Author Topic: Reported threat hidden or non-existent


CarlS

  • Guest
Reported threat hidden or non-existent
« on: September 06, 2010, 02:12:58 AM »
Hello,

I'm using Avast Pro on an old Athlon machine which is running Windows 2000 Pro.

The following Win32 Trojan-gen threat is being reported:
C:\WINNT\system32\drivers\knlps\nul\usr\bin\_0_scl.exe

When I try to apply any action to the file, Avast says it cannot find the file.
Checking with Windows Explorer shows there is no knlps folder in the system32\drivers folder.

I tried doing a forum search on "knlps" and found nothing, so figured the best thing to do was ask about it.

Thanks in advance,
--Carl

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Reported threat hidden or non-existent
« Reply #1 on: September 06, 2010, 02:33:35 AM »
Hi CarlS,

Download: http://www.f-secure.com/blacklight/try.shtml
Unpack into a new folder you create for it, start it, choose "I accept the agreement", and then "scan", wait until it has scanned the computer, click "next" & "exit". There will be a TXT file in the folder where Blacklight resides; attach that file to your next reply please.
Also send all that is in this folder, C:\WINNT\system32\drivers\knlps\nul\usr\bin, to avast, together with all the files with extension .ren from the file C:\WINNT\system32\wbem.
It is a rootkit driver. Also perform an additional scan with GMER, see: http://www.gmer.net/

polonus
« Last Edit: September 06, 2010, 02:42:27 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
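Before trying to collect the files polonus asks for, one property of the reported path is worth knowing. A rootkit hiding the directory is one explanation for Explorer showing nothing and avast saying it cannot find the file; a second, independent one is the `nul` component. NUL is a Win32 reserved device name, and normal Win32 path parsing (what Explorer, `dir` and most user-mode tools go through) resolves any component whose base name is a device name to the device rather than to a directory, so such a directory can only be opened through a path carrying the `\\?\` prefix, which switches that parsing off. The Python below is an added example and is not from this thread or from any tool named in it; the path is copied from the first post, the reserved-name list is the standard Win32 set, and the helper names are mine.

```python
import ntpath

# Win32 reserved device names. A path component whose base name (the part before
# the first dot, case-insensitive) is one of these is treated as the device by
# ordinary Win32 path parsing, not as a file-system object.
RESERVED_DEVICE_NAMES = frozenset(
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def reserved_components(path):
    """Return the components of a Windows path that collide with a device name."""
    _drive, tail = ntpath.splitdrive(path)
    hits = []
    for component in tail.replace("/", "\\").split("\\"):
        if not component:
            continue
        base = component.split(".", 1)[0].strip().upper()
        if base in RESERVED_DEVICE_NAMES:
            hits.append(component)
    return hits


def extended_length_path(path):
    r"""Prefix a drive-qualified local path with \\?\ so the Win32 layer passes
    it to the file system without device-name resolution. Already-prefixed paths
    are returned unchanged; UNC and relative paths are rejected (UNC needs the
    separate \\?\UNC\ form, which this example does not cover)."""
    if path.startswith("\\\\?\\"):
        return path
    drive, _tail = ntpath.splitdrive(path)
    if not drive or drive.startswith("\\\\"):
        raise ValueError("expected a drive-qualified local path")
    return "\\\\?\\" + path


# The path reported by avast in the first post.
REPORTED = r"C:\WINNT\system32\drivers\knlps\nul\usr\bin\_0_scl.exe"


def triage(path):
    """Summarise why a path may be unreachable through normal Win32 parsing and
    which form to try instead (None when no reserved component is present)."""
    hits = reserved_components(path)
    return {
        "path": path,
        "reserved": hits,
        "extended": extended_length_path(path) if hits else None,
    }


if __name__ == "__main__":
    print(triage(REPORTED))
```

On the Windows machine itself, `os.listdir(extended_length_path(r"C:\WINNT\system32\drivers\knlps\nul\usr\bin"))` is the way to attempt the listing, since Python hands the prefixed path straight to the file-system API. If that still returns nothing or errors out on a live system, the rootkit filter polonus describes is the more likely cause, and the offline-style tools used later in this thread are the right next step.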

CarlS

  • Guest
Re: Reported threat hidden or non-existent
« Reply #2 on: September 06, 2010, 05:45:44 PM »
Hi Polonus, thanks for the response.

I downloaded and ran Blacklight, and it exited saying it was unable to run. There was no TXT file created.

I tried GMER. It found problems, then said it had to shut down GMER and my computer. When I tried to turn off the computer, it said I didn't have the authority.
I shut down the power, then got a BSOD on re-boot.

--Carl

Offline polonus

Re: Reported threat hidden or non-existent
« Reply #3 on: September 06, 2010, 05:58:52 PM »
Hi CarlS,

This should be fixed first, with for instance the FreeFixer tool:
O23 - Service: ClipBook (ClipSrv) - Unknown owner - C:\WINNT\system32\wbem\clipsvr.exe (file missing)
O23 - Service: Network DDE (NetDDE) - Unknown owner - C:\WINNT\system32\wbem\netdde32.exe (file missing)
Then the rootkit tool should have found something similar to this, see attached file:
Wait for essexboy to appear and instruct you on eliminating this hidden rootkit driver; you may have to rename certain tools, as the malware would not allow them to run under their real names.

polonus

CarlS

  • Guest
Re: Reported threat hidden or non-existent
« Reply #4 on: September 06, 2010, 08:48:06 PM »
I was able to get the machine to re-boot.

I downloaded and ran FreeFixer
Quote
Hidden processes
The following processes appear to be hidden. Please consult the manual for more information on how the detection of hidden processes works.

   - clipsvr.exe 520
   - netdde32.exe 660
   - _0_bbt.exe 772
   - _0_mbt.exe 780
   - netdde32.exe 864
   - _0_stunnel.exe 880
   - _0_stunnel.exe 888

FreeFixer is giving me the option to delete each of these, but I don't want to delete something my machine might need.

Thanks,
--Carl

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Reported threat hidden or non-existent
« Reply #5 on: September 06, 2010, 09:35:52 PM »
Hi, let's have a look to see what is happening.

Please download MBRCheck.exe to your desktop.
  • Be sure to disable your security programs
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A window similar to this should open on your desktop:
  • If you are prompted with options, enter N at the prompt and press Enter
  • Press Enter again
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop. Please post the contents of that file.
THEN

OTL - Download or alternative link here and here to your desktop

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\System32\Wbem\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please attach all logs
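MBRCheck's job in the step above is to read sector 0 of the disk, confirm the 0x55AA boot signature, decode the four partition table entries and compare the boot code against known-good images, because a bootkit lives in exactly that sector. The Python below is an added example of those checks, not MBRCheck's code or anything from this thread. The disk image is constructed inline (a stand-in boot loader plus one bootable NTFS partition), the "known-good" set is seeded from that constructed sector in place of a vendor hash list, and all function names are mine.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: boot loader code
PARTITION_TABLE_OFFSET = 446   # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


def parse_partition_entry(entry):
    """Decode one 16-byte legacy partition table entry (CHS fields ignored)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry
    )
    return {
        "status": status,
        "bootable": status == 0x80,
        "type": ptype,
        "lba_start": lba_start,
        "sectors": sectors,
    }


def parse_mbr(sector):
    """Split a 512-byte sector 0 into boot code hash, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * index
        entry = sector[offset:offset + 16]
        if entry == bytes(16):          # all-zero entry: slot unused
            continue
        part = parse_partition_entry(entry)
        part["index"] = index
        partitions.append(part)
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def findings(mbr, known_good_hashes):
    """Return human-readable anomalies; an empty list means nothing stood out."""
    out = []
    if not mbr["signature_ok"]:
        out.append("boot signature 0x55AA missing")
    if mbr["boot_code_sha256"] not in known_good_hashes:
        out.append("boot code hash not in the known-good set")
    bootable = [p for p in mbr["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        out.append(f"{len(bootable)} partitions flagged bootable, expected 1")
    for p in mbr["partitions"]:
        if p["status"] not in (0x00, 0x80):
            out.append(f"partition {p['index']}: invalid status byte 0x{p['status']:02x}")
        if p["sectors"] == 0:
            out.append(f"partition {p['index']}: zero length")
    ordered = sorted(mbr["partitions"], key=lambda p: p["lba_start"])
    for prev, nxt in zip(ordered, ordered[1:]):
        if nxt["lba_start"] < prev["lba_start"] + prev["sectors"]:
            out.append(f"partitions {prev['index']} and {nxt['index']} overlap")
    return out


def build_sample_mbr(boot_code, partitions):
    """Assemble a sector from boot code and (status, type, lba_start, sectors)
    tuples. Constructed test data for this example, not an image of a real disk."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    sector = bytearray(boot_code.ljust(BOOT_CODE_LEN, b"\x00"))
    table = bytearray()
    for status, ptype, lba_start, sectors in partitions:
        # CHS fields set to 0xFF, as tools do for LBA-addressed disks
        table += struct.pack("<B3sB3sII", status, b"\xff" * 3, ptype, b"\xff" * 3,
                             lba_start, sectors)
    sector += table.ljust(64, b"\x00") + BOOT_SIGNATURE
    return bytes(sector)


# Constructed sample: stand-in boot code and one bootable NTFS (0x07) partition
# starting at sector 63. KNOWN_GOOD is seeded from it, standing in for the hash
# list a real checker ships with.
SAMPLE_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8" + b"\x90" * 32
CLEAN_MBR = build_sample_mbr(SAMPLE_BOOT_CODE, [(0x80, 0x07, 63, 41_942_977)])
KNOWN_GOOD = {parse_mbr(CLEAN_MBR)["boot_code_sha256"]}

# The same sector with a patched boot loader, the kind of change a bootkit makes.
TAMPERED_MBR = bytearray(CLEAN_MBR)
TAMPERED_MBR[0x10] ^= 0xFF
TAMPERED_MBR = bytes(TAMPERED_MBR)


def audit(sector, known_good=KNOWN_GOOD):
    return findings(parse_mbr(sector), known_good)


if __name__ == "__main__":
    # On a live Windows machine the sector comes from the raw device (administrator
    # rights needed): open(r"\\.\PhysicalDrive0", "rb").read(512). A kernel rootkit
    # that filters disk reads can hand back a clean copy, so compare with a read
    # taken after booting from external media.
    for label, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(label, audit(sector) or "no findings")
```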

CarlS

  • Guest
Re: Reported threat hidden or non-existent
« Reply #6 on: September 07, 2010, 12:15:30 AM »
Hi essexboy.

I ran MBRCheck and OTL and am attaching the output files.

Thanks,
--Carl

Offline essexboy

Re: Reported threat hidden or non-existent
« Reply #7 on: September 07, 2010, 09:38:10 PM »
Hi, as you are running 2000 there is a limited number of tools that will work.

However
Quote
Windows NT Clipboard DDE Server. Windows NT4/2000/XP/2003 service, installed by default as an Automatic service under Windows NT4 but as a Manual service from Windows 2000 onward. It enables ClipBook Viewer to store information and share it with remote computers.
But it is in the wrong folder; this is an old rootkit from the days of yore.

However, I believe ComboFix still works on 2000.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.
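The point essexboy makes here, and the O23 lines polonus quoted earlier, come down to one check: a service name that belongs to a stock Windows component whose image path points somewhere other than where Windows installs it (here `wbem\` instead of `system32\`, and `clipsvr.exe` / `netdde32.exe` instead of the real file names), with no publisher and a file that cannot be found on disk. The Python below is an added example of that check run over O23-style lines; it is not from HijackThis, OTL or this thread. The two suspicious lines are copied from polonus's post, the third clean line is constructed for contrast, and the table of stock image locations is my own assumption about Windows 2000/XP and should be verified against a clean install before you rely on it.

```python
import ntpath
import re

# One O23 line as HijackThis / OTL print it:
#   O23 - Service: <display name> (<service name>) - <owner> - <image path>[ (file missing)]
O23_LINE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^()]+)\) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Where these stock Windows 2000/XP services are installed (assumption from memory
# of those releases; check against a clean install before relying on it).
EXPECTED_IMAGE = {
    "clipsrv": r"%systemroot%\system32\clipsrv.exe",
    "netdde": r"%systemroot%\system32\netdde.exe",
    "netddedsdm": r"%systemroot%\system32\netdde.exe",
}


def parse_o23(line):
    """Return the fields of an O23 line, or None for any other line type."""
    m = O23_LINE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["missing"] = entry["missing"] is not None
    return entry


def normalise(path, systemroot):
    """Lower-case, unquote and expand %systemroot% so paths compare reliably."""
    p = path.strip().strip('"').lower()
    return p.replace("%systemroot%", systemroot.lower())


def check_service(entry, systemroot=r"c:\winnt"):
    """Return the reasons this service entry deserves a second look (empty = none)."""
    problems = []
    actual = normalise(entry["path"], systemroot)
    expected = EXPECTED_IMAGE.get(entry["name"].lower())
    if expected is not None:
        expected = normalise(expected, systemroot)
        if ntpath.dirname(actual) != ntpath.dirname(expected):
            problems.append(
                f"image lives in {ntpath.dirname(actual)}, stock location is "
                f"{ntpath.dirname(expected)}"
            )
        if ntpath.basename(actual) != ntpath.basename(expected):
            problems.append(
                f"image name {ntpath.basename(actual)} differs from stock "
                f"{ntpath.basename(expected)}"
            )
    if entry["owner"].strip().lower() == "unknown owner":
        problems.append("no publisher recorded for the image")
    if entry["missing"]:
        problems.append("image reported missing on disk while the service stays "
                        "registered (hidden or deleted file)")
    return problems


def audit(lines, systemroot=r"c:\winnt"):
    """Map service name -> list of problems for every O23 line in the input."""
    report = {}
    for line in lines:
        entry = parse_o23(line)
        if entry is None:
            continue
        report[entry["name"]] = check_service(entry, systemroot)
    return report


# The two entries quoted in this thread, plus a constructed clean one for contrast.
SAMPLE_LINES = [
    r"O23 - Service: ClipBook (ClipSrv) - Unknown owner - C:\WINNT\system32\wbem\clipsvr.exe (file missing)",
    r"O23 - Service: Network DDE (NetDDE) - Unknown owner - C:\WINNT\system32\wbem\netdde32.exe (file missing)",
    r"O23 - Service: Network DDE DSDM (NetDDEdsdm) - Microsoft Corporation - C:\WINNT\system32\netdde.exe",
]


if __name__ == "__main__":
    for name, problems in audit(SAMPLE_LINES).items():
        print(name, "->", problems or "ok")
```

The near-miss file names are the part worth automating: `netdde32.exe` reads as plausible to a human skimming a log, but a comparison against the stock basename catches it immediately.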

CarlS

  • Guest
Re: Reported threat hidden or non-existent
« Reply #8 on: September 08, 2010, 12:34:05 AM »
I ran ComboFix and am attaching the output file.

Thanks,
--Carl

Offline essexboy

Re: Reported threat hidden or non-existent
« Reply #9 on: September 08, 2010, 09:17:25 PM »
Combofix will make a backup and quarantine these files and registry entries

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Quote
KillAll::

File::
c:\winnt\system32\wbem\clipsvr.exe
c:\winnt\system32\wbem\netdde32.exe
c:\winnt\system32\DarkSpyKernel.sys
 
Folder::
c:\winnt\system32\drivers\knlps

Driver::
ClipSrv
NetDDE
NetDDEdsdm

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ClipSrv]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDE]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDEdsdm]

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

6. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt .
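The script above is a plain text file whose `Section::` headers tell ComboFix what to remove, and it is worth reading one before dropping it on ComboFix.exe, since every line under `File::`, `Folder::` and `Driver::` is something that will be deleted. The Python below is an added example, not ComboFix code or anything from this thread's tools: it parses the script into its sections, produces a dry-run plan, and raises the warnings a practitioner would want, namely a `Folder::` entry that names a system folder and a `Driver::` entry that is a stock Windows service name (the three here are removed because the rootkit repointed their entries, which is exactly the case to confirm before running). `[-KEY]` lines are read with .reg-file semantics (delete the whole key). The section list, the protected-folder list and the stock-service list are my own choices. One caveat the script itself does not address: its `Registry::` keys name `ControlSet001` explicitly, while the live configuration is whichever `ControlSet00N` the `Current` value under `HKLM\SYSTEM\Select` points at, so check that value before assuming those three lines touch the active service entries.

```python
import ntpath
import re

SECTION_HEADER = re.compile(r"^([A-Za-z]+)::$")
REG_DELETE_KEY = re.compile(r"^\[-(?P<key>.+)\]$")
REG_KEY = re.compile(r"^\[(?P<key>.+)\]$")

# Section names used in the script above. ComboFix understands others; anything
# outside this set is reported rather than silently accepted.
KNOWN_SECTIONS = {"killall", "file", "folder", "driver", "registry"}

# Stock Windows 2000 service names that appear in this script (assumption: the
# three listed under Driver:: above are genuine Windows services).
STOCK_SERVICES = {"clipsrv", "netdde", "netddedsdm"}


def parse_cfscript(text):
    """Group the non-blank lines of a CFScript under their Section:: headers."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_HEADER.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        sections[current].append(line)
    return sections


def protected_folders(systemroot):
    """Folders whose deletion would take the system down with the malware."""
    root = systemroot.lower().rstrip("\\")
    drive = ntpath.splitdrive(root)[0]
    return {drive, root, root + r"\system32", root + r"\system32\drivers"}


def plan(sections, systemroot=r"c:\winnt"):
    """Turn parsed sections into an ordered action list plus warnings. Dry run
    only: nothing here touches the file system or registry."""
    actions, warnings = [], []
    for name in sections:
        if name not in KNOWN_SECTIONS:
            warnings.append(f"section {name}:: not recognised by this checker")
    if "killall" in sections:
        actions.append(("kill_user_processes", None))
    for path in sections.get("file", []):
        actions.append(("delete_file", path))
    for path in sections.get("folder", []):
        if path.lower().rstrip("\\") in protected_folders(systemroot):
            warnings.append(f"refusing to plan deletion of {path}: protected system folder")
            continue
        actions.append(("delete_folder", path))
    for svc in sections.get("driver", []):
        if svc.lower() in STOCK_SERVICES:
            warnings.append(f"{svc} is a stock Windows service name; confirm its "
                            "entry points at the rogue image before removing it")
        actions.append(("delete_service", svc))
    current_key = None
    for line in sections.get("registry", []):
        m = REG_DELETE_KEY.match(line)
        if m:                        # .reg syntax: [-KEY] deletes the whole key
            actions.append(("delete_key", m.group("key")))
            current_key = None
            continue
        m = REG_KEY.match(line)
        if m:
            current_key = m.group("key")
            continue
        if current_key is None:
            warnings.append(f"registry line outside any key: {line!r}")
        else:
            actions.append(("set_value", f"{current_key} :: {line}"))
    return actions, warnings


# The script posted above, verbatim.
SAMPLE_SCRIPT = r"""
KillAll::

File::
c:\winnt\system32\wbem\clipsvr.exe
c:\winnt\system32\wbem\netdde32.exe
c:\winnt\system32\DarkSpyKernel.sys

Folder::
c:\winnt\system32\drivers\knlps

Driver::
ClipSrv
NetDDE
NetDDEdsdm

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ClipSrv]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDE]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDEdsdm]
"""


if __name__ == "__main__":
    actions, warnings = plan(parse_cfscript(SAMPLE_SCRIPT))
    for action in actions:
        print("ACTION ", action)
    for warning in warnings:
        print("WARNING", warning)
```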

CarlS

  • Guest
Re: Reported threat hidden or non-existent
« Reply #10 on: September 08, 2010, 11:31:02 PM »
I ran ComboFix as you said and am attaching the output file.

An error message appeared during reboot:
Quote
Registry Editor
Cannot import creg.dat. Error accessing registry.

Offline polonus

Re: Reported threat hidden or non-existent
« Reply #11 on: September 08, 2010, 11:35:19 PM »
Hi CarlS,

If at the end of the day, that is when essexboy's malware elimination has been finished, you find that you cannot successfully uninstall ComboFix, just click START then RUN.
Now type Combofix /u in the run box and click OK. Note the space between the X and the /U; it needs to be there.
When shown the disclaimer, select "2".

polonus

Offline essexboy

Re: Reported threat hidden or non-existent
« Reply #12 on: September 08, 2010, 11:57:49 PM »
Could you now reboot the system and let me know if that error reoccurs, then run a fresh OTL quick scan and attach the log please.

CarlS

  • Guest
Re: Reported threat hidden or non-existent
« Reply #13 on: September 09, 2010, 12:32:48 AM »
Just to be clear, I should mention the error reading creg.dat occurred after ComboFix had rebooted the system. When it came back up, ComboFix was still running and writing the output file. Then the error window appeared. Since the system was waiting for a response, I clicked the OK button and ComboFix resumed running.

Unless I hear otherwise, I'll do as you suggested, re-booting the system, then re-running OTL and attach the log file.

--Carl

CarlS

  • Guest
Re: Reported threat hidden or non-existent
« Reply #14 on: September 09, 2010, 01:20:37 AM »
I rebooted the system and the error did not occur.
I reran OTL, pasting the same commands into the Custom Scan box that were used the first time.
I'm attaching the log.

Thanks,
--Carl