Author Topic: Reported threat hidden or non-existent  (Read 18835 times)


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Reported threat hidden or non-existent
« Reply #30 on: September 12, 2010, 07:11:55 PM »
OK, so it needs to be removed at the kernel level. Let's now get it off your system.

  • Download OTC to your desktop and run it
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.


Could you now confirm it really has gone  ;D

CarlS

  • Guest
Re: Reported threat hidden or non-existent
« Reply #31 on: September 12, 2010, 07:34:33 PM »
I ran OTC and rebooted the system per your instructions.
The threat is still there in the C:\Avenger folder.

--Carl

essexboy

Re: Reported threat hidden or non-existent
« Reply #32 on: September 12, 2010, 09:06:59 PM »
If you could now delete the Avenger folder please

CarlS

Re: Reported threat hidden or non-existent
« Reply #33 on: September 12, 2010, 09:30:27 PM »
It cannot be deleted.
When I select C:\Avenger and press Delete, a window titled "Error Deleting File or Folder" opens saying "Cannot delete nul: The parameter is incorrect".

--Carl

essexboy

Re: Reported threat hidden or non-existent
« Reply #34 on: September 12, 2010, 09:31:43 PM »
Can you rename the nul subfolder?

CarlS

Re: Reported threat hidden or non-existent
« Reply #35 on: September 12, 2010, 09:47:47 PM »
The same window opens saying "Cannot rename nul: The parameter is incorrect"

essexboy

Re: Reported threat hidden or non-existent
« Reply #36 on: September 12, 2010, 10:08:33 PM »
OK, sussed out why: that is a reserved name within 2k, and as such Windows will not allow you to delete it.

I will have to do more investigation for a workaround. But it is not active, since we deleted the control sets.

essexboy

Re: Reported threat hidden or non-existent
« Reply #37 on: September 12, 2010, 10:15:50 PM »
And as I speak I have found an old MS article about deleting reserved names; let's give this a go.

Type the following at either a command prompt in safe mode or from the run command

RD \\.\c:\Place here the path to the nul folder in avenger
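
The RD command above works because the \\.\ prefix (the Win32 device namespace) and the \\?\ prefix (the Win32 "verbatim" path form) both switch off the path normalisation that maps a component called nul to the NUL device. The following PowerShell script is an added example for this thread, not code from the original post or from the Microsoft article: it recreates a nul\usr\bin folder tree like the one reported here, shows that an ordinary path cannot remove it, and then removes it with rd through the verbatim prefix. It assumes an elevated PowerShell on Windows, that C:\Temp\rsvtest is a scratch path chosen for the demo (substitute the real path, for example C:\Avenger\knlps2\nul), and that [System.IO.Directory] honours \\?\ paths (true on .NET Framework 4.6.2 and later, and on PowerShell 7). The helper function also answers the later question in the thread: usr and bin are not reserved names; only CON, PRN, AUX, NUL, COM1-9 and LPT1-9 are.

```powershell
# Added example for this thread, not code from the original post or from Microsoft.
# Shows why a folder literally named "nul" cannot be deleted through the normal
# Win32 namespace and how the verbatim prefix (\\?\, or \\.\ as used in the post)
# bypasses the name parsing that turns "nul" into the NUL device.
# Assumptions: elevated PowerShell on Windows; C:\Temp\rsvtest is a scratch path
# chosen for the demo (substitute the real path, e.g. C:\Avenger\knlps2\nul);
# [System.IO.Directory] honours \\?\ paths (.NET Framework 4.6.2+ or PowerShell 7).

$Root     = 'C:\Temp\rsvtest'
$Target   = Join-Path $Root 'nul'   # what Explorer/cmd see and misparse as the NUL device
$Verbatim = "\\?\$Target"           # parsed literally, no device-name substitution

function Test-ReservedDeviceName {
    param([Parameter(Mandatory)][string]$Name)
    # Win32 reserves these base names regardless of extension ("nul.txt" is still NUL).
    # "usr" and "bin" are not reserved; only the component named "nul" is the problem.
    $base = $Name.Split('.')[0]
    return [bool]($base -match '^(?i:CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])$')
}

# 1. Recreate the shape reported in the thread: <root>\nul\usr\bin.
#    Each component is created through cmd.exe with the verbatim prefix,
#    because New-Item on the plain path would be routed to the device.
New-Item -ItemType Directory -Path $Root -Force | Out-Null
foreach ($sub in 'nul', 'nul\usr', 'nul\usr\bin') {
    cmd /c "md ""\\?\$Root\$sub""" | Out-Null
}

# 2. The ordinary path cannot remove it: the parser never reaches the folder.
try {
    Remove-Item -LiteralPath $Target -Recurse -Force -ErrorAction Stop
} catch {
    Write-Host "Normal path failed as expected: $($_.Exception.Message)"
}
Write-Host "Still present via verbatim path: $([System.IO.Directory]::Exists($Verbatim))"

# 3. Remove it through the verbatim path. /s is needed because the folder is
#    not empty (usr\bin); a plain RD on it reports "The directory is not empty".
cmd /c "rd /s /q ""$Verbatim"""
if ([System.IO.Directory]::Exists($Verbatim)) {
    Write-Warning "Still present. 'Access is denied' here points at ownership/ACLs or an open handle, not at the reserved name itself."
} else {
    Write-Host "Removed through the verbatim path."
}

# Quick check of the helper on the names that appear in this thread.
foreach ($n in 'nul', 'usr', 'bin', 'knlps2', 'nul.txt') {
    Write-Host ("{0,-8} reserved: {1}" -f $n, (Test-ReservedDeviceName $n))
}
```

Typing the same thing by hand at a cmd prompt, rd /s /q "\\?\C:\Avenger\knlps2\nul" is the one-liner; the /s switch matters because the reported nul folder has usr\bin underneath it. The command has to be run from cmd.exe, not the Run box, since RD is a cmd built-in and not an executable.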

CarlS

Re: Reported threat hidden or non-existent
« Reply #38 on: September 12, 2010, 10:30:07 PM »
I entered the following from the Run command:
Quote
RD \\.\c:\Avenger\knlps2\nul

A window opened saying:
Quote
Cannot find the file 'RD' (or one of its components).  Make sure the path and filename are correct and that all required libraries are available.

--Carl

CarlS

Re: Reported threat hidden or non-existent
« Reply #39 on: September 12, 2010, 10:59:22 PM »
For a test case, I made the following folder structure:
C:\TempFolder\TEMP

I then opened a cmd window and entered:
RD \\.\c:\TempFolder\TEMP

That worked.

I then tried:
RD \\.\c:\Avenger\knlps2\nul

The response was:
Access is denied.

I then tried:
RD \\.\c:\Avenger\knlps2

The response was:
The directory is not empty.


--Carl

essexboy

Re: Reported threat hidden or non-existent
« Reply #40 on: September 12, 2010, 11:29:30 PM »
Back to the drawing board; more research here, I feel. Can you delete the files within the nul folder?

CarlS

Re: Reported threat hidden or non-existent
« Reply #41 on: September 12, 2010, 11:58:34 PM »
I cannot see or delete anything within the nul folder.
I can only see the directory and file structure in the Avast threat report, but when I try to apply an action, Avast says it cannot find the file.

Are the usr and bin folder names reserved by Windows like nul?
If so, that may be complicating the situation.

--Carl - appreciating all the effort on this
« Last Edit: September 13, 2010, 12:05:54 AM by CarlS »

essexboy

Re: Reported threat hidden or non-existent
« Reply #42 on: September 13, 2010, 09:14:56 PM »
OK, let's now use ComboFix with the reserved name indicator and see if that can do it.

Download ComboFix from one of these locations:

Link 1
Link 2


1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Quote
KillAll::

Folder::
\\.\c:\Avenger\knlps\nul\usr\bin
\\.\c:\Avenger\knlps2\nul\usr
\\.\c:\Avenger\knlps2\nul

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • ComboFix.txt
« Last Edit: September 13, 2010, 09:17:04 PM by essexboy »

CarlS

Re: Reported threat hidden or non-existent
« Reply #43 on: September 14, 2010, 05:40:41 AM »
OK, tried that, attaching the log file.

The folder structure is still there.

--Carl

essexboy

Re: Reported threat hidden or non-existent
« Reply #44 on: September 14, 2010, 09:21:40 PM »
One more run with ComboFix to see if it will delete Avenger; after this the only other option is to remove it from outside Windows, either via Linux or a Bart disc.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Quote
KillAll::

Folder::
c:\Avenger

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • ComboFix.txt