngr - C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\FirefoxExtension [2012-12-12]
CHR Extension: (FLV Runner) - C:\Users\Fuller main computer\AppData\Local\Google\Chrome\User Data\Default\Extensions\ahilkiibpgjnonbhdfkkgjddddmapala [2014-08-14]
CHR Extension: (Delta Toolbar) - C:\Users\Fuller main computer\AppData\Local\Google\Chrome\User Data\Default\Extensions\eooncjejnppfjjklapaamhcdmjbilmde [2014-08-14]
CHR Extension: (MixiDJ V30) - C:\Users\Fuller main computer\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdkednngfjmpnljkolbapdednncafhen [2014-08-14]
CHR HKCU\...\Chrome\Extension: [ahilkiibpgjnonbhdfkkgjddddmapala] - C:\Users\Fuller main computer\AppData\Local\CRE\ahilkiibpgjnonbhdfkkgjddddmapala.crx [2013-03-27]
CHR HKCU\...\Chrome\Extension: [amfclgbdpgndipgoegfpkkgobahigbcl] - C:\Users\Fuller main computer\AppData\Local\Smartbar/Application\1Extension.crx [2013-03-27]
CHR HKCU\...\Chrome\Extension: [fdkednngfjmpnljkolbapdednncafhen] - C:\Users\Fuller main computer\AppData\Local\CRE\fdkednngfjmpnljkolbapdednncafhen.crx [2013-06-26]
CHR HKLM-x32\...\Chrome\Extension: [ahilkiibpgjnonbhdfkkgjddddmapala] - C:\Users\Fuller main computer\AppData\Local\CRE\ahilkiibpgjnonbhdfkkgjddddmapala.crx [2013-03-27]
CHR HKLM-x32\...\Chrome\Extension: [beclljdbfeppdjkhomkbnfhhkacalaca] - C:\Program Files (x86)\OApps\chrome-sl.crx [2013-06-30]
CHR HKLM-x32\...\Chrome\Extension: [eooncjejnppfjjklapaamhcdmjbilmde] - C:\Users\Fuller main computer\AppData\Roaming\Delta\delta.crx [2012-11-25]
CHR HKLM-x32\...\Chrome\Extension: [fdkednngfjmpnljkolbapdednncafhen] - C:\Users\Fuller main computer\AppData\Local\CRE\fdkednngfjmpnljkolbapdednncafhen.crx [2013-06-26]
CHR HKLM-x32\...\Chrome\Extension: [fdloijijlkoblmigdofommgnheckmaki] - C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsOEM.crx [2013-06-26]
CHR HKLM-x32\...\Chrome\Extension: [niapdbllcanepiiimjjndipklodoedlc] - C:\Users\FULLER~1\AppData\Local\Temp\YontooLayers.crx [2013-10-09]
CHR HKLM-x32\...\Chrome\Extension: [nneajnkjbffgblleaoojgaacokifdkhm] - C:\Program Files (x86)\DivX\DivX Plus Web Player\chrome\DivXHTML5\DivXHTML5.crx [2013-05-06]
CHR HKLM-x32\...\Chrome\Extension: [pgafcinpmmpklohkojmllohdhomoefph] - C:\ProgramData\BrowserProtect\2.6.1095.52\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.crx [2013-05-06]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKCU\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
2014-09-03 14:48 - 2013-06-21 15:39 - 00000322 _____ () C:\Windows\Tasks\DSite.job
2014-09-03 12:41 - 2012-12-12 23:37 - 00000000 ____D () C:\ProgramData\Wincert
Task: {1AFE9E5E-5630-44A6-BDBE-7F5ADE7072F8} - System32\Tasks\BrowserProtect => Sc.exe start BrowserProtect <==== ATTENTION
Task: {C723E268-73F3-4057-9B40-391565A59980} - System32\Tasks\DSite => C:\Users\FULLER~1\AppData\Roaming\DSite\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: C:\Windows\Tasks\DSite.job => C:\Users\FULLER~1\AppData\Roaming\DSite\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
C:\PROGRA~2\SEARCH~2\Datamngr
C:\Program Files (x86)\Windows iLivid Toolbar
C:\Program Files (x86)\Searchqu Toolbar
C:\Program Files (x86)\Search Results Toolbar
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.
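The fixlist above was assembled by hand by reading the FRST log for the usual adware persistence points: AppInit_DLLs entries, BHOs and toolbars whose file is gone, IE SearchScopes and start pages pointing at helperbar/delta-search/conduit, and scheduled tasks marked ATTENTION. The Python below is an added example, not code from this thread or from FRST; it triages a constructed subset of those log entries into the same classes and drafts a fixlist.txt from them. The ADWARE_KEYWORDS list (taken from the names in this thread), the GOOD_SEARCH_HOSTS set, and the one Bing SearchScope line used as a negative case are this example's own assumptions.

```python
"""Triage FRST-style log lines into persistence classes and draft a fixlist.

Added example for the thread above; not part of FRST or of the original post.
"""
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the entries from this thread's fixlist, plus
# one benign Bing SearchScope (not from the thread) as a negative case.
SAMPLE_LOG = r"""
AppInit_DLLs: C:\PROGRA~2\WI3C8A~1\Datamngr\x64\IEBHO.dll => C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\x64\IEBHO.dll [1530808 2012-12-10] (Bandoo Media Inc)
AppInit_DLLs: C:\PROGRA~3\Wincert\WIN64C~1.DLL => C:\PROGRA~3\Wincert\WIN64C~1.DLL File Not Found
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://feed.helperbar.com/?publisher=YahooTR&p={searchTerms}&fr=linkury-tb
SearchScopes: HKCU - {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://www.delta-search.com/?q={searchTerms}&affID=119529
SearchScopes: HKCU - bProtectorDefaultScope {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}
BHO-x32: No Name -> {61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd} -> No File
BHO-x32: delta Helper Object -> {C1AF5FA5-852C-4C90-812E-A7F75E011D87} -> C:\Program Files (x86)\Delta\delta\1.8.10.0\bh\delta.dll (Delta-search.com)
BHO-x32: Zoom Downloader -> {E5C66DD8-308B-4a4f-AF0A-3D04F25B5343} -> C:\Windows\SysWOW64\mscoree.dll (Microsoft Corporation)
Task: {1AFE9E5E-5630-44A6-BDBE-7F5ADE7072F8} - System32\Tasks\BrowserProtect => Sc.exe start BrowserProtect <==== ATTENTION
CHR HKLM-x32\...\Chrome\Extension: [nneajnkjbffgblleaoojgaacokifdkhm] - C:\Program Files (x86)\DivX\DivX Plus Web Player\chrome\DivXHTML5\DivXHTML5.crx [2013-05-06]
"""

# Assumption: indicator strings lifted from the component names in this thread.
ADWARE_KEYWORDS = ("datamngr", "ilivid", "searchqu", "search results", "delta",
                   "conduit", "funmoods", "yontoo", "bandoo", "browserprotect",
                   "bprotector", "dsite", "wincert", "mixidj", "pricepeep",
                   "pricegong", "babylon", "helperbar", "smartbar")

# Assumption: search providers accepted as legitimate for this example.
GOOD_SEARCH_HOSTS = {"www.bing.com", "www.google.com", "uk.search.yahoo.com"}

URL_RE = re.compile(r"https?://\S+")
SEARCH_PREFIXES = ("SearchScopes:", "FF NewTab:", "FF DefaultSearchEngine:")


def classify(line):
    """Return (category, reason) for a flagged FRST line, or None if it looks benign."""
    s = line.strip()
    if not s:
        return None
    low = s.lower()

    # A registered component whose backing file is gone: the leftover of a
    # half-uninstalled toolbar, and safe to remove.
    if low.endswith("file not found") or low.endswith("no file"):
        return ("orphan", "registered component whose file is missing")

    # AppInit_DLLs is loaded into every process that maps user32.dll; almost
    # nothing legitimate on a home PC needs it.
    if s.startswith("AppInit_DLLs"):
        return ("appinit", "DLL injected into every user32 process")

    if s.startswith("Task:") and "ATTENTION" in s:
        return ("task", "scheduled task flagged by the scanner")

    # Search and start-page settings: judge by the host they point at, not the name.
    if s.startswith(SEARCH_PREFIXES) or "internet explorer\\main" in low:
        m = URL_RE.search(s)
        if m is not None:
            host = urlparse(m.group(0)).hostname
            if host in GOOD_SEARCH_HOSTS:
                return None
            return ("search_hijack", f"search or start page points at {host}")
        # No URL (an empty scope, or a name-only entry): fall through to keywords.

    # A BHO hosted by mscoree.dll is a .NET assembly. The "(Microsoft Corporation)"
    # publisher describes the CLR loader, not the add-on, so it must not be trusted.
    if s.startswith("BHO") and "mscoree.dll" in low:
        return ("managed_bho", "managed BHO: publisher string is the CLR loader, inspect the assembly")

    hit = next((k for k in ADWARE_KEYWORDS if k in low), None)
    if hit:
        return ("adware", f"matches adware indicator '{hit}'")
    return None


def triage(log_text):
    """Group flagged lines by category: {category: [(line, reason), ...]}."""
    out = {}
    for line in log_text.splitlines():
        res = classify(line)
        if res:
            out.setdefault(res[0], []).append((line.strip(), res[1]))
    return out


def draft_fixlist(log_text):
    """FRST removes an item when its log line is pasted verbatim into fixlist.txt,
    so the draft is the flagged lines plus a temp sweep. It is a starting point
    for a human to review against the full log, not something to run blind."""
    flagged = [line.strip() for line in log_text.splitlines() if classify(line)]
    return flagged + ["EmptyTemp:"]


if __name__ == "__main__":
    for cat, items in triage(SAMPLE_LOG).items():
        print(f"[{cat}]")
        for line, reason in items:
            print(f"  {reason}\n    {line[:110]}")
    print("\n--- draft fixlist.txt ---")
    print("\n".join(draft_fixlist(SAMPLE_LOG)))
```

Two things the keyword approach deliberately does not decide for you: the DivX Chrome extension in the sample is left unflagged even though essexboy chose to remove it too, and the Zoom Downloader BHO is reported as a managed BHO rather than cleared on its Microsoft publisher string, because that string belongs to mscoree.dll and says nothing about the .NET add-on it loads.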

Thanks Essexboy, but you’re wrong - I hate toolbars. I’ve found out how to disable them but seem to go round in circles when I try and delete them >:(

Many thanks for the help. I’ve attached the two logs (the AdwCleaner log name was [S0] but I assume this is okay).

Just to give a bit of background, I started looking in detail at my PC when a friend said that a link I emailed them sent them to a page which had a link in it that downloaded a nuclear rootkit, and I want to be sure I didn’t have it too. I ran an Avast full check last night (including the scan done outside of Windows) and that came out clean (my initial run the day before had moved everything found to the chest); my concern is whether Avast would find this type of virus.

Thanks again
Richard (also from Essex)

Well you should now be toolbar free :slight_smile:

a link I emailed them sent them to a page which had a link in it that downloaded a nuclear rootkit
Do you use an online web mail, e.g. Google, Hotmail etc.? If so, change that password now, as it has been hacked.

Everything you had was adware, nothing serious.

How is the computer behaving now ?

All seems pretty good now but I will go ahead and change some passwords.

Many thanks to you and Asyn for your help - you provide an invaluable service to those of us who are dangerously light on expertise.

cheers

Richard

You're almost done … essexboy will remove the tools used when all is OK.

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article

I would recommend that you completely uninstall Java unless you need it to run an important piece of software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software, and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run it weekly to keep your system clean.

It is critical to have both a firewall and an anti-virus to protect your system, and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe :wave:

Thanks

I’ll take your advice on Java and the other security software. I’ve successfully run DelFix (see below).

cheers

Richard

DelFix v10.8 - Logfile created 04/09/2014 at 16:09:55

Updated 29/07/2014 by Xplode

Username : Fuller main computer - LOUNGE

Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)

~ Removing disinfection tools …

Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\Users\Fuller main computer\Downloads\Addition.txt
Deleted : C:\Users\Fuller main computer\Downloads\AdwCleaner.exe
Deleted : C:\Users\Fuller main computer\Downloads\aswmbr.exe
Deleted : C:\Users\Fuller main computer\Downloads\aswMBR.txt
Deleted : C:\Users\Fuller main computer\Downloads\aswMBR2.txt
Deleted : C:\Users\Fuller main computer\Downloads\aswMBR3.txt
Deleted : C:\Users\Fuller main computer\Downloads\Fixlog.txt
Deleted : C:\Users\Fuller main computer\Downloads\FRST.txt
Deleted : C:\Users\Fuller main computer\Downloads\FRST64 (1).exe
Deleted : C:\Users\Fuller main computer\Downloads\FRST64.exe
Deleted : C:\Users\Fuller main computer\Downloads\MBR.dat
Deleted : HKLM\SOFTWARE\AdwCleaner
Deleted : HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASWMBR

~ Creating registry backup … OK

~ Cleaning system restore …

Deleted : RP #2169 [Windows Update | 08/28/2014 20:13:42]
Deleted : RP #2170 [Windows Update | 08/29/2014 20:49:05]
Deleted : RP #2171 [Windows Update | 08/30/2014 21:21:49]
Deleted : RP #2172 [Windows Update | 09/01/2014 02:00:23]
Deleted : RP #2173 [Windows Update | 09/01/2014 10:32:57]
Deleted : RP #2174 [Windows Backup | 09/01/2014 20:00:08]
Deleted : RP #2175 [Windows Update | 09/01/2014 21:48:58]
Deleted : RP #2176 [Windows Update | 09/03/2014 11:03:30]
Deleted : RP #2177 [Windows Update | 09/03/2014 13:44:42]
Deleted : RP #2179 [Removed service pack backup files | 09/03/2014 16:45:16]
Deleted : RP #2180 [Windows Update | 09/04/2014 02:00:20]

New restore point created !

~ Resetting system settings … OK

########## - EOF - ##########

You can now just delete DelFix :slight_smile: