windows \ $NtUninstallKB36574$

Discussion in 'Malware Help (A Specialist Will Reply)' started by JJ95, Sep 21, 2012.

  1. JJ95

    JJ95 Private E-2

    This folder is in the windows folder: $NtUninstallKB36574$

    It is not accessible. I cannot change the security settings.

    It is the remnants of a virus infestation.

    I have seen this on 2 client computers in the past 6 months.

    So, how is it possible for a folder to be inaccessible to administrators?

    How do I change the security settings to delete it?


    After running many virus removers, I am fairly sure the viruses are gone.

    Ideas?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!
    Administrator permissions can always be removed by changing the permissions of the folders so that you do not have access. It can be set to be owned by the System or similar and excludes the Administrators.

    Sounds like you have a left over from a Zero Access infection and I would not really know if you are really clean without at least having some scans run. So in lieu of our full cleaning process, please run the below. If all of the infection has not been removed, the folder would still not be removable.


    Please download RogueKiller - Save to your Desktop. See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Double click RogueKiller.exe to run (Note: If running Vista or Win 7 use right-click and select Run as Administrator)
    • When it opens, press the Scan button. Only run a scan! Do not fix anything at this time
    • When it is finished, there will be a log on your desktop called RKreport[1].txt
    • Attach RKreport[1].txt to your next message ( after you complete all scans or get as far as you can go). (See: HOW TO: Attach Items To Your Post )
    Now refer to this link Using MGtools and run MGtools. Then attach the C:\MGlogs.zip file from MGtools.

    If you don't want to run the above and are 100% certain you have really removed all of the ZeroAccess infection which can impact the MBR and partitions, then you can boot to the System Recovery Environment ( for Win 8, Win 7, and Vista ) or to the Recovery Console of Win XP and use the command prompt to delete the folder. If it blocks you from seeing it or deleting it, you may have to reset the folder attributes first using the attrib command.
     
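An added example, not from the thread or from MajorGeeks, that does the read-only part of what the reply above describes: it lists the $NtUninstall*$ folders under the Windows directory and reports, for each, the owner, the attributes (the ones `attrib` would have to clear), the creation time (so the folder's age can be judged, as the later reply asks) and whether the Administrators group is excluded by the DACL or the DACL cannot be read at all. It changes no permissions. The `$WindowsDir` parameter and its `%SystemRoot%` default are assumptions; the Vista-and-later heuristic is a generalization and is labelled as such in the code.

```powershell
# Added example, not from the thread or from MajorGeeks: inventory the
# $NtUninstall*$ folders under the Windows directory and flag the ones that
# exclude Administrators, the symptom described in the thread. Read-only:
# it changes no permissions. Run from an elevated PowerShell prompt.
# Written against PowerShell 2.0 syntax so it also runs on Windows 7.

param(
    [string]$WindowsDir = $env:SystemRoot   # assumption: default to %SystemRoot%
)

function Get-NtUninstallFolderReport {
    param([string]$Root)

    # Heuristic: Windows Update on Vista and later services updates through
    # CBS/WinSxS and does not create $NtUninstallKB...$ folders (an XP/2003-era
    # convention), so on those systems their mere presence is worth a look.
    $modernServicing = [Environment]::OSVersion.Version.Major -ge 6

    Get-ChildItem -LiteralPath $Root -Force -Filter '$NtUninstall*$' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $dir          = $_
            $reasons      = @()
            $owner        = $null
            $adminAllow   = $false
            $explicitDeny = $false

            try {
                $acl   = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
                $owner = $acl.Owner
                # Explicit and inherited ACEs, resolved to account names
                $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
                foreach ($r in $rules) {
                    $who = $r.IdentityReference.Value
                    if ($r.AccessControlType -eq 'Allow' -and $who -eq 'BUILTIN\Administrators') { $adminAllow = $true }
                    if ($r.AccessControlType -eq 'Deny' -and @('BUILTIN\Administrators', 'Everyone') -contains $who) { $explicitDeny = $true }
                }
                if (-not $adminAllow) { $reasons += 'no Allow ACE for Administrators' }
                if ($explicitDeny)    { $reasons += 'explicit Deny ACE for Administrators/Everyone' }
            } catch {
                # Get-Acl itself being refused is the strongest sign: even reading
                # the DACL has been withheld from the elevated caller.
                $reasons += "ACL unreadable: $($_.Exception.Message)"
            }

            if ($modernServicing) { $reasons += 'NtUninstall-style folder on Vista or later (not created by Windows Update)' }
            if ($dir.Attributes -band [IO.FileAttributes]::System) { $reasons += 'System attribute set' }

            New-Object PSObject -Property @{
                Path       = $dir.FullName
                Owner      = $owner
                Attributes = $dir.Attributes.ToString()
                Created    = $dir.CreationTime
                AgeDays    = [int]((Get-Date) - $dir.CreationTime).TotalDays
                Suspicious = ($reasons.Count -gt 0)
                Reasons    = ($reasons -join '; ')
            }
        }
}

Get-NtUninstallFolderReport -Root $WindowsDir |
    Format-List Path, Owner, Attributes, Created, AgeDays, Suspicious, Reasons
```

A folder whose DACL cannot even be read from an elevated prompt is exactly the case the reply describes, where the owner is SYSTEM or similar and Administrators have no entry; the report shows that without attempting to take ownership, which is what the reply defers until the scans have confirmed the machine is clean.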
  3. JJ95

    JJ95 Private E-2

    Thank you for your response.

    Windows 7 Pro 32, all updates.

    Virus infection on Tuesday. Not the FBI dude. A blank screen with a box requesting a code.

    Once I was able to gain access in safe mode I did the following to remove the immediate problems:
    Manually deleted temp files
    Stopped the page file, and the hibernate function
    Malwarebytes quick scan
    Superantispyware quick scan
    MS essentials (installed) quick scan

    Manually found and deleted some missed virus remnants, following guidance I found.

    Started in regular mode:

    Windows Update, firewall, ... were missing. Did a couple of fixes, too much work. So restored to a point 2 days earlier.

    All appeared to be working. But not IE.

    Suspecting more jerks, used ESET online scan, RogueKiller, TDSSKiller, Kaspersky, and Emsisoft Emergency Kit. RogueKiller found some reg entries. Nothing running. Emsisoft found some bits in a storage folder. Nothing found by the others. Except MGtools.

    The machine appears to be clean.

    BUT: IE was/is way stupid.

    Google starts fine. And search on "TEST" quickly presents many choices. Clicking the first choice results in the tab name changing and waiting at least 5 minutes for the page to display. Same with the MS web site.

    All FIX-IT choices I can find have been applied: no problems have been found.

    All add-ons were disabled. No joy.

    A complete reset. No joy.

    I attempted to install IE9 but was informed it is already installed.

    This has become more than stupid.

    ==========

    So, I found the FIX-IT to uninstall ie9.

    And ie8 is doing the same thing.

    FF and Chrome work fine.

    I did a dns flush, and so on.

    ======================
    event viewer entry:
    The program iexplore.exe version 9.0.8112.16450 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
    Process ID: 460
    Start Time: 01cd98e8c0c9fd8c
    Termination Time: 133
    Application Path: C:\Program Files\Internet Explorer\iexplore.exe
    ..........................

    no info available in the Action Center.

    ---------------------------

    I found the $NtUninstallKB36574$ folder and attempted to gain access. Cannot view, take ownership, change permissions in any way. Have not tried from a repair disk command prompt.

    ================
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not attach the requested log from RogueKiller.
    There are no signs of this folder in your logs, but the scan for those kinds of folders only lists folders from the last 90 days. How old is this folder? Based on other logs in MGtools it appears that this may have been part of an infection cleaned up on about Dec 11, 2011 ( more than 9 months ago ). I will give you something to try in my next message.

    Also there are no signs of malware. The only problem I see is the use of MSconfig to stop dozens of services and startup processes. In fact services for Avast antivirus are trapped in there and Avast does not even seem to be installed anymore.
     
    Last edited: Sep 23, 2012
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now download The Avenger by Swandog46, and save it to your Desktop.
    See the download links under this icon http://www.majorgeeks.com/images/dll.gif
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Attach the log from Avenger.
    Did that remove the folder?
     
