Solved Inaccessible, strange %windir%\$NtUninstallKBxxxxx$ Folder

February 17, 2012 at 23:51:48
Specs: Windows XP

Recently I encountered the same strange problem on two different (and never networked or otherwise connected) PCs:

%windir% contains a folder "$NtUninstallKBxxxxx$" which is not accessible by any means. Obviously it's purposefully made to look like a regular Windows Update folder, but it's really NOT.
The "KBxxxxx" contains random numbers which, when put into Google, show that no KB article with those numbers exists, so it's obviously fake.

I can view the properties of the folder; it's got no security tab at all. The attributes are "hsdc", and Windows reports 0 bytes being used by the folder. If I want to view the contents, it's always "access denied". I tried everything to delete it: cmd tricks, various tools, Linux Live CD, BartPE CD, nothing works. Strangely, from a Knoppix boot, the directory doesn't even show up! From a BartPE boot I can see it, but it gives the same "access denied" errors as in regular Windows (XP/W2k3).

As I said, this happened to me on two unrelated PCs in the last two weeks. One of them was heavily infected with viruses and had to be reformatted (XP). The other one is my main PC and it has this same problem (the folder having a different, obviously random 'KBxxxxx' number), and so far that PC shows no signs of virus activity after most thorough scans with many tools, just that ominous inaccessible folder.

Would be most grateful for any suggestions!
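As an added example (not from this thread or any of its posters), the following PowerShell check is one way a defender could triage folders like the one described above: it lists every $NtUninstall*$ directory under %windir%, records its attributes, tests whether its contents can be listed, and checks whether a hotfix uninstall entry with the same KB name exists under the usual XP/2003 hotfix uninstall registry key. The registry location is assumed here as a heuristic, and a folder is only flagged for closer inspection, not declared malicious.

```powershell
# Added example, not code from the thread. Assumes Windows PowerShell 2.0 or later
# and the usual hotfix uninstall registry location on XP/2003 (heuristic only).
$windir = $env:windir
$uninstallKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'

Get-ChildItem -Path $windir -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and $_.Name -like '$NtUninstall*$' } |
    ForEach-Object {
        $dir = $_
        # Text between the leading "$NtUninstall" (12 chars) and the trailing "$", e.g. KB123456
        $kb = $dir.Name.Substring(12, $dir.Name.Length - 13)

        # A genuine uninstall folder can be listed; "access denied" here is the symptom in the thread
        $listable = $true
        try {
            $null = Get-ChildItem -LiteralPath $dir.FullName -Force -ErrorAction Stop
        } catch {
            $listable = $false
        }

        # Installed hotfixes normally register an uninstall entry named after the KB (assumed heuristic)
        $registered = Test-Path -LiteralPath (Join-Path $uninstallKey $kb)

        New-Object PSObject -Property @{
            Folder         = $dir.Name
            Attributes     = $dir.Attributes
            Listable       = $listable
            InUninstallKey = $registered
            Suspicious     = (-not $listable) -or (-not $registered)
        }
    } | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it from an administrator session on the affected machine. A folder that is listable but has no matching registry entry can simply mean a hotfix's uninstall information was removed, so treat the Suspicious column as a prompt for a closer look (the "hsdc" attributes and 0-byte size mentioned above are the other indicators worth comparing) rather than as a verdict.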

February 18, 2012 at 20:23:25
✔ Best Answer

February 19, 2012 at 10:36:20
Thanks for that link! It seems indeed that ominous undeletable folder is part of something called 'Zero access rootkit'. I scanned with all the tools mentioned on that page but none of them reported the actual virus on my system.

The only explanation I have for that is that I remember maybe two months ago I downloaded and executed something a bit fishy. When I executed the file, nothing happened on screen, I immediately became suspicious and quickly hit the reset button on my PC, booted with a BartPE CD and did a scan with DrWeb and Avira. There was a dubious file ready to autorun next boot, I removed that and started normally, did a few other scans with Malwarebytes, Spybot, etc. with nothing evil coming up. The PC has run normally all the time ever since.

So my suspicion is that it was that "zero access rootkit" trying to infect my system but I interrupted the infection early enough. Now the only nuisance is that I seem stuck with that undeletable (but apparently otherwise harmless) folder under my Windows directory.

I guess doing a full Acronis backup, reformatting the drive, then instead of restoring the backup, mounting it on another machine and robocopying everything onto the freshly formatted HD over the network (of course excluding the ominous directory) should do the trick?

Thanks again for pointing me in the right direction!

February 19, 2012 at 17:36:57

I didn't contribute to this thread but thanks for popping back with feedback.
Yes, what you propose should do the trick.

