ZeroAccess virus help

Nick Tyler

Apr 22, 2013
RogueKiller has detected ZeroAccess on my PC. Should I remove these:
RogueKiller V8.7.13 _x64_ [Dec 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Nick [Admin rights]
Mode : Scan -- Date : 12/21/2013 14:45:23
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 14 ¤¤¤
[DNS][PUM] HKLM\[...]\CCSet\[...]\{DDDEE9C7-E36E-4EEE-B325-989049DE534D} : NameServer (95.211.10.3 [NETHERLANDS (NL)]) -> FOUND
[DNS][PUM] HKLM\[...]\CCSet\[...]\{E8380213-C326-4117-9BF9-5743F2AB801A} : NameServer (95.211.10.3 [NETHERLANDS (NL)]) -> FOUND
[DNS][PUM] HKLM\[...]\CS001\[...]\{DDDEE9C7-E36E-4EEE-B325-989049DE534D} : NameServer (95.211.10.3 [NETHERLANDS (NL)]) -> FOUND
[DNS][PUM] HKLM\[...]\CS001\[...]\{E8380213-C326-4117-9BF9-5743F2AB801A} : NameServer (95.211.10.3 [NETHERLANDS (NL)]) -> FOUND
[DNS][PUM] HKLM\[...]\CS002\[...]\{DDDEE9C7-E36E-4EEE-B325-989049DE534D} : NameServer (95.211.10.3 [NETHERLANDS (NL)]) -> FOUND
[DNS][PUM] HKLM\[...]\CS002\[...]\{E8380213-C326-4117-9BF9-5743F2AB801A} : NameServer (95.211.10.3 [NETHERLANDS (NL)]) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : EnableLUA (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 1 ¤¤¤
[V2][SUSP PATH] Origin : C:\Users\Nick\AppData\Roaming\Origin\update.vbe [-] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 2 ¤¤¤
[FF][PROXY] 2pkoe4p9.Default User : user_pref("network.proxy.hxxp", "46.23.68.179"); -> FOUND
[FF][PROXY] 2pkoe4p9.Default User : user_pref("network.proxy.hxxp_port", 39431); -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][File] @ : C:\Users\Nick\AppData\Local\{d9173d69-4760-711b-ce45-773b0af1ad5c}\@ [-] --> FOUND
[ZeroAccess][Folder] U : C:\Windows\Installer\{d9173d69-4760-711b-ce45-773b0af1ad5c}\U [-] --> FOUND
[ZeroAccess][Folder] U : C:\Users\Nick\AppData\Local\{d9173d69-4760-711b-ce45-773b0af1ad5c}\U [-] --> FOUND
[ZeroAccess][Folder] L : C:\Windows\Installer\{d9173d69-4760-711b-ce45-773b0af1ad5c}\L [-] --> FOUND
[ZeroAccess][Folder] L : C:\Users\Nick\AppData\Local\{d9173d69-4760-711b-ce45-773b0af1ad5c}\L [-] --> FOUND

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1 localhost
127.0.0.1 activate.adobe.com
127.0.0.1 3dns-3.adobe.com
127.0.0.1 adobe-dns-2.adobe.com
127.0.0.1 adobe-dns-3.adobe.com
127.0.0.1 ereg.wip3.adobe.com
127.0.0.1 activate-sea.adobe.com
127.0.0.1 wip3.adobe.com
127.0.0.1 wwis-dubc1-vip60.adobe.com
127.0.0.1 activate-sjc0.adobe.com
127.0.0.1 practivate.adobe.com
127.0.0.1 ereg.adobe.com
127.0.0.1 activate.wip3.adobe.com
127.0.0.1 3dns-2.adobe.com
127.0.0.1 adobe-dns.adobe.com
::1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST32000641AS +++++
--- User ---
[MBR] 69223aba84ce526c164f1efc3bdc9277
[BSP] 8cbed59385b3925bc0a2df452822599a : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 14142 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 29044736 | Size: 1893546 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) SanDisk Cruzer Blade USB Device +++++
--- User ---
[MBR] d7f3b86e257330270e40bda36f1812b5
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 8192 | Size: 15260 Mo
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] The request is not supported. )

+++++ PhysicalDrive2: (\\.\PHYSICALDRIVE2 @ USB) WD Ext HDD 1021 USB Device +++++
--- User ---
[MBR] 6d17b0815860d28e9d16eb2c438e540f
[BSP] 832e2d65aece4a7455b015011b7ce13e : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1907726 Mo
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] The request is not supported. )

Finished : << RKreport[0]_S_12212013_144523.txt >>
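The report above is easier to triage once its FOUND lines are parsed. As an added example, not part of this thread or of RogueKiller itself, the Python below parses detection lines in the format quoted above (the sample is constructed from values in that report), splits each into section, kind, name and detail, and ranks it by what it means for the defender: the {GUID}\U and \L stores are the ZeroAccess persistence layout, the NameServer and Firefox proxy entries redirect the machine's traffic, and EnableLUA/ConsentPromptBehaviorAdmin at 0 leave UAC switched off. The severity labels are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample in the RogueKiller report format quoted above (values taken from that report).
SAMPLE_REPORT = r"""¤¤¤ Registry Entries : 3 ¤¤¤
[DNS][PUM] HKLM\[...]\CCSet\[...]\{DDDEE9C7-E36E-4EEE-B325-989049DE534D} : NameServer (95.211.10.3 [NETHERLANDS (NL)]) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
¤¤¤ Web browsers : 1 ¤¤¤
[FF][PROXY] 2pkoe4p9.Default User : user_pref("network.proxy.hxxp", "46.23.68.179"); -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][File] @ : C:\Users\Nick\AppData\Local\{d9173d69-4760-711b-ce45-773b0af1ad5c}\@ [-] --> FOUND
[ZeroAccess][Folder] U : C:\Windows\Installer\{d9173d69-4760-711b-ce45-773b0af1ad5c}\U [-] --> FOUND
"""
# Detection line: "[kind][sub] name : detail -> STATUS" (file/folder lines use "-->").
FINDING_RE = re.compile(r'^\[(?P<kind>[^\]]+)\]\[(?P<sub>[^\]]+)\]\s+(?P<body>.+?)\s+-{1,2}>\s+(?P<status>.+)$')
IP_RE = re.compile(r'\b\d{1,3}(?:\.\d{1,3}){3}\b')

def parse_report(text):
    """Return one dict per detection line, tagged with the ¤¤¤ section it sits under."""
    findings, section = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith('¤¤¤'):                  # e.g. "¤¤¤ Registry Entries : 3 ¤¤¤"
            section = line.strip('¤ ').split(':')[0].strip()
        elif m := FINDING_RE.match(line):           # ' : ' separates name from detail ('C:\' has no space)
            name, _, detail = m['body'].partition(' : ')
            findings.append(dict(section=section, kind=m['kind'], sub=m['sub'],
                                 name=name, detail=detail, status=m['status']))
    return findings

def triage(f):
    """Map one finding to (severity, reason) from a defender's point of view."""
    kind, sub, d = f['kind'], f['sub'], f['detail']
    if kind == 'ZeroAccess':                        # {GUID}\U and \L stores are the ZeroAccess persistence layout
        return 'critical', f"ZeroAccess {sub.lower()} artifact: {d.split(' [')[0]}"
    if kind == 'DNS' and d.startswith('NameServer'):  # resolver pointed at an attacker-chosen address
        ip = IP_RE.search(d)
        return 'high', f"DNS NameServer overridden to {ip.group() if ip else '?'}"
    if kind == 'FF' and sub == 'PROXY':             # browser traffic silently routed through a proxy
        return 'high', 'Firefox proxy setting injected: ' + d
    if kind == 'HJ POL':
        if d.split(' (')[0] in ('EnableLUA', 'ConsentPromptBehaviorAdmin'):  # 0 = UAC off / silent elevation
            return 'high', 'UAC weakened: ' + d
        return 'low', f'policy key present: {d} (a value of 0 does not disable the tool)'
    return 'info', f'{kind}/{sub}: {d}'

def summarize(text):
    """Severity counts plus the triaged findings, in report order."""
    items = [triage(f) for f in parse_report(text)]
    return {'counts': Counter(s for s, _ in items), 'items': items}
```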

ZeroAccess is a right nasty trojan. It's self-healing, and leaves hooks behind that are close to impossible to clean. If your system is truly infected by this little jewel, the only real solution is to back up your data, wipe the drive with a drive wipe utility, and reinstall Windows clean.