Panda ZeroAccess/Sirefef Removal

par **Malekal_morte** » 02 avr. 2012 11:28

Panda sort son fix pour supprimer le malware : ZeroAccess / Sirefef.

La page pour télécharger l'outil est disponible à cette adresse : http://www.pandasecurity.com/usa/homeus ... idIdioma=2

Le fix se présente sous le nom yorkyt.exe avec l'icône Panda.

Pour rappel, un billet récapitule la liste des fix pour supprimer ZeroAccess / Sirefef : https://www.malekal.com/2012/03/04/sire ... antivirus/
~~

Après le lancement, le programme nécessite un redémarrage :

Après le redémarrage, le fix se relance

Si l'infection ZeroAccess/Sirefef est détectée, le fix vous informe des modifications effectuées sur le système pour le supprimer et necessite à nouveau un redémarrage :

Au redémarrage, si tout s'est bien passé le message Cleanup Completed s'affiche :

Un coup de Malwarebyte Anti-Malware permet de supprimer les restes :

Notamment le faux crack/keygen qui était en réalité un dropper ZeroAccess/Sirefef et les éléments dans %TEMP% nécessaire à l'installation de l'infection :

Dossier(s) détecté(s): 1
C:\WINDOWS\system32\lowsec (Stolen.data) -> Mis en quarantaine et supprimé avec succès.

Fichier(s) détecté(s): 17
C:\Documents and Settings\Mak\Bureau\SoftSphere_DefenseWall_HIPS_v1_keygen.exe (Rootkit.0Access) -> Mis en quarantaine et supprimé avec succès.
C:\WINDOWS\system32\exfat.dll (Rootkit.0Access) -> Mis en quarantaine et supprimé avec succès.
C:\WINDOWS\Temp\yt\GetFiles\badfiles\[email protected] (Backdoor.0Access) -> Mis en quarantaine et supprimé avec succès.
C:\WINDOWS\Temp\yt\GetFiles\badfiles\[email protected] (Trojan.Agent) -> Mis en quarantaine et supprimé avec succès.
C:\WINDOWS\Temp\yt\GetFiles\badfiles\[email protected] (Trojan.Agent) -> Mis en quarantaine et supprimé avec succès.
C:\WINDOWS\Temp\yt\GetFiles\badfiles\[email protected] (Rootkit.0Access.H) -> Mis en quarantaine et supprimé avec succès.
C:\WINDOWS\Temp\yt\GetFiles\badfiles\[email protected] (Rootkit.0Access) -> Mis en quarantaine et supprimé avec succès.
C:\WINDOWS\Temp\yt\GetFiles\badfiles\[email protected] (Rootkit.0Access.H) -> Mis en quarantaine et supprimé avec succès.
C:\WINDOWS\Temp\yt\GetFiles\badfiles\[email protected] (Rootkit.0Access.H) -> Mis en quarantaine et supprimé avec succès.
C:\WINDOWS\Temp\yt\GetFiles\badfiles\SHELL.X.bad (Rootkit.0Access) -> Mis en quarantaine et supprimé avec succès.
C:\WINDOWS\Temp\yt\GetFiles\badfiles\X.BAD.2 (Rootkit.0Access) -> Mis en quarantaine et supprimé avec succès.
C:\Documents and Settings\LocalService\Local Settings\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb (Rootkit.Zeroaccess) -> Suppression au redémarrage.
C:\Documents and Settings\Mak\Local Settings\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb (Rootkit.Zeroaccess) -> Suppression au redémarrage.
C:\Documents and Settings\NetworkService\Local Settings\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb (Rootkit.Zeroaccess) -> Suppression au redémarrage.
C:\WINDOWS\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb (Rootkit.Zeroaccess) -> Suppression au redémarrage.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Mis en quarantaine et supprimé avec succès.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Mis en quarantaine et supprimé avec succès.

(fin)

~~

Le fix de Panda créé un rapport (yorkyt.exe.log) dans le répertoire d'où a été lancé le fix :

2012-04-02 10:48:34: ****************************************************
2012-04-02 10:48:34: Starting UP ... v 0.0.0.192
2012-04-02 10:48:34: ****************************************************
2012-04-02 10:48:34: Listing processes...
2012-04-02 10:48:34: :[System Process]:0
2012-04-02 10:48:34: :System:4
2012-04-02 10:48:34: :smss.exe:596
2012-04-02 10:48:34: :csrss.exe:660
2012-04-02 10:48:34: :winlogon.exe:684
2012-04-02 10:48:34: :services.exe:728
2012-04-02 10:48:34: :lsass.exe:740
2012-04-02 10:48:34: :vmacthlp.exe:896
2012-04-02 10:48:34: :svchost.exe:908
2012-04-02 10:48:34: :svchost.exe:988
2012-04-02 10:48:34: :svchost.exe:1068
2012-04-02 10:48:34: :svchost.exe:1132
2012-04-02 10:48:34: :svchost.exe:1184
2012-04-02 10:48:34: :spoolsv.exe:1596
2012-04-02 10:48:34: :explorer.exe:1656
2012-04-02 10:48:34: :VMwareTray.exe:1740
2012-04-02 10:48:34: :vmtoolsd.exe:1760
2012-04-02 10:48:34: :ctfmon.exe:1768
2012-04-02 10:48:34: :msmsgs.exe:1780
2012-04-02 10:48:34: :reader_sl.exe:1812
2012-04-02 10:48:34: :jqs.exe:2032
2012-04-02 10:48:34: :winvnc.exe:272
2012-04-02 10:48:34: :vmtoolsd.exe:456
2012-04-02 10:48:34: :alg.exe:1580
2012-04-02 10:48:34: :wmiprvse.exe:2868
2012-04-02 10:48:34: :wuauclt.exe:3996
2012-04-02 10:48:34: :procexp.exe:2368
2012-04-02 10:48:34: :firefox.exe:2580
2012-04-02 10:48:34: :yorkyt.exe:3708
2012-04-02 10:48:34: :wmiprvse.exe:3736
2012-04-02 10:48:34:
2012-04-02 10:48:34: Setting restore point
2012-04-02 10:48:37: Determining autonomous or dropped mode...
2012-04-02 10:48:37: Autonomus mode
2012-04-02 10:48:37: Installing drivers...
2012-04-02 10:48:39: Checking that it installed...
2012-04-02 10:48:39: Driver is installed...
2012-04-02 10:48:39: cmd.exe /c start "C:\Documents and Settings\Mak\Mes documents\Downloads\yorkyt.exe"
2012-04-02 10:48:44: Restarting...
2012-04-02 10:49:36: ****************************************************
2012-04-02 10:49:36: Starting UP ... v 0.0.0.192
2012-04-02 10:49:36: ****************************************************
2012-04-02 10:49:36: Listing processes...
2012-04-02 10:49:36: :[System Process]:0
2012-04-02 10:49:36: :System:4
2012-04-02 10:49:36: :smss.exe:580
2012-04-02 10:49:36: :csrss.exe:644
2012-04-02 10:49:36: :winlogon.exe:668
2012-04-02 10:49:36: :services.exe:712
2012-04-02 10:49:36: :lsass.exe:724
2012-04-02 10:49:36: :vmacthlp.exe:876
2012-04-02 10:49:36: :svchost.exe:892
2012-04-02 10:49:36: :svchost.exe:972
2012-04-02 10:49:36: :svchost.exe:1056
2012-04-02 10:49:36: :svchost.exe:1108
2012-04-02 10:49:36: :svchost.exe:1176
2012-04-02 10:49:36: :userinit.exe:1528
2012-04-02 10:49:36: :spoolsv.exe:1588
2012-04-02 10:49:36: :explorer.exe:1616
2012-04-02 10:49:36: :yorkyt.exe:1684
2012-04-02 10:49:36: :winvnc.exe:1728
2012-04-02 10:49:36: :VMwareTray.exe:1736
2012-04-02 10:49:36: :vmtoolsd.exe:1744
2012-04-02 10:49:36: :ctfmon.exe:1752
2012-04-02 10:49:36: :msmsgs.exe:1760
2012-04-02 10:49:36: :reader_sl.exe:1788
2012-04-02 10:49:36: :jqs.exe:2000
2012-04-02 10:49:36: :winvnc.exe:180
2012-04-02 10:49:36: :vmtoolsd.exe:320
2012-04-02 10:49:36: :wmiprvse.exe:596
2012-04-02 10:49:36: :alg.exe:1328
2012-04-02 10:49:36:
2012-04-02 10:49:36: RUN mode
2012-04-02 10:49:36: Determining autonomous or dropped mode...
2012-04-02 10:49:36: Autonomus mode
2012-04-02 10:49:36: Waiting for Explorer.exe...
2012-04-02 10:50:06: Launching parsers...
2012-04-02 10:50:06: ---------------------------------------------------------------------
2012-04-02 10:50:06: Found Service: Alerter
2012-04-02 10:50:06: Real Path: C:\WINDOWS\system32\alrsvc.dll
2012-04-02 10:50:06: Display Name: Avertissement
2012-04-02 10:50:06: Description: Informe les utilisateurs et les ordinateurs sélectionnés des alertes administratives. Si ce service est arrêté, les programmes qui utilisent les alertes administratives ne les recevront pas. Si ce service est désactivé, les services qui en dépendent ne pourront pas démarrer.
2012-04-02 10:50:06: ServiceDLL: system32\alrsvc.dll
2012-04-02 10:50:06: File size: 17408
2012-04-02 10:50:06: DLL File name: alrsvc.dll
2012-04-02 10:50:06: Original File Name: ALRSVC.DLL
2012-04-02 10:50:06: Company:
2012-04-02 10:50:06: Mod/Cre/Acc time: 20040819170920 20010828140000 20120402105006
2012-04-02 10:50:06: ---------------------------------------------------------------------
2012-04-02 10:50:06: Found Service: AppMgmt
2012-04-02 10:50:06: Real Path: C:\WINDOWS\System32\appmgmts.dll
2012-04-02 10:50:06: Display Name: Gestion d'applications
2012-04-02 10:50:06: Description: Fournit des services d'installation de logiciels tels que Attribuer, Publier et Supprimer.
2012-04-02 10:50:06: ServiceDLL: System32\appmgmts.dll
2012-04-02 10:50:06: File size: 176640
2012-04-02 10:50:06: DLL File name: appmgmts.dll
2012-04-02 10:50:06: Original File Name: appmgmts.dll
2012-04-02 10:50:06: Company:
2012-04-02 10:50:06: Mod/Cre/Acc time: 20040819170920 20010828140000 20120402105006
2012-04-02 10:50:06: ---------------------------------------------------------------------
2012-04-02 10:50:06: Found Service: AudioSrv
2012-04-02 10:50:06: Real Path: C:\WINDOWS\System32\audiosrv.dll
2012-04-02 10:50:06: Display Name: Audio Windows
2012-04-02 10:50:06: Description: Gère les périphériques audio pour les programmes basés sur Windows. Si ce service est arrêté, les périphériques et les effets audio ne fonctionneront pas correctement. Si ce service est désactivé, les services en dépendant explicitement ne démarreront pas.
2012-04-02 10:50:06: ServiceDLL: System32\audiosrv.dll
2012-04-02 10:50:06: File size: 42496
2012-04-02 10:50:06: DLL File name: audiosrv.dll
2012-04-02 10:50:06: Original File Name: audiosrv.dll
2012-04-02 10:50:06: Company:
2012-04-02 10:50:06: Mod/Cre/Acc time: 20040819170922 20010828140000 20120402104617
2012-04-02 10:50:06: ---------------------------------------------------------------------
2012-04-02 10:50:06: Found Service: BITS
2012-04-02 10:50:06: Real Path: C:\WINDOWS\System32\qmgr.dll
2012-04-02 10:50:06: Display Name: Service de transfert intelligent en arrière-plan
2012-04-02 10:50:06: Description: Transfère des fichiers en tâche de fond en utilisant la bande passante du réseau lors de ses périodes d'inactivité. Si le service est arrêté, des fonctionnalités telles que Windows Update et MSN Explorer ne pourront plus télécharger automatiquement des programmes et d'autres informations. Si ce service est désactivé, tous les services qui en dépendent explicitement peuvent présenter des problèmes de transfert de fichiers s'ils ne disposent pas d'un mécanisme sûr de remplacement pour transférer les fichier
2012-04-02 10:50:06: ServiceDLL: System32\qmgr.dll
2012-04-02 10:50:06: File size: 382464
2012-04-02 10:50:06: DLL File name: qmgr.dll
2012-04-02 10:50:06: Original File Name: qmgr.dll
2012-04-02 10:50:06: Company:
2012-04-02 10:50:06: Mod/Cre/Acc time: 20040819170940 20091114123458 20120402105006
2012-04-02 10:50:06: ---------------------------------------------------------------------
2012-04-02 10:50:06: Found Service: Browser
2012-04-02 10:50:06: Real Path: C:\WINDOWS\System32\browser.dll
2012-04-02 10:50:06: Display Name: Explorateur d'ordinateur
2012-04-02 10:50:06: Description: Tient à jour une liste des ordinateurs présents sur le réseau et fournit cette liste aux ordinateurs désignés comme navigateurs. Si ce service est arrêté, la liste ne sera pas mise ou tenue à jour. Si ce service est désactivé, les services qui en dépendent ne pourront pas démarrer.
2012-04-02 10:50:06: ServiceDLL: System32\browser.dll
2012-04-02 10:50:06: File size: 77312
2012-04-02 10:50:06: DLL File name: browser.dll
2012-04-02 10:50:06: Original File Name: browser.dll
2012-04-02 10:50:06: Company:
2012-04-02 10:50:06: Mod/Cre/Acc time: 20040819170922 20010828140000 20120402104617
2012-04-02 10:50:06: ---------------------------------------------------------------------
2012-04-02 10:50:06: Found Service: CryptSvc
2012-04-02 10:50:06: Real Path: C:\WINDOWS\System32\cryptsvc.dll
2012-04-02 10:50:06: Display Name: Services de cryptographie
2012-04-02 10:50:06: Description: Fournit trois services de gestion : le service de base de données de catalogue, qui confirme la signature des fichiers Windows; le service de racine protégée, qui ajoute et supprime des certificats d'autorité de certification de racine approuvés et le service Clé, qui fournit une aide dans l'inscription de cet ordinateur pour les certificats. Si ce service est arrêté, ces services de gestion ne fonctionneront pas correctement. Si ce service est désactivé, tout service en dépendant explicitement ne démarrera pas.
2012-04-02 10:50:06: ServiceDLL: System32\cryptsvc.dll
2012-04-02 10:50:06: File size: 60416
2012-04-02 10:50:06: DLL File name: cryptsvc.dll
2012-04-02 10:50:06: Original File Name: cryptsvc.dll
2012-04-02 10:50:06: Company:
2012-04-02 10:50:06: Mod/Cre/Acc time: 20040819170922 20010828140000 20120402104617
2012-04-02 10:50:06: ---------------------------------------------------------------------
2012-04-02 10:50:06: Found Service: DcomLaunch
2012-04-02 10:50:06: Real Path: C:\WINDOWS\system32\rpcss.dll
2012-04-02 10:50:06: Display Name: Lanceur de processus serveur DCOM
2012-04-02 10:50:06: Description: Fournit la fonctionnalité de lancement des services DCOM.
2012-04-02 10:50:06: ServiceDLL: system32\rpcss.dll
2012-04-02 10:50:06: File size: 395776
2012-04-02 10:50:06: DLL File name: rpcss.dll
2012-04-02 10:50:06: Original File Name: rpcss.dll
2012-04-02 10:50:06: Company:
2012-04-02 10:50:06: Mod/Cre/Acc time: 20040819170940 20010828140000 20120402104321
2012-04-02 10:50:06: ---------------------------------------------------------------------
2012-04-02 10:50:06: Found Service: Dhcp
2012-04-02 10:50:06: Real Path: C:\WINDOWS\System32\dhcpcsvc.dll
2012-04-02 10:50:06: Display Name: Client DHCP
2012-04-02 10:50:06: Description: Gère la configuration réseau en inscrivant et en mettant à jour les adresses IP et les noms DNS.
2012-04-02 10:50:06: ServiceDLL: System32\dhcpcsvc.dll
2012-04-02 10:50:06: File size: 111616
2012-04-02 10:50:06: DLL File name: dhcpcsvc.dll
2012-04-02 10:50:06: Original File Name: dhcpcsvc.dll
2012-04-02 10:50:06: Company:
2012-04-02 10:50:06: Mod/Cre/Acc time: 20040819170924 20010828140000 20120402104617
2012-04-02 10:50:06: ---------------------------------------------------------------------
2012-04-02 10:50:06: Found Service: dmserver
2012-04-02 10:50:06: Real Path: C:\WINDOWS\System32\dmserver.dll
2012-04-02 10:50:06: Display Name: Gestionnaire de disque logique
2012-04-02 10:50:06: Description: Détecte et analyse de nouveaux lecteurs de disque durs et envoie les informations de volume de disque au service gestionnaire administratif de disque logique pour la configuration. Si ce service est arrêté, l'état des disques dynamiques et les informations de configuration peuvent devenir obsolètes. Si ce service est désactivé, tout service en dépendant explicitement ne démarrera pas.
2012-04-02 10:50:06: ServiceDLL: System32\dmserver.dll
2012-04-02 10:50:06: File size: 24576
2012-04-02 10:50:06: DLL File name: dmserver.dll
2012-04-02 10:50:06: Original File Name: dmserver.dll
2012-04-02 10:50:06: Company:
2012-04-02 10:50:06: Mod/Cre/Acc time: 20040819170924 20010828140000 20120402104617
2012-04-02 10:50:06: ---------------------------------------------------------------------
2012-04-02 10:50:06: Found Service: Dnscache
2012-04-02 10:50:06: Real Path: C:\WINDOWS\System32\dnsrslvr.dll
2012-04-02 10:50:06: Display Name: Client DNS
2012-04-02 10:50:06: Description: Résout et met en cache les noms DNS pour cet ordinateur. Si ce service est arrêté, l'ordinateur ne pourra pas résoudre les noms DNS et trouver les contrôleurs de domaine Active Directory. Si ce service est désactivé, les services qui en dépendent ne pourront pas démarrer.
2012-04-02 10:50:06: ServiceDLL: System32\dnsrslvr.dll
2012-04-02 10:50:06: File size: 45568
2012-04-02 10:50:06: DLL File name: dnsrslvr.dll
2012-04-02 10:50:06: Original File Name: dnsrslvr.dll
2012-04-02 10:50:06: Company:
2012-04-02 10:50:06: Mod/Cre/Acc time: 20040819170924 20010828140000 20120402104617
2012-04-02 10:50:06: !!!!!!!
2012-04-02 10:50:06: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
2012-04-02 10:50:06: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
2012-04-02 10:50:06: Found Service: easdrv
2012-04-02 10:50:06: Real Path: C:\WINDOWS\system32\exfat.dll
2012-04-02 10:50:06: Display Name: NPPTNT
2012-04-02 10:50:06: Description: New service would allow parents to control their children's online activity.
2012-04-02 10:50:06: ServiceDLL: system32\exfat.dll
2012-04-02 10:50:06: File size: 5120
2012-04-02 10:50:06: DLL File name: exfat.dll
2012-04-02 10:50:06: Original File Name: adserxvice.exe
2012-04-02 10:50:06: Company:
2012-04-02 10:50:06: Mod/Cre/Acc time: 20040819171004 20010828140000 20120402104630
2012-04-02 10:50:06: !!!!!!!!!
2012-04-02 10:50:06:
2012-04-02 10:50:06: Looking for SHELL key
2012-04-02 10:50:06: HKCU WINLOGON SHELL: C:\DOCUMENTS AND SETTINGS\MAK\LOCAL SETTINGS\APPLICATION DATA\3451974D\X
2012-04-02 10:50:06: Folder: C:\DOCUMENTS AND SETTINGS\MAK\LOCAL SETTINGS\APPLICATION DATA\3451974D\
2012-04-02 10:50:06: File: X
2012-04-02 10:50:06: ...Will request C:\DOCUMENTS AND SETTINGS\MAK\LOCAL SETTINGS\APPLICATION DATA\3451974D\X
2012-04-02 10:50:06: ... New user shell: EXPLORER.EXE,
2012-04-02 10:50:06: Checking for bad folder
2012-04-02 10:50:06: Found 1 folders.
2012-04-02 10:50:06: Checking C:\DOCUMENTS AND SETTINGS\MAK\LOCAL SETTINGS\APPLICATION DATA\3451974d
2012-04-02 10:50:06: ... Folder test returns: 1
2012-04-02 10:50:06: Bad Folder found: 3451974d
2012-04-02 10:50:06: ... Unhidding
2012-04-02 10:50:06: ... Parse Point: 1 0
2012-04-02 10:50:06: ... Folder: C:\DOCUMENTS AND SETTINGS\MAK\LOCAL SETTINGS\APPLICATION DATA\3451974d\U
2012-04-02 10:50:07: ... File: C:\DOCUMENTS AND SETTINGS\MAK\LOCAL SETTINGS\APPLICATION DATA\3451974d\@
2012-04-02 10:50:07: ... File: C:\DOCUMENTS AND SETTINGS\MAK\LOCAL SETTINGS\APPLICATION DATA\3451974d\X.BAD
2012-04-02 10:50:07: ... File: C:\DOCUMENTS AND SETTINGS\MAK\LOCAL SETTINGS\APPLICATION DATA\3451974d\U\[email protected]
2012-04-02 10:50:07: ... File: C:\DOCUMENTS AND SETTINGS\MAK\LOCAL SETTINGS\APPLICATION DATA\3451974d\U\[email protected]
2012-04-02 10:50:07: ... File: C:\DOCUMENTS AND SETTINGS\MAK\LOCAL SETTINGS\APPLICATION DATA\3451974d\U\[email protected]
2012-04-02 10:50:07: ... File: C:\DOCUMENTS AND SETTINGS\MAK\LOCAL SETTINGS\APPLICATION DATA\3451974d\U\[email protected]
2012-04-02 10:50:07: ... File: C:\DOCUMENTS AND SETTINGS\MAK\LOCAL SETTINGS\APPLICATION DATA\3451974d\U\[email protected]
2012-04-02 10:50:07: ... File: C:\DOCUMENTS AND SETTINGS\MAK\LOCAL SETTINGS\APPLICATION DATA\3451974d\U\[email protected]
2012-04-02 10:50:07: ... File: C:\DOCUMENTS AND SETTINGS\MAK\LOCAL SETTINGS\APPLICATION DATA\3451974d\U\[email protected]
2012-04-02 10:50:07: ... File: C:\DOCUMENTS AND SETTINGS\MAK\LOCAL SETTINGS\APPLICATION DATA\3451974d\U\[email protected]
2012-04-02 10:50:10: Folder: GAC
2012-04-02 10:50:10: Folder: GAC_32
2012-04-02 10:50:10: Folder: GAC_MSIL
2012-04-02 10:50:10: ... Fixing permissions on C:\WINDOWS\assembly\GAC_MSIL\desktop.ini
2012-04-02 10:50:10: Folder: NativeImages_v2.0.50727_32
2012-04-02 10:50:10: Folder: NativeImages_v4.0.30319_32
2012-04-02 10:50:10: Folder: temp
2012-04-02 10:50:10: Folder: tmp
2012-04-02 10:50:10: Checking for bad folder
2012-04-02 10:50:10: Found 1 folders.
2012-04-02 10:50:10: Checking C:\WINDOWS\assembly\tmp
2012-04-02 10:50:10: ... Folder test returns: 1
2012-04-02 10:50:10: Checking for bad folder
2012-04-02 10:50:10: Found 1 folders.
2012-04-02 10:50:10: Checking C:\WINDOWS\$NtUninstallKB23779$
2012-04-02 10:50:10: ... Folder test returns: 0
2012-04-02 10:50:10: Bad Folder found: $NtUninstallKB23779$
2012-04-02 10:50:10: ... Unhidding
2012-04-02 10:50:11: ... Parse Point: 0 0
2012-04-02 10:50:11: ... Deleting parse point
2012-04-02 10:50:11: ... Folder: C:\WINDOWS\$NtUninstallKB23779$\877762381
2012-04-02 10:50:11: ... Unhidding folder C:\WINDOWS\$NtUninstallKB23779$\877762381
2012-04-02 10:50:11: ... Folder: C:\WINDOWS\$NtUninstallKB23779$\877762381\loader.tlb
2012-04-02 10:50:11: ... Unhidding folder C:\WINDOWS\$NtUninstallKB23779$\877762381\loader.tlb
2012-04-02 10:50:11: ... Folder: C:\WINDOWS\$NtUninstallKB23779$\877762381
2012-04-02 10:50:11: ... Folder: C:\WINDOWS\$NtUninstallKB23779$\877762381\L
2012-04-02 10:50:11: ... Folder: C:\WINDOWS\$NtUninstallKB23779$\877762381\U
2012-04-02 10:50:11: ... File: C:\WINDOWS\$NtUninstallKB23779$\3685830877
2012-04-02 10:50:11: ... Breaking file junction C:\WINDOWS\$NtUninstallKB23779$\3685830877
2012-04-02 10:50:11: ... File: C:\WINDOWS\$NtUninstallKB23779$\877762381\@
2012-04-02 10:50:11: ... File: C:\WINDOWS\$NtUninstallKB23779$\877762381\loader.tlb
2012-04-02 10:50:11: ... File: C:\WINDOWS\$NtUninstallKB23779$\877762381\L\akygdmgo
2012-04-02 10:50:11: ... File: C:\WINDOWS\$NtUninstallKB23779$\877762381\U\@00000001
2012-04-02 10:50:11: ... File: C:\WINDOWS\$NtUninstallKB23779$\877762381\U\@000000c0
2012-04-02 10:50:11: ... File: C:\WINDOWS\$NtUninstallKB23779$\877762381\U\@000000cb
2012-04-02 10:50:11: ... File: C:\WINDOWS\$NtUninstallKB23779$\877762381\U\@000000cf
2012-04-02 10:50:11: ... File: C:\WINDOWS\$NtUninstallKB23779$\877762381\U\@80000000
2012-04-02 10:50:11: ... File: C:\WINDOWS\$NtUninstallKB23779$\877762381\U\@800000c0
2012-04-02 10:50:11: ... File: C:\WINDOWS\$NtUninstallKB23779$\877762381\U\@800000cb
2012-04-02 10:50:11: ... File: C:\WINDOWS\$NtUninstallKB23779$\877762381\U\@800000cf
2012-04-02 10:50:11: Requesting bad file: C:\DOCUMENTS AND SETTINGS\MAK\LOCAL SETTINGS\APPLICATION DATA\3451974d\@
2012-04-02 10:50:11: Requesting bad file: C:\DOCUMENTS AND SETTINGS\MAK\LOCAL SETTINGS\APPLICATION DATA\3451974d\X.BAD
2012-04-02 10:50:11: Requesting bad file: C:\DOCUMENTS AND SETTINGS\MAK\LOCAL SETTINGS\APPLICATION DATA\3451974d\U\[email protected]
2012-04-02 10:50:11: Requesting bad file: C:\DOCUMENTS AND SETTINGS\MAK\LOCAL SETTINGS\APPLICATION DATA\3451974d\U\[email protected]
2012-04-02 10:50:11: Requesting bad file: C:\DOCUMENTS AND SETTINGS\MAK\LOCAL SETTINGS\APPLICATION DATA\3451974d\U\[email protected]
2012-04-02 10:50:11: Requesting bad file: C:\DOCUMENTS AND SETTINGS\MAK\LOCAL SETTINGS\APPLICATION DATA\3451974d\U\[email protected]
2012-04-02 10:50:11: Requesting bad file: C:\DOCUMENTS AND SETTINGS\MAK\LOCAL SETTINGS\APPLICATION DATA\3451974d\U\[email protected]
2012-04-02 10:50:11: Requesting bad file: C:\DOCUMENTS AND SETTINGS\MAK\LOCAL SETTINGS\APPLICATION DATA\3451974d\U\[email protected]
2012-04-02 10:50:11: Requesting bad file: C:\DOCUMENTS AND SETTINGS\MAK\LOCAL SETTINGS\APPLICATION DATA\3451974d\U\[email protected]
2012-04-02 10:50:11: Requesting bad file: C:\DOCUMENTS AND SETTINGS\MAK\LOCAL SETTINGS\APPLICATION DATA\3451974d\U\[email protected]
2012-04-02 10:50:11: Requesting bad file: C:\WINDOWS\assembly\GAC_MSIL\desktop.ini
2012-04-02 10:50:11: Requesting bad file: C:\WINDOWS\$NtUninstallKB23779$\3685830877
2012-04-02 10:50:11: Requesting bad file: C:\WINDOWS\$NtUninstallKB23779$\877762381\@
2012-04-02 10:50:11: Requesting bad file: C:\WINDOWS\$NtUninstallKB23779$\877762381\loader.tlb
2012-04-02 10:50:11: Requesting bad file: C:\WINDOWS\$NtUninstallKB23779$\877762381\L\akygdmgo
2012-04-02 10:50:11: Requesting bad file: C:\WINDOWS\$NtUninstallKB23779$\877762381\U\@00000001
2012-04-02 10:50:11: Requesting bad file: C:\WINDOWS\$NtUninstallKB23779$\877762381\U\@000000c0
2012-04-02 10:50:12: Requesting bad file: C:\WINDOWS\$NtUninstallKB23779$\877762381\U\@000000cb
2012-04-02 10:50:12: Requesting bad file: C:\WINDOWS\$NtUninstallKB23779$\877762381\U\@000000cf
2012-04-02 10:50:12: Requesting bad file: C:\WINDOWS\$NtUninstallKB23779$\877762381\U\@80000000
2012-04-02 10:50:12: Requesting bad file: C:\WINDOWS\$NtUninstallKB23779$\877762381\U\@800000c0
2012-04-02 10:50:12: Requesting bad file: C:\WINDOWS\$NtUninstallKB23779$\877762381\U\@800000cb
2012-04-02 10:50:12: Requesting bad file: C:\WINDOWS\$NtUninstallKB23779$\877762381\U\@800000cf
2012-04-02 10:50:12: Running Extractor
2012-04-02 10:50:15: Uploading file
2012-04-02 10:50:20: Locking file: C:\DOCUMENTS AND SETTINGS\MAK\LOCAL SETTINGS\APPLICATION DATA\3451974d\@
2012-04-02 10:50:20: Locking file: C:\DOCUMENTS AND SETTINGS\MAK\LOCAL SETTINGS\APPLICATION DATA\3451974d\X.BAD
2012-04-02 10:50:20: Locking file: C:\DOCUMENTS AND SETTINGS\MAK\LOCAL SETTINGS\APPLICATION DATA\3451974d\U\[email protected]
2012-04-02 10:50:20: Locking file: C:\DOCUMENTS AND SETTINGS\MAK\LOCAL SETTINGS\APPLICATION DATA\3451974d\U\[email protected]
2012-04-02 10:50:20: Locking file: C:\DOCUMENTS AND SETTINGS\MAK\LOCAL SETTINGS\APPLICATION DATA\3451974d\U\[email protected]
2012-04-02 10:50:20: Locking file: C:\DOCUMENTS AND SETTINGS\MAK\LOCAL SETTINGS\APPLICATION DATA\3451974d\U\[email protected]
2012-04-02 10:50:21: Locking file: C:\DOCUMENTS AND SETTINGS\MAK\LOCAL SETTINGS\APPLICATION DATA\3451974d\U\[email protected]
2012-04-02 10:50:21: Locking file: C:\DOCUMENTS AND SETTINGS\MAK\LOCAL SETTINGS\APPLICATION DATA\3451974d\U\[email protected]
2012-04-02 10:50:21: Locking file: C:\DOCUMENTS AND SETTINGS\MAK\LOCAL SETTINGS\APPLICATION DATA\3451974d\U\[email protected]
2012-04-02 10:50:21: Locking file: C:\DOCUMENTS AND SETTINGS\MAK\LOCAL SETTINGS\APPLICATION DATA\3451974d\U\[email protected]
2012-04-02 10:50:21: Locking file: C:\WINDOWS\assembly\GAC_MSIL\desktop.ini
2012-04-02 10:50:21: Locking file: C:\WINDOWS\$NtUninstallKB23779$\3685830877
2012-04-02 10:50:21: Locking file: C:\WINDOWS\$NtUninstallKB23779$\877762381\@
2012-04-02 10:50:21: Locking file: C:\WINDOWS\$NtUninstallKB23779$\877762381\loader.tlb
2012-04-02 10:50:21: Locking file: C:\WINDOWS\$NtUninstallKB23779$\877762381\L\akygdmgo
2012-04-02 10:50:21: Locking file: C:\WINDOWS\$NtUninstallKB23779$\877762381\U\@00000001
2012-04-02 10:50:21: Locking file: C:\WINDOWS\$NtUninstallKB23779$\877762381\U\@000000c0
2012-04-02 10:50:21: Locking file: C:\WINDOWS\$NtUninstallKB23779$\877762381\U\@000000cb
2012-04-02 10:50:21: Locking file: C:\WINDOWS\$NtUninstallKB23779$\877762381\U\@000000cf
2012-04-02 10:50:21: Locking file: C:\WINDOWS\$NtUninstallKB23779$\877762381\U\@80000000
2012-04-02 10:50:21: Locking file: C:\WINDOWS\$NtUninstallKB23779$\877762381\U\@800000c0
2012-04-02 10:50:21: Locking file: C:\WINDOWS\$NtUninstallKB23779$\877762381\U\@800000cb
2012-04-02 10:50:21: Locking file: C:\WINDOWS\$NtUninstallKB23779$\877762381\U\@800000cf
2012-04-02 10:50:21: Some drivers where replaced. We need to enforce...
2012-04-02 10:50:21: Drivers replaced:
2012-04-02 10:50:21:
2012-04-02 10:50:21: Autonomous mode, clearing out yt folder
2012-04-02 10:50:21: cmd.exe /c start "C:\Documents and Settings\Mak\Mes documents\Downloads\yorkyt.exe"
2012-04-02 10:55:31: Restarting...
2012-04-02 10:56:22: ****************************************************
2012-04-02 10:56:22: Starting UP ... v 0.0.0.192
2012-04-02 10:56:22: ****************************************************
2012-04-02 10:56:22: Listing processes...
2012-04-02 10:56:22: :[System Process]:0
2012-04-02 10:56:22: :System:4
2012-04-02 10:56:22: :smss.exe:580
2012-04-02 10:56:22: :csrss.exe:644
2012-04-02 10:56:22: :winlogon.exe:668
2012-04-02 10:56:22: :services.exe:712
2012-04-02 10:56:22: :lsass.exe:724
2012-04-02 10:56:22: :vmacthlp.exe:876
2012-04-02 10:56:22: :svchost.exe:892
2012-04-02 10:56:22: :svchost.exe:972
2012-04-02 10:56:22: :svchost.exe:1052
2012-04-02 10:56:22: :svchost.exe:1112
2012-04-02 10:56:22: :svchost.exe:1168
2012-04-02 10:56:22: :userinit.exe:1516
2012-04-02 10:56:22: :explorer.exe:1532
2012-04-02 10:56:22: :spoolsv.exe:1576
2012-04-02 10:56:22: :yorkyt.exe:1652
2012-04-02 10:56:22: :winvnc.exe:1716
2012-04-02 10:56:22: :VMwareTray.exe:1724
2012-04-02 10:56:22: :vmtoolsd.exe:1732
2012-04-02 10:56:22: :ctfmon.exe:1740
2012-04-02 10:56:22: :msmsgs.exe:1748
2012-04-02 10:56:22: :reader_sl.exe:1764
2012-04-02 10:56:22: :jqs.exe:1964
2012-04-02 10:56:22: :winvnc.exe:136
2012-04-02 10:56:22: :vmtoolsd.exe:424
2012-04-02 10:56:22: :wmiprvse.exe:1032
2012-04-02 10:56:22: :alg.exe:1240
2012-04-02 10:56:22:
2012-04-02 10:56:22: Starting cleanup mode...
2012-04-02 10:56:24: At item: 1 C:\WINDOWS\$NtUninstallKB23779$\877762381
2012-04-02 10:56:24: At item: 2 C:\WINDOWS\$NtUninstallKB23779$\3685830877
2012-04-02 10:56:24: At item: 3 C:\WINDOWS\$NtUninstallKB23779$\877762381\@
2012-04-02 10:56:24: At item: 4 C:\WINDOWS\$NtUninstallKB23779$\877762381\loader.tlb
2012-04-02 10:56:24: At item: 5 C:\WINDOWS\$NtUninstallKB23779$\877762381\L\akygdmgo
2012-04-02 10:56:25: At item: 6 C:\WINDOWS\$NtUninstallKB23779$\877762381\U\@00000001
2012-04-02 10:56:25: At item: 7 C:\WINDOWS\$NtUninstallKB23779$\877762381\U\@000000c0
2012-04-02 10:56:25: At item: 8 C:\WINDOWS\$NtUninstallKB23779$\877762381\U\@000000cb
2012-04-02 10:56:25: At item: 9 C:\WINDOWS\$NtUninstallKB23779$\877762381\U\@000000cf
2012-04-02 10:56:25: At item: 10 C:\WINDOWS\$NtUninstallKB23779$\877762381\U\@80000000
2012-04-02 10:56:25: At item: 11 C:\WINDOWS\$NtUninstallKB23779$\877762381\U\@800000c0
2012-04-02 10:56:25: At item: 12 C:\WINDOWS\$NtUninstallKB23779$\877762381\loader.tlb
2012-04-02 10:56:25: At item: 13 C:\WINDOWS\$NtUninstallKB23779$\877762381
2012-04-02 10:56:25: At item: 14 C:\WINDOWS\$NtUninstallKB23779$\877762381\L
2012-04-02 10:56:25: At item: 15 C:\WINDOWS\$NtUninstallKB23779$\877762381\U
2012-04-02 10:56:25: At item: 16 C:\WINDOWS\$NtUninstallKB23779$\877762381\U\@800000cb
2012-04-02 10:56:25: At item: 17 C:\WINDOWS\$NtUninstallKB23779$\877762381\U\@800000cf
2012-04-02 10:56:25: .... Skipping folder.
2012-04-02 10:56:25: ... Delete file: C:\WINDOWS\$NtUninstallKB23779$\3685830877
2012-04-02 10:56:25: !... File does not exist. Cannot be deleted.
2012-04-02 10:56:25: ... Delete file: C:\WINDOWS\$NtUninstallKB23779$\877762381\@
2012-04-02 10:56:25: !... File does not exist. Cannot be deleted.
2012-04-02 10:56:25: ... Delete file: C:\WINDOWS\$NtUninstallKB23779$\877762381\loader.tlb
2012-04-02 10:56:25: .... File exists... Deleting returns 0
2012-04-02 10:56:25: !!.. File did not delete.
2012-04-02 10:56:25: ... Delete file: C:\WINDOWS\$NtUninstallKB23779$\877762381\L\akygdmgo
2012-04-02 10:56:25: !... File does not exist. Cannot be deleted.
2012-04-02 10:56:25: ... Delete file: C:\WINDOWS\$NtUninstallKB23779$\877762381\U\@00000001
2012-04-02 10:56:25: !... File does not exist. Cannot be deleted.
2012-04-02 10:56:25: ... Delete file: C:\WINDOWS\$NtUninstallKB23779$\877762381\U\@000000c0
2012-04-02 10:56:25: !... File does not exist. Cannot be deleted.
2012-04-02 10:56:25: ... Delete file: C:\WINDOWS\$NtUninstallKB23779$\877762381\U\@000000cb
2012-04-02 10:56:25: !... File does not exist. Cannot be deleted.
2012-04-02 10:56:25: ... Delete file: C:\WINDOWS\$NtUninstallKB23779$\877762381\U\@000000cf
2012-04-02 10:56:25: !... File does not exist. Cannot be deleted.
2012-04-02 10:56:25: ... Delete file: C:\WINDOWS\$NtUninstallKB23779$\877762381\U\@80000000
2012-04-02 10:56:25: !... File does not exist. Cannot be deleted.
2012-04-02 10:56:25: ... Delete file: C:\WINDOWS\$NtUninstallKB23779$\877762381\U\@800000c0
2012-04-02 10:56:25: !... File does not exist. Cannot be deleted.
2012-04-02 10:56:25: .... Skipping folder.
2012-04-02 10:56:25: .... Skipping folder.
2012-04-02 10:56:25: .... Skipping folder.
2012-04-02 10:56:25: .... Skipping folder.
2012-04-02 10:56:25: ... Delete file: C:\WINDOWS\$NtUninstallKB23779$\877762381\U\@800000cb
2012-04-02 10:56:25: !... File does not exist. Cannot be deleted.
2012-04-02 10:56:25: ... Delete file: C:\WINDOWS\$NtUninstallKB23779$\877762381\U\@800000cf
2012-04-02 10:56:25: !... File does not exist. Cannot be deleted.
2012-04-02 10:56:25: ... Done with files, now folders
2012-04-02 10:56:25: ... Processing folder: C:\WINDOWS\$NtUninstallKB23779$\877762381\U
2012-04-02 10:56:25: ... Processing folder: C:\WINDOWS\$NtUninstallKB23779$\877762381\L
2012-04-02 10:56:25: ... Processing folder: C:\WINDOWS\$NtUninstallKB23779$\877762381
2012-04-02 10:56:25: !... Delete folder failed.
2012-04-02 10:56:25: ... Processing folder: C:\WINDOWS\$NtUninstallKB23779$\877762381\loader.tlb
2012-04-02 10:56:25: .... Folder is gone.
2012-04-02 10:56:25: ... Processing folder: C:\WINDOWS\$NtUninstallKB23779$\877762381
2012-04-02 10:56:25: !... Delete folder failed.
2012-04-02 10:56:25: ... Done with folders.
2012-04-02 11:05:40: All DONE