Author Topic: Reported threat hidden or non-existant  (Read 18777 times)

0 Members and 1 Guest are viewing this topic.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Reported threat hidden or non-existant
« Reply #15 on: September 09, 2010, 09:04:23 PM »
That looks OK lets sweep for orphans now.  The error was CF related and is to do with win 2K 

On completion can you let me know what problems you have

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

CarlS

  • Guest
Re: Reported threat hidden or non-existant
« Reply #16 on: September 09, 2010, 10:09:49 PM »
OK, it ran and didn't find anything according the log.

--Carl

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Reported threat hidden or non-existant
« Reply #17 on: September 09, 2010, 11:29:48 PM »
OK lets tidy you up now

Looking at that I am a happy bunny  :)

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

 Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself so..The following will implement some cleanup procedures.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Quote
    :Commands
    [resethosts]
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

Click Start > Run  and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button.  It will remove all the programmes we have used plus itself.  MBAM can be uninstalled via control panel add/remove along with ERUNT.  But they may be useful tools to keep

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.


SPRING CLEAN
 
Download and run Puran Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes: It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit To learn more about how to protect yourself while on the internet read our little guide  How did I get infected in the first place ?
Keep safe  :wave:

CarlS

  • Guest
Re: Reported threat hidden or non-existant
« Reply #18 on: September 10, 2010, 02:52:10 AM »
I just used Avast! to re-scan the C:\WINNT\system32\drivers folder.
It is still reporting the original threat at C:\WINNT\system32\drivers\knlps\nul\usr\bin\_0_scl.exe.
It still says it can not find the file when I try to apply an action to the threat.

I checked with Windows Explorer and saw that the knlps folder is now visible in the system32\driver folder.
When I first reported the problem, the knlps folder could not be seen at all.

The nul folder is visible inside the knlps folder, but it is not accessible (Access denied).

I could not delete the knlps folder because it is not empty.

I was able to rename the knlps to knlps2, but that did help anything.

Further ideas?

Thanks,
--Carl

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Reported threat hidden or non-existant
« Reply #19 on: September 10, 2010, 08:57:45 PM »
Hmm I thought CF killed that - but as it is visible this should kill it

Please download OTM 
  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
     
Code: [Select]

:Files
C:\WINNT\system32\drivers\knlps2

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[Reboot]
  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
     
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


CarlS

  • Guest
Re: Reported threat hidden or non-existant
« Reply #20 on: September 11, 2010, 03:05:20 AM »
I downloaded and ran OTM.

As soon as information was shown in the Results window, a dialog box appeared saying OTM needed to reboot the system.  Closing the box rebooted the system just as though I had hit the OK button.  As a result, I was unable to get the contents of the Results window.

After the system rebooted, the attached file was produced.

Windows Explorer still cannot see the contents of the nul folder.

--Carl

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Reported threat hidden or non-existant
« Reply #21 on: September 11, 2010, 11:17:18 AM »
Dang it 

Redownload Combofix when you run this you will lose your desktop until reboot

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Quote
KillAll::

Folder::
C:\WINNT\system32\drivers\knlps2\nul
C:\WINNT\system32\drivers\knlps2



3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.




6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt .

CarlS

  • Guest
Re: Reported threat hidden or non-existant
« Reply #22 on: September 11, 2010, 01:29:00 PM »
OK, I ran ComboFix again and got the attached log file.
The nul folder (and it's hidden contents) is still there inside the knlps2 folder.

Thanks,
--Carl

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Reported threat hidden or non-existant
« Reply #23 on: September 11, 2010, 02:34:29 PM »
OK lets try a batch command from safe mode

Boot into safe mode and create the following batch file 

Quote
@echo off
attrib -s -r -h "C:\WINNT\system32\drivers\knlps2\nul\*.*"
del /q "C:\WINNT\system32\drivers\knlps2\nul\*.*"
attrib -s -r -h "C:\WINNT\system32\drivers\knlps2\*.*"
del /q "C:\WINNT\system32\drivers\knlps2\*.*"
attrib -s -r -h "C:\WINNT\system32\drivers\knlps2
DELTREE "C:\WINNT\system32\drivers\knlps2"
exit
Next you will need to create the batch fix to do that copy and paste ALL of the above in the quote box to a notepad file. 
Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.bat

This will create a batch file

Then run fix.bat by double clicking you may see a black box appear this is normal

CarlS

  • Guest
Re: Reported threat hidden or non-existant
« Reply #24 on: September 12, 2010, 12:28:00 AM »
I had trouble getting into Save mode.
Holding down the F8 key at bootup had no effect - I never saw the window for choosing Save mode.
I killed the power on the machine to force it to show that window on reboot, but when the window came up, it wouldn't accept the Enter key, or respond to the arrow keys to switch modes.
It's possible that the F8 was still stored in the keyboard buffer, blocking the other keystrokes.
It's also possible that the USB KVM switch I'm using wasn't initialized yet, so I'll be unplugging it and running the mouse and keyboard straight into the computer the old fashioned way.

I did try running the bat file inNormal mode, and piped the log into the attached text file.

--Carl

CarlS

  • Guest
Re: Reported threat hidden or non-existant
« Reply #25 on: September 12, 2010, 02:52:08 AM »
I was able to get into Safe mode after removing the USB KVM switch from the system.

I reran fix.bat and got the same results as before:
Quote
File not found - C:\WINNT\system32\drivers\knlps2\nul\*.*
File not found - C:\WINNT\system32\drivers\knlps2\*.*
Parameter format not correct -

Further ideas?

Thanks,
--Carl

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Reported threat hidden or non-existant
« Reply #26 on: September 12, 2010, 12:39:03 PM »
Never give up is my motto - trying variations on theme will work.  I will need to recheck my win2K formating as it does not appear to like the wild card  


1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Quote
KillAll::

Rootkit::
C:\WINNT\system32\drivers\knlps\nul\usr\bin\_0_scl.exe

Files::
C:\WINNT\system32\drivers\knlps2\nul\usr\bin\*.*
C:\WINNT\system32\drivers\knlps2\nul\usr\*.*
C:\WINNT\system32\drivers\knlps2\nul\*.*
C:\WINNT\system32\drivers\knlps2\*.*

Folder::
C:\WINNT\system32\drivers\knlps2\nul\usr\bin
C:\WINNT\system32\drivers\knlps2\nul\usr
C:\WINNT\system32\drivers\knlps2\nul
C:\WINNT\system32\drivers\knlps2


3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.




6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt .

CarlS

  • Guest
Re: Reported threat hidden or non-existant
« Reply #27 on: September 12, 2010, 04:01:26 PM »
I ran ComboFix twice, once in Normal mode and once in Safe mode and am attaching the log files.

Just in case it affected the results:
After running ComboFix in Normal mode, I cleaned some of the items off the desktop to make it easier to navigate in Safe mode.

The unreadable nul folder is still there inside knlps2.

Thanks,
--Carl

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Reported threat hidden or non-existant
« Reply #28 on: September 12, 2010, 05:18:44 PM »
OK lets go for a kernel mode deletion, and we cannot get any lower than that unless we work outside of windows

1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Quote
Begin copying here:

Folders to delete:
C:\WINNT\system32\drivers\knlps2

Note: the above code was created specifically for this user.  If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • After the restart, it creates a log file that should open with the results of Avenger’s actions.  This log file will be located at  C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply

CarlS

  • Guest
Re: Reported threat hidden or non-existant
« Reply #29 on: September 12, 2010, 07:02:30 PM »
OK, I ran Avenger.
The threat has been moved from the system32 folder structure.
It is now at C:\Avenger\knlps2\nul\usr\bin\_0_scl.exe.

I'm attaching the log from Avenger.

Thanks,
--Carl