Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Multidropper FK


  • Please log in to reply
2 replies to this topic

#1 knyteflyte

knyteflyte

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:07:39 AM

Posted 27 September 2009 - 01:04 AM

Hi,

I found the Multidropper FK on my XP and Vista machines, via CA antispyware on both machines. I was able to delete a 0000 folder under HK Local Machine/System/CurrentControlSet/Root/Legacy_Ipfilterdriver/0000, on the XP machine, run CA antispyware and it reports it gone, but when I re-boot the XP machine, it's back. On the vista machine, same folder, Windows Security will not allow me to delete the folder. When I re-boot the Vista machine, I try to go into Safe Mode, but it won't go there. I have to boot with LAST GOOD CONFIGURATION, then it seems to boot normally. If I don't try SAFE MODE it goes to a screen that tells me that Windows was unable to start. It gives me a choice to Repair, I'll choose that, but it can't repair. Then another screen pops up for SYSTEM RESTORE, which I select, and then it'll boot to Vista normally. But then I'll have to re-download Mcafee. So the only way to boot my Vista machine is to attempt SAFE MODE, then LAST GOOD CONFIGURATION.

Any suggestions?

Malwarebytes doesn't detect it, nor does Mcafee Anti-Virus, or Spybot, or Adaware.

I'm stumped.


Thanks,





Here's an update,

After fiddling with both of my machines, one XP and the other Vista, I decided to call it a night. Well, this morning Sept 27, 2009 I re-booted both machines. They both booted fine, I ran CA anti-spyware on both. Low and behold, NOTHING is detected. The 0000 folder in question is still in the registry on both machines. I've decided to leave them there.

I don't know if this was a "date specific" trojan, (multidropper FK), but it no longer seems to be an issue, whew, strange. Starting to believe that maybe this was a false alarm. Who knows.

I'm very relieved, however I'm running some more tests


Henry

Edited by knyteflyte, 27 September 2009 - 08:15 AM.


BC AdBot (Login to Remove)

 


#2 Guest_The weatherman_*

Guest_The weatherman_*

  • Guests
  • OFFLINE
  •  

Posted 27 September 2009 - 02:22 AM

Moved from HJT to a more appropriate forum. Tw

#3 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio

Posted 28 September 2009 - 09:32 PM

You might want to run this



We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

----------------------------------

Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High

Also try: right-click on rootrepeal.exe and rename it to tatertot.scr
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users