Possible Google Redirect Virus

Hi Guys

I have been having problems with Google for the last few days.

If I do a Google search and then click on the website I want it redirects to a totally random website and keeps throwing up surveys for me to do.

When this started I noticed my Microsoft Security Essentials had disappeared - it no longer shows as an icon on the bottom right of my screen, and when I click on it from my start menu it says it can't find the application.

If I go to Add/Remove Programs it shows as being on the system.

I know you usually ask for a HT log so I have done one and will post it in the next post.

Thanks in advance for any help.

Comments

  • Eager_Elephant
    Eager_Elephant Posts: 4,714 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    Here is my HT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:03:09, on 11/07/2013
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\Program Files\Barclays\Business Manager\bin\ticketservice.exe
    C:\WINDOWS\Explorer.EXE
    c:\Program Files\Barclays\Business Manager\bin\updateservice.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\slserv.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Analog Devices\SoundMAX\smax4.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
    C:\Documents and Settings\Dad\Local Settings\Application Data\Akamai\netsession_win.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_UD.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Documents and Settings\Dad\Local Settings\Application Data\Akamai\netsession_win.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\svchost.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local;<local>
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RemHelp] remhelp.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [AutoProp] C:\PROGRA~1\MICROS~4\Office10\bots\fp_wmp\regprop.exe C:\PROGRA~1\MICROS~4\Office10\bots\fp_wmp\WMPaddin.dll
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [Conime] %windir%\system32\conime.exe
    O4 - HKLM\..\Run: [RIMBBLaunchAgent.exe] C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
    O4 - HKLM\..\Run: [CitrixReceiver] "C:\Documents and Settings\All Users\Start Menu\Programs\Citrix\Receiver Updater.lnk"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
    O4 - HKCU\..\Run: [Akamai NetSession Interface] "C:\Documents and Settings\Dad\Local Settings\Application Data\Akamai\netsession_win.exe"
    O4 - HKUS\S-1-5-21-4060819339-1799449563-1670966297-1012\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
    O4 - HKUS\S-1-5-21-4060819339-1799449563-1670966297-1012\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User '?')
    O4 - HKUS\S-1-5-21-4060819339-1799449563-1670966297-1014\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Palo Alto Software Update Manager 8.0.lnk = C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_UD.exe
    O4 - Global Startup: Reboot.exe
    O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Mahjong%20World/Images/stg_drm.ocx
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
    O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134894082296
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mahjong%20World/Images/armhelper.ocx
    O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: BBM Ticket Service (BBMTicketService) - - c:\Program Files\Barclays\Business Manager\bin\ticketservice.exe
    O23 - Service: BBM Update Service (BBMUpdateService) - - c:\Program Files\Barclays\Business Manager\bin\updateservice.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Microsoft Antimalware Service (MsMpSvc) - Unknown owner - C:\Program Files\Microsoft Security Client\MsMpEng.exe
    O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    --
    End of file - 10229 bytes
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    edited 11 July 2013 at 8:12PM
    Download Roguekiller from the link below & save it to your desktop

    LINK
    • Double click roguekiller.exe to run it.
    • Wait for the prescan to finish.
    • Accept the EULA
    • Under Options, click the Scan button
    • When the Status reports Scan finished, click Report under Options

      If an infection is detected, do not delete anything yet!

    • Notepad will open. Copy & paste the contents of that report in a reply here.
    • The log can also be found on your desktop entitled RKreport[**].txt
    • Close RogueKiller. Click Yes to the prompt
  • Eager_Elephant
    Eager_Elephant Posts: 4,714 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    Thanks

    Roguekiller report:

    RogueKiller V8.6.2 [Jul 5 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.adlice.com/forum/
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://tigzyrk.blogspot.com/
    Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User : Dad [Admin rights]
    Mode : Scan -- Date : 07/11/2013 20:21:38
    | ARK || FAK || MBR |
    ¤¤¤ Bad processes : 1 ¤¤¤
    [SVCHOST] svchost.exe -- C:\WINDOWS\system32\svchost.exe [7] -> KILLED [TermProc]
    ¤¤¤ Registry Entries : 7 ¤¤¤
    [HJ SECU] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND
    [HJ SECU] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    [HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-21-4060819339-1799449563-1670966297-1005\$567689b5dca9e7ce2a628e9c38abf5f4\n. [-]) -> FOUND
    [HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-18\$567689b5dca9e7ce2a628e9c38abf5f4\n. [-]) -> FOUND
    [HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-18\$567689b5dca9e7ce2a628e9c38abf5f4\n. [-]) -> FOUND
    ¤¤¤ Scheduled tasks : 0 ¤¤¤
    ¤¤¤ Startup Entries : 0 ¤¤¤
    ¤¤¤ Web browsers : 0 ¤¤¤
    ¤¤¤ Particular Files / Folders: ¤¤¤
    [ZeroAccess][File] n : C:\RECYCLER\S-1-5-18\$567689b5dca9e7ce2a628e9c38abf5f4\n [-] --> FOUND
    [ZeroAccess][File] n : C:\RECYCLER\S-1-5-21-4060819339-1799449563-1670966297-1005\$567689b5dca9e7ce2a628e9c38abf5f4\n [-] --> FOUND
    [ZeroAccess][File] @ : C:\RECYCLER\S-1-5-18\$567689b5dca9e7ce2a628e9c38abf5f4\@ [-] --> FOUND
    [ZeroAccess][File] @ : C:\RECYCLER\S-1-5-21-4060819339-1799449563-1670966297-1005\$567689b5dca9e7ce2a628e9c38abf5f4\@ [-] --> FOUND
    [ZeroAccess][Folder] U : C:\RECYCLER\S-1-5-18\$567689b5dca9e7ce2a628e9c38abf5f4\U [-] --> FOUND
    [ZeroAccess][Folder] U : C:\RECYCLER\S-1-5-21-4060819339-1799449563-1670966297-1005\$567689b5dca9e7ce2a628e9c38abf5f4\U [-] --> FOUND
    [ZeroAccess][Folder] L : C:\RECYCLER\S-1-5-18\$567689b5dca9e7ce2a628e9c38abf5f4\L [-] --> FOUND
    [ZeroAccess][Folder] L : C:\RECYCLER\S-1-5-21-4060819339-1799449563-1670966297-1005\$567689b5dca9e7ce2a628e9c38abf5f4\L [-] --> FOUND
    [ZeroAccess][File] Desktop.ini : C:\WINDOWS\assembly\GAC\Desktop.ini [-] --> FOUND
    ¤¤¤ Driver : [LOADED] ¤¤¤
    ¤¤¤ External Hives: ¤¤¤
    ¤¤¤ Infection : ZeroAccess ¤¤¤
    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts

    127.0.0.1 localhost

    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: ST3160021A +++++
    --- User ---
    [MBR] 69953ba01dbc7ae00c41def2da3eef07
    [BSP] a1571a7cce92e180218817d8ac13bc61 : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 80325 | Size: 152586 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!
    +++++ PhysicalDrive1: ST3160021A +++++
    --- User ---
    [MBR] 7639788a4f2ad936e277d1b2584d3bf1
    [BSP] 20da3c55c8efad17264dc84d570011f8 : Empty MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152625 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!
    +++++ PhysicalDrive2: ST3160021A +++++
    --- User ---
    [MBR] 011d205b0637a6af57e416e9d656ec4b
    [BSP] cf81834338789c5364adc30c450e202d : Empty MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152625 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!
    Finished : << RKreport[0]_S_07112013_202138.txt >>
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    As I suspected.
    ¤¤¤ Infection : ZeroAccess ¤¤¤
    aka Sirefef - http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2FSirefef

    Go here and read through the instructions for downloading and running ComboFix:

    Bleeping Computer ComboFix Tutorial
    • IMPORTANT! Ensure you temporarily turn off your antivirus before downloading & running. Instructions here
    • Save combofix to your desktop.
    • Double click combofix.exe & follow the prompts closely.
    • Combofix may reboot the PC several times.
    • When it's finished, it will automatically produce a log. Post the contents of that log.
    • It can also be found on your C:\ drive named combofix.txt
    Above all, BE PATIENT! and let it run its course.
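The diagnosis above rests on a handful of indicators in the RogueKiller report: the payload store under C:\RECYCLER\<SID>\$<32 hex chars> (reached both as files and through the hijacked COM InprocServer32 entries), the fake Desktop.ini in the GAC, and the Security Center *DisableNotify values that hide the missing-antivirus warning. As an added example (not code from the thread, from RogueKiller or from its author), this Python script parses RogueKiller-style finding lines and classifies those indicators; the indicator class names are assumptions of this example and the report excerpt is constructed from the lines posted above.

```python
import re
from collections import Counter

# Constructed excerpt of a RogueKiller scan report, built from the lines
# posted in this thread (not a complete report).
SAMPLE_REPORT = r"""
RogueKiller V8.6.2 [Jul 5 2013] by Tigzy
¤¤¤ Bad processes : 1 ¤¤¤
[SVCHOST] svchost.exe -- C:\WINDOWS\system32\svchost.exe [7] -> KILLED [TermProc]
¤¤¤ Registry Entries : 7 ¤¤¤
[HJ SECU] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND
[HJ SECU] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-21-4060819339-1799449563-1670966297-1005\$567689b5dca9e7ce2a628e9c38abf5f4\n. [-]) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-18\$567689b5dca9e7ce2a628e9c38abf5f4\n. [-]) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][File] n : C:\RECYCLER\S-1-5-18\$567689b5dca9e7ce2a628e9c38abf5f4\n [-] --> FOUND
[ZeroAccess][Folder] U : C:\RECYCLER\S-1-5-21-4060819339-1799449563-1670966297-1005\$567689b5dca9e7ce2a628e9c38abf5f4\U [-] --> FOUND
[ZeroAccess][File] Desktop.ini : C:\WINDOWS\assembly\GAC\Desktop.ini [-] --> FOUND
¤¤¤ Infection : ZeroAccess ¤¤¤
"""

# One finding line: leading [TAG][TAG] blocks, a body, then "-> STATUS" or "--> STATUS"
# (status may be missing on truncated lines, as in the second report in the thread).
FINDING_RE = re.compile(r'^((?:\[[^\]]+\])+)\s*(.*?)\s*-{1,2}>\s*(\w*)')
TAG_RE = re.compile(r'\[([^\]]+)\]')

# ZeroAccess keeps its payload in a per-SID recycle-bin folder named "$" + 32 hex
# chars; the report shows the same store under SYSTEM (S-1-5-18) and the user's SID.
ZA_STORE_RE = re.compile(r'\\RECYCLER\\(S-1-5-[0-9-]+)\\\$([0-9a-fA-F]{32})\\')
# The fake GAC Desktop.ini is the other classic ZeroAccess file indicator.
GAC_INI_RE = re.compile(r'\\assembly\\GAC\\Desktop\.ini\b', re.IGNORECASE)
# *DisableNotify = 1 silences Security Center's "no antivirus / no firewall" alerts.
SECU_RE = re.compile(r'Security Center : (\w+DisableNotify) \(1\)')


def classify(tags, body):
    """Map one finding to an indicator class (names assumed here), or None."""
    if ZA_STORE_RE.search(body):
        return 'zeroaccess_recycler_store'
    if GAC_INI_RE.search(body):
        return 'zeroaccess_gac_desktop_ini'
    if SECU_RE.search(body):
        return 'security_center_notify_disabled'
    if 'ZeroAccess' in tags:
        return 'zeroaccess_other'
    return None


def parse_report(text):
    """Return one dict per finding line: tags, body, status and indicator class."""
    findings = []
    for raw in text.splitlines():
        m = FINDING_RE.match(raw.strip())
        if not m:
            continue  # version header, ¤¤¤ section banners, MBR block, etc.
        tags = TAG_RE.findall(m.group(1))
        body, status = m.group(2), m.group(3)
        findings.append({'tags': tags, 'body': body, 'status': status,
                         'indicator': classify(tags, body)})
    return findings


def summarize(text):
    """Count indicator classes, list distinct (SID, store) pairs, give a verdict."""
    findings = parse_report(text)
    counts = Counter(f['indicator'] for f in findings if f['indicator'])
    stores = set()
    for f in findings:
        m = ZA_STORE_RE.search(f['body'])
        if m:
            stores.add((m.group(1), m.group(2).lower()))
    # Verdict comes from the indicators, not the tool's own "Infection :" banner,
    # so it still works on a paste that was cut off before that line.
    verdict = 'ZeroAccess' if any(k.startswith('zeroaccess') for k in counts) else 'clean'
    return {'counts': dict(counts), 'stores': sorted(stores), 'verdict': verdict}


if __name__ == '__main__':
    print(summarize(SAMPLE_REPORT))
```

The same store hash appearing under both S-1-5-18 and the user's SID is what distinguishes a real ZeroAccess install from a stray recycle-bin folder, so the summary keeps the (SID, hash) pairs rather than just a count.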
  • Eager_Elephant
    Eager_Elephant Posts: 4,714 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    Thanks again

    I am unable to disable Microsoft Security Essentials as the icon has disappeared and in my start menu it says 'The file cannot be accessed at this time'.

    When I went in to Add/Remove Programs it told me that the program had already been removed and did I want to remove it from the list??

    Obviously Combofix wants it disabled otherwise it won't work properly?

    Any ideas?
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    If it's not accessible, let combofix continue. OK any warnings it may give.
  • Eager_Elephant
    Eager_Elephant Posts: 4,714 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    Sorry for being dim but just wondered how patient I need to be.

    I have been running ComboFix for nearly 24 hours and I think it has got stuck.

    On my computer screen I have a blue box with all that it was doing like the stages etc and then it started deleting files etc and after deleting loads the cursor is just sitting there flashing. It was like this at 8am this morning and has not changed since.

    My screensaver is now on the screen and I can't get rid of it to access my desktop but I can see the Combofix box.

    I assume once Combofix is finished it would come up with a note to tell me it has finished??

    Shall I switch the computer off and try again or just leave it?

    Thanks

    I have just read back to your instructions and I think this might be the log I need to post but as my computer is stuck I can't so shall I just switch it off and try to find the log under the C drive?
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    No, it shouldn't take that long at all by far. Ctrl + alt + del to bring up task manager then shut down using that.

    Go and see if c:\combofix.txt exists. If not, re-run rogue killer.
  • Eager_Elephant
    Eager_Elephant Posts: 4,714 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    Here is my Rogue Killer report if it is needed:

    RogueKiller V8.6.2 [Jul 5 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.adlice.com/forum/
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://tigzyrk.blogspot.com/
    Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User : Dad [Admin rights]
    Mode : Scan -- Date : 07/13/2013 07:50:06
    | ARK || FAK || MBR |
    ¤¤¤ Bad processes : 2 ¤¤¤
    [SUSP PATH][DLL] explorer.exe -- c:\DOCUME~1\ALLUSE~1\APPLIC~1\BROWSE~1\261339~1.144\{C16C1~1\BROWSE~1.DLL [x] ->
    [SUSP PATH][WHITELIST] explorer.exe -- c:\DOCUME~1\ALLUSE~1\APPLIC~1\BROWSE~1\261339~1.144\{C16C1~1\BROWSE~1.DLL [x] ->
    ¤¤¤ Registry Entries : 6 ¤¤¤
    [HJ POL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
    [HJ SECU] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND
    [HJ SECU] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    [APPINIT][SUSP PATH] HKLM\[...]\Windows : AppInit_DLLs (c:\DOCUME~1\ALLUSE~1\APPLIC~1\BROWSE~1\261339~1.144\{C16C1~1\BROWSE~1.DLL [7]) -> FOUND
    ¤¤¤ Scheduled tasks : 1 ¤¤¤
    [V1][SUSP PATH] At1.job : C:\DOCUME~1\Dad\APPLIC~1\DSite\UPDATE~1\UPDATE~1.EXE - /Check [-] -> FOUND
    ¤¤¤ Startup Entries : 0 ¤¤¤
    ¤¤¤ Web browsers : 0 ¤¤¤
    ¤¤¤ Particular Files / Folders: ¤¤¤
    [ZeroAccess][File] @ : C:\RECYCLER\S-1-5-18\$567689b5dca9e7ce2a628e9c38abf5f4\@ [-] --> FOUND
    [ZeroAccess][Folder] U : C:\RECYCLER\S-1-5-18\$567689b5dca9e7ce2a628e9c38abf5f4\U [-] --> FOUND
    ¤¤¤ Driver : [LOADED] ¤¤¤
    ¤¤¤ External Hives: ¤¤¤
    ¤¤¤ Infection : ZeroAccess ¤¤¤
    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts

    127.0.0.1 localhost

    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: ST3160021A +++++
    --- User ---
    [MBR] 69953ba01dbc7ae00c41def2da3eef07
    [BSP] a1571a7cce92e180218817d8ac13bc61 : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 80325 | Size: 152586 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!
    +++++ PhysicalDrive1: ST3160021A +++++
    --- User ---
    [MBR] 7639788a4f2ad936e277d1b2584d3bf1
    [BSP] 20da3c55c8efad17264dc84d570011f8 : Empty MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152625 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!
    +++++ PhysicalDrive2: ST3160021A +++++
    --- User ---
    [MBR] 011d205b0637a6af57e416e9d656ec4b
    [BSP] cf81834338789c5364adc30c450e202d : Empty MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152625 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!
    Finished : << RKreport[0]_S_07132013_075006.txt >>
    Shall I run ComboFix again?
  • Eager_Elephant
    Eager_Elephant Posts: 4,714 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    I have run ComboFix and I now have a log:

    ComboFix 13-07-12.01 - Dad 13/07/2013 8:05.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.991.525 [GMT 1:00]
    Running from: c:\documents and settings\Dad\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run
    .
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\Dad\Application Data\171add71-9f03-4572-a359-6004e36869b8.txt
    c:\documents and settings\Dad\Application Data\adebbc25-cdd0-46d7-a526-76defa60da02.txt
    c:\documents and settings\Dad\Application Data\BonsaiErrorLog.txt
    c:\documents and settings\Dad\My Documents\~WRL0001.tmp
    c:\documents and settings\Dad\WINDOWS
    c:\documents and settings\meat boutique\Application Data\171add71-9f03-4572-a359-6004e36869b8.txt
    C:\install.exe
    c:\recycler\S-1-5-18\$567689b5dca9e7ce2a628e9c38abf5f4\n
    C:\Thumbs.db
    c:\windows\assembly\GAC\Desktop.ini
    c:\windows\EventSystem.log
    c:\windows\smdat32a.sys
    c:\windows\smdat32m.sys
    c:\windows\system32\dllcache\wmpvis.dll
    c:\windows\system32\drivers\etc\hosts.ics
    c:\windows\system32\dumphive.exe
    c:\windows\system32\Process.exe
    c:\windows\system32\spool\prtprocs\w32x86\ppbiPr.dll
    c:\windows\system32\SrchSTS.exe
    c:\windows\system32\Thumbs.db
    c:\windows\system32\tmp.reg
    c:\windows\system32\VCCLSID.exe
    c:\windows\system32\WS2Fix.exe
    c:\windows\wininit.ini
    E:\explorer.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    \Legacy_BROWSERDEFENDERT