
Yontoo keeps reappearing after quarantine


Purvis


The title says it, really. I run Malwarebytes, it finds three instances of Yontoo, I quarantine them and restart, run it again, and there they are.

I've done a full MSE scan, got nothing. Done a Spybot scan, just got a bunch of niggling little low-level threats it deems not very important.

I am not sure what Malwarebytes report you want, before or after, so I included both. I hope they're the right ones, otherwise I'll need to be directed where to find the right ones...

FRST.txt

Addition.txt

zzz Malawarebytes Nov 26 2017.txt

zzz Malawarebytes Nov 26b 2017.txt


Hello Purvis and welcome to Malwarebytes,

Follow the instructions in this link to clear your current problem: https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/

Be aware there are two posts in that thread; if the first instruction does not help, move on to the second....

Let me know if the issue is cleared...

Thank you,

Kevin...

I tried turning off Chrome and doing a scan and quarantine, but after doing a quarantine, restart and scanning again (I did not open Chrome till the scan was done), the three instances of Yontoo were still there.

Looking at the next step, I don't seem to have any options to mess with sync at all. I don't actually log into chrome, though, so perhaps there is no syncing there to be an issue? I'm not sure if I even have an account to log into chrome to start with? Should I skip that part and move onto the next step, or what?

 

Edit: Also, thanks for getting to me. Sorry to have neglected that.

Edit edit: In fact, here is where I went to look for sync stuff, maybe I am dumber than I thought and went to the wrong place?

scranshoot.png


Run the following and post its log..

Download RogueKiller and save it on your desktop, ensure to download correct version..

RogueKiller (X86)

RogueKiller (x64)
 
  • Exit all running applications.
  • Double-click on RogueKiller.exe to launch the tool. On its first execution, RogueKiller will display the software license (EULA); click on "Accept" to continue.
  • If RogueKiller is unable to load, do not hesitate to try launching it several times or rename it winlogon.
  • Click "Start Scan" to begin the analysis. This may take some time.
  • Once the scan is complete, click the "Open TXT" button to display the scan report.
  • Copy/paste its content in your next reply.


Do not use the Remove Selected option until I've had a look at the log..

I think this is what you want. I went out for a walk after closing everything and setting it to run, and when I came back it had opened Chrome to yell at me about PUP removal. I assume this didn't break things? I'm hoping I used the right version...

Anyways, the log:  

RogueKiller V12.11.25.0 (x64) [Nov 20 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Purvis [Administrator]
Started from : C:\Users\Purvis\Desktop\RogueKiller_portable64.exe
Mode : Scan -- Date : 11/26/2017 15:59:39 (Duration : 00:30:24)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 2 ¤¤¤
[PUP.Gen1][Folder] C:\ProgramData\APN -> Found
[PUP.Gen1][Folder] C:\ProgramData\APN -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 [Too big!] ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD10 EZEX-00BN5A0 SATA Disk Device +++++
--- User ---
[MBR] e09039ce3f7a28b4c473b4408ca42b23
[BSP] 3ab186ac5685b64784b27b1772dd6e83 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 953767 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK


Hiya Purvis,

Yes, you've run the correct version of RK, and I do not believe you've broken anything... Continue please:

Run RogueKiller again....

  • Wait for the scan to complete
  • On completion, the results will be displayed
  • Checkmark all found entries then click on the Remove Selected button
  • On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
  • This will open the report in Notepad. Copy/paste its content in your next reply....


Next,

Please download Zemana AntiMalware and save it to your Desktop.
 
  • Install the program and once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.
    Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please re-boot your computer manually.
     
  • Open Zemana AntiMalware again.
  • Click on the [image] icon and double-click the latest report.
  • Now click File > Save As and choose your Desktop before pressing Save.
  • Attach saved report in your next message.

Let me see those two logs, also let me know if the Chrome issue is cleared...

Thank you,

Kevin


Did both scans, in the order suggested, followed instructions about as well as I could. Found one bit of oddness from the second scan hiding in a folder full of stuff from my old computer from about two years ago which is largely untouched (that folder in particular, I don't think, has ever been touched on this computer).

Tried to remove yontoo afterwards, restarted to finish, scanned again, and the three are still there.

rk_6BA1.tmp.txt

2017.11.26-17.32.49-i0-t92-d1.txt


Hello Purvis,

Run FRST one more time; ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan". Select Scan; when done, post the new logs, "FRST.txt" and "Addition.txt".

Run FRST again:

Type the following in the edit box after "Search:".

*Yontoo*

Click Search Registry button and post the log (Search.txt) it makes to your reply.

Thank you,

Kevin


20 hours ago, Purvis said:

Here are the new scans. FRST wanted to overwrite the originals, but I figured that may not have been a good idea so I made these separate. Also I've learned Discord may have been running in the background in one or more of those previous scans; it seems shutting the window didn't shut it off like it does most other things...

 

Addition1.txt

FRST1.txt

SearchReg.txt


I believe the best way forward with this Chrome issue is to make a clean install, follow these instructions...

If your Chrome Bookmarks are important do this first:

Go to this link: http://www.wikihow.com/Export-Bookmarks-from-Chrome follow the instructions and Export your Bookmarks from Chrome, save to your Desktop or similar. Note the instructions can also be used to Import the bookmarks.....

Continue for a clean install:

Download Chrome installer and save to install later: https://www.google.com/intl/en_uk/chrome/browser/desktop/index.html https://www.google.com/intl/en_usa/chrome/browser/desktop/index.html

Remove all synced data from Chrome, go here: https://support.google.com/chrome/answer/6386691?hl=en-GB follow those instructions... It is essential that any/all synced data is removed when the browser is hijacked or exploited in any way...

Uninstall Chrome: https://support.google.com/chrome/answer/95319?hl=en-GB follow those instructions, ensure the option to "Also delete your browsing data" is selected. <<--- Very important!!

Navigate to C:\Users\Your user name\Appdata\Local from that folder delete the folder named Google (you will need to show hidden files/folders to see the folder Appdata)

For XP that will be My Computer > C:\ Documents and Settings\Your User Name\Application Data\Roaming

How to show hidden files and folders for windows: http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/

Install Google Chrome:

Install Adblock Plus to Chrome: https://chrome.google.com/webstore/detail/adblock-plus/cfhdojbkjhnklbpkdaibdccddilifddb

Install DrWeb Anti-virus Link Checker: https://chrome.google.com/webstore/detail/drweb-anti-virus-link-che/aleggpabliehgbeagmfhnodcijcmbonb?hl=en

Does that help...?

 

 

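Before wiping the Google folder as described in the steps above, it helps to know what is actually in the profile that keeps being re-detected. The following PowerShell script is an added example, not code from the thread or from Malwarebytes: it copies each Chrome profile's raw Bookmarks file to the Desktop (a belt-and-braces backup next to the UI export above) and lists every extension recorded in the profile's "Preferences" and "Secure Preferences" files, which is where an unwanted extension entry survives a quarantine. The user-data path, the profile folder names and the extensions.settings JSON layout are assumptions from my own knowledge of Chrome, not facts stated in the thread. The script is read-only apart from the bookmark copy.

```powershell
# Added example (not from the thread): inventory Chrome profiles before the clean reinstall.
# Assumptions (not stated in the thread): Chrome keeps per-user data under
# %LOCALAPPDATA%\Google\Chrome\User Data, each profile folder ("Default", "Profile N")
# holds JSON files "Preferences" and "Secure Preferences", and installed extensions
# are recorded under extensions.settings.<extension id> in those files.

$userData = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'
if (-not (Test-Path $userData)) {
    Write-Warning "No Chrome user data found at $userData"
    return
}

# Where the raw Bookmarks copies go; created if missing.
$backupDir = Join-Path ([Environment]::GetFolderPath('Desktop')) 'chrome-backup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

$profiles = Get-ChildItem -Path $userData -Directory |
    Where-Object { $_.Name -eq 'Default' -or $_.Name -like 'Profile *' }

$rows = foreach ($profile in $profiles) {

    # 1. Keep a copy of the bookmarks file so nothing is lost when the Google folder is deleted.
    $bookmarks = Join-Path $profile.FullName 'Bookmarks'
    if (Test-Path $bookmarks) {
        Copy-Item -Path $bookmarks -Destination (Join-Path $backupDir "$($profile.Name)-Bookmarks.json") -Force
    }

    # 2. Enumerate extension entries from both preference files.
    foreach ($prefName in 'Preferences', 'Secure Preferences') {
        $prefPath = Join-Path $profile.FullName $prefName
        if (-not (Test-Path $prefPath)) { continue }

        $json = Get-Content -Path $prefPath -Raw -Encoding UTF8 | ConvertFrom-Json
        $settings = $json.extensions.settings
        if ($null -eq $settings) { continue }

        foreach ($id in $settings.PSObject.Properties.Name) {
            $ext = $settings.$id
            [pscustomobject]@{
                Profile     = $profile.Name
                File        = $prefName
                ExtensionId = $id
                Name        = if ($ext.manifest) { $ext.manifest.name } else { '(no manifest)' }
                FromStore   = [bool]$ext.from_webstore      # false = side-loaded / not from the Web Store
                State       = $ext.state                    # 1 = enabled in Chrome's bookkeeping
                Location    = $ext.location
            }
        }
    }
}

# One line per extension entry; compare this list against what the scanner flags.
$rows | Sort-Object Profile, ExtensionId | Format-Table -AutoSize
Write-Host "Bookmark copies written to $backupDir"
```

Run it from a normal PowerShell window with Chrome closed so the preference files are not mid-write. An extension that is listed with FromStore false, or one you do not recognise, is the entry to take to the forum helper; the script does not delete anything, the removal stays with the uninstall and folder-deletion steps above.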

I am not sure what I am supposed to be doing with regards to dealing with synched data?

It sends me here:  https://support.google.com/chrome/answer/165139?hl=en-GB&visit_id=1-636474243401342501-866151747&rd=1 And this doesn't seem to say much on the topic? Maybe I am too dumb to see it? As far as I know, I never logged onto Chrome to start with, though.

And just to be sure, once I've reinstalled, run Malawarebytes again, remove any yontoo instances, then restart and see if they came back? Or should they be gone entirely and nothing will be detected after this, assuming it works?


Okay. I'm going to be dense here, please accept my apologies.

I followed that link, and it told me to go to https://www.google.com/dashboard/
When I do that, it takes me instead to https://myaccount.google.com/dashboard

And it directs me to look for this:  sshot-10.png 

And I can't find anything like that. I've tried clicking around a little bit, and haven't seen anything talking about Chrome sync, let alone undoing anything like that. I'm not sure what I'm missing here. =[

Is the article out of date, perhaps? I note it's like five and a half years old.


No, you are not dense in any way, this is another mistake by me. I do not use Chrome so am not that familiar with its set up... I've installed it now so can give you better instruction to clear all synced data (hopefully)

Open Chrome and sign into your account, open a new tab and type or copy paste chrome://settings/syncSetup hit enter...

In the new window that opens "Sync everything" will probably be selected, scroll down to and select "Manage sync data on Google Dashboard"

A new window will open, scroll down to and select "Reset Sync" that will clear synced data from Google Server...

Continue to next step to completely Uninstall Chrome.... and continue...

I don't think I have an account? Certainly never one I've signed into, at least?

It does note my gmail, though? But like there's no little thinger in the upper right corner that mentions any account being signed in. (I specifically never intended to sign in just because I never saw a need for it...)


If you have synced data saved to Google servers then you must have an account, that is my understanding. To access and remove such data you must be logged in...

Try the following without trying to sign in:

Open Chrome, open a new tab, copy/paste this to the address bar chrome://settings/syncSetup hit the enter key.

A new window will open, Select > "Manage synced data on Google dashboard" if you have an account it should be listed


Thankfully, it seemed happy with just my gmail password.

Anyways, did all that, reinstalled Chrome, put in Adblock and the link checker (I didn't know that latter one existed; useful!), and Malwarebytes doesn't seem to detect any Yontoo. Hopefully it'll stay that way.

Anything else that needs to be done?

