
[RogueKiller] Official Tutorial


#16
Aaflac
    Visiting Staff

  • Visiting Consultant
  • 26 posts
Tigzy,

Would appreciate some assistance...

RogueKiller identified a ZeroAccess infection in this report:

RogueKiller V8.5.1 _x64_ [Feb 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : RogueKiller - Geeks to Go Forums
Website : Download RogueKiller (Official website)
Blog : tigzy-RK

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Safe mode with network support
User : XXXX [Admin rights]
Mode : Scan -- Date : 02/18/2013 14:19:17
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[Microsoft][HJNAME] notepad.exe -- C:\Windows\System32\notepad.exe [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 6 ¤¤¤
[TASK][SUSP PATH] MagniPicUpdaterTask{7CB4CF25-B289-400F-A672-4E00FCD112E6}.job : C:\ProgramData\Premium\MagniPic\MagniPic.exe /schedule /profile "C:\ProgramData\Premium\MagniPic\profile.ini" [-] -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] Desktop.ini : C:\windows\Assembly\Desktop.ini [-] --> FOUND (ZeroAccess ??)

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK6475GSX +++++
--- User ---
[MBR] a7e0b95e3524175fc84db50334f68ff0
[BSP] 9ea1ced1571f36b81b112b3982abe1b2 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 593552 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 1218668544 | Size: 15427 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_02182013_02d1419.txt >>
RKreport[1]_S_02182013_02d1419.txt


As you can see, the following file appeared on it:
[ZeroAccess][FILE] Desktop.ini : C:\windows\Assembly\Desktop.ini [-] --> FOUND

In a subsequent Mode : Remove report, the file was removed:
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] Desktop.ini : C:\windows\Assembly\Desktop.ini [-] --> REMOVED

Have seen the following (below) before, but not the above:
C:\windows\Assembly\gac_32\Desktop.ini
C:\windows\Assembly\gac_64\Desktop.ini
C:\windows\Assembly\gac\Desktop.ini

Is this file something new?
Googled it through 12+ pages with reports, but it never appeared.

Also, what does the [-] mean?
C:\windows\Assembly\Desktop.ini [-]

Thanks for your help!

Edited by Aaflac, 22 February 2013 - 10:31 PM.



#17
Aaflac
    Visiting Staff

  • Visiting Consultant
  • 26 posts
Found the answer.

Disregard the above.

Thank you.