I'm infected, and Malwarebytes is constantly detecting Adware.Yontoo


Solved by AdvancedSetup

  • Root Admin

Hello @oender

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process.

Then follow each step in the order provided. Unless otherwise asked, please attach all logs.

Please make the following system changes:

  • If you have not done so already, enable System Protection and create a NEW System Restore Point
  • Temporarily disable your antivirus real-time protection or other security software first, only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed
  • Temporarily disable Microsoft SmartScreen to download the software below, only if needed. Make sure to turn it back on once the downloads are completed
  • Disable Fast Startup
  • Show hidden folders, files and extensions

Please run the following scans:

  1. Click the following link and run a Scan with AdwCleaner
  2. Click the following link and run a Scan with Malwarebytes
     RESTART the computer
  3. Click the following link and run a Scan with Farbar Recovery Scan Tool

Example image of where to click to attach files when posting your reply

Thank you

  • Root Admin

Please run the following

Sophos Scan & Clean

Download Sophos Free Virus Removal Tool and save it to your desktop.

  • If your security software alerts to this scan, either accept the alert or turn off your security to allow Sophos to run and complete.
  • Please close all other open applications and do not use your PC whilst the scan is in progress. This scan is very thorough so it may take several hours to complete; please be patient.

  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Attach the results in your next reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program

If no threats were found please confirm that result...

The Virus Removal Tool scans the following areas of your computer:

  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable

Mapped network drives are not scanned.

Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Saved logs are found under this sub-folder: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs 

Please attach that log on your next reply

Thank you

  • Root Admin

Interesting. Thank you for the update. Please try the following scanner.

Please run the following ESET Online Scanner and perform a Full Scan

Click the following link to save the installer for ESET Online Scanner

https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get started.
  • When presented with the initial ESET screen, click on "Get Started". Read and accept the Terms of use.
  • On the "Before we start..." screen choose if you want to send anonymous data and if you want to provide feedback or not, then click Continue.
  • When prompted for scan type, click on the Full Scan button.
  • Enable (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click the Start scan button.
  • Have patience. The entire process may take a few hours or more.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".
  • Click the blue "Save scan log" to save the log and give it a name and location you remember.
  • If something was removed and you know it is a false positive, you may click on the blue "Restore cleaned files" (in blue, at the bottom).
  • Press Continue when all done. You should click to turn off the offer for "periodic scanning".
  • Enable "Delete application data on closing". You do not need to submit feedback unless you want to. Simply ignore and close the program.

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

Please attach the ESET scan log you saved at the end to your next reply

I did all the steps in the previous messages, but I ran Malwarebytes again and got this again:

Malwarebytes
www.malwarebytes.com

-Detalles del registro-
Fecha del análisis: 7/3/24
Hora del análisis: 23:37
Archivo de registro: 00a44365-dd0e-11ee-8397-7020840e1421.json

-Información del software-
Versión: 4.6.9.314
Versión de los componentes: 1.0.2276
Versión del paquete de actualización: 1.0.81907
Licencia: Premium

-Información del sistema-
SO: Windows 11 (Build 22623.730)
CPU: x64
Sistema de archivos: NTFS
Usuario: HW

-Resumen del análisis-
Tipo de análisis: Análisis de amenazas
Análisis iniciado por:: Manual
Resultado: Completado
Objetos analizados: 298457
Amenazas detectadas: 11
Amenazas en cuarentena: 0
Tiempo transcurrido: 2 min, 44 seg

-Opciones de análisis-
Memoria: Activado
Inicio: Activado
Sistema de archivos: Activado
Archivo: Activado
Rootkits: Desactivado
Heurística: Activado
PUP: Detectar
PUM: Detectar

-Detalles del análisis-
Proceso: 0
(No hay elementos maliciosos detectados)

Módulo: 0
(No hay elementos maliciosos detectados)

Clave del registro: 0
(No hay elementos maliciosos detectados)

Valor del registro: 0
(No hay elementos maliciosos detectados)

Datos del registro: 0
(No hay elementos maliciosos detectados)

Secuencia de datos: 0
(No hay elementos maliciosos detectados)

Carpeta: 1
Adware.Yontoo.ChrPRST, C:\USERS\LENOVO\APPDATA\LOCAL\MICROSOFT\EDGE\USER DATA\Default\Sync Data\LevelDB, Sin acciones por parte del usuario, 9643, 878859, , , , , , 

Archivo: 10
Adware.Yontoo.ChrPRST, C:\Users\Lenovo\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\000004.log, Sin acciones por parte del usuario, 9643, 878859, , , , , 51EFC0269C516C2C054B84D82182AD24, 611DA59392C0B0984914064A559B5AF3A0B803D0F527DC8706B6FFB543B924AE
Adware.Yontoo.ChrPRST, C:\Users\Lenovo\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\000005.ldb, Sin acciones por parte del usuario, 9643, 878859, , , , , 78D15B1804EB65EB0D58246BF6EEDA42, 55E3E09EE455F37BF9FE0931A970F9BE039ED32D582A1EAE81E9F554093EF82D
Adware.Yontoo.ChrPRST, C:\Users\Lenovo\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\CURRENT, Sin acciones por parte del usuario, 9643, 878859, , , , , 46295CAC801E5D4857D09837238A6394, 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
Adware.Yontoo.ChrPRST, C:\Users\Lenovo\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOCK, Sin acciones por parte del usuario, 9643, 878859, , , , , , 
Adware.Yontoo.ChrPRST, C:\Users\Lenovo\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG, Sin acciones por parte del usuario, 9643, 878859, , , , , E3F14869E78B97EAB13BDDC2F466E640, 6711193E6202933E951BED3A93B3644E198E3AE811B94D26D6954363607BEA3B
Adware.Yontoo.ChrPRST, C:\Users\Lenovo\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old, Sin acciones por parte del usuario, 9643, 878859, , , , , 6D6951C1FEAB6D40C7591A96BE2BC7D5, 731109A16227DA7C729C036CE83444EF31173E3835F55FFB78DB938632ABDE86
Adware.Yontoo.ChrPRST, C:\Users\Lenovo\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\MANIFEST-000001, Sin acciones por parte del usuario, 9643, 878859, , , , , 4713E3CE987CDA1195ABF12528E61109, 75CF989A386174F020EAC872776E2475CD2009D6A153906CA7304A62B6A00307
Adware.Yontoo.ChrPRST, C:\USERS\LENOVO\APPDATA\LOCAL\MICROSOFT\EDGE\USER DATA\Default\Preferences, Sin acciones por parte del usuario, 9643, 878859, , , , , 160514E420A507BAAEA492C05C48C4DC, 6E8256B34F255161E8F72975B355DD2A572DBB33A2FC2B4A8592174CF3E4CD75
Adware.Yontoo.ChrPRST, C:\USERS\LENOVO\APPDATA\LOCAL\MICROSOFT\EDGE\USER DATA\Default\Secure Preferences, Sin acciones por parte del usuario, 9643, 878859, 1.0.81907, , ame, , 4BC970D9070B3D9565BB6E64CB74C787, A5C7FDDA71F146FD00B0DDEB782A0A96F4F3AF0452CCB600C7889702E2D6BBAE
Adware.Yontoo.ChrPRST, C:\DOCUMENTS AND SETTINGS\ALL USERS\NTUSER.POL, Sin acciones por parte del usuario, 9643, -1, 0.0.0, , action, , 075B0DA82E23780FA2DD7F2EA0464FD4, 26332AF7F0DCF06A13ABB741E5EAA39F0FF9E7E823512701500B4E52340357AB

Sector físico: 0
(No hay elementos maliciosos detectados)

WMI: 0
(No hay elementos maliciosos detectados)


(end)


  • Root Admin

Please clean the Microsoft Edge Cache and Cookies

https://www.microsoft.com/en-us/edge/learning-center/how-to-manage-and-clear-your-cache-and-cookies?form=MA13I2

https://www.cloudwards.net/clear-cache-in-edge/

Once it's been properly cleaned, restart the computer and scan with Malwarebytes again

Thank you

Hello Mr. Root

This time Farbar won't open at all. I restarted the PC a couple of times and turned off Malwarebytes and the MS antivirus to see if that works, but this does not solve the issue. Is it possible to take the PC's SSD out (external USB enclosure) and scan it in another PC?

What do you think?

mwb-scan-report.txt

  • Root Admin
Posted (edited)

Please download AV block remover (https://www.safezone.cc/resources/av-block-remover-avbr.224/download), unzip it and run it.

If you can't run it, just rename AVbr.exe to AV-b-r.exe, for instance, and run it. Or you can use this link to download a randomly named file to run: https://avbr.safezone.cc/rnd/

If this method doesn't work, run this tool NOT from your Desktop or Downloads folder (use any other folder).

If the malware still blocks the utility, then try to run it in Safe Mode with Networking. Follow the instructions. After reboot you'll receive AV_block_remove_date-time.log. Please attach it to your next post.

Edited by AdvancedSetup
Updated information

  • Root Admin

Great, please try to run the following now.

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process.

Then follow each step in the order provided. Unless otherwise asked, please attach all logs.

Please make the following system changes:

  • If you have not done so already, enable System Protection and create a NEW System Restore Point
  • Temporarily disable your antivirus real-time protection or other security software first, only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed
  • Temporarily disable Microsoft SmartScreen to download the software below, only if needed. Make sure to turn it back on once the downloads are completed
  • Disable Fast Startup
  • Show hidden folders, files and extensions

Please run the following scans:

  1. Click the following link and run a Scan with AdwCleaner
  2. Click the following link and run a Scan with Malwarebytes
     RESTART the computer
  3. Click the following link and run a Scan with Farbar Recovery Scan Tool

Example image of where to click to attach files when posting your reply

Thank you

Posted (edited)

I rebooted the PC, ran a scan and it found this:

Malwarebytes
www.malwarebytes.com

-Detalles del registro-
Fecha del análisis: 13/3/24
Hora del análisis: 16:37
Archivo de registro: 505f86e0-e18a-11ee-b85f-7020840e1421.json

-Información del software-
Versión: 4.6.9.314
Versión de los componentes: 1.0.2276
Versión del paquete de actualización: 1.0.82120
Licencia: Premium

-Información del sistema-
SO: Windows 11 (Build 22623.730)
CPU: x64
Sistema de archivos: NTFS
Usuario: Henning\HWD

-Resumen del análisis-
Tipo de análisis: Análisis de amenazas
Análisis iniciado por:: Manual
Resultado: Completado
Objetos analizados: 290217
Amenazas detectadas: 2
Amenazas en cuarentena: 0
Tiempo transcurrido: 1 min, 44 seg

-Opciones de análisis-
Memoria: Activado
Inicio: Activado
Sistema de archivos: Activado
Archivo: Activado
Rootkits: Desactivado
Heurística: Activado
PUP: Detectar
PUM: Detectar

-Detalles del análisis-
Proceso: 0
(No hay elementos maliciosos detectados)

Módulo: 0
(No hay elementos maliciosos detectados)

Clave del registro: 0
(No hay elementos maliciosos detectados)

Valor del registro: 0
(No hay elementos maliciosos detectados)

Datos del registro: 0
(No hay elementos maliciosos detectados)

Secuencia de datos: 0
(No hay elementos maliciosos detectados)

Carpeta: 0
(No hay elementos maliciosos detectados)

Archivo: 2
Adware.Yontoo.ChrPRST, C:\USERS\LENOVO\APPDATA\LOCAL\MICROSOFT\EDGE\USER DATA\Default\Secure Preferences, Sin acciones por parte del usuario, 9641, 878859, 1.0.82120, , ame, , 1B701BAFAEAC97E00E565A56E99941A6, AE730BB1E681DB4A10CFE5480431265E5499DFFED65D06D680E0F1C549848526
Adware.Yontoo.ChrPRST, C:\DOCUMENTS AND SETTINGS\ALL USERS\NTUSER.POL, Sin acciones por parte del usuario, 9641, -1, 0.0.0, , action, , 075B0DA82E23780FA2DD7F2EA0464FD4, 26332AF7F0DCF06A13ABB741E5EAA39F0FF9E7E823512701500B4E52340357AB

Sector físico: 0
(No hay elementos maliciosos detectados)

WMI: 0
(No hay elementos maliciosos detectados)


(end)

Edited by oender
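The two Malwarebytes reports oender posted share one text layout, and lining them up shows which detections survived the steps in between: NTUSER.POL carries the same SHA-256 in both scans, Secure Preferences is still flagged but with a different hash (Edge rewrote it), and the Sync Data\LevelDB rows are gone. The script below is an added example, not Malwarebytes' or the forum's code; it assumes the column order visible in the quoted reports (threat, path, action, two numeric ids, version, a blank, a kind, a blank, MD5, SHA-256) and embeds cut-down copies of the two reports as constructed sample input.

```python
"""Parse Malwarebytes text scan reports and diff two of them.

Added example, not Malwarebytes code. It assumes the layout quoted in
this thread: a "<Category>: <count>" header followed by one comma-separated
line per detection with the fields
    threat, path, action, id, id, version, (blank), kind, (blank), md5, sha256
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Lines such as "Archivo: 10" or "Carpeta: 1" open a detection section.
HEADER = re.compile(r"^([^:]+): (\d+)$")
DETECTION_FIELDS = 11


@dataclass(frozen=True)
class Detection:
    category: str
    threat: str
    path: str
    action: str
    md5: str
    sha256: str

    @property
    def key(self) -> str:
        # Windows paths are case-insensitive and the report mixes cases
        # (C:\USERS\... next to C:\Users\...), so compare them lower-cased.
        return self.path.lower()


def parse_report(text: str) -> list[Detection]:
    """Return every detection row in a Malwarebytes text report."""
    found: list[Detection] = []
    category = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER.match(line)
        if header:
            category = header.group(1)
            continue
        fields = [f.strip() for f in line.split(",")]
        # A detection row has 11 fields and starts with a dotted threat name.
        if category and len(fields) >= DETECTION_FIELDS and "." in fields[0]:
            found.append(Detection(category, fields[0], fields[1], fields[2],
                                   fields[9], fields[10]))
    return found


def compare_reports(before: str, after: str) -> dict[str, list[str]]:
    """Sort detected paths into: unchanged (same path, same SHA-256),
    modified (same path, hash differs or missing), gone (first scan only),
    new (second scan only)."""
    a = {d.key: d for d in parse_report(before)}
    b = {d.key: d for d in parse_report(after)}
    result: dict[str, list[str]] = {"unchanged": [], "modified": [], "gone": [], "new": []}
    for key in sorted(a.keys() | b.keys()):
        if key in a and key in b:
            same = bool(a[key].sha256) and a[key].sha256 == b[key].sha256
            result["unchanged" if same else "modified"].append(a[key].path)
        elif key in a:
            result["gone"].append(a[key].path)
        else:
            result["new"].append(b[key].path)
    return result


# Constructed sample input: four of the eleven rows from the 7/3/24 report
# and both rows from the 13/3/24 report, copied from the thread above.
SCAN_A = r"""
Carpeta: 1
Adware.Yontoo.ChrPRST, C:\USERS\LENOVO\APPDATA\LOCAL\MICROSOFT\EDGE\USER DATA\Default\Sync Data\LevelDB, Sin acciones por parte del usuario, 9643, 878859, , , , , , 

Archivo: 3
Adware.Yontoo.ChrPRST, C:\Users\Lenovo\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\000004.log, Sin acciones por parte del usuario, 9643, 878859, , , , , 51EFC0269C516C2C054B84D82182AD24, 611DA59392C0B0984914064A559B5AF3A0B803D0F527DC8706B6FFB543B924AE
Adware.Yontoo.ChrPRST, C:\USERS\LENOVO\APPDATA\LOCAL\MICROSOFT\EDGE\USER DATA\Default\Secure Preferences, Sin acciones por parte del usuario, 9643, 878859, 1.0.81907, , ame, , 4BC970D9070B3D9565BB6E64CB74C787, A5C7FDDA71F146FD00B0DDEB782A0A96F4F3AF0452CCB600C7889702E2D6BBAE
Adware.Yontoo.ChrPRST, C:\DOCUMENTS AND SETTINGS\ALL USERS\NTUSER.POL, Sin acciones por parte del usuario, 9643, -1, 0.0.0, , action, , 075B0DA82E23780FA2DD7F2EA0464FD4, 26332AF7F0DCF06A13ABB741E5EAA39F0FF9E7E823512701500B4E52340357AB
"""

SCAN_B = r"""
Archivo: 2
Adware.Yontoo.ChrPRST, C:\USERS\LENOVO\APPDATA\LOCAL\MICROSOFT\EDGE\USER DATA\Default\Secure Preferences, Sin acciones por parte del usuario, 9641, 878859, 1.0.82120, , ame, , 1B701BAFAEAC97E00E565A56E99941A6, AE730BB1E681DB4A10CFE5480431265E5499DFFED65D06D680E0F1C549848526
Adware.Yontoo.ChrPRST, C:\DOCUMENTS AND SETTINGS\ALL USERS\NTUSER.POL, Sin acciones por parte del usuario, 9641, -1, 0.0.0, , action, , 075B0DA82E23780FA2DD7F2EA0464FD4, 26332AF7F0DCF06A13ABB741E5EAA39F0FF9E7E823512701500B4E52340357AB
"""

if __name__ == "__main__":
    for bucket, paths in compare_reports(SCAN_A, SCAN_B).items():
        for path in paths:
            print(f"{bucket:9} {path}")
```

Feed `compare_reports` the full text of two saved reports instead of the embedded samples to get the same split for a real scan pair. A path in `unchanged` is a file nothing in between touched, which is the first thing to ask about when a detection keeps coming back; a path in `modified` was rewritten yet flagged again, which points at whatever keeps regenerating it (here, the browser profile).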