
Morganos

Members
Posts: 4
Reputation: 0 Neutral


  1. Ok, I did this too and I attached fixlog.txt. 24 hours with no issues, I think everything will be fine.. Thanks again! Fixlog.txt
  2. Hello, thank you very much for your reply! I will describe how things went, I hope I can do it without confusing you.

     STEP 00
     The first thing I did as my PC opened, was to open the Task Manager and terminate the 'anc.exe' process. Sorry, it has been my routine for the past 2 days and I forgot not to do it.. I hope it didn't compromise the following results :/

     STEP 01
     Disabled my antivirus (Avira) as you instructed, and ran JRT

     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Junkware Removal Tool (JRT) by Malwarebytes
     Version: 8.1.3 (04.10.2017)
     Operating System: Windows 7 Professional x86
     Ran by WUD (Administrator) on Thu 04/20/2017 at 2:17:54.74
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     File System: 9

     Failed to delete: C:\ProgramData\google\google chrome.exe (File)
     Successfully deleted: C:\Users\WUD\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8UUBRVOK (Temporary Internet Files Folder)
     Successfully deleted: C:\Users\WUD\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LGEMGZ5P (Temporary Internet Files Folder)
     Successfully deleted: C:\Users\WUD\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SVE3CNXD (Temporary Internet Files Folder)
     Successfully deleted: C:\Users\WUD\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y6HUUFR5 (Temporary Internet Files Folder)
     Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8UUBRVOK (Temporary Internet Files Folder)
     Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LGEMGZ5P (Temporary Internet Files Folder)
     Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SVE3CNXD (Temporary Internet Files Folder)
     Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y6HUUFR5 (Temporary Internet Files Folder)

     Deleted the following from C:\Users\WUD\AppData\Roaming\Mozilla\Firefox\Profiles\uawm04yb.default\prefs.js
     user_pref(browser.uiCustomization.state, {\placements\:{\PanelUI-contents\:[\edit-controls\,\zoom-controls\,\new-window-button\,\privatebrowsing-button\,\save-
     user_pref(extensions.safesearchplus2@avira.com.abTestParameters, {\iconTest\:\WithIcon\});
     user_pref(extensions.safesearchplus2@avira.com.prev_default_engine_name, \Google\);
     user_pref(browser.startup.homepage, hxxp://yourtv.link);

     Registry: 2

     Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\Main\\Start Page (Registry Value)
     Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)

     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Scan was completed on Thu 04/20/2017 at 2:21:02.86
     End of JRT log
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     STEP 02
     Ran AdwCleaner, NO threats were found, so I didn't restart my PC

     # AdwCleaner v6.045 - Logfile created 20/04/2017 at 02:28:17
     # Updated on 28/03/2017 by Malwarebytes
     # Database : 2017-04-19.2 [Server]
     # Operating System : Windows 7 Professional Service Pack 1 (X86)
     # Username : WUD - WUD-PC
     # Running from : C:\Users\WUD\Desktop\AdwCleaner.exe
     # Mode: Scan
     # Support : https://www.malwarebytes.com/support

     ***** [ Services ] *****

     No malicious services found.

     ***** [ Folders ] *****

     No malicious folders found.

     ***** [ Files ] *****

     No malicious files found.

     ***** [ DLL ] *****

     No malicious DLLs found.

     ***** [ WMI ] *****

     No malicious keys found.

     ***** [ Shortcuts ] *****

     No infected shortcut found.

     ***** [ Scheduled Tasks ] *****

     No malicious task found.

     ***** [ Registry ] *****

     No malicious registry entries found.

     ***** [ Web browsers ] *****

     No malicious Firefox based browser items found.
     No malicious Chromium based browser items found.

     *************************

     C:\AdwCleaner\AdwCleaner[C0].txt - [3344 Bytes] - [17/04/2017 18:58:05]
     C:\AdwCleaner\AdwCleaner[C2].txt - [2464 Bytes] - [17/04/2017 19:17:51]
     C:\AdwCleaner\AdwCleaner[C3].txt - [4080 Bytes] - [17/04/2017 20:35:11]
     C:\AdwCleaner\AdwCleaner[C4].txt - [1507 Bytes] - [17/04/2017 22:42:10]
     C:\AdwCleaner\AdwCleaner[C5].txt - [3532 Bytes] - [18/04/2017 11:56:30]
     C:\AdwCleaner\AdwCleaner[C6].txt - [1920 Bytes] - [19/04/2017 11:35:49]
     C:\AdwCleaner\AdwCleaner[S0].txt - [3224 Bytes] - [17/04/2017 18:55:31]
     C:\AdwCleaner\AdwCleaner[S1].txt - [2550 Bytes] - [17/04/2017 19:16:55]
     C:\AdwCleaner\AdwCleaner[S2].txt - [4032 Bytes] - [17/04/2017 20:34:32]
     C:\AdwCleaner\AdwCleaner[S3].txt - [1697 Bytes] - [17/04/2017 22:41:32]
     C:\AdwCleaner\AdwCleaner[S4].txt - [1734 Bytes] - [17/04/2017 22:56:47]
     C:\AdwCleaner\AdwCleaner[S5].txt - [3583 Bytes] - [18/04/2017 11:55:58]
     C:\AdwCleaner\AdwCleaner[S6].txt - [2029 Bytes] - [19/04/2017 11:35:02]
     C:\AdwCleaner\AdwCleaner[S7].txt - [1948 Bytes] - [20/04/2017 02:28:17]

     ########## EOF - C:\AdwCleaner\AdwCleaner[S7].txt - [2021 Bytes] ##########

     STEP 03
     Disabled my antivirus again (thought I should) and ran Sophos. While Sophos was scanning, Malwarebytes popped up saying it had found 5 threats (I had no idea it was running, sorry!). I didn't do anything at the moment, I just minimized it. Here are the results of Sophos (2 threats):

     2017-04-19 23:36:32.641 Sophos Virus Removal Tool version 2.5.6
     2017-04-19 23:36:32.641 Copyright (c) 2009-2016 Sophos Limited. All rights reserved.
     2017-04-19 23:36:32.641 This tool will scan your computer for viruses and other threats. If it finds any, it will give you the option to remove them.
     2017-04-19 23:36:32.641 Windows version 6.1 SP 1.0 Service Pack 1 build 7601 SM=0x100 PT=0x1 Win32
     2017-04-19 23:36:32.641 Checking for updates...
     2017-04-19 23:36:33.281 Update progress: proxy server not available
     2017-04-19 23:36:49.006 Option all = no
     2017-04-19 23:36:49.006 Option recurse = yes
     2017-04-19 23:36:49.006 Option archive = no
     2017-04-19 23:36:49.006 Option service = yes
     2017-04-19 23:36:49.006 Option confirm = yes
     2017-04-19 23:36:49.006 Option sxl = yes
     2017-04-19 23:36:49.006 Option max-data-age = 35
     2017-04-19 23:36:49.006 Option vdl-logging = yes
     2017-04-19 23:36:49.021 Customer ID: 094260ca9b3af99f9d4a3909fc47a743
     2017-04-19 23:36:49.021 Machine ID: 26eadbd5bc7d4b06a67a2f81c6b841b4
     2017-04-19 23:36:49.021 Component SVRTcli.exe version 2.5.6
     2017-04-19 23:36:49.021 Component control.dll version 2.5.6
     2017-04-19 23:36:49.021 Component SVRTservice.exe version 2.5.6
     2017-04-19 23:36:49.021 Component engine\osdp.dll version 1.44.1.2281
     2017-04-19 23:36:49.021 Component engine\veex.dll version 3.68.1.2281
     2017-04-19 23:36:49.021 Component engine\savi.dll version 9.0.7.2281
     2017-04-19 23:36:49.021 Component rkdisk.dll version 1.5.31.1
     2017-04-19 23:36:49.021 Version info: Product version 2.5.6
     2017-04-19 23:36:49.037 Version info: Detection engine 3.68.1
     2017-04-19 23:36:49.037 Version info: Detection data 5.38
     2017-04-19 23:36:49.037 Version info: Build date 4/4/2017
     2017-04-19 23:36:49.037 Version info: Data files added 221
     2017-04-19 23:36:49.037 Version info: Last successful update (not yet updated)
     2017-04-19 23:37:00.425 Downloading updates...
     2017-04-19 23:37:00.440 Update progress: [I96736] sdds.svrt_10: adding primary package C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED baseVersion=1
     2017-04-19 23:37:00.440 Update progress: [I95020] sdds.svrt_10: looking for packages included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
     2017-04-19 23:37:00.440 Update progress: [I22529] sdds.svrt_10: looking for supplements included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
     2017-04-19 23:37:00.440 Update progress: [I49502] sdds.savi0910.xml: found supplement SAVIW32 LATEST path= baseVersion= [included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=]
     2017-04-19 23:37:00.440 Update progress: [I95020] sdds.savi0910.xml: looking for packages included from product SAVIW32 LATEST path=
     2017-04-19 23:37:00.440 Update progress: [I22529] sdds.savi0910.xml: looking for supplements included from product SAVIW32 LATEST path=
     2017-04-19 23:37:00.440 Update progress: [I49502] sdds.data0910.xml: found supplement IDE539 LATEST path= baseVersion= [included from product SAVIW32 LATEST path=]
     2017-04-19 23:37:00.440 Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE539 LATEST path=
     2017-04-19 23:37:00.440 Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE539 LATEST path=
     2017-04-19 23:37:00.440 Update progress: [I49502] sdds.data0910.xml: found supplement IDE540 LATEST path= baseVersion= [included from product IDE539 LATEST path=]
     2017-04-19 23:37:00.440 Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE540 LATEST path=
     2017-04-19 23:37:00.440 Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE540 LATEST path=
     2017-04-19 23:37:00.440 Update progress: [I49502] sdds.data0910.xml: found supplement IDE541 LATEST path= baseVersion= [included from product IDE540 LATEST path=]
     2017-04-19 23:37:00.440 Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE541 LATEST path=
     2017-04-19 23:37:00.440 Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE541 LATEST path=
     2017-04-19 23:37:00.440 Update progress: [I19463] Syncing product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
     2017-04-19 23:37:02.453 Update progress: [I19463] Syncing product SAVIW32 LATEST path=
     2017-04-19 23:37:02.453 Update progress: [I19463] Product download size 162626989 bytes
     2017-04-19 23:37:21.298 Update progress: [I19463] Syncing product IDE539 LATEST path=
     2017-04-19 23:37:21.298 Update progress: [I19463] Product download size 2453408 bytes
     2017-04-19 23:37:33.528 Update progress: [I19463] Syncing product IDE540 LATEST path=
     2017-04-19 23:37:33.528 Update progress: [I19463] Product download size 967455 bytes
     2017-04-19 23:37:42.233 Update progress: [I19463] Syncing product IDE541 LATEST path=
     2017-04-19 23:37:42.717 Installing updates...
     2017-04-19 23:37:44.573 Error level 1
     2017-04-19 23:40:16.595 Update successful
     2017-04-19 23:40:33.816 Option all = no
     2017-04-19 23:40:33.816 Option recurse = yes
     2017-04-19 23:40:33.816 Option archive = no
     2017-04-19 23:40:33.816 Option service = yes
     2017-04-19 23:40:33.816 Option confirm = yes
     2017-04-19 23:40:33.816 Option sxl = yes
     2017-04-19 23:40:33.816 Option max-data-age = 35
     2017-04-19 23:40:33.816 Option vdl-logging = yes
     2017-04-19 23:40:33.832 Customer ID: 094260ca9b3af99f9d4a3909fc47a743
     2017-04-19 23:40:33.832 Machine ID: 26eadbd5bc7d4b06a67a2f81c6b841b4
     2017-04-19 23:40:33.847 Component SVRTcli.exe version 2.5.6
     2017-04-19 23:40:33.847 Component control.dll version 2.5.6
     2017-04-19 23:40:33.847 Component SVRTservice.exe version 2.5.6
     2017-04-19 23:40:33.847 Component engine\osdp.dll version 1.44.1.2281
     2017-04-19 23:40:33.847 Component engine\veex.dll version 3.68.1.2281
     2017-04-19 23:40:33.847 Component engine\savi.dll version 9.0.7.2281
     2017-04-19 23:40:33.863 Component rkdisk.dll version 1.5.31.1
     2017-04-19 23:40:33.863 Version info: Product version 2.5.6
     2017-04-19 23:40:33.863 Version info: Detection engine 3.68.1
     2017-04-19 23:40:33.863 Version info: Detection data 5.38
     2017-04-19 23:40:33.863 Version info: Build date 4/4/2017
     2017-04-19 23:40:33.863 Version info: Data files added 221
     2017-04-19 23:40:33.863 Version info: Last successful update 4/20/2017 2:40:16 AM
     2017-04-19 23:48:14.739 Could not open C:\Boot\BCD
     2017-04-19 23:48:16.783 Could not open C:\hiberfil.sys
     2017-04-19 23:55:57.434 >>> Virus 'Troj/Miner-BM' found in file C:\ProgramData\anc\anc.exe
     2017-04-19 23:55:57.434 >>> Virus 'Troj/Miner-BM' found in file HKU\S-1-5-21-2378800864-159095509-290568945-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04202017023849781\Software\Microsoft\Windows\CurrentVersion\Run\anc.exe
     2017-04-19 23:55:57.434 >>> Virus 'Troj/Miner-BM' found in file HKU\S-1-5-21-2378800864-159095509-290568945-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04202017023718365\Software\Microsoft\Windows\CurrentVersion\Run\anc.exe
     2017-04-19 23:55:57.434 >>> Virus 'Troj/Miner-BM' found in file HKU\S-1-5-21-2378800864-159095509-290568945-1001\Software\Microsoft\Windows\CurrentVersion\Run\anc.exe
     2017-04-19 23:55:57.434 >>> Virus 'Troj/Miner-BM' found in file HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
     2017-04-19 23:55:57.434 >>> Virus 'Troj/Miner-BM' found in file HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
     2017-04-19 23:56:21.629 Could not open C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
     2017-04-19 23:56:21.629 Could not open C:\System Volume Information\{4e21df72-2555-11e7-9d63-00241ddc0834}{3808876b-c176-4e48-b7ae-04046e6cc752}
     2017-04-19 23:56:21.629 Could not open C:\System Volume Information\{4e21df8d-2555-11e7-9d63-00241ddc0834}{3808876b-c176-4e48-b7ae-04046e6cc752}
     2017-04-20 00:03:53.499 Could not open C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
     2017-04-20 00:03:53.499 Could not open C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
     2017-04-20 00:04:00.394 Could not open C:\Windows\System32\config\RegBack\DEFAULT
     2017-04-20 00:04:00.394 Could not open C:\Windows\System32\config\RegBack\SAM
     2017-04-20 00:04:00.394 Could not open C:\Windows\System32\config\RegBack\SECURITY
     2017-04-20 00:04:00.394 Could not open C:\Windows\System32\config\RegBack\SOFTWARE
     2017-04-20 00:04:00.410 Could not open C:\Windows\System32\config\RegBack\SYSTEM
     2017-04-20 00:19:33.669 >>> Virus 'Mal/Generic-S' found in file D:\Utorrent\0Software\Windows 7 SP1 X86 en-US March 2016\sources\$oem$\$$\Setup\Files\Done.exe\FILE:0001
     2017-04-20 00:19:33.669 Disinfection not offered
     2017-04-20 00:20:16.601 Could not open LOGICAL:0004:00000000
     2017-04-20 00:20:16.601 Could not open E:\
     2017-04-20 00:20:16.850 The following items will be cleaned up:
     2017-04-20 00:20:16.850 Troj/Miner-BM
     2017-04-20 00:20:16.850 Mal/Generic-S

     STEP 03_b
     I quarantined the files that Malwarebytes found and restarted my PC like it said. Here is the log:

     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Scan Date: 4/20/17
     Scan Time: 2:37 AM
     Logfile: MalwarebytesReport2.txt
     Administrator: Yes

     -Software Information-
     Version: 3.0.6.1469
     Components Version: 1.0.103
     Update Package Version: 1.0.1764
     License: Trial

     -System Information-
     OS: Windows 7 Service Pack 1
     CPU: x86
     File System: NTFS
     User: System

     -Scan Summary-
     Scan Type: Threat Scan
     Result: Completed
     Objects Scanned: 245408
     Time Elapsed: 7 min, 11 sec

     -Scan Options-
     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Disabled
     Heuristics: Enabled
     PUP: Enabled
     PUM: Enabled

     -Scan Details-
     Process: 0
     (No malicious items detected)

     Module: 0
     (No malicious items detected)

     Registry Key: 0
     (No malicious items detected)

     Registry Value: 0
     (No malicious items detected)

     Registry Data: 0
     (No malicious items detected)

     Data Stream: 0
     (No malicious items detected)

     Folder: 0
     (No malicious items detected)

     File: 3
     Trojan.FakeAlert.E, C:\PROGRAMDATA\GOOGLE\GOOGLE CHROME.EXE, No Action By User, [1887], [353510],1.0.1764
     PUP.Optional.YourTV.YTVRev, C:\USERS\WUD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\UAWM04YB.DEFAULT\SEARCHPLUGINS\GOOGLE .XML, No Action By User, [2398], [355013],1.0.1764
     PUP.Optional.YourTV.YTVRev, C:\PROGRAMDATA\GOOGLE\GOOGLE CHROME.EXE, No Action By User, [2398], [-1],0.0.0

     Physical Sector: 0
     (No malicious items detected)

     (end)

     STEP 04
     After restarting, I checked and saw that 'anc.exe' was not there this time. Ran FRST as instructed and the logs are attached. Also, Chrome finally opened normally instead of going to the yourtv.link page! Thank you very much for your time, please let me know if you need me to clarify anything! Addition.txt FRST.txt
  3. And these are the Malwarebytes results in case it helps.. MalwarebytesReport.txt
  4. Hello, I'm another victim of the yourtv.link virus. I've tried almost every solution I found on this forum, but no luck.. 99% of the detections of the programs are about yourtv.link, but at some point, Rkill found anc.exe and stopped it. Also, whenever I try to open Chrome, Malwarebytes blocks it as Malware/Trojan.Fakealert.E. I've been trying to solve this for a day, please help! Thank you in advance.. Addition.txt FRST.txt