Sysinternals Forum > Sysinternals Utilities > RootkitRevealer Logs

$NtuninstallerKB12686$

Brian1234 (Newbie, joined 03 January 2012, Points: 4)
Posted: 03 January 2012 at 3:53am
RKR is showing me this directory and a listing of files 'inside' it:
  $NtuninstallerKB12686$

GMER also showed it to me but did not highlight it in red (like it does for known threats?).

I am suspicious though because I cannot locate a KB 12686 (it would be awfully old?) and also because this is a <JUNCTION> when all the other uninstaller dirs are basic <DIR>'s.

Is this directory OK?  Feedback appreciated, thanks!


nullptr (Senior Member, Australia, joined 06 April 2008, Points: 757)
Posted: 03 January 2012 at 6:08am
Your PC is infected with Rootkit ZeroAccess. I'd advise seeking help at one of the dedicated malware removal forums as after the infection is removed, it's quite likely you'll have no internet connectivity.
Try the forums at MajorGeeks or Bleeping Computer.

In the meantime, if possible, disconnect this PC from the internet. The more you use it, the greater the chance of other infections being downloaded + passwords etc being stolen.
Brian1234 (Newbie, joined 03 January 2012, Points: 4)
Posted: 05 January 2012 at 6:06am
Thanks for the feedback!  I did see some removals of Sirefef along the way, which seems to be aka ZeroAccess.  How did you call that from just two tidbits of info?  I couldn't find any good search hits for the KB number. 

Any idea what the <JUNCTION> points to?  Possibly an encrypted file system? 


nullptr (Senior Member, Australia, joined 06 April 2008, Points: 757)
Posted: 06 January 2012 at 11:37am
Originally posted by Brian1234:
    How did you call that from just two tidbits of info? I couldn't find any good search hits for the KB number.
Basically from my own playing with it and RCE'ing. The KB number is generated according to some PC specs and is unique to each computer.

Some interesting reading on ZeroAccess here and here.
Brian1234 (Newbie, joined 03 January 2012, Points: 4)
Posted: 08 January 2012 at 1:55am
Thanks again!  That's some good reading. 

I read that the KB number is one shorter than expected, I presume so it won't conflict with real KB uninstall dirs.  I also found sirefef.com which helped me get rid of that <JUNCTION> and gave me some other things to look for.
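A defender-side check for the anomaly this thread turns on, a hotfix-uninstall-style folder under the Windows directory that is a junction rather than a plain directory, added here as an example; it is not code from the forum, from Sysinternals, or from any of the posters. It assumes PowerShell 5.1 or later (for the LinkType and Target properties on directory objects) and treats Brian1234's "KB number one digit shorter than usual" observation only as a secondary heuristic; the reparse-point flag is the primary signal.

```powershell
# Added example, not from the thread or Sysinternals.
# Enumerates $NtUninstall*$ folders (hidden hotfix uninstall directories) under the
# Windows directory and flags any that is a reparse point (junction), which is the
# difference Brian1234 spotted between $NtuninstallerKB12686$ and the genuine <DIR> entries.
# Assumes PowerShell 5.1+ so DirectoryInfo exposes LinkType and Target.

param(
    [string]$WindowsDir = $env:SystemRoot
)

# Single quotes keep '$NtUninstall' from being expanded as a variable.
$uninstallDirs = Get-ChildItem -LiteralPath $WindowsDir -Directory -Force `
    -Filter '$NtUninstall*' -ErrorAction SilentlyContinue

foreach ($dir in $uninstallDirs) {
    # A junction is a directory carrying the ReparsePoint attribute.
    $isReparse = $dir.Attributes.HasFlag([IO.FileAttributes]::ReparsePoint)

    # Accept both the usual spelling and the "NtUninstaller" form seen in this thread's title.
    $kb = $null
    if ($dir.Name -match '^\$NtUninstall(?:er)?KB(\d+)\$$') { $kb = $Matches[1] }

    # Heuristic only: six-digit KB numbers were the norm for hotfixes of that era;
    # a shorter number (like 12686) is worth a second look, as Brian1234 noted.
    $shortKb = ($null -ne $kb) -and ($kb.Length -lt 6)

    [pscustomobject]@{
        Name       = $dir.Name
        IsJunction = $isReparse
        LinkType   = $dir.LinkType                       # 'Junction' when IsJunction is true
        Target     = if ($isReparse) { ($dir.Target -join ';') } else { '' }
        KbNumber   = $kb
        Suspicious = $isReparse -or $shortKb
    }
}
```

Run it from an elevated prompt so hidden folders under the Windows directory are readable; on systems older than PowerShell 5.1 the LinkType and Target columns come back empty, and `fsutil reparsepoint query <path>` shows the raw reparse data for a flagged folder instead. A genuine hotfix uninstall folder should never be a junction, so any row with IsJunction set to True is the one to investigate.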
kevin1777 (Newbie, joined 12 January 2012, Points: 1)
Posted: 12 January 2012 at 8:55am
Hi Brian, I have had the same problem. I disabled the rootkit from accessing the internet with my own methods, but have been unable to delete the NTUninstallKB directory and sirefef.com seems to be down. Could you please tell me how you were able to delete that directory?
nullptr (Senior Member, Australia, joined 06 April 2008, Points: 757)
Posted: 12 January 2012 at 10:34am
kevin1777 - Combofix will remove it, if you need any further help then let me know.