System File infected with TR/BProtector.Gen

ShamrockRig · 16 Apr 2014

UsernameIssues said:

derekimo said:

Rixterz said:

As there are important system files infected rather than just extra malicious files being put there, it's best to dump all of your needed files elsewhere and then just let NPE sort the infected ones out.

-Rixterz

https://security.symantec.com/nbrt/npe.aspx

Because Norton Power Eraser uses aggressive methods to detect threats, there is a risk that it can select some legitimate programs for removal. If you accidentally remove a legitimate program, you can run Norton Power Eraser to review past repair sessions and undo them.

I think sticking to the advice and guidance of cottonball would be best.

Assumes that the OS will boot ;-(

I agree, wait for cottonball.

@Rixterz,
Our comments are not meant to discourage you from helping in threads... but the infection of system files (if that is indeed what the OP has) is best handled slowly, by less automated tools.

Hey i'm a safe guy too!..maybe xD!

Yeah following Cottonballs instruction is always a good way to go! Knows his stuff!

UsernameIssues · 16 Apr 2014

Yep; but unless cottonball is known to be away for a while...
...there is not much reason to change horses midstream

Mual · 16 Apr 2014

Done it. Here is the zoek.exe result :)

Code:

zoek-results.log

And here is the link to the virus total scan :

Code:

taskeng.exe:
https://www.virustotal.com/en/file/9...is/1397708365/

nvxdsync:
https://www.virustotal.com/en/file/9...is/1397708656/

oodag.exe:
https://www.virustotal.com/en/file/1...is/1397708931/

Jacee · 16 Apr 2014

You have some adware, but wait for cottonball to get back to you for the 'fix'

Mual · 17 Apr 2014

Jacee said:

You have some adware, but wait for cottonball to get back to you for the 'fix'

I'll wait for his reply.

cottonball · 17 Apr 2014

Mual,

Based on the VirusTotal results, it makes one wonder about the validity of those files Avira is pointing to as being infected.

Let's go this route...

Please right-click zoek.exe once again, and select: Run as Administrator (Give the program a few seconds to appear.)
Next, copy/paste the entire script in the code box below to the input field of Zoek:

Code:

autoclean;
emptyalltemp;
emptyclsid;

Now...
Close any open windows.
Click the Run script button and wait. It takes a few minutes to run the script.

When finished, the zoek-results.log is opened in Notepad.
If a reboot is needed the log is opened after the reboot.

Please post the new zoek-results.log in your reply.

Next, let's see what MBAM has to report on the files Avira is targeting...

Please go to the Malwarebytes Anti-Malware (MBAM) download
Save to the Desktop
Double-click the downloaded MBAM file to run it.

When the installation begins, follow the prompts in the setup process.
Do not make any changes to default settings and when the program has finished installing, make sure only the following options are checked:
>Update Malwarebytes’ Anti-Malware
>Launch Malwarebytes’ Anti-Malware

Uncheck:
>Enable free trial of Malwarebytes Anti-Malware PRO
Click on the Finish button.

If an update is found, the program automatically updates itself.
At the program console, on the Scanner tab, and select: Perform Quick Scan

Next, click on the Scan button.

When the Malwarebytes scan is completed, click on: Show Results
When presented with a screen showing the malware detected, just press: Save Log

Save the log to the Desktop, or to an easy to find location.

Please copy/paste the entire contents of the MBAM report in your reply.

Mual · 20 Apr 2014

I'll be posting soon once I done it, lately I've busy with college stuff. Sorry :)

Mual · 22 Apr 2014

I downloaded and update the MBAM to the latest version already. But I do not know where can I find "program console, on the Scanner tab, and select: Perform Quick Scan". Please guide me.

And here is another scan of zoek.

Code:

zoek-results.log

And I get this pop up error after zoek scan, which zoek require me to restart the computer.

System File infected with TR/BProtector.Gen-untitled.png

cottonball · 22 Apr 2014

...do not know where can I find "program console, on the Scanner tab, and select: Perform Quick Scan".

The program console is nothing more that the main screen of MBAM. However, there is a new version of MBAM, and my instructions are outdated. Malwarebytes Anti-Malware 2.0 has a completely redesigned user interface.

Double-click mbam-setup-2.X.X.XXXX.exe to install (X's = current version)
Place a checkmark next to Launch Malwarebytes Anti-Malware, then click: Finish

Once MBAM opens, when it says Your databases is out of date, click the Fix Now button.

Next, click the Settings tab at the top, and, in the left column, select Detections and Protections
If not already checked, select: Scan for rootkits

Click the Scan tab at the top of the program window, and select: Threat Scan
Next, click: Scan Now

If you receive a message that updates are available, click: Update Now

At this point, the update is downloaded, installed, and the scan starts.
The scan may take some time to finish, so please be patient.

If potential threats are detected, select Quarantine All as the Action for all the listed items.
Next, click: Apply Actions

While still on the Scan tab, click the link for View detailed log
In the window that opens, click the Export button, select Text file (*.txt), and save the log to the Desktop.

Notes:
1. The log is automatically saved by MBAM and is also viewed by clicking:
History tab > Application Logs.
2, If MBAM encounters a file that is difficult to remove...
Click OK and allow MBAM to proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

cottonball · 22 Apr 2014

If you still get the chkdsk prompt, for running the utility on C: drive, use the following:
Disk Check