April 14th, 2004, 02:19 PM
** Ok What could this Be? **
Story,
A friend phoned me up asking for tech help..(shoot the bastard).. His machine was hanging on shutdown.. the file KCfetaic.exe ..
OS: WinXP pro
A quick Google revealed nothing.. that don't mean much..
Then I got him to d/l some of my regular tools.. Spybot and adaware were clean reports.. next CWShredder.. it errored halfway through and closed out..
Next the HJT log.. had him email it to me..
While I perused the HJT log I had him restart in safe mode and re-run the scans including an AVG scan.. clean.
A scan of the registry for the file name.... no mention.. OK.. Rename the bugger
now .. let's have a look at the Firewall logs.. ZoneAlarm.. ouch every prog he was using in the last 2 hrs were being blocked.. ?? we are talking about even WordPad..
OK this file may be used by another prog and therefore won't have a registry entry.. so what prog.. I didn't get him to d/l a process viewer..
Location of the File.. c:\windows\system32\ ..OK we renamed it.. and moved it
Restarted the machine in Normal mode.. ZoneAlarm was popping mad. " " program was trying to access the internet?? rechecked taskmon.. no strange entries.. shut down the machine and restarted.. no problem.. and no probs with ZA.. Had him run The Cleaner.. only files he had were Istbar.. nothing else ..
I had him go in and disable a number of unwanted services.. and email me a copy of the renamed file..
I will post a zipped version of it here for those who wish to have a look.. a quick look using a hex editor, nothing stands out.. the text "instructions" toward the end of the file could be a clue.
but not being into reverse engineering software.. have a look if you like.. I will be putting it into my Crash Test Dummy in the next day or so to see what it does if anything..
Now don't get bitten..
Cheers
"Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr