Search the Community

Hello, My name is Ethan and I'd like to request help with malware/rootkit/ad/etc removal. To give you some background, I recently got infected with THIS file. It changed my browser, redirected pages to "eatyellowmango. com", changed file names to ".bat", installed bitcoin miners, 100% CPU usage, and much worse. After 10+ hours of running every AV program I knew, it's mostly gone; but I'm still having issues with what I believe is "Adware.Yelloader" and rootkit(s). I've also gotten a BSOD message three times, saying "irql_not_less_or_equal", but that stopped now. So far, I've ran the following programs: Rkill, Malwarebytes, Chameleon, Zemana, AdwCleaner, HitmanPro, SUPERAntiSpyware, Webroot SecureAnywhere, AVG, Avast, ESET Online Scanner, Sophos, EmsisoftEmergencyKit, Defogger, MiniToolBox, FRST (Logs), and FixTDSS (Unsuccessful) - and I plan to run TronScript soon. (I also ran these programs in SafeMode w/ Network) Everything seems to be normal now, except that I'm having problems running TDSSkiller, JRT, ComboFix, Malwarebytes Anti-Rootkit (Missing DDA driver + "The system inaccessible seems inaccessible or encrypted. Scan cant continue"), BitDefender, and some other normal programs such as Razer Synapse. They ask for admin privileges, but they never open afterwords. While I'm not very experienced on this topic, I believe it may be a program/virus denying me access. I'm willing to simply wipe my drives (SSD w/ win10, HDD for storage), but that's the last resort. If you could help, I'd greatly appreciate it. Thank you to anyone who reads/replies to my thread! Addition.txt FRST.txt MB Scan.txt

Note Updated on October 27, 2017 If you are trying to start Malwarebytes and you receive an error message that the resource is already in use then you may be infected with Adware.Yelloader. Please follow the instructions below to remove the infection. 1. Download version 1.10.3.1001of Malwarebytes Anti Rootkit (MBAR) https://malwarebytes.app.box.com/s/flmkkcawxhohv6jf6wlkentlvycq0f3z 2. Run the exe as administrator by right clicking and select run as administrator. Click ok to extract. If Mbar wont run please download the zip copy from this article and follow the instructions at the link to get running. Then Continue at Step 3. https://support.malwarebytes.com/docs/DOC-1267 3. After extraction MBAR should start. Click next. 4. Update by hitting the update button. After the update completes hit next. 5. Hit the scan button. Please let it finish the scan. This rootkit may slow your machine down and MBAR may look like it will freeze but it will continue to scan. Please allow it to do so. If you get the following error message: Click Yes and your computer will reboot. After the reboot, the MBAR window should automatically open. Note: If your Desktop is missing/black, do not worry. This is normal. Please proceed with the remaining instructions below. Click Next followed by Next. Click Scan. If the scan successfully completes, please skip to the Remediation bullet points below. If you receive the same message, "Could not load DDA driver", click Yes. Click OK. Your computer will automatically boot into the Recovery Environment. Proceed with the instructions below afterwards. If Windows did not boot into the recovery environment hold the SHIFT key and click restart computer while holding the shift key down. You should then boot into the boot options menu. Select repair your computer from the list and follow the instructions below. If still not successfull from a command prompt in normal windows run the following command: bcdedit.exe /set {bootmgr} displaybootmenu yes Windows 7: Select your desired keyboard layout and click Next. Select your user account, enter your user account password (leave blank if you don't have one and click OK. Click Command Prompt. Windows 10: Click Troubleshoot. Click Advanced Options followed by Command Prompt. Select your account and enter your password if you have one. Command Prompt in Recovery Environment: Type the following text below into the Command Prompt and press Enter on the keyboard: C:\mbstart.cmd Note: If you encounter an error stating the command is not recognized, replace "C" with the letter "D" (e.g. D:\mbstart.cmd). Note: Repeat with each letter of the alphabet until the command successfully executes. Once the command is successfully executed, your computer will automatically boot back into Normal Mode. The MBAR window should automatically open. Click Next. Click update Click Scan Remediation: If threats are detected, click the Cleanup button. If you are prompted to restart, please hit Yes . Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created. Both files can be found in the extracted MBAR folder on your Desktop. Please attach both files in your next reply. 7. Malwarebytes functionality should be restored. You must run a Malwarebytes custom scan with rootkit on so any remaining detections are removed. This should remedy the rootkit. If you are still having issues please post in this forum or open a helpdesk ticket. Changelog: Made compatible if Malwarebytes 3 was already pre-installed. Updated bundled defintions to more recent package. Updated on 09-13-2017 for latest variants. Updated on 10-14-2017 for latest variant. Updated on 10-27-2017 for latest variant and better success with dda driver loading without Recovery environment.