
Possibly infected with Exploit.Drop.2 / Trojan.Agent


18 replies to this topic

#1 zubadoo (Members, 21 posts)

Posted 01 August 2011 - 10:51 PM

Hello, my computer was running slow, so I did a quick MBAM scan which revealed 2 results:
-0.4267402257311502.exe (Exploit.Drop.2)
-winword.doc (Trojan.Agent)

I restarted the computer and had MBAM delete the files. Following this a second scan did not return any infected files.

Do I need to do anything else to ensure I am no longer infected?

Any help would be appreciated. Thanks in advance!

#2 Broni (BC Advisor, 42,663 posts, Daly City, CA)

Posted 02 August 2011 - 12:05 AM

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark the following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click [donation link].

#3 zubadoo (Topic Starter)

Posted 03 August 2011 - 07:52 PM

Thank you for the help. See below for the information you requested:

=============================================================================

Security Check

Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
Kaspersky Internet Security 2010
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
TuneUp Utilities
TuneUp Utilities Language Pack (en-US)
CCleaner
Java™ 6 Update 20
Out of date Java installed!
Adobe Flash Player 10.2.159.1
Adobe Reader 9.3.3
Out of date Adobe Reader installed!
Mozilla Firefox (3.6.18)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
``````````End of Log````````````

=============================================================================

MiniToolBox

=============================================================================

Malwarebytes' Anti-Malware


Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7366

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/3/2011 5:59:05 PM
mbam-log-2011-08-03 (17-59-05).txt

Scan type: Quick scan
Objects scanned: 242648
Time elapsed: 13 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

=============================================================================

GMER

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-03 20:28:43
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST350063 rev.3.AA
Running: 2hsnsff6.exe; Driver: C:\DOCUME~1\Gerry\LOCALS~1\Temp\fxtdqpob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwAdjustPrivilegesToken [0xADC5E36E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwClose [0xADC5EA86]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwConnectPort [0xADC5F60C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateEvent [0xADC5FB40]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateFile [0xADC5ED78]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateKey [0xADC5D460]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateMutant [0xADC5FA18]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateNamedPipeFile [0xADC5CD0A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreatePort [0xADC5F8D4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSection [0xADC5E102]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSemaphore [0xADC5FC72]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xADC6140E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateThread [0xADC5E886]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateWaitablePort [0xADC5F976]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteKey [0xADC5DA20]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteValueKey [0xADC5DCF8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeviceIoControlFile [0xADC5F21C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDuplicateObject [0xADC61980]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateKey [0xADC5DE3A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateValueKey [0xADC5DEE4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwFsControlFile [0xADC5F016]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadDriver [0xADC60EA6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey [0xADC5D43C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey2 [0xADC5D44E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwNotifyChangeKey [0xADC5E030]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenEvent [0xADC5FBE2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenFile [0xADC5EB08]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenKey [0xADC5D604]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenMutant [0xADC5FAB0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenProcess [0xADC5E56E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSection [0xADC61438]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSemaphore [0xADC5FD14]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenThread [0xADC5E492]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryKey [0xADC5DF8E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryMultipleValueKey [0xADC5DBB6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryValueKey [0xADC5D8BC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueueApcThread [0xADC61128]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRenameKey [0xADC5DB34]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplaceKey [0xADC5D0C2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyPort [0xADC6009E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyWaitReceivePort [0xADC5FF64]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRequestWaitReplyPort [0xADC60C30]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRestoreKey [0xADC5D224]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwResumeThread [0xADC61860]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSaveKey [0xADC5CEC4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSecureConnectPort [0xADC5F312]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetContextThread [0xADC5E984]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetInformationToken [0xADC605F2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSecurityObject [0xADC60FA0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSystemInformation [0xADC614C2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetValueKey [0xADC5D744]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendProcess [0xADC615A6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendThread [0xADC616D2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSystemDebugControl [0xADC60DD2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateProcess [0xADC5E6EA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateThread [0xADC5E63C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwWriteVirtualMemory [0xADC5E7C8]

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.15 ----

.text TUKERNEL.EXE!ZwYieldExecution + DA 804E4934 4 Bytes JMP 9FE1ADC5
.text TUKERNEL.EXE!ZwYieldExecution + 13E 804E4998 16 Bytes [02, E1, C5, AD, 72, FC, C5, ...]
.text TUKERNEL.EXE!ZwYieldExecution + 1FA 804E4A54 12 Bytes [A6, 0E, C6, AD, 3C, D4, C5, ...]
.text TUKERNEL.EXE!ZwYieldExecution + 376 804E4BD0 16 Bytes [34, DB, C5, AD, C2, D0, C5, ...]
.text TUKERNEL.EXE!ZwYieldExecution + 3CA 804E4C24 4 Bytes JMP C38EF9EE
.text ...
.text TUKERNEL.EXE!IoIsOperationSynchronous 804EAFCE 5 Bytes JMP ADC537DE \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)
.text TUKERNEL.EXE!FsRtlCheckLockForReadAccess 804F45B3 5 Bytes JMP ADC53424 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)
init C:\WINDOWS\system32\DRIVERS\mohfilt.sys entry point in "init" section [0xF7722760]

---- User code sections - GMER 1.0.15 ----

? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[800] C:\WINDOWS\system32\ntdll.dll time/date stamp mismatch;
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[800] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[800] USER32.dll!AlignRects 7E412A78 4 Bytes [70, 11, 32, 6D]
.text C:\WINDOWS\system32\SearchIndexer.exe[988] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[1396] C:\WINDOWS\system32\ntdll.dll time/date stamp mismatch;
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[1396] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[1396] USER32.dll!AlignRects 7E412A78 4 Bytes [70, 11, 32, 6D]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] [BA302DA0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] [BA302DA0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
---- Processes - GMER 1.0.15 ----

Library C:\Documents (*** hidden *** ) @ C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe [800] 0x106E0000
Library C:\Documents (*** hidden *** ) @ C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe [800] 0x00A60000
Library C:\Documents (*** hidden *** ) @ C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe [800] 0x021E0000
Library C:\Documents (*** hidden *** ) @ C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe [800] 0x0FA80000

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Gerry\Application Data\systemfl.$dk 990 bytes
File C:\WINDOWS\system32\WinFLdrv.sys 17984 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\sys_drv.dat 6024 bytes
File C:\WINDOWS\system32\sys_drv_2.dat 5020 bytes

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\WinFLdrv.sys [AUTO] WinFLdrv <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

Edited by zubadoo, 03 August 2011 - 08:59 PM.
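Reading a GMER log by hand is tedious; the useful triage is to group the SSDT hooks by the driver that owns them (in the log above every hook belongs to klif.sys, Kaspersky's filter driver, which is expected on a machine running Kaspersky Internet Security 2010) and to pull out the entries GMER marked "ROOTKIT" so they can be checked individually. The following is an added example, not part of the thread and not GMER's own code; the input is a constructed subset of the log posted above, and the allowlist of vendors whose hooks are expected is an assumption of this example.

```python
"""Added example: triage a GMER rootkit-scan log.

Groups SSDT hooks by the owning kernel module, flags modules from vendors that
are not expected to hook the kernel on this host, and lists every file and
service GMER tagged with "<-- ROOTKIT !!!".  SAMPLE_GMER_LOG is a constructed
subset of the log in the thread."""
import re
from collections import defaultdict

SAMPLE_GMER_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateFile [0xADC5ED78]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadDriver [0xADC60EA6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenProcess [0xADC5E56E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateProcess [0xADC5E6EA]

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Gerry\Application Data\systemfl.$dk 990 bytes
File C:\WINDOWS\system32\WinFLdrv.sys 17984 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\sys_drv.dat 6024 bytes

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\WinFLdrv.sys [AUTO] WinFLdrv <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
"""

# GMER prints "SSDT <module> (<description>/<vendor>) <syscall> [0x<address>]".
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<func>\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]")
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+(?P<size>\d+)\s+bytes(?P<rest>.*)$")
SERVICE_RE = re.compile(r"^Service\s+(?P<path>\S+)\s+\[(?P<start>\w+)\]\s+(?P<name>\S+)(?P<rest>.*)$")

# Vendors whose kernel hooks are expected on this host (assumed allowlist for
# the example; set it to whatever security product the machine actually runs).
KNOWN_HOOK_VENDORS = {"Kaspersky Lab"}


def triage_gmer_log(text):
    hooks = defaultdict(lambda: {"vendor": None, "functions": []})
    flagged_files, flagged_services, other_files = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            # The vendor is the part after the last "/" inside the parentheses.
            vendor = m.group("desc").rsplit("/", 1)[-1].strip()
            entry = hooks[m.group("module")]
            entry["vendor"] = vendor
            entry["functions"].append(m.group("func"))
            continue
        m = FILE_RE.match(line)
        if m:
            rec = {"path": m.group("path"), "size": int(m.group("size"))}
            (flagged_files if "ROOTKIT" in m.group("rest") else other_files).append(rec)
            continue
        m = SERVICE_RE.match(line)
        if m and "ROOTKIT" in m.group("rest"):
            flagged_services.append({"name": m.group("name"), "path": m.group("path"), "start": m.group("start")})
    unexpected = sorted(mod for mod, e in hooks.items() if e["vendor"] not in KNOWN_HOOK_VENDORS)
    return {
        "hooks": dict(hooks),
        "unexpected_hookers": unexpected,
        "flagged_files": flagged_files,
        "flagged_services": flagged_services,
        "other_files": other_files,
    }


if __name__ == "__main__":
    result = triage_gmer_log(SAMPLE_GMER_LOG)
    for module, entry in result["hooks"].items():
        print(f"{module}: {len(entry['functions'])} SSDT hooks ({entry['vendor']})")
    print("modules hooking the kernel that are not on the allowlist:", result["unexpected_hookers"])
    for f in result["flagged_files"]:
        print("flagged file:", f["path"], f["size"], "bytes")
    for s in result["flagged_services"]:
        print("flagged service:", s["name"], "->", s["path"], f"[{s['start']}]")
```

The point of the grouping is that dozens of SSDT lines from one known AV driver are noise, while a single hook from a module with no vendor string, or a flagged file whose service starts automatically, is the thing to hash and upload next.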


#4 Broni (BC Advisor)

Posted 03 August 2011 - 07:58 PM

Are you using FolderLock program?

Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.
NOTE. Make sure to reverse the above changes, when done with this step.
Upload following files to http://www.virustotal.com/ for security check:
- C:\WINDOWS\system32\WinFLdrv.sys
IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.


#5 zubadoo (Topic Starter)

Posted 03 August 2011 - 08:28 PM

Yes, I used Folder Lock previously and have it installed, but I am not using it anymore. I followed your instructions, but that file is not there. The closest file is WinFLsrv.exe.

#6 zubadoo (Topic Starter)

Posted 03 August 2011 - 08:33 PM

I also searched my C drive for a file by that name after making the hidden files viewable. Nothing came up as a result of the search.

#7 Broni (BC Advisor)

Posted 03 August 2011 - 08:36 PM

My bad...
Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders, UN-check Hide protected operating system files.

Press F5 to refresh Windows Explorer and you should see the file now.


#8 zubadoo (Topic Starter)

Posted 03 August 2011 - 08:50 PM

I did that, but I still do not see that file, and a search of all files (incl. hidden & system files) does not find anything.

#9 Broni (BC Advisor)

Posted 03 August 2011 - 08:54 PM

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista\Win 7 users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:
    :filefind
    WinFLdrv.sys
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


#10 zubadoo (Topic Starter)

Posted 03 August 2011 - 08:57 PM

SystemLook 30.07.11 by jpshortstuff
Log created at 21:55 on 03/08/2011 by Gerry
Administrator - Elevation successful

========== filefind ==========

Searching for "WinFLdrv.sys"
C:\WINDOWS\system32\WinFLdrv.sys --a---- 17984 bytes [01:56 25/06/2010] [01:56 25/06/2010] 7ACC77E135A709AE0F7E1DF428A2F908

-= EOF =-

#11 Broni (BC Advisor)

Posted 03 August 2011 - 09:01 PM

It's definitely there. Not even hidden or a system file.

In Windows Explorer go Tools>Folder options>View tab and UN-check "Hide extensions for known file types".

Restart Windows Explorer and take another look.


#12 zubadoo (Topic Starter)

Posted 03 August 2011 - 09:30 PM

I followed your instructions but am getting the same result. Not sure what I am doing wrong, but the WinFLdrv.sys file is not there.

[posted image]

#13 Broni (BC Advisor)

Posted 03 August 2011 - 09:39 PM

Strange....

Go Start>Run type in:
cmd
Click OK.

At command prompt paste the following:
copy C:\WINDOWS\system32\WinFLdrv.sys c:\WinFLdrv.sys (<---watch for "spaces")
Press Enter.

You should see "1 file(s) copied" message.

Check if the file is present in root C:\ directory.


#14 zubadoo (Topic Starter)

Posted 03 August 2011 - 10:14 PM

That worked.
Scanned it:

Antivirus Version Last Update Result
AhnLab-V3 2011.08.03.04 2011.08.03 -
AntiVir 7.11.12.210 2011.08.03 -
Antiy-AVL 2.0.3.7 2011.08.03 -
Avast 4.8.1351.0 2011.08.03 -
Avast5 5.0.677.0 2011.08.03 -
AVG 10.0.0.1190 2011.08.04 -
BitDefender 7.2 2011.08.04 -
CAT-QuickHeal 11.00 2011.08.03 -
ClamAV 0.97.0.0 2011.08.04 -
Commtouch 5.3.2.6 2011.08.03 -
Comodo 9620 2011.08.04 -
DrWeb 5.0.2.03300 2011.08.04 -
Emsisoft 5.1.0.8 2011.08.04 -
eSafe 7.0.17.0 2011.08.03 -
eTrust-Vet 36.1.8482 2011.08.03 -
F-Prot 4.6.2.117 2011.08.03 -
F-Secure 9.0.16440.0 2011.08.04 -
Fortinet 4.2.257.0 2011.08.04 -
GData 22 2011.08.04 -
Ikarus T3.1.1.104.0 2011.08.04 -
Jiangmin 13.0.900 2011.08.03 -
K7AntiVirus 9.109.4973 2011.08.02 -
Kaspersky 9.0.0.837 2011.08.04 -
McAfee 5.400.0.1158 2011.08.04 -
McAfee-GW-Edition 2010.1D 2011.08.04 -
Microsoft 1.7104 2011.08.03 -
NOD32 6348 2011.08.04 -
Norman 6.07.10 2011.08.03 -
nProtect 2011-08-03.04 2011.08.03 -
Panda 10.0.3.5 2011.08.03 -
PCTools 8.0.0.5 2011.08.03 -
Prevx 3.0 2011.08.04 -
Rising 23.69.02.03 2011.08.03 -
Sophos 4.67.0 2011.08.04 -
SUPERAntiSpyware 4.40.0.1006 2011.08.04 -
Symantec 20111.2.0.82 2011.08.04 -
TheHacker 6.7.0.1.269 2011.08.03 -
TrendMicro 9.200.0.1012 2011.08.03 -
TrendMicro-HouseCall 9.200.0.1012 2011.08.04 -
VBA32 3.12.16.4 2011.08.03 -
VIPRE 10058 2011.08.04 -
ViRobot 2011.8.4.4604 2011.08.04 -
VirusBuster 14.0.151.1 2011.08.03 -
Additional information
Show all
MD5 : 7acc77e135a709ae0f7e1df428a2f908
SHA1 : 2a7713d661d840d6c9cd8ccf1c4206570c3eb606
SHA256: d27284964b3f2ac9e8c8c8252cc3f9143bdd600c91b5a6c3bcd788fcb7da0d1c
ssdeep: 384:jIYzlSG7nTjYqI/Nb2unpdom/UJNE5FIdY:jJI/NSuHMS
File size : 17984 bytes
First seen: 2009-11-24 11:41:01
Last seen : 2011-08-04 03:07:28
TrID:
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x61D6
timedatestamp....: 0x4B03B4D3 (Wed Nov 18 08:48:19 2009)
machinetype......: 0x14c (I386)

[[ 6 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x1270, 0x1400, 5.98, 78e7c5b54125f44432ea123e5045b553
.rdata, 0x3000, 0x1F4, 0x200, 3.79, 9759d311ce9b863b05aa612759615882
.data, 0x4000, 0xD8, 0x200, 0.24, 312651a6f76490d97aff95c683a68247
PAGE, 0x5000, 0x33A, 0x400, 5.28, 0d710e376b95f9702342a131f723ef66
INIT, 0x6000, 0x78A, 0x800, 5.29, 61acd716ab0b71a0836baf1b0ee14b9c
.reloc, 0x7000, 0x218, 0x400, 3.48, 23c5fe8351f1bb963814767d50ced84e

[[ 3 import(s) ]]
ntoskrnl.exe: RtlUnwind, KeBugCheckEx, KeTickCount, ZwCreateFile, ZwQueryInformationFile, ZwReadFile, ZwClose, RtlAppendUnicodeToString, ExAllocatePoolWithTag, _vsnwprintf, RtlCompareUnicodeString, memcpy, RtlAppendUnicodeStringToString, ProbeForRead, RtlInitUnicodeString, PsGetVersion, ExAllocatePool, ExFreePoolWithTag, DbgPrint
HAL.dll: KeGetCurrentIrql
FLTMGR.SYS: FltGetFileNameInformation, FltParseFileNameInformation, FltGetVolumeFromFileObject, FltGetVolumeGuidName, FltReleaseFileNameInformation, FltRegisterFilter, FltBuildDefaultSecurityDescriptor, FltCreateCommunicationPort, FltFreeSecurityDescriptor, FltStartFiltering, FltEnumerateVolumes, FltEnumerateVolumeInformation, FltGetVolumeFromName, FltAttachVolume, FltObjectDereference, FltCloseClientPort, FltCloseCommunicationPort, FltUnregisterFilter

#15 Broni (BC Advisor)

Posted 03 August 2011 - 10:27 PM

Very well.
You can delete that file from C:\ directory.

Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.

=============================================================================

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
