-=PCTechTalk=- Re: Strange error report and resident shield findings

  • From: Gman <gman.pctt@xxxxxxxxx>
  • To: <pctechtalk@xxxxxxxxxxxxx>
  • Date: Sun, 23 Aug 2009 17:53:09 -0400

Sandi,
    The folder called WERfaf6.dir00 is just one that Windows puts there to 
hold its reports following a crash.  They can be deleted unless you plan to 
use them to try and track down the actual problem.  I should probably 
mention that using them is a nightmare unless you have specialized (very 
expensive) software designed for that task.

    It sure sounds like a false positive to me (i.e. your AV is flagging 
files that Windows created as part of a crash report), but that's easy to 
say given that it's not a system sitting right in front of me.  It could be 
that the system crashed at the same time that the original false positive 
files (from Weather Pulse?) were loaded into memory.  The report includes a 
dump of your memory contents, so it likely triggered a second false positive 
based on that duplicated code in the report itself.

    I suspect you won't have any more problems with it since you updated 
Weather Pulse and quarantined the report files.  Those two actions should 
have removed the false positive from most locations on your system.  The 
only one left would be in your System Restore files.  If you come up with 
any more alerts, check to see where the file is located before you panic. 
If it's in the "System Volume Information" folder (as I suspect it will be), 
ignore it.  The alternative would be to turn off System Restore, reboot and 
then turn it back on to clear out all of your restore points.  That just 
seems like overkill to me in this situation.

Peace,
Gman

http://www.thevenusproject.com/index.php

"The entire future of humankind is yet to be written"

----- Original Message ----- 
From: "Sandi Beach" <sandib2@xxxxxxxxx>
To: "pctechtalk" <pctechtalk@xxxxxxxxxxxxx>
Sent: Saturday, August 22, 2009 9:31 AM
Subject: -=PCTechTalk=- Strange error report and resident shield findings


> C:\DOCUME~1\Joyce\LOCALS~1\Temp\WERfaf6.dir00\Mini082209-01.dmp
>
> C:\DOCUME~1\Joyce\LOCALS~1\Temp\WERfaf6.dir00\sysdata.xml
>
> The above was reported in technical information following a popup saying
> your system has recovered from a serious error.  I did not send this to
> Microsoft (never do).
> At the same time Win Patrol popped up reporting a new startup which had no
> identifying information.  I declined to let it start up.
> AV Resident Shield has been reporting an infection.  Yesterday it seemed to
> be in Weather Pulse so I quarantined the files, removed Weather Pulse,
> deleted all remaining files concerning Weather Pulse and downloaded a new WP
> which is from Tropical Zones.  In the process I noted that it said it was
> correcting a bug (a false positive) so figured AV had reported that.
> New Weather Pulse is working (old one had ceased to function after I
> received the Resident Shield alert of an infection).
> Last night I ran full scan with Malwarebytes and found nothing.  But right
> on top of the MB report was another report from AV that an infection had
> been found by the Resident Shield concerning the files I copied and pasted
> at the top of the screen.  They are in quarantine for now.
> I have not had to deal with virus infections for so long I have about forgot
> how!
> Anything more I need to do about all this that just occurred last night?
> Sandi 
