[dalykapa15]

hi dbreeze,

 

I completed the custom scan and this is the report I received.

I am now onto step 2. I will post the log when that one is done.

Thanks for all your help.

 

Log from step 1:

 

<?xml version="1.0" encoding="UTF-16"?>
-<mbam-log>-<header><date>2015/01/31 21:05:03 -0500</date><logfile>mbam-log-2015-01-31 (21-03-29).xml</logfile><isadmin>yes</isadmin></header>-<engine><version>2.00.4.1028</version><malware-database>v2015.01.31.06</malware-database><rootkit-database>v2015.01.14.01</rootkit-database><license>premium</license><file-protection>enabled</file-protection><web-protection>enabled</web-protection><self-protection>disabled</self-protection></engine>-<system><osversion>Windows 8</osversion><arch>x64</arch><username>Pat</username><filesys>NTFS</filesys></system>-<summary><type>custom</type><result>completed</result><objects>518214</objects><time>3554</time><processes>0</processes><modules>0</modules><keys>0</keys><values>0</values><datas>0</datas><folders>0</folders><files>2</files><sectors>0</sectors></summary>-<options><memory>enabled</memory><startup>enabled</startup><filesystem>enabled</filesystem><archives>enabled</archives><rootkits>enabled</rootkits><deeprootkit>disabled</deeprootkit><heuristics>enabled</heuristics><pup>enabled</pup><pum>enabled</pum></options>-<items>-<file><path>C:\FRST\Quarantine\C\ProgramData\Windows Genuine Advantage\{423FD05E-1233-4B3E-8C91-534CD32F94F0}\msiexec.exe</path><vendor>Trojan.Dropper</vendor><action>success</action><hash>232e33c494f55dd9163f29cb58aa758b</hash></file>-<file><path>C:\Users\Pat\AppData\LocalLow\iyhwihh.dll</path><vendor>Trojan.Chrome.INJ</vendor><action>success</action><hash>2e238d6a2168d561e7ddba378f723dc3</hash></file></items></mbam-log>

[Advertisements]

hi dbreeze,

 

here is the log for eset:

should this be longer?

 

This is my mom's computer. she has not been on the system.  I am having her use it and will send a seperate reply with how it is running.

thank you for all your help.

 

 

C:\ToolKit.exe    a variant of Win64/HiddenStart.A potentially unsafe application
C:\FRST\Quarantine\C\Program Files (x86)\AskPartnerNetwork\Toolbar\APNSetup.exe    a variant of Win32/Bundled.Toolbar.Ask.E potentially unsafe application
C:\FRST\Quarantine\C\Users\Pat\AppData\Local\Temp\APNSetup.exe.xBAD    a variant of Win32/Bundled.Toolbar.Ask.E potentially unsafe application
C:\Program Files\Adware-Removal-Tool\ARTP3.exe    MSIL/FakeTool.PS trojan
C:\Users\Pat\Desktop\IE11\KeyFinderInstaller.exe    a variant of Win32/OpenCandy.C potentially unsafe application
 

[dalykapa15]

hi dbreeze,

 

here is the log for eset:

should this be longer?

 

This is my mom's computer. she has not been on the system.  I am having her use it and will send a seperate reply with how it is running.

thank you for all your help.

 

 

C:\ToolKit.exe    a variant of Win64/HiddenStart.A potentially unsafe application
C:\FRST\Quarantine\C\Program Files (x86)\AskPartnerNetwork\Toolbar\APNSetup.exe    a variant of Win32/Bundled.Toolbar.Ask.E potentially unsafe application
C:\FRST\Quarantine\C\Users\Pat\AppData\Local\Temp\APNSetup.exe.xBAD    a variant of Win32/Bundled.Toolbar.Ask.E potentially unsafe application
C:\Program Files\Adware-Removal-Tool\ARTP3.exe    MSIL/FakeTool.PS trojan
C:\Users\Pat\Desktop\IE11\KeyFinderInstaller.exe    a variant of Win32/OpenCandy.C potentially unsafe application
 

[dbreeze]

I have seen longer and shorter ESET logs; it depends on how much malware has been on the system for how long.

Let's get it cleaned up....

 

Download the attached fixlist.txt file and save it to the Desktop.

NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 by right clicking on the FRST64.exe file, selecting "Run as Administrator..". The User Account Control may open up; if it does, select Yes to continue to let FRST open and load.

The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show nothing (meaning there is no update found) and you can continue on. Press the Fix button just once and wait. The tool will create a restore point, process the script and ask for a restart of your system.

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

Attached Files

•  Fixlist.txt   228bytes   184 downloads

[dalykapa15]

hi d breeze,

 

the system seems to be ok for what she does(email, games ect) .  When she logs on not as many trojans as before are coming at her.  She was a victim of a scam and I feel whatever they put on here may be hidden.

 

I downloaded the fixlist.txt and here is the reply:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 05-02-2015
Ran by Pat at 2015-02-05 20:17:19 Run:4
Running from C:\Users\Pat\Downloads\FRST-OlderVersion\fight the bugs
Loaded Profiles: Pat &  (Available profiles: Pat)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
CreateRestorePoint:
CloseProcesses:
C:\Users\Pat\AppData\LocalLow\iyhwihh.dll
C:\ToolKit.exe
C:\Program Files\Adware-Removal-Tool\ARTP3.exe
C:\Users\Pat\Desktop\IE11\KeyFinderInstaller.exe
EmptyTemp:
Reboot:
end

*****************

Restore point was successfully created.
Processes closed successfully.
"C:\Users\Pat\AppData\LocalLow\iyhwihh.dll" => File/Directory not found.
C:\ToolKit.exe => Moved successfully.
C:\Program Files\Adware-Removal-Tool\ARTP3.exe => Moved successfully.
C:\Users\Pat\Desktop\IE11\KeyFinderInstaller.exe => Moved successfully.
EmptyTemp: => Removed 340.1 MB temporary data.


The system needed a reboot.

==== End of Fixlog 20:18:30 ====

[dbreeze]

Let's see if this breaks the rest of the connections to the trojans.
 
Download the attached fixlist.txt file and save it to the Desktop.

NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 by right clicking on the FRST64.exe file, selecting "Run as Administrator..".  The User Account Control may open up; if it does, select Yes to continue to let FRST open and load.  

The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show nothing (meaning there is no update found) and you can continue on.  Press the Fix button just once and wait.  The tool will create a restore point, process the script and ask for a restart of your system.
 


If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

Attached Files

•  Fixlist.txt   359bytes   190 downloads

[dalykapa15]

hi d breeze,

 

sorryi have not replied. I live in the NE and experiencing lots of snow. I hope to get to my mom's in the next day or two. thanks for your understanding and help.

[dbreeze]

Not a problem.  Thanks for letting me know; realworld always comes first.  Bundle up and stay warm!

[dalykapa15]

hi dbreeze

 

thanks for your help and understanding. its been cold and snowy. some warm weather is due tomorrow but then right back to cold and more snow.  this has been an unimaginable winter. the snow is packed in :-(.      good if your a skier.

 

 

 

 

Here is the results of the last scan:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 08-02-2015
Ran by Pat at 2015-02-10 20:16:38 Run:5
Running from C:\Users\Pat\Downloads\FRST-OlderVersion\fight the bugs
Loaded Profiles: Pat &  (Available profiles: Pat)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
CreateRestorePoint:
CloseProcesses:
CMD: ipconfig /flushdns
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state on
REG: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
REG: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
CMD: bitsadmin /reset /allusers
Hosts:
Reboot:
end

*****************

Restore point was successfully created.
Processes closed successfully.

=========  ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


=========  netsh advfirewall reset =========

Ok.


========= End of CMD: =========


=========  netsh advfirewall set allprofiles state on =========

Ok.


========= End of CMD: =========


========= Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F =========

The operation completed successfully.



========= End of Reg: =========

[dbreeze]

How is the system now?

[dalykapa15]

hi dbreeze,

 

the system seems to be ok however the trojans are still coming.i still can not install trend micro.  it does tend to seem like it is working only to stall out.  My mom was a victim of a scam and they did  get on her computer. I am confident they put something on. As they are still calling and she is hanging up.  Hopefully I can get there tomorrow to look at the system. It has been very frigid and more snow. thanks for your understanding and your help.

[dalykapa15]

hi dbreeze

 

her system is running good however today she seemed to lose icons and pictures. not really sure why.   I ran a malware scan and nothing showed. Nothing is in the quarantine log either.   She has been able to play solitare. She is going to keep going on and see if anything comes her way.  She noticed she could not open a folder of documents today.  It was completely empty and everything she had done was gone? Not exactly sure where it went.  thanks again for your help and understanding. more weather heading this way. 

[dbreeze]

Yes, please keep me up to date.  I will keep this open as long as possible due to the weather issues in the NE.
 
About Trend Micro; did you try running the cleanup / removal tool for Trend and then installing?  ( http://esupport.tren...rt/1105809.aspx go to the Having Problems Removing Trend Micro? section at the bottom )

[dbreeze]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.