Would appreciate some assistance...
RogueKiller identified a ZeroAccess infection in this report:
RogueKiller V8.5.1 _x64_ [Feb 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : RogueKiller - Geeks to Go Forums
Website : Download RogueKiller (Official website)
Blog : tigzy-RK
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Safe mode with network support
User : XXXX [Admin rights]
Mode : Scan -- Date : 02/18/2013 14:19:17
| ARK || FAK || MBR |
¤¤¤ Bad processes : 1 ¤¤¤
[Microsoft][HJNAME] notepad.exe -- C:\Windows\System32\notepad.exe [7] -> KILLED [TermProc]
¤¤¤ Registry Entries : 6 ¤¤¤
[TASK][SUSP PATH] MagniPicUpdaterTask{7CB4CF25-B289-400F-A672-4E00FCD112E6}.job : C:\ProgramData\Premium\MagniPic\MagniPic.exe /schedule /profile "C:\ProgramData\Premium\MagniPic\profile.ini" [-] -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] Desktop.ini : C:\windows\Assembly\Desktop.ini [-] --> FOUND (ZeroAccess ??)
¤¤¤ Driver : [NOT LOADED] ¤¤¤
¤¤¤ Infection : ZeroAccess ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MK6475GSX +++++
--- User ---
[MBR] a7e0b95e3524175fc84db50334f68ff0
[BSP] 9ea1ced1571f36b81b112b3982abe1b2 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 593552 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 1218668544 | Size: 15427 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[1]_S_02182013_02d1419.txt >>
RKreport[1]_S_02182013_02d1419.txt
As you can see, the following file appeared on it:
[ZeroAccess][FILE] Desktop.ini : C:\windows\Assembly\Desktop.ini [-] --> FOUND
In a subsequent Mode : Remove report, the file was removed:
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] Desktop.ini : C:\windows\Assembly\Desktop.ini [-] --> REMOVED
Have seen the following (below) before, but not the above:
C:\windows\Assembly\gac_32\Desktop.ini
C:\windows\Assembly\gac_64\Desktop.ini
C:\windows\Assembly\gac\Desktop.ini
Is this file something new?
Googled it through 12+ pages of reports, but it never appeared.
Also, what does the [-] mean?
C:\windows\Assembly\Desktop.ini [-]
Thanks for your help!
Edited by Aaflac, 22 February 2013 - 10:31 PM.
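As an added example (not part of the original post or of RogueKiller itself), a small parser for the report lines quoted above: it splits the `¤¤¤ ... ¤¤¤` section headers from the `[TAG] name : value [marker] -> STATUS` findings, keeps the bracketed marker (the `[-]` the post asks about) as an opaque field rather than interpreting it, and filters out the entries RogueKiller tagged `[ZeroAccess]`. The line grammar is inferred from the report text only, which is an assumption, and the sample input is a constructed excerpt of that report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a few lines copied from the RogueKiller report quoted in the post.
SAMPLE_REPORT = r"""¤¤¤ Registry Entries : 6 ¤¤¤
[TASK][SUSP PATH] MagniPicUpdaterTask{7CB4CF25-B289-400F-A672-4E00FCD112E6}.job : C:\ProgramData\Premium\MagniPic\MagniPic.exe /schedule /profile "C:\ProgramData\Premium\MagniPic\profile.ini" [-] -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] Desktop.ini : C:\windows\Assembly\Desktop.ini [-] --> FOUND (ZeroAccess ??)
¤¤¤ Infection : ZeroAccess ¤¤¤
"""

SECTION_RE = re.compile(r"^¤¤¤ (.+?) ¤¤¤$")
# Assumed line shape: one or more [TAG]s, a name, " : ", a value, an optional
# trailing [marker] such as [-], then "->" or "-->", a STATUS and an optional (note).
FINDING_RE = re.compile(
    r"^((?:\[[^\]]+\])+) (.+?) : (.+?)(?: \[([^\]]*)\])? -{1,2}> (\w+)(?: \((.*)\))?$"
)

@dataclass
class Finding:
    section: str
    tags: List[str]
    name: str
    value: str
    marker: Optional[str]  # bracketed field before the arrow, e.g. "-" for "[-]"; not interpreted
    status: str
    note: str = ""

def parse_report(text: str) -> List[Finding]:
    findings, section = [], ""
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION_RE.match(line):
            section = m.group(1).rstrip(":").strip()  # "Particular Files / Folders:" -> no colon
            continue
        if m := FINDING_RE.match(line):
            tags, name, value, marker, status, note = m.groups()
            findings.append(Finding(section, re.findall(r"\[([^\]]+)\]", tags),
                                    name, value, marker, status, note or ""))
    return findings

def zeroaccess_findings(text: str) -> List[Finding]:
    # Only entries RogueKiller itself labelled [ZeroAccess]; other tags are left alone.
    return [f for f in parse_report(text) if "ZeroAccess" in f.tags]
```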