A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #12240  by Neurofunk
 Tue Mar 20, 2012 4:00 pm
I reran the new one on my test setup; it killed the junction that was created in C:\Windows, however netbt.sys was still infected by Sirefef according to MSE and TDSSKiller after the Yorkyt.exe scan/removal.
 #12242  by B-boy/StyLe/
 Tue Mar 20, 2012 4:32 pm
I tried it in one case and the tool was unable to delete the symbolic link created by the rootkit.

Here is the Junction log after I asked the user to run the tool...
Code:
Junction v1.06 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.

...\\?\c:\\WINDOWS\$NtUninstallKB55876$\2579806779: SYMBOLIC LINK
   Print Name     : c:\windows\system32\config
   Substitute Name: \systemroot\system32\config

\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
   Print Name     : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
   Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

.\\?\c:\\WINDOWS\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a: JUNCTION
   Print Name     : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492
   Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492
Regards,
Georgi
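As an added example (not code from this thread or from Panda's tool), here is a small Python parser for the Junction v1.06 listing quoted above that flags reparse points matching what the rootkit left behind: a link hidden under a $NtUninstallKB*$ folder whose substitute name is an NT path into system32\config. The sample log and the heuristics are constructed from the entries quoted in this post, so they are assumptions rather than a general detection rule.

```python
import re

# Constructed sample in the format Junction v1.06 prints, adapted from the
# entries quoted in this thread (not the poster's actual log file).
SAMPLE_LOG = r"""Junction v1.06 - Windows junction creator and reparse point viewer

\\?\c:\WINDOWS\$NtUninstallKB55876$\2579806779: SYMBOLIC LINK
   Print Name     : c:\windows\system32\config
   Substitute Name: \systemroot\system32\config

\\?\c:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
   Print Name     : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
   Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
"""

ENTRY_RE = re.compile(r"^(?P<path>\\\\\?\\.+?): (?P<kind>SYMBOLIC LINK|JUNCTION)\s*$")
FIELD_RE = re.compile(r"^\s+(?P<key>Print Name|Substitute Name)\s*:\s*(?P<val>.*?)\s*$")
UNINSTALL_DIR_RE = re.compile(r"\\\$NtUninstallKB\d+\$\\", re.IGNORECASE)

def parse_junction_log(text):
    """Return the reparse points in a Junction log as dicts, in file order."""
    points, current = [], None
    for line in text.splitlines():
        if m := ENTRY_RE.match(line):
            current = {"path": m["path"], "kind": m["kind"], "print_name": "", "substitute_name": ""}
            points.append(current)
        elif (m := FIELD_RE.match(line)) and current is not None:
            key = "print_name" if m["key"] == "Print Name" else "substitute_name"
            current[key] = m["val"]
    return points

def suspicious_reasons(rp):
    """Heuristics taken from this thread's infected case: link hidden in a
    $NtUninstallKB*$ folder, NT-style substitute path, target is the hive folder."""
    reasons = []
    if UNINSTALL_DIR_RE.search(rp["path"]):
        reasons.append("reparse point lives inside a $NtUninstallKB*$ folder")
    if rp["kind"] == "SYMBOLIC LINK" and rp["substitute_name"].lower().startswith("\\systemroot\\"):
        reasons.append("substitute name is an NT path under \\systemroot")
    if "system32\\config" in (rp["print_name"] + rp["substitute_name"]).lower():
        reasons.append("target is the registry hive folder system32\\config")
    return reasons

def find_suspicious(text):
    """Map each suspicious reparse-point path to the reasons it was flagged."""
    return {rp["path"]: r for rp in parse_junction_log(text) if (r := suspicious_reasons(rp))}
```

The legitimate GAC junction has identical print and substitute names and is not flagged; only the entry under $NtUninstallKB55876$ is reported, with all three reasons.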
 #12249  by B-boy/StyLe/
 Wed Mar 21, 2012 12:58 am
@LeastPrivileges

Nope...I gave up and cleaned up the symbolic link using other methods instead.

Nothing was really done by the tool :(
Code:
2012-03-20 15:58:58: Checking for bad folder
2012-03-20 15:58:58: Found 1 folders.
2012-03-20 15:58:58: Checking C:\WINDOWS\assembly\tmp
2012-03-20 15:58:58: ... Folder test returns: 1
2012-03-20 15:58:58: Checking for bad folder
2012-03-20 15:58:58: Found 1 folders.
2012-03-20 15:58:58: Checking C:\WINDOWS\$NtUninstallKB55876$
2012-03-20 15:58:58: ... Folder test returns: 1
2012-03-20 15:59:02: Some drivers where replaced. We need to enforce...
2012-03-20 15:59:02: Drivers replaced:
2012-03-20 15:59:02: 
2012-03-20 15:59:02: Autonomous mode, clearing out yt folder
2012-03-20 15:59:28: Restarting...
Usually I use Gmer => Files => to kill and delete the junction, but Gmer's driver catchme.sys caused a BSOD this time (both for Gmer and ComboFix), so I used alternative methods.

Anyway - the Panda tool failed again in a colleague's topic as well.
Code:
2012-03-20 20:56:49: Checking for bad folder
2012-03-20 20:56:49: Found 1 folders.
2012-03-20 20:56:49: Checking C:\WINDOWS\assembly\tmp
2012-03-20 20:56:49: ... Folder test returns: 1
2012-03-20 20:56:49: Checking for bad folder
2012-03-20 20:56:49: Found 1 folders.
2012-03-20 20:56:49: Checking C:\WINDOWS\$NtUninstallKB22488$
2012-03-20 20:56:49: ... Folder test returns: 1
2012-03-20 20:56:50: Some drivers where replaced. We need to enforce...
2012-03-20 20:56:50: Drivers replaced:
2012-03-20 20:56:50: 
2012-03-20 20:56:50: Autonomous mode, clearing out yt folder
2012-03-20 20:57:55: Restarting...
Hope that helps :)


Regards,
Georgi
 #12256  by LeastPrivileges
 Wed Mar 21, 2012 5:06 pm
I noticed that sometimes the various removal tools have to be run more than once to be able to delete the entire infection. I usually use stand-alone permissions tools on the directories first, then run automated removal tools, it seems to help.
 #12266  by B-boy/StyLe/
 Thu Mar 22, 2012 12:43 pm
LeastPrivileges wrote:I noticed that sometimes the various removal tools have to be run more than once to be able to delete the entire infection. I usually use stand-alone permissions tools on the directories first, then run automated removal tools, it seems to help.

Hi again,

Yeah, ZA may mess up a lot of things, so various tools should be run to fix it, depending on the situation.
But as you can see in the topics above, I had already granted permissions to that folder using inherit and grantperm before I ran the Panda tool.
Also it seems that the tool uses xcacls.exe to reset the permissions on the C:\Windows\$NtUninstallKBxxxx$ folder by itself.
Also I don't know if it uses fsutil reparsepoint delete C:\Windows\$NtUninstallKBxxxx$ to break the junction, but the symbolic link was still there.
Check this out too => http://forums.majorgeeks.com/showpost.p ... stcount=11
I ran the Panda yorkyt.exe which found the services & said it had cleaned the infection but the services are still there. I have uploaded the log.

Don't treat me badly. This is a very promising tool but it needs a little update. :)


Regards,
Georgi