Pup.WinYahoo Won't Go Away


  • Root Admin

Hello @ItsBarbarino and welcome.

Please run Malwarebytes and check for updates, then run a Threat Scan and post back that log. Then proceed and run the following for me and we'll see about getting you cleaned up.

Please restart the computer first and then run the following steps and post back the logs when ready.

STEP 01
Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message.
  • When completed, make sure to re-enable your antivirus.

STEP 02

Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your Desktop.

  • Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now.
  • After reboot, the logfile will be opened. Copy its content into your next reply.

Note: Reports will be saved in your system partition, usually at C:\Adwcleaner

STEP 03
Download Sophos Free Virus Removal Tool and save it to your desktop.
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View Log file (bottom left-hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found, please confirm that result.

STEP 04
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure whether your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Additions.txt log to your reply as well.

Thanks

Ron


JRT.TXT:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.3 (04.10.2017)
Operating System: Windows 10 Home x64 
Ran by Andrew (Administrator) on Fri 06/16/2017 at  7:57:58.21
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
File System: 0 


Registry: 0 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 06/16/2017 at  7:59:30.80
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ADW Logfiles:

# AdwCleaner v6.047 - Logfile created 16/06/2017 at 08:04:39
# Updated on 19/05/2017 by Malwarebytes
# Database : 2017-06-15.1 [Server]
# Operating System : Windows 10 Home  (X64)
# Username : Andrew - ANDREWS-DESKTOP
# Running from : C:\Users\Andrew\Desktop\AdwCleaner.exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support

***** [ Services ] *****

Service Found:  DrvAgent64


***** [ Folders ] *****

No malicious folders found.


***** [ Files ] *****

File Found:  C:\WINDOWS\SysWOW64\drivers\DRVAGENT64.SYS
File Found:  C:\WINDOWS\rsrcs.dll
File Found:  C:\Users\Maggie\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_www.shopathome.com_0.localstorage
File Found:  C:\Users\Maggie\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_www.shopathome.com_0.localstorage-journal


***** [ DLL ] *****

No malicious DLLs found.


***** [ WMI ] *****

No malicious keys found.


***** [ Shortcuts ] *****

No infected shortcut found.


***** [ Scheduled Tasks ] *****

No malicious task found.


***** [ Registry ] *****

Key Found:  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C0AFC06A-6C9E-420F-AABF-B1AC7EE1F589}
Key Found:  HKCU\SOFTWARE\Classes\ChromeHTML


***** [ Web browsers ] *****

No malicious Firefox based browser items found.
Chrome pref Found:  [C:\Users\Maggie\AppData\Local\Google\Chrome\User Data\Default\Web data] - aol.com
Chrome pref Found:  [C:\Users\Maggie\AppData\Local\Google\Chrome\User Data\Default\Web data] - ask.com
Chrome pref Found:  [C:\Users\Maggie\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] - hxxps://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_dnldstr_16_07&param1=1&param2=f%3
Chrome pref Found:  [C:\Users\Maggie\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences ] - hxxps://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_dnldstr_16_07&param1=1&param2=f%

[!] You may need to disable the Chrome synchronization from your Google account in order to fully remove the malicious preferences. Please consult this Google help: https://support.google.com/chrome/answer/3097271?hl=en [!]


*************************

C:\AdwCleaner\AdwCleaner[S0].txt - [2274 Bytes] - [16/06/2017 08:04:39]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2347 Bytes] ##########

# AdwCleaner v6.047 - Logfile created 16/06/2017 at 08:06:20
# Updated on 19/05/2017 by Malwarebytes
# Database : 2017-06-15.1 [Server]
# Operating System : Windows 10 Home  (X64)
# Username : Andrew - ANDREWS-DESKTOP
# Running from : C:\Users\Andrew\Desktop\AdwCleaner.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support

***** [ Services ] *****

[-] Service deleted: DrvAgent64


***** [ Folders ] *****

***** [ Files ] *****

[-] File deleted: C:\WINDOWS\SysWOW64\drivers\DRVAGENT64.SYS
[-] File deleted: C:\WINDOWS\rsrcs.dll
[-] File deleted: C:\Users\Maggie\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_www.shopathome.com_0.localstorage
[-] File deleted: C:\Users\Maggie\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_www.shopathome.com_0.localstorage-journal


***** [ DLL ] *****

***** [ WMI ] *****

***** [ Shortcuts ] *****

***** [ Scheduled Tasks ] *****

***** [ Registry ] *****

[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C0AFC06A-6C9E-420F-AABF-B1AC7EE1F589}
[-] Key deleted: HKCU\SOFTWARE\Classes\ChromeHTML


***** [ Web browsers ] *****

[-] [C:\Users\Maggie\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: aol.com
[-] [C:\Users\Maggie\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: ask.com
[-] [C:\Users\Maggie\AppData\Local\Google\Chrome\User Data\Default] [startup_urls] Deleted: hxxps://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_dnldstr_16_07&param1=1&param2=f%3D7%26b%3DChrome%26cc%3Dus%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1QzuyCzztC0C0AtBtDtD0CyCtD0EtDtAtAyCtN0D0Tzu0StCyDtDzytN1L2XzutAtFtCzztFtCtFtDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAtC0DyB0AyBtBzytGtDzzyByBtGyDyEyEyEtGtD0DyCyBtGtDtAzzyCtAtCtDzzyC0B0AtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyBtCtCyE0AtCyE0FtG0BtBtC0EtGyE0C0BzztGzyyD0F0CtG0DtCzz0AtAtByEzzzytB0Dzz2QtN0A0LzutB%26cr%3D788581058%26a%3Dwncy_dnldstr_16_07%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome
[-] [C:\Users\Maggie\AppData\Local\Google\Chrome\User Data\Default] [homepage] Deleted: hxxps://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_dnldstr_16_07&param1=1&param2=f%3D1%26b%3DChrome%26cc%3Dus%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1QzuyCzztC0C0AtBtDtD0CyCtD0EtDtAtAyCtN0D0Tzu0StCyDtDzytN1L2XzutAtFtCzztFtCtFtDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAtC0DyB0AyBtBzytGtDzzyByBtGyDyEyEyEtGtD0DyCyBtGtDtAzzyCtAtCtDzzyC0B0AtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyBtCtCyE0AtCyE0FtG0BtBtC0EtGyE0C0BzztGzyyD0F0CtG0DtCzz0AtAtByEzzzytB0Dzz2QtN0A0LzutB%26cr%3D788581058%26a%3Dwncy_dnldstr_16_07%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome


*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [2843 Bytes] - [16/06/2017 08:06:20]
C:\AdwCleaner\AdwCleaner[S0].txt - [2426 Bytes] - [16/06/2017 08:04:39]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [2989 Bytes] ##########
Sophos Log File

2017-06-16 12:12:34.589    Sophos Virus Removal Tool version 2.6.0
2017-06-16 12:12:34.589    Copyright (c) 2009-2017 Sophos Limited. All rights reserved.

2017-06-16 12:12:34.589    This tool will scan your computer for viruses and other threats. If it finds any, it will give you the option to remove them.

2017-06-16 12:12:34.589    Windows version 6.2 SP 0.0  build 9200 SM=0x300 PT=0x1 WOW64
2017-06-16 12:12:34.589    Checking for updates...
2017-06-16 12:12:34.698    Update progress: proxy server not available
2017-06-16 12:12:41.855    Option all = no
2017-06-16 12:12:41.855    Option recurse = yes
2017-06-16 12:12:42.136    Option archive = no
2017-06-16 12:12:42.136    Option service = yes
2017-06-16 12:12:42.136    Option confirm = yes
2017-06-16 12:12:42.136    Option sxl = yes
2017-06-16 12:12:42.136    Option max-data-age = 35
2017-06-16 12:12:42.136    Option vdl-logging = yes
2017-06-16 12:12:42.136    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2017-06-16 12:12:42.136    Machine ID:    2fe2f7e3b7404b97930a48b95b7077b0
2017-06-16 12:12:42.136    Component SVRTcli.exe version 2.6.0
2017-06-16 12:12:42.136    Component control.dll version 2.6.0
2017-06-16 12:12:42.136    Component SVRTservice.exe version 2.6.0
2017-06-16 12:12:42.136    Component engine\osdp.dll version 1.44.1.2285
2017-06-16 12:12:42.136    Component engine\veex.dll version 3.68.5.2285
2017-06-16 12:12:42.136    Component engine\savi.dll version 9.0.7.2285
2017-06-16 12:12:42.136    Component rkdisk.dll version 1.5.31.1
2017-06-16 12:12:42.136    Version info:    Product version    2.6.0
2017-06-16 12:12:42.136    Version info:    Detection engine    3.68.5
2017-06-16 12:12:42.136    Version info:    Detection data    5.39
2017-06-16 12:12:42.136    Version info:    Build date    5/2/2017
2017-06-16 12:12:42.136    Version info:    Data files added    346
2017-06-16 12:12:42.136    Version info:    Last successful update    (not yet updated)
2017-06-16 12:12:49.644    Downloading updates...
2017-06-16 12:12:49.644    Update progress: [I96736] sdds.svrt_10: adding primary package C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED baseVersion=1
2017-06-16 12:12:49.644    Update progress: [I95020] sdds.svrt_10: looking for packages included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
2017-06-16 12:12:49.644    Update progress: [I22529] sdds.svrt_10: looking for supplements included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
2017-06-16 12:12:49.644    Update progress: [I49502] sdds.savi0910.xml: found supplement SAVIW32 LATEST path= baseVersion= [included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=]
2017-06-16 12:12:49.644    Update progress: [I95020] sdds.savi0910.xml: looking for packages included from product SAVIW32 LATEST path=
2017-06-16 12:12:49.644    Update progress: [I22529] sdds.savi0910.xml: looking for supplements included from product SAVIW32 LATEST path=
2017-06-16 12:12:49.644    Update progress: [I49502] sdds.data0910.xml: found supplement IDE540 LATEST path= baseVersion= [included from product SAVIW32 LATEST path=]
2017-06-16 12:12:49.644    Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE540 LATEST path=
2017-06-16 12:12:49.644    Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE540 LATEST path=
2017-06-16 12:12:49.644    Update progress: [I49502] sdds.data0910.xml: found supplement IDE541 LATEST path= baseVersion= [included from product IDE540 LATEST path=]
2017-06-16 12:12:49.644    Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE541 LATEST path=
2017-06-16 12:12:49.644    Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE541 LATEST path=
2017-06-16 12:12:49.644    Update progress: [I49502] sdds.data0910.xml: found supplement IDE542 LATEST path= baseVersion= [included from product IDE541 LATEST path=]
2017-06-16 12:12:49.644    Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE542 LATEST path=
2017-06-16 12:12:49.644    Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE542 LATEST path=
2017-06-16 12:12:49.644    Update progress: [I49502] sdds.data0910.xml: found supplement IDE543 LATEST path= baseVersion= [included from product IDE542 LATEST path=]
2017-06-16 12:12:49.644    Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE543 LATEST path=
2017-06-16 12:12:49.644    Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE543 LATEST path=
2017-06-16 12:12:49.644    Update progress: [I19463] Syncing product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
2017-06-16 12:12:49.738    Update progress: [I19463] Syncing product SAVIW32 LATEST path=
2017-06-16 12:12:49.738    Update progress: [I19463] Product download size 165113825 bytes
2017-06-16 12:13:16.340    Update progress: [I19463] Syncing product IDE540 LATEST path=
2017-06-16 12:13:16.340    Update progress: [I19463] Product download size 1784068 bytes
2017-06-16 12:13:17.278    Update progress: [I19463] Syncing product IDE541 LATEST path=
2017-06-16 12:13:17.278    Update progress: [I19463] Product download size 2265483 bytes
2017-06-16 12:13:18.833    Update progress: [I19463] Syncing product IDE542 LATEST path=
2017-06-16 12:13:18.833    Update progress: [I19463] Product download size 1154946 bytes
2017-06-16 12:13:19.130    Update progress: [I19463] Syncing product IDE543 LATEST path=
2017-06-16 12:13:20.142    Installing updates...
2017-06-16 12:13:20.767    Error level 1
2017-06-16 12:13:30.615    Update successful
2017-06-16 12:13:40.241    Option all = no
2017-06-16 12:13:40.241    Option recurse = yes
2017-06-16 12:13:40.241    Option archive = no
2017-06-16 12:13:40.241    Option service = yes
2017-06-16 12:13:40.241    Option confirm = yes
2017-06-16 12:13:40.241    Option sxl = yes
2017-06-16 12:13:40.241    Option max-data-age = 35
2017-06-16 12:13:40.241    Option vdl-logging = yes
2017-06-16 12:13:40.256    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2017-06-16 12:13:40.256    Machine ID:    2fe2f7e3b7404b97930a48b95b7077b0
2017-06-16 12:13:40.256    Component SVRTcli.exe version 2.6.0
2017-06-16 12:13:40.256    Component control.dll version 2.6.0
2017-06-16 12:13:40.256    Component SVRTservice.exe version 2.6.0
2017-06-16 12:13:40.256    Component engine\osdp.dll version 1.44.1.2285
2017-06-16 12:13:40.256    Component engine\veex.dll version 3.68.5.2285
2017-06-16 12:13:40.256    Component engine\savi.dll version 9.0.7.2285
2017-06-16 12:13:40.256    Component rkdisk.dll version 1.5.31.1
2017-06-16 12:13:40.256    Version info:    Product version    2.6.0
2017-06-16 12:13:40.256    Version info:    Detection engine    3.68.5
2017-06-16 12:13:40.256    Version info:    Detection data    5.39
2017-06-16 12:13:40.256    Version info:    Build date    5/2/2017
2017-06-16 12:13:40.256    Version info:    Data files added    346
2017-06-16 12:13:40.256    Version info:    Last successful update    6/16/2017 8:13:30 AM

2017-06-16 15:42:17.633    Could not open C:\hiberfil.sys
2017-06-16 15:42:17.643    Could not open C:\pagefile.sys
2017-06-16 15:53:27.049    Could not open C:\swapfile.sys
2017-06-16 15:53:27.539    Could not open C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
2017-06-16 15:53:27.539    Could not open C:\System Volume Information\{78531a22-5097-11e7-b0d8-60a44c626fb9}{3808876b-c176-4e48-b7ae-04046e6cc752}
2017-06-16 15:53:27.539    Could not open C:\System Volume Information\{78531a5e-5097-11e7-b0d8-60a44c626fb9}{3808876b-c176-4e48-b7ae-04046e6cc752}
2017-06-16 15:53:27.540    Could not open C:\System Volume Information\{79fa6a33-4a72-11e7-b0d6-60a44c626fb9}{3808876b-c176-4e48-b7ae-04046e6cc752}
2017-06-16 15:53:27.540    Could not open C:\System Volume Information\{b6de9b66-51c2-11e7-b0da-60a44c626fb9}{3808876b-c176-4e48-b7ae-04046e6cc752}
2017-06-16 15:53:27.540    Could not open C:\System Volume Information\{d7ee2c67-44d4-11e7-b0d5-60a44c626fb9}{3808876b-c176-4e48-b7ae-04046e6cc752}
2017-06-16 15:54:38.545    >>> Virus 'Mal/VMProtBad-A' found in file C:\Torrents\Torrent Dump\Andrew\DAEMON Tools Pro Advanced v5.2.0. 0348 Including Crack [h33t][iahq76]\Crack\BRD.dll
2017-06-16 15:58:31.211    Could not open C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Current Session
2017-06-16 15:58:31.212    Could not open C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Current Tabs
2017-06-16 17:15:14.091    Could not open C:\WINDOWS\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
2017-06-16 17:15:14.091    Could not open C:\WINDOWS\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
2017-06-16 17:15:18.381    Could not open C:\WINDOWS\System32\config\BBI
2017-06-16 17:15:18.592    Could not open C:\WINDOWS\System32\config\RegBack\DEFAULT
2017-06-16 17:15:18.596    Could not open C:\WINDOWS\System32\config\RegBack\SAM
2017-06-16 17:15:18.598    Could not open C:\WINDOWS\System32\config\RegBack\SECURITY
2017-06-16 17:15:18.599    Could not open C:\WINDOWS\System32\config\RegBack\SOFTWARE
2017-06-16 17:15:18.601    Could not open C:\WINDOWS\System32\config\RegBack\SYSTEM
2017-06-16 17:31:13.164    >>> Virus 'Mal/VMProtBad-A' found in file C:\zoek_backup\C_PROGRA~2_DAEMON Tools Pro\BRD.dll
2017-06-16 17:31:17.593    Could not open LOGICAL:0003:00000000
2017-06-16 17:31:17.594    Could not open D:\
2017-06-16 17:31:18.254    The following items will be cleaned up:
2017-06-16 17:31:18.254    Mal/VMProtBad-A
JRT.txt

AdwCleaner[C0].txt

AdwCleaner[S0].txt

SophosVirusRemovalTool616.log

Addition.txt

FRST.txt


To my knowledge, yes. Chrome is our main browser and I use the computer for work, so it's almost always open. I tried uninstalling and reinstalling Chrome and it is still detected. I also suspect it is making Chrome eat up a lot of CPU while running, though I don't know.

Malwarebytes detects it always in the same folder, under my wife's username, in the Chrome App Data folder. Just had another scan run 2 hours ago and it wasn't detected; don't know if it's been eradicated or if Malwarebytes missed it due to quarantine.


  • Root Admin

Well, in most cases an uninstall of Chrome does not remove many of these types of redirects. If Sync was not deleted, it returns. If it's sitting in one of the Chrome settings, it returns. It needs a good solid clean removal in some cases. If that is the case, I can help you with that. Reboot the computer a couple of times, let your wife log in and use Chrome some. Then let me know if it returns or not, and we'll look at doing a manual clean removal of Chrome if needed.

Thanks

Ron

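Ron's point above is that the redirect lives in Chrome's own settings (homepage, startup pages, search providers) and comes back through Sync. The following is an added check, not code from the thread or from Malwarebytes: it reads a Chrome preference file and flags the same kinds of entries AdwCleaner reported in the logs. The preference key names (`homepage`, `session.startup_urls`, `default_search_provider_data.template_url_data`) follow Chrome's preference layout as I know it, and the sample file content is constructed to mirror the AdwCleaner findings.

```python
"""Audit a Chrome profile's preference file for hijacked homepage,
startup URLs and default search provider (added example, assumes the
Chrome preference keys named below)."""
import json
from urllib.parse import urlparse, parse_qs

# Hosted-search partner parameters present in the redirect URL from the
# AdwCleaner log; legitimate yahoo.com searches do not carry them.
HOSTED_SEARCH_KEYS = {"hspart", "hsimp"}
# Search-provider hosts AdwCleaner removed from the profile's Web data.
SUSPECT_HOSTS = {"ask.com", "aol.com"}


def looks_hijacked(url: str) -> bool:
    """True when a URL points at a hosted-search partner redirect or at one
    of the search providers the cleaner removed."""
    parts = urlparse(url)
    host = parts.netloc.lower()
    if any(host == h or host.endswith("." + h) for h in SUSPECT_HOSTS):
        return True
    return bool(HOSTED_SEARCH_KEYS & parse_qs(parts.query).keys())


def audit_prefs(prefs: dict) -> list:
    """Return (setting, value) pairs that look hijacked."""
    findings = []
    homepage = prefs.get("homepage", "")
    if homepage and looks_hijacked(homepage):
        findings.append(("homepage", homepage))
    for url in prefs.get("session", {}).get("startup_urls", []):
        if looks_hijacked(url):
            findings.append(("startup_urls", url))
    tmpl = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    search_url = tmpl.get("url", "")
    if search_url and looks_hijacked(search_url):
        findings.append(("default_search_provider", search_url))
    return findings


def audit_file(path: str) -> list:
    """Load a Chrome 'Preferences' or 'Secure Preferences' JSON file (read only;
    Chrome protects the latter with a MAC, so never edit it by hand) and audit it."""
    with open(path, encoding="utf-8") as fh:
        return audit_prefs(json.load(fh))


# Constructed sample mirroring the thread's AdwCleaner findings.
HIJACK_URL = ("https://us.search.yahoo.com/yhs/web?hspart=iry"
              "&hsimp=yhs-fullyhosted_003&type=wncy_dnldstr_16_07&param1=1")
SAMPLE_PREFS = {
    "homepage": HIJACK_URL,
    "session": {"startup_urls": [HIJACK_URL, "https://www.example.com/"]},
    "default_search_provider_data": {
        "template_url_data": {"keyword": "ask.com",
                              "url": "https://www.ask.com/web?q={searchTerms}"}},
}

if __name__ == "__main__":
    for setting, value in audit_prefs(SAMPLE_PREFS):
        print(f"[!] {setting}: {value}")
```

Run it against a real profile with `audit_file(r"C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences")` after the cleanup and again after the next Sync to see whether the entries are being restored.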

This topic is now closed to further replies.