Infected with trojan.zeroaccess!inf4

I have a client's computer that is infected with trojan.zeroaccess!inf4. After reading through several posts on this forum, I found this one which instructed me to boot into Repair your computer mode and run the Farbar Recovery Scan Tool x64. I have done so and the results are below, but I am unsure how to proceed. I know it might be necessary for me to rebuild this system from scratch, but I would really rather not do so as this user has a somewhat complicated setup.

Is this enough information? Can it be removed like the one in the post linked above?

First, the FRST.txt

Scan result of Farbar Recovery Scan Tool Version: 14-08-2012

Ran by SYSTEM at 14-08-2012 10:35:33

Running from J:\

Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)

The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10920552 2010-06-22] (Realtek Semiconductor)

HKLM\...\Run: [RunDLLEntry_THXCfg] C:\Windows\system32\RunDLL32.exe C:\Windows\system32\THXCfg64.dll,RunDLLEntry THXCfg64 [17920 2009-10-15] (Creative Technology Ltd.)

HKLM\...\Run: [RunDLLEntry_EptMon] C:\Windows\system32\RunDLL32.exe C:\Windows\system32\EptMon64.dll,RunDLLEntry EptMon64 [21504 2009-10-15] (Creative Technology Ltd.)

HKLM\...\Run: [Agency Software Printer virtual printer agent] "C:\ASIPrinter\agspagent.exe" [116224 2010-02-23] ()

HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1281240 2012-06-12] (Microsoft Corporation)

HKLM-x32\...\Run: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2010-09-13] (Intel Corporation)

HKLM-x32\...\Run: [shwiconXP9106] C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe [237568 2010-03-10] (Alcor Micro Corp.)

HKLM-x32\...\Run: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [336384 2011-01-04] (Advanced Micro Devices, Inc.)

HKLM-x32\...\Run: [THX Audio Control Panel] "C:\Program Files (x86)\Creative\THX TruStudio PC\THXAudioCP\THXAudio.exe" /r [963584 2009-12-01] (Creative Technology Ltd)

HKLM-x32\...\Run: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [240112 2010-11-25] (Sonic Solutions)

HKLM-x32\...\Run: [AccuWeatherWidget] "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj" --startup [2825741 2011-05-30] ()

HKLM-x32\...\Run: [sSBkgdUpdate] "C:\Program Files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot [210472 2006-10-25] (Nuance Communications, Inc.)

HKLM-x32\...\Run: [PaperPort PTD] "C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe" [29984 2008-07-10] (Nuance Communications, Inc.)

HKLM-x32\...\Run: [indexSearch] "C:\Program Files (x86)\ScanSoft\PaperPort\IndexSearch.exe" [46368 2008-07-10] (Nuance Communications, Inc.)

HKLM-x32\...\Run: [brMfcWnd] C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN [1159168 2009-05-26] (Brother Industries, Ltd.)

HKLM-x32\...\Run: [ControlCenter3] C:\Program Files (x86)\Brother\ControlCenter3\brctrcen.exe /autorun [114688 2008-12-24] (Brother Industries, Ltd.)

Tcpip\..\Interfaces\{67129F94-0873-4D9E-8479-FB8CAC40CEDC}: [NameServer]8.8.8.8,4.2.2.1

Startup: C:\Users\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk

ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)

Startup: C:\Users\Beth\Start Menu\Programs\Startup\Dropbox.lnk

ShortcutTarget: Dropbox.lnk -> (No File)

==================== Services (Whitelisted) ======

2 LMIRescue_994acd89-9a0e-4250-ad00-ab4ec656ef36; "C:\Users\Beth\AppData\Local\LogMeIn Rescue Applet\LMIR0003.tmp\LMI_Rescue_srv.exe" -service -sid 994acd89-9a0e-4250-ad00-ab4ec656ef36 [2487208 2012-08-14] (LogMeIn, Inc.)

2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)

2 McAfee SiteAdvisor Service; C:\PROGRA~2\mcafee\SITEAD~1\mcsacore.exe [103472 2012-06-15] (McAfee, Inc.)

3 McComponentHostService; "C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe" [227232 2010-01-15] (McAfee, Inc.)

3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [357976 2012-06-12] (Microsoft Corporation)

2 Retrospect Client; "C:\Program Files (x86)\Retrospect\Retrospect Client\RemotSvc.exe" [67104 2007-04-10] (EMC)

2 Retrospect Helper; "C:\Program Files (x86)\Retrospect\Retrospect Client\rthlpsvc.exe" [122880 2008-12-08] (EMC Corporation)

2 RoxWatch12; "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe" [219632 2010-11-25] (Sonic Solutions)

3 stllssvr; "C:\Program Files (x86)\Common Files\SureThing Shared\stllssvr.exe" [74392 2010-11-08] (MicroVision Development, Inc.)

2 WinVNC4; "C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service [2069880 2010-06-14] (RealVNC Ltd.)

========================== Drivers (Whitelisted) =============

3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24904 2012-07-03] (Malwarebytes Corporation)

3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0; \??\c:\program files\dell support center\pcdsrvc_x64.pkms [x]

1 uawikeik; \??\C:\Windows\system32\drivers\uawikeik.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-08-13 21:39 - 2012-08-13 21:40 - 00000163 ____A C:\Users\Beth\Desktop\NoSave.reg

2012-08-13 18:46 - 2012-08-13 18:46 - 00000000 ____D C:\FRST

2012-08-13 18:05 - 2012-08-13 21:44 - 00000446 ___AH C:\Windows\Tasks\Norton Security Scan for Beth.job

2012-08-13 18:05 - 2012-08-13 18:05 - 00001345 ____A C:\Users\Public\Desktop\Norton Security Scan.lnk

2012-08-13 18:05 - 2012-08-13 18:05 - 00001345 ____A C:\Users\All Users\Desktop\Norton Security Scan.lnk

2012-08-13 18:05 - 2012-08-13 18:05 - 00000000 ____D C:\Windows\System32\Drivers\NSSx64

2012-08-13 18:05 - 2012-08-13 18:05 - 00000000 ____D C:\Users\All Users\Symantec

2012-08-13 18:05 - 2012-08-13 18:05 - 00000000 ____D C:\Users\All Users\Norton

2012-08-13 18:05 - 2012-08-13 18:05 - 00000000 ____D C:\Users\All Users\Application Data\Symantec

2012-08-13 18:05 - 2012-08-13 18:05 - 00000000 ____D C:\Users\All Users\Application Data\Norton

2012-08-13 18:05 - 2012-08-13 18:05 - 00000000 ____D C:\Program Files (x86)\Norton Security Scan

2012-08-13 09:49 - 2012-08-13 09:49 - 00146192 ____A C:\Users\Beth\Desktop\Clean Up.CSV

2012-08-13 09:40 - 2012-08-13 09:40 - 00178074 ____A C:\Users\Beth\Desktop\Client list2.CSV

2012-08-10 16:43 - 2012-08-10 16:43 - 495996921 ____A C:\Windows\MEMORY.DMP

2012-08-10 16:43 - 2012-08-10 16:43 - 00275152 ____A C:\Windows\Minidump\081012-12698-01.dmp

2012-08-10 16:43 - 2012-08-10 16:43 - 00000000 ____D C:\Windows\Minidump

2012-08-10 14:09 - 2012-08-10 14:09 - 00003201 ____A C:\Users\Beth\Desktop\Sophos Virus Removal Tool.lnk

2012-08-10 14:09 - 2012-08-10 14:09 - 00000000 ____D C:\Users\All Users\Sophos

2012-08-10 14:09 - 2012-08-10 14:09 - 00000000 ____D C:\Users\All Users\Application Data\Sophos

2012-08-10 14:08 - 2012-08-10 14:08 - 00000000 ____D C:\Program Files (x86)\Sophos

2012-08-10 12:05 - 2012-08-09 09:22 - 00002116 ____A C:\Users\Beth\Desktop\1 A ADMIN.lnk

2012-08-09 13:12 - 2012-08-09 13:12 - 00000855 ____A C:\Users\Beth\Desktop\DocMgr.lnk

2012-08-09 13:09 - 2012-08-09 13:09 - 00000591 ____A C:\Users\Beth\Desktop\EZAgent for Windows.lnk

2012-08-09 13:09 - 2002-02-01 07:00 - 01497088 ____A (Borland Corporation) C:\Windows\SysWOW64\cc3260mt.dll

2012-08-09 13:09 - 2002-02-01 07:00 - 01410560 ____A (Borland Corporation) C:\Windows\SysWOW64\cc3260.dll

2012-08-09 09:21 - 2012-08-09 09:21 - 00002222 ____A C:\Users\Beth\Desktop\1 A Forms.lnk

2012-08-08 02:33 - 2012-08-08 02:33 - 00000000 ____D C:\Windows\Microsoft Antimalware

2012-08-07 23:29 - 2012-08-07 23:29 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.001F1A808349AC4E

2012-08-07 22:37 - 2012-08-07 22:37 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.44374E941E357E74

2012-08-07 22:30 - 2012-08-07 22:30 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.62B16AD5EBEBFD6D

2012-08-07 22:28 - 2012-08-07 22:28 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.F72A20313FDCCB39

2012-08-07 22:24 - 2012-08-07 22:24 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.D139BB7A81DC13ED

2012-08-07 22:22 - 2012-08-07 22:22 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.8FCCC2300990F21B

2012-08-07 22:17 - 2012-08-07 22:17 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.8BAD4DE9C42C183E

2012-08-07 22:14 - 2012-08-07 22:14 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.677E7E919A93BA74

2012-08-07 22:12 - 2012-08-07 22:12 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.D392BC8220C9EA9E

2012-08-07 14:13 - 2012-08-07 14:13 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.31C0332431AAF4D3

2012-08-07 14:08 - 2012-08-07 14:08 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.67917730D5517AB1

2012-08-07 14:05 - 2012-08-07 14:05 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.D2302AB19E368FA7

2012-08-07 14:02 - 2012-08-07 14:02 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.39C3512D87246FBC

2012-08-07 14:00 - 2012-08-07 14:00 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.3118768E3C642D62

2012-08-07 13:37 - 2012-08-07 13:37 - 00000000 ____D C:\Program Files\Microsoft Security Client

2012-08-07 13:37 - 2012-08-07 13:37 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client

2012-08-07 11:43 - 2012-08-14 09:16 - 00001748 ____A C:\Windows\setupact.log

2012-08-07 11:43 - 2012-08-07 11:43 - 00000000 ____A C:\Windows\setuperr.log

2012-08-07 11:41 - 2012-08-07 11:41 - 00000000 ____D C:\Users\Beth\Desktop\rkill-backup

2012-08-07 11:40 - 2012-08-07 11:40 - 00000000 ____D C:\Users\Beth\Application Data\Malwarebytes

2012-08-07 11:40 - 2012-08-07 11:40 - 00000000 ____D C:\Users\Beth\AppData\Roaming\Malwarebytes

2012-08-07 11:40 - 2012-08-07 11:40 - 00000000 ____D C:\Users\All Users\Malwarebytes

2012-08-07 11:40 - 2012-08-07 11:40 - 00000000 ____D C:\Users\All Users\Application Data\Malwarebytes

2012-08-07 11:40 - 2012-08-07 11:40 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-08-07 11:40 - 2012-07-03 13:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-08-07 11:24 - 2012-08-07 11:24 - 00000000 __SHD C:\Windows\System32\%APPDATA%

2012-08-07 11:21 - 2012-08-07 11:23 - 00000000 ____D C:\Users\All Users\Application Data\7531CCA90007E37BEDC3AC1AF875F002

2012-08-07 11:21 - 2012-08-07 11:23 - 00000000 ____D C:\Users\All Users\7531CCA90007E37BEDC3AC1AF875F002

2012-08-07 11:21 - 2012-08-07 11:21 - 00340480 ____A (Electronic Arts Inc.) C:\Users\Beth\Application Data\hcasex.dll

2012-08-07 11:21 - 2012-08-07 11:21 - 00340480 ____A (Electronic Arts Inc.) C:\Users\Beth\AppData\Roaming\hcasex.dll

2012-08-07 11:21 - 2012-08-07 11:21 - 00000000 ____D C:\Users\Beth\Local Settings\Application Data\{E8AA92A9-E0AB-11E1-8270-B8AC6F996F26}

2012-08-07 11:21 - 2012-08-07 11:21 - 00000000 ____D C:\Users\Beth\Local Settings\{E8AA92A9-E0AB-11E1-8270-B8AC6F996F26}

2012-08-07 11:21 - 2012-08-07 11:21 - 00000000 ____D C:\Users\Beth\AppData\Local\{E8AA92A9-E0AB-11E1-8270-B8AC6F996F26}

2012-08-07 11:20 - 2012-08-07 11:20 - 00063488 ___AH (FRISK Software International) C:\Windows\System32\iexpvate64.dll

2012-07-31 12:44 - 2012-08-01 09:42 - 00018944 ____A C:\Users\Beth\Desktop\Petter.xls

2012-07-26 00:31 - 2012-07-26 00:31 - 00000000 ____A C:\extensions.sqlite

2012-07-17 10:47 - 2012-07-17 10:47 - 00000000 ____D C:\Users\Beth\Local Settings\Macromedia

2012-07-17 10:47 - 2012-07-17 10:47 - 00000000 ____D C:\Users\Beth\Local Settings\Application Data\Macromedia

2012-07-17 10:47 - 2012-07-17 10:47 - 00000000 ____D C:\Users\Beth\AppData\Local\Macromedia

2012-07-17 09:26 - 2012-08-14 09:17 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

============ 3 Months Modified Files ========================

2012-08-14 09:37 - 2012-04-17 15:03 - 00000506 ____A C:\Windows\Tasks\SystemToolsDailyTest.job

2012-08-14 09:23 - 2009-07-13 23:45 - 00021296 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-08-14 09:23 - 2009-07-13 23:45 - 00021296 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-08-14 09:22 - 2011-07-05 12:37 - 471352320 ____A C:\Users\Beth\My Documents\Beth's Archives.pst

2012-08-14 09:22 - 2011-07-05 12:37 - 471352320 ____A C:\Users\Beth\Documents\Beth's Archives.pst

2012-08-14 09:22 - 2011-07-05 12:37 - 428688384 ____A C:\Users\Beth\My Documents\Beth's Outlook.pst

2012-08-14 09:22 - 2011-07-05 12:37 - 428688384 ____A C:\Users\Beth\Documents\Beth's Outlook.pst

2012-08-14 09:21 - 2009-07-14 00:13 - 00783244 ____A C:\Windows\System32\PerfStringBackup.INI

2012-08-14 09:17 - 2012-07-17 09:26 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-08-14 09:16 - 2012-08-07 11:43 - 00001748 ____A C:\Windows\setupact.log

2012-08-14 09:16 - 2009-07-14 00:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-08-13 21:44 - 2012-08-13 18:05 - 00000446 ___AH C:\Windows\Tasks\Norton Security Scan for Beth.job

2012-08-13 21:44 - 2010-11-20 22:47 - 00046846 ____A C:\Windows\PFRO.log

2012-08-13 21:40 - 2012-08-13 21:39 - 00000163 ____A C:\Users\Beth\Desktop\NoSave.reg

2012-08-13 18:05 - 2012-08-13 18:05 - 00001345 ____A C:\Users\Public\Desktop\Norton Security Scan.lnk

2012-08-13 18:05 - 2012-08-13 18:05 - 00001345 ____A C:\Users\All Users\Desktop\Norton Security Scan.lnk

2012-08-13 17:00 - 2011-07-05 16:53 - 00000059 ____A C:\APPTWN.LOG

2012-08-13 09:49 - 2012-08-13 09:49 - 00146192 ____A C:\Users\Beth\Desktop\Clean Up.CSV

2012-08-13 09:40 - 2012-08-13 09:40 - 00178074 ____A C:\Users\Beth\Desktop\Client list2.CSV

2012-08-10 16:43 - 2012-08-10 16:43 - 495996921 ____A C:\Windows\MEMORY.DMP

2012-08-10 16:43 - 2012-08-10 16:43 - 00275152 ____A C:\Windows\Minidump\081012-12698-01.dmp

2012-08-10 16:40 - 2011-06-16 16:39 - 01412309 ____A C:\Windows\WindowsUpdate.log

2012-08-10 14:09 - 2012-08-10 14:09 - 00003201 ____A C:\Users\Beth\Desktop\Sophos Virus Removal Tool.lnk

2012-08-09 14:46 - 2011-07-05 14:05 - 00001155 ____A C:\Windows\Brpfx04a.ini

2012-08-09 13:12 - 2012-08-09 13:12 - 00000855 ____A C:\Users\Beth\Desktop\DocMgr.lnk

2012-08-09 13:09 - 2012-08-09 13:09 - 00000591 ____A C:\Users\Beth\Desktop\EZAgent for Windows.lnk

2012-08-09 09:22 - 2012-08-10 12:05 - 00002116 ____A C:\Users\Beth\Desktop\1 A ADMIN.lnk

2012-08-09 09:21 - 2012-08-09 09:21 - 00002222 ____A C:\Users\Beth\Desktop\1 A Forms.lnk

2012-08-09 09:13 - 2011-02-10 11:10 - 00796186 ____A C:\Windows\SysWOW64\PerfStringBackup.INI

2012-08-09 09:07 - 2011-06-22 00:39 - 00126152 ____A C:\Users\Beth\Local Settings\GDIPFONTCACHEV1.DAT

2012-08-09 09:07 - 2011-06-22 00:39 - 00126152 ____A C:\Users\Beth\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2012-08-09 09:07 - 2011-06-22 00:39 - 00126152 ____A C:\Users\Beth\AppData\Local\GDIPFONTCACHEV1.DAT

2012-08-09 09:07 - 2009-07-13 23:45 - 00460760 ____A C:\Windows\System32\FNTCACHE.DAT

2012-08-08 16:24 - 2011-06-25 13:42 - 00000376 ____A C:\Windows\ODBC.INI

2012-08-08 16:24 - 2009-07-13 21:34 - 00000531 ____A C:\Windows\win.ini

2012-08-08 03:13 - 2009-07-13 18:19 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe

2012-08-07 23:29 - 2012-08-07 23:29 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.001F1A808349AC4E

2012-08-07 22:37 - 2012-08-07 22:37 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.44374E941E357E74

2012-08-07 22:30 - 2012-08-07 22:30 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.62B16AD5EBEBFD6D

2012-08-07 22:29 - 2009-07-14 00:08 - 00032636 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2012-08-07 22:28 - 2012-08-07 22:28 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.F72A20313FDCCB39

2012-08-07 22:24 - 2012-08-07 22:24 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.D139BB7A81DC13ED

2012-08-07 22:22 - 2012-08-07 22:22 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.8FCCC2300990F21B

2012-08-07 22:17 - 2012-08-07 22:17 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.8BAD4DE9C42C183E

2012-08-07 22:14 - 2012-08-07 22:14 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.677E7E919A93BA74

2012-08-07 22:12 - 2012-08-07 22:12 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.D392BC8220C9EA9E

2012-08-07 14:13 - 2012-08-07 14:13 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.31C0332431AAF4D3

2012-08-07 14:08 - 2012-08-07 14:08 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.67917730D5517AB1

2012-08-07 14:05 - 2012-08-07 14:05 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.D2302AB19E368FA7

2012-08-07 14:02 - 2012-08-07 14:02 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.39C3512D87246FBC

2012-08-07 14:00 - 2012-08-07 14:00 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.3118768E3C642D62

2012-08-07 13:37 - 2011-07-05 14:30 - 00001945 ____A C:\Windows\epplauncher.mif

2012-08-07 11:43 - 2012-08-07 11:43 - 00000000 ____A C:\Windows\setuperr.log

2012-08-07 11:21 - 2012-08-07 11:21 - 00340480 ____A (Electronic Arts Inc.) C:\Users\Beth\Application Data\hcasex.dll

2012-08-07 11:21 - 2012-08-07 11:21 - 00340480 ____A (Electronic Arts Inc.) C:\Users\Beth\AppData\Roaming\hcasex.dll

2012-08-07 11:20 - 2012-08-07 11:20 - 00063488 ___AH (FRISK Software International) C:\Windows\System32\iexpvate64.dll

2012-08-03 06:17 - 2012-04-02 09:20 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2012-08-03 06:17 - 2011-07-07 16:34 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2012-08-01 09:42 - 2012-07-31 12:44 - 00018944 ____A C:\Users\Beth\Desktop\Petter.xls

2012-07-30 10:21 - 2012-02-02 12:21 - 00016896 ____A C:\Users\Beth\Desktop\Expat 101.xls

2012-07-27 13:40 - 2011-10-24 11:48 - 00040448 ____A C:\Users\Beth\Desktop\AutoQuote.xls

2012-07-26 00:31 - 2012-07-26 00:31 - 00000000 ____A C:\extensions.sqlite

2012-07-25 08:16 - 2012-04-17 15:03 - 00000564 ____A C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job

2012-07-12 03:02 - 2011-06-22 00:58 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2012-07-03 13:46 - 2012-08-07 11:40 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-06-11 22:08 - 2012-07-12 03:05 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-06-09 00:43 - 2012-07-11 06:28 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2012-06-08 23:41 - 2012-07-11 06:28 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

2012-06-06 01:06 - 2012-07-11 06:28 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

2012-06-06 01:06 - 2012-07-11 06:28 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

2012-06-06 01:02 - 2012-07-11 06:27 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll

2012-06-06 00:05 - 2012-07-11 06:28 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll

2012-06-06 00:05 - 2012-07-11 06:28 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll

2012-06-06 00:03 - 2012-07-11 06:27 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll

2012-06-05 07:29 - 2012-06-05 07:29 - 00227688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\MpFilter.sys

2012-06-05 07:29 - 2012-06-05 07:29 - 00117464 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\NisDrvWFP.sys

2012-06-02 17:19 - 2012-06-22 03:46 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll

2012-06-02 17:19 - 2012-06-22 03:46 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll

2012-06-02 17:19 - 2012-06-22 03:46 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

2012-06-02 17:19 - 2012-06-22 03:46 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll

2012-06-02 17:19 - 2012-06-22 03:46 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll

2012-06-02 17:15 - 2012-06-22 03:46 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll

2012-06-02 17:15 - 2012-06-22 03:46 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll

2012-06-02 15:19 - 2012-06-22 03:46 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll

2012-06-02 15:15 - 2012-06-22 03:46 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

2012-06-02 07:49 - 2012-07-12 03:01 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-06-02 07:17 - 2012-07-12 03:01 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-06-02 07:12 - 2012-07-12 03:01 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-06-02 07:05 - 2012-07-12 03:01 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-06-02 07:05 - 2012-07-12 03:01 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-06-02 07:04 - 2012-07-12 03:01 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-06-02 07:04 - 2012-07-12 03:01 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-06-02 07:03 - 2012-07-12 03:01 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-06-02 07:01 - 2012-07-12 03:01 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-06-02 07:00 - 2012-07-12 03:01 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-06-02 06:59 - 2012-07-12 03:01 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-06-02 06:57 - 2012-07-12 03:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-06-02 06:57 - 2012-07-12 03:01 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-06-02 06:54 - 2012-07-12 03:01 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-06-02 04:07 - 2012-07-12 03:01 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2012-06-02 03:43 - 2012-07-12 03:01 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2012-06-02 03:33 - 2012-07-12 03:01 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2012-06-02 03:26 - 2012-07-12 03:01 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2012-06-02 03:25 - 2012-07-12 03:01 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2012-06-02 03:25 - 2012-07-12 03:01 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2012-06-02 03:23 - 2012-07-12 03:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2012-06-02 03:21 - 2012-07-12 03:01 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2012-06-02 03:20 - 2012-07-12 03:01 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2012-06-02 03:19 - 2012-07-12 03:01 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2012-06-02 03:19 - 2012-07-12 03:01 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2012-06-02 03:17 - 2012-07-12 03:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2012-06-02 03:16 - 2012-07-12 03:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2012-06-02 03:14 - 2012-07-12 03:01 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2012-06-02 00:50 - 2012-07-11 06:28 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys

2012-06-02 00:48 - 2012-07-11 06:28 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys

2012-06-02 00:48 - 2012-07-11 06:28 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys

2012-06-02 00:45 - 2012-07-11 06:28 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll

2012-06-02 00:44 - 2012-07-11 06:28 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

2012-06-01 23:40 - 2012-07-11 06:28 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll

2012-06-01 23:40 - 2012-07-11 06:28 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll

2012-06-01 23:39 - 2012-07-11 06:28 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll

2012-06-01 23:34 - 2012-07-11 06:28 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll

2012-06-01 15:37 - 2011-11-18 13:06 - 00000000 ____A C:\Users\Beth\My Documents\Nuance Image Printer Writer Port

2012-06-01 15:37 - 2011-11-18 13:06 - 00000000 ____A C:\Users\Beth\Documents\Nuance Image Printer Writer Port

2012-05-31 12:25 - 2010-11-20 22:27 - 00279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe

2012-05-31 11:58 - 2012-05-31 11:58 - 00013824 ____A C:\Users\Beth\My Documents\Billing.xls

2012-05-31 11:58 - 2012-05-31 11:58 - 00013824 ____A C:\Users\Beth\Documents\Billing.xls

2012-05-29 11:57 - 2011-12-03 17:40 - 00000000 ____A C:\Windows\brdfxspd.dat

ZeroAccess:

C:\Windows\Installer\{3372e53c-a36f-1e32-4118-d1d70f003a40}

C:\Windows\Installer\{3372e53c-a36f-1e32-4118-d1d70f003a40}\@

C:\Windows\Installer\{3372e53c-a36f-1e32-4118-d1d70f003a40}\L

C:\Windows\Installer\{3372e53c-a36f-1e32-4118-d1d70f003a40}\U

C:\Windows\Installer\{3372e53c-a36f-1e32-4118-d1d70f003a40}\U\00000001.@

C:\Windows\Installer\{3372e53c-a36f-1e32-4118-d1d70f003a40}\U\80000000.@

C:\Windows\Installer\{3372e53c-a36f-1e32-4118-d1d70f003a40}\U\800000cb.@

ZeroAccess:

C:\Users\Beth\AppData\Local\{3372e53c-a36f-1e32-4118-d1d70f003a40}

C:\Users\Beth\AppData\Local\{3372e53c-a36f-1e32-4118-d1d70f003a40}\L

C:\Users\Beth\AppData\Local\{3372e53c-a36f-1e32-4118-d1d70f003a40}\U

========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 9%

Total physical RAM: 8174.46 MB

Available physical RAM: 7395.95 MB

Total Pagefile: 8172.66 MB

Available Pagefile: 7386.12 MB

Total Virtual: 8192 MB

Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:919.22 GB) (Free:862.45 GB) NTFS

3 Drive e: (RECOVERY) (Fixed) (Total:12.25 GB) (Free:5.28 GB) NTFS ==>[system with boot components (obtained from reading drive)]

8 Drive j: () (Removable) (Total:29.7 GB) (Free:29.7 GB) FAT32

9 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 931 GB 0 B

Disk 1 Online 29 GB 0 B

Disk 2 No Media 0 B 0 B

Disk 3 No Media 0 B 0 B

Disk 4 No Media 0 B 0 B

Disk 5 No Media 0 B 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 OEM 39 MB 31 KB

Partition 2 Primary 12 GB 40 MB

Partition 3 Primary 919 GB 12 GB

==================================================================================

Disk: 0

Partition 1

Type : DE

Hidden: Yes

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 8 FAT Partition 39 MB Healthy Hidden

==================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 E RECOVERY NTFS Partition 12 GB Healthy

==================================================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C OS NTFS Partition 919 GB Healthy

==================================================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

* Partition 1 Primary 29 GB 0 B

==================================================================================

Disk: 1

There is no partition selected.

There is no partition selected.

Please select a partition and try again.

==================================================================================

Last Boot: 2012-08-07 00:02

======================= End Of Log ==========================

And second, the Search.txt.

Farbar Recovery Scan Tool Version: 14-08-2012

Ran by SYSTEM at 2012-08-14 11:42:15

Running from J:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

[2009-07-13 18:19] - [2009-07-13 20:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe

[2009-07-13 18:19] - [2012-08-08 03:13] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======

Thanks in advance for your assistance.


OK, here you go......Please carefully carry out this procedure!!!!!!

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (which ever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

MrC


Here is the Fixlog.txt

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 14-08-2012

Ran by SYSTEM at 2012-08-14 13:12:39 Run:1

Running from J:\

==============================================

C:\Windows\Installer\{3372e53c-a36f-1e32-4118-d1d70f003a40} moved successfully.

C:\Users\Beth\AppData\Local\{3372e53c-a36f-1e32-4118-d1d70f003a40} moved successfully.

C:\Windows\System32\services.exe moved successfully.

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====


Before we continue...........

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC


Here is the RogueKiller log

RogueKiller V7.6.6 [08/10/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User: Beth [Admin rights]

Mode: Scan -- Date: 08/14/2012 13:30:31

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 5 ¤¤¤

[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Beth\AppData\Local\{3372e53c-a36f-1e32-4118-d1d70f003a40}\n.) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD10EALX-759BA0 +++++

--- User ---

[MBR] f963d101b67d7fcb1545621163b20323

[bSP] 59ec9d8b4e51db5ec52d5e3eb3383826 : Windows Vista MBR Code

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 12542 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 25767936 | Size: 941286 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

RKreport[1].txt

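A defender-side check, added here and not part of the thread or of either tool: it parses the two log shapes posted above (the FRST "Search: services.exe" output and the RogueKiller registry section) and flags the two ZeroAccess indicators MrC acted on, a System32 services.exe whose MD5 differs from its WinSxS copy and an InprocServer32 entry pointing into a {GUID}\n. folder under AppData\Local. The sample lines are constructed from the values quoted in this thread; the regexes are assumptions about the log layout, not the tools' own formats.

```python
import re
from typing import Optional

# Constructed sample input, modelled on the FRST and RogueKiller lines quoted in the thread.
FRST_SEARCH = (
    "C:\\Windows\\winsxs\\amd64_microsoft-windows-s..s-servicecontroller_"
    "31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\\services.exe\n"
    "[2009-07-13 18:19] - [2009-07-13 20:39] - 0328704 ____A (Microsoft Corporation) "
    "24ACB7E5BE595468E3B9AA488B9B4FCB\n"
    "C:\\Windows\\System32\\services.exe\n"
    "[2009-07-13 18:19] - [2012-08-08 03:13] - 0328704 ____A (Microsoft Corporation) "
    "014A9CB92514E27C0107614DF764BC06\n"
)
ROGUEKILLER = (
    "[HJ] HKLM\\[...]\\System : EnableLUA (0) -> FOUND\n"
    "[ZeroAccess] HKCR\\[...]\\InprocServer32 : "
    "(C:\\Users\\Beth\\AppData\\Local\\{3372e53c-a36f-1e32-4118-d1d70f003a40}\\n.) -> FOUND\n"
)

# FRST detail line: [created] - [modified] - size attrs (company) MD5 (assumed layout)
DETAIL_RE = re.compile(r"\[(.+?)\] - \[(.+?)\] - (\d+) (\S+) \((.*?)\) ([0-9A-Fa-f]{32})$")
HIJACK_RE = re.compile(r"InprocServer32 : \((.+?)\) -> FOUND$")
# ZeroAccess COM hijack shape seen in the thread: AppData\Local\{GUID}\n.
ZA_PATH_RE = re.compile(r"\\AppData\\Local\\\{[0-9a-f-]{36}\}\\n\.$", re.IGNORECASE)


def parse_frst_search(text: str) -> dict:
    """Map each services.exe path in an FRST search block to (modified, size, md5)."""
    files, path = {}, None
    for line in text.splitlines():
        m = DETAIL_RE.match(line)
        if m and path:
            files[path] = (m.group(2), int(m.group(3)), m.group(6).upper())
            path = None
        elif line.lower().endswith("services.exe"):
            path = line
    return files


def services_exe_mismatch(files: dict) -> Optional[str]:
    """Finding when the live System32 copy differs from the WinSxS reference copy."""
    live = next((v for k, v in files.items() if "\\system32\\" in k.lower()), None)
    ref = next((v for k, v in files.items() if "\\winsxs\\" in k.lower()), None)
    if live is None or ref is None:
        return None
    if live[2] != ref[2]:  # same size, different MD5: the pattern in the thread's output
        return f"services.exe MD5 {live[2]} != WinSxS copy {ref[2]} (modified {live[0]})"
    return None


def zeroaccess_com_hijacks(text: str) -> list:
    """InprocServer32 targets from a RogueKiller log that match the {GUID}\\n. shape."""
    return [m.group(1) for m in map(HIJACK_RE.search, text.splitlines())
            if m and ZA_PATH_RE.search(m.group(1))]
```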

Run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest: (if found)

¤¤¤ Registry Entries: 5 ¤¤¤

[ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Beth\AppData\Local\{3372e53c-a36f-1e32-4118-d1d70f003a40}\n.) -> FOUND

Now click Delete on the right hand column under Options

-------------------------

Reboot and ..........

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

-------------------------------

Reboot and scan the system with RogueKiller again and post the new log, MrC


MBAM found no infections, but here is the log. Are there more steps I need to take to ensure the system is clean? I know Microsoft Security Essentials is not running, so I'm going to remove and reinstall it.

Malwarebytes Anti-Malware (Trial) 1.62.0.1300

www.malwarebytes.org

Database version: v2012.08.14.06

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Beth :: RUZICKA09 [administrator]

Protection: Disabled

8/14/2012 2:06:00 PM

mbam-log-2012-08-14 (14-06-00).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 193840

Time elapsed: 1 minute(s), 57 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


Sorry, I missed that request. But here is the log of a scan I just performed.

RogueKiller V7.6.6 [08/10/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User: Beth [Admin rights]

Mode: Scan -- Date: 08/14/2012 14:32:45

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 4 ¤¤¤

[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD10EALX-759BA0 +++++

--- User ---

[MBR] f963d101b67d7fcb1545621163b20323

[bSP] 59ec9d8b4e51db5ec52d5e3eb3383826 : Windows Vista MBR Code

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 12542 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 25767936 | Size: 941286 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[4].txt >>

RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt


After the clean up, scan with MSE.

~~~~~~~~~~~~~~~~

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

http://www.itxassoci...T-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

i.e. RogueKiller.exe, RKreport.txt, RK_Quarantine folder, etc....

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
