win32:bprotect-D Malware

Avast has found this on my computer, and I’ve followed the instructions in ‘Logs to assist in cleaning malware’.

Attached is the log from MBAM - is anyone able to check it for me?!

Please also attach the other log files as instructed:
https://forum.avast.com/index.php?topic=53253.0

Just running the others now (I have to go through instruction by instruction or I’ll lose myself!)

Here are the Farbar logs…

Also just re-ran MBAM and found one more nasty - log attached along with aswMBR log.

Oops- think aswmbr is still running - I’ll re-send the log once it’s done!

Take your time, there is no need to rush.

Have a little patience, someone will soon help you with the logs files.

Thanks Eddy - short attention span so there’s a danger I’ll wander off to do something else and forget what I was doing. The logs post is excellent, even an idiot like me can follow it! Very grateful for the help here :smiley:

Let me know if this stops the alerts

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open Notepad and copy/paste the text in the quote box below into it:

HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [AnyProtect Tray] => C:\Program Files (x86)\AnyProtectEx\AnyProtectTray.exe /scanner
HKLM-x32\...\Run: [AnyProtect] => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
FF DefaultSearchEngine: Mysearchdial
FF SelectedSearchEngine: Mysearchdial
FF user.js: detected! => C:\Users\EMD\AppData\Roaming\Mozilla\Firefox\Profiles\66joyelm.default\user.js
C:\Users\EMD\chromeinstall-7u17.exe
C:\Program Files (x86)\AnyProtectEx
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S1].txt as well.
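The fixlist above targets three persistence points: autorun entries in the 32-bit view of the Run key, Internet Explorer toolbar CLSIDs whose DLL no longer exists ("No File"), and a Firefox user.js that pins the search engine. The following read-only audit, added here as an illustration and not part of the thread, FRST or AdwCleaner, enumerates the same three spots so a reader can see how those fixlist lines are derived. Run it from an elevated PowerShell prompt; it deletes nothing. The executable-path extraction (Get-ExePath) is a heuristic of my own, not FRST's parser.

```powershell
# Added example (not from the thread, FRST or AdwCleaner): read-only audit of the
# persistence points the fixlist targets. Run elevated; nothing is modified.
Set-StrictMode -Version 2

# Heuristic (not FRST's logic): pull the executable out of an autorun command line.
# Handles a quoted path, or an unquoted path ending in .exe followed by arguments,
# e.g. C:\Program Files (x86)\AnyProtectEx\AnyProtectTray.exe /scanner
function Get-ExePath {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    if ($Command.StartsWith('"')) {
        $end = $Command.IndexOf('"', 1)
        if ($end -gt 1) { return $Command.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($Command, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($Command -split '\s+')[0]
}

# Resolve a toolbar/BHO CLSID to its DLL via InprocServer32 in both registry views.
# Returns $null when no server is registered, which FRST reports as "No File".
function Resolve-Clsid {
    param([string]$Guid)
    $roots = @('HKLM:\SOFTWARE\Classes\CLSID',
               'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID',
               'HKCU:\Software\Classes\CLSID')
    foreach ($r in $roots) {
        $srv = Join-Path $r "$Guid\InprocServer32"
        if (Test-Path $srv) {
            $dll = (Get-ItemProperty -Path $srv).'(default)'
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
        }
    }
    return $null
}

# 1. Run keys in both views. FRST labels the Wow6432Node view "HKLM-x32".
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
        $exe   = Get-ExePath ([string]$p.Value)
        $state = if ($exe -and (Test-Path -LiteralPath $exe)) { 'present' } else { 'MISSING' }
        "{0}: [{1}] => {2}  ({3})" -f $key, $p.Name, $p.Value, $state
    }
}

# 2. IE toolbars: value names are CLSIDs; an orphaned CLSID is the "No File" case.
$toolbarKeys = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
                 'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser')
foreach ($key in $toolbarKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }
        $dll = Resolve-Clsid $p.Name
        if ($dll -and (Test-Path -LiteralPath $dll)) { "Toolbar: $key - $($p.Name) - $dll" }
        else { "Toolbar: $key - $($p.Name) - No File" }
    }
}

# 3. Firefox: user.js is re-applied over prefs.js on every start, so a hijacker's
#    search settings survive the user changing them in the UI. Show any user.js
#    in the current user's profiles together with its search-related lines.
$profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path $profiles) {
    Get-ChildItem -Path $profiles -Filter user.js -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            "FF user.js: detected! => $($_.FullName)"
            Select-String -Path $_.FullName -Pattern 'search|keyword\.URL|homepage' |
                ForEach-Object { "    $($_.Line.Trim())" }
        }
}
```

The output mirrors the fixlist's own notation (`[name] => command`, `Toolbar: ... - No File`, `FF user.js: detected!`) so the two can be compared side by side; deciding what to remove is still a manual step, which is why the post above warns that a fixlist is machine-specific.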

Thanks essexboy! Should I let the aswMBR scan finish before I do this?

Might as well seeing as it has started :slight_smile:

It’s been running for nearly two hours now - does it normally take this long?! Or have I ballsed it up…?! (B is most likely :-[ )

Is it still running through files, as this will be a full scan?

If not then cancel it and continue with the other instructions

It’s been scanning the C drive for a while - might be easier to stop it and follow your instructions, then if needs be I’ll run it again later…

Ok, here’s the FRST log - also screengrab of a popup that appeared whilst it was running.

Running the AdwCleaner now.

Here’s the log for AdwCleaner:

AdwCleaner v3.307 - Report created 19/08/2014 at 19:52:40

Updated 17/08/2014 by Xplode

Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)

Username : EMD - EMD-PC

Running from : C:\Users\EMD\Desktop\AdwCleaner.exe

Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Ask
Folder Deleted : C:\ProgramData\Babylon
Folder Deleted : C:\ProgramData\DSearchLink
Folder Deleted : C:\Program Files (x86)\Ask.com
Folder Deleted : C:\windows\installer\{86d4b82a-abed-442a-be86-96357b70f4fe}
Folder Deleted : C:\Users\EMD\AppData\Local\apn
Folder Deleted : C:\Users\EMD\AppData\LocalLow\AskToolbar
Folder Deleted : C:\Users\EMD\AppData\Roaming\Babylon
File Deleted : C:\Users\EMD\AppData\Local\AnyProtectScannerSetup.exe
File Deleted : C:\Users\EMD\AppData\Roaming\Mozilla\Firefox\Profiles\66joyelm.default\searchplugins\bingp.xml
File Deleted : C:\Users\EMD\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www2.delta-search.com_0.localstorage

***** [ Scheduled Tasks ] *****

Task Deleted : Scheduled Update for Ask Toolbar

***** [ Shortcuts ] *****

Shortcut Disinfected : C:\Users\EMD\Desktop\Search.lnk

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\aaaaojmikegpiepcfdkkjaplodkpfmlo
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\bopakagnckmlgajfccecajhnimjiiedh
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\eofcbnmajmjmplflapaojjnihcjkigck
Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{74F475FA-6C75-43BD-AAB9-ECDA6184F600}
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASMANCS
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnUpdater]
Key Deleted : HKLM\SOFTWARE\58edc8fbd3eb814
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_pdf-xchange-viewer_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_pdf-xchange-viewer_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Deleted : HKCU\Software\AnyProtect
Key Deleted : HKCU\Software\APN
Key Deleted : HKCU\Software\Ask.com
Key Deleted : HKCU\Software\BABSOLUTION
Key Deleted : HKCU\Software\Delta
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\AppDataLow\Software\AskToolbar
Key Deleted : HKLM\SOFTWARE\APN
Key Deleted : HKLM\SOFTWARE\AskToolbar
Key Deleted : HKLM\SOFTWARE\Delta
Key Deleted : HKLM\SOFTWARE\InstallCore
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Deleted : HKLM\SOFTWARE\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\SOFTWARE\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\08121C32A9C319F4CB0C11FF059552A4
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0CFE535C35F99574E8340BFA75BF92C2
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0E12F736682067FDE4D1158D5940A82E
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1A24B5BB8521B03E0C8D908F5ABC0AE6
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\261F213D1F55267499B1F87D0CC3BCF7
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2B0D56C4F4C46D844A57FFED6F0D2852
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\49D4375FE41653242AEA4C969E4E65E0
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6AA0923513360135B272E8289C5F13FA
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F7467AF8F29C134CBBAB394ECCFDE96
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\741B4ADF27276464790022C965AB6DA8
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7DE196B10195F5647A2B21B761F3DE01
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\922525DCC5199162F8935747CA3D8E59
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9D4F5849367142E4685ED8C25E44C5ED
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A5875B04372C19545BEB90D4D606C472
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A876D9E80B896EC44A8620248CC79296
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B66FFAB725B92594C986DE826A867888
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BCDA179D619B91648538E3394CAC94CC
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D677B1A9671D4D4004F6F2A4469E86EA
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DD1402A9DD4215A43ABDE169A41AFA0E
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E36E114A0EAD2AD46B381D23AD69CDDF
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EF8E618DB3AEDFBB384561B5C548F65E
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\F928123A039649549966D4C29D35B1C9

***** [ Browsers ] *****

-\ Internet Explorer v11.0.9600.17239

-\ Mozilla Firefox v30.0 (en-US)

[ File : C:\Users\EMD\AppData\Roaming\Mozilla\Firefox\Profiles\66joyelm.default\prefs.js ]

Line Deleted : user_pref("browser.search.defaultengine", "Ask.com");
Line Deleted : user_pref("extensions.asktb.ff-original-keyword-url", "");
Line Deleted : user_pref("extensions.irmysearch.aflt", "frg01_14_24_ch");
Line Deleted : user_pref("extensions.irmysearch.cd", "2XzuyEtN2Y1L1Qzu0EzztDtAzy0AtDzztAyCtD0AzytB0D0EtN0D0Tzu0SzzzytBtN1L2XzutBtFtBtDtFtCzytFtCtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCtA0C0CzytCyC0FtG0DtB0Fz[…]
Line Deleted : user_pref("extensions.irmysearch.cr", "1116348149");
Line Deleted : user_pref("extensions.irmysearch.instlRef", "142905_a");

-\ Google Chrome v

[ File : C:\Users\EMD\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted [Search Provider] : hxxp://uk.ask.com/web?q={searchTerms}
Deleted [Search Provider] : hxxp://en.softonic.com/s/{searchTerms}
Deleted [Search Provider] : hxxp://help.orange.co.uk/orangeuk/support/personal/search.action?DoSearch=1&SearchDocId=&Keyword={searchTerms}&SearchTaxId=10&x=0&y=0
Deleted [Search Provider] : hxxp://www.pizzaexpress.com/our-restaurants/search-results.aspx?search_term={searchTerms}&submit=Search
Deleted [Search Provider] : hxxp://websearch.ask.com/redirect?client=cr&src=kw&tb=ORJ&o=&locale=&apn_uid=8B80765E-22E5-46BA-846F-8DBA2F6E3B98&apn_ptnrs=U3&apn_sauid=B1D8B212-D904-40E0-B1FC-6A856B44EBD1&apn_dtid=OSJ000YYGB&q={searchTerms}
Deleted [Search Provider] : hxxp://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=frg01_14_24_ch&cd=2XzuyEtN2Y1L1Qzu0EzztDtAzy0AtDzztAyCtD0AzytB0D0EtN0D0Tzu0SzzzytBtN1L2XzutBtFtBtDtFtCzytFtCtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCtA0C0CzytCyC0FtG0DtB0FzztGtCyD0C0FtGtAtC0EtBtGtCyB0FzztA0E0B0D0B0CyEyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2StA0EtDyCtCtBzytDtG0EzzyBtCtG0DzyyC0EtGtCzy0E0AtGtA0AyCzzyDtDyE0E0C0F0DtA2QtN1B1L1H1Ezu1O2U1M1B&cr=1116348149&ir=
Deleted [Search Provider] : hxxp://www.southernrailway.com/search-results/?sitesearch={searchTerms}&gobut.x=0&gobut.y=0
Deleted [Startup_urls] : hxxp://start.mysearchdial.com/?f=1&a=frg01_14_24_ch&cd=2XzuyEtN2Y1L1Qzu0EzztDtAzy0AtDzztAyCtD0AzytB0D0EtN0D0Tzu0SzzzytBtN1L2XzutBtFtBtDtFtCzytFtCtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCtA0C0CzytCyC0FtG0DtB0FzztGtCyD0C0FtGtAtC0EtBtGtCyB0FzztA0E0B0D0B0CyEyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2StA0EtDyCtCtBzytDtG0EzzyBtCtG0DzyyC0EtGtCzy0E0AtGtA0AyCzzyDtDyE0E0C0F0DtA2QtN1B1L1H1Ezu1O2U1M1B&cr=1116348149&ir=
Deleted [Extension] : aaaaojmikegpiepcfdkkjaplodkpfmlo
Deleted [Extension] : bopakagnckmlgajfccecajhnimjiiedh
Deleted [Extension] : eofcbnmajmjmplflapaojjnihcjkigck
Deleted [Extension] : iagcajndpnfncplednpbnkahadegklfa
Deleted [Extension] : ieakfmpjhljbpbfpldjkddkjmmgjmgon


AdwCleaner[R0].txt - [8627 octets] - [19/08/2014 19:50:11]
AdwCleaner[S0].txt - [9516 octets] - [19/08/2014 19:52:40]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [9576 octets] ##########

Ahh, that was because FRST emptied your temp folders.

How is the computer behaving now?

Seems to be running a bit faster and I’m not having the issues I was before (have been having trouble with the internet connection on startup for a while). Should I run something again to check…?! I’ve lost count of what does what now!

You could run a fresh FRST scan but I do not believe that anything is lingering :slight_smile:

Thanks so much for your help! I’m completely swamped with work right now so I really need this little machine to be behaving itself! Thank goodness someone has an idea what’s going on, I’d be in tears otherwise. Nearly like having a new computer it’s so much faster.

Thanks again ;D

OK, let's now remove my rubbish for you.

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article

I would recommend that you completely uninstall Java unless you need it to run an important piece of software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software, and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser.)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down the system and prevent crypto-ransomware.

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run it weekly to keep your system clean.

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe :wave: