Avast WEBforum

Other => Viruses and worms => Topic started by: CarlS on September 06, 2010, 02:12:58 AM

Title: Reported threat hidden or non-existant
Post by: CarlS on September 06, 2010, 02:12:58 AM

Hello,

I'm using Avast Pro on an old Athalon machine which is running Windows 2000 Pro.

The following Win32 Trojan-gen threat is being reported:
C:\WINNT\system32\drivers\knlps\nul\usr\bin\_0_scl.exe

When I try to apply any action to the file, Avast says it can not find the file.
Checking with Windows Explorer shows there is no knlps folder in the system32\drivers folder.

I tried doing a forum search on "knlps" and found nothing, so figured the best thing to do ask about it.

Thanks in advance,
--Carl

Title: Re: Reported threat hidden or non-existant
Post by: polonus on September 06, 2010, 02:33:35 AM

Hi CarlS,

Download: http://www.f-secure.com/blacklight/try.shtml
Unpack into an new folder you create for it, start it, choose " I accept the agreement", and then "scan", wait until it has scanned the computer, click "next" & "exit". There will be a TXT file in the folder, where Blacklight resides, attach that file to your next reply please,
also send all that is in this folder, C:\WINNT\system32\drivers\knlps\nul\usr\bin to avast, together with all the files with extension .ren from the file C:\WINNT\system32\wbem
It is a rootkit driver..Also perform an additional scan with, see gmer: http://www.gmer.net/

polonus

Title: Re: Reported threat hidden or non-existant
Post by: CarlS on September 06, 2010, 05:45:44 PM

Hi Polonus, thanks for the response.

I downloaded and ran Blacklight, and it exited saying it was unable to run. There was no TXT file created.

I tried GMER. It found problems, then said it had to shut down GMER and my computer. When I tried to turn off the computer, it said I didn't have the authority.
I shut down the power, then got a BSOD on re-boot.

--Carl

Title: Re: Reported threat hidden or non-existant
Post by: polonus on September 06, 2010, 05:58:52 PM

Hi CarlS,

This should be fixed first with for instance Freefixer tool...
O23 - Service: ClipBook (ClipSrv) - Unknown owner - C:\WINNT\system32\wbem\clipsvr.exe (file missing)
O23 - Service: Network DDE (NetDDE) - Unknown owner - C:\WINNT\system32\wbem\netdde32.exe (file missing)
Then the rootkit tool should have found up something similar as this, see attached filer:
Wait for essexboy to appear and instruct you for eliminating this hidden rootkit driver, you may have to rename certain tools as the malware would not allow it to run under it's real name,

polonus

Title: Re: Reported threat hidden or non-existant
Post by: CarlS on September 06, 2010, 08:48:06 PM

I was able to get the machine to re-boot.

I downloaded and ran FreeFixer

Quote

Hidden processes
The following processes appears to be hidden. Please consult the manual for more infomation on how the detection of hidden processes works.

- clipsvr.exe 520
- netdde32.exe 660
- _0_bbt.exe 772
- _0_mbt.exe 780
- netdde32.exe 864
- _0_stunnel.exe 880
- _0_stunnel.exe 888

FreeFixer is giving me the option to delete each of these, but I don't want to delete something my machine might need.

Thanks,
--Carl

Title: Re: Reported threat hidden or non-existant
Post by: essexboy on September 06, 2010, 09:35:52 PM

Hi lets have a look to see what is happening

Please download MBRCheck.exe (http://ad13.geekstogo.com/MBRCheck.exe) to your desktop.

Be sure to disable your security programs (http://forums.whatthetech.com/index.php?showtopic=96260)
Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
A window similar to this should open on your desktop:

(http://i677.photobucket.com/albums/vv132/RPMcMurphy_album_photos/mbrcheck.png)

If you are prompted with options, enter N at the prompt and press Enter[/i]
Press Enter[/i] again
A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your deskop. Please post the contents of that file.

THEN

(http://www.geekstogo.com/misc/guide_icons/OTLI.gif) OTL - Download (http://oldtimer.geekstogo.com/OTL.exe) or alternative link here (http://www.itxassociates.com/OT-Tools/OTL.exe) and here (http://www.itxassociates.com/OT-Tools/OTL.com) to your desktop

Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
Select All Users
Under the Custom Scan box paste this in

netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\System32\Wbem\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Please attach all logs

Title: Re: Reported threat hidden or non-existant
Post by: CarlS on September 07, 2010, 12:15:30 AM

Hi essexboy.

I ran MBRCheck and OTL and am attaching the output files.

Thanks,
--Carl

Title: Re: Reported threat hidden or non-existant
Post by: essexboy on September 07, 2010, 09:38:10 PM

Hi as you are running 2000 there are a limited amount of tools that will work

However

Quote

Windows NT Clipboard DDE Server. Windows NT4/2000/XP/2003 service, installed by default as an Automatic service under Windows NT4 but as a Manual service from Windows 2000 onward. It enables ClipBook Viewer to store information and share it with remote computers.

But it is in the wrong folder, this is an old rootkit from the days of yore

However I believe combofix still works on 2000

Download ComboFix from one of these locations:

Link 1 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

(http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif)

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(http://img.photobucket.com/albums/v706/ried7/whatnext.png)

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Title: Re: Reported threat hidden or non-existant
Post by: CarlS on September 08, 2010, 12:34:05 AM

I ran ComboFix and am attaching the output file.

Thanks,
--Carl

Title: Re: Reported threat hidden or non-existant
Post by: essexboy on September 08, 2010, 09:17:25 PM

Combofix will make a backup and quarantine these files and registry entries

1. Please open Notepad

Click Start , then Run
Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Quote

KillAll::

File::
c:\winnt\system32\wbem\clipsvr.exe
c:\winnt\system32\wbem\netdde32.exe
c:\winnt\system32\DarkSpyKernel.sys

Folder::
c:\winnt\system32\drivers\knlps

Driver::
ClipSrv
NetDDE
NetDDEdsdm

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ClipSrv]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDE]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDEdsdm]

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

Combofix.txt .

Title: Re: Reported threat hidden or non-existant
Post by: CarlS on September 08, 2010, 11:31:02 PM

I ran ComboFix as you said and am attaching the output file.

An error message appeared during reboot:

Quote

Registry Editor
Cannot import creg.dat. Error accessing registry.

Title: Re: Reported threat hidden or non-existant
Post by: polonus on September 08, 2010, 11:35:19 PM

Hi CarlS,

If at the end of the day, that is when essexboy's malware elimination has been finished, find that you cannot successfully uninstall ComboFix, just Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
When shown the disclaimer, Select "2"

polonus

Title: Re: Reported threat hidden or non-existant
Post by: essexboy on September 08, 2010, 11:57:49 PM

Could you now reboot the system and let me know if that error re-occurs, then run a fresh quick scan OTL log please

Title: Re: Reported threat hidden or non-existant
Post by: CarlS on September 09, 2010, 12:32:48 AM

Just to be clear, I should mention the error reading creg.dat occurred after ComboFix had rebooted the system. When it came back up, ComboFix was still running and writing the output file. Then the error window appeared. Since the system was waiting for a response, I clicked the OK button and ComboFix resumed running.

Unless I hear otherwise, I'll do as you suggested, re-booting the system, then re-running OTL and attach the log file.

--Carl

Title: Re: Reported threat hidden or non-existant
Post by: CarlS on September 09, 2010, 01:20:37 AM

I rebooted the system and the error did not occur.
I reran OTL, pasting the same commands into the Custom Scan box that were used the first time.
I'm attaching the log.

Thanks,
--Carl

Title: Re: Reported threat hidden or non-existant
Post by: essexboy on September 09, 2010, 09:04:23 PM

That looks OK lets sweep for orphans now. The error was CF related and is to do with win 2K

On completion can you let me know what problems you have

(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Please download Malwarebytes' Anti-Malware from Here (http://www.malwarebytes.org/mbam-download.php).

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Title: Re: Reported threat hidden or non-existant
Post by: CarlS on September 09, 2010, 10:09:49 PM

OK, it ran and didn't find anything according the log.

--Carl

Title: Re: Reported threat hidden or non-existant
Post by: essexboy on September 09, 2010, 11:29:48 PM

OK lets tidy you up now

Looking at that I am a happy bunny :)

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so..The following will implement some cleanup procedures.

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following

Quote
:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Do not show hidden files and folders.
Click Yes to confirm.
Click OK.

SPRING CLEAN

Download and run Puran Disc Defragmenter (http://www.puransoftware.com/Puran-Defrag-Download.html)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) to help prevent spyware from installing in the first place.
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Malwarebytes (http://www.malwarebytes.org/mbam-download.php). Run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

Microsoft Windows Update (http://windowsupdate.microsoft.com)

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe :wave:

Title: Re: Reported threat hidden or non-existant
Post by: CarlS on September 10, 2010, 02:52:10 AM

I just used Avast! to re-scan the C:\WINNT\system32\drivers folder.
It is still reporting the original threat at C:\WINNT\system32\drivers\knlps\nul\usr\bin\_0_scl.exe.
It still says it can not find the file when I try to apply an action to the threat.

I checked with Windows Explorer and saw that the knlps folder is now visible in the system32\driver folder.
When I first reported the problem, the knlps folder could not be seen at all.

The nul folder is visible inside the knlps folder, but it is not accessible (Access denied).

I could not delete the knlps folder because it is not empty.

I was able to rename the knlps to knlps2, but that did help anything.

Further ideas?

Thanks,
--Carl

Title: Re: Reported threat hidden or non-existant
Post by: essexboy on September 10, 2010, 08:57:45 PM

Hmm I thought CF killed that - but as it is visible this should kill it

Please download OTM (http://oldtimer.geekstogo.com/OTM.exe)

Save it to your desktop.
Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code: [Select]

 
:Files 
C:\WINNT\system32\drivers\knlps2

:Commands 
[purity] 
[resethosts] 
[emptytemp] 
[EMPTYFLASH] 
[Reboot]

Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Title: Re: Reported threat hidden or non-existant
Post by: CarlS on September 11, 2010, 03:05:20 AM

I downloaded and ran OTM.

As soon as information was shown in the Results window, a dialog box appeared saying OTM needed to reboot the system. Closing the box rebooted the system just as though I had hit the OK button. As a result, I was unable to get the contents of the Results window.

After the system rebooted, the attached file was produced.

Windows Explorer still cannot see the contents of the nul folder.

--Carl

Title: Re: Reported threat hidden or non-existant
Post by: essexboy on September 11, 2010, 11:17:18 AM

Dang it

Redownload Combofix when you run this you will lose your desktop until reboot

1. Please open Notepad

Click Start , then Run
Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Quote

KillAll::

Folder::
C:\WINNT\system32\drivers\knlps2\nul
C:\WINNT\system32\drivers\knlps2

Combofix.txt .

Title: Re: Reported threat hidden or non-existant
Post by: CarlS on September 11, 2010, 01:29:00 PM

OK, I ran ComboFix again and got the attached log file.
The nul folder (and it's hidden contents) is still there inside the knlps2 folder.

Thanks,
--Carl

Title: Re: Reported threat hidden or non-existant
Post by: essexboy on September 11, 2010, 02:34:29 PM

OK lets try a batch command from safe mode

Boot into safe mode and create the following batch file

Quote

@echo off
attrib -s -r -h "C:\WINNT\system32\drivers\knlps2\nul\*.*"
del /q "C:\WINNT\system32\drivers\knlps2\nul\*.*"
attrib -s -r -h "C:\WINNT\system32\drivers\knlps2\*.*"
del /q "C:\WINNT\system32\drivers\knlps2\*.*"
attrib -s -r -h "C:\WINNT\system32\drivers\knlps2
DELTREE "C:\WINNT\system32\drivers\knlps2"
exit

Next you will need to create the batch fix to do that copy and paste ALL of the above in the quote box to a notepad file.
Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.bat

This will create a batch file (http://img524.imageshack.us/img524/9383/batmp6.jpg) (http://imageshack.us)

Then run fix.bat by double clicking you may see a black box appear this is normal

Title: Re: Reported threat hidden or non-existant
Post by: CarlS on September 12, 2010, 12:28:00 AM

I had trouble getting into Save mode.
Holding down the F8 key at bootup had no effect - I never saw the window for choosing Save mode.
I killed the power on the machine to force it to show that window on reboot, but when the window came up, it wouldn't accept the Enter key, or respond to the arrow keys to switch modes.
It's possible that the F8 was still stored in the keyboard buffer, blocking the other keystrokes.
It's also possible that the USB KVM switch I'm using wasn't initialized yet, so I'll be unplugging it and running the mouse and keyboard straight into the computer the old fashioned way.

I did try running the bat file inNormal mode, and piped the log into the attached text file.

--Carl

Title: Re: Reported threat hidden or non-existant
Post by: CarlS on September 12, 2010, 02:52:08 AM

I was able to get into Safe mode after removing the USB KVM switch from the system.

I reran fix.bat and got the same results as before:

Quote

File not found - C:\WINNT\system32\drivers\knlps2\nul\*.*
File not found - C:\WINNT\system32\drivers\knlps2\*.*
Parameter format not correct -

Further ideas?

Thanks,
--Carl

Title: Re: Reported threat hidden or non-existant
Post by: essexboy on September 12, 2010, 12:39:03 PM

Never give up is my motto - trying variations on theme will work. I will need to recheck my win2K formating as it does not appear to like the wild card

1. Please open Notepad

Click Start , then Run
Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Quote

KillAll::

Rootkit::
C:\WINNT\system32\drivers\knlps\nul\usr\bin\_0_scl.exe

Files::
C:\WINNT\system32\drivers\knlps2\nul\usr\bin\*.*
C:\WINNT\system32\drivers\knlps2\nul\usr\*.*
C:\WINNT\system32\drivers\knlps2\nul\*.*
C:\WINNT\system32\drivers\knlps2\*.*

Folder::
C:\WINNT\system32\drivers\knlps2\nul\usr\bin
C:\WINNT\system32\drivers\knlps2\nul\usr
C:\WINNT\system32\drivers\knlps2\nul
C:\WINNT\system32\drivers\knlps2

Combofix.txt .

Title: Re: Reported threat hidden or non-existant
Post by: CarlS on September 12, 2010, 04:01:26 PM

I ran ComboFix twice, once in Normal mode and once in Safe mode and am attaching the log files.

Just in case it affected the results:
After running ComboFix in Normal mode, I cleaned some of the items off the desktop to make it easier to navigate in Safe mode.

The unreadable nul folder is still there inside knlps2.

Thanks,
--Carl

Title: Re: Reported threat hidden or non-existant
Post by: essexboy on September 12, 2010, 05:18:44 PM

OK lets go for a kernel mode deletion, and we cannot get any lower than that unless we work outside of windows

1. Please download The Avenger2 (http://swandog46.geekstogo.com/avenger2/download.php) by Swandog46 to your Desktop.

Right click on the Avenger.zip folder and select "Extract All..."
Follow the prompts and extract the avenger folder to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Quote

Begin copying here:

Folders to delete:
C:\WINNT\system32\drivers\knlps2

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

Right click on the window under Input script here:, and select Paste.
You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
Click on Execute
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply

Title: Re: Reported threat hidden or non-existant
Post by: CarlS on September 12, 2010, 07:02:30 PM

OK, I ran Avenger.
The threat has been moved from the system32 folder structure.
It is now at C:\Avenger\knlps2\nul\usr\bin\_0_scl.exe.

I'm attaching the log from Avenger.

Thanks,
--Carl

Title: Re: Reported threat hidden or non-existant
Post by: essexboy on September 12, 2010, 07:11:55 PM

OK so it needs to be removed at the kernel level - lets now get it off your system

Download OTC (http://oldtimer.geekstogo.com/OTC.exe) to your desktop and run it
Click Yes to beginning the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Could you now confirm it really has gone ;D

Title: Re: Reported threat hidden or non-existant
Post by: CarlS on September 12, 2010, 07:34:33 PM

I ran OTC and rebooted the system per your instructions.
The threat is still there in the C:\Avenger folder.

--Carl

Title: Re: Reported threat hidden or non-existant
Post by: essexboy on September 12, 2010, 09:06:59 PM

If you could now delete the Avenger folder please

Title: Re: Reported threat hidden or non-existant
Post by: CarlS on September 12, 2010, 09:30:27 PM

It can not be deleted.
When I select C:Avenger and press delete, a window titled "Error Deleting File or Folder" opens saying "Cannot delet nul: The parameter is incorrect".

--Carl

Title: Re: Reported threat hidden or non-existant
Post by: essexboy on September 12, 2010, 09:31:43 PM

Can you rename the nul subfolder ?

Title: Re: Reported threat hidden or non-existant
Post by: CarlS on September 12, 2010, 09:47:47 PM

The same window opens saying "Cannot rename nul: The parameter is incorrect"

Title: Re: Reported threat hidden or non-existant
Post by: essexboy on September 12, 2010, 10:08:33 PM

OK sussed out why - that is a reserved name within 2k and as such windows will not allow you to delete it

I will have to do more investigation for a work around. But it is not active since we deleted the control sets

Title: Re: Reported threat hidden or non-existant
Post by: essexboy on September 12, 2010, 10:15:50 PM

And as I speak I have found an old MS article about deleting reserved names lets give this a go

Type the following at either a command prompt in safe mode or from the run command

RD \\.\c:\Place here the path to the nul folder in avenger

Title: Re: Reported threat hidden or non-existant
Post by: CarlS on September 12, 2010, 10:30:07 PM

I entered the following from the Run command:

Quote

RD \\.\c:\Avenger\knlps2\nul

A window opened saying:

Quote

Cannot find the file 'RD' (or one of its components). Make sure the path and filename are correct and that all required libraries are available.

--Carl

Title: Re: Reported threat hidden or non-existant
Post by: CarlS on September 12, 2010, 10:59:22 PM

For a test case, I made the following folder structure:
C:\TempFolder\TEMP

I then opened a cmd window and entered:
RD \\.\c:\TempFolder\TEMP

That worked.

I then tried:
RD \\.\c:\Avenger\knlps2\nul

The response was:
Access is denied.

I then tried:
RD \\.\c:\Avenger\knlps2

The response was:
The directory is not empty.

--Carl

Title: Re: Reported threat hidden or non-existant
Post by: essexboy on September 12, 2010, 11:29:30 PM

Back to the drawing board - more research here I feel. Can you delete the files within the nul folder ?

Title: Re: Reported threat hidden or non-existant
Post by: CarlS on September 12, 2010, 11:58:34 PM

I can not see or delete anything within the nul folder.
I can only see the directory and file structure in the Avast threat report, but when I try to apply an action, Avast says it can not find the file.

Are the usr and bin folder names reserved by windows like nul?
If so, that may be complicating the situation.

--Carl - appreciating all the effort on this

Title: Re: Reported threat hidden or non-existant
Post by: essexboy on September 13, 2010, 09:14:56 PM

OK lets now use Combofix with the reserved name indicator and see if that can do it

Download ComboFix from one of these locations:

Link 1 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

1. Please open Notepad

Click Start , then Run
Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Quote

KillAll::

Folder::
\\.\c:\Avenger\knlps\nul\usr\bin
\\.\c:\Avenger\knlps2\nul\usr
\\.\c:\Avenger\knlps2\nul

Combofix.txt .

Title: Re: Reported threat hidden or non-existant
Post by: CarlS on September 14, 2010, 05:40:41 AM

OK, tried that, attaching the log file.

The folder structure is still there.

--Carl

Title: Re: Reported threat hidden or non-existant
Post by: essexboy on September 14, 2010, 09:21:40 PM

One more run with Combofix to see if it will delete Avenger, after this the only other option is to remove it from outside windows either via Linux or a Bart disc

1. Please open Notepad

Click Start , then Run
Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Quote

KillAll::

Folder::
c:\Avenger

Combofix.txt .

Title: Re: Reported threat hidden or non-existant
Post by: CarlS on September 15, 2010, 03:32:01 AM

I ran ComboFix as directed and am attaching the log file.
The inaccessible nul folder is still there.

Two questions:
What would be involved in removing it from outside Windows?
What actual danger does the threat pose now that we deleted its control sets?

--Carl

Title: Re: Reported threat hidden or non-existant
Post by: essexboy on September 15, 2010, 10:07:10 PM

At the moment it is just an embuggerance - However, I am talking with a win2k expert at the moment and he is trying various routes

There will be no danger deleting it outside windows you will just need to create a boot cd to access the file system

Title: Re: Reported threat hidden or non-existant
Post by: CarlS on September 16, 2010, 01:07:29 PM

Thanks, I'll definitely want to remove the folders, embuggerance or no.

I've made some progress at this end.
I ran the FileAssassin utility included in the AntiMalware program.
I was able to see and navigate the hidden structure and files.
I deleted all of the files in the bin folder.
I was able to rename the usr and bin folders to usr2 and bin2.

The usr2\bin2 folder structure (with no files) is stuck in my Recycle Bin.
When I try to do a final delete, I am told "access denied, file may be in use".

The C:\Avenger\knlps2\nul folder structure (with no files) is still present, access denied on the nul folder.

I ran a Quick Scan with Avast and found 1 malware threat:
C:\WINNT\system32\spool\drivers\w32x86\3\hpzstv01.exe
I was able to move the threat to the Chest with no problems.

I'm going to try re-booting the system to see if I can clear the Recycle Bin, then start a Full System Scan with Avast before I head off to work.

Will let you know how it turns out,
--Carl

Title: Re: Reported threat hidden or non-existant
Post by: essexboy on September 16, 2010, 09:25:58 PM

Yes please - I have a student running another problem on a win2k system and that is being a nightmare as well ;D

Title: Re: Reported threat hidden or non-existant
Post by: CarlS on September 16, 2010, 09:49:41 PM

I'm still at work so it will be a few hours before I know how the Full System Scan turned out, but I can tell you now that rebooting did not help with being able to clear the usr2 folder from the Recycle Bin. I was hoping the "access denied, file may be in use" meant that it was associated with the FileAssassin, but that was not the case.

--Carl - wishing the student luck ;D

Title: Re: Reported threat hidden or non-existant
Post by: polonus on September 16, 2010, 09:54:58 PM

Hi CarlS,

Yes a very interesting case we have here, so we have learned a lot, all of us, thanks to essexboy for guiding us all through the elimination process and you for hanging in,

polonus

Title: Re: Reported threat hidden or non-existant
Post by: CarlS on September 17, 2010, 12:54:23 AM

Well thanks polonus and essexboy for all your assistance on this matter. :)

The Full System Scan was finished when I got home from work.
The Scan Results said "Some files could not be scanned."
File name is "Disk Boot Record".
Error is "The filename, directory name, or volume label syntax is incorrect(123)"

On the bright side, no threats were found, though the immovable folders are still there.

Thanks,
--Carl