continuous lnk.runner notifications, need help removing the infection

I have a Server 2012 R2 running Avast for Business. I get continuous threat notifications from the File System Shield of a lnk.runner. These threats are from a variety of file sources (they don’t seem to repeat). I tried to run a boot-time scan to remove the infection, but it hung in the process when it was asking for user interaction (the server does not have a keyboard or mouse plugged directly into it).

Tonight, I have run Malwarebytes, FRST, and aswMBR. I have included the saved .txt files.

Farbar > Windows XP/Vista/7/8/Windows 10 (32-Bit and 64-Bit)
Mbam > Windows 10 (32/64-bit), Windows 8.1 (32/64-bit), Windows 8 (32/64-bit), Windows 7 (32/64-bit), Windows Vista , (Service Pack 1 or later, 32/64-bit), Windows XP (Service Pack 2 or later, 32-bit only)

You need to contact Avast business support:
https://support.business.avast.com/hc/en-us

Do you have bespoke programmes running?

As I can find no information for the following drivers/services:

S1 brdljdgv; \??\C:\Windows\system32\drivers\brdljdgv.sys
S1 elnbnjzv; \??\C:\Windows\system32\drivers\elnbnjzv.sys
S1 iacsdgyu; \??\C:\Windows\system32\drivers\iacsdgyu.sys
S1 igaurlkn; \??\C:\Windows\system32\drivers\igaurlkn.sys
S1 nsflylhu; \??\C:\Windows\system32\drivers\nsflylhu.sys
S1 suwhiass; \??\C:\Windows\system32\drivers\suwhiass.sys
S1 svbooxus; \??\C:\Windows\system32\drivers\svbooxus.sys
S1 zuvxywbb; \??\C:\Windows\system32\drivers\zuvxywbb.sys

Nothing too bespoke here that we don’t have on another server. To the best of my knowledge, just commercially available software.

OK, this programme is a keylogger and appears to be legitimate: SpectorCNE

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
S1 brdljdgv; \??\C:\Windows\system32\drivers\brdljdgv.sys [X]
S1 elnbnjzv; \??\C:\Windows\system32\drivers\elnbnjzv.sys [X]
S1 iacsdgyu; \??\C:\Windows\system32\drivers\iacsdgyu.sys [X]
S1 igaurlkn; \??\C:\Windows\system32\drivers\igaurlkn.sys [X]
S1 nsflylhu; \??\C:\Windows\system32\drivers\nsflylhu.sys [X]
S1 suwhiass; \??\C:\Windows\system32\drivers\suwhiass.sys [X]
S1 svbooxus; \??\C:\Windows\system32\drivers\svbooxus.sys [X]
S1 zuvxywbb; \??\C:\Windows\system32\drivers\zuvxywbb.sys [X]
C:\Windows\system32\drivers\brdljdgv.sys
C:\Windows\system32\drivers\elnbnjzv.sys
C:\Windows\system32\drivers\iacsdgyu.sys
C:\Windows\system32\drivers\igaurlkn.sys
C:\Windows\system32\drivers\nsflylhu.sys
C:\Windows\system32\drivers\suwhiass.sys
C:\Windows\system32\drivers\svbooxus.sys
C:\Windows\system32\drivers\zuvxywbb.sys
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

SpectorCNE is workplace monitoring software (I know it has a keylogger as part of its tools). The Avast notifications predate the installation of it, and we specifically put exclusions into Avast for it. Is this going to disable that software? Or should I consult with the software vendor just to be certain?

No, I am leaving the Spector files alone, as I surmise that they were deliberately installed.

The files being removed are drivers for which I can find no reference on any file list and they are not signed…

I am creating a restore point first and quarantining the files just in case :)
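The check the helper applied to the S1 entries (no reference for the name anywhere, and the file is not signed) can be repeated on any host before a fixlist is written, and compared against another server that does not show the alerts. The script below is an added example for this thread and is not part of FRST, Avast or the helper's own method; it assumes an elevated PowerShell 4.0 or later session on the affected server, and the eight-lowercase-letter name pattern it flags is simply taken from the drivers listed above.

```powershell
# Added example (not from the thread): audit every kernel-mode driver service,
# resolve its image path, check the Authenticode signature and vendor metadata,
# and flag the ones that look like the S1 entries discussed above.
# Assumption: run from an elevated PowerShell 4.0+ prompt on the host in question.

function Get-DriverAudit {
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $raw = $_.PathName
        if (-not $raw) { return }

        # Normalise the NT-style paths the service database stores
        # (\??\C:\..., \SystemRoot\..., or a path relative to the Windows directory)
        $path = $raw -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        if (-not [System.IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot $path
        }

        $exists  = Test-Path -LiteralPath $path
        $sigStat = 'Missing'
        $signer  = ''
        $vendor  = ''
        if ($exists) {
            $sig     = Get-AuthenticodeSignature -FilePath $path
            $sigStat = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            $vendor  = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
        }

        # Heuristic taken from the thread: each flagged entry was a system-start
        # driver whose name is eight random lowercase letters. A match is a lead
        # for cross-checking against a known-good server, not a verdict on its own.
        $randomName = $_.Name -match '^[a-z]{8}$'

        [pscustomobject]@{
            Name       = $_.Name
            StartMode  = $_.StartMode      # 'System' corresponds to FRST's S1
            Path       = $path
            Exists     = $exists
            Signature  = $sigStat          # Valid, NotSigned, HashMismatch, Missing, ...
            Signer     = $signer
            Vendor     = $vendor
            RandomName = $randomName
            Suspect    = ($sigStat -ne 'Valid') -and ($randomName -or -not $vendor)
        }
    }
}

# List the entries worth a second look first; keep the full output for comparison
# with the same command run on a server that does not raise the alerts.
Get-DriverAudit |
    Sort-Object Suspect, Name -Descending |
    Format-Table Name, StartMode, Signature, Vendor, RandomName, Path -AutoSize
```

On Server 2012 R2 with the stock PowerShell 4.0, inbox drivers that are signed only through a catalog file can also report NotSigned, so a Suspect entry with a Microsoft vendor string and a match on the other server is a false positive; the drivers listed above, by contrast, combine an unsigned file, no vendor metadata and a name that appears on no file list, which is the combination the helper acted on.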