ZeroAccess


PCGeek


RogueKiller has detected ZeroAccess on my PC. Should I remove these:
RogueKiller V8.7.13 _x64_ [Dec 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Nick [Admin rights]
Mode : Scan -- Date : 12/21/2013 14:45:23
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 14 ¤¤¤
[DNS][PUM] HKLM\[...]\CCSet\[...]\{DDDEE9C7-E36E-4EEE-B325-989049DE534D} : NameServer (95.211.10.3 [NETHERLANDS (NL)]) -> FOUND
[DNS][PUM] HKLM\[...]\CCSet\[...]\{E8380213-C326-4117-9BF9-5743F2AB801A} : NameServer (95.211.10.3 [NETHERLANDS (NL)]) -> FOUND
[DNS][PUM] HKLM\[...]\CS001\[...]\{DDDEE9C7-E36E-4EEE-B325-989049DE534D} : NameServer (95.211.10.3 [NETHERLANDS (NL)]) -> FOUND
[DNS][PUM] HKLM\[...]\CS001\[...]\{E8380213-C326-4117-9BF9-5743F2AB801A} : NameServer (95.211.10.3 [NETHERLANDS (NL)]) -> FOUND
[DNS][PUM] HKLM\[...]\CS002\[...]\{DDDEE9C7-E36E-4EEE-B325-989049DE534D} : NameServer (95.211.10.3 [NETHERLANDS (NL)]) -> FOUND
[DNS][PUM] HKLM\[...]\CS002\[...]\{E8380213-C326-4117-9BF9-5743F2AB801A} : NameServer (95.211.10.3 [NETHERLANDS (NL)]) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : EnableLUA (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 1 ¤¤¤
[V2][SUSP PATH] Origin : C:\Users\Nick\AppData\Roaming\Origin\update.vbe [-] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 2 ¤¤¤
[FF][PROXY] 2pkoe4p9.Default User : user_pref("network.proxy.hxxp", "46.23.68.179"); -> FOUND
[FF][PROXY] 2pkoe4p9.Default User : user_pref("network.proxy.hxxp_port", 39431); -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][File] @ : C:\Users\Nick\AppData\Local\{d9173d69-4760-711b-ce45-773b0af1ad5c}\@ [-] --> FOUND
[ZeroAccess][Folder] U : C:\Windows\Installer\{d9173d69-4760-711b-ce45-773b0af1ad5c}\U [-] --> FOUND
[ZeroAccess][Folder] U : C:\Users\Nick\AppData\Local\{d9173d69-4760-711b-ce45-773b0af1ad5c}\U [-] --> FOUND
[ZeroAccess][Folder] L : C:\Windows\Installer\{d9173d69-4760-711b-ce45-773b0af1ad5c}\L [-] --> FOUND
[ZeroAccess][Folder] L : C:\Users\Nick\AppData\Local\{d9173d69-4760-711b-ce45-773b0af1ad5c}\L [-] --> FOUND

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1 localhost
127.0.0.1 activate.adobe.com
127.0.0.1 3dns-3.adobe.com
127.0.0.1 adobe-dns-2.adobe.com
127.0.0.1 adobe-dns-3.adobe.com
127.0.0.1 ereg.wip3.adobe.com
127.0.0.1 activate-sea.adobe.com
127.0.0.1 wip3.adobe.com
127.0.0.1 wwis-dubc1-vip60.adobe.com
127.0.0.1 activate-sjc0.adobe.com
127.0.0.1 practivate.adobe.com
127.0.0.1 ereg.adobe.com
127.0.0.1 activate.wip3.adobe.com
127.0.0.1 3dns-2.adobe.com
127.0.0.1 adobe-dns.adobe.com
::1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST32000641AS +++++
--- User ---
[MBR] 69223aba84ce526c164f1efc3bdc9277
[BSP] 8cbed59385b3925bc0a2df452822599a : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 14142 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 29044736 | Size: 1893546 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) SanDisk Cruzer Blade USB Device +++++
--- User ---
[MBR] d7f3b86e257330270e40bda36f1812b5
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 8192 | Size: 15260 Mo
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] The request is not supported. )

+++++ PhysicalDrive2: (\\.\PHYSICALDRIVE2 @ USB) WD Ext HDD 1021 USB Device +++++
--- User ---
[MBR] 6d17b0815860d28e9d16eb2c438e540f
[BSP] 832e2d65aece4a7455b015011b7ce13e : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1907726 Mo
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] The request is not supported. )

Finished : << RKreport[0]_S_12212013_144523.txt >>

Your RK log shows the custom Adobe hosts file used to bypass Adobe activation, AKA piracy.

127.0.0.1 localhost
127.0.0.1 activate.adobe.com
127.0.0.1 3dns-3.adobe.com
127.0.0.1 adobe-dns-2.adobe.com
127.0.0.1 adobe-dns-3.adobe.com
127.0.0.1 ereg.wip3.adobe.com
127.0.0.1 activate-sea.adobe.com
127.0.0.1 wip3.adobe.com
127.0.0.1 wwis-dubc1-vip60.adobe.com
127.0.0.1 activate-sjc0.adobe.com
127.0.0.1 practivate.adobe.com
127.0.0.1 ereg.adobe.com
127.0.0.1 activate.wip3.adobe.com
127.0.0.1 3dns-2.adobe.com
127.0.0.1 adobe-dns.adobe.com

::1 localhost

General P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar, you must either fully uninstall it or completely disable it from running while being assisted here.
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
2. If you have illegal/cracked software, cracks, keygens, a custom (Adobe) hosts file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.
Failure to remove such software will result in your topic being closed and no further assistance being provided.


MrC
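As an added example, not part of this thread or of RogueKiller: a Python checker that reads a hosts file the way the log above was read and lists every hostname pinned to loopback that is not a standard local alias, so a tampered file stands out whichever vendor's activation or update servers it sinkholes, not only Adobe's. The sample input is constructed from the hosts lines quoted in the log; the LOCAL_NAMES allowlist and the parent-domain grouping are assumptions of mine.

```python
import ipaddress
from collections import Counter

# Constructed sample: the hosts lines quoted in the log above, plus a comment line and CRLF endings.
SAMPLE_HOSTS = (
    "# constructed comment line; a parser must ignore it\r\n"
    "127.0.0.1 localhost\r\n"
    "127.0.0.1 activate.adobe.com\r\n"
    "127.0.0.1 3dns-3.adobe.com\r\n"
    "127.0.0.1 adobe-dns-2.adobe.com\r\n"
    "127.0.0.1 adobe-dns-3.adobe.com\r\n"
    "127.0.0.1 ereg.wip3.adobe.com\r\n"
    "127.0.0.1 activate-sea.adobe.com\r\n"
    "127.0.0.1 wip3.adobe.com\r\n"
    "127.0.0.1 wwis-dubc1-vip60.adobe.com\r\n"
    "127.0.0.1 activate-sjc0.adobe.com\r\n"
    "127.0.0.1 practivate.adobe.com\r\n"
    "127.0.0.1 ereg.adobe.com\r\n"
    "127.0.0.1 activate.wip3.adobe.com\r\n"
    "127.0.0.1 3dns-2.adobe.com\r\n"
    "127.0.0.1 adobe-dns.adobe.com\r\n"
    "::1 localhost\r\n"
)

# Assumed allowlist: names that legitimately resolve to loopback in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost", "ip6-loopback"}

def parse_hosts(text):
    """Yield (address, [hostnames]) per entry; comments, blank and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip inline and full-line comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # first field is not an IP address
        yield addr, [name.lower() for name in fields[1:]]

def sinkholed_names(text):
    """Hostnames pinned to a loopback or unspecified address that are not normal local aliases."""
    return [name
            for addr, names in parse_hosts(text)
            if addr.is_loopback or addr.is_unspecified
            for name in names if name not in LOCAL_NAMES]

def sinkholed_by_domain(text):
    """Count sinkholed names per parent domain (last two labels) to show whose servers are blocked."""
    return Counter(".".join(name.rsplit(".", 2)[-2:]) for name in sinkholed_names(text))
```

Run it over the live file (C:\Windows\System32\drivers\etc\hosts on Windows) and a non-empty result for a machine that should have a stock hosts file is the thing to investigate.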
