Topic: Reported threat hidden or non-existent

CarlS

  • Guest
Re: Reported threat hidden or non-existent
« Reply #45 on: September 15, 2010, 03:32:01 AM »
I ran ComboFix as directed and am attaching the log file.
The inaccessible nul folder is still there.

Two questions:
What would be involved in removing it from outside Windows?
What actual danger does the threat pose now that we deleted its control sets?

--Carl

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Reported threat hidden or non-existent
« Reply #46 on: September 15, 2010, 10:07:10 PM »
At the moment it is just an embuggerance. However, I am talking with a win2k expert at the moment and he is trying various routes.

There will be no danger deleting it outside Windows; you will just need to create a boot CD to access the file system.

CarlS

  • Guest
Re: Reported threat hidden or non-existent
« Reply #47 on: September 16, 2010, 01:07:29 PM »
Thanks, I'll definitely want to remove the folders, embuggerance or no.

I've made some progress at this end.
I ran the FileAssassin utility included in the AntiMalware program.
I was able to see and navigate the hidden structure and files.
I deleted all of the files in the bin folder.
I was able to rename the usr and bin folders to usr2 and bin2.

The usr2\bin2 folder structure (with no files) is stuck in my Recycle Bin.
When I try to do a final delete, I am told "access denied, file may be in use".

The C:\Avenger\knlps2\nul folder structure (with no files) is still present, access denied on the nul folder.

I ran a Quick Scan with Avast and found 1 malware threat:
C:\WINNT\system32\spool\drivers\w32x86\3\hpzstv01.exe
I was able to move the threat to the Chest with no problems.

I'm going to try re-booting the system to see if I can clear the Recycle Bin, then start a Full System Scan with Avast before I head off to work.

Will let you know how it turns out,
--Carl

Offline essexboy

Re: Reported threat hidden or non-existent
« Reply #48 on: September 16, 2010, 09:25:58 PM »
Yes please - I have a student running another problem on a win2k system and that is being a nightmare as well  ;D

CarlS

  • Guest
Re: Reported threat hidden or non-existent
« Reply #49 on: September 16, 2010, 09:49:41 PM »
I'm still at work so it will be a few hours before I know how the Full System Scan turned out, but I can tell you now that rebooting did not help with being able to clear the usr2 folder from the Recycle Bin.  I was hoping the "access denied, file may be in use" meant that it was associated with the FileAssassin, but that was not the case.

--Carl - wishing the student luck ;D

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Reported threat hidden or non-existent
« Reply #50 on: September 16, 2010, 09:54:58 PM »
Hi CarlS,

Yes, a very interesting case we have here, so we have learned a lot, all of us. Thanks to essexboy for guiding us all through the elimination process and you for hanging in,

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

CarlS

  • Guest
Re: Reported threat hidden or non-existent
« Reply #51 on: September 17, 2010, 12:54:23 AM »
Well thanks polonus and essexboy for all your assistance on this matter. :)

The Full System Scan was finished when I got home from work.
The Scan Results said "Some files could not be scanned."
File name is "Disk Boot Record".
Error is "The filename, directory name, or volume label syntax is incorrect(123)"

On the bright side, no threats were found, though the immovable folders are still there.

Thanks,
--Carl