A forum for reverse engineering, OS internals and malware analysis 

 #20679  by Quads
 Mon Sep 02, 2013 6:36 am
MAXS wrote: I don't know, worked for me first time...

The Folder: directive is used only to show the content of a specific folder.

Try to use only this inside the fixlist:

c:\frst\quarantine

Doesn't listing a file or folder in a fixlist tell FRST to shift the listed file or folder to Quarantine (Moved successfully)? So how does that work when the folder to move is the Quarantine folder itself?

Quads
 #20680  by TwinHeadedEagle
 Mon Sep 02, 2013 6:37 am
Take a look at my example, it worked like a charm.


===================================================

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 02-09-2013 04
Ran by Joshua at 2013-08-28 17:33:24 Run:23
Running from C:\Users\Joshua\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
Folder: C:\FRST\Quarantine
*****************


========================= Folder: C:\FRST\Quarantine ========================

2013-08-28 17:24 - 2013-08-28 17:31 - 0000000 ____D () C:\FRST\Quarantine\{ce83b62b-b544-3a88-a9bd-8a4fe6bd5e33}
2013-08-28 17:24 - 2013-08-28 17:24 - 0000000 ____D () C:\FRST\Quarantine\{ce83b62b-b544-3a88-a9bd-8a4fe6bd5e33}\{ce83b62b-b544-3a88-a9bd-8a4fe6bd5e33}
2013-08-28 17:24 - 2013-08-28 17:24 - 0000000 ____D () C:\FRST\Quarantine\{ce83b62b-b544-3a88-a9bd-8a4fe6bd5e33}\❤≸⋙
2013-08-28 17:24 - 2013-08-28 17:24 - 0000000 ____D () C:\FRST\Quarantine\{ce83b62b-b544-3a88-a9bd-8a4fe6bd5e33}\{ce83b62b-b544-3a88-a9bd-8a4fe6bd5e33}\
2013-08-28 17:24 - 2013-08-28 17:24 - 0000000 ____D () C:\FRST\Quarantine\{ce83b62b-b544-3a88-a9bd-8a4fe6bd5e33}\❤≸⋙\Ⱒ☠⍨
2013-08-28 17:24 - 2013-08-28 17:24 - 0000000 ____D () C:\FRST\Quarantine\{ce83b62b-b544-3a88-a9bd-8a4fe6bd5e33}\{ce83b62b-b544-3a88-a9bd-8a4fe6bd5e33}\ \...
2013-08-28 17:24 - 2013-08-28 17:24 - 0000000 ____D () C:\FRST\Quarantine\{ce83b62b-b544-3a88-a9bd-8a4fe6bd5e33}\❤≸⋙\Ⱒ☠⍨\‮ﯹ๛
2013-08-28 17:24 - 2013-08-28 17:24 - 0000000 ____D () C:\FRST\Quarantine\{ce83b62b-b544-3a88-a9bd-8a4fe6bd5e33}\{ce83b62b-b544-3a88-a9bd-8a4fe6bd5e33}\ \...\‮ﯹ๛
2013-08-28 17:24 - 2013-08-28 17:24 - 0000000 ____D () C:\FRST\Quarantine\{ce83b62b-b544-3a88-a9bd-8a4fe6bd5e33}\❤≸⋙\Ⱒ☠⍨\‮ﯹ๛\{ce83b62b-b544-3a88-a9bd-8a4fe6bd5e33}
2013-08-28 17:24 - 2013-08-28 17:30 - 0000000 ____D () C:\FRST\Quarantine\{ce83b62b-b544-3a88-a9bd-8a4fe6bd5e33}\{ce83b62b-b544-3a88-a9bd-8a4fe6bd5e33}\ \...\‮ﯹ๛\{ce83b62b-b544-3a88-a9bd-8a4fe6bd5e33}
2013-08-28 17:24 - 2013-08-28 17:30 - 0000000 __SHD () C:\FRST\Quarantine\{ce83b62b-b544-3a88-a9bd-8a4fe6bd5e33}\{ce83b62b-b544-3a88-a9bd-8a4fe6bd5e33}\ \...\‮ﯹ๛\{ce83b62b-b544-3a88-a9bd-8a4fe6bd5e33}\U
2013-08-28 17:24 - 2013-08-28 17:24 - 0002048 __ASH () C:\FRST\Quarantine\@
2013-08-28 17:24 - 2013-08-28 17:27 - 0005632 __ASH () C:\FRST\Quarantine\Desktop.ini

====== End of Folder: ======


==== End of Fixlog ====

===============================================================

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 02-09-2013 04
Ran by Joshua at 2013-08-28 17:34:14 Run:24
Running from C:\Users\Joshua\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
DeleteQuarantine:
*****************

C:\FRST\Quarantine => Deleted successfully.

==== End of Fixlog ====
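The Folder: listing above shows what a triager is up against in such a quarantine: path components that ordinary Win32 file APIs cannot address as written (a bare space, "...", and a folder name carrying the bidi control character U+202E). The scanner below is an added example, not FRST's or any poster's code; it parses constructed lines in the same listing format (with {guid} standing in for the real folder GUID) and flags those components, and it also covers trailing dots or spaces and reserved device names, which the listing itself does not show.

```python
import re
import unicodedata

# Constructed sample lines in the shape of the FRST "Folder:" listing ({guid}
# stands in for the real folder GUID; not copied from any system). They hold
# a bare-space component, a "..." component and a name carrying U+202E (RLO).
SAMPLE_LOG = (
    "2013-08-28 17:24 - 2013-08-28 17:24 - 0000000 ____D () "
    "C:\\FRST\\Quarantine\\{guid}\\{guid}\\ \\...\n"
    "2013-08-28 17:24 - 2013-08-28 17:30 - 0000000 __SHD () "
    "C:\\FRST\\Quarantine\\{guid}\\ \\...\\\u202e\u0fb9\u0e5b\\{guid}\\U\n"
    "2013-08-28 17:24 - 2013-08-28 17:27 - 0005632 __ASH () "
    "C:\\FRST\\Quarantine\\Desktop.ini\n"
)

# One listing line: "<date> <time> - <date> <time> - <size> <attrs> () <path>"
LINE_RE = re.compile(r"^\S+ \S+ - \S+ \S+ - \d+ \S+ \(\) (.+)$")
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {f"{d}{i}" for d in ("COM", "LPT") for i in range(1, 10)}


def component_problems(name: str) -> list[str]:
    """Reasons one path component cannot be addressed by ordinary Win32 file calls."""
    problems = []
    if name.strip(" ") == "":
        problems.append("blank component")
    elif name.strip(" .") == "":
        problems.append("dots-only component")
    elif name != name.rstrip(" ."):
        problems.append("trailing space or dot")  # Win32 silently strips these
    if any(unicodedata.category(c) in ("Cc", "Cf") for c in name):
        problems.append("control/format character")  # e.g. U+202E right-to-left override
    if name.split(".")[0].upper() in RESERVED:
        problems.append("reserved device name")
    return problems


def scan_folder_listing(text: str) -> dict[str, list[str]]:
    """Return {path: [problem, ...]} for every listed path with a hostile component."""
    hits: dict[str, list[str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m.group(1)
        components = path.split("\\")[1:]  # drop the drive letter
        problems = [f"{c!r}: {p}" for c in components for p in component_problems(c)]
        if problems:
            hits[path] = problems
    return hits
```

Running `scan_folder_listing(SAMPLE_LOG)` reports the two quarantine paths with their offending components and leaves Desktop.ini alone; the same function can be pointed at a real Folder: listing pasted from a fixlog.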
 #20682  by Quads
 Mon Sep 02, 2013 6:52 am
I have had systems where, yes, that works, but here is another stubborn folder with the ZA folder inside.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 31-08-2013 04
Ran by Rene at 2013-08-31 20:01:03 Run:2
Running from C:\Users\Rene\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
Start
DeleteQuarantine:
end

*****************

C:\FRST\Quarantine => Failed to delete.

==== End of Fixlog ====
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 31-08-2013 04
Ran by SYSTEM at 2013-08-31 22:38:31 Run:3
Running from G:\
Boot Mode: Recovery
==============================================

Content of fixlist:
*****************
Start
DeleteQuarantine:
end

*****************

C:\FRST\Quarantine => Failed to delete.

==== End of Fixlog ====
 #20694  by Quads
 Mon Sep 02, 2013 7:01 pm
Tigzy wrote: Quads, please give it a try with RogueKiller: http://www.adlice.com/zeroaccess-remova ... guekiller/
I had the user take the ZA folder out of the FRST Quarantine folder and put it back in the install folder; NOW the FRST Quarantine folder can be deleted.

Here is a screenshot from his system showing the folder back in its location:

Image

Files to move or delete:
====================
ZeroAccess:
C:\Program Files (x86)\Google\Desktop\Install\{9652e4e8-ecf6-b222-c8d1-a286d15be5d8}


I had the user download RogueKiller and run a scan (my RogueKiller is a days-older download).

RogueKiller V8.6.7 [Aug 28 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Rene [Admin rights]
Mode : Scan -- Date : 09/01/2013 18:35:39
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Google Update ("C:\Users\Rene\AppData\Local\Google\Update\GoogleUpdate.exe" /c [7]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3704940909-3345842904-1635473410-1000\[...]\Run : Google Update ("C:\Users\Rene\AppData\Local\Google\Update\GoogleUpdate.exe" /c [7]) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 5 ¤¤¤
[V1][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-3704940909-3345842904-1635473410-1000UA.job : C:\Users\Rene\AppData\Local\Google\Update\GoogleUpdate.exe - /ua /installsource scheduler [7][x] -> FOUND
[V1][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-3704940909-3345842904-1635473410-1000Core.job : C:\Users\Rene\AppData\Local\Google\Update\GoogleUpdate.exe - /c [7] -> FOUND
[V2][SUSP PATH] DealPly : C:\Users\Rene\AppData\Roaming\DealPly\UpdateProc\UpdateTask.exe - /Check [x] -> FOUND
[V2][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-3704940909-3345842904-1635473410-1000Core : C:\Users\Rene\AppData\Local\Google\Update\GoogleUpdate.exe - /c [7] -> FOUND
[V2][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-3704940909-3345842904-1635473410-1000UA : C:\Users\Rene\AppData\Local\Google\Update\GoogleUpdate.exe - /ua /installsource scheduler [7][x] -> FOUND

¤¤¤ Startup Entries : 2 ¤¤¤
[Default][SUSP PATH] Best Buy pc app.lnk : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk @C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe "C:\ProgramData\Best Buy pc app\Best Buy pc app.application" [-][7][-] -> FOUND
[Default User][SUSP PATH] Best Buy pc app.lnk : C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk @C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe "C:\ProgramData\Best Buy pc app\Best Buy pc app.application" [-][7][-] -> FOUND

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts




¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3500413AS ATA Device +++++
--- User ---
[MBR] 10f85a32ab92494311cb79e915c87289
[BSP] bba74085005ebce33141caf6ccd87628 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 17408 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 35653632 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 35858432 | Size: 459430 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: ST3500413AS ATA Device +++++
--- User ---
[MBR] 3c31d08e3f9f8b450abd984fa861adc5
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 7727 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive2: ST3500413AS ATA Device +++++
--- User ---
[MBR] 3c31d08e3f9f8b450abd984fa861adc5
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 7727 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[0]_S_09012013_183539.txt >>

Didn't find the install folder :o


I created the Install folder on my system in the correct location (but empty), and RogueKiller finds my folder, but it didn't find his Install folder.