PUP.bProtector

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by caisleyb, May 28, 2012.

  1. caisleyb

    caisleyb Private E-2

    Picking up PUP.bProtector with SUPERAntiSpyware.
    I remove it and reboot the computer; however, it returns.
    Malwarebytes does not detect it.
    Below is the log from SUPERAntiSpyware.
    Anybody, any ideas?
    PUP.bProtector
    HKU\S-1-5-21-602162358-1604221776-839522115-1003\Software\Microsoft\Internet Explorer\SearchScopes#bProtectorDefaultScope [ {6A1806CD-94D4-4689-BA73-E35EA1EA9990} ]
     
    Last edited by a moderator: May 29, 2012
  2. thisisu

    thisisu Malware Consultant

    Welcome to MajorGeeks, caisleyb :)

    Sounds like you may be infected with malware.

    Please read ALL of this message including the notes before doing anything.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and then attach the requested logs to your next reply when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.
    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes, you could use a flash drive too, but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    * Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated - our system works the oldest threads FIRST.
     
  3. caisleyb

    caisleyb Private E-2

    Ran through the list. Thanks.
    The Combofix stalled for a couple of hours after "Deleting Files"
    C:\Documents and Settings\Brent\Local Settings\temp\c25e8b3b-33a7-42bf-85e6-6880c6753136\CliSecurRT.dll
    I restarted my machine and continued with the rest of the instructions.
    Find attached logs:

    RootRepeal
    Malwarebytes
    SUPERAntiSpyware
    MGTools

    Regards
    Brent
     

    Attached Files:

  4. caisleyb

    caisleyb Private E-2

    Other logs.
    MBRCheck and
    TDSKiller
     

    Attached Files:

  5. caisleyb

    caisleyb Private E-2

    Refer logs attached.
    ComboFix stalled. After a couple of hours I rebooted the machine.
    It had stalled after "Deleting Files":
    C:\Documents and Settings\Brent\Local Settings\temp\c25e8b3b-33a7-42bf-85e6-6680c6753136\ClieSecureRT.dll
     

    Attached Files:

  6. thisisu

    thisisu Malware Consultant

    Thanks for letting me know. We need to run a customized scan.

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop.
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the "Custom Scans/Fixes" text-field.
      Code:
      activex
      netsvcs
      %systemdrive%\crauto.exe /s /md5
      %systemdrive%\protector.dll /s /md5
      %windir%\system32\drivers\*.sys /lockedfiles
      
    • Now click the "Run Scan" button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
  7. caisleyb

    caisleyb Private E-2

    Ran OTL.
    Attached is the log.

    Regards
    Brent
     

    Attached Files:

    • OTL.Txt (210.3 KB)
  8. thisisu

    thisisu Malware Consultant

    From Add/Remove Programs (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 32
    • Registry Patrol


    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the "Custom Scans/Fixes" text-field.
    Code:
    :otl
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKU\S-1-5-21-602162358-1604221776-839522115-1003\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
    O20 - AppInit_DLLs: (protector.dll) - C:\WINDOWS\System32\protector.dll ()
    ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
    [2012/05/13 18:58:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\bProtector
    [6 C:\*.tmp files -> C:\*.tmp -> ]
    [16 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [2012/05/13 18:58:07 | 000,795,128 | ---- | M] () -- C:\WINDOWS\System32\protector.dll
    :files
    C:\$VAULT$.AVG /d
    C:\WINDOWS\Tasks\bProtector.job /d
    C:\WINDOWS\Tasks\DriverPerformer_UPDATES.job
    :reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
    :commands
    [purity]
    [clearallrestorepoints]
    [emptytemp]
    [resethosts]
    
    Now click the "Run Fix" button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Let me know how the system is running after you have completed these steps.
     
  9. caisleyb

    caisleyb Private E-2

    An error appears when trying to uninstall Registry Patrol.
    Refer to the attached.
     

    Attached Files:

  10. thisisu

    thisisu Malware Consultant

    Ok, just skip that for now. Continue with the rest of my instructions.
     
  11. caisleyb

    caisleyb Private E-2

    Ran the OTL fix and rebooted as requested.
    Ran the MGtools, but realised the Avast antivirus was on and it stated it had stopped a file executing. Missed the name, pev???
    Attached both logs.
     

    Attached Files:

  12. thisisu

    thisisu Malware Consultant

    pevFind. Yes please disable Avast and then run the GetLogs.bat file again. Then attach newest MGlogs.zip.
     
  13. caisleyb

    caisleyb Private E-2

    Thought you were going to say that.
    Attached is rescanned log
     

    Attached Files:

  14. thisisu

    thisisu Malware Consultant

    The OTL fix was unsuccessful for the most part. We are going to try with another tool to fix the leftovers.

    Now download The Avenger by Swandog46 and unzip it.
    Shut down your protection software now to avoid possible conflicts.
    Run avenger.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    Click "OK" at the warning to continue to using the tool.
    Copy everything in the code box below, and paste it into the "Input script here:" text-field.
    Code:
    Files to delete:
    C:\WINDOWS\system32\protector.dll
    C:\WINDOWS\system32\config\systemprofile\Application Data\rgikns.dat
    Folders to delete:
    C:\Documents and Settings\All Users\Application Data\bProtector
    Registry values to replace with dummy:
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs
    
    Now click the "Execute" button.
    Click Yes when asked to "Reboot now?"
    If Avenger does not reboot the PC for you -- manually reboot.
    Upon rebooting into Windows, Notepad will open with the results of the fix (avenger.txt).
    Attach c:\avenger.txt to your next message. (How to attach)

    __

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
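The OTL fix in post 8 and the Avenger script in post 14 both target the same persistence points: the AppInit_DLLs value that loads protector.dll into every process, the bProtector folder under All Users\Application Data, the bProtector.job scheduled task, and the bProtectorDefaultScope search scope under the user's Internet Explorer hive. The following PowerShell audit is an added example, not a script from the thread or from the OTL/Avenger authors; it assumes it is run in an elevated PowerShell on the affected host and only reports what it finds, so a defender can confirm the cleanup held after the reboot. The SID pattern and the file names are taken from the logs quoted above.

```powershell
# Added example (not part of the original thread): report bProtector
# remnants at the persistence points named in the OTL and Avenger fixes.
# Assumption: run elevated; nothing is deleted or modified by this script.

$Findings = @()

# 1. AppInit_DLLs: any DLL listed here is loaded into every process that
#    links user32.dll, which is how protector.dll was being re-injected.
$winKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = Get-ItemProperty -Path $winKey -Name 'AppInit_DLLs' -ErrorAction SilentlyContinue
if ($appInit -and -not [string]::IsNullOrWhiteSpace($appInit.AppInit_DLLs)) {
    $Findings += "AppInit_DLLs is non-empty: $($appInit.AppInit_DLLs)"
}

# 2. Files and folders that the fix scripts removed (paths from the thread).
$paths = @(
    (Join-Path $env:windir 'System32\protector.dll'),
    (Join-Path $env:ALLUSERSPROFILE 'Application Data\bProtector'),
    (Join-Path $env:windir 'Tasks\bProtector.job')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $Findings += "Still present: $p" }
}

# 3. Internet Explorer search scopes in every loaded user hive. The first
#    post showed a value named bProtectorDefaultScope under SearchScopes.
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' } |
    ForEach-Object {
        $sid    = $_.PSChildName
        $scopes = "HKU:\$sid\Software\Microsoft\Internet Explorer\SearchScopes"
        if (Test-Path -Path $scopes) {
            $props = Get-ItemProperty -Path $scopes
            $names = $props.PSObject.Properties.Name | Where-Object { $_ -like 'bProtector*' }
            foreach ($name in $names) {
                $Findings += "SearchScopes value '$name' under $sid = $($props.$name)"
            }
        }
    }

# 4. Report. An empty list means none of the known remnants are present;
#    it does not prove the machine is clean, so the log review still matters.
if ($Findings.Count -eq 0) {
    'No bProtector remnants found at the audited locations.'
} else {
    $Findings
}
```

Running this after the Avenger reboot and before regenerating MGlogs.zip gives a quick yes/no on the specific items the fix targeted; if AppInit_DLLs is still populated or the .job file is back, the scheduled task is recreating the DLL and the next fix script should include whatever is writing it.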
  15. caisleyb

    caisleyb Private E-2

    Avenger log looks unusual - refer attached.
    MGtools ran - updated log attached
     

    Attached Files:

  16. thisisu

    thisisu Malware Consultant

    Yes it looks different than usual but is legible. Looks like it worked. Are you still having any trouble with the bProtector junk?
     
  17. caisleyb

    caisleyb Private E-2

    One of the signs of an issue was the redirection of my internet explorer homepage. After reading your reply I opened explorer and it did not redirect - excellent.
    Another was Chrome not responding - tried now - fantastic..

    Thanks heaps for your prompt replies today and your patience. You guys are an awesome resource. Much appreciated.
    I will see how the computer goes over the next couple of days. Any further issues I will contact you guys again.

    Kind Regards
    Brent
     
  18. thisisu

    thisisu Malware Consultant

    You're welcome. Tell your friends about us ;)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Be safe :)
     
