PCGeek
Posted December 22, 2013

RogueKiller has detected ZeroAccess on my PC. Should I remove these:

RogueKiller V8.7.13 _x64_ [Dec 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Nick [Admin rights]
Mode : Scan -- Date : 12/21/2013 14:45:23
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 14 ¤¤¤
[DNS][PUM] HKLM\[...]\CCSet\[...]\{DDDEE9C7-E36E-4EEE-B325-989049DE534D} : NameServer (95.211.10.3 [NETHERLANDS (NL)]) -> FOUND
[DNS][PUM] HKLM\[...]\CCSet\[...]\{E8380213-C326-4117-9BF9-5743F2AB801A} : NameServer (95.211.10.3 [NETHERLANDS (NL)]) -> FOUND
[DNS][PUM] HKLM\[...]\CS001\[...]\{DDDEE9C7-E36E-4EEE-B325-989049DE534D} : NameServer (95.211.10.3 [NETHERLANDS (NL)]) -> FOUND
[DNS][PUM] HKLM\[...]\CS001\[...]\{E8380213-C326-4117-9BF9-5743F2AB801A} : NameServer (95.211.10.3 [NETHERLANDS (NL)]) -> FOUND
[DNS][PUM] HKLM\[...]\CS002\[...]\{DDDEE9C7-E36E-4EEE-B325-989049DE534D} : NameServer (95.211.10.3 [NETHERLANDS (NL)]) -> FOUND
[DNS][PUM] HKLM\[...]\CS002\[...]\{E8380213-C326-4117-9BF9-5743F2AB801A} : NameServer (95.211.10.3 [NETHERLANDS (NL)]) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : EnableLUA (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 1 ¤¤¤
[V2][SUSP PATH] Origin : C:\Users\Nick\AppData\Roaming\Origin\update.vbe [-] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 2 ¤¤¤
[FF][PROXY] 2pkoe4p9.Default User : user_pref("network.proxy.hxxp", "46.23.68.179"); -> FOUND
[FF][PROXY] 2pkoe4p9.Default User : user_pref("network.proxy.hxxp_port", 39431); -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][File] @ : C:\Users\Nick\AppData\Local\{d9173d69-4760-711b-ce45-773b0af1ad5c}\@ [-] --> FOUND
[ZeroAccess][Folder] U : C:\Windows\Installer\{d9173d69-4760-711b-ce45-773b0af1ad5c}\U [-] --> FOUND
[ZeroAccess][Folder] U : C:\Users\Nick\AppData\Local\{d9173d69-4760-711b-ce45-773b0af1ad5c}\U [-] --> FOUND
[ZeroAccess][Folder] L : C:\Windows\Installer\{d9173d69-4760-711b-ce45-773b0af1ad5c}\L [-] --> FOUND
[ZeroAccess][Folder] L : C:\Users\Nick\AppData\Local\{d9173d69-4760-711b-ce45-773b0af1ad5c}\L [-] --> FOUND

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
127.0.0.1 localhost
127.0.0.1 activate.adobe.com
127.0.0.1 3dns-3.adobe.com
127.0.0.1 adobe-dns-2.adobe.com
127.0.0.1 adobe-dns-3.adobe.com
127.0.0.1 ereg.wip3.adobe.com
127.0.0.1 activate-sea.adobe.com
127.0.0.1 wip3.adobe.com
127.0.0.1 wwis-dubc1-vip60.adobe.com
127.0.0.1 activate-sjc0.adobe.com
127.0.0.1 practivate.adobe.com
127.0.0.1 ereg.adobe.com
127.0.0.1 activate.wip3.adobe.com
127.0.0.1 3dns-2.adobe.com
127.0.0.1 adobe-dns.adobe.com
::1 localhost

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST32000641AS +++++
--- User ---
[MBR] 69223aba84ce526c164f1efc3bdc9277
[BSP] 8cbed59385b3925bc0a2df452822599a : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 14142 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 29044736 | Size: 1893546 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) SanDisk Cruzer Blade USB Device +++++
--- User ---
[MBR] d7f3b86e257330270e40bda36f1812b5
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 8192 | Size: 15260 Mo
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] The request is not supported. )

+++++ PhysicalDrive2: (\\.\PHYSICALDRIVE2 @ USB) WD Ext HDD 1021 USB Device +++++
--- User ---
[MBR] 6d17b0815860d28e9d16eb2c438e540f
[BSP] 832e2d65aece4a7455b015011b7ce13e : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1907726 Mo
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] The request is not supported. )

Finished : << RKreport[0]_S_12212013_144523.txt >>
MrCharlie
Posted December 22, 2013

Your RK log shows the custom adobe host file used to by-pass adobe activation, AKA Piracy.

127.0.0.1 localhost
127.0.0.1 activate.adobe.com
127.0.0.1 3dns-3.adobe.com
127.0.0.1 adobe-dns-2.adobe.com
127.0.0.1 adobe-dns-3.adobe.com
127.0.0.1 ereg.wip3.adobe.com
127.0.0.1 activate-sea.adobe.com
127.0.0.1 wip3.adobe.com
127.0.0.1 wwis-dubc1-vip60.adobe.com
127.0.0.1 activate-sjc0.adobe.com
127.0.0.1 practivate.adobe.com
127.0.0.1 ereg.adobe.com
127.0.0.1 activate.wip3.adobe.com
127.0.0.1 3dns-2.adobe.com
127.0.0.1 adobe-dns.adobe.com
::1 localhost

General P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

2. If you have illegal/cracked software, cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.
Failure to remove such software will result in your topic being closed and no further assistance being provided.

MrC