Rootkit detected, removed but back next day


FU_Too


I run a scan and Malwarebytes detects "Registry Keys Detected: 1
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_*202EETADPUG (Rootkit.0Access)".

 

The log says no action taken, but in the completion window it allows for removal and says success.

I can see it in quarantine and delete it, restart the PC and redo the scan, which shows clear.

When I scan the next day it's there again. How can I permanently remove this? I tried going into the registry but it won't allow me access to delete it.

 

Help please

Welcome to the forum.

Please download Farbar Recovery Scan Tool and save it to a folder. (Use the correct version for your system... Which system am I using?)

Please make sure you click download buttons that look similar to this, not "sponsored ad links":


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
MrC
Thank you for your fast reply. I have downloaded Farbar, but prior to seeing your reply I found the Malwarebytes Anti-Rootkit BETA 1.07.0.1008 tool, which was running for a couple of hours, and I think that might have done the trick. I will run another scan in the morning and if it's still there I will attach the logs you mention. However, things seem promising, as some programs (MIS) which I couldn't access have started to work.

I will reply with results tomorrow.

Thanks

I have to stop here because there's evidence of illegal software on your system.
The software is Adobe and the crack is your hosts file; it allows you to bypass Adobe activation.

Read the policy on Piracy here:
http://forums.malwarebytes.org/index.php?showtopic=97700

If you want to continue to receive help, remove the software and restore the hosts file to Microsoft's original state.

MrC

--------------------------------------------
 

2007-08-11 06:58 - 2013-10-13 22:33 - 00250882 ____A D:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1 localhost
127.0.0.1 mpa.one.microsoft.com
127.0.0.1 activate.adobe.com
127.0.0.1 practivate.adobe.com
127.0.0.1 ereg.adobe.com
127.0.0.1 activate.wip3.adobe.com
127.0.0.1 wip3.adobe.com
127.0.0.1 3dns-3.adobe.com
127.0.0.1 3dns-2.adobe.com
127.0.0.1 adobe-dns.adobe.com
127.0.0.1 adobe-dns-2.adobe.com
127.0.0.1 adobe-dns-3.adobe.com
127.0.0.1 ereg.wip3.adobe.com
127.0.0.1 activate-sea.adobe.com
127.0.0.1 wwis-dubc1-vip60.adobe.com
127.0.0.1 activate-sjc0.adobe.com
127.0.0.1 practivate.adobe.com
127.0.0.1 ereg.adobe.com
127.0.0.1 activate.wip3.adobe.com
127.0.0.1 wip3.adobe.com
127.0.0.1 3dns-3.adobe.com
127.0.0.1 3dns-2.adobe.com
127.0.0.1 adobe-dns.adobe.com
127.0.0.1 adobe-dns-2.adobe.com
127.0.0.1 adobe-dns-3.adobe.com
127.0.0.1 ereg.wip3.adobe.com
127.0.0.1 activate-sea.adobe.com
127.0.0.1 wwis-dubc1-vip60.adobe.com
127.0.0.1 activate-sjc0.adobe.com
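The post above shows what an activation crack looks like in the hosts file: every Adobe activation and licensing hostname (plus mpa.one.microsoft.com) is mapped to 127.0.0.1, so the lookups never leave the machine. The same mechanism is used by malware to cut a host off from update and antivirus servers, which is why helpers check the hosts file during a cleanup. As an added example that is not part of the thread and not a Malwarebytes tool, the Python below parses hosts-file text and reports every name other than localhost that is pointed at a loopback or unspecified address. The sample hosts text is constructed for the example and modelled on the file posted above; it is not a copy of it.

```python
"""Flag hosts-file entries that sinkhole real hostnames to a loopback address.

A stock Windows XP hosts file has a single active line, "127.0.0.1 localhost".
Anything else mapped to 127/8, ::1, 0.0.0.0 or :: is a blackhole entry and
deserves a look: activation servers here, update or AV servers in malware.
"""
import ipaddress
from collections import Counter

# Names that legitimately point at loopback on a stock Windows hosts file.
DEFAULT_LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample modelled on the hosts file in this thread (not a copy of it).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       mpa.one.microsoft.com
127.0.0.1       activate.adobe.com
127.0.0.1       practivate.adobe.com
0.0.0.0         ereg.adobe.com        # 0.0.0.0 blackholes a name just as well
127.0.0.1       practivate.adobe.com  # duplicate, as in the posted file
# 192.168.1.10  intranet.example      # commented out: ignored
192.168.1.10    printer.example       # a real LAN mapping, not a sinkhole
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue                           # blank, comment-only or malformed
        address, names = fields[0], fields[1:]
        for name in names:                     # one address may carry several names
            yield address, name.lower()


def is_blackhole(address):
    """True for loopback (127/8, ::1) and unspecified (0.0.0.0, ::) addresses."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return False                           # not an IP literal; leave it alone
    return addr.is_loopback or addr.is_unspecified


def find_sinkholed(text):
    """Return {hostname: occurrences} for names redirected to a blackhole address."""
    hits = Counter()
    for address, name in parse_hosts(text):
        if name not in DEFAULT_LOCAL_NAMES and is_blackhole(address):
            hits[name] += 1
    return dict(hits)


def group_by_domain(hits):
    """Group sinkholed names under their last two labels, e.g. 'adobe.com'."""
    groups = {}
    for name in sorted(hits):
        domain = ".".join(name.split(".")[-2:])
        groups.setdefault(domain, []).append(name)
    return groups


if __name__ == "__main__":
    sinkholed = find_sinkholed(SAMPLE_HOSTS)
    for domain, names in group_by_domain(sinkholed).items():
        print(domain)
        for name in names:
            print("  %-28s x%d" % (name, sinkholed[name]))
```

On a live machine, read `%SystemRoot%\System32\drivers\etc\hosts` into `find_sinkholed` instead of the sample; an empty result means the file is back to the stock content the helper asked for. Grouping by domain makes the pattern obvious at a glance: a dozen names under one vendor's domain is a crack or a sinkhole, not an accident.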

Please download RogueKiller 32 Bit to your desktop and run it.

RogueKiller 64 Bit <---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, right-click on the program, select Run as Administrator to start, and when prompted, Allow it to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options; they're not all bad!

Post back the report, which should be located on your desktop.

(please don't put logs in code or quotes and use the default font)

MrC

RogueKiller V8.7.11 [Dec  3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Jim [Admin rights]
Mode : Scan -- Date : 12/12/2013 19:33:58
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[ZeroAccess][SERVICE] ???etadpug -- "D:\Program Files\Google\Desktop\Install\{a0a97ba7-73ec-17f8-1b98-f61f15c87bd3}\   \   \???ﯹ๛\{a0a97ba7-73ec-17f8-1b98-f61f15c87bd3}\GoogleUpdate.exe" < [x] -> STOPPED

¤¤¤ Registry Entries : 4 ¤¤¤
[SERVICE][ZeroAccess] HKLM\[...]\CCSet\[...]\Services : ???etadpug ("D:\Program Files\Google\Desktop\Install\{a0a97ba7-73ec-17f8-1b98-f61f15c87bd3}\   \   \???ﯹ๛\{a0a97ba7-73ec-17f8-1b98-f61f15c87bd3}\GoogleUpdate.exe" < [x]) -> FOUND
[SERVICE][ZeroAccess] HKLM\[...]\CS002\[...]\Services : ???etadpug ("D:\Program Files\Google\Desktop\Install\{a0a97ba7-73ec-17f8-1b98-f61f15c87bd3}\   \   \???ﯹ๛\{a0a97ba7-73ec-17f8-1b98-f61f15c87bd3}\GoogleUpdate.exe" < [x]) -> FOUND
[SERVICE][ZeroAccess] HKLM\[...]\CS003\[...]\Services : ???etadpug ("D:\Program Files\Google\Desktop\Install\{a0a97ba7-73ec-17f8-1b98-f61f15c87bd3}\   \   \???ﯹ๛\{a0a97ba7-73ec-17f8-1b98-f61f15c87bd3}\GoogleUpdate.exe" < [x]) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][Folder] Install : D:\Documents and Settings\Jim\Local Settings\Application Data\Google\Desktop\Install [-] --> FOUND
[ZeroAccess][Folder] Install : D:\Program Files\Google\Desktop\Install [-] --> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

 

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) SAMSUNG HD204UI +++++
--- User ---
[MBR] 44fa010f340e13893425780bf1208490
[BSP] ac38dada356d3b55042f9c0732d3b962 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 4096 | Size: 476927 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 976752000 | Size: 476913 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2930266112 | Size: 476934 Mo
3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1953472512 | Size: 476950 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_12122013_193358.txt >>

 

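The RogueKiller report ties the recurring key from the first post to its cause: a ZeroAccess service named "???etadpug" running a fake GoogleUpdate.exe out of a Google\Desktop\Install folder, registered in the current control set and in the CS002 and CS003 backups. The key under Enum\Root, LEGACY_*202EETADPUG, is only the Plug and Play record Windows keeps for a service loaded as a legacy driver, which is why deleting that one key in quarantine changed nothing: the service that recreates it was never touched. As an added example that is not from the thread, from Malwarebytes or from RogueKiller, the Python below decodes that key name and shows the naming trick behind it. It assumes, as the key in this thread suggests, that LEGACY_ key names upper-case the service name and write characters outside plain ASCII as '*' followed by four hex digits.

```python
"""Decode the obfuscated service name behind the key that keeps coming back.

Decoding LEGACY_*202EETADPUG yields U+202E followed by "ETADPUG". U+202E is
RIGHT-TO-LEFT OVERRIDE: it is invisible, and a UI draws everything after it
reversed, so the stored name "etadpug" is displayed as "gupdate" and passes
for Google Update. RogueKiller prints the same name as "???etadpug" because
it cannot render the control character.
"""
import re
import unicodedata

# Unicode bidirectional controls: invisible, but they reorder what is drawn.
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"   # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"         # isolates
    "\u200e\u200f"                     # LRM, RLM
)

# '*' plus four hex digits: the assumed escape used in Enum\Root LEGACY_ names.
_ESCAPED = re.compile(r"\*([0-9A-Fa-f]{4})")


def decode_legacy_key(key_name):
    """Turn an Enum\\Root LEGACY_ key name back into the service name it encodes."""
    prefix = "LEGACY_"
    if not key_name.upper().startswith(prefix):
        raise ValueError("not a LEGACY_ key name: %r" % key_name)
    body = key_name[len(prefix):]
    return _ESCAPED.sub(lambda m: chr(int(m.group(1), 16)), body)


def as_displayed(name):
    """Approximate how a left-to-right UI renders a name with a U+202E in it.

    Everything after a RIGHT-TO-LEFT OVERRIDE is drawn reversed and the
    override itself is invisible; only this single-override case is modelled.
    """
    head, sep, tail = name.partition("\u202e")
    return head + tail[::-1] if sep else name


def name_findings(name):
    """List the reasons a service or key name deserves a closer look."""
    reasons = []
    if any(ch in BIDI_CONTROLS for ch in name):
        reasons.append("contains Unicode bidirectional control characters")
    if any(unicodedata.category(ch).startswith("C") for ch in name):
        reasons.append("contains non-printable characters")
    shown = as_displayed(name)
    if shown != name:
        reasons.append("displays as %r but is stored as %r" % (shown, name))
    return reasons


if __name__ == "__main__":
    service = decode_legacy_key("LEGACY_*202EETADPUG").lower()
    print("stored name :", ascii(service))
    print("displayed as:", as_displayed(service))
    for reason in name_findings(service):
        print(" -", reason)
```

The practical lesson matches the helper's fix: remove the service (in every control set RogueKiller listed) and the Install folders it runs from, and the LEGACY_ record stops being recreated. Any service whose name trips `name_findings` is worth the same scrutiny, whatever vendor it claims to be.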
Download the attached fixlist.txt to the same folder as FRST.

Run FRST.exe and click Fix only once and wait.

The tool will create a log (Fixlog.txt) in the folder; please post it in your reply.

Then......

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt
To attach a log if needed:

Bottom right corner of this page.


New window that comes up.


~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.

MrC

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
