
RootKit.ZeroAccess vs. other malware


  • This topic is locked
31 replies to this topic

#1 tweaked17

  • Members
  • 17 posts

Posted 21 September 2011 - 07:47 PM

Good evening,

I recently noticed some odd activity on a shared laptop and after a restart the issues seemed to have worsened/multiplied - my AV software (ESET NOD32) hangs at startup and is followed by an error about communication with the kernel, along with Malwarebytes & Spybot S&D being restricted. I have also experienced various connectivity issues, but when I do manage to connect I am redirected when utilizing search engines.

I was encouraged to run ComboFix, and unfortunately/fortunately ran that before recalling this forum (thus, files have been deleted/altered, and a log exists should you need it). To be clear, I followed the suggested steps for a new post after running ComboFix once (the problem does not appear to be resolved).

Please let me know if I can provide any further information or logs. Any advice/assistance is greatly appreciated!

DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_24
Run by at 19:40:47 on 2011-09-21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3539.2894 [GMT -4:00]
.
AV: ESET NOD32 Antivirus 4.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
============== Running Processes ===============
.
C:\Program Files\Fingerprint Sensor\AtService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r205445\stacsv.exe
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe
C:\Program Files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe
C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtTray.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
.
============== Pseudo HJT Report ===============
.
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyServer = gate.temple.edu:8080
uInternet Settings,ProxyOverride = *.local
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [ChangeTPMAuth] c:\program files\wave systems corp\common\ChangeTPMAuth.exe /T:NTRU12
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1239482807451
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{B09AA0DF-A2A4-4040-A2CA-4B4122242653} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{CD9EF5DF-4262-4C5A-9F9A-64C48556802B} : DhcpNameServer = 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath -
.
============= SERVICES / DRIVERS ===============
.
R2 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2008-6-27 1664248]
R2 BrcmMgmtAgent;Broadcom Management Agent;c:\program files\broadcom\mgmtagent\BrcmMgmtAgent.exe [2008-7-1 110592]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2008-9-4 406808]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2008-11-11 451872]
R2 SMManager;Smith Micro Connection Manager Service;c:\program files\dell\dell controlpoint\connection manager\SMManager.exe [2008-10-1 90112]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-3-18 112128]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2009-3-18 476672]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-3-18 110080]
.
=============== Created Last 30 ================
.
2011-09-21 23:03:16 -------- d-sha-r- C:\cmdcons
2011-09-21 23:03:16 -------- d-sha-r- \cmdcons
2011-09-21 23:01:35 98816 ----a-w- c:\windows\sed.exe
2011-09-21 23:01:35 518144 ----a-w- c:\windows\SWREG.exe
2011-09-21 23:01:35 256000 ----a-w- c:\windows\PEV.exe
2011-09-21 23:01:35 208896 ----a-w- c:\windows\MBR.exe
2011-09-21 23:01:07 -------- d-----w- \Qoobox
2011-09-21 22:55:41 162304 ----a-w- c:\windows\system32\wuaucpl.cpl
2011-09-19 02:34:50 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-09-19 02:34:30 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-09-03 10:17:37 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
.
==================== Find3M ====================
.
2011-09-19 03:00:33 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32(2).dll
2011-09-03 10:17:37 599040 ----a-w- c:\windows\system32\crypt32(3).dll
2011-07-18 18:29:38 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-07-18 18:29:38 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
============= FINISH: 19:41:08.92 ===============

Attached Files
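An added triage example, not a tool used in this thread: the Python below parses DDS file-listing lines like those in the "Created Last 30" and "Find3M" sections above and flags two patterns that appear in this thread's logs and scripts, numbered copies of a system DLL (crypt32(2).dll and crypt32(3).dll beside crypt32.dll) and $NtUninstall...$ directories (the kind CatByte's CFScript and rd command target later). The sample input is constructed; the $NtUninstallKB37092$ line is not in the posted DDS log.

```python
import re

# Constructed sample in DDS format (added example, not from the thread's log).
# The crypt32 and mrxsmb lines mirror the posted Find3M section; the
# $NtUninstallKB37092$ line is built from the directory named in CatByte's
# CFScript, which the posted DDS log does not list.
SAMPLE_DDS = r"""
==================== Find3M ====================
.
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32(2).dll
2011-09-03 10:17:37 599040 ----a-w- c:\windows\system32\crypt32(3).dll
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-09-21 23:03:16 -------- d-sha-r- c:\windows\$NtUninstallKB37092$
"""

# One DDS listing line: date, time, size (dashes for a directory), attrs, path
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+)$"
)
# name(N).ext, i.e. a numbered copy of another file in the same folder
NUMBERED_COPY_RE = re.compile(r"^(?P<base>.+)\((?P<n>\d+)\)(?P<ext>\.[^.]+)$")
# last path component is $NtUninstall...$ (paths are lower-cased before matching)
UNINSTALL_DIR_RE = re.compile(r"\\\$ntuninstall[^\\]*\$$")

def parse_dds_files(text):
    """Return one dict per file-listing line; headers and '.' separators are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entry = m.groupdict()
            entry["path"] = entry["path"].lower()  # NTFS paths are case-insensitive
            entries.append(entry)
    return entries

def find_numbered_copies(entries):
    """Flag name(N).ext files and record whether the un-numbered original sits in
    the same folder with the same size (the crypt32(2).dll pattern in the log)."""
    by_path = {e["path"]: e for e in entries}
    hits = []
    for e in entries:
        folder, _, name = e["path"].rpartition("\\")
        m = NUMBERED_COPY_RE.match(name)
        if not m:
            continue
        original = by_path.get(folder + "\\" + m["base"] + m["ext"])
        hits.append({
            "path": e["path"],
            "original_present": original is not None,
            "same_size": original is not None and original["size"] == e["size"],
        })
    return hits

def find_uninstall_dirs(entries):
    """List $NtUninstall...$ directory entries (attrs start with 'd') for review."""
    return sorted(e["path"] for e in entries
                  if e["attrs"].startswith("d") and UNINSTALL_DIR_RE.search(e["path"]))

def triage(text):
    """Run both checks over a DDS log and return the findings."""
    entries = parse_dds_files(text)
    return {"numbered_copies": find_numbered_copies(entries),
            "uninstall_dirs": find_uninstall_dirs(entries)}

if __name__ == "__main__":
    for check, hits in triage(SAMPLE_DDS).items():
        print(check, hits)
```

A numbered copy with the same size as the original is only a lead for a helper to look at, not a verdict; a file that Windows Update left behind can look the same, which is why the original and the copies were both in the posted log.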





#2 tweaked17

  • Topic Starter
  • Members
  • 17 posts

Posted 22 September 2011 - 05:47 PM

Update: I don't know if this helps or if this simply elucidates the mechanism by which this malware blocks programs, but I attempted to re-install Spybot S&D and the installation process is interrupted by an alert: "C:\...SpybotSD.exe The existing file is marked as read-only."

Thanks again to anyone who takes a shot at this.

#3 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 23 September 2011 - 06:37 PM

Hi

Please do the following:

  • Please download Junction.zip and save it to your desktop.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Now go to Start > Run to open a run box > Copy and paste the following command in the open run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

  • A command window will open and the system will be scanned.
  • Wait until a log file opens.
  • Copy and paste or attach the content of it in your next reply.


NEXT


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::

Rootkit::
c:\windows\$NtUninstallKB37092$

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#4 tweaked17

  • Topic Starter
  • Members
  • 17 posts

Posted 23 September 2011 - 07:49 PM

Hi CatByte, thanks for the response.

I was able to run Junction and execute the CFscript & update, but received an error that ESET NOD32 AV4 was still running. I attempted to locate any processes that would be associated with the program, but could not (and closed everything I thought I could get away with before finally allowing CF to run).

CF ran and I got a blue screen reporting Plug & Play detected an error possibly due to a corrupted/faulty driver. Upon a hard restart, I got another blue screen at the Windows user/pw screen. Hard restart --> last known good settings, and here I am. I'm worried about running CF again without further advice. I tried looking up system processes assoc. w/ NOD32 but couldn't find any that were running on my machine.

Any advice on where to go from here?

Attached Files



#5 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 23 September 2011 - 07:53 PM

Hi

Please do the following:

Please run the following:
  • Please download GrantPerms.zip and save it to your desktop.
  • Unzip the file and run GrantPerms.exe
  • Copy and paste the following in the edit box:


c:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
c:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
c:\WINDOWS\$NtUninstallKB37092$\3742543881


  • Now Click Unlock.
  • When it is done click "OK".
  • Now click List Permissions and post the result (Perms.txt) that pops up.
  • A copy of Perms.txt will be saved in the same directory the tool is run.


NEXT

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c rd /q/s "c:\WINDOWS\$NtUninstallKB37092$\3742543881"



NEXT


Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)



#6 tweaked17

  • Topic Starter
  • Members
  • 17 posts

Posted 23 September 2011 - 08:08 PM

Thanks - TDSSKiller didn't seem to find anything malicious, no reboot.

Attached Files



#7 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 23 September 2011 - 08:13 PM

OK

Looks good. Please delete the copy of ComboFix that you have on your desktop and download a fresh copy.

Make sure your security programs are disabled, and post the resulting log.



#8 tweaked17

  • Topic Starter
  • Members
  • 17 posts

Posted 23 September 2011 - 08:47 PM

ComboFix made it all the way through its initial scripts, and upon reboot I got an error once again at the Windows user/pw screen - "A specified authentication path is unknown." - this was followed by a blue screen/fatal error. Hard restart, same. Resorted to last known good config again, and made it to Windows - CF resumed, thankfully, and produced the following log.

Important to note that ESET NOD32 AV tried to start again and threw up the same error about not being able to communicate with the kernel.

Thoughts?

Attached Files



#9 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 23 September 2011 - 08:55 PM

Hi

Please do the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish



#10 tweaked17

  • Topic Starter
  • Members
  • 17 posts

Posted 23 September 2011 - 10:19 PM

MBAM turned up clean, but ESET's scan detected quite a few suspicious items.

Attached Files



#11 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 23 September 2011 - 10:24 PM

Hi

Please do the following:

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    *netbt*
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



#12 tweaked17

  • Topic Starter
  • Members
  • 17 posts

Posted 23 September 2011 - 10:29 PM

Done, turned up two entries.

Attached Files



#13 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 23 September 2011 - 11:00 PM

Hi

We need to expand the copy in the i386 folder, then replace it with ComboFix.

Please do the following:


Go to Start > Run. In the Run box, type in cmd and hit Enter.

This opens the command prompt window.

Now type in the following text exactly as seen.

expand -r C:\I386\NETBT.SY_ c:\

There are three spaces in there, so I have pointed out below where they are.

expand[SPACE]-r[SPACE]C:\I386\NETBT.SY_[SPACE]c:\

If done correctly, it will say "expanded to {xxxxxx} bytes, {xx}% increase"


NEXT


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

FCopy::
C:\netbt.sys | C:\WINDOWS\system32\drivers\netbt.sys

File::
C:\Documents and Settings\James\Application Data\Sun\Java\Deployment\cache\6.0\29\61a815d-4ca06387
C:\Documents and Settings\James\Application Data\Sun\Java\Deployment\cache\6.0\3\465c2a43-75066a71
C:\Documents and Settings\James\Application Data\Sun\Java\Deployment\cache\6.0\52\640f9e74-214bd527

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Edited by CatByte, 23 September 2011 - 11:06 PM.



#14 tweaked17

  • Topic Starter
  • Members
  • 17 posts

Posted 24 September 2011 - 06:59 AM

Good morning,

CF made it to about step 20 when another blue screen appeared - same error

Plug & Play detected an error most likely caused by a faulty driver

Technical information:
***STOP: 0x000000CA (0x00000004, 0x89944B48, 0x00000000, 0x00000000)


Followed by physical memory dump; hard restart & last known good. This time, CF did not resume when I returned to Windows and I received an error from Windows error reporter when I reached the desktop:

"BCCode : ca BCP1 : 00000004 BCP2 : 89944B48 BCP3 : 00000000
BCP4 : 00000000 OSVer : 5_1_2600 SP : 3_0 Product : 256_1"


and the files involved:
C:\DOCUME~1\James\LOCALS~1\Temp\WERe93d.dir00\Mini092411-01.dmp
C:\DOCUME~1\James\LOCALS~1\Temp\WERe93d.dir00\sysdata.xml

Should I just re-download CF and try to repeat the process with the last CFscript you provided?

#15 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 24 September 2011 - 07:09 AM

Can you confirm for me that this file expanded properly to your C:\ drive as C:\netbt.sys?


If it is there, then please upload it.

Submit a file to VirusTotal for analysis:
  • Use the browse button on that page to navigate to the location of the file to be scanned.
  • In the right-hand panel,
  • click on the file C:\netbt.sys
  • then click the open button.
  • The file will now be displayed in the submit box.
  • Scroll down a bit and click "send file", wait for the results
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Once scanned, copy and paste the link to the results page in your next reply.

Edited by CatByte, 24 September 2011 - 07:09 AM.





