[RogueKiller] Official Tutorial


#16 Aaflac (Visiting Staff, Visiting Consultant, 26 posts)

Tigzy,

Would appreciate some assistance...

RogueKiller identified a ZeroAccess infection in this report:

RogueKiller V8.5.1 _x64_ [Feb 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : RogueKiller - Geeks to Go Forums
Website : Download RogueKiller (Official website)
Blog : tigzy-RK

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Safe mode with network support
User : XXXX [Admin rights]
Mode : Scan -- Date : 02/18/2013 14:19:17
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[Microsoft][HJNAME] notepad.exe -- C:\Windows\System32\notepad.exe [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 6 ¤¤¤
[TASK][SUSP PATH] MagniPicUpdaterTask{7CB4CF25-B289-400F-A672-4E00FCD112E6}.job : C:\ProgramData\Premium\MagniPic\MagniPic.exe /schedule /profile "C:\ProgramData\Premium\MagniPic\profile.ini" [-] -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] Desktop.ini : C:\windows\Assembly\Desktop.ini [-] --> FOUND (ZeroAccess ??)

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK6475GSX +++++
--- User ---
[MBR] a7e0b95e3524175fc84db50334f68ff0
[BSP] 9ea1ced1571f36b81b112b3982abe1b2 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 593552 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 1218668544 | Size: 15427 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_02182013_02d1419.txt >>
RKreport[1]_S_02182013_02d1419.txt


As you can see, the following file appeared on it:
[ZeroAccess][FILE] Desktop.ini : C:\windows\Assembly\Desktop.ini [-] --> FOUND

In a subsequent Mode : Remove report, the file was removed:
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] Desktop.ini : C:\windows\Assembly\Desktop.ini [-] --> REMOVED

Have seen the following (below) before, but not the above:
C:\windows\Assembly\gac_32\Desktop.ini
C:\windows\Assembly\gac_64\Desktop.ini
C:\windows\Assembly\gac\Desktop.ini

Is this file something new?
Googled it through 12+ pages with reports, but it never appeared.

Also, what does the [-] mean?
C:\windows\Assembly\Desktop.ini [-]

Thanks for your help!

Edited by Aaflac, 22 February 2013 - 10:31 PM.

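The report quoted above is line-oriented (section headers between ¤¤¤ markers, one finding per line with its tags in front and its status after the arrow), so a responder can pull the findings out mechanically and check a scan-mode report against the later remove-mode report to confirm every FOUND entry was actually acted on. The Python below is an added example, not RogueKiller's own code or anything from Tigzy: the two excerpts are constructed from lines quoted in the post, the regexes are assumptions about the format based only on those lines, and the field names (detail, marker, note) and the status set are mine.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpts in the shape of the RogueKiller reports quoted in the
# post above (a scan-mode and a remove-mode excerpt); not complete reports.
SCAN_EXCERPT = r"""
¤¤¤ Bad processes : 1 ¤¤¤
[Microsoft][HJNAME] notepad.exe -- C:\Windows\System32\notepad.exe [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 6 ¤¤¤
[TASK][SUSP PATH] MagniPicUpdaterTask{7CB4CF25-B289-400F-A672-4E00FCD112E6}.job : C:\ProgramData\Premium\MagniPic\MagniPic.exe /schedule /profile "C:\ProgramData\Premium\MagniPic\profile.ini" [-] -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] Desktop.ini : C:\windows\Assembly\Desktop.ini [-] --> FOUND (ZeroAccess ??)

¤¤¤ Infection : ZeroAccess ¤¤¤
"""

REMOVE_EXCERPT = r"""
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] Desktop.ini : C:\windows\Assembly\Desktop.ini [-] --> REMOVED
"""

# Format assumptions, inferred only from the lines quoted on this page:
#   section header:  ¤¤¤ <name> ¤¤¤
#   finding:         [TAG][TAG] <detail> [marker] -> STATUS <note>   (arrow "->" or "-->")
SECTION_RE = re.compile(r"^¤¤¤\s*(.*?)\s*¤¤¤\s*$")
FINDING_RE = re.compile(
    r"^((?:\[[^\]]*\])+)\s*(.*?)(?:\s*(\[[^\]]*\]))?\s*-{1,2}>\s*([A-Z]+)(.*)$"
)
PATH_RE = re.compile(r'([A-Za-z]:\\[^\s"]+)')  # first drive-letter path in a detail
# Statuses that show an entry was acted on, as seen in the reports on this page.
RESOLVED_STATUSES = {"REMOVED", "KILLED"}


@dataclass
class Finding:
    section: str
    tags: List[str]          # e.g. ["ZeroAccess", "FILE"]
    detail: str              # name, path, command line or key/value after the tags
    marker: Optional[str]    # bracketed marker printed before the arrow, e.g. "[-]" or "[7]"
    status: str              # FOUND, KILLED, REMOVED, ...
    note: str                # anything after the status, e.g. "(ZeroAccess ??)"

    @property
    def path(self) -> Optional[str]:
        """First drive-letter path mentioned in the detail, if any."""
        m = PATH_RE.search(self.detail)
        return m.group(1) if m else None


@dataclass
class Report:
    findings: List[Finding] = field(default_factory=list)
    infection: Optional[str] = None  # verdict taken from the "Infection : X" header


def parse_report(text: str) -> Report:
    """Walk the report line by line, tracking the current section."""
    report = Report()
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            if section.startswith("Infection"):
                report.infection = section.split(":", 1)[1].strip()
            continue
        m = FINDING_RE.match(line)
        if not m:
            continue  # banner, HOSTS path, MBR hashes and partition rows are not findings
        tags_str, detail, marker, status, note = m.groups()
        report.findings.append(Finding(
            section=section,
            tags=re.findall(r"\[([^\]]*)\]", tags_str),
            detail=detail.strip(),
            marker=marker,
            status=status,
            note=note.strip(),
        ))
    return report


def unresolved(scan: Report, remove: Report) -> List[Finding]:
    """Entries the scan reported as FOUND that the remove-mode report never
    shows with a resolved status (same section, tags and detail)."""
    done = {
        (f.section, tuple(f.tags), f.detail)
        for f in remove.findings
        if f.status in RESOLVED_STATUSES
    }
    return [
        f for f in scan.findings
        if f.status == "FOUND" and (f.section, tuple(f.tags), f.detail) not in done
    ]


if __name__ == "__main__":
    scan = parse_report(SCAN_EXCERPT)
    print("infection verdict:", scan.infection)
    for f in unresolved(scan, parse_report(REMOVE_EXCERPT)):
        print("still open:", f.tags, f.detail)
```

Matching on section, tags and detail rather than on the whole line is what lets a FOUND entry pair up with its later REMOVED entry; the two remaining entries in the sample (the scheduled task and the Start_TrackProgs value) are reported as still open because the constructed remove-mode excerpt does not mention them.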


#17 Aaflac (Visiting Staff, Visiting Consultant, 26 posts)

Found the answer.

Disregard the above.

Thank you.