Jump to content

Rootkit detected, removed but back next day


Recommended Posts

I run scan and MalwareByte detects "Registry Keys Detected: 1
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_*202EETADPUG (Rootkit.0Access) .


The Log says no action taken but in completion window it allows for removal  and says success.

I can see it in quaranteen and delete it, restart Pc and redo scan which shows clear.

When I scan next day its there again. How can I permenantly remove this? tried going int registry but wont allow me access to delete.


Help please

Link to post
Share on other sites

Welcome to the forum.

Please download Farbar Recovery Scan Tool and save it to a folder. (use correct version for your system.....Which system am I using?)

Please make sure you click download buttons that look similar to this, not "sponsored ad links":


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
Link to post
Share on other sites

Thank you for your fast reply, I have downloaded Fabar but prior to seeing your reply I found Malwarebytes Anti-Rootkit BETA  tool which was running for couple of hours and I think that might have done the triick. I will run another scan in the morning and if still there I will attach the Logs you say. However things seem promising as some programs (MIS) which I couldnt access have started to work.

I will reply with results tomorrow.


Link to post
Share on other sites

I have to stop here because there's evidence of illegal software on your system.
The software is Adobe and the crack is your host file, it allows you to by-pass Adobe activation.

Read the policy on Piracy here:

If you want to continue to receive help, remove the software and restore the host file back to Microsofts original state.



2007-08-11 06:58 - 2013-10-13 22:33 - 00250882 ____A D:\WINDOWS\system32\Drivers\etc\hosts localhost mpa.one.microsoft.com activate.adobe.com practivate.adobe.com ereg.adobe.com activate.wip3.adobe.com wip3.adobe.com 3dns-3.adobe.com 3dns-2.adobe.com adobe-dns.adobe.com adobe-dns-2.adobe.com adobe-dns-3.adobe.com ereg.wip3.adobe.com activate-sea.adobe.com wwis-dubc1-vip60.adobe.com activate-sjc0.adobe.com practivate.adobe.com ereg.adobe.com activate.wip3.adobe.com wip3.adobe.com 3dns-3.adobe.com 3dns-2.adobe.com adobe-dns.adobe.com adobe-dns-2.adobe.com adobe-dns-3.adobe.com ereg.wip3.adobe.com activate-sea.adobe.com wwis-dubc1-vip60.adobe.com activate-sjc0.adobe.com



Link to post
Share on other sites

Please download and run RogueKiller 32 Bit to your desktop.

RogueKiller 64 Bit <---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes and use the default font)


Link to post
Share on other sites

RogueKiller V8.7.11 [Dec  3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Jim [Admin rights]
Mode : Scan -- Date : 12/12/2013 19:33:58
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[ZeroAccess][sERVICE] ???etadpug -- "D:\Program Files\Google\Desktop\Install\{a0a97ba7-73ec-17f8-1b98-f61f15c87bd3}\   \   \???ﯹ๛\{a0a97ba7-73ec-17f8-1b98-f61f15c87bd3}\GoogleUpdate.exe" < [x] -> STOPPED

¤¤¤ Registry Entries : 4 ¤¤¤
[sERVICE][ZeroAccess] HKLM\[...]\CCSet\[...]\Services : ???etadpug ("D:\Program Files\Google\Desktop\Install\{a0a97ba7-73ec-17f8-1b98-f61f15c87bd3}\   \   \???ﯹ๛\{a0a97ba7-73ec-17f8-1b98-f61f15c87bd3}\GoogleUpdate.exe" < [x]) -> FOUND
[sERVICE][ZeroAccess] HKLM\[...]\CS002\[...]\Services : ???etadpug ("D:\Program Files\Google\Desktop\Install\{a0a97ba7-73ec-17f8-1b98-f61f15c87bd3}\   \   \???ﯹ๛\{a0a97ba7-73ec-17f8-1b98-f61f15c87bd3}\GoogleUpdate.exe" < [x]) -> FOUND
[sERVICE][ZeroAccess] HKLM\[...]\CS003\[...]\Services : ???etadpug ("D:\Program Files\Google\Desktop\Install\{a0a97ba7-73ec-17f8-1b98-f61f15c87bd3}\   \   \???ﯹ๛\{a0a97ba7-73ec-17f8-1b98-f61f15c87bd3}\GoogleUpdate.exe" < [x]) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][Folder] Install : D:\Documents and Settings\Jim\Local Settings\Application Data\Google\Desktop\Install [-] --> FOUND
[ZeroAccess][Folder] Install : D:\Program Files\Google\Desktop\Install [-] --> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) SAMSUNG HD204UI +++++
--- User ---
[MBR] 44fa010f340e13893425780bf1208490
[bSP] ac38dada356d3b55042f9c0732d3b962 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 4096 | Size: 476927 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 976752000 | Size: 476913 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2930266112 | Size: 476934 Mo
3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1953472512 | Size: 476950 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_12122013_193358.txt >>


Link to post
Share on other sites

Download the attached fixlist.txt to the same folder as FRST.

Run FRST.exe and click Fix only once and wait

The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.


Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt
To attach a log if needed:

Bottom right corner of this page.


New window that comes up.




If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.


Link to post
Share on other sites

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.