Assistance Would Be Appreciated, Please.

I currently have friends PC that I have been unsuccessfully trying to remove a virus from.
Each time the scan finds and removes Trojans etc, more appear at the next boot and scan.

On the 14th April 2017 my friend clicked an email link, that she immediately knew, she should not have done. The email was deleted before the PC was handed over to me.

The symptoms, in addition to what the various scanners find, are a slow PC, the McAffee Live Safe software being disabled (from time to time!), Windows defender fining suspicious files (while McAffee is not running) and bizarrely the System Properties window opening on the Hardware tab with, the Device Manager button highlighted!

I have tried various scanners etc before following your guide.
I believe I have followed everything in your guide to the letter.
My logs are attached

You help and assistance would be very much appreciated.
Regards
Danny

 

Emails also seem to be sent out from contacts in Outlook. They have a title of "Invoice 0000078 from Gemma Piper ()"
The Gemma Piper being a contact in Outlook.

The content of the email is, (I have deliberately broken the link below, so no-one falls foul of an accidental click...)
You have received an invoice from Gemma Piper () for £2,132.51. To view, print or download a ZIP copy of your invoice, click the link below:

h t t p : / / kanchan.net / view-report-invoice-00001952 / lwn4pg-y04-vr.inv/

Best regards, Gemma Piper
()

Just thought I should mention it.
Thank you

 

Thank you so much for your assistance. I do really appreciate it.

C:\WINDOWS\system32\tasks\Mkmhijqwipf - Now deleted
The contents of the folders above are as follows.

Directory of C:\Users\HilaryW\AppData\Roaming\5IcS
13/04/2017 13:26 <DIR> .
13/04/2017 13:26 <DIR> ..
16/07/2016 12:42 74,752 sigverif.exe
1 File(s) 74,752 bytes
2 Dir(s) 391,629,373,440 bytes free

Directory of C:\Users\HilaryW\AppData\Roaming\ClientsideMutation
13/04/2017 14:20 <DIR> .
13/04/2017 14:20 <DIR> ..
0 File(s) 0 bytes
2 Dir(s) 391,629,037,568 bytes free

***This directory appears to used by the Redsky Accounts software Hilary installed*****
Directory of C:\Users\HilaryW\AppData\Roaming\RDC
10/04/2017 17:07 <DIR> .
10/04/2017 17:07 <DIR> ..
10/04/2017 17:07 7,163 bxclient.ini
03/04/2017 13:10 86,016 crprint.mdb
22/10/2014 09:37 <DIR> forms
22/10/2014 09:38 <DIR> images
23/10/2014 10:29 <DIR> reps
22/10/2014 09:37 246 summit.theme
10/04/2017 17:07 1,060,864 wordlist.mdb
4 File(s) 1,154,289 bytes
5 Dir(s) 391,630,520,320 bytes free

Directory of C:\Users\HilaryW\AppData\Roaming\tGTyhs
17/04/2017 09:27 <DIR> .
17/04/2017 09:27 <DIR> ..
13/04/2017 11:04 344,068 q0k3YrEs.xP1
1 File(s) 344,068 bytes
2 Dir(s) 391,630,561,280 bytes free


The two log files from FRST64.exe are as attached.

Thank you again for looking at this for me.

 

Thank you so much!
I had an "error" when I started FRST64.exe - it said "failed to update(1)" which I guess is expected as the network cable was unplugged.
Fixlog.txt attached.

Many thanks for your time helping with this, I (obviously) couldn't have done it without you.
ATB
Danny

 

I'll leave it running over night (it is 20:10 here) and see what arises in the morning.
With kind regards
Danny

 

All clear - thank you.
Back with my friend now.
ATB
Danny