Multidropper FK

Hi,

I found the Multidropper FK on my XP and Vista machines, via CA antispyware on both machines. I was able to delete a 0000 folder under HK Local Machine/System/CurrentControlSet/Root/Legacy_Ipfilterdriver/0000, on the XP machine, run CA antispyware and it reports it gone, but when I re-boot the XP machine, it's back. On the vista machine, same folder, Windows Security will not allow me to delete the folder. When I re-boot the Vista machine, I try to go into Safe Mode, but it won't go there. I have to boot with LAST GOOD CONFIGURATION, then it seems to boot normally. If I don't try SAFE MODE it goes to a screen that tells me that Windows was unable to start. It gives me a choice to Repair, I'll choose that, but it can't repair. Then another screen pops up for SYSTEM RESTORE, which I select, and then it'll boot to Vista normally. But then I'll have to re-download Mcafee. So the only way to boot my Vista machine is to attempt SAFE MODE, then LAST GOOD CONFIGURATION.

Any suggestions?

Malwarebytes doesn't detect it, nor does Mcafee Anti-Virus, or Spybot, or Adaware.

I'm stumped.


Thanks,





Here's an update,

After fiddling with both of my machines, one XP and the other Vista, I decided to call it a night. Well, this morning Sept 27, 2009 I re-booted both machines. They both booted fine, I ran CA anti-spyware on both. Low and behold, NOTHING is detected. The 0000 folder in question is still in the registry on both machines. I've decided to leave them there.

I don't know if this was a "date specific" trojan, (multidropper FK), but it no longer seems to be an issue, whew, strange. Starting to believe that maybe this was a false alarm. Who knows.

I'm very relieved, however I'm running some more tests


Henry

Edited by knyteflyte, 27 September 2009 - 08:15 AM.

Moved from HJT to a more appropriate forum. Tw

You might want to run this



We Need to check for Rootkits with RootRepeal

• Download RootRepeal from the following location and save it to your desktop.
  • Direct Download (Recommended)
    • Primary Mirror
    • Secondary Mirror
    • Secondary Mirror
    • Secondary Mirror
  • Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)
    
    • Primary Mirror
    • Secondary Mirror
    • Secondary Mirror
  • Rar Mirrors - Only if you know what a RAR is and can extract it.
    
    • Primary Mirror
    • Secondary Mirror
    • Secondary Mirror
• Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
• Open on your desktop.
• Click the tab.
• Click the button.
• Check all seven boxes:
• Push Ok
• Check the box for your main system drive (Usually C:), and press Ok.
• Allow RootRepeal to run a scan of your system. This may take some time.
• Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

----------------------------------

Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High

Also try: right-click on rootrepeal.exe and rename it to tatertot.scr