Jump to content

Computer Infected by yeabests.cc


Recommended Posts

Hey. I'm Roshan,

I recently downloaded a android recovery program from the internet called Wondershare.  But, unfortunately, it was a virus file. It immediately started downloading and installing programs without my consent. I switched off the internet and uninstalled all the programs which it installed and deleted it.

But , I still saw some new programs in my desktop. One of them was MPC Cleaner. I tried to delete it from ProgramFilesx86 but it wouldn't let me to do so, asking for administrator rights.

I tried to search the internet for solutions but I could not access the internet due to some DNS problems.

I tried to install MBAM but it won't install (runtime error 110:137 - could not call proc).

I also got a run.vbs error, which I solved using this post: http://www.winhelponline.com/blog/cannot-find-script-run-vbs-logon/

I used another computer to search for solutions and found this post: https://forums.malwarebytes.org/topic/173575-cant-install-malwarebytes-run-firefox/

That user had almost the same problem as mine. So, I followed the instructions specified in that post. I used AdwCleaner and it found threats and I cleaned them. After a reboot , I was able to install MBAM and access the internet. I scanned the computer using MBAM and it found numerous threats and I deleted all of them. After a reboot, MPC Cleaner was gone.

But , whenever I opened the Internet Browsers- Google Chrome, Mozilla Firefox, Internet Explorer, I get redirected to yeabests.cc page.

I used Zemana Anti-Malware and it detected the threats and repaired them. But, after a reboot , yeabests.cc still comes back.

I consequently used Zoek, ZHP Cleaner, HitmanPro, UnHackMe but still the problem persists.

Please help me remove this virus.

Thanks.

 

Link to post
Share on other sites

Hello Roshan and welcome to Malwarebytes,

My screen name is kevinf80, i`m here to help clean up your system, continue as follows please:

Download RKill from here: http://www.bleepingcomputer.com/download/rkill/

There are three buttons to choose from with different names on, select the first one and save it to your desktop.
 
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7/8/10, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log. Please post this in your next reply.
  • If you do not see the black box flash on the screen delete the icon from the desktop and go back to the link for the download, select the next button and try to run the tool again, continue to repeat this process using the remaining buttons until the tool runs. You will find further links if you scroll down the page with other names, try them one at a time.
  • If the tool does not run from any of the links provided, please let me know.


Next,

Please open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete Apply Actions to any found entries.
  • Wait for the prompt to restart the computer to appear (if applicable), then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.


To get the log from Malwarebytes do the following:
 
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
    XML file (*.xml) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
     
  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…



If Malwarebytes is not installed follow these instructions first:

Download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish. Follow the instructions above....


Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach those logs to your reply.


Let me see those logs in your reply...

Thank you,

Kevin...
Link to post
Share on other sites

Thanks for those logs, there are two AV programs installed and active, that is counterproductive and will cause problems for your operating system. It is essential to uninstall one asap....

Next,

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Next,

Download AdwCleaner by Xplode onto your Desktop.
 
  • Double click on Adwcleaner.exe to run the tool.
  • Click on the Scan in the Actions box
  • Please wait fot the scan to finish..
  • When "Waiting for action.Please uncheck elements you want to keep" shows in top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...


Next,

Please download Junkware Removal Tool to your desktop.
 
  • Shut down your protection software now to avoid potential conflicts. (re-enable when done)
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.


Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....


Let me see those logs, also give an update of any remaining issues or concerns..

Thank you,

Kevin

 

 

Fixlist.txt

Link to post
Share on other sites

Hey Kevin,

              Still whenever I open my browsers - Chrome , Firefox , IE , I get redirected to yeabests.cc . I found another post with the same problem and it was solved: https://forums.malwarebytes.org/topic/181690-computer-infected-by-malware/#comment-1033544

              Sophos Free Virus Removal Tool found no threats.

              I also get an error during startup from Microsoft Security but maybe it is due to the uninstallation of MSE. Is it a problem?

Here are the logs attached:

 

 

 

AdwCleaner[C4].txt

Fixlog.txt

JRT.txt

Link to post
Share on other sites

51a612a8b27e2-Zoek.pngScan with ZOEK

Please download ZOEK by Smeenk from here: http://hijackthis.nl/smeenk/ and save it to your desktop (preferred version is the *.exe one)

*.exe Mirror http://smeenk.247fixes.com/Tools/zoek.exe

Temporary disable your AntiVirus and AntiSpyware protection - instructions here or here

 

  • Right-click on 51a612a8b27e2-Zoek.png icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
  • Wait patiently until the main console will appear, it may take a minute or two.
  • In the main box please paste in the following script:

 

 

createsrpoint;
autoclean;
emptyalltemp;
FFdefaults;
CHRdefaults;
ipconfig /flushdns >>"%temp%\log.txt";b

 

 

  • Make sure that Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in notepad.
  • If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)

 

Please include its content in your next reply. Don't forget to re-enable security software!

Does the redirect stop? if not do the following:

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt  under "Optional scan" Select scan, when done post the new logs....

Thanks,

Kevin

 

Link to post
Share on other sites

If the re-directs have stopped you should be good to go, run the following to clean up first...

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix either, accept the alert or turn your security off.

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:


  •    
  • Remove disinfection tools
       
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
       
  • Reset system settings   <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection

Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...  busy.gif

 

 

 

Link to post
Share on other sites

Yes I see yeabests.cc has returned, run the following:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Next,

ZN3USrZ.pngEmsisoft Emergency Kit

  • Click Here to download Emsisoft Emergency Kit. The download will automatically start after a moment.
  • Save EmsisoftEmergencyKit.exe to your Desktop.
  • Double click on EmsisoftEmergencyKit.exe (Windows Vista/7/8 users: Accept UAC warning if it is enabled). A screen like this will appear:
    dQVDkTW.png
  • Leave everything as it is, then click Extract. This will unpack Emsisoft Emergency Kit to the EEK folder located in the root drive (usually C:\).
  • Once the extraction is done, an icon qwL1Upn.png will appear on your Desktop. Double click it to start Emsisoft Emergency Kit.
  • Wait for Emsisoft Emergency Kit to finish loading signatures. A screen like this should appear:
  • Wait for Emsisoft Emergency Kit to finish loading signatures. A screen like this should appear:

    yEgPemv.png

  • Choose Yes, then wait for EEK to finish updating.

  • Choose Malware Scan under the Scan button. When EEK asks to activate PUP detection, choose Yes.

  • Wait for the scan to finish.

    RUeRoi4.png

  • If EEK detects something, all detected items will be displayed. Place a checkmark before everything, then choose Quarantine Selected.

  • If Emsisoft Emergency Kit asks to reboot, please do so immediately.

  • The scan log is located in Logs -> Scan Logs. Click on the entry of the latest scan, choose Export and save the report on your Desktop.

    P7FSALs.png

  • Please Copy and Paste the contents of the scan log in your next reply.

Fixlist.txt

Link to post
Share on other sites

Hey Kevin,

Here are the logs attached:

Emsisoft Emergency Kit - Version 11.0
Last update: 24-04-2016 14:56:05
User account: PC\roshan

Scan settings:

Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files

Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start:    24-04-2016 14:56:46
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\{A16B1AF7-982D-40C3-B5C1-633E1A6A6678}     detected: Application.AdInstall (A)

Scanned    72981
Found    1

Scan end:    24-04-2016 15:03:35
Scan time:    0:06:49

Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\{A16B1AF7-982D-40C3-B5C1-633E1A6A6678}     Application.AdInstall (A)

Quarantined    1
 

Fixlog.txt

Scan_160424-150430.txt

Link to post
Share on other sites

Ok, not sure why this problem is keep coming back. Lets try with Zoek again...

51a612a8b27e2-Zoek.pngScan with ZOEK

Please download ZOEK by Smeenk from here: http://hijackthis.nl/smeenk/ and save it to your desktop (preferred version is the *.exe one)

*.exe Mirror http://smeenk.247fixes.com/Tools/zoek.exe

Temporary disable your AntiVirus and AntiSpyware protection - instructions here or here

  • Right-click on 51a612a8b27e2-Zoek.png icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
  • Wait patiently until the main console will appear, it may take a minute or two.
  • In the main box please paste in the following script:

	createsrpoint;
	autoclean;
	emptyalltemp;
	ipconfig /flushdns &gt;&gt;"%temp%\log.txt";b
	FFdefaults;
	CHRdefaults;


  • Make sure that Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in notepad.
  • If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)

Please include its content in your next reply. Don't forget to re-enable security software!


Does the issue still happen..

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.