Unidirectional Posted April 24, 2019 ID:1309421

Hello,

So a couple of weeks ago I downloaded an unsafe torrent and got a virus. While I initially thought I got it fixed, yesterday I ran MWB and was informed my computer was infected with Trojan.Yelloader. I quarantined it and then restarted the PC as prompted. But after running a second scan, it seems like MWB was unable to delete. How can I get this off of my PC?

Thank you,
Unidirectional
Unidirectional (Author) Posted April 24, 2019 ID:1309422

I'd like to request help if possible.
Unidirectional (Author) Posted April 24, 2019 ID:1309437

Here are the text report files:

Threat Scan Report.txt
FRST.txt
Addition.txt
AdvancedSetup (Root Admin) Posted April 25, 2019 ID:1309461

Hello @Unidirectional

Yes, this rootkit requires a special method to remove.

For the next part, you'll need to download the FRST executable on a clean computer and move it onto your USB Flash Drive. That USB can only be inserted in the infected computer if it is either shut down or in the Windows RE (Recovery Environment). Otherwise, the infection will mess with the files on the USB and you'll have to restart all over again.

Farbar Recovery Scan Tool (FRST) - Recovery Environment Scan

Follow the instructions below to download and execute a scan on your system with FRST from the Recovery Environment, and provide the logs in your next reply.

Item(s) required:

- USB Flash Drive (size depends on if you have to create a USB Recovery or Installation media)
- Another computer (clean of infection)
- CD/DVD (optional: only needed if you need to create a Recovery or Installation media and your USB Flash Drive is too small)

Preparing the USB Flash Drive

- Download the right version of FRST for your system from a clean computer:
  - FRST 32-bit
  - FRST 64-bit
  Note: Only the right version will run on your system, the other will throw an error message. So if you don't know what your system's version is, simply download both of them, and the one that works is the one you should be using.
- Move the executable (FRST.exe or FRST64.exe) onto your USB Flash Drive

Boot into the Recovery Environment

- To enter the Recovery Environment with Windows Vista and Windows 7, follow the instructions below:
  - Restart the computer
  - Once you've seen your BIOS splash screen (the computer manufacturer logo), tap the F8 key repeatedly until the Advanced Boot Options menu appears
  - Use the arrow keys to select Repair your computer, and press Enter
  - Select your keyboard layout (US, French, etc.) and click on Next
  - Click on Command Prompt to open the command prompt
  Note: If you can't access the Recovery Environment using the F8 method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on SevenForums.
- To enter the Recovery Environment with Windows 8 or Windows 8.1, follow the instructions in this tutorial on EightForums
  Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial.
- To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums
  Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on TenForums.
- Once in the Windows RE, plug the USB Flash Drive into the computer

Once in the command prompt

- In the command prompt, type notepad and press Enter
- Notepad will open. Click on the File menu and select Open
- Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad
- In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe) and press Enter
  Note: Replace the letter e with the drive letter of your USB Flash Drive
- FRST will open
- Click on Yes to accept the disclaimer
- Click on the Scan button and wait for the scan to complete
- A log called FRST.txt will be saved on your USB Flash Drive. Attach it in your next reply

Thanks
Ron
Unidirectional (Author) Posted April 25, 2019 ID:1309608

Here you go:

FRST.txt
AdvancedSetup (Root Admin) Posted April 25, 2019 ID:1309678

Please try this again. The log indicates it did not work. If the USB was inserted before the Recovery point then it cannot fix it.

Format the USB stick from a clean computer and try again
Unidirectional (Author) Posted April 25, 2019 ID:1309691

Sorry about that, hopefully I did it right this time. I waited until the command prompt to put it in this time. But I noticed that in the log there is a note that says if the system is bootable I must run FRST in either normal or safe mode. Should I try to run FRST in safe mode instead of recovery mode since my system is bootable?

FRST.txt
AdvancedSetup (Root Admin) Posted April 25, 2019 ID:1309693

No, from Recovery only. Let me do some research and see what's going on. If you've followed directions exactly and the drive was never inserted under Safe or Normal mode then it normally repairs on its own.

I'll get back to you a bit later after researching
Unidirectional (Author) Posted April 25, 2019 ID:1309694

Okay, thank you so much!
AdvancedSetup (Root Admin) Posted April 25, 2019 ID:1309697

Okay, looks like we may need to take a slightly different approach.

Do you have another Clean computer you're using?

Please save this file to the USB drive too and use it to run a fix

Please download the attached fixlist.txt file and save it to the USB stick, from a clean computer.

NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.

The tool will make a log on the same location as FRST named (Fixlog.txt). Please attach or post it to your next reply.

fixlist.txt

Ron
Unidirectional (Author) Posted April 25, 2019 ID:1309699

Yes I have another clean computer I'm using, scanned it with MWB and Avast to make sure and both came up as negative for anything. But also, I ran MWB on the original computer and it said no threats were detected. Also, a folder labeled UPECHMRH was where the .exe's were (Both .exe names were UPECHMRH.exe and VDSUHNA.exe). After MWB said it did not detect any threats, I went to the folder and was able to access them (previously I wasn't able to with this folder and a couple more folders) and delete them. After that I ran RKILL. Also here is the fixlog text.

Fixlog.txt
AdvancedSetup (Root Admin) Posted April 25, 2019 ID:1309701

Okay, please go ahead and reboot the computer into Normal Mode and run the following fix. If FRST won't run or the Fix won't run please let me know.

Please download the attached fixlist.txt file and save it to the Desktop.

NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.

If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

This will run some other repair fixes and reboot. After the reboot please run FRST again and ensure that Additions.txt is also checked and post back new logs for them.

So, you should be posting back 3 logs.

- Fixlog.txt
- FRST.txt
- Additions.txt
Unidirectional (Author) Posted April 26, 2019 ID:1309708

Here you go.

Addition.txt
Fixlog.txt
FRST.txt
AdvancedSetup (Root Admin) Posted April 26, 2019 ID:1309710

So far so good. Let me have you run the following using another antivirus scanner to verify if they're able to find anything or not just to make sure.

Please download and run the following Kaspersky antivirus scanner to remove any found threats

Kaspersky Virus Removal Tool

Let me know if it finds anything or not
AdvancedSetup (Root Admin) Posted April 26, 2019 ID:1309717

Heading home, will check back on you again in a couple hours though
Unidirectional (Author) Posted April 26, 2019 ID:1309718

Thank you, the antivirus you provided is still scanning finals but it says it did detect 1 object and also while running the antivirus Windows Defender popped up and said it detected a couple threats. Names of them are Trojan:Win32/Occamy.C, Trojan:Win32/SquareNet.Q, and Trojan:Win64/Detrahere.S
AdvancedSetup (Root Admin) Posted April 26, 2019 ID:1309719

Okay, please try to get the logs if you can, if not maybe take a picture with your phone to share if needed.
Unidirectional (Author) Posted April 26, 2019 ID:1309721

Would you like me to get logs for Kaspersky or Windows Defender? I'm not sure how to do either, sorry. Also, Kaspersky is still scanning.
Unidirectional (Author) Posted April 26, 2019 ID:1309726

This is the best I can do
Unidirectional (Author) Posted April 26, 2019 ID:1309731

I would also like to let you know that I didn't save the fixlist.txt file to my desktop but to my USB and ran it there. Should I try again but this time save fixlist.txt and FRST to the desktop?
Unidirectional (Author) Posted April 26, 2019 ID:1309732

Also, once FRST reset the PC and I let it boot normally, FRST did not reopen or anything.
AdvancedSetup (Root Admin) Posted April 26, 2019 ID:1309734

The detections were from items that FRST removed. Has Kaspersky completed?

Running it from the USB is okay but should really be run from your Desktop if possible or at least your C drive.
Unidirectional (Author) Posted April 26, 2019 ID:1309735

Kaspersky has finished and it looks like they weren't viruses but I deleted everything related to the items just in case anyways. But Windows Defender said again there was a threat detected. The second photo is of the latest one.
AdvancedSetup (Root Admin) Posted April 26, 2019 ID:1309757

Please go ahead and run all the scans again and post back new logs. We should be pretty close to being done

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

- If you're already running Malwarebytes 3 then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
- If you don't have Malwarebytes 3 installed yet please download it from here and install it.
- Once installed then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
- Once the scan is completed click on the Export Summary button and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
- If Malwarebytes won't run then please skip to the next step and let me know on your next reply.

STEP 02

- Please download AdwCleaner by Malwarebytes and save the file to your Desktop.
- Right-click on the program and select Run as Administrator to start the tool.
- Accept the Terms of use.
- Wait until the database is updated.
- Click Scan Now.
- When finished, please click Clean & Repair.
- Your PC should reboot now if any items were found.
- After reboot, a log file will be opened. Copy its content into your next reply.

RESTART THE COMPUTER Before running Step 3

STEP 03

Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

- Double-click to run it. When the tool opens, click Yes to disclaimer.
- Press the Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
- The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
- Please attach the Additions.txt log to your reply as well.

Thanks
Ron
Unidirectional (Author) Posted April 26, 2019 ID:1309791

Here you go.

AdwCleaner[C05].txt
yup.txt
FRST.txt
Addition.txt