Full Version: Clarification Sought
The CD Forum > Bart's PE Builder > General
jcw
I recently contracted malware including Rootkit.ZeroAccess, which I was able to eliminate finally only with ComboFix.
Before resorting to that though, I tried unsuccessfully using the Windows Recovery Console and BartPE to delete two ostensible "uninstall" folders in C:\Windows named as $NtUninstallKBxxxxx$ which anti-rootkit scans had identified as bad and which ComboFix ultimately did remove.
I was surprised that I was unable to delete those 2 objects using either the Recovery Console or BartPE.
In the case of BartPE, I tried using its A43 utility, and received the message that the folder could not be accessed by the system.
I then tried using the "del" and "rd" commands in the BartPE command prompt window.
With the "del" command, I got the message that it could not delete the file.
With the "rd" command, I got the message that it could not remove folder as the directory was not empty.
I had thought that with BartPE, a user could delete anything on the hard disk drive.
I must conclude that I was wrong in that thinking.
Anyone have any insights or suggestions?
Thanks in advance. /jcw

jaclaz
If it's a folder use RD /S:
http://ss64.com/nt/rd.html
but it is still possible (on NTFS) that you need to Take Ownership of the folder/files:
http://ss64.com/nt/cacls.html
(or through the shell GUI - that may depend on the BartPE shell you use)
Normally "user" SYSTEM can access all files, but this can be changed, by removing SYSTEM from allowed access or limiting the kind of access, and it is likely that a malware does so.

jaclaz
jcw
jaclaz:
Yes, I used "RD /S" as well as "RD", with the same result.
And I tried to take ownership of the 2 bad "uninstall" objects, but couldn't - got message that access was denied.
Interestingly, Windows identified the 2 objects as junctions, not directories.
I ran the junction tool and it showed the target of the 2 objects as a folder in Windows which I had suspected was involved with the malware.
If any other thoughts, let me know.
Thanks for your time. /jcw
Ed_P
What junction tool did you use and did you use in under BartPE or regular Windows?
jcw
Ed:
the junction tool is at:
http://technet.microsoft.com/en-us/sysinternals/bb896768

Used it in WXP normal mode as I didn't/don't have it on BartPE.
It too could not delete the 2 bad "uninstall" objects that I described above.
/jcw
Ed_P
Can you rename the junctions or the folder they are pointing to?
oscar
QUOTE (jcw @ Jan 19 2012, 03:43 AM)
I had thought that with BartPE, a user could delete anything on the hard disk drive.
I must conclude that I was wrong in that thinking.
Anyone have any insights or suggestions?
Thanks in advance. /jcw


Nothing works, neither BartPE nor a Linux live CD, but this does (using takeown and icacls in a DOS box or batch file):

@echo off
rem 4delete.cmd - take ownership of a stubborn folder, grant Administrators full control, remove it. Run elevated.
if "%~1"=="" (
    echo usage: 4delete.cmd c:\hard_2_del_folder
    exit /b 1
)
rem Refuse junctions/reparse points: takeown /r and rd /s would follow the link into its target.
fsutil reparsepoint query "%~1" >nul 2>&1 && (
    echo %~1 is a junction/reparse point - remove the link itself with rd "%~1" ^(no /s^) instead
    exit /b 1
)
takeown /f "%~1" /r /d y
icacls "%~1" /grant administrators:F /t
rd /s /q "%~1"
Ed_P
@oscar

No

attrib -s -h -r %1\*.* /S

needed?
jcw
Ed: sorry for the delay in getting back to your question that you asked above, namely:
"Can you rename the junctions or the folder they are pointing to?"

In my case, they were ostensibly compressed "uninstall" folders in C:\Windows, named:
$NtUninstallKB23971$
$NtUninstallKB41564$

Note that the numbers are 5 digits, not 6 or 7 as in the case of MS KB articles.
It appears that the numbers are random.

In my case, both of those objects pointed to: C:\Windows\system32\config

That was the location (actually, in its systemprofile sub-folder) where the malware stored browsing information (e.g. temp net files, cookies, history, etc.)
/jcw
jcw
Oscar (on Jan. 21)
Ed (on Jan. 22)

I am using WXP. I understand that "takeown" and "icacls" weren't available until after XP (1st in Vista?).
Would have "cacls" helped?

Here's the twist though:
While I could see the 2 objects in Windows Explorer, I could gain no access to them in Win Explorer, including for the purpose of changing their attributes or taking ownership.
But in a command window, either in normal mode or in safe mode, the 2 objects were not listed. So I doubt I would have been able to run any commands in the command window concerning the objects?
I could see the objects in the Windows Recovery Console, which is where they were identified as junctions, but I couldn't delete or remove them in the Recovery Console.
Back in normal mode of Windows, running the junction tool gave me information about the objects, including their target, but I couldn't delete them with that tool.
/jcw

jaclaz
Takeown is there since 2K (in the Resource Kit) if I remember correctly.
Most probably you have to list in a command prompt window hidden (and possibly system) files in order to see those files.

DIR /A should have worked.
http://ss64.com/nt/dir.html

Yes, icacls is the "new version" of cacls.

JFYI, there are a couple good third party freewares, SETACL and FILEACL:
http://sourceforge.net/projects/setacl/
http://www.gbordier.com/gbtools/index.htm
that could as well have worked.


jaclaz
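The procedure the thread converges on (list hidden entries with DIR /A, confirm the fake $NtUninstallKB*$ entries are junctions, retake them with takeown/icacls, then remove them) is pulled together below as an added example; it is not code posted by anyone in this thread. It assumes PowerShell 5.1 or later (for the LinkType and Target properties on Get-Item output) run as an elevated Administrator on a Vista-or-later system or a WinPE build that carries icacls.exe (jcw notes icacls is not on XP itself); $WindowsDir, the Administrators group name and the -Remove switch are illustration choices. The point the thread only hints at is made explicit: because jcw's junctions pointed at C:\Windows\system32\config, any recursive takeown /R, RD /S or Explorer delete that followed the link would have been operating on the registry hives, so the script only ever touches the reparse point itself. Whether takeown.exe follows a junction when given the link path is not documented, so the script omits /R and treats that as an assumption.

```powershell
# Added example, not code from the thread. Triage $NtUninstallKB*$ entries in
# a Windows directory: flag those that are junctions, show the target and the
# DACL of the link itself, and (with -Remove) retake the link and delete only
# the reparse point. Assumes PowerShell 5.1+ (LinkType/Target properties) run
# as an elevated Administrator; $WindowsDir and the 'Administrators' group name
# are assumptions for illustration (point $WindowsDir at the offline drive
# letter when running from BartPE/WinPE).
param(
    [string]$WindowsDir = 'C:\Windows',
    [switch]$Remove          # dry run unless -Remove is given
)

# Include hidden and system entries; a plain DIR in cmd hides them, DIR /A does not.
$entries = Get-ChildItem -LiteralPath $WindowsDir -Filter '$NtUninstall*$' -Force -Directory

foreach ($e in $entries) {
    # A genuine hotfix uninstall folder is an ordinary directory; a junction or
    # symlink under this name is suspicious on its own.
    $isReparse = ($e.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0
    # KB numbers were 6 or 7 digits in the XP era; anything else looks made up.
    $oddName   = $e.Name -notmatch '^\$NtUninstallKB\d{6,7}\$$'

    Write-Output ("{0,-28} reparse={1,-5} oddname={2,-5} {3} -> {4}" -f
        $e.Name, $isReparse, $oddName, $e.LinkType, ($e.Target -join ','))

    if (-not $isReparse) { continue }

    # icacls /L acts on the link, not on what it points to. Look for SYSTEM and
    # Administrators being missing or denied: that is how the "access denied"
    # described in the thread is usually produced.
    & icacls $e.FullName /L 2>&1 | ForEach-Object { "    $_" }

    if (-not $Remove) { continue }

    # takeown has no link-only switch, so do NOT add /R here: recursion would
    # follow the junction into its target (in jcw's case, system32\config).
    # Assumption: without /R takeown acts on the entry named, not its target.
    & takeown /F $e.FullName | Out-Null
    & icacls $e.FullName /grant 'Administrators:F' /L | Out-Null

    # Directory.Delete on a reparse point removes the link and leaves the
    # target alone. An RD /S or Explorer delete that walked through the link
    # would be deleting the registry hives instead of the malware's junction.
    [IO.Directory]::Delete($e.FullName)
    Write-Output "    removed junction $($e.FullName)"
}
```

Run it once without -Remove to see the listing and the link DACLs, then again with -Remove after confirming that every flagged entry is a junction whose target you recognise; a legitimate $NtUninstallKB*$ folder will show reparse=False and is left alone in both modes.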
Invision Power Board © 2001-2013 Invision Power Services, Inc.