MajorGeeks Support Forums: Malware Removal
#1 | 03-23-12, 14:59 | housailorr (Private First Class; Join Date: Dec 2006; Location: Houston; Posts: 64)
Rootkit.zeroaccess infection - I think

After years of malware free computers (thanks to MajorGeeks) I carelessly opened an exe file and now I appear to have the rootkit.zeroaccess infection on my Win XP machine. I use Norton Security Suite, MBAM, SAS.

Although some malware removal programs have improved the situation, I have telltale signs that concern me: MalwareBytes keeps notifying me that it has “successfully blocked access to a potentially malicious website: ...”. This message pops up every minute or so, and the referenced URL is one of the same two each time.

When rebooting, I often get a BSOD during the shutdown sequence, resulting in one of these messages:
Bad_Pool_Header, Stop: 0x00000019
Page_Fault_In_NonPaged_Area, Stop: 0x00000050
Driver_Corrupted_mmpool, Stop: 0x000000D0

The discovery event:
On 3/14 when I opened the suspect file Norton popped up a message "An intrusion attempt by 174.118.90.110 requiring manual removal detected." I then locked down the firewall, disconnected the LAN cable, and received the following additional Norton notices before I was able to perform the manual removal:
“atinevxx.dll contained threat Trojan.Zeroaccess!inf. Resolved-NO Action Required.”
“qwavedrv.dll contained threat Trojan.Zeroaccess!inf. Resolved-NO Action Required.”

Removal attempts:
1. I followed the Norton recommended manual removal process – running the Trojan.Zeroaccess Removal Tool.

Upon restart, Malwarebytes began showing messages: “successfully blocked access to a potentially malicious website: ...”.

2. Deleted the file I suspected of causing the problem.

3. Ran the series of XP malware removal programs. ComboFix produced a warning message similar to: "Rootkit.ZeroAccess inserted itself into TCP/IP stack. This is a particularly difficult..." ComboFix then rebooted the computer and resumed through all 50 stages. When it tried to reboot again I got a BSOD: Bad_Pool_Header, Stop: 0x00000019 - this was the first such instance of the BSOD.

4. I have run ComboFix and Mgtools a couple of times but received no additional alerts and no change in behavior.

5. Ran TDSSKiller.exe – no noticeable change in behavior.

Thanks in advance for any help with this.
Attached Files
File Type: zip MGlogs.zip (348.3 KB, 11 views)
#2 | 03-25-12, 00:33 | thisisu (Malware Consultant; Join Date: Apr 2006; Location: Houston, TX; Posts: 8,144)
Re: Rootkit.zeroaccess infection - I think

Hello housailorr,

I want you to read and follow these instructions (UPDATED): TDSSKiller - How to run


Scan with: yorkyt.exe by Panda Security
  • Download it to your desktop and run it.

  • Yes, restart
  • Let it restart again.
  • Be patient as the tool is working after the 2nd reboot.
  • When you see the above, test to see if browser redirects to Abnow are present or not.
  • Attach the Yorkyt.exe.log to your next message (it should be on your desktop). (How to attach)

__

Please download OTL by OldTimer.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Check the "Scan All Users" checkbox.
  • Check the "Standard Output".
  • Change the setting of "Drivers" and "Services" to "All"
  • Copy the text in the code box below and paste it into the text-field.
    Code:
    activex
    netsvcs
    /md5start
    afd.sys
    i8042prt.sys
    ipsec.sys
    netbt.sys
    svchost.exe
    tcpip.sys
    /md5stop
    %windir%\$ntuninstallkb*. /30
    %windir%\system32\drivers\*.sys /lockedfiles
    %windir%\*.* /mp
    %windir%\*.* /rp
    %windir%\*.* /sl
    %systemdrive%\mgtools\*.*
  • Now click the button.
  • One report will be created:
    • OTL.txt <-- Will be opened
  • Attach OTL.txt to your next message. (How to attach)
__________________
Facebook . Twitter . Blog . VirusTotal
#3 | 03-25-12, 11:21 | housailorr

Good morning, thisisu:

Thank you for your help! I ran the programs you requested. You should know that I have run TDSSKiller and yorkyt.exe recently and have logs from the first instances also. I have included the first logs and the recent logs here so you can see if anything may have been fixed in an earlier scan.

You should also know I ran RootRepeal and AntiZeroAccess a few days ago. After running AntiZeroAccess I noticed MalwareBytes AM reports of blocked URL access were reduced from 3 URLs to 2 URLs.

In addition, I have blocked my computer from all Internet traffic at the router firewall, so there may be some errors from services trying to access the Internet. I access via Ethernet cable, and as far as I know I have not experienced any problems accessing the Internet.

I have attached the TDSSKiller logs and the yorkyt.exe here and will attach the OTL logs on another post.
Attached Files
File Type: log yorkyt.exe-3-24.log (204.3 KB, 15 views)
File Type: log yorkyt.exe.log (147.9 KB, 3 views)
File Type: txt TDSSKiller.2.7.20.0_16.03.2012_14.29.50_log.txt (77.2 KB, 3 views)
File Type: txt TDSSKiller.2.7.20.0_25.03.2012_09.14.18_log.txt (75.8 KB, 2 views)
#4 | 03-25-12, 11:22 | housailorr

thisisu,

Here are the OTL logs.
Attached Files
File Type: txt OTL.Txt (365.6 KB, 9 views)
File Type: txt Extras.Txt (100.0 KB, 1 views)
#5 | 03-25-12, 11:24 | thisisu

Please update TDSSKiller before scanning.
Download the updated version here
Attach the log when you have used the latest version. (How to attach)
#6 | 03-25-12, 12:09 | thisisu

Code:
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR 
kernel: MBR read successfully
user != kernel MBR !!!
Code:
      Size  Device Name          MBR Status
  --------------------------------------------
    232 GB  \\.\PhysicalDrive0   Unknown MBR code
            SHA1: 4F43A1F8C85AB60B1AECF0A4356AF8F36180AAE3
Do you have your data backed up? Since you are experiencing BSODs and due to the above info in your logs, you most likely have an MBR infection.

The vast majority of the time, restoring a clean MBR to a system goes without fail but just in case I am unable to restore your system to a booting state (if something does go wrong), you at least have your data handy.

Let me know before we proceed.

You should still scan with the new TDSSKiller though
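The two tool outputs quoted in this post are doing two different checks: Gmer reads sector 0 once from user mode and once from the kernel and complains when the two copies differ (a rootkit filtering disk I/O is one way that happens, a failed user-mode read is another), and the MBR-status tool hashes the boot code and reports "Unknown MBR code" when the hash is not in its list of known loaders. The script below is an added example written for this thread, not output or code from either tool: it builds a constructed 512-byte MBR, parses the partition table and boot signature, hashes the 440-byte boot-code region (an assumption; the page does not say exactly what the tool hashes), looks the hash up in a hypothetical known-loader table, and compares two views of the sector. "Unknown" is not the same as "infected": any third-party boot manager that rewrites the boot code will show up as unknown too, which is worth settling before restoring an MBR.

```python
import hashlib
import struct
from typing import Dict, List, Optional

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439: bootstrap code (assumed to be the hashed region)
PART_TABLE_OFF = 446     # four 16-byte partition entries start here
BOOT_SIG = b"\x55\xAA"   # bytes 510..511


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR for this example: caller-supplied boot code, a made-up
    disk signature, one bootable type-0x07 partition and three empty slots."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    boot = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = b"\x12\x34\x56\x78\x00\x00"   # 4-byte disk signature + 2 reserved bytes
    # entry layout: status, CHS start, type, CHS end, LBA start, sector count
    active = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                         b"\xfe\xff\xff", 63, 486539201)
    empty = b"\x00" * 16
    sector = boot + disk_sig + active + empty * 3 + BOOT_SIG
    assert len(sector) == SECTOR_SIZE
    return sector


def parse_mbr(sector: bytes) -> Dict:
    """Return the boot-code hash, whether the 0x55AA signature is intact,
    and the partition entries that are in use."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions: List[Dict] = []
    for slot in range(4):
        off = PART_TABLE_OFF + 16 * slot
        status, _, ptype, _, lba, count = struct.unpack("<B3sB3sII", sector[off:off + 16])
        if ptype != 0:
            partitions.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
        "signature_ok": sector[510:512] == BOOT_SIG,
        "partitions": partitions,
    }


def classify_boot_code(sector: bytes, known: Dict[str, str]) -> str:
    """Look the boot-code hash up in a caller-supplied table of known loaders
    (hypothetical table; the real tool ships its own). An unknown hash is a
    lead, not a verdict: a third-party boot manager is also 'unknown' here."""
    return known.get(parse_mbr(sector)["boot_code_sha1"], "Unknown MBR code")


def compare_views(user_view: Optional[bytes], kernel_view: bytes) -> str:
    """Model the Gmer check: the sector read through the normal user-mode path
    versus the sector read by the kernel. None stands for a failed user-mode
    read, like the sharing violation in the log above."""
    if user_view is None:
        return "user: error reading MBR"
    return "MBR match" if user_view == kernel_view else "user != kernel MBR"


if __name__ == "__main__":
    sample = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")   # a few opcodes, constructed
    print(parse_mbr(sample))
    print(classify_boot_code(sample, {}))
    print(compare_views(None, sample), "|", compare_views(b"\x90" + sample[1:], sample))
```

Run it against a real disk by replacing the constructed sector with the first 512 bytes read from the physical device; on a live, possibly rooted system that read is exactly the one a disk-filter rootkit gets to lie about, which is why the kernel-side read and an offline read from boot media are the ones to trust.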
#7 | 03-25-12, 12:21 | housailorr

thisisu,

Sorry for the mistake. Here is the log from the latest version of TDSSKiller.
Attached Files
File Type: txt TDSSKiller.2.7.22.0_25.03.2012_12.10.52_log.txt (123.5 KB, 3 views)
#8 | 03-25-12, 13:56 | housailorr

I have backups that are 2 weeks old, but I will create a new set and let you know when I am ready.

I also use BootIT NG to manage partitions and disk imaging. This program works with a modified MBR and it may be interfering with the MBR scan.
#9 | 03-25-12, 14:02 | thisisu

Quote (housailorr): "This program works with a modified MBR and it may be interfering with the MBR scan."
Ok, the MBR most likely is not the issue then. Let's proceed cleaning what I could find and then let me know how the system is running.

Go ahead and create your new backup set and then proceed with the below.

__

From Add/Remove Programs (via Control Panel), please uninstall the below:
  • Driver Cleaner.NET
  • HijackThis 2.0.2
  • IE7Pro (for troubleshooting purposes / feel free to reinstall after malware removal is complete)
  • Napster
  • Norton Security Suite (for troubleshooting purposes / feel free to reinstall after malware removal is complete)
  • Spybot - Search & Destroy (for troubleshooting purposes / feel free to reinstall after malware removal is complete)
  • The Ultimate Troubleshooter
  • Uniblue DriverScanner 2009

/!\ Now download and run: Norton_Removal_Tool.exe

Please download Disable/Remove Windows Messenger to your desktop.
  • Double-click MessengerDisable.exe to run it.
  • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
  • Click Apply
  • Click Exit

Run C:\MGtools\analyse.exe by double-clicking it (Vista/7 right-click and select Run as Administrator)
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Choose "Do a system scan only" and select the following lines but do not click fix until you exit all explorer windows and all browser sessions including the one you are reading in right now:
  • R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - (no file)
  • R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
  • O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - (no file)
  • O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)

After clicking Fix, exit out of Trend Micro HiJackThis - v2.0.4

Fix items using OTL by OldTimer

Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Copy the text in the code box below and paste it into the text-field.
Code:
:processes
killallprocesses
:otl
SRV - File not found [Disabled | Stopped] -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe -- (RoxLiveShare9)
SRV - File not found [Disabled | Stopped] -- %systemroot%\system32\QWAVEDRV.dll -- (pinnaclemarvinusb)Suite\IDVaultSvc.exe -- (IDVaultSvc)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\VNUSB.sys -- (VNUSB)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (ViaIde)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (ultra)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (TosIde)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (symc8xx)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (symc810)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (sym_u3)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (sym_hi)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (Sparrow)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (Simbad)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\RimUsb.sys -- (RimUsb)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql1280)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql1240)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql12160)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (Ql10wnt)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql1080)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (perc2hib)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (perc2)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] --  -- (PCIDump)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (mraid35x)
DRV - File not found [Kernel | System | Stopped] --  -- (lbrtfdc)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (ini910u)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (i2omp)
DRV - File not found [Kernel | System | Stopped] --  -- (i2omgmt)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (hpn)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (dpti2o)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (dac960nt)
DRV - File not found [Kernel | Disabled | Unknown] --  -- (dac2w2k)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (Cpqarray)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (CmdIde)
DRV - File not found [Kernel | System | Stopped] --  -- (Changer)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (cd20xrnt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\RAYMON~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (Atdisk)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (asc3550)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (asc3350p)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (asc)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (amsint)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (AliIde)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (aic78xx)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (aic78u2)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (Aha154x)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (adpu160m)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (abp480n5)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (Abiosdsk)
IE - HKU\S-1-5-21-2025429265-1292428093-725345543-1003\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found
IE - HKU\S-1-5-21-2025429265-1292428093-725345543-1003\..\SearchScopes\{79B4F60A-D530-4DC8-82CE-D99A9A8E81DA}: "URL" = http://www.ask.com/web?q={searchTerms}&qsrc=0&o=0&l=dir
IE - HKU\S-1-5-21-2025429265-1292428093-725345543-1003\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/web/{searchTerms}?babsrc=SP_ss&affID=100842&mntrId=f0512a4d00000000000000111159e252
IE - HKU\S-1-5-21-2025429265-1292428093-725345543-1003\..\SearchScopes\{B6CC3541-2CAB-4982-AA87-21DC2EC30867}: "URL" = http://search.ebay.com/search/search.dll?satitle={searchTerms}
FF - HKLM\Software\MozillaPlugins\@bittorrent.com/BitTorrentDNA: C:\Program Files\DNA\plugins\npbtdna.dll (BitTorrent, Inc.)
FF - HKLM\Software\MozillaPlugins\@mcafee.com/MVT:  File not found
[2011/03/17 12:52:00 | 000,000,000 | ---D | M] (Conduit Engine) -- C:\Documents and Settings\Raymond Orr\Application Data\Mozilla\Firefox\Profiles\c9rmjoir.RayOrr\extensions\engine@conduit.com
[2008/09/03 19:11:24 | 000,054,600 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\mozilla firefox\plugins\npbittorrent.dll
O2 - BHO: (IE7Pro BHO) - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\IEPro.dll (IE7Pro.com)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
ActiveX: {03F998B2-0E00-11D3-A498-00104B6EB52E} - Viewpoint Media Player
ActiveX: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - Viewpoint Media Player
NetSvcs: pinnaclemarvinusb - %systemroot%\system32\QWAVEDRV.dll File not found
NetSvcs: AlteraByteBlaster -  File not found
[2012/03/16 14:55:10 | 000,187,464 | ---- | C] (Webroot) -- C:\Documents and Settings\Raymond Orr\Desktop\antizeroaccess.exe
[2012/03/14 21:57:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Raymond Orr\Application Data\FixZeroAccess
[2012/03/14 21:55:06 | 001,805,736 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\Raymond Orr\Desktop\FixZeroAccess.exe
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\Documents and Settings\Raymond Orr\My Documents\*.tmp files -> C:\Documents and Settings\Raymond Orr\My Documents\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
@Alternate Data Stream - 88 bytes -> C:\WINDOWS\System32\ntbackup.exe:SummaryInformation
:files
rd /s/q C:\WINDOWS\$NtUninstallKB1780$ /c
C:\WINDOWS\8v2yf5b7x4m4m5g
C:\Program Files\Norton Security Suite
C:\Program Files\IEPro
C:\Program Files\Spybot - Search & Destroy
rd /s/q C:\WINDOWS\$NtUninstallKB1780$ /c
type "C:\Documents and Settings\Raymond Orr\Desktop\AntiZeroAccess_Log.txt" /c
type "C:\Documents and Settings\Raymond Orr\Desktop\fss.txt" /c
:reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{79B4F60A-D530-4DC8-82CE-D99A9A8E81DA}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{B6CC3541-2CAB-4982-AA87-21DC2EC30867}]
:commands
[emptyjava]
[emptyflash]
Now click the button.
If the fix needed a reboot please do it.
Click the OK button (upon reboot).
When OTL is finished, Notepad will open. Close Notepad.
A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
Attach this log to your next message. (How to attach)

Now run C:\MGtools\GetLogs.bat by double-clicking it.
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
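Most of the :otl section above is mechanical: every "File not found" SRV/DRV line is a service or driver registration whose binary is gone, and OTL accepts the log line itself as the fix directive that removes the orphaned entry. The interesting lines are the ones worth reading twice: a service named pinnaclemarvinusb that points at QWAVEDRV.dll (the file Norton flagged in the first post) and is also listed under NetSvcs for svchost hosting, and a hotfix uninstall folder called $NtUninstallKB1780$, which the script deletes outright. The following is an added example for this thread, not OTL's own code: it triages constructed OTL-style lines modelled on the script above, collects the orphaned entries into a fix list, cross-references orphaned services against the NetSvcs list, and flags $NtUninstallKB*$ folders whose number is too short to be a real KB article number (assumption: genuine XP hotfix folders carry the full six- or seven-digit number).

```python
import re
from typing import Dict, List

# Constructed OTL-style lines for this example, modelled on the entries in the
# fix script above plus one healthy driver line. Not a real log from the thread.
SAMPLE_LOG = r"""
SRV - File not found [Disabled | Stopped] -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe -- (RoxLiveShare9)
SRV - File not found [Disabled | Stopped] -- %systemroot%\system32\QWAVEDRV.dll -- (pinnaclemarvinusb)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\VNUSB.sys -- (VNUSB)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (ViaIde)
DRV - [2008/04/13 13:20:16 | 000,361,600 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip.sys -- (Tcpip)
NetSvcs: pinnaclemarvinusb - %systemroot%\system32\QWAVEDRV.dll File not found
NetSvcs: AlteraByteBlaster -  File not found
[2012/03/14 21:57:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\$NtUninstallKB1780$
"""

# SRV/DRV registrations whose binary is missing; path may be empty ("--  --").
ORPHAN_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - File not found \[(?P<flags>[^\]]*)\] -- (?P<path>.*?) -- \((?P<name>[^)]+)\)$")
# svchost-hosted service names whose DLL is missing.
NETSVC_RE = re.compile(r"^NetSvcs: (?P<name>\S+) -\s*(?P<path>.*?)\s*File not found$")
# Hotfix uninstall folders; the captured group is the KB number.
KB_DIR_RE = re.compile(r"\$NtUninstallKB(\d+)\$", re.IGNORECASE)


def triage(log_text: str) -> Dict[str, List]:
    """Collect orphaned registrations into an OTL fix list and surface the
    entries that deserve a closer look."""
    report: Dict[str, List] = {"orphaned_services": [], "orphaned_drivers": [],
                               "netsvcs_missing": [], "suspect_kb_dirs": [], "fix_lines": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ORPHAN_RE.match(line)
        if m:
            bucket = "orphaned_services" if m.group("kind") == "SRV" else "orphaned_drivers"
            report[bucket].append(m.group("name"))
            report["fix_lines"].append(line)      # OTL takes the log line as the fix directive
            continue
        m = NETSVC_RE.match(line)
        if m:
            report["netsvcs_missing"].append(m.group("name"))
            report["fix_lines"].append(line)
            continue
        for kb in KB_DIR_RE.findall(line):
            if len(kb) < 6:   # assumption: real hotfix folders carry a 6-7 digit KB number
                report["suspect_kb_dirs"].append("$NtUninstallKB%s$" % kb)
    # A missing service binary that svchost is also told to host is the pattern
    # the first post's Norton detection (QWAVEDRV.dll) fits.
    report["svchost_hosted_orphans"] = sorted(
        set(report["orphaned_services"]) & set(report["netsvcs_missing"]))
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key, value in result.items():
        print(key, "->", value)
```

The fix list this produces is only the "File not found" subset; the search-scope, BHO and plugin lines in the script above are judgement calls that a parser should list for review rather than delete automatically.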
#10 | 03-25-12, 16:47 | housailorr

thisisu,

Reboots after removal of some programs are going slowly... not sure why. But I'm still plugging away. Get back to you soon.
#11 | 03-25-12, 19:50 | housailorr

thisisu,

I ran OTL with the script, but it has hung up after the fourth line:
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\VNUSB.sys -- (VNUSB).

It has been at this stage for over 30 minutes. The computer will not respond to any keyboard input.

How should I proceed after I shut the computer down with the master switch?
#12 | 03-25-12, 21:45 | thisisu

Quote (housailorr): "How should I proceed after I shut the computer down with the master switch?"
Try the same fix while in Safe Mode. See: How to start your computer in Safe mode

The OTL fix will want to reboot - Allow it to return to Normal Mode.
#13 | 03-25-12, 23:14 | housailorr

Ok, that was challenging!

Gee, without my anti-malware stuff running I feel like I'm standing naked in the doorway hoping no one can see in!

OTL ran in safe mode so I completed the assignment. The logs are attached.
Attached Files
File Type: log 03252012_224503.log (51.5 KB, 4 views)
File Type: zip MGlogs.zip (385.6 KB, 4 views)
#14 | 03-25-12, 23:27 | thisisu

Let me know how the system is running whenever you get a chance to experiment with it for a bit.

Latest logs look good.
#15 | 03-25-12, 23:33 | housailorr

The Malwarebytes AM warnings are still showing every minute or so, with the same two IP addresses.

No change yet.
#16 | 03-25-12, 23:41 | thisisu

Update MBAM
Run a Quick Scan with MBAM
Attach the log from MBAM (How to attach)

Update SAS
Run a Quick Scan with SAS
Attach the log from SAS (How to attach)

Please download RogueKiller to your desktop.

Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
When it opens, press the Scan button
When it is finished, there will be a log on your desktop called: RKreport[1].txt
Attach RKreport[1].txt to your next message. (How to attach)
#17 | 03-25-12, 23:52 | housailorr

Thanks, I'll have to do that in the morning as I have to get a video out this evening yet. It will be around noon before I can get to it.

I'm also still getting the BSOD's during shutdown when I reboot.

Thanks for your help so far.
#18 | 03-27-12, 09:38 | housailorr

thisisu,

Here are the logs you requested.

When I ran SAS with the Quick Scan button checked, it performed a complete scan instead. The complete scan takes several hours, so I left it running while I was out. When I returned, it was still running (over 2x as long as a normal complete scan) so I stopped it.

I again attempted the Quick Scan but it ran a complete scan which I left running and went to bed. This morning it was still running so I stopped it.

I have SAS set to run a daily scan automatically and that scan completed, so I have included the log for the complete scan.

Not sure why SAS is working that way, but will address it later.
Attached Files
File Type: log SUPERAntiSpyware Scan Log - 03-26-2012 - 04-10-42.log (579 Bytes, 2 views)
File Type: txt mbam-log-2012-03-26 (08-25-38).txt (1.9 KB, 4 views)
File Type: txt RKreport[1].txt (2.6 KB, 8 views)
#19 | 03-27-12, 13:46 | thisisu

Here are the next steps I'd like you to take. Let me know how the PC runs after you have completed them.

Fixing items using ComboFix
Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
If it is not on your desktop, the below will not work.
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Open Notepad and copy/paste the text in the below code box into Notepad:
Code:
KillAll::
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\.tab\PersistentHandler]
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"
.
[HKEY_LOCAL_MACHINE\software\Classes\cfexefile\DefaultIcon]
@DACL=(02 0000)
@SACL=
@="%1"
.
[HKEY_LOCAL_MACHINE\software\Classes\cfexefile\shell]
@DACL=(02 0000)
@SACL=
.
[HKEY_LOCAL_MACHINE\software\Classes\cfexefile\shellex]
@DACL=(02 0000)
@SACL=
[HKEY_LOCAL_MACHINE\software\Classes\mapi\Shell]
RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0C0DD146-A2A6-BFA4-F4B84228CE730E88}\{718890A1-4FA8-4866-06B3B07592C0C36E}\{C0B10667-122D-45CB-48A7F7AE622314D0}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{11B5C8DC-3FEA-1682-D4F0355518481497}\{414E0745-768E-27E6-1A22BEEA50FFC306}\{0F77990A-A8C5-E83C-A2DEB9098A2A23DE}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{20182402-24ED-DBEE-0C047CC941A92C12}\{18337038-91FA-1511-718667CAE01F35A0}\{7E9CBDE1-C583-B4C7-27A5326796C918BF}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{969D404C-EC53-A9AF-A02B8ED8C194B4B8}\{49CEC6C1-E90A-6C40-7DC9D5345834AD37}\{B3C560DA-C3C9-1298-A5CC78F93CD65657}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A3898AE7-11D1-364C-50B629D3BDD33730}\{75E2AEA1-D0D7-F395-00074BFE3B49B652}\{C6A3DC00-042F-33E6-17A49D873A8D73F7}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B3A3A58F-967E-A40A-C7DDFB524B0CDFB3}\{B28E8422-363F-1C4B-CC056478281B7FCE}\{569EFB20-10B3-C9F5-895B6A19B8852344}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
RegNull::
[HKEY_USERS\S-1-5-21-2025429265-1292428093-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{26FD9D71-8F27-8990-0A17-048347883521}*]
Suspect::[137]
c:\windows\system32\drivers\mf.sys
c:\windows\system32\drivers\mtlstrm.sys
c:\windows\system32\drivers\nwlnknb.sys
c:\windows\system32\drivers\slnt7554.sys
Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.

This will launch ComboFix.
Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Allow ComboFix to update itself if prompted.
When ComboFix finishes, a log will be produced at C:\ComboFix.txt
Attach this log to your next message. (How to attach)

Now run C:\MGtools\GetLogs.bat by double-clicking it.
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
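Look at the CLSID keys the RegLockDel section above goes after: each is a chain of three GUID-shaped names nested directly under CLSID, and none of them is a real GUID (the last group is 16 hex digits instead of the standard 4-12 split). A normal COM registration is CLSID\{guid}\InProcServer32 and so on, one GUID deep. That shape is something you can check for in any registry export without knowing the specific keys in advance. The script below is an added example for this thread, not ComboFix code: it takes the key paths from the CFScript (trailing "*" is ComboFix syntax, not part of the key name), validates each braced component against the 8-4-4-4-12 layout, counts how many GUID-shaped names are chained under CLSID, and marks a key suspicious when either test fails. It is a heuristic: some legitimate software registers odd key names, so treat a hit as something to inspect, not delete blindly.

```python
import re
from typing import Dict, List

# Standard registry GUID: {8-4-4-4-12} hex groups.
GUID_RE = re.compile(
    r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$", re.IGNORECASE)

# Key paths copied from the CFScript above; the trailing '*' is ComboFix syntax.
SAMPLE_KEYS: List[str] = [
    r"HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0C0DD146-A2A6-BFA4-F4B84228CE730E88}\{718890A1-4FA8-4866-06B3B07592C0C36E}\{C0B10667-122D-45CB-48A7F7AE622314D0}*",
    r"HKEY_LOCAL_MACHINE\software\Classes\CLSID\{11B5C8DC-3FEA-1682-D4F0355518481497}\{414E0745-768E-27E6-1A22BEEA50FFC306}\{0F77990A-A8C5-E83C-A2DEB9098A2A23DE}*",
    r"HKEY_LOCAL_MACHINE\software\Classes\CLSID\{20182402-24ED-DBEE-0C047CC941A92C12}\{18337038-91FA-1511-718667CAE01F35A0}\{7E9CBDE1-C583-B4C7-27A5326796C918BF}*",
    r"HKEY_LOCAL_MACHINE\software\Classes\CLSID\{969D404C-EC53-A9AF-A02B8ED8C194B4B8}\{49CEC6C1-E90A-6C40-7DC9D5345834AD37}\{B3C560DA-C3C9-1298-A5CC78F93CD65657}*",
    r"HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A3898AE7-11D1-364C-50B629D3BDD33730}\{75E2AEA1-D0D7-F395-00074BFE3B49B652}\{C6A3DC00-042F-33E6-17A49D873A8D73F7}*",
    r"HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B3A3A58F-967E-A40A-C7DDFB524B0CDFB3}\{B28E8422-363F-1C4B-CC056478281B7FCE}\{569EFB20-10B3-C9F5-895B6A19B8852344}*",
    r"HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version",
    r"HKEY_USERS\S-1-5-21-2025429265-1292428093-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{26FD9D71-8F27-8990-0A17-048347883521}*",
]


def audit_key(key_path: str) -> Dict:
    """Flag GUID-shaped key names that are not valid GUIDs, and GUID chains
    nested more than one level under CLSID."""
    parts = key_path.rstrip("*").split("\\")
    braced = [p for p in parts if p.startswith("{") and p.endswith("}")]
    malformed = [p for p in braced if not GUID_RE.match(p)]
    lowered = [p.lower() for p in parts]
    chain = 0
    if "clsid" in lowered:
        # count consecutive GUID-shaped components directly beneath CLSID
        for p in parts[lowered.index("clsid") + 1:]:
            if p.startswith("{") and p.endswith("}"):
                chain += 1
            else:
                break
    return {"key": key_path, "malformed_guids": malformed, "clsid_guid_chain": chain,
            "suspicious": bool(malformed) or chain > 1}


def audit_keys(keys: List[str]) -> List[Dict]:
    return [audit_key(k) for k in keys]


if __name__ == "__main__":
    for r in audit_keys(SAMPLE_KEYS):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(flag, r["clsid_guid_chain"], len(r["malformed_guids"]), r["key"])
```

Fed a full export of HKLM\Software\Classes\CLSID instead of the eight sample paths, the same two tests pick out keys of this shape among thousands of legitimate registrations, which is the kind of check worth running again after the cleanup to see whether anything re-created them.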
#20 | 03-28-12, 09:09 | housailorr

Thisisu,

I had to boot into Safe Mode to get CF to finish.

When CF rebooted, prior to finishing the reports I got a message: CF needs to submit malware files for further analysis.

I unblocked Internet access momentarily, then clicked the OK button and files were uploaded.

Attached are the reports.
Attached Files
File Type: zip MGlogs.zip (395.7 KB, 3 views)
File Type: txt ComboFix.txt (107.1 KB, 2 views)