Tigzy wrote: Quads, please give a try with RogueKiller: http://www.adlice.com/zeroaccess-remova ... guekiller/
I had the user take the ZA folder out of the FRST Quarantine folder and put it back into the install folder; NOW the FRST Quarantine folder can be deleted.
Here is a screenshot from his system showing the folder back in location:
Files to move or delete:
====================
ZeroAccess:
C:\Program Files (x86)\Google\Desktop\Install\{9652e4e8-ecf6-b222-c8d1-a286d15be5d8}
I had the user download RogueKiller and run a scan (my RogueKiller download is days older).
RogueKiller V8.6.7 [Aug 28 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback :
http://www.adlice.com/forum/
Website :
http://www.adlice.com/softwares/roguekiller/
Blog :
http://tigzyrk.blogspot.com/
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Rene [Admin rights]
Mode : Scan -- Date : 09/01/2013 18:35:39
| ARK || FAK || MBR |
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Google Update ("C:\Users\Rene\AppData\Local\Google\Update\GoogleUpdate.exe" /c [7]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3704940909-3345842904-1635473410-1000\[...]\Run : Google Update ("C:\Users\Rene\AppData\Local\Google\Update\GoogleUpdate.exe" /c [7]) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Scheduled tasks : 5 ¤¤¤
[V1][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-3704940909-3345842904-1635473410-1000UA.job : C:\Users\Rene\AppData\Local\Google\Update\GoogleUpdate.exe - /ua /installsource scheduler [7][x] -> FOUND
[V1][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-3704940909-3345842904-1635473410-1000Core.job : C:\Users\Rene\AppData\Local\Google\Update\GoogleUpdate.exe - /c [7] -> FOUND
[V2][SUSP PATH] DealPly : C:\Users\Rene\AppData\Roaming\DealPly\UpdateProc\UpdateTask.exe - /Check [x] -> FOUND
[V2][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-3704940909-3345842904-1635473410-1000Core : C:\Users\Rene\AppData\Local\Google\Update\GoogleUpdate.exe - /c [7] -> FOUND
[V2][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-3704940909-3345842904-1635473410-1000UA : C:\Users\Rene\AppData\Local\Google\Update\GoogleUpdate.exe - /ua /installsource scheduler [7][x] -> FOUND
¤¤¤ Startup Entries : 2 ¤¤¤
[Default][SUSP PATH] Best Buy pc app.lnk : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk @C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe "C:\ProgramData\Best Buy pc app\Best Buy pc app.application" [-][7][-] -> FOUND
[Default User][SUSP PATH] Best Buy pc app.lnk : C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk @C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe "C:\ProgramData\Best Buy pc app\Best Buy pc app.application" [-][7][-] -> FOUND
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
¤¤¤ External Hives: ¤¤¤
¤¤¤ Infection : ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: ST3500413AS ATA Device +++++
--- User ---
[MBR] 10f85a32ab92494311cb79e915c87289
[BSP] bba74085005ebce33141caf6ccd87628 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 17408 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 35653632 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 35858432 | Size: 459430 Mo
User = LL1 ... OK!
User = LL2 ... OK!
+++++ PhysicalDrive1: ST3500413AS ATA Device +++++
--- User ---
[MBR] 3c31d08e3f9f8b450abd984fa861adc5
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 7727 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
+++++ PhysicalDrive2: ST3500413AS ATA Device +++++
--- User ---
[MBR] 3c31d08e3f9f8b450abd984fa861adc5
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 7727 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
Finished : << RKreport[0]_S_09012013_183539.txt >>
Didn't find the install folder :o
I created the Install folder on my system in the correct location (but empty), and RogueKiller finds my folder, but it didn't find his Install folder.