Reported threat hidden or non-existent

Hello,

I’m using Avast Pro on an old Athlon machine which is running Windows 2000 Pro.

The following Win32 Trojan-gen threat is being reported:
C:\WINNT\system32\drivers\knlps\nul\usr\bin\_0_scl.exe

When I try to apply any action to the file, Avast says it can not find the file.
Checking with Windows Explorer shows there is no knlps folder in the system32\drivers folder.

I tried doing a forum search on “knlps” and found nothing, so figured the best thing to do was ask about it.

Thanks in advance,
–Carl

Hi CarlS,

Download: http://www.f-secure.com/blacklight/try.shtml
Unpack into a new folder you create for it, start it, choose “I accept the agreement”, and then “scan”, wait until it has scanned the computer, click “next” & “exit”. There will be a TXT file in the folder where Blacklight resides; attach that file to your next reply please.
Also send all that is in this folder, C:\WINNT\system32\drivers\knlps\nul\usr\bin, to avast, together with all the files with extension .ren from the file C:\WINNT\system32\wbem.
It is a rootkit driver… Also perform an additional scan with gmer, see: http://www.gmer.net/

polonus

Hi Polonus, thanks for the response.

I downloaded and ran Blacklight, and it exited saying it was unable to run. There was no TXT file created.

I tried GMER. It found problems, then said it had to shut down GMER and my computer. When I tried to turn off the computer, it said I didn’t have the authority.
I shut down the power, then got a BSOD on re-boot.

–Carl

Hi CarlS,

This should be fixed first with, for instance, the Freefixer tool…
O23 - Service: ClipBook (ClipSrv) - Unknown owner - C:\WINNT\system32\wbem\clipsvr.exe (file missing)
O23 - Service: Network DDE (NetDDE) - Unknown owner - C:\WINNT\system32\wbem\netdde32.exe (file missing)
Then the rootkit tool should have found something similar to this, see attached file:
Wait for essexboy to appear and instruct you in eliminating this hidden rootkit driver; you may have to rename certain tools, as the malware would not allow them to run under their real name.

polonus

I was able to get the machine to re-boot.

I downloaded and ran FreeFixer

Hidden processes The following processes appears to be hidden. Please consult the manual for more infomation on how the detection of hidden processes works.
  • clipsvr.exe 520
  • netdde32.exe 660
  • _0_bbt.exe 772
  • _0_mbt.exe 780
  • netdde32.exe 864
  • _0_stunnel.exe 880
  • _0_stunnel.exe 888

FreeFixer is giving me the option to delete each of these, but I don’t want to delete something my machine might need.

Thanks,
–Carl

Hi, let’s have a look to see what is happening

Please download MBRCheck.exe to your desktop.

  • Be sure to disable your security programs
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A window similar to this should open on your desktop:

http://i677.photobucket.com/albums/vv132/RPMcMurphy_album_photos/mbrcheck.png

  • If you are prompted with options, enter N at the prompt and press Enter
  • Press Enter again
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop. Please post the contents of that file.

THEN

http://www.geekstogo.com/misc/guide_icons/OTLI.gif
OTL - Download or alternative link here and here to your desktop

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in

netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\System32\Wbem\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.

  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please attach all logs

Hi essexboy.

I ran MBRCheck and OTL and am attaching the output files.

Thanks,
–Carl

Hi, as you are running 2000 there is a limited number of tools that will work

However

Windows NT Clipboard DDE Server. Windows NT4/2000/XP/2003 service, installed by default as an Automatic service under Windows NT4 but as a Manual service from Windows 2000 onward. It enables ClipBook Viewer to store information and share it with remote computers.
But it is in the wrong folder; this is an old rootkit from the days of yore

However I believe combofix still works on 2000

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
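The two O23 lines polonus quoted earlier, together with essexboy’s point that the genuine ClipBook and Network DDE binaries never live in the wbem folder, can be turned into a mechanical check. The Python below is an added example, not output or code from HijackThis, OTL, ComboFix or anyone in the thread: it parses HijackThis-style O23 service lines, compares the image path of well-known Windows 2000 service names against where the real binary lives, and flags unknown owners and missing files. The expected-path table and the third (legitimate) sample line are assumptions constructed for the example.

```python
import re

# Constructed sample input: the two O23 lines quoted in the thread, plus one
# legitimate service entry (constructed, not from the thread) for contrast.
SAMPLE_O23 = """\
O23 - Service: ClipBook (ClipSrv) - Unknown owner - C:\\WINNT\\system32\\wbem\\clipsvr.exe (file missing)
O23 - Service: Network DDE (NetDDE) - Unknown owner - C:\\WINNT\\system32\\wbem\\netdde32.exe (file missing)
O23 - Service: Event Log (Eventlog) - Microsoft Corporation - C:\\WINNT\\system32\\services.exe
"""

# Where the genuine Windows 2000 binaries for these service names live,
# relative to the Windows directory. Assumption: a defender-maintained table;
# it is not part of any tool discussed on the page.
EXPECTED_IMAGE = {
    "clipsrv": r"system32\clipsrv.exe",
    "netdde": r"system32\netdde.exe",
    "netddedsdm": r"system32\netdde.exe",
    "eventlog": r"system32\services.exe",
}

# O23 - Service: <display name> (<service name>) - <owner> - <image path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^)]+)\) - (?P<owner>.+?) - "
    r"(?P<path>[A-Za-z]:\\.*?\.exe)(?P<rest>.*)$"
)


def parse_o23(line):
    """Split one O23 line into its fields; return None for non-O23 lines."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["file_missing"] = "(file missing)" in entry["rest"]
    return entry


def assess_service(entry, windir=r"C:\WINNT"):
    """Return the reasons (possibly none) an O23 entry deserves a closer look."""
    reasons = []
    if entry["owner"].lower() == "unknown owner":
        reasons.append("no vendor information in the image")
    if entry["file_missing"]:
        reasons.append("image file not visible on disk (missing or hidden)")
    expected = EXPECTED_IMAGE.get(entry["name"].lower())
    if expected:
        expected_full = (windir + "\\" + expected).lower()
        if entry["path"].lower() != expected_full:
            reasons.append(
                f"known service name but image is {entry['path']}, expected {expected_full}"
            )
    return reasons


def triage(text):
    """Map service name -> reasons for every suspicious O23 line in the report."""
    findings = {}
    for line in text.splitlines():
        entry = parse_o23(line)
        if entry is None:
            continue
        reasons = assess_service(entry)
        if reasons:
            findings[entry["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_O23).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Both quoted services trip all three checks (unknown owner, file missing, image path outside system32), while the constructed Event Log entry is left alone; the same table can be extended with any service whose real location is known.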

I ran ComboFix and am attaching the output file.

Thanks,
–Carl

Combofix will make a backup and quarantine these files and registry entries

  1. Please open Notepad
     • Click Start, then Run
     • Type notepad.exe in the Run Box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
c:\winnt\system32\wbem\clipsvr.exe
c:\winnt\system32\wbem\netdde32.exe
c:\winnt\system32\DarkSpyKernel.sys

Folder::
c:\winnt\system32\drivers\knlps

Driver::
ClipSrv
NetDDE
NetDDEdsdm

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ClipSrv]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDE]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDEdsdm]

  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

  4. Save the above as CFScript.txt

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
     • Combofix.txt

I ran ComboFix as you said and am attaching the output file.

An error message appeared during reboot:

Registry Editor Cannot import creg.dat. Error accessing registry.

Hi CarlS,

If at the end of the day, that is when essexboy’s malware elimination has been finished, you find that you cannot successfully uninstall ComboFix, just click START then RUN.
Now type Combofix /u in the run box and click OK. Note the space between the X and the /U; it needs to be there.
When shown the disclaimer, select “2”.

polonus

Could you now reboot the system and let me know if that error re-occurs, then run a fresh quick scan OTL log please

Just to be clear, I should mention the error reading creg.dat occurred after ComboFix had rebooted the system. When it came back up, ComboFix was still running and writing the output file. Then the error window appeared. Since the system was waiting for a response, I clicked the OK button and ComboFix resumed running.

Unless I hear otherwise, I’ll do as you suggested, re-booting the system, then re-running OTL and attach the log file.

–Carl

I rebooted the system and the error did not occur.
I reran OTL, pasting the same commands into the Custom Scan box that were used the first time.
I’m attaching the log.

Thanks,
–Carl

That looks OK, let’s sweep for orphans now. The error was CF related and is to do with Win 2K.

On completion can you let me know what problems you have

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Please download Malwarebytes’ Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select “Perform Quick Scan”, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

OK, it ran and didn’t find anything according to the log.

–Carl

OK, let’s tidy you up now

Looking at that I am a happy bunny :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands [resethosts] [purity] [emptytemp] [EMPTYFLASH] [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

SPRING CLEAN

Download and run Puran Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
  • SpywareBlaster to help prevent spyware from installing in the first place.

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes. Run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit
  • Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :wave:

I just used Avast! to re-scan the C:\WINNT\system32\drivers folder.
It is still reporting the original threat at C:\WINNT\system32\drivers\knlps\nul\usr\bin\_0_scl.exe.
It still says it can not find the file when I try to apply an action to the threat.

I checked with Windows Explorer and saw that the knlps folder is now visible in the system32\driver folder.
When I first reported the problem, the knlps folder could not be seen at all.

The nul folder is visible inside the knlps folder, but it is not accessible (Access denied).

I could not delete the knlps folder because it is not empty.

I was able to rename knlps to knlps2, but that didn’t help anything.

Further ideas?

Thanks,
–Carl
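Carl’s observation that the nul folder shows “Access denied” and that knlps cannot be deleted because it is not empty matches a long-known trick: nul, con, prn, aux, com1–com9 and lpt1–lpt9 are reserved DOS device names, and a directory created with such a name (which the native API allows) cannot be opened or removed through ordinary Win32 paths, so Explorer and plain del/rd fail on it. The Python below is an added example, not code from the thread or from any tool mentioned in it: it flags path components that are reserved device names and builds the \\?\ extended-length form, which bypasses the device-name mapping and is the usual way to remove such a directory from a command prompt. The sample paths are constructed; only the knlps path comes from the thread.

```python
# Reserved DOS device names; Win32 path parsing maps any component whose base
# name matches one of these to the device, regardless of extension or case.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def is_reserved_component(component):
    """True if a single path component would be treated as a device name."""
    base = component.split(".", 1)[0].rstrip(" ")  # "nul.txt" and "nul " are NUL too
    return base.upper() in RESERVED_DEVICE_NAMES


def reserved_components(path):
    """List the components of a Windows path that are reserved device names."""
    return [c for c in path.split("\\") if c and is_reserved_component(c)]


def extended_path(path):
    """Return the \\\\?\\ extended-length form that skips device-name mapping."""
    if path.startswith("\\\\?\\"):
        return path
    if path.startswith("\\\\"):                 # UNC share -> \\?\UNC\server\share
        return "\\\\?\\UNC\\" + path[2:]
    return "\\\\?\\" + path


def cleanup_command(directory):
    """cmd.exe line that removes a directory tree through the extended path (assumed usage)."""
    return f'rd /s /q "{extended_path(directory)}"'


def scan(paths):
    """Map each path that contains a reserved device name to the offending components."""
    return {p: reserved_components(p) for p in paths if reserved_components(p)}


# Constructed sample: the path Avast reported, plus benign look-alikes.
SAMPLE_PATHS = [
    r"C:\WINNT\system32\drivers\knlps\nul\usr\bin\_0_scl.exe",
    r"C:\WINNT\system32\drivers\etc\hosts",
    r"C:\Program Files\Console\console.exe",   # "console" is not "con"
    r"C:\Temp\aux.log",                          # base name "aux" is reserved
]

if __name__ == "__main__":
    for path, parts in scan(SAMPLE_PATHS).items():
        print(f"{path}: reserved component(s) {parts}")
        print("  remove parent with:", cleanup_command(path.rsplit("\\", 1)[0]))
```

Running it over the sample list flags the knlps path (because of nul) and aux.log, and leaves hosts and console.exe alone; the same check can be run over a full directory listing exported from a tool like OTL to find other device-named paths.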

Hmm I thought CF killed that - but as it is visible this should kill it

Please download OTM

  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:Files
C:\WINNT\system32\drivers\knlps2

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[Reboot]

  • Return to OTM, right click in the “Paste Instructions for Items to be Moved” window (under the yellow bar) and choose Paste.

  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.