Unidirectional

MWB is unable to delete yelloader trojan

Hello, 

So a couple of weeks ago I downloaded an unsafe torrent and got a virus. While I initially thought I got it fixed, yesterday I ran MWB and was informed my computer was infected with Trojan.Yelloader. I quarantined it and then restarted the PC as prompted. But after running a second scan, it seems like MWB was unable to delete. How can I get this off of my PC? 

Thank you,

Unidirectional

Hello @Unidirectional and welcome!

Yes, this rootkit requires a special method to remove.

For the next part, you'll need to download the FRST executable on a clean computer and move it onto your USB Flash Drive. That USB can only be inserted in the infected computer if it is either shut down or in the Windows RE (Recovery Environment). Otherwise, the infection will mess with the files on the USB and you'll have to restart all over again.

Farbar Recovery Scan Tool (FRST) - Recovery Environment Scan
Follow the instructions below to download and execute a scan on your system with FRST from the Recovery Environment, and provide the logs in your next reply.

Item(s) required:

  • USB Flash Drive (size depends on if you have to create a USB Recovery or Installation media)
  • Another computer (clean of infection)
  • CD/DVD (optional: only needed if you need to create a Recovery or Installation media and your USB Flash Drive is too small)

Preparing the USB Flash Drive

  • Download the right version of FRST for your system from a clean computer:
    • FRST 32-bit
    • FRST 64-bit
      Note: Only the right version will run on your system, the other will throw an error message. So if you don't know what your system's version is, simply download both of them, and the one that works is the one you should be using.
  • Move the executable (FRST.exe or FRST64.exe) onto your USB Flash Drive

Boot into the Recovery Environment

  • To enter the Recovery Environment with Windows Vista and Windows 7, follow the instructions below:
    • Restart the computer
    • Once you've seen your BIOS splash screen (the computer manufacturer logo), tap the F8 key repeatedly until the Advanced Boot Options menu appears
  • Use the arrow keys to select Repair your computer, and press Enter
    • Select your keyboard layout (US, French, etc.) and click on Next
    • Click on Command Prompt to open the command prompt
      Note: If you can't access the Recovery Environment using the F8 method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on SevenForums.
  • To enter the Recovery Environment with Windows 8 or Windows 8.1, follow the instructions in this tutorial on EightForums
    Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial.
  • To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums
    Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on TenForums.
  • Once in the Windows RE, plug the USB Flash Drive into the computer

Once in the command prompt

  • In the command prompt, type notepad and press Enter
  • Notepad will open. Click on the File menu and select Open
  • Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad
  • In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe) and press Enter
    Note: Replace the letter e with the drive letter of your USB Flash Drive
  • FRST will open
  • Click on Yes to accept the disclaimer
  • Click on the Scan button and wait for the scan to complete
  • A log called FRST.txt will be saved on your USB Flash Drive. Attach it in your next reply

Thanks

Ron

Please try this again. The log indicates it did not work. If the USB was inserted before the Recovery point then it cannot fix it.

Format the USB stick from a clean computer and try again

Sorry about that, hopefully I did it right this time. I waited until the command prompt to put it in this time. But I noticed in the log that there is a note that says if the system is bootable I must run FRST in either normal or safe mode. Should I try to run FRST in safe mode instead of recovery mode since my system is bootable?

FRST.txt

No, from Recovery only. Let me do some research and see what's going on. If you've followed directions exactly and the drive was never inserted under Safe or Normal mode then it normally repairs on its own.

I'll get back to you a bit later after researching

Okay, looks like we may need to take a slightly different approach.

Do you have another Clean computer you're using?

Please save this file to the USB drive too and use it to run a fix

Please download the attached fixlist.txt file and save it to the USB stick, from a clean computer.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.

The tool will make a log on the same location as FRST named (Fixlog.txt). Please attach or post it to your next reply.

fixlist.txt

Ron

Yes, I have another clean computer I'm using; I scanned it with MWB and Avast to make sure and both came up as negative for anything. But also, I ran MWB on the original computer and it said no threats were detected. Also, a folder labeled UPECHMRH was where the .exe's were (both .exe names were UPECHMRH.exe and VDSUHNA.exe). After MWB said it did not detect any threats, I went to the folder and was able to access them (previously I wasn't able to with this folder and a couple more folders) and delete them. After that I ran RKILL. Also here is the fixlog text.

Fixlog.txt

Okay, please go ahead and reboot the computer into Normal Mode and run the following fix. If FRST won't run or the Fix won't run please let me know.

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

This will run some other repair fixes and reboot. After the reboot please run FRST again and ensure that Additions.txt is also checked, and post back new logs for them.

So, you should be posting back 3 logs.

Fixlog.txt
FRST.txt
Additions.txt

So far so good.

Let me have you run the following using another antivirus scanner to verify if they're able to find anything or not just to make sure.

Please download and run the following Kaspersky antivirus scanner to remove any found threats

Kaspersky Virus Removal Tool

Let me know if it finds anything or not

Thank you, the antivirus you provided is still scanning files but it says it did detect 1 object, and also while running the antivirus Windows Defender popped up and said it detected a couple of threats. Their names are Trojan:Win32/Occamy.C, Trojan:Win32/SquareNet.Q, and Trojan:Win64/Detrahere.S

Okay, please try to get the logs if you can; if not, maybe take a picture with your phone to share if needed.

Would you like me to get logs for Kaspersky or Windows Defender? I'm not sure how to do either, sorry. Also, Kaspersky is still scanning. 

I would also like to let you know that I didn't save the fixlist.txt file to my desktop but to my USB and ran it there. Should I try again, but this time save fixlist.txt and FRST to the desktop?

The detections were from items that FRST removed.

Has Kaspersky completed?

Running it from the USB is okay, but it should really be run from your Desktop if possible, or at least your C drive.

Kaspersky has finished and it looks like they weren't viruses, but I deleted everything related to the items just in case anyways. But Windows Defender said again there was a threat detected. The second photo is of the latest one.

kas[ersky.PNG

virtool.PNG

Please go ahead and run all the scans again and post back new logs.

We should be pretty close to being done

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes 3 then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes 3 installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • Once the scan is completed click on the Export Summary button and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know on your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, please click Clean & Repair.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Copy its content into your next reply.

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Additions.txt log to your reply as well.

Thanks

Ron
