Topic: $NtuninstallerKB12686$
Brian1234 (Newbie, joined 03 January 2012)
Posted: 03 January 2012 at 3:53am
RKR is showing me this directory and a listing of files 'inside' it: $NtuninstallerKB12686$
GMER also showed it to me but did not highlight it in red (like it does for known threats?). I am suspicious though because I cannot locate a KB 12686 (it would be awfully old?) and also because this is a <JUNCTION> when all the other uninstaller dirs are basic <DIR>s. Is this directory OK? Feedback appreciated, thanks!
nullptr (Senior Member, Australia, joined 06 April 2008)
Posted: 03 January 2012 at 6:08am
Your PC is infected with the ZeroAccess rootkit. I'd advise seeking help at one of the dedicated malware removal forums, as after the infection is removed it's quite likely you'll have no internet connectivity.
Try the forums at MajorGeeks or Bleeping Computer. In the meantime, if possible, disconnect this PC from the internet. The more you use it, the greater the chance of other infections being downloaded and passwords etc. being stolen.
Brian1234 (Newbie, joined 03 January 2012)
Posted: 05 January 2012 at 6:06am
Thanks for the feedback! I did see some removals of Sirefef along the way, which seems to be aka ZeroAccess. How did you call that from just two tidbits of info? I couldn't find any good search hits for the KB number.
Any idea what the <JUNCTION> points to? Possibly an encrypted file system?
nullptr (Senior Member, Australia, joined 06 April 2008)
Posted: 06 January 2012 at 11:37am
Some interesting reading on ZeroAccess here and here.
Brian1234 (Newbie, joined 03 January 2012)
Posted: 08 January 2012 at 1:55am
Thanks again! That's some good reading.
I read that the KB number is one shorter than expected, I presume so it won't conflict with real KB uninstall dirs. I also found sirefef.com which helped me get rid of that <JUNCTION> and gave me some other things to look for.
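The two tells this thread turns on are worth writing down as a check: a hotfix uninstall folder under %SystemRoot% that is a <JUNCTION> (reparse point) where every genuine `$NtUninstallKB…$` folder is a plain <DIR>, and a KB number with fewer digits than any hotfix of the period. The script below is an added example, not code from this forum or from any of the tools mentioned (RKR, GMER, ComboFix). It parses a constructed `dir /a` listing of C:\WINDOWS and flags entries that mimic hotfix uninstall folders but fail either test; on a Windows host it can also walk the real directory. The name regex (which accepts the "NtuninstallerKB" spelling from this thread as well as the standard "NtUninstallKB"), the six-digit threshold and the sample listing are all assumptions made for the example.

```python
import os
import re
import stat
import sys

# Assumed name pattern for hotfix uninstall folders. Windows itself uses
# $NtUninstallKB<number>$; the "er" variant is accepted because that is the
# spelling reported in this thread.
UNINSTALL_NAME = re.compile(r"^\$ntuninstall(?:er)?kb(\d+)\$$", re.IGNORECASE)

# Assumption: genuine KB article numbers referenced by hotfixes of this
# period have at least six digits, so a shorter number is a red flag.
MIN_KB_DIGITS = 6

# One "dir /a" entry line: date, time (12- or 24-hour), then either a
# <DIR>/<JUNCTION>/<SYMLINKD> tag or a file size, then the name and, on
# newer Windows versions, an optional "[target]" for reparse points.
DIR_LINE = re.compile(
    r"^\d{1,4}[./-]\d{1,2}[./-]\d{1,4}\s+\d{1,2}:\d{2}(?:\s*[AP]M)?\s+"
    r"(?:<(?P<kind>[A-Z]+)>|(?P<size>[\d,.]+))\s+"
    r"(?P<name>.+?)(?:\s+\[(?P<target>[^\]]*)\])?\s*$",
    re.IGNORECASE,
)

# Constructed sample listing (not captured from a real machine).
SAMPLE_LISTING = r"""
 Volume in drive C has no label.
 Directory of C:\WINDOWS

03/01/2012  09:12 AM    <DIR>          .
03/01/2012  09:12 AM    <DIR>          ..
14/06/2011  10:03 PM    <DIR>          $NtUninstallKB2503665$
22/08/2011  08:41 PM    <DIR>          $NtUninstallKB2567680$
02/01/2012  11:58 PM    <JUNCTION>     $NtuninstallerKB12686$
05/04/2008  12:00 AM    <DIR>          system32
05/04/2008  12:00 AM               219 win.ini
"""


def parse_dir_listing(text):
    """Turn the text of a 'dir /a' listing into a list of entry dicts."""
    entries = []
    for line in text.splitlines():
        m = DIR_LINE.match(line.strip())
        if not m or m.group("name") in (".", ".."):
            continue  # header/footer lines and the dot entries carry no information
        entries.append({
            "name": m.group("name"),
            "kind": (m.group("kind") or "FILE").upper(),
            "target": m.group("target"),
        })
    return entries


def suspicious_uninstall_entries(entries):
    """Return (name, [reasons]) for entries that look like hotfix uninstall
    folders but are not ordinary directories or carry an implausible KB number."""
    findings = []
    for e in entries:
        m = UNINSTALL_NAME.match(e["name"])
        if not m:
            continue  # only entries mimicking $NtUninstallKB...$ are judged
        kb = m.group(1)
        reasons = []
        if e["kind"] != "DIR":
            reasons.append(f"entry is <{e['kind']}>; genuine hotfix uninstall folders are plain <DIR>")
        if len(kb) < MIN_KB_DIGITS:
            reasons.append(f"KB{kb} has only {len(kb)} digits, shorter than any real hotfix KB number")
        if reasons:
            findings.append((e["name"], reasons))
    return findings


def scan_windows_dir(windir=None):
    """Live check on a Windows host: classify reparse points under %SystemRoot%
    without following them, then apply the same heuristics."""
    windir = windir or os.environ.get("SystemRoot", r"C:\Windows")
    entries = []
    with os.scandir(windir) as it:
        for d in it:
            attrs = getattr(d.stat(follow_symlinks=False), "st_file_attributes", 0)
            if attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT:
                kind = "REPARSE"  # junction, symlink or other reparse point
            elif d.is_dir(follow_symlinks=False):
                kind = "DIR"
            else:
                kind = "FILE"
            entries.append({"name": d.name, "kind": kind, "target": None})
    return suspicious_uninstall_entries(entries)


if __name__ == "__main__":
    if sys.platform == "win32":
        results = scan_windows_dir()
    else:
        results = suspicious_uninstall_entries(parse_dir_listing(SAMPLE_LISTING))
    for name, reasons in results:
        print(name)
        for r in reasons:
            print("  -", r)
```

The check is deliberately narrow: it only judges entries whose name imitates a hotfix uninstall folder, so legitimate reparse points elsewhere on the disk are not reported. A hit tells you where to look, not how to clean: as the replies in this thread note, the directory is protected by the rootkit and removing it is a job for a dedicated removal tool or one of the malware removal forums.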
kevin1777 (Newbie, joined 12 January 2012)
Posted: 12 January 2012 at 8:55am
Hi Brian, I have had the same problem. I disabled the rootkit from accessing the internet with my own methods, but have been unable to delete the NTUninstallKB directory, and sirefef.com seems to be down. Could you please tell me how you were able to delete that directory?
nullptr (Senior Member, Australia, joined 06 April 2008)
Posted: 12 January 2012 at 10:34am
kevin1777 - ComboFix will remove it; if you need any further help then let me know.