hmm...Rootkit? Malware? (Win7 x64)

Win7 Sp1 x64 home prem.
Dell laptop, AVG and Zone Alarm running.

Hello - and thanks in advance for any assistance offered.
This forum is astonishing.

We believe that 1 (non-admin) user account was infected with a rootkit based on existing threads on this forum and elsewhere (2 instances of iexplore.exe running in task manager despite only using firefox for example).
Before finding this forum, had already deleted that account, checked av/firewall was up to date and ran ccleaner, Malwarebytes etc. No other symptoms in other accounts.

Worried we may have removed visible traces, leaving the effective remnant still actively lurking somewhere. Almost hope a prob can be found and removed for conclusive answer(!). Finding this very stressful.


So....

As per instructions, UAC disabled, steps folllowed (hopefully!), scans made.
Logs attached:

Hitman found nothing so no log.

 

Welcome to MajorGeeks, despairnoob

http://img850.imageshack.us/img850/4746/programsandfeatureswin7.gif From Programs and Features (via Control Panel), please uninstall the below:

• Java(TM) 6 Update 31 (outdated)
• Java(TM) 7 Update 5 (outdated)

__

Delete the following items listed below:

• C:\Users\NewAd\Desktop\cnet2_ComboFix_exe.exe <= File
• C:\Users\NewAd\Desktop\c0vs0l34.exe <= File
• C:\ProgramData\-aqHe0RUCNjxLfb <= File
• C:\ProgramData\-aqHe0RUCNjxLfbr <= File
• C:\ProgramData\aqHe0RUCNjxLfb <= File
• C:\ProgramData\dvssvnqlzfzwktn <= Folder
• C:\ProgramData\knojosoqvsexjqv <= File

__

The rest of your logs are clean. Also having more than iexplore.exe running is quite normal. And you don't have a TDL infection which used to launch iexplore.exe on its own.

 

thisisu,
Many, many thanks for your kind attention.

As asked I have uninstalled the 2 outdated java & deleted listed files/folder. I include hitman log for completeness (not sure why I did not include it before!).
Also, over-eagerly, I had scanned with OTL and include that.

I didn't and hadn't used IE this year (until last few days since posting here). The two instances running would not shut down and were using lots of memory.

So the laptop was infected? All those files were created at the same date
I have read in many places that you can never be 100% sure of removing a compromise. Would you recommend a clean install?

thanks in advance for any further guidance.

 

It was infected at some point I believe with some type of Fake AntiVirus. I do not think it active though. Just remnants.

Only if you do not mind reinstalling all your programs. You could back up the data before hand. However, I would not recommend it in your case because you didn't appear to be heavily infected at all.

 

Did you have difficulty deleting the files and folders I mentioned above? They are still present according to your OTL log.

 

thisisu,

Many thank once again for your reply.
Sorry for confusion re OTL - the log was produced same time as the others - hence the now-deleted filed weres still present. They are def gone now.
I will change UAC back etc and finish up as per instructions in removal guide.
Thanks again.

 

You're welcome. Be safe.