I found the Multidropper FK on my XP and Vista machines, via CA antispyware on both machines. I was able to delete a 0000 folder under HK Local Machine/System/CurrentControlSet/Root/Legacy_Ipfilterdriver/0000, on the XP machine, run CA antispyware and it reports it gone, but when I re-boot the XP machine, it's back. On the vista machine, same folder, Windows Security will not allow me to delete the folder. When I re-boot the Vista machine, I try to go into Safe Mode, but it won't go there. I have to boot with LAST GOOD CONFIGURATION, then it seems to boot normally. If I don't try SAFE MODE it goes to a screen that tells me that Windows was unable to start. It gives me a choice to Repair, I'll choose that, but it can't repair. Then another screen pops up for SYSTEM RESTORE, which I select, and then it'll boot to Vista normally. But then I'll have to re-download Mcafee. So the only way to boot my Vista machine is to attempt SAFE MODE, then LAST GOOD CONFIGURATION.
Any suggestions?
Malwarebytes doesn't detect it, nor does McAfee Anti-Virus, Spybot, or Ad-Aware.
I'm stumped.
Thanks,
Here's an update,
After fiddling with both of my machines, one XP and the other Vista, I decided to call it a night. Well, this morning, Sept 27, 2009, I re-booted both machines. They both booted fine, and I ran CA anti-spyware on both. Lo and behold, NOTHING is detected. The 0000 folder in question is still in the registry on both machines. I've decided to leave them there.
I don't know if this was a "date specific" trojan, (multidropper FK), but it no longer seems to be an issue, whew, strange. Starting to believe that maybe this was a false alarm. Who knows.
I'm very relieved; however, I'm running some more tests.
Henry
Edited by knyteflyte, 27 September 2009 - 08:15 AM.
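The key the post is fighting with is a LEGACY_* entry that the Plug and Play manager creates under Enum\Root for every kernel driver service that is not tied to a PnP device (on a stock system the full path is HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_<SERVICENAME>\0000). Deleting that key is pointless: it is rebuilt at every boot for as long as the matching service key under CurrentControlSet\Services\<SERVICENAME> exists, which is exactly the "it's back after a re-boot" behaviour described above. What actually decides whether the machine is running something unwanted is the service entry and the driver file it points to. The PowerShell below is an added example written for this thread, not code from the poster or from CA; it assumes the LEGACY_<NAME> to Services\<NAME> mapping just described and takes the key name from the post (LEGACY_IPFILTERDRIVER, which on a normal install is the built-in IpFilterDriver service) as its default. It resolves the service's ImagePath to a file, checks that the file exists and reports its Authenticode status, so a helper can judge the driver rather than the mirror key.

```powershell
# Added example for the thread above (not from the original poster or any vendor).
# Assumption: Enum\Root\LEGACY_<NAME> mirrors Services\<NAME>; PnP recreates the
# LEGACY_ key at boot while the service exists, so look at the service, not the key.
param(
    [string]$LegacyKeyName = 'LEGACY_IPFILTERDRIVER'   # key name from the post; registry names are case-insensitive
)

$enumRoot = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-LegacyDriver {
    param([string]$KeyName)

    $svcName = $KeyName -replace '^LEGACY_', ''
    $svcKey  = Join-Path $services $svcName
    $result  = [ordered]@{
        LegacyKey       = Join-Path $enumRoot $KeyName
        LegacyExists    = Test-Path (Join-Path $enumRoot $KeyName)
        Service         = $svcName
        ServiceExists   = Test-Path $svcKey
        Start           = $null      # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
        ImagePath       = $null
        ResolvedPath    = $null
        FileExists      = $false
        SignatureStatus = $null
        Signer          = $null
    }

    if ($result.ServiceExists) {
        $svc = Get-ItemProperty -Path $svcKey
        $result.Start     = $svc.Start
        $result.ImagePath = $svc.ImagePath

        if ($svc.ImagePath) {
            # ImagePath is often relative to the Windows directory ("system32\drivers\x.sys")
            # or prefixed with \SystemRoot\ or \??\ ; normalise it to an absolute path.
            $p = $svc.ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }

            $result.ResolvedPath = $p
            $result.FileExists   = Test-Path -LiteralPath $p
            if ($result.FileExists) {
                $sig = Get-AuthenticodeSignature -FilePath $p
                $result.SignatureStatus = $sig.Status
                if ($sig.SignerCertificate) { $result.Signer = $sig.SignerCertificate.Subject }
            }
        }
    }

    New-Object PSObject -Property $result
}

# Sweep every LEGACY_ key the same way, so an odd one stands out next to the normal ones.
function Get-LegacyDriverReport {
    Get-ChildItem -Path $enumRoot |
        Where-Object { $_.PSChildName -like 'LEGACY_*' } |
        ForEach-Object { Resolve-LegacyDriver -KeyName $_.PSChildName }
}

# Usage: look at the key from the post, then list any driver whose file is missing
# or whose service points at a file outside system32\drivers.
Resolve-LegacyDriver -KeyName $LegacyKeyName | Format-List
Get-LegacyDriverReport |
    Where-Object { $_.ServiceExists -and (-not $_.FileExists -or $_.ResolvedPath -notlike "$env:SystemRoot\system32\drivers\*") } |
    Format-Table Service, Start, ResolvedPath, FileExists, SignatureStatus -AutoSize
```

Two caveats when reading the output. On XP and Vista most inbox Microsoft drivers are catalog-signed rather than carrying an embedded signature, and Get-AuthenticodeSignature on those versions reports them as NotSigned, so a NotSigned result for a file under system32\drivers is not by itself a finding; a missing file, a path outside the drivers directory, or a service name that matches no known component is the stronger signal. And if the service and its file are legitimate, as IpFilterDriver is on a normal install, the LEGACY_ key should simply be left alone, which is the conclusion the poster reached on their own.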