Author Topic: Catchme false positive for ntdll.dll modifications in Windows 7  (Read 1400 times)

Offline villandra

  • Jr. Member
  • **
  • Posts: 28
    • Personal Message (Offline)
Catchme false positive for ntdll.dll modifications in Windows 7
« on: December 11, 2012, 03:40:24 AM »
Catchme told me that a virus had modified my ntdll.dll file, in Windows 7.

detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error

When I googled that whole line, I learned that people have reported that same identical code modification for a half dozen very different viruses, on the tech forums, and the half dozen completely different solutions never included any repair to ntdll.dll .   

Well, I just finally after a week of research, and deleting all actual and pretended signs of Trojan activity in my system, I managed to extract a replacement copy of ntdll.dll from my Windows install file, and then replace the copy in my system32 file.   Then I rebooted my system and promptly ran Catchme. 

Guess what.   Here's the output from Catchme.

detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error

In other words, it's a false positive.  My guess is that the creators of Catchme don't know what Windows 7 ntdll.dll code is.   

Thanks so much to the person who answered this question with everything in God's earth but the answer to the question, when I asked on this forum if this code is really a virus or false positive.

And you know what else?  The two Dll's that depend on ntdll.dll, that I couldn't register, because allegedly the registration module is missing?  Now, this is Windows 7.   My original problem that set me looking into viruses was funny behavior by Internet Explofer 9, and inability to run a utility I need to run for work.   

Well, I got a new hard drive, installed Windows XP and Internet Explorer 8, and ran the utility I need for work with no problem.

Guess what.   The same two dll's can't be registered on that system either, for the same alleged reason.   The two DLLs are oleaut32.dll and mshtml.dll

Thanks again for y'all's help.




Offline Pondus

  • avast! √úberevangelist
  • Maybe Bot
  • *****
  • Posts: 21653
  • Gender: Male
    • Personal Message (Offline)
Re: Catchme false positive for ntdll.dll modifications in Windows 7
« Reply #1 on: December 11, 2012, 05:42:05 AM »
upload suspicious file(s) to www.virustotal.com and test with 40+ malware scanners

alternative jotti.org or metascan-online.com
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


 

Google Chrome

AVAST recommends using the FREE Google Chrome™ browser.

Download Google Chrome Now