MajorGeeks Support Forums

  #1  
Old 05-28-12, 21:49
caisleyb
Private E-2
Join Date: May 2012
Posts: 10
Thanks: 1
Thanked 0 Times in 0 Posts
PUP.bProtector

Picking up PUP.bProtector with SUPERAntiSpyware.
I remove it and reboot the computer, however it returns.
Malwarebytes does not detect it.
Below is the log from SUPERAntiSpyware.
Anybody, any ideas?
PUP.bProtector
HKU\S-1-5-21-602162358-1604221776-839522115-1003\Software\Microsoft\Internet Explorer\SearchScopes#bProtectorDefaultScope [ {6A1806CD-94D4-4689-BA73-E35EA1EA9990} ]

Last edited by thisisu; 05-29-12 at 21:12.. Reason: removed inline log
  #2  
Old 05-29-12, 21:12
thisisu
Malware Consultant
Join Date: Apr 2006
Location: Houston, TX
Posts: 8,175
Thanks: 270
Thanked 1,437 Times in 1,356 Posts
Re: PUP.bProtector

Welcome to MajorGeeks, caisleyb

Sounds like you may be infected with malware.

Please read ALL of this message including the notes before doing anything.

Please follow the instructions in the below link:

READ & RUN ME FIRST. Malware Removal Guide


and then attach the requested logs to your next reply when you finish these instructions.
  • **** If something does not run, write down the info to explain to us later but keep on going. ****
  • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.
  • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
Helpful Notes:
  1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
  2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes, you could use a flash drive too, but flash drives are writeable and infections can spread to them.
  3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
  4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
* Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated - our system works the oldest threads FIRST.
__________________
Facebook . Twitter . Blog . VirusTotal
  #3  
Old 06-04-12, 19:10
caisleyb
Private E-2
Join Date: May 2012
Posts: 10
Thanks: 1
Thanked 0 Times in 0 Posts
Re: PUP.bProtector

Ran through the list. Thanks.
ComboFix stalled for a couple of hours after "Deleting Files":
C:\Documents and Settings\Brent\Local Settings\temp\c25e8b3b-33a7-42bf-85e6-6880c6753136\CliSecurRT.dll
I restarted my machine and continued with the rest of the instructions.
Find attached logs:

RootRepeal
Malwarebytes
SUPERAntiSpyware
MGTools

Regards
Brent
Attached Files
File Type: txt RRlog.txt (1.8 KB, 2 views)
File Type: txt mbam-log-2012-06-04 (17-07-26).txt (1.8 KB, 1 views)
File Type: log SUPERAntiSpyware Scan Log - 06-04-2012 - 16-47-34.log (582 Bytes, 5 views)
File Type: zip MGlogs.zip (274.5 KB, 0 views)
  #4  
Old 06-04-12, 19:12
caisleyb
Private E-2
Join Date: May 2012
Posts: 10
Thanks: 1
Thanked 0 Times in 0 Posts
Re: PUP.bProtector

Other logs:
MBRCheck and
TDSSKiller
Attached Files
File Type: txt TDSSKiller.2.7.36.0_04.06.2012_15.01.59_log.txt (95.3 KB, 2 views)
File Type: txt MBRCheck_06.04.12_15.03.13.txt (10.4 KB, 1 views)
  #5  
Old 06-04-12, 19:16
caisleyb
Private E-2
Join Date: May 2012
Posts: 10
Thanks: 1
Thanked 0 Times in 0 Posts
Re: PUP.bProtector

Refer to the logs attached.
ComboFix stalled. After a couple of hours I rebooted the machine.
It had stalled after "Deleting Files":
C:\Documents and Settings\Brent\Local Settings\temp\c25e8b3b-33a7-42bf-85e6-6680c6753136\ClieSecureRT.dll
Attached Files
File Type: log SUPERAntiSpyware Scan Log - 06-04-2012 - 16-47-34.log (582 Bytes, 1 views)
File Type: txt RRlog.txt (1.8 KB, 1 views)
File Type: zip MGlogs.zip (274.5 KB, 2 views)
  #6  
Old 06-04-12, 20:00
thisisu
Malware Consultant
Join Date: Apr 2006
Location: Houston, TX
Posts: 8,175
Thanks: 270
Thanked 1,437 Times in 1,356 Posts
Re: PUP.bProtector

Thanks for letting me know. We need to run a customized scan.

Please download OTL by OldTimer.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Check the "Scan All Users" checkbox.
  • Check the "Standard Output".
  • Change the setting of "Drivers" and "Services" to "All".
  • Copy the text in the code box below and paste it into the text-field.
    Code:
    activex
    netsvcs
    %systemdrive%\crauto.exe /s /md5
    %systemdrive%\protector.dll /s /md5
    %windir%\system32\drivers\*.sys /lockedfiles
  • Now click the button.
  • One report will be created:
    • OTL.txt <-- Will be opened
  • Attach OTL.txt to your next message. (How to attach)
  #7  
Old 06-04-12, 21:33
caisleyb
Private E-2
Join Date: May 2012
Posts: 10
Thanks: 1
Thanked 0 Times in 0 Posts
Re: PUP.bProtector

Ran OTL.
Attached is the log.

Regards
Brent
Attached Files
File Type: txt OTL.Txt (210.3 KB, 10 views)
  #8  
Old 06-04-12, 22:13
thisisu
Malware Consultant
Join Date: Apr 2006
Location: Houston, TX
Posts: 8,175
Thanks: 270
Thanked 1,437 Times in 1,356 Posts
Re: PUP.bProtector

From Add/Remove Programs (via Control Panel), please uninstall the below:
  • Java(TM) 6 Update 32
  • Registry Patrol


Fix items using OTL by OldTimer

Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Copy the text in the code box below and paste it into the text-field.
Code:
:otl
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-602162358-1604221776-839522115-1003\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O20 - AppInit_DLLs: (protector.dll) - C:\WINDOWS\System32\protector.dll ()
ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
[2012/05/13 18:58:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\bProtector
[6 C:\*.tmp files -> C:\*.tmp -> ]
[16 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2012/05/13 18:58:07 | 000,795,128 | ---- | M] () -- C:\WINDOWS\System32\protector.dll
:files
C:\$VAULT$.AVG /d
C:\WINDOWS\Tasks\bProtector.job /d
C:\WINDOWS\Tasks\DriverPerformer_UPDATES.job
:reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
:commands
[purity]
[clearallrestorepoints]
[emptytemp]
[resethosts]
Now click the button.
If the fix needed a reboot please do it.
Click the OK button (upon reboot).
When OTL is finished, Notepad will open. Close Notepad.
A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
Attach this log to your next message. (How to attach)

Now run C:\MGtools\GetLogs.bat by double-clicking it.
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

Let me know how the system is running after you have completed these steps.
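As an added example (not code from this thread, from thisisu, or from the OTL tool itself), a small Python filter that applies the triage rules reflected in the fix script above to OTL-style report lines: AppInit_DLLs entries whose DLL carries no company/version information, toolbar entries with no CLSID value, and file or folder paths carrying the bProtector component names. The sample lines are constructed, modelled on the entries quoted in the script, and the regular expressions are an assumption about OTL's line layout rather than a published format.

```python
import re

# Constructed sample lines in the style of an OTL report, modelled on the O3,
# O20 and file/folder entries quoted in the fix script above, plus two
# constructed benign entries (example.dll, Example folder) that must be ignored.
SAMPLE_OTL_LINES = [
    r"O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.",
    r"O3 - HKU\S-1-5-21-602162358-1604221776-839522115-1003\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.",
    r"O20 - AppInit_DLLs: (protector.dll) - C:\WINDOWS\System32\protector.dll ()",
    r"O20 - AppInit_DLLs: (example.dll) - C:\WINDOWS\System32\example.dll (Example Vendor Inc.)",
    r"[2012/05/13 18:58:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\bProtector",
    r"[2012/05/13 18:58:07 | 000,795,128 | ---- | M] () -- C:\WINDOWS\System32\protector.dll",
    r"[2012/05/10 10:00:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Example",
]

# Assumed O20 layout: "(dll name) - path (company)"; the report above prints
# "()" for protector.dll, i.e. the file carries no company/version information.
O20_RE = re.compile(
    r"^O20 - AppInit_DLLs: \((?P<name>[^)]*)\) - (?P<path>.+?) \((?P<company>[^)]*)\)$"
)
# Assumed file/folder layout: "[date | size | attrs | flag] (company)? -- path"
ENTRY_RE = re.compile(r"^\[(?P<stamp>[^\]]+)\](?: \([^)]*\))? -- (?P<path>.+)$")
# Component names that appear in this thread; matched case-insensitively.
SUSPECT_NAMES = ("bprotector", "protector.dll")

REASON_APPINIT = "AppInit_DLLs injects a DLL with no company/version info"
REASON_TOOLBAR = "toolbar entry with no CLSID value (orphaned or hidden add-on)"
REASON_NAME = "path matches a known bProtector component name"


def find_indicators(lines):
    """Return (line, reason) pairs for report entries a reviewer should examine."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O20_RE.match(line)
        if m:
            # An AppInit_DLLs entry is loaded into every process that links
            # user32.dll, so an entry with no publisher at all is worth a look.
            if not m["company"].strip():
                findings.append((line, REASON_APPINIT))
            continue
        if line.startswith("O3 - ") and "No CLSID value found" in line:
            findings.append((line, REASON_TOOLBAR))
            continue
        m = ENTRY_RE.match(line)
        if m and any(s in m["path"].lower() for s in SUSPECT_NAMES):
            findings.append((line, REASON_NAME))
    return findings


if __name__ == "__main__":
    for line, reason in find_indicators(SAMPLE_OTL_LINES):
        print(f"{reason}\n    {line}")
```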
  #9  
Old 06-04-12, 22:27
caisleyb
Private E-2
Join Date: May 2012
Posts: 10
Thanks: 1
Thanked 0 Times in 0 Posts
Re: PUP.bProtector

An error appears when trying to uninstall Registry Patrol.
Refer to the attached.
Attached Images
File Type: png regerror.PNG (59.6 KB, 2 views)
  #10  
Old 06-04-12, 22:39
thisisu
Malware Consultant
Join Date: Apr 2006
Location: Houston, TX
Posts: 8,175
Thanks: 270
Thanked 1,437 Times in 1,356 Posts
Re: PUP.bProtector

Ok, just skip that for now. Continue with the rest of my instructions.
  #11  
Old 06-04-12, 23:30
caisleyb
Private E-2
Join Date: May 2012
Posts: 10
Thanks: 1
Thanked 0 Times in 0 Posts
Re: PUP.bProtector

Ran the OTL and rebooted as requested.
Ran the MGtools, but realised the AVAST antivirus was on and it stated it had stopped a file executing. Missed the name, pev???
Attached both logs.
Attached Files
File Type: log 06052012_135622.log (14.4 KB, 3 views)
File Type: zip MGlogs.zip (272.8 KB, 3 views)
  #12  
Old 06-04-12, 23:49
thisisu
Malware Consultant
Join Date: Apr 2006
Location: Houston, TX
Posts: 8,175
Thanks: 270
Thanked 1,437 Times in 1,356 Posts
Re: PUP.bProtector

Quote:
Originally Posted by caisleyb View Post
Ran the MGtools, but realised the AVAST antivirus was on and it stated it had stopped a file executing. Missed the name, pev???
pevFind. Yes please disable Avast and then run the GetLogs.bat file again. Then attach newest MGlogs.zip.
  #13  
Old 06-05-12, 00:06
caisleyb
Private E-2
Join Date: May 2012
Posts: 10
Thanks: 1
Thanked 0 Times in 0 Posts
Re: PUP.bProtector

Thought you were going to say that.
Attached is the rescanned log.
Attached Files
File Type: zip MGlogs.zip (274.7 KB, 2 views)
  #14  
Old 06-05-12, 00:19
thisisu
Malware Consultant
Join Date: Apr 2006
Location: Houston, TX
Posts: 8,175
Thanks: 270
Thanked 1,437 Times in 1,356 Posts
Re: PUP.bProtector

The OTL fix was unsuccessful for the most part. We are going to try with another tool to fix the leftovers.

Now download The Avenger by Swandog46 and unzip it.
Shut down your protection software now to avoid possible conflicts.
Run avenger.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
Click "OK" at the warning to continue using the tool.
Copy everything in the code box below, and paste it into the "Input script here:" text-field.
Code:
Files to delete:
C:\WINDOWS\system32\protector.dll
C:\WINDOWS\system32\config\systemprofile\Application Data\rgikns.dat
Folders to delete:
C:\Documents and Settings\All Users\Application Data\bProtector
Registry values to replace with dummy:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs
Now click the "Execute" button.
Click Yes when asked to "Reboot now?"
If Avenger does not reboot the PC for you -- manually reboot.
Upon rebooting into Windows, Notepad will open with the results of the fix (avenger.txt).
Attach c:\avenger.txt to your next message. (How to attach)

__

Now run C:\MGtools\GetLogs.bat by double-clicking it.
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
  #15  
Old 06-05-12, 00:38
caisleyb
Private E-2
Join Date: May 2012
Posts: 10
Thanks: 1
Thanked 0 Times in 0 Posts
Re: PUP.bProtector

Avenger log looks unusual; refer to the attached.
MGtools ran; updated log attached.
Attached Files
File Type: txt avenger.txt (1.7 KB, 4 views)
File Type: zip MGlogs.zip (271.2 KB, 1 views)
  #16  
Old 06-05-12, 00:46
thisisu
Malware Consultant
Join Date: Apr 2006
Location: Houston, TX
Posts: 8,175
Thanks: 270
Thanked 1,437 Times in 1,356 Posts
Re: PUP.bProtector

Yes, it looks different than usual but is legible. Looks like it worked. Are you still having any trouble with the bProtector junk?
  #17  
Old 06-05-12, 00:56
caisleyb
Private E-2
Join Date: May 2012
Posts: 10
Thanks: 1
Thanked 0 Times in 0 Posts
Re: PUP.bProtector

One of the signs of an issue was the redirection of my Internet Explorer homepage. After reading your reply I opened Explorer and it did not redirect. Excellent.
Another was Chrome not responding. Tried now, fantastic.

Thanks heaps for your prompt replies today and your patience. You guys are an awesome resource. Much appreciated.
I will see how the computer goes over the next couple of days. Any further issues I will contact you guys again.

Kind Regards
Brent
  #18  
Old 06-05-12, 12:36
thisisu
Malware Consultant
Join Date: Apr 2006
Location: Houston, TX
Posts: 8,175
Thanks: 270
Thanked 1,437 Times in 1,356 Posts
Re: PUP.bProtector

Quote:
Originally Posted by caisleyb View Post
Thanks heaps for your prompt replies today and your patience. You guys are an awesome resource. Much appreciated.
I will see how the computer goes over the next couple of days. Any further issues I will contact you guys again.

Kind Regards
Brent
You're welcome. Tell your friends about us

If you are not having any other malware problems, it is time to do our final steps:
  1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
  2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
    • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
    • "%userprofile%\Desktop\combofix" /uninstall
      • Note: the space between combofix" and /uninstall must be there.
      • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
  3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
  4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
  5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
  6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
  7. Go to add/remove programs and uninstall HijackThis if it is present.
  8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
  9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
    • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
  10. After doing the above, you should work through the below link:
Be safe