Scan Results: Worried about number of "Hidden" files after Rootkit scan

Hello,
I ran a full system scan with Avast Pro and the scan found two threats…

C:\Windows.…\CFRMD.sys
C:\Windows\system32.…\npf.sys

Both were Threat:Rootkit:Hidden File and both produced the error - Error:The request is not supported(50) when I tried to move to chest.

I know these may be false positives, so I ran an aswMBR scan afterward and I’m a little concerned about the number of hidden files found.
Included is the aswMBR log

Oh I checked the “SUSPICIOUS” files with virus total and all were clean!

If you reboot and scan again… are they still there?

Thanks for your reply,

I’m doing a full scan now and will post afterward… I used the program “Everything” to search for these files on my system but they can’t be found and that’s why I’m thinking false positive.

Yes both files still show up on full scan…I stopped the scan short after viewing two found threats and both are the same as the first full scan.

OK, essexboy is notified and will check when he is online later today…

OK thanks Pondus … I’ll get some needed zzzzzzzzz’s and check back later!

Hmm, Avast is finding a lot of files being hidden when they should not be.

[*] Download RogueKiller and save it on your desktop.

NOTE: If using IE8 or better Smartscreen Filter will need to be disabled

[*] Quit all programs
[*] Start RogueKiller.exe.
[*] Wait until Prescan has finished…
[*] Click on Scan

https://dl.dropbox.com/u/73555776/RKScan.GIF

[*] Wait for the end of the scan.
[*] The report has been created on the desktop.
[*] Click on the Delete button.

https://dl.dropbox.com/u/73555776/RKDelete.GIF

[*] The report has been created on the desktop.

[*] Next click on the ShortcutsFix

https://dl.dropbox.com/u/73555776/RKFixShortcuts.GIF

[*] The report has been created on the desktop.

Please attach: All RKreport.txt text files located on your desktop.

THEN

Download OTL to your Desktop
Secondary link

[*] Double-click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.

https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif

[*] Select All Users
[*] Under the Custom Scan box paste this in:

netsvcs
BASESERVICES
%SYSTEMDRIVE%*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
winsock.*
/md5stop
CREATERESTOREPOINT

[*] Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*] When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*] Post both logs
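As an added illustration (not OTL's code or anything posted in the thread), this is what the /md5start … /md5stop block is asking for: hash the named system binaries and diff them against a trusted baseline, so a replaced winlogon.exe or a new file matching winsock.* stands out. The directory and file contents are constructed stand-ins; the hashes are not real Windows file hashes.

```python
import fnmatch
import hashlib
import os
import tempfile

# The same patterns the OTL custom scan above hashes between /md5start and /md5stop.
PATTERNS = ["services.*", "explorer.exe", "winlogon.exe", "userinit.exe",
            "svchost.exe", "winsock.*"]

def md5_of_file(path: str) -> str:
    """MD5 of a file, read in chunks so large binaries do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_matching(directory: str, patterns=PATTERNS) -> dict:
    """Return {lowercased filename: md5} for regular files matching any pattern
    (case-insensitive, as Windows filenames are)."""
    result = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and any(fnmatch.fnmatch(name.lower(), p) for p in patterns):
            result[name.lower()] = md5_of_file(path)
    return result

def compare_to_baseline(current: dict, baseline: dict) -> dict:
    """Classify differences between a fresh hash set and a trusted baseline."""
    return {
        "changed": sorted(n for n in current if n in baseline and current[n] != baseline[n]),
        "missing": sorted(n for n in baseline if n not in current),
        "new": sorted(n for n in current if n not in baseline),
    }

def demo() -> dict:
    """Constructed system32 stand-in: take a baseline, then replace one binary and
    add a look-alike; returns the comparison result."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("explorer.exe", "winlogon.exe", "Userinit.exe",
                     "svchost.exe", "services.exe", "notepad.exe"):
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"constructed stand-in for " + name.encode())
        baseline = hash_matching(d)
        with open(os.path.join(d, "winlogon.exe"), "wb") as f:
            f.write(b"replaced contents")  # simulated tampering of a monitored binary
        with open(os.path.join(d, "winsock.dll"), "wb") as f:
            f.write(b"new file matching winsock.*")
        return compare_to_baseline(hash_matching(d), baseline)
```

notepad.exe is hashed by none of the patterns and so never appears in the report, which is the point of keeping the watch list short.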

OK I’m attaching RogueKiller files now and will follow up with OTL.

For your information I got the flashing yield Root MBR icon during scanning.

RK is suspicious of the MBR ¤¤¤ Infection : Root.MBR ¤¤¤

OTL scan completed and there was only one log… no Extras.Txt.

I have comodo time machine installed so I’m not sure if this is causing “RK is suspicious of the MBR ¤¤¤ Infection : Root.MBR ¤¤¤” I’ve read in other forums it could.

Worth checking out though as AswMBR also said the MBR was hidden

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*] Double-click on TDSSKiller.exe to run the application.

https://dl.dropbox.com/u/73555776/tdss%20start.JPG

[*] Then click on Change parameters.

https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG

[*] Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

[*] Click the Start Scan button.

[*] If a suspicious object is detected, the default action will be Skip; click on Continue.

https://dl.dropbox.com/u/73555776/tdss%20threat.JPG

[*] If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*] Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

[*] Get the report by selecting Reports.

https://dl.dropbox.com/u/73555776/tdss%20report.JPG

[*] Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

Hello, I’ve been unable to copy and paste directly into the reply because I kept getting redirected after using keyboard shortcuts.
I’ve tried copying to Notepad but the file is too big, 26 MB.

The scan only found suspicious objects though as usual and all were to be skipped, sorry! :frowning:

No problem, is it a keyboard problem?

Is Avast still reporting the hidden files?

No, it’s not a keyboard problem. I’ve used the keyboard shortcuts for copy & paste, Ctrl+C and Ctrl+V, because of course I couldn’t use the usual mouse, but the site keeps getting redirected when I try to send the reply.

Where are you getting redirected to?

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*] Double-click on ComboFix.exe & follow the prompts.
[*] Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*] When finished, it shall produce a log for you.
[*] Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.

Oh, lol!! No, I’m not being redirected anywhere; I’m just getting the usual pop-up window that says I’ve been redirected… you know, “would you like to resend”, “the site may be too busy”, blah blah blah. Sorry, I haven’t slept yet so my concentration is a little off. Anyway, I did do a full scan and the same two threats were found… I stopped the scan short after they were found. I’m proceeding with the ComboFix scan now and will get back soon.

Thanks!

Phew, I wonder, does the Comodo programme hide system files?

I’m not sure, but I got the MBR suspicious thing after scanning with Emsisoft Emergency Scanner, and did some research, and there were a few people with the same results. The outcome was that programs like Comodo Time Machine do trigger MBR suspicions during some scans. I would have to read the forums all over to explain fully, but I did read a few of them. OK, on with the ComboFix and I’ll return the info when finished.

Hi, Comodo Time Machine does modify the MBR in order to use the recovery console. Be careful or you may not be able to boot to your snapshots.
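Added example, not code from the thread or from any of the tools it names: it shows why a product that rewrites the MBR bootstrap code, as RNfromTN says Comodo Time Machine does, looks the same to a simple scanner as a bootkit. The check compares the first 440 bytes (the bootstrap) against a known-good hash and sanity-checks the partition table; the sample MBRs and baseline hash are constructed here, not taken from a real disk.

```python
import hashlib
import struct

BOOT_SIGNATURE = b"\x55\xAA"  # last two bytes of every valid MBR

def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Constructed 512-byte MBR: the given bootstrap code plus one active
    partition (type 0x07, LBA start 2048, 4194304 sectors)."""
    mbr = bytearray(512)
    mbr[:len(bootstrap)] = bootstrap
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 4194304)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)

def parse_partitions(mbr: bytes) -> list:
    """Decode the four 16-byte partition entries that start at offset 446."""
    if len(mbr) != 512 or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a valid MBR: bad length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype != 0:  # type 0 marks an unused entry
            parts.append({"index": i, "active": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    return parts

def bootstrap_sha256(mbr: bytes) -> str:
    """Hash of bytes 0..439; 440..445 hold the disk signature and padding."""
    return hashlib.sha256(mbr[:440]).hexdigest()

def assess_mbr(mbr: bytes, known_good: set) -> list:
    """Return findings a scanner would flag; an empty list means nothing suspicious."""
    findings = []
    parts = parse_partitions(mbr)
    if bootstrap_sha256(mbr) not in known_good:
        findings.append("bootstrap code does not match any known-good baseline")
    if sum(p["active"] for p in parts) != 1:
        findings.append("expected exactly one active partition")
    for p in parts:
        if p["lba_start"] == 0:  # a partition starting at sector 0 would overlap the MBR
            findings.append("partition %d starts inside the MBR sector" % p["index"])
    return findings

def demo() -> tuple:
    """Constructed stock loader vs. the same disk after a product rewrote the
    bootstrap but left the partition table untouched."""
    stock = build_sample_mbr(b"\xEB\x63\x90" + b"\x90" * 100)      # stand-in stock loader
    known_good = {bootstrap_sha256(stock)}
    rewritten = build_sample_mbr(b"\xEB\x63\x90" + b"\x41" * 100)  # hooked loader, same table
    return assess_mbr(stock, known_good), assess_mbr(rewritten, known_good)
```

The rewritten disk parses cleanly and boots its one active partition; only the bootstrap hash differs, which is exactly the "suspicious MBR" verdict seen in the thread, and why the finding needs to be confirmed against what is installed before it is treated as an infection.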

Ahhh yes, that was it… thanks for the info, RNfromTN. I’ll most likely be deleting the snapshots anyway once I’m all finished here and making new ones. I only keep two or three anyway to save disc space… the program could very well be the cause of the findings, but it’s saved my butt a few times so I’ll keep it. Alright, I’m including the ComboFix log… all went well and the only changes were users-pc and the computer icon being put on the desktop, so here you go!