I am using Windows 7, service pack 1 unless it auto-updated to service pack 2.
Catchme says that the following code modification has been made in my ntdll.dll kernel file.
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261
Initialization error
When I googled that entire line, I learned that quite a number of people, who turned out to have actual virus infections (but very different viruses with very different solutions), reported this output from Catchme. The solutions for each individual never included doing anything at all to fix ntdll.dll. However, at least one forum "helper" explicitly noticed this output and explained that usually that would mean a rootkit, but in Windows 7 it is more likely to mean a trojan than a rootkit. Typically the solution was to scan with something (what that was differed in every case) and then make a registry fix, which in one case stopped three specific services, whose names jumped out at one from the scans, from running.
But if a kernel file was really infected with a virus it seems like the solution would have included fixing it.
I am wondering if maybe these ntdll.dll code modifications are really standard Windows 7 code, and catchme doesn’t know it?
Dora
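The Catchme line quoted above is most easily read as "observed != expected" per ntdll export: each Zw* stub in ntdll.dll normally begins with an instruction that loads the system-call index into eax, and a scanner compares the index it decodes against a table of known values. The following is an added example of that kind of check, not Catchme's own code; it assumes the two stub layouts shown in its comments, and its sample byte strings are constructed for illustration (the 32-bit index 50 for ZwClose is taken from the output on this page, the 64-bit index 12 is an assumption). The choice to print 0 when no index can be decoded at all is also an assumption, made so the output matches the format above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { NOT_A_STUB = -1 };

/* Decode the system-call index from the first bytes of an ntdll Zw stub.
   Assumed layouts:
     32-bit ntdll:  B8 imm32           mov eax, <index>
     64-bit ntdll:  4C 8B D1 B8 imm32  mov r10, rcx ; mov eax, <index>
   Anything else (for example a jmp planted by an inline hook) is not a stub. */
static int syscall_index(const uint8_t *stub, size_t len) {
    if (len >= 5 && stub[0] == 0xB8)
        return (int)((uint32_t)stub[1] | (uint32_t)stub[2] << 8 |
                     (uint32_t)stub[3] << 16 | (uint32_t)stub[4] << 24);
    if (len >= 8 && stub[0] == 0x4C && stub[1] == 0x8B &&
        stub[2] == 0xD1 && stub[3] == 0xB8)
        return (int)((uint32_t)stub[4] | (uint32_t)stub[5] << 8 |
                     (uint32_t)stub[6] << 16 | (uint32_t)stub[7] << 24);
    return NOT_A_STUB;
}

/* Compare an observed stub against the expected index. Returns 0 when they
   agree and 1 on a mismatch; mismatches are printed as "name observed != expected".
   An undecodable stub is reported as 0 (assumption, to mirror the line on this page). */
static int check_stub(const char *name, int expected, const uint8_t *stub, size_t len) {
    int observed = syscall_index(stub, len);
    if (observed == expected)
        return 0;
    printf("%s %d != %d\n", name, observed < 0 ? 0 : observed, expected);
    return 1;
}

/* Constructed samples, not captured from a real machine. */
/* Clean 32-bit ZwClose: mov eax,50 ; mov edx,7FFE0300h ; call [edx] ; ret 4 */
static const uint8_t zwclose_x86[] = {0xB8,0x32,0x00,0x00,0x00, 0xBA,0x00,0x03,0xFE,0x7F,
                                      0xFF,0x12, 0xC2,0x04,0x00};
/* Same export with an inline hook: first five bytes replaced by jmp rel32 */
static const uint8_t zwclose_hooked[] = {0xE9,0x00,0x10,0x00,0x00, 0xBA,0x00,0x03,0xFE,0x7F,
                                         0xFF,0x12, 0xC2,0x04,0x00};
/* 64-bit layout with an assumed index of 12: mov r10,rcx ; mov eax,0Ch ; syscall ; ret */
static const uint8_t zwclose_x64[] = {0x4C,0x8B,0xD1, 0xB8,0x0C,0x00,0x00,0x00, 0x0F,0x05, 0xC3};

int main(void) {
    check_stub("ZwClose", 50, zwclose_x86, sizeof zwclose_x86);       /* clean: prints nothing */
    check_stub("ZwClose", 50, zwclose_hooked, sizeof zwclose_hooked); /* hook: ZwClose 0 != 50 */
    check_stub("ZwClose", 50, zwclose_x64, sizeof zwclose_x64);       /* other layout: ZwClose 12 != 50 */
    return 0;
}
```

The third call shows the caveat a practitioner would want: a mismatch is only meaningful if the expected-value table matches the Windows build and bitness actually being scanned, so a scanner whose table or decoder predates the OS it runs on reports every export as modified even when the file is untouched.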