
Thread: Weird things - logs as requested

  1. #11
    Juliet (Security Expert-emeritus)
    Join Date: Feb 2007
    Location: Deep South
    Posts: 4,084

    Let's update Malwarebytes Anti-Malware and run a scan

    • Open Malwarebytes Anti-Malware
    • On the Dashboard click on Update Now
    • Go to the Settings tab
    • Under Settings go to Detection and Protection
    • Under PUP and PUM make sure both are set to show Treat Detections as Malware
    • Go to Advanced Settings and make sure Automatically Quarantine Detected Items is checked
    • Then on the Dashboard click on Scan
    • Make sure to select THREAT SCAN
    • Then click on Scan
    • Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards.
    • If threats are detected, click Remove Selected. If you are prompted to reboot, click Yes.
    • Upon completion of the scan (or after the reboot), click the History tab.
    • Click Application Logs, followed by the first Scan Log.
    • Click Export, followed by Copy to Clipboard. Paste the log in your next reply.


    ~~~~

    What we can do now is run an online scan with Eset, a good trusted scanner, reliable and thorough.
    The settings I suggest will also show us items located in quarantine folders, so don't be alarmed by this. Also, in case of a false positive, I ask that you not allow it to delete what it does find.
    This scanner can take quite a bit of time to run, depending of course on how full your computer is.


    Please disable your Antivirus as shown in the following topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

    Please download Emsisoft Emergency Kit and save it to your desktop.
    Double-click on the EmsisoftEmergencyKit file you downloaded to extract its contents and create a shortcut on the desktop.
    • Leave all settings as they are and click the Extract button at the bottom.
    • A folder named EEK will be created in the root of the drive (usually c:\).
    • After extraction please double-click on the new Start Emsisoft Emergency Kit icon on your desktop.
    • The first time you launch it, Emsisoft Emergency Kit will recommend that you allow it to download updates.
    • Please click Yes so that it downloads the latest database updates.
    • When the update process is complete, a new button will appear in the lower-left corner that says Back. Click on this button to return to the Overview screen.
    • Click on Scan to be taken to the scan options.
    • If you are asked if you want the scanner to scan for Potentially Unwanted Programs, then click Yes.
    • Click on the Malware Scan button to start the scan.
    • When the scan is completed click the View report button in the lower-right corner, and the scan log will be opened in Notepad.
    • Please save the log in Notepad on your desktop, and copy it to your next reply.
    • When you close Emsisoft Emergency Kit, it will give you an option to sign up for a newsletter. This is optional, and is not necessary for the malware removal process.


    Please post these 2 logs when finished.

    How is the computer now?
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  2. #12
    Junior Member
    Join Date: Oct 2016
    Posts: 26

    Juliet.
    Sorry. We are always at wrong ends of the day.
    12 hours again before I will be able to action your directions.
    Seems to be great. Only several weeks old.
    Win 10 new to me too. Some things not as easy to find. Thank you for your patience with me.
    Madcap378.

  3. #13
    Juliet (Security Expert-emeritus)
    Join Date: Feb 2007
    Location: Deep South
    Posts: 4,084

    I understand.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  4. #14
    Junior Member
    Join Date: Oct 2016
    Posts: 26

    Juliet.

    Result of Malwarebytes run .... more to come from MADCAP378

    Malwarebytes Anti-Malware
    www.malwarebytes.org


    Protection, 7/10/2016 9:16 AM, SYSTEM, LAPTOP-ELHTQAT0, Protection, Malware Protection, Starting,
    Protection, 7/10/2016 9:16 AM, SYSTEM, LAPTOP-ELHTQAT0, Protection, Malware Protection, Started,
    Protection, 7/10/2016 9:16 AM, SYSTEM, LAPTOP-ELHTQAT0, Protection, Malicious Website Protection, Starting,
    Protection, 7/10/2016 9:17 AM, SYSTEM, LAPTOP-ELHTQAT0, Protection, Malicious Website Protection, Started,
    Update, 7/10/2016 9:38 AM, SYSTEM, LAPTOP-ELHTQAT0, Manual, IP Database, 2016.10.4.2, 2016.10.6.1,
    Update, 7/10/2016 9:38 AM, SYSTEM, LAPTOP-ELHTQAT0, Manual, Domain Database, 2016.10.6.3, 2016.10.6.12,
    Update, 7/10/2016 9:38 AM, SYSTEM, LAPTOP-ELHTQAT0, Manual, Malware Database, 2016.10.6.4, 2016.10.6.13,
    Protection, 7/10/2016 9:38 AM, SYSTEM, LAPTOP-ELHTQAT0, Protection, Refresh, Starting,
    Protection, 7/10/2016 9:38 AM, SYSTEM, LAPTOP-ELHTQAT0, Protection, Malicious Website Protection, Stopping,
    Protection, 7/10/2016 9:38 AM, SYSTEM, LAPTOP-ELHTQAT0, Protection, Malicious Website Protection, Stopped,
    Protection, 7/10/2016 9:38 AM, SYSTEM, LAPTOP-ELHTQAT0, Protection, Refresh, Success,
    Protection, 7/10/2016 9:38 AM, SYSTEM, LAPTOP-ELHTQAT0, Protection, Malicious Website Protection, Starting,
    Protection, 7/10/2016 9:38 AM, SYSTEM, LAPTOP-ELHTQAT0, Protection, Malicious Website Protection, Started,
    Scan, 7/10/2016 10:05 AM, SYSTEM, LAPTOP-ELHTQAT0, Manual, Start:7/10/2016 9:40 AM, Duration:24 min 1 sec, Threat Scan, Completed, 0 Malware Detections, 1 Non-Malware Detection,
    Protection, 7/10/2016 10:06 AM, SYSTEM, LAPTOP-ELHTQAT0, Protection, Malware Protection, Starting,
    Protection, 7/10/2016 10:06 AM, SYSTEM, LAPTOP-ELHTQAT0, Protection, Malware Protection, Started,
    Protection, 7/10/2016 10:06 AM, SYSTEM, LAPTOP-ELHTQAT0, Protection, Malicious Website Protection, Starting,
    Protection, 7/10/2016 10:06 AM, SYSTEM, LAPTOP-ELHTQAT0, Protection, Malicious Website Protection, Started,



    scan log

    Malwarebytes Anti-Malware
    www.malwarebytes.org

    Scan Date: 7/10/2016
    Scan Time: 9:40 AM
    Logfile:
    Administrator: Yes

    Version: 2.2.1.1043
    Malware Database: v2016.10.06.13
    Rootkit Database: v2016.09.26.02
    License: Trial
    Malware Protection: Enabled
    Malicious Website Protection: Enabled
    Self-protection: Disabled

    OS: Windows 10
    CPU: x64
    File System: NTFS
    User: pacdam

    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 302473
    Time Elapsed: 24 min, 1 sec

    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Enabled
    Heuristics: Enabled
    PUP: Enabled
    PUM: Enabled

    Processes: 0
    (No malicious items detected)

    Modules: 0
    (No malicious items detected)

    Registry Keys: 0
    (No malicious items detected)

    Registry Values: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Folders: 0
    (No malicious items detected)

    Files: 1
    PUP.Optional.Linkury, C:\Users\madca\AppData\Roaming\Pluscanair.bin, Quarantined, [d62f11858515e551ff6273936a9b758b],

    Physical Sectors: 0
    (No malicious items detected)
    Last edited by Juliet; 2016-10-07 at 01:46.

  5. #15
    Junior Member
    Join Date: Oct 2016
    Posts: 26

    Juliet

    Ran EST as requested:

    Emsisoft Emergency Kit - Version 11.9
    Last update: 7/10/2016 10:45:25 AM
    User account: LAPTOP-ELHTQAT0\pacdam
    Computer name: LAPTOP-ELHTQAT0
    OS version: Windows 10x64

    Scan settings:

    Scan type: Malware Scan
    Objects: Rootkits, Memory, Traces, Files

    Detect PUPs: On
    Scan archives: Off
    ADS Scan: On
    File extension filter: Off
    Advanced caching: On
    Direct disk access: Off

    Scan start: 7/10/2016 10:46:03 AM
    C:\Program Files (x86)\Phizother\Chdengine.dll detected: Trojan.Generic.19040731 (B)

    Scanned 75261
    Found 1

    Scan end: 7/10/2016 10:49:29 AM
    Scan time: 0:03:26


    Interested to see PHIZOTHER part of the culprit. Still feel uneasy about PRACOPH and PHIZOTHER folders as they turned up at the time of infection.

    You asked yesterday how the computer was: in the main it has been well behaved; however, I have been having problems with FTM 2014 but am not sure if the problem is with Win10 or what. It may be an FTM problem, as it opens ok but then content within is plagued with problems,
    but as this is a newer laptop I had not opened FTM prior to infection.

    Thank you.
    I await your further advice re the seemingly remaining Trojan.
    madcap378
    Last edited by Juliet; 2016-10-07 at 02:17.

  6. #16
    Juliet (Security Expert-emeritus)
    Join Date: Feb 2007
    Location: Deep South
    Posts: 4,084

    Glad the computer is running better.

    We can certainly remove C:\Program Files (x86)\Phizother\Chdengine.dll

    Please open Notepad (*Do Not Use Wordpad!* or any other text editor than Notepad, or the script will fail). (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below.
    To do this, highlight the contents of the box, right click on it and select Copy.
    Paste this into the open Notepad. Save it to the Desktop as fixlist.txt.
    NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
    It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite the existing one, please allow).


      start
      CreateRestorePoint:
      CloseProcesses:
      C:\Program Files (x86)\Phizother\Chdengine.dll
      EmptyTemp:
      End

    Open FRST/FRST64 and press the > Fix < button just once and wait.
    If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
    When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    2016-09-30 21:06 - 2016-10-02 10:24 - 00000000 ____D C:\Program Files (x86)\Pracoph
    2016-09-30 23:22 - 2016-09-30 23:24 - 00000000 ____D C:\Program Files (x86)\Phizother

    The 2 above folders were created at the same time.

    2016-09-30 23:22 - 2016-09-30 23:24 - 00000000 ____D C:\Users\madca\AppData\Local\Chvghcooveph
    2016-09-30 21:06 - 2016-09-30 22:45 - 00000000 ____D C:\Users\madca\AppData\Roaming\Ghasetion
    2016-09-30 21:06 - 2016-09-30 21:07 - 00000000 ____D C:\Users\madca\AppData\Local\Bazckprahward

    Next, these were created around the same time as the above. I cannot find any information on these and they appear suspicious to me; do you have any info on these?


    2016-10-01 09:36 - 2016-10-02 10:45 - 00000000 ____D C:\Users\madca\AppData\Roaming\Gajedefsim
    2016-10-01 09:36 - 2016-10-01 14:33 - 00000000 ____D C:\Users\madca\AppData\Roaming\CihuuChfakg

    The next day, or when the computer was booted up, the above appeared, and again I cannot find any supporting information to tell me what these folders are or whether they are suspicious.



    FTM 2014 was created before Windows 10 came out, so my first thought is to try and contact Ancestry.com to see if any updates can be applied or if they have any workarounds.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.
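Juliet's reasoning above works from the creation timestamps in the FRST listing: folders with unfamiliar names that appeared within minutes of each other, and again at the next boot, are treated as one event. The script below is an added example, not part of the thread or of FRST; it parses lines in the layout quoted above (created, modified, size, attributes, path, a layout assumed from the quoted lines rather than from FRST documentation), groups entries whose creation times fall within a configurable window, and reports every group of two or more. The sample input is the seven folder lines quoted in the post.

```python
import re
from datetime import datetime, timedelta

# One line of an FRST "folders created" listing, e.g.
#   2016-09-30 21:06 - 2016-10-02 10:24 - 00000000 ____D C:\Program Files (x86)\Pracoph
# Read as: created - modified - size attributes path. This layout is assumed from the
# lines quoted in the thread, not taken from FRST documentation.
FRST_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>\S+) (?P<path>.+)$"
)

# Sample input: the seven folder lines quoted from the FRST log in this thread.
SAMPLE_LOG = r"""
2016-09-30 21:06 - 2016-10-02 10:24 - 00000000 ____D C:\Program Files (x86)\Pracoph
2016-09-30 23:22 - 2016-09-30 23:24 - 00000000 ____D C:\Program Files (x86)\Phizother
2016-09-30 23:22 - 2016-09-30 23:24 - 00000000 ____D C:\Users\madca\AppData\Local\Chvghcooveph
2016-09-30 21:06 - 2016-09-30 22:45 - 00000000 ____D C:\Users\madca\AppData\Roaming\Ghasetion
2016-09-30 21:06 - 2016-09-30 21:07 - 00000000 ____D C:\Users\madca\AppData\Local\Bazckprahward
2016-10-01 09:36 - 2016-10-02 10:45 - 00000000 ____D C:\Users\madca\AppData\Roaming\Gajedefsim
2016-10-01 09:36 - 2016-10-01 14:33 - 00000000 ____D C:\Users\madca\AppData\Roaming\CihuuChfakg
"""


def parse_frst_lines(text):
    """Parse FRST-style listing lines; blanks and unrelated lines (headers) are skipped."""
    entries = []
    for raw in text.splitlines():
        m = FRST_LINE.match(raw.strip())
        if not m:
            continue
        entries.append({
            "created": datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            "size": int(m["size"]),
            "attrs": m["attrs"],
            "path": m["path"],
            "is_dir": m["attrs"].endswith("D"),
        })
    return entries


def cluster_by_creation(entries, window=timedelta(minutes=5)):
    """Sort by creation time and group entries whose creation time is within `window`
    of the previous entry in the group (simple single-linkage clustering in time)."""
    clusters = []
    for e in sorted(entries, key=lambda e: e["created"]):
        if clusters and e["created"] - clusters[-1][-1]["created"] <= window:
            clusters[-1].append(e)
        else:
            clusters.append([e])
    return clusters


def suspicious_clusters(entries, window=timedelta(minutes=5), min_size=2):
    """Clusters with at least `min_size` entries, oldest first,
    as (first creation time, [paths]) pairs."""
    return [
        (c[0]["created"], [e["path"] for e in c])
        for c in cluster_by_creation(entries, window)
        if len(c) >= min_size
    ]


def report(text, window=timedelta(minutes=5)):
    """Human-readable summary: one header line per cluster, then its paths."""
    lines = []
    for when, paths in suspicious_clusters(parse_frst_lines(text), window):
        lines.append(f"{when:%Y-%m-%d %H:%M}: {len(paths)} items created together")
        lines.extend(f"    {p}" for p in paths)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

With the default five-minute window the seven lines fall into three groups (21:06, 23:22, and 09:36 the next morning), which is the same picture Juliet draws by eye; widening the window merges the two evening groups into one. Paste the full "Files and folders created" section of a real FRST log into `report()` to get the same grouping over the whole listing rather than a hand-picked subset.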

  7. #17
    Junior Member
    Join Date: Oct 2016
    Posts: 26

    Juliet,

    thank you again.
    RAN as requested:
    Result:
    Fix result of Farbar Recovery Scan Tool (x64) Version: 04-10-2016
    Ran by pacdam (07-10-2016 11:46:36) Run:2
    Running from C:\Users\madca\Desktop
    Loaded Profiles: pacdam (Available Profiles: pacdam)
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    start
    CreateRestorePoint:
    CloseProcesses:
    C:\Program Files (x86)\Phizother\Chdengine.dll
    EmptyTemp:
    End
    *****************

    Restore point was successfully created.
    Processes closed successfully.
    C:\Program Files (x86)\Phizother\Chdengine.dll => moved successfully

    =========== EmptyTemp: ==========

    BITS transfer queue => 0 B
    DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 13867923 B
    Java, Flash, Steam htmlcache => 0 B
    Windows/system/drivers => 3119768 B
    Edge => 0 B
    Chrome => 126096661 B
    Firefox => 0 B
    Opera => 0 B

    Temp, IE cache, history, cookies, recent:
    Default => 0 B
    ProgramData => 0 B
    Public => 0 B
    systemprofile => 0 B
    systemprofile32 => 0 B
    LocalService => 4922 B
    NetworkService => 0 B
    madca => 34664252 B

    RecycleBin => 0 B
    EmptyTemp: => 169.5 MB temporary data Removed.

    ================================


    The system needed a reboot.

    ==== End of Fixlog 11:47:16 ====

    I am not familiar with any of the files which you indicate came about the same time as the infection.

    What I was downloading, as I hoped, was "msworks task launcher", but I got not that but a whole lot of infection.

    I do not recall now which link I followed, to let you know, but googling it now there are heaps which I suspect are all a trifle suss.
    Since the infection, I have used my standalone, which is older and has a functional working system, to export, and have forfeited the Works db for plain old Excel, so will not be looking again for a workable MSWorks launcher.

    Ancestry.com no longer supports FTM, and I have contacted the company which has taken them over for support in this matter, so that aspect is in hand.

    Getting back to the time of infection, I tried to uninstall sunny days etc. but they would only replicate with newer version numbers, so I suspect lots of funny things came through at that time.

    I again await your further advice and thank you, again

    madcap378
    Last edited by Juliet; 2016-10-07 at 12:12.

  8. #18
    Juliet (Security Expert-emeritus)
    Join Date: Feb 2007
    Location: Deep South
    Posts: 4,084

    Do you think sunnydays was not completely uninstalled/deleted?

    Let's see if we can find remnants.

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following quotebox into the main text field:
      :folderfind
      sunnydays
      :filefind
      sunnydays
      :regfind
      sunnydays
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.
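The remnant check SystemLook performs above, a name search across folders, files and the registry, as an added Python example that is not part of the thread and not SystemLook's own code. `find_remnants` walks a directory tree and matches names case-insensitively; `find_uninstall_entries` reads the Uninstall keys behind Programs and Features (including the WOW6432Node branch that 32-bit installers write on 64-bit Windows) and only does anything on Windows; `demo_search` builds a constructed temporary tree whose folder and file names are made up so the search can be exercised offline.

```python
import os
import shutil
import sys
import tempfile


def find_remnants(root, needle):
    """Walk `root` and return (folders, files) whose names contain `needle`,
    compared case-insensitively, as sorted lists of full paths."""
    needle = needle.lower()
    folders, files = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        folders.extend(os.path.join(dirpath, d) for d in dirnames if needle in d.lower())
        files.extend(os.path.join(dirpath, f) for f in filenames if needle in f.lower())
    return sorted(folders), sorted(files)


# Registry paths behind "Programs and Features". The WOW6432Node branch holds entries
# written by 32-bit installers on 64-bit Windows, which is why a 32-bit tool running
# under WOW64 can see a different view of the registry than a 64-bit one.
UNINSTALL_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
)


def find_uninstall_entries(needle):
    """On Windows, return (key path, DisplayName) pairs for installed-program entries
    whose DisplayName contains `needle`. Returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg  # standard library, Windows only
    needle = needle.lower()
    hits = []
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE),
                            ("HKCU", winreg.HKEY_CURRENT_USER)):
        for base in UNINSTALL_KEYS:
            try:
                key = winreg.OpenKey(hive, base)
            except OSError:
                continue  # branch absent (e.g. no WOW6432Node on 32-bit Windows)
            with key:
                for i in range(winreg.QueryInfoKey(key)[0]):
                    sub = winreg.EnumKey(key, i)
                    try:
                        with winreg.OpenKey(key, sub) as sk:
                            name = winreg.QueryValueEx(sk, "DisplayName")[0]
                    except OSError:
                        continue  # entry without a DisplayName
                    if needle in str(name).lower():
                        hits.append((f"{hive_name}\\{base}\\{sub}", name))
    return hits


def demo_search(needle="sunnydays"):
    """Build a constructed tree in a temp folder (names made up for this example),
    run the search, clean up, and return the matching base names."""
    root = tempfile.mkdtemp(prefix="remnant_demo_")
    try:
        helper = os.path.join(root, "AppData", "Roaming", "SunnyDays Helper")
        for d in (os.path.join(root, "SunnyDays"), os.path.join(root, "Program Files"), helper):
            os.makedirs(d, exist_ok=True)
        for f in (os.path.join(root, "Program Files", "readme.txt"),
                  os.path.join(root, "SunnyDays", "config.ini"),
                  os.path.join(helper, "SUNNYDAYS.dat")):
            open(f, "w").close()
        folders, files = find_remnants(root, needle)
        return {
            "folders": [os.path.basename(p) for p in folders],
            "files": [os.path.basename(p) for p in files],
            "programs": find_uninstall_entries(needle),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo_search())
```

Run against a real drive root with `find_remnants(r"C:\", "sunnydays")` and `find_uninstall_entries("sunnydays")`; an entry in the second result with no matching folder in the first is the situation where a program still shows in the installed-programs list although its files are gone, which the uninstall entry's own key path then points you to.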

  9. #19
    Junior Member
    Join Date: Oct 2016
    Posts: 26

    Just mentioned Sunnydays as it was the only one I readily recalled. There were several others whose names I now forget.

    But I ran the system look as advised and all is well for that one.

    Resultant log:
    "SystemLook 30.07.11 by jpshortstuff
    Log created at 09:49 on 08/10/2016 by pacdam
    Administrator - Elevation successful
    WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

    ========== folderfind ==========

    Searching for "sunnydays"
    No folders found.

    ========== filefind ==========

    Searching for "sunnydays"
    No files found.

    ========== regfind ==========

    Searching for "sunnydays"
    No data found.

    -= EOF =-"

    PHIZOTHER seems to only contain befeck.exe and has cleared all virus checks. Befeck seems to relate to media players so will hold and see if nothing happens.

    PRACOPH contains mple.exe, which I feel suspicious about. Should I leave it or delete this folder? And may I now delete all those new items which are now on my desktop?
    Bother. Just looking at the programs via Control Panel for anything looking like mple or glary [pracoph] and noticed that "sunnyday version 1.1" is still appearing as a program. Name variation?
    Have to go for a while but will post a screen print when I return.
    thank you again
    madcap378




  10. #20
    Junior Member
    Join Date: Oct 2016
    Posts: 26

    Hopefully you will be able to read this ok.

    It turns up in the list of programs installed but does not appear in the list of files within Program Files or Program Files (x86).
    Will await your investigation and advice. Screen print attached as PNG.

    madcap378

