Jump to content

Youndoo PUP removal


Recommended Posts

Hello nanobrain and welcome to Malwarebytes.org,

My screen name is kevinf80, i`m here to help clean up your system. Make sure to run all scans from accounts with Administrator status, continue as follows please:

Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good...

Continue as follows please:

Please open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete Apply Actions to any found entries.
  • Wait for the prompt to restart the computer to appear (if applicable), then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.


To get the log from Malwarebytes do the following:
 
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
    XML file (*.xml) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
     
  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…


Next,

Download AdwCleaner by Xplode onto your Desktop.
 
  • Double click on Adwcleaner.exe to run the tool.
  • Click on the Scan in the Actions box
  • Please wait fot the scan to finish..
  • When "Waiting for action.Please uncheck elements you want to keep" shows in top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...


Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....


Let me see those logs, also give an update on any remaining issues or concerns....

Thank you,

Kevin...

 

 

Link to post
Share on other sites

Hello Kevin, thanks for responding. 1st update, the log from MBAM. Will update when completing further steps.
Also, just realized it's in Swedish, any way to change this or will this suffice?

Malwarebytes Anti-Malware
www.malwarebytes.org

Skanningsdatum: 2016-07-04
Skanningstid: 18:53
Loggfil: 
Administratör: Ja

Version: 2.2.1.1043
Databas med skadliga program: v2016.07.04.06
Databas med rootkit: v2016.05.27.01
Licens: Utvärderingsversion
Skydd mot skadliga program: Aktiverat
Skydd mot skadliga webbplatser: Aktiverat
Självförsvar: Inaktiverat

OS: Windows 7 Service Pack 1
CPU: x64
Filsystem: NTFS
Användare: Marcus

Skanningstyp: Hotskanning
Resultat: Slutförd
Skannade objekt: 344972
Förfluten tid: 10 min, 29 sek

Minne: Aktiverat
Autostart: Aktiverat
Filsystem: Aktiverat
Arkivfiler: Aktiverat
Rootkits: Aktiverat
Heuristik: Aktiverat
PUP: Aktiverat
PUM: Aktiverat

Processer: 0
(Inga skadliga poster upptäckta)

Moduler: 0
(Inga skadliga poster upptäckta)

Registernycklar: 2
PUP.Optional.YesSearches, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{1560FE9B-D84C-4691-B4EB-C7120EBCB9C7}, Ta-bort-vid-omstart, [ff0765bb851574c22efdb9efcc38758b], 
PUP.Optional.YesSearches, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Anulient Cache, Ta-bort-vid-omstart, [d135a47ce9b146f0f337d4d4758fb54b], 

Registervärden: 2
PUP.Optional.Youndoo, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS\{6710C780-E20E-4C49-A87D-321850ED3D7C}, Flyttad till karantän, [8086df4133670e2860376e0216ec43bd], 
PUP.Optional.YesSearches, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{1560FE9B-D84C-4691-B4EB-C7120EBCB9C7}|Path, \Anulient Cache, Ta-bort-vid-omstart, [ff0765bb851574c22efdb9efcc38758b]

Registerdata: 0
(Inga skadliga poster upptäckta)

Mappar: 0
(Inga skadliga poster upptäckta)

Filer: 1
HackTool.Agent.Steam, C:\Users\Marcus\Desktop\Rensa skrivbordet and stuff\Ny mapp\steam_api64.dll, Flyttad till karantän, [b353948cebaf0234cb03422a20e2dc24], 

Fysiska sektorer: 0
(Inga skadliga poster upptäckta)


(end)

Link to post
Share on other sites

At the moment I don't seem to have any issues but I noticed that a couple more pups surfaced when I scanned just now. The "yessearch" to be exact, it wasn't there when I posted the thread.

 

# AdwCleaner v5.201 - Logfile created 04/07/2016 at 19:10:13
# Updated 30/06/2016 by ToolsLib
# Database : 2016-07-04.1 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (X64)
# Username : Marcus - MARCUS-DATOR
# Running from : C:\Users\Marcus\Desktop\AdwCleaner.exe
# Option : Clean
# Support : https://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****

[-] Folder Deleted : C:\ProgramData\ytd video downloader
[#] Folder Deleted : C:\ProgramData\Application Data\ytd video downloader
[-] Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ytd video downloader
[-] Folder Deleted : C:\Program Files (x86)\GreenTree Applications

***** [ Files ] *****

[-] File Deleted : C:\Users\Public\Desktop\YTD Video Downloader.lnk

***** [ DLLs ] *****


***** [ WMI ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKCU\Software\GreenTree Applications\YTD
[-] Key Deleted : HKLM\SOFTWARE\{E6276374-DE18-4AA5-A365-9016A2F98A2D}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\11598763487076930564

***** [ Web browsers ] *****


*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [1446 bytes] - [04/07/2016 19:10:13]
C:\AdwCleaner\AdwCleaner[S1].txt - [1554 bytes] - [04/07/2016 19:09:03]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1592 bytes] ##########
Thanks,

Link to post
Share on other sites

It's finished now.
 

2016-07-04 17:16:20.777    Sophos Virus Removal Tool version 2.5.5
2016-07-04 17:16:20.777    Copyright (c) 2009-2014 Sophos Limited. All rights reserved.

2016-07-04 17:16:20.777    This tool will scan your computer for viruses and other threats. If it finds any, it will give you the option to remove them.

2016-07-04 17:16:20.777    Windows version 6.1 SP 1.0 Service Pack 1 build 7601 SM=0x300 PT=0x1 WOW64
2016-07-04 17:16:20.777    Checking for updates...
2016-07-04 17:16:27.063    Option all = no
2016-07-04 17:16:27.063    Option recurse = yes
2016-07-04 17:16:27.063    Option archive = no
2016-07-04 17:16:27.063    Option service = yes
2016-07-04 17:16:27.063    Option confirm = yes
2016-07-04 17:16:27.063    Option sxl = yes
2016-07-04 17:16:27.063    Option max-data-age = 35
2016-07-04 17:16:27.063    Option EnableSafeClean = yes
2016-07-04 17:16:28.161    Option vdl-logging = yes
2016-07-04 17:16:28.169    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2016-07-04 17:16:28.169    Machine ID:    10868d32452847eaaa557abb84da0aaf
2016-07-04 17:16:28.169    Component SVRTcli.exe version 2.5.5
2016-07-04 17:16:28.170    Component control.dll version 2.5.5
2016-07-04 17:16:28.170    Component SVRTservice.exe version 2.5.5
2016-07-04 17:16:28.170    Component engine\osdp.dll version 1.44.1.2250
2016-07-04 17:16:28.170    Component engine\veex.dll version 3.65.0.2250
2016-07-04 17:16:28.170    Component engine\savi.dll version 9.0.1.2250
2016-07-04 17:16:28.170    Component rkdisk.dll version 1.5.30.0
2016-07-04 17:16:28.170    Version info:    Product version    2.5.5
2016-07-04 17:16:28.171    Version info:    Detection engine    3.65.0
2016-07-04 17:16:28.171    Version info:    Detection data    5.26
2016-07-04 17:16:28.171    Version info:    Build date    2016-04-05
2016-07-04 17:16:28.171    Version info:    Data files added    574
2016-07-04 17:16:28.171    Version info:    Last successful update    (not yet updated)
2016-07-04 17:16:31.827    Update progress: proxy server not available
2016-07-04 17:16:47.558    Downloading updates...
2016-07-04 17:16:47.558    Update progress: [I96736] Looking for package C1A903B2-E63E-483b-982D-04BB9C457C60 1.0 
2016-07-04 17:16:47.558    Update progress: [I49502] Found supplement SAVIW32 LATEST 
2016-07-04 17:16:47.558    Update progress: [I49502] Found supplement IDE527 LATEST 
2016-07-04 17:16:47.558    Update progress: [I49502] Found supplement IDE528 LATEST 
2016-07-04 17:16:47.558    Update progress: [I49502] Found supplement IDE529 LATEST 
2016-07-04 17:16:47.558    Update progress: [I49502] Found supplement IDE530 LATEST 
2016-07-04 17:16:47.558    Update progress: [I49502] Found supplement IDE531 LATEST 
2016-07-04 17:16:47.558    Update progress: [I49502] Found supplement IDE532 LATEST 
2016-07-04 17:16:47.558    Update progress: [I19463] Syncing product C1A903B2-E63E-483b-982D-04BB9C457C60 1
2016-07-04 17:16:47.558    Update progress: [I19463] Syncing product SAVIW32 70
2016-07-04 17:16:55.525    Update progress: [I19463] Syncing product IDE527 142
2016-07-04 17:16:58.036    Installing updates...
2016-07-04 17:16:58.647    Error level 1
2016-07-04 17:16:58.662    Update progress: [I19463] Syncing product IDE528 127
2016-07-04 17:16:58.662    Update progress: [I19463] Syncing product IDE529 135
2016-07-04 17:16:58.662    Update progress: [I19463] Syncing product IDE530 176
2016-07-04 17:16:58.662    Update progress: [I19463] Syncing product IDE531 1
2016-07-04 17:16:58.662    Update progress: [I19463] Syncing product IDE532 1
2016-07-04 17:17:04.528    Update successful
2016-07-04 17:17:11.224    Option all = no
2016-07-04 17:17:11.224    Option recurse = yes
2016-07-04 17:17:11.224    Option archive = no
2016-07-04 17:17:11.224    Option service = yes
2016-07-04 17:17:11.224    Option confirm = yes
2016-07-04 17:17:11.224    Option sxl = yes
2016-07-04 17:17:11.224    Option max-data-age = 35
2016-07-04 17:17:11.224    Option EnableSafeClean = yes
2016-07-04 17:17:11.255    Option vdl-logging = yes
2016-07-04 17:17:11.255    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2016-07-04 17:17:11.255    Machine ID:    10868d32452847eaaa557abb84da0aaf
2016-07-04 17:17:11.255    Component SVRTcli.exe version 2.5.5
2016-07-04 17:17:11.255    Component control.dll version 2.5.5
2016-07-04 17:17:11.255    Component SVRTservice.exe version 2.5.5
2016-07-04 17:17:11.255    Component engine\osdp.dll version 1.44.1.2250
2016-07-04 17:17:11.255    Component engine\veex.dll version 3.65.0.2250
2016-07-04 17:17:11.255    Component engine\savi.dll version 9.0.1.2250
2016-07-04 17:17:11.255    Component rkdisk.dll version 1.5.30.0
2016-07-04 17:17:11.255    Version info:    Product version    2.5.5
2016-07-04 17:17:11.255    Version info:    Detection engine    3.65.0
2016-07-04 17:17:11.255    Version info:    Detection data    5.26
2016-07-04 17:17:11.255    Version info:    Build date    2016-04-05
2016-07-04 17:17:11.255    Version info:    Data files added    574
2016-07-04 17:17:11.255    Version info:    Last successful update    2016-07-04 19:17:04

2016-07-04 19:09:00.919    Could not open C:\hiberfil.sys
2016-07-04 19:09:00.921    Could not open C:\pagefile.sys
2016-07-04 19:13:41.444    Could not open C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-07-04 19:13:41.444    Could not open C:\System Volume Information\{4f110375-420a-11e6-9859-6c626d3b70c6}{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-07-04 19:13:41.444    Could not open C:\System Volume Information\{9122430d-4141-11e6-84fb-6c626d3b70c6}{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-07-04 19:13:59.009    Could not open C:\Users\Marcus\AppData\Local\Google\Chrome\User Data\Profile 1\Current Session
2016-07-04 19:13:59.010    Could not open C:\Users\Marcus\AppData\Local\Google\Chrome\User Data\Profile 1\Current Tabs
2016-07-04 19:21:25.418    Could not open C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
2016-07-04 19:21:25.418    Could not open C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
2016-07-04 19:21:26.484    Could not open C:\Windows\System32\config\COMPONENTS
2016-07-04 19:21:26.601    Could not open C:\Windows\System32\config\RegBack\DEFAULT
2016-07-04 19:21:26.605    Could not open C:\Windows\System32\config\RegBack\SAM
2016-07-04 19:21:26.607    Could not open C:\Windows\System32\config\RegBack\SECURITY
2016-07-04 19:21:26.609    Could not open C:\Windows\System32\config\RegBack\SOFTWARE
2016-07-04 19:21:26.610    Could not open C:\Windows\System32\config\RegBack\SYSTEM
2016-07-04 19:36:47.782    >>> Virus 'Troj/Agent-WFN' found in file F:\Maschine Install\Cracka\Native Instruments Kontakt 5.3.0 WiN x86x64 + Update [deepstatus][h33t][1337x]\Native Instruments Kontakt 5.3.0 WiN x86x64 VST & Standalone\N.i.K.5.3.0-CHi\RegPatch\RegPatch.exe
2016-07-04 19:36:51.029    >>> Virus 'Troj/Agent-WFN' found in file F:\Maschine Install\Cracka\Native Instruments Kontakt 5.3.0 WiN x86x64 + Update [deepstatus][h33t][1337x]\Native Instruments Kontakt 5.3.0 WiN x86x64 VST & Standalone\N.i.K.5.3.0-CHi\X64\X64 UniPatch.exe
2016-07-04 19:36:54.632    >>> Virus 'Troj/Agent-WFN' found in file F:\Maschine Install\Cracka\Native Instruments Kontakt 5.3.0 WiN x86x64 + Update [deepstatus][h33t][1337x]\Native Instruments Kontakt 5.3.0 WiN x86x64 VST & Standalone\N.i.K.5.3.0-CHi\X86\X86 UniPatch.exe
2016-07-04 19:37:03.165    >>> Virus 'Troj/Agent-WFN' found in file F:\Maschine Install\Kontakt 5 unlocked\Native Instruments Kontakt 5.3.0 WiN x86x64 + Update [deepstatus][h33t][1337x]\kontakt 5\N.i.K.5.3.0-CHi\RegPatch\RegPatch.exe
2016-07-04 19:37:06.345    >>> Virus 'Troj/Agent-WFN' found in file F:\Maschine Install\Kontakt 5 unlocked\Native Instruments Kontakt 5.3.0 WiN x86x64 + Update [deepstatus][h33t][1337x]\kontakt 5\N.i.K.5.3.0-CHi\X64\X64 UniPatch.exe
2016-07-04 19:37:09.609    >>> Virus 'Troj/Agent-WFN' found in file F:\Maschine Install\Kontakt 5 unlocked\Native Instruments Kontakt 5.3.0 WiN x86x64 + Update [deepstatus][h33t][1337x]\kontakt 5\N.i.K.5.3.0-CHi\X86\X86 UniPatch.exe
2016-07-04 19:37:29.590    >>> Virus 'Mal/Generic-S' found in file F:\Maschine Install\Working expansions\Native Instruments - Maschine Expansion Golden Kingdom HYBRID.READ.NFO [MATRiX][dada]\Golden Kindom v1.0.0\MATRiX\R2R Encryptor The Suppliers Tools\grpenc.exe
2016-07-04 19:37:29.590    >>> Virus 'Mal/Generic-S' found in file F:\Maschine Install\Working expansions\Native Instruments - Maschine Expansion Golden Kingdom HYBRID.READ.NFO [MATRiX][dada]\Golden Kindom v1.0.0\MATRiX\R2R Encryptor The Suppliers Tools\grpenc.exe
2016-07-04 19:37:29.590    >>> Virus 'Mal/Generic-S' found in file F:\Maschine Install\Working expansions\Native Instruments - Maschine Expansion Golden Kingdom HYBRID.READ.NFO [MATRiX][dada]\Golden Kindom v1.0.0\MATRiX\R2R Encryptor The Suppliers Tools\grpenc.exe
2016-07-04 19:37:40.488    >>> Virus 'Mal/Generic-S' found in file F:\Maschine Install\Working expansions\Native Instruments - Maschine Expansion Golden Kingdom HYBRID.READ.NFO [MATRiX][dada]\Golden Kindom v1.0.0\MATRiX\R2R Encryptor The Suppliers Tools\r2renc.exe
2016-07-04 19:37:40.488    >>> Virus 'Mal/Generic-S' found in file F:\Maschine Install\Working expansions\Native Instruments - Maschine Expansion Golden Kingdom HYBRID.READ.NFO [MATRiX][dada]\Golden Kindom v1.0.0\MATRiX\R2R Encryptor The Suppliers Tools\r2renc.exe
2016-07-04 19:37:40.488    >>> Virus 'Mal/Generic-S' found in file F:\Maschine Install\Working expansions\Native Instruments - Maschine Expansion Golden Kingdom HYBRID.READ.NFO [MATRiX][dada]\Golden Kindom v1.0.0\MATRiX\R2R Encryptor The Suppliers Tools\r2renc.exe
2016-07-04 19:38:03.182    >>> Virus 'Troj/Agent-WFN' found in file F:\Morphvox Pro\morphvox.pro.v4.4.9-patch.exe
2016-07-04 20:08:20.312    The following items will be cleaned up:
2016-07-04 20:08:20.312    Troj/Agent-WFN
2016-07-04 20:08:20.312    Mal/Generic-S
 

Link to post
Share on other sites

Not anything noticable at the moment, but MBAM still found a threat. I've done all the steps aswell. It's a register pup.

Malwarebytes Anti-Malware
www.malwarebytes.org

Skanningsdatum: 2016-07-06
Skanningstid: 02:46
Loggfil: 
Administratör: Ja

Version: 2.2.1.1043
Databas med skadliga program: v2016.07.05.14
Databas med rootkit: v2016.05.27.01
Licens: Utvärderingsversion
Skydd mot skadliga program: Aktiverat
Skydd mot skadliga webbplatser: Aktiverat
Självförsvar: Inaktiverat

OS: Windows 7 Service Pack 1
CPU: x64
Filsystem: NTFS
Användare: Marcus

Skanningstyp: Hotskanning
Resultat: Slutförd
Skannade objekt: 346086
Förfluten tid: 12 min, 12 sek

Minne: Aktiverat
Autostart: Aktiverat
Filsystem: Aktiverat
Arkivfiler: Aktiverat
Rootkits: Aktiverat
Heuristik: Aktiverat
PUP: Aktiverat
PUM: Aktiverat

Processer: 0
(Inga skadliga poster upptäckta)

Moduler: 0
(Inga skadliga poster upptäckta)

Registernycklar: 0
(Inga skadliga poster upptäckta)

Registervärden: 1
PUP.Optional.Youndoo, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS\{6710C780-E20E-4C49-A87D-321850ED3D7C}, , [6c06a0809dfd88ae3d573d3355adff01], 

Registerdata: 0
(Inga skadliga poster upptäckta)

Mappar: 0
(Inga skadliga poster upptäckta)

Filer: 0
(Inga skadliga poster upptäckta)

Fysiska sektorer: 0
(Inga skadliga poster upptäckta)


(end)

b5ea50d1553952797139eeab569b390b.png

Link to post
Share on other sites

Run the following to double check your system:

Go here: https://www.zemana.com/Download download and install Zemana Anti-malware. Allow a shortcut to be saved to your Desktop.. The tool will be active with a 15 day trial....

Right click on user posted image Zemana Antimalware and select "Run as Administrator"

From the GUI select "Settings"

user posted image

In the new window Select 1. Updates, when complete Select 2. Real Time Protection.

user posted image

In the next window make sure 1. all boxes are checkmarked and the action is "Quarantine" and then " 2. Select the home icon.

user posted image

In the new window select "Scan"

user posted image

When the scan completes check each found entry (if any). For "Suspicious Browser Settings" choose REPAIR for all other entries choose QUARANTINE then select the "Next" tab


The action complete window will open, from there select the "Back" tab. That will take you back to the home screen...

On that screen select the "Reports" tab. (Looks like 3 chimneys)

user posted image

On that screen select and highlite the scan details line, then select "Open Report"

user posted image

Copy and paste that log to your reply...
 
Thank you,
 
Kevin....
Link to post
Share on other sites

  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.