Windows XP loading strange file (oflpydin.sys) on Startup


This topic is locked
5 replies to this topic

#1 gurgy

  • Members
  • 3 posts

Posted 26 February 2013 - 10:08 AM

Hello and greetings.

I need a little help. I am really not sure if I am infected or not; I just see an unusual entry on my system.

I downloaded "Autorun" from Sysinternals, and found that my Windows XP is loading a file called oflpydin.sys on startup. Here are some observations:

It is located in C:\Documents and Settings\DavidW\Local Settings\Temp

I don't believe it has been there for very long; I often check this folder after running CCleaner. Trend Micro HouseCall keeps directories for its files in this area, and CCleaner normally would not take them out. The last time I ran CCleaner, they went bye-bye, along with some other temp directories that had been stored there for weeks; that is when I first noticed the oflpydin.sys file. Luckily, I had backups of those HouseCall folders.

Browsing through various virus removal forums on the net, I see I am not the only one who has had this entry in the exact same place on the computer.

The file's "date modified" changes. When I first noticed it 2 days ago, it was 2/22/2004. Yesterday it was 3/4/2004. Today (2/26/2013) it is 11/11/2004. My computer's system date and time are correct.

I am not able to copy or delete it (it is in use). I did boot in safe mode and made a copy which I submitted to www.virustotal.com and virusscan.jotti.org for scanning; they found nothing. The copy I made still has the 2/22/2004 date.

Though I was tempted, I did not try to delete it with Malwarebytes FileASSASSIN.

I have found in various registry locations entries/folders labeled LEGACY_OFLPYDIN.

Full system scans with eTrust Antivirus, Trend Micro HouseCall and Malwarebytes found nothing.

I don't see any obvious problems in the operation of my computer; no popups, no programs failing to run, no browser redirects, etc.

The only thing I had noticed (once) was that after using Internet Explorer with multiple open windows, after I exited I saw one copy of it was still running in Task Manager at 50% CPU usage. I saw no internet activity lights in the taskbar (I am on a dial-up modem), and I was able to kill the process with no problem. I have seen this happen on the computers where I work, so maybe this is unrelated.

For many months I have had problems with Internet Explorer not loading certain web sites (e.g. www.dvdtalk.com), yet my old Netscape 4.79 browser will load them just fine. I can get to them if I go through www.proxify.com. I don't think this is related to my current oflpydin.sys problem.

I tried some scans with some of the various tools you use. I took no "fix it" actions. These are just short summaries:

TDSSkiller:
20:14:34.0984 3076 [ 03BFF1DE5B708E92A1926BA4A33595D0 ] oflpydin C:\DOCUME~1\DavidW\LOCALS~1\Temp\oflpydin.sys
20:14:34.0984 3076 Suspicious file (NoAccess): C:\DOCUME~1\DavidW\LOCALS~1\Temp\oflpydin.sys. md5: 03BFF1DE5B708E92A1926BA4A33595D0
20:14:34.0984 3076 oflpydin ( LockedFile.Multi.Generic ) - warning
20:14:34.0984 3076 oflpydin - detected LockedFile.Multi.Generic (1)

aswMBR (no virus definitions downloaded):
20:17:31.421 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
20:17:31.421 Disk 0 Vendor: SAMSUNG_SP0802N TK100-30 Size: 76351MB BusType: 3
20:17:31.453 Disk 0 MBR read successfully
20:17:31.453 Disk 0 MBR scan
20:17:31.453 Disk 0 unknown MBR code
20:17:31.453 Disk 0 Partition 1 80 (A) 0C FAT32 LBA MSWIN4.1 65868 MB offset 63
20:17:31.453 Disk 0 Partition - 00 0F Extended LBA 10479 MB offset 134897805
20:17:31.468 Disk 0 Partition 2 00 0B FAT32 MSWIN4.1 10479 MB offset

20:17:35.781 Service scanning
20:17:52.687 Service oflpydin C:\DOCUME~1\DavidW\LOCALS~1\Temp\oflpydin.sys **LOCKED** 32
The above line was in yellow.

Another scan included this (in yellow):
22:50:10.953 \Driver\atapi[0x8abb5268] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> sfsync02.sys[0xf7717d60]
But this time around it did not list the locked "oflpydin.sys" file shown above.

Gmer (results of scan on program load only):
---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- Devices - GMER 2.1 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 oflpydin.sys
Device \Driver\atapi \Device\Ide\IdePort0 oflpydin.sys
Device \Driver\atapi \Device\Ide\IdePort1 oflpydin.sys
Device \Driver\atapi \Device\Ide\IdePort2 oflpydin.sys
Device \Driver\atapi \Device\Ide\IdePort3 oflpydin.sys
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-1b oflpydin.sys
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-13 oflpydin.sys

AttachedDevice \FileSystem\Ntfs \Ntfs ino_flpy.sys (CA eTrust Antivirus/InoculateIT File System Mounting Filter Driver for Windows 2000/XP/.Net/Computer Associates)
AttachedDevice \FileSystem\Fastfat \Fat ino_flpy.sys (CA eTrust Antivirus/InoculateIT File System Mounting Filter Driver for Windows 2000/XP/.Net/Computer Associates)
AttachedDevice \FileSystem\Fastfat \Fat ino_fltr.sys (CA eTrust Antivirus/InoculateIT File System Filter Driver for Windows 2000/XP/2003/Computer Associates)
AttachedDevice \FileSystem\Fastfat \Fat oflpydin.sys

Avenger:
Rootkit scan active.
No rootkits found!

Trend Micro RootkitBuster:
found nothing

Stealth MBR rootkit:
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

catchme.exe (gmer.net)
only found backup registry entries made by ccleaner


Roguekiller:
IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : atapi.sys -> HOOKED ([MAJOR] sfsync02.sys @ 0xF7717D60)

+++++ PhysicalDrive0: SAMSUNG SP0802N +++++
--- User ---
[MBR] 2e3fba4c5f7229ad88d696286575ece3
[BSP] 53a70ded3e02e76f52adcefe6df37044 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 65868 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 134897805 | Size: 10479 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Adwcleaner:
other than internet explorer, nothing found

This is as far as I have gone. Hopefully it will give you a head start on things.

Thank you very much in advance for any help you can give me. I have been on the internet since the mid 90's, and this is my first (possible) "nasty" I have come across. I guess I have been lucky.

Note: I am unable to "press" the "Attach Files" button (it appears as only text on my screen, not as a button) in order to send the "attach.txt" file. I'll leave the filename in the browse window just in case the "Attach files" button is only text and not a button, and choosing "Post New Topic" sends it anyway.


David

------------------------------------------------

DDS (Ver_2012-11-20.01) - FAT32_x86
Internet Explorer: 6.0.2900.2180
Run by DavidW at 20:44:44 on 2013-02-25
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2715 [GMT -5:00]
.
.
============== Running Processes ================
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Ralink\Common\RaRegistry.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://home.dmv.com/~gurgy/search5.htm
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
mWinlogon: SFCDisable = dword:-99
BHO: AcroIEHlprObj Class: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
mRun: [Realtime Monitor] c:\progra~1\ca\etrust~1\realmon.exe -s
mRun: [CTSysVol] c:\program files\creative\sb live! 24-bit\surround mixer\CTSysVol.exe /r
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [USB2Check] RUNDLL32.EXE "c:\windows\system32\PCLECoInst.dll",CheckUSBController
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1347542145984
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
Notify: AtiExtEvent -
SEH: Internet Shortcut - {FBF23B40-E3F0-101B-8488-00AA003E56F8} -
.
============= SERVICES / DRIVERS ===============
.
R2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\ralink\common\RaRegistry.exe [2012-9-8 374112]
R2 Scutum50;Scutum50 NDIS Protocol Driver;c:\windows\system32\drivers\Scutum50.sys [2012-9-8 19072]
R3 qic157;qic157;c:\windows\system32\drivers\qic157.sys [2005-2-1 6016]
S3 oflpydin;oflpydin;c:\docume~1\davidw\locals~1\temp\oflpydin.sys [2004-11-11 31744]
S3 RaMediaServer;RaMediaServer;c:\program files\ralink\common\RaMediaServer.exe [2012-9-8 619872]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2012-9-8 1139040]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
.
=============== File Associations ===============
.
ShellExec: aim.exe: open=c:\comm\bdsnet\net479\program\aim\aim.exe
.
=============== Created Last 30 ================
.
2013-02-26 01:13:12 -------- d-----w- c:\program files\test
2013-02-25 19:28:15 190032 ------w- c:\windows\system32\drivers\tmcomm.sys
2013-02-25 15:24:49 -------- d-----w- c:\program files\autorun
2013-02-14 00:21:01 1409 ------w- c:\windows\QTFont.for
2013-02-04 14:25:28 -------- d-----w- c:\program files\Anvil Studio
2013-02-03 15:57:39 -------- d-----w- c:\program files\TCP-Optimizer
.
==================== Find3M ====================
.
2013-02-26 01:01:46 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2013-02-18 22:25:58 848 --sh--w- c:\windows\system32\KGyGaAvL.sys
2012-12-14 21:49:28 21104 ------w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 20:44:55.07 ===============
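A small triage script, added here as an example and not part of the original post or of any tool named in it, that parses DDS "SERVICES / DRIVERS" lines like the ones above and flags drivers whose image loads from a user-writable profile or temp directory or whose image file is missing, plus a helper that reports a "date modified" that shifts between observations (the pattern the poster describes). The sample lines and observation dates are constructed from the log and dates in this post.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# A DDS "SERVICES / DRIVERS" line: <R|S><start type> name;display;image path [file-date size]
# (or [?] when the image file is missing on disk), e.g.
#   S3 oflpydin;oflpydin;c:\docume~1\davidw\locals~1\temp\oflpydin.sys [2004-11-11 31744]
DDS_LINE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"(?:\s+\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]|\s+\[(?P<missing>\?)\])?\s*$"
)

# Directories a kernel driver normally has no business loading from (DDS prints 8.3 short names).
USER_WRITABLE = ("\\temp\\", "\\locals~1\\", "\\local settings\\", "\\appdata\\")

# Constructed sample, modelled on three lines of the DDS log in this post.
SAMPLE_DDS = r"""
S3 oflpydin;oflpydin;c:\docume~1\davidw\locals~1\temp\oflpydin.sys [2004-11-11 31744]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
R2 Scutum50;Scutum50 NDIS Protocol Driver;c:\windows\system32\drivers\Scutum50.sys [2012-9-8 19072]
"""

@dataclass
class DriverEntry:
    name: str
    path: str
    date: Optional[str]
    reasons: List[str] = field(default_factory=list)

def parse_dds_driver_line(line: str) -> Optional[DriverEntry]:
    """Parse one DDS driver line and attach triage reasons; None if it is not a driver entry."""
    m = DDS_LINE.match(line.strip())
    if not m:
        return None
    path = m.group("path").strip()
    if "-->" in path:  # "\??\c:\x.sys --> c:\x.sys" form: keep the resolved path
        path = path.split("-->", 1)[1].strip()
    entry = DriverEntry(m.group("name"), path, m.group("date"))
    if any(frag in path.lower() for frag in USER_WRITABLE):
        entry.reasons.append("image path is under a user-writable profile/temp directory")
    if m.group("missing"):
        entry.reasons.append("service registered but image file not found on disk")
    return entry

def triage_dds_drivers(log_text: str) -> List[DriverEntry]:
    """Return only the driver entries that earned at least one triage reason."""
    entries = (parse_dds_driver_line(ln) for ln in log_text.splitlines())
    return [e for e in entries if e and e.reasons]

def modified_time_drift(observations: List[Tuple[str, str]]) -> List[str]:
    """(observed_on, file_modified) pairs -> the modified dates that differ from the first one.
    A 'date modified' that moves between reboots, as reported above, deserves a closer look."""
    return [mod for _, mod in observations[1:] if mod != observations[0][1]]
```

A flagged entry is a lead for manual review, not a verdict: as this thread shows, a driver in a temp directory can turn out to be copy-protection software rather than malware.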

#2 gurgy

  • Topic Starter
  • Members
  • 3 posts

Posted 27 February 2013 - 09:07 PM

>> windows xp is loading a file called oflpydin.sys on startup

>> located in C:\Documents and Settings\DavidW\Local Settings\Temp

>> Browsing through various virus removal forums on the net, I see I am
>> not the only one who has had this entry in the exact same place on
>> the computer.

>> The file's "date modified" changes. When I first noticed it 2 days ago,
>> it was 2/22/2004. Yesterday it was 3/4/2004. Today (2/26/2013) it
>> is 11/11/2004. My computer system date and time is correct.

>> I am not able to copy or delete it (it is in use)

Hello,

I am quoting parts of (and replying to) my own message because I have an update on my problem, and to save the nice people here some time and hassle so they can devote it to people with real problems.

Maybe I do not have a problem, and my computer is okay.

--------

When I first discovered the "oflpydin.sys" file, I naturally went to Google to research it, and found information like this:

http://www.exterminate-it.com/malpedia/file/oflpydin.sys

http://virus-com.com/viruscom/viruscom_128613.html

http://greatis.com/appdata/d/o/oflpydin.sys.htm

http://www.incodesolutions.com/threats4/ProfileFolderlocal%20settingstempoflpydinsys.php

... which all contain bad news. Naturally, I was having kittens over this.

Today, I Googled some more, and dug a little deeper, reading posts that did not contain the word "oflpydin.sys" and just by accident or luck, ran across a post entitled:

"iatmunin.sys An Interesting Discovery-Please, read!"

located at:

http://forums.relicnews.com/printthread.php?t=40561&pp=50&page=1

Of interest are messages:

#4 - Mentions a changing time stamp on their "iatmunin.sys" file (just like my "oflpydin.sys" file). It also mentions files in the user temp folder named SIntf16.dll, SIntf32.dll and SIntfNT.dll, which I also had (but was able to delete with no problem).

#8 - Earlier today, I loaded a copy of "oflpydin.sys" into Notepad, just to take a peek at it. While I knew that it would look like gibberish, some parts of it were quite readable. The poster in message #8 had done the same thing to his "iatmunin.sys" file and posted the results. It looked identical to my file in Notepad.

#21 - And finally, this poster says he found a file in his user temp folder too, except his was called ... yep, you guessed it: "oflpydin.sys".

Other posters mention weirdly named .sys files in their user temp directories, but they all are basically the same file with different names.

These posters feel that this file (and its named variants) is part of a CD copy protection program from an outfit called SecuROM. The initial poster mentioned that the creation of this file was associated with the running of a game called "Dawn of War".

I recently had (re)installed a game called "Men or Honor". I could not find any mention of SecuROM in the game's docs, but still ... coincidence?

---------

Though I do think that initially I did all the research I could (and based on what I found, posted the problem here), I do apologize for all this, and hope I did not waste anyone's time and resources. Hopefully it may be of use to people who find this same type of situation on their computer. I certainly learned a few things from all this.

Presently I am of the opinion that my computer is okay. Differing opinions from the experts would certainly be welcome. The same opinion would be even more welcome :)

One final note. I read these forums a lot (even before becoming a member) and I am awed by the expertise presented, and am amazed that it is all volunteer work. I try to imagine what it would cost if one took their computer to a repair shop for these types of problems.

In other words ... where is the Donate link?

Thank you for your time,

David

#3 m0le

  • Malware Response Team
  • 34,527 posts
  • Gender: Male
  • Location: London, UK

Posted 28 February 2013 - 08:17 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#4 gurgy

  • Topic Starter
  • Members
  • 3 posts

Posted 01 March 2013 - 11:44 AM

>> Please reply to this post so I know you are there.
>> Once I receive a reply then I will return with your first instructions

Still here.

Thank you,
David

#5 m0le

  • Malware Response Team
  • 34,527 posts
  • Gender: Male
  • Location: London, UK

Posted 01 March 2013 - 09:08 PM

Thanks for the write-up and links. Sometimes you have to ignore certain information on sites that say it is undesirable. Often the analysis produces results based on the fact that the file is unknown, or that it displays some of the properties that malware uses.

In this case the forum points to SecuROM, which is connected to DRM. This is the origin of rootkits: they were originally used non-maliciously, though unfairly stealthily (see the Sony BMG scandal), but they do display malicious properties.

Difficult to remove, but that's the idea. However, totally harmless.



#6 m0le

  • Malware Response Team
  • 34,527 posts
  • Gender: Male
  • Location: London, UK

Posted 07 March 2013 - 08:37 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.