Help computer Infected with Trojan Horse Generic9.AAUM

Hi polonus, just want you to know that the result I got from virustotal on the file “cd.dll”…

0 bytes size received / Se ha recibido un archivo vacio

What does it mean? Does it mean it’s just a ghost file?

This is what I got after running avz4…

[b]AVZ Antiviral Toolkit log; AVZ version is 4.29
Scanning started at 12/16/2007 4:54:41 AM
Database loaded: signatures - 139338, NN profile(s) - 2, microprograms of healing - 55, signature database released 15.12.2007 17:17
Heuristic microprograms loaded: 371
SPV microprograms loaded: 9
Digital signatures of system files loaded: 67629
Heuristic analyzer mode: Medium heuristics level
Healing mode: enabled
Windows version: 5.1.2600, Service Pack 2 ; AVZ is launched with administrator rights
System Recovery: Disabled

  1. Searching for Rootkits and programs intercepting API functions
    1.1 Searching for user-mode API hooks
    Analysis: kernel32.dll, export table found in section .text
    Analysis: ntdll.dll, export table found in section .text
    Analysis: user32.dll, export table found in section .text
    Analysis: advapi32.dll, export table found in section .text
    Analysis: ws2_32.dll, export table found in section .text
    Analysis: wininet.dll, export table found in section .text
    Analysis: rasapi32.dll, export table found in section .text
    Analysis: urlmon.dll, export table found in section .text
    Analysis: netapi32.dll, export table found in section .text
    1.2 Searching for kernel-mode API hooks
    Driver loaded successfully
    SDT found (RVA=07B180)
    Kernel ntkrnlpa.exe found in memory at address 804D7000
    SDT = 80552180
    KiST = 80501030 (284)
    Function NtOpenProcess (7A) intercepted (805BFB78->F7C078AC), hook C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
    Function recovered successfully !
    Hook code blocked
    Function NtTerminateProcess (101) intercepted (805C74C8->F7C07812), hook C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
    Function recovered successfully !
    Hook code blocked
    Function ObOpenObjectByName (805AFA54) - machine code modification Method not defined.
    Function recovered successfully !
    Functions checked: 284, intercepted: 2, restored: 3
    1.3 Checking IDT and SYSENTER
    Analysis for CPU 1
    Checking IDT and SYSENTER - complete
    Suspicion for Rootkit mzcxlbyk C:\WINDOWS\system32\drivers\ewjppfle.dat
    1.4 Searching for masking processes and drivers
    Checking not performed: the extended monitoring driver (AVZPM) is not installed

  2. Scanning memory
    Number of processes found: 36
    Number of modules loaded: 396
    Memory checking - complete
  3. Scanning disks
    Direct reading C:\Documents and Settings\jase\Local Settings\Temp~DF2490.tmp
    Direct reading C:\Program Files\Trend Micro\HijackThis\backups\backup-20071216-033203-223.dll
    Quarantine file: failed (error), attempt of direct disk reading (C:\Program Files\Trend Micro\HijackThis\backups\backup-20071216-033203-223.dll)
    Quarantine file (direct disk reading) “%S” - successful
    File quarantined succesfully (C:\Program Files\Trend Micro\HijackThis\backups\backup-20071216-033203-223.dll)
    C:\Program Files\Trend Micro\HijackThis\backups\backup-20071216-033203-223.dll >>>>> Trojan.Win32.BHO.abo deleted successfully
    Direct reading C:\Program Files\Trend Micro\HijackThis\backups\backup-20071216-033328-126.dll
    Quarantine file: failed (error), attempt of direct disk reading (C:\Program Files\Trend Micro\HijackThis\backups\backup-20071216-033328-126.dll)
    Quarantine file (direct disk reading) “%S” - successful
    File quarantined succesfully (C:\Program Files\Trend Micro\HijackThis\backups\backup-20071216-033328-126.dll)
    C:\Program Files\Trend Micro\HijackThis\backups\backup-20071216-033328-126.dll >>>>> Trojan.Win32.BHO.abo deleted successfully
    Direct reading C:\WINDOWS\system32\cd.dll
    Quarantine file: failed (error), attempt of direct disk reading (C:\WINDOWS\system32\cd.dll)
    Quarantine file (direct disk reading) “%S” - successful
    File quarantined succesfully (C:\WINDOWS\system32\cd.dll)
    To delete the file C:\WINDOWS\system32\cd.dll reboot is required
    C:\WINDOWS\system32\cd.dll >>>>> Trojan.Win32.BHO.abo error deleting
    Removing traces of deleted files…

  4. Checking Winsock Layered Service Provider (SPI/LSP)
    LSP settings checked. No errors detected
  5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
  6. Searching for opened TCP/UDP ports used by malicious programs
    Checking disabled by user
  7. Heuristic system check
    Checking complete
  8. Searching for vulnerabilities
    Services: potentially dangerous service allowed TermService (Terminal Services)
    Services: potentially dangerous service allowed SSDPSRV (SSDP Discovery Service)
    Services: potentially dangerous service allowed Schedule (Task Scheduler)
    Services: potentially dangerous service allowed RDSessMgr (Remote Desktop Help Session Manager)
    Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
    Security: disk drives’ autorun is enabled
    Security: administrative shares (C$, D$ …) are enabled
    Security: anonymous user access is enabled
    Security: sending Remote Assistant queries is enabled
    Checking complete

  9. Troubleshooting wizard
    Thaw-maut end of services is outside of admissible values
    Checking complete
Files scanned: 48080, extracted from archives: 36217, malicious programs found 3, suspicions - 0
Scanning finished at 12/16/2007 5:01:16 AM
Attention !!! Reboot is required to complete the healing.
!!! Attention !!! Recovered 3 KiST functions during Anti-Rootkit operation
This may affect execution of several programs, so it is strongly recommended to reboot
Time of scanning: 00:06:36
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://virusinfo.info conference
Creating archive of files from Quarantine
Creating archive of files from Quarantine - complete
System Analysis in progress
System Analysis - complete[/b]
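As an added example (not code from anyone in this thread or from AVZ itself), here is a small Python triage helper that pulls the actionable lines out of an AVZ log of the shape quoted above: SSDT hooks and the module that owns them, kernel code patches, rootkit suspicions, detections that could not be removed, and the service/security findings. The sample log is constructed from lines in this thread, and the list of trusted hook owners is an assumption the caller supplies (here the AVG Anti-Spyware path), since AVZ cannot know which security product the owner installed.

```python
import re

# Constructed sample in the shape of the AVZ 4.29 log quoted above (paths copied from the thread).
SAMPLE_LOG = """\
Function NtOpenProcess (7A) intercepted (805BFB78->F7C078AC), hook C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\guard.sys
Function recovered successfully !
Function NtTerminateProcess (101) intercepted (805C74C8->F7C07812), hook C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\guard.sys
Function ObOpenObjectByName (805AFA54) - machine code modification Method not defined.
Suspicion for Rootkit mzcxlbyk C:\\WINDOWS\\system32\\drivers\\ewjppfle.dat
C:\\Program Files\\Trend Micro\\HijackThis\\backups\\backup-20071216-033203-223.dll >>>>> Trojan.Win32.BHO.abo deleted successfully
C:\\WINDOWS\\system32\\cd.dll >>>>> Trojan.Win32.BHO.abo error deleting
Services: potentially dangerous service allowed TermService (Terminal Services)
Security: disk drives' autorun is enabled
"""

# One regex per line shape that matters for triage; everything else in the log is ignored.
HOOK_RE = re.compile(r"^Function (\w+) \((\w+)\) intercepted \((\w+)->(\w+)\), hook (.+)$")
PATCH_RE = re.compile(r"^Function (\w+) \((\w+)\) - machine code modification (.+)$")
ROOTKIT_RE = re.compile(r"^Suspicion for Rootkit (\S+) (.+)$")
DETECT_RE = re.compile(r"^(.+?) >>>>> (\S+) (deleted successfully|error deleting)$")
SERVICE_RE = re.compile(r"^Services: potentially dangerous service allowed (\w+) \((.+)\)$")
SECURITY_RE = re.compile(r"^Security: (.+)$")

def triage(log_text):
    """Collect the actionable lines of an AVZ log into one dictionary."""
    report = {"hooks": [], "patched": [], "rootkits": [], "detections": [], "services": [], "security": []}
    for line in log_text.splitlines():
        line = line.strip()
        if m := HOOK_RE.match(line):
            report["hooks"].append({"function": m[1], "index": m[2], "module": m[5]})
        elif m := PATCH_RE.match(line):
            report["patched"].append({"function": m[1], "address": m[2], "note": m[3]})
        elif m := ROOTKIT_RE.match(line):
            report["rootkits"].append({"service": m[1], "file": m[2]})
        elif m := DETECT_RE.match(line):
            report["detections"].append({"file": m[1], "name": m[2], "removed": m[3] == "deleted successfully"})
        elif m := SERVICE_RE.match(line):
            report["services"].append(m[1])
        elif m := SECURITY_RE.match(line):
            report["security"].append(m[1])
    return report

def follow_up(report, trusted_prefixes):
    """Items a human still has to look at: hooks owned by a module outside the caller-supplied
    trusted paths (assumption: the owner knows which products they installed), unexplained
    kernel patches, rootkit suspicions, and detections that AVZ could not remove."""
    items = []
    for h in report["hooks"]:
        if not any(h["module"].lower().startswith(p.lower()) for p in trusted_prefixes):
            items.append(f"untrusted hook on {h['function']}: {h['module']}")
    items += [f"kernel patch on {p['function']}: {p['note']}" for p in report["patched"]]
    items += [f"rootkit suspicion {r['service']}: {r['file']}" for r in report["rootkits"]]
    items += [f"not removed: {d['file']} ({d['name']})" for d in report["detections"] if not d["removed"]]
    return items
```

On the sample above, with the AVG path trusted, `follow_up` leaves three items: the unexplained patch of ObOpenObjectByName, the mzcxlbyk driver suspicion, and the cd.dll that AVZ could not delete.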

Hi Jase,

That explains what I have said before about what you cannot upload… So avz4 should help us here further. Let essexboy fly you home, and hopefully you land with a secure system; that is the way the avast “crew” does it. Your HJT log just has the same cd.dll as questionable.

polonus

OK, this is what I got from the Advanced system analysis…

[b]AVZ Antiviral Toolkit log; AVZ version is 4.29
Scanning started at 12/16/2007 5:12:17 AM
Database loaded: signatures - 139338, NN profile(s) - 2, microprograms of healing - 55, signature database released 15.12.2007 17:17
Heuristic microprograms loaded: 371
SPV microprograms loaded: 9
Digital signatures of system files loaded: 67629
Heuristic analyzer mode: Maximum heuristics level
Healing mode: disabled
Windows version: 5.1.2600, Service Pack 2 ; AVZ is launched with administrator rights
System Recovery: Disabled

  1. Searching for Rootkits and programs intercepting API functions
    1.1 Searching for user-mode API hooks
    Analysis: kernel32.dll, export table found in section .text
    Analysis: ntdll.dll, export table found in section .text
    Analysis: user32.dll, export table found in section .text
    Analysis: advapi32.dll, export table found in section .text
    Analysis: ws2_32.dll, export table found in section .text
    Analysis: wininet.dll, export table found in section .text
    Analysis: rasapi32.dll, export table found in section .text
    Analysis: urlmon.dll, export table found in section .text
    Analysis: netapi32.dll, export table found in section .text
    1.2 Searching for kernel-mode API hooks
    Driver loaded successfully
    SDT found (RVA=07B180)
    Kernel ntkrnlpa.exe found in memory at address 804D7000
    SDT = 80552180
    KiST = 80501030 (284)
    Function NtOpenProcess (7A) intercepted (805BFB78->F7BEB8AC), hook C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
    Function NtTerminateProcess (101) intercepted (805C74C8->F7BEB812), hook C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
    Function ObOpenObjectByName (805AFA54) - machine code modification Method not defined.
    Functions checked: 284, intercepted: 2, restored: 0
    1.3 Checking IDT and SYSENTER
    Analysis for CPU 1
    Checking IDT and SYSENTER - complete
    1.4 Searching for masking processes and drivers
    Checking not performed: the extended monitoring driver (AVZPM) is not installed
  2. Scanning memory
    Number of processes found: 36
    Analyzer - the process under analysis is 1528 C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    [ES]:Contains network functionality
    [ES]:Application has no visible windows
    Analyzer - the process under analysis is 1584 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    [ES]:Application has no visible windows
    [ES]:Registered in autoruns !!
    Analyzer - the process under analysis is 1620 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    [ES]:Application has no visible windows
    [ES]:Registered in autoruns !!
    Analyzer - the process under analysis is 512 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    [ES]:Contains network functionality
    [ES]:Application has no visible windows
    [ES]:Registered in autoruns !!
    Analyzer - the process under analysis is 536 C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    [ES]:Application has no visible windows
    [ES]:Registered in autoruns !!
    Analyzer - the process under analysis is 136 C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    [ES]:Application has no visible windows
    [ES]:Registered in autoruns !!
    Analyzer - the process under analysis is 972 C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    [ES]:Contains network functionality
    [ES]:Application has no visible windows
    Analyzer - the process under analysis is 2304 C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    [ES]:Contains network functionality
    [ES]:Application has no visible windows
    Analyzer - the process under analysis is 2384 C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    [ES]:Application has no visible windows
    Number of modules loaded: 379
    Memory checking - complete
  3. Scanning disks
  4. Checking Winsock Layered Service Provider (SPI/LSP)
    LSP settings checked. No errors detected
  5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
  6. Searching for opened TCP/UDP ports used by malicious programs
    Checking disabled by user
  7. Heuristic system check
    Checking complete
  8. Searching for vulnerabilities
    Services: potentially dangerous service allowed TermService (Terminal Services)
    Services: potentially dangerous service allowed SSDPSRV (SSDP Discovery Service)
    Services: potentially dangerous service allowed Schedule (Task Scheduler)
    Services: potentially dangerous service allowed RDSessMgr (Remote Desktop Help Session Manager)
    Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
    Security: disk drives’ autorun is enabled
    Security: administrative shares (C$, D$ …) are enabled
    Security: anonymous user access is enabled
    Security: sending Remote Assistant queries is enabled
    Checking complete

  9. Troubleshooting wizard
    Thaw-maut end of services is outside of admissible values
    Checking complete
Files scanned: 415, extracted from archives: 0, malicious programs found 0, suspicions - 0
Scanning finished at 12/16/2007 5:12:51 AM
Time of scanning: 00:00:35
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://virusinfo.info conference
System Analysis in progress
System Analysis - complete[/b]

Hi polonus,
Thank you, and sorry for the trouble…
After all the scanning I could still find the file “cd.dll” in the system32 folder, and the antivirus is picking it up whenever I open a window or a browser window.

Is there a possible way to delete this ghost file? I’m not sure if this is a ghost file though.

Hi jase,

Be calm, this cd.dll can be part of something that your computer says is there, or keeps telling you should be there. Shortly we will have essexboy’s analysis, and he will help you with the further cleansing. Wait a bit until he has done his homework. In the meantime I have glanced in the log for an executable named ntkrnlpa.exe; this could be a legit Microsoft file, but in some cases it could be overwritten by a trojan, also depending on where this file resides. See the info below:

Process: Ntkrnlpa.exe

Program: Operating System Kernel

Publisher: Microsoft Corporation

Purpose: Main OS file

Propriety: Potentially Undesirable

Perception: System

Postscript: Operating System Kernel could be a legitimate Windows OS process. Operating System Kernel is the Operating System (OS) kernel for computers with memory of 4GB or more. CAUTION: Various trojans/worms/spyware overwrite or create a file by this name. You could try to upload this ntkrnlpa.exe to virustotal.
You can analyse the info for cd.dll here:
http://www.spywaredata.com/spyware/malware/cd.dll.php

We will get there, do not worry, it will take some time, but it will all be solved.

polonus

Hi Jase,

Just a question, just because of the cd.dll. Did you have Half-Life or a similar game on your comp? If this program is no longer there, this could explain a lot, thinking of an Agobot or Rbot infection. Just run this tool: http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

Damian

Hi guys…
This is the report I’ve got from virustotal about ntkrnlpa.exe.

[b]File ntkrnlpa.exe received on 12.14.2007 08:26:19 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.12.14.10 2007.12.13 -
AntiVir 7.6.0.45 2007.12.13 -
Authentium 4.93.8 2007.12.13 -
Avast 4.7.1098.0 2007.12.13 -
AVG 7.5.0.503 2007.12.13 -
BitDefender 7.2 2007.12.14 -
CAT-QuickHeal 9.00 2007.12.13 -
ClamAV 0.91.2 2007.12.13 -
DrWeb 4.44.0.09170 2007.12.13 -
eSafe 7.0.15.0 2007.12.13 -
eTrust-Vet 31.3.5374 2007.12.13 -
Ewido 4.0 2007.12.13 -
FileAdvisor 1 2007.12.14 No threat detected, but known vulnerabilities exist
Fortinet 3.14.0.0 2007.12.14 -
F-Prot 4.4.2.54 2007.12.13 -
F-Secure 6.70.13030.0 2007.12.14 -
Ikarus T3.1.1.15 2007.12.14 -
Kaspersky 7.0.0.125 2007.12.14 -
McAfee 5185 2007.12.13 -
Microsoft 1.3109 2007.12.14 -
NOD32v2 2722 2007.12.14 -
Norman 5.80.02 2007.12.13 -
Panda 9.0.0.4 2007.12.14 -
Prevx1 V2 2007.12.14 -
Rising 20.22.40.00 2007.12.14 -
Sophos 4.24.0 2007.12.14 -
Sunbelt 2.2.907.0 2007.12.14 -
Symantec 10 2007.12.14 -
TheHacker 6.2.9.159 2007.12.14 -
VBA32 3.12.2.5 2007.12.14 -
VirusBuster 4.3.26:9 2007.12.13 -
Webwasher-Gateway 6.6.2 2007.12.14 -

Additional information
File size: 2056832 bytes
MD5: 947fb1d86d14afcffdb54bf837ec25d0
SHA1: cf8d0e6a71ecfc7e49a3fb1313a0b246f379f311
PEiD: -
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=947fb1d86d14afcffdb54bf837ec25d0

[/b]

Hi… hmm… no, I didn’t have any game like Half-Life installed. I came to know it got infected when I was looking for a crack on the internet for the game Starship Troopers. I found the cracked file, downloaded it and ran it. That’s when the warning sign (small triangle with exclamation mark in the system tray) came up and stated “Warning, your antivirus might not be installed”, whereas at that time Avast was installed. And it didn’t sniff out the virus.

So I had to check to be sure, and I installed AVG, and yes, AVG did the job but not completely. It was not able to delete the file even after reboot.

Hi jase, I need you to attach the 2 zip files as I will use my copy of AVZ to analyse and create a fix. The zip files will be in

A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Could you please attach those two zip files to your next post? To do this, when you are posting, on the left there will be ADDITIONAL OPTIONS; select this, then using the BROWSE button add the two files.

Hi essexboy,
I tried to upload the file but it wouldn’t allow zip extensions. It allows txt, jpg, gif, png, log only. How do you want me to send it to you now?

Did you get the PM with my address? If not, here it is again. I will remove it as soon as I get the files. TA

Yes, I did just now as I logged in. I’ll send it right away. Thank you so much!!!

Hi Jase, and here are the results from the kill-rootkit jury: I found it, so let’s kill it.

AVZ FIX

[*] Double click on AVZ.exe
[*] Click File > Custom scripts
[*] Copy & paste the contents of the following codebox in the box in the program (start with begin and end with end )

[code]
begin
  SetAVZGuardStatus(True);
  SearchRootkit(true, true);
  DelBHO('-{9828DDAB-2B7A-4626-885A-5579EA690FEB}');
  DelBHO('{9828DDAB-2B7A-4626-885A-5579EA690FEB}');
  DeleteService('mzcxlbyk');
  DeleteFile('C:\WINDOWS\system32\Drivers\ewjppfle.dat');
  DeleteFile('C:\WINDOWS\system32\cd.dll');
  DeleteFile('C:\WINDOWS\system32\drivers\ewjppfle.dat');
  BC_ImportDeletedList;
  ExecuteSysClean;
  BC_Activate;
  RebootWindows(true);
end.
[/code]
[*] Note: When you run the script, your PC will be restarted
[*] Click Run
[*] Restart your PC if it doesn't do it automatically.

ON COMPLETION

[*] Start AVZ.

[*] Choose from the menu “File” => “Standard scripts” and mark the “Advanced System Investigation” check box.
[*] Click on “Execute selected scripts”.
[*] A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Mail the zip file to your next post

Hi essexboy, can you please not go offline? Can you please help me sort this out…
Yes! I have run the script that you posted here. After running, the computer rebooted and the log file .htm has been sent to your mail. Please do check your mail now.

Thanks…

Got it

Hi Jase,

He won’t let you dangle; ol’ essexboy, as I know the chap, is as tenacious as a Rottweiler. He will sort it out with all his friends on the web; he will get you and your problem sorted out. I am curious and watching on from the sideline,

pol

If you could now run DSS again please ;D That rootkit appears to have left the building.

What is DSS???

Hi polonus, good to see you online. Earlier I checked and found you offline. :)