nrhy

cp1041...weird problem


ahhh, thanks for the quick reply

forwarding addy... = email? :D

FWIW, you have one of the more severe infections. I suspect either your winlogon.exe is patched or you have rootkit main.sys loaded, but don't panic, we're going to kick their malware butts shortly.

yea! :D

thanks for the clear explanation :!:


Tried with winzip and winrar, neither works :?

can I upload it the way it is? or will the server reject it?

yes, I received the update :) thanks

Tried with winzip and winrar, neither works.

yes, I received the update :) thanks

:? I must admit I do not use 3rd-party tools for compression/decompression of Zip formats. In-house on the OS is the *send to* option on right click when the file is highlighted; select the *compressed (zipped) folder* option.

Has that been disabled, or is your ndis file 0 bytes in size?


:idea: OK, try this approach towards harvesting the file.

Use IceSword file copy and save the file as ndis.old when you copy it.

If not, no biggie, as it will turn up sooner or later elsewhere, but I would definitely like a copy of the spambot since SAS is not detecting that variant, so I'm guessing it is a new repack :wink:

alright, the zip file is up on the castlecops website...or so it said.

:D tell me if you can access it

thanks

Great job 8)

I have them now and will be looking at them shortly. Thanks again for the upload :D


:D

Those files not being present is not a problem. Like I said earlier, which *variant* of the infection you had would govern which badboys were on your machine. So it's a good thing if they are all not present, in one way :wink:

Just to double check, did you upload your winlogon.exe from the system32 folder to the VT service?


yeah, except it's taking a while :?

it stops scanning after some time with the winlogon file...

AhnLab-V3	2007.4.28.0	04.27.2007	no virus found
AntiVir	7.4.0.15	04.28.2007	no virus found
Authentium	4.93.8	04.27.2007	no virus found
Avast	4.7.981.0	04.26.2007	no virus found
AVG	7.5.0.464	04.26.2007	no virus found
BitDefender	7.2	04.29.2007	no virus found
CAT-QuickHeal	9.00	04.28.2007	no virus found
ClamAV	devel-20070416	04.29.2007	no virus found
DrWeb	4.33	04.28.2007	no virus found
eSafe	7.0.15.0	04.27.2007	no virus found
eTrust-Vet	30.7.3601	04.27.2007	no virus found
Ewido	4.0	04.27.2007	no virus found
FileAdvisor	1	04.29.2007	No threat detected
Fortinet	2.85.0.0	04.28.2007	no virus found
F-Prot	4.3.2.48	04.27.2007	no virus found

for the most part, it's clean...


Right, when you say it stops scanning, do you mean a message appears at the top left of the page saying *Service has stopped*?

If so, click refresh to reload and keep repeating until it starts mal checking again. We need the full report before the all clear is sounded :!:
