Is this really virus code?

I am using Windows 7, service pack 1 unless it auto-updated to service pack 2.

Catchme says that the following code modification has been made in my ntdll.dll kernel file.

ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261
Initialization error

When I googled that entire line, I learned that quite a number of people who turned out to have actual virus infections (but very different viruses with very different solutions) reported this output from Catchme. The solutions for each individual never included doing anything at all to fix ntdll.dll. However, at least one forum “helper” explicitly noticed this output and explained that usually it would mean a rootkit, but in Windows 7 it is more likely to mean a trojan than a rootkit. Typically the solution was to scan with something (what that was differed in every case), then make a registry fix, which in one case stopped three specific services, the names of which jumped out from the scans, from running.

But if a kernel file was really infected with a virus it seems like the solution would have included fixing it.

I am wondering if maybe these ntdll.dll code modifications are really standard Windows 7 code, and catchme doesn’t know it?

Dora

Hi,

I am using Windows 7, service pack 1 unless it auto-updated to service pack 2.
Windows 7 will not get SP2.

ntdll.dll is a legit Windows core file used by the “Zw” functions … these are API functions (a set of functions).
example:
http://en.wikipedia.org/wiki/Native_API

This is just a small part of the story because it's a much more complex story …

I am wondering if maybe these ntdll.dll code modifications are really standard Windows 7 code, and catchme doesn't know it?
Catchme is a tool created by Gmer. http://www.gmer.net/ They (I mean Gmer's tools) search for rootkits in a different way. If the tool has run successfully, it will very probably see some or all rootkit functions.

Ah yes, I forgot to write: if you want a malware check, follow this guide. :)
http://forum.avast.com/index.php?topic=53253.0
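As an added illustration (not code from this thread, from catchme, or from Gmer): a simplified model of the kind of check that produces a "ZwClose 0 != 50" line. On 32-bit Windows 7 each Zw* export in ntdll.dll is a short stub that loads the system-call number into EAX (mov eax, imm32) and then enters the kernel; a user-mode rootkit that hooks such a function typically overwrites the first five bytes with a jmp to its own code, so the number can no longer be read from the stub. The model below assumes that stub layout, assumes that "0" in the output means the number could not be read because the stub was patched, and takes the expected numbers from the values after "!=" in the question. The stub bytes and the hook are constructed inline so the code runs without Windows; whether catchme arrives at its output exactly this way is an assumption, not something the thread states.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Expected system-call numbers, taken from the values after "!=" in the
 * catchme line quoted in the question (assumed to be the 32-bit Windows 7
 * SP1 numbers). */
typedef struct {
    const char *name;
    uint32_t    expected;
} syscall_entry;

static const syscall_entry expected_table[] = {
    {"ZwEnumerateKey",           116},
    {"ZwQueryKey",               244},
    {"ZwOpenKey",                182},
    {"ZwClose",                   50},
    {"ZwEnumerateValueKey",      119},
    {"ZwQueryValueKey",          266},
    {"ZwOpenFile",               179},
    {"ZwQueryDirectoryFile",     223},
    {"ZwQuerySystemInformation", 261},
};
#define TABLE_LEN (sizeof expected_table / sizeof expected_table[0])

/* Byte length of the x86 Windows 7 ntdll stub modelled here (assumption):
 *   B8 imm32          mov eax, <syscall number>
 *   BA 00 03 FE 7F    mov edx, 7FFE0300h   (pointer to KiFastSystemCall)
 *   FF 12             call dword ptr [edx]
 *   C2 xx 00          ret <argument bytes>                                 */
#define STUB_LEN 15

/* Fill 'out' with a clean stub for 'number' (constructed sample bytes). */
void make_clean_stub(uint8_t *out, uint32_t number, uint8_t ret_bytes)
{
    static const uint8_t tail[] = {0xBA, 0x00, 0x03, 0xFE, 0x7F, 0xFF, 0x12, 0xC2};
    out[0] = 0xB8;
    out[1] = (uint8_t)(number);
    out[2] = (uint8_t)(number >> 8);
    out[3] = (uint8_t)(number >> 16);
    out[4] = (uint8_t)(number >> 24);
    memcpy(out + 5, tail, sizeof tail);   /* bytes 5..12 */
    out[13] = ret_bytes;
    out[14] = 0x00;
}

/* Overwrite the first five bytes with "E9 rel32" (jmp rel32), the classic
 * inline hook a user-mode rootkit plants to divert the call to its own code.
 * The displacement is a constructed value; it is never executed here. */
void plant_inline_hook(uint8_t *stub, uint32_t rel32)
{
    stub[0] = 0xE9;
    stub[1] = (uint8_t)(rel32);
    stub[2] = (uint8_t)(rel32 >> 8);
    stub[3] = (uint8_t)(rel32 >> 16);
    stub[4] = (uint8_t)(rel32 >> 24);
}

/* Return the syscall number encoded in the stub, or 0 when the stub no
 * longer starts with "mov eax, imm32" (i.e. its first bytes were patched). */
uint32_t read_syscall_number(const uint8_t *stub)
{
    if (stub[0] != 0xB8)
        return 0;
    return (uint32_t)stub[1] | ((uint32_t)stub[2] << 8) |
           ((uint32_t)stub[3] << 16) | ((uint32_t)stub[4] << 24);
}

/* Look up the expected number for a Zw function name; 0 if not in the table. */
uint32_t expected_syscall_number(const char *name)
{
    for (size_t i = 0; i < TABLE_LEN; i++)
        if (strcmp(expected_table[i].name, name) == 0)
            return expected_table[i].expected;
    return 0;
}

/* Compare one stub with its expected number. On a mismatch write a
 * catchme-style "Name found != expected" entry into 'report' and return 1;
 * return 0 with an empty report when the stub is clean. */
int check_stub(const char *name, const uint8_t *stub, char *report, size_t report_len)
{
    uint32_t found = read_syscall_number(stub);
    uint32_t want  = expected_syscall_number(name);
    if (found == want) {
        report[0] = '\0';
        return 0;
    }
    snprintf(report, report_len, "%s %u != %u", name,
             (unsigned)found, (unsigned)want);
    return 1;
}

int main(void)
{
    uint8_t clean[STUB_LEN], hooked[STUB_LEN];
    char report[64];

    make_clean_stub(clean, 50, 0x04);      /* ZwClose: one 4-byte argument */
    make_clean_stub(hooked, 50, 0x04);
    plant_inline_hook(hooked, 0x1000);     /* constructed hook displacement */

    if (check_stub("ZwClose", clean, report, sizeof report))
        puts(report);
    else
        puts("ZwClose: clean stub");
    if (check_stub("ZwClose", hooked, report, sizeof report))
        puts(report);                      /* "ZwClose 0 != 50" */
    return 0;
}
```

The check is deliberately byte-level: it does not trust anything the hooked code might report about itself, which is why this kind of detector can flag a function even when the rest of the system looks normal. A real scanner also has to know the correct numbers for the exact ntdll build it is looking at; a table that does not match the running Windows version would produce exactly this sort of mismatch line with no infection present.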