Jay Bee Kay
New Member
Please HELP ME ASAP!! This error has been working on my @ss for some time now.
First of all, no, it's not just with one program, so that "fix" of trying to reinstall the program is not it.
I searched Google and can't find anything.
The ntdll is stopping a few programs (the most important ones) from running.
I found this AVZ Antiviral Toolkit and it gave me these results:
------------------------------------------------------------------
Attention !!! Database was last updated 2/8/2009 it is necessary to update the bases using automatic updates (File/Database update)
>>>> Danger - the avz.exe file is changed, check of its CRC by Trusted Objects Database failed
AVZ Antiviral Toolkit log; AVZ version is 4.30
Scanning started at 7/9/2009 4:13:15 AM
Database loaded: signatures - 209302, NN profile(s) - 2, microprograms of healing - 56, signature database released 08.02.2009 18:56
Heuristic microprograms loaded: 372
SPV microprograms loaded: 9
Digital signatures of system files loaded: 91560
Heuristic analyzer mode: Medium heuristics level
Healing mode: disabled
Windows version: 6.0.6000, ; AVZ is launched with administrator rights
System Restore: enabled
1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Function ntdll.dll:NtCreateFile (228) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:NtCreateProcess (241) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:NtCreateProcessEx (242) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:NtCreateUserProcess (254) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:NtDeviceIoControlFile (269) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:NtOpenFile (340) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:NtQueryInformationProcess (394) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:ZwCreateFile (1431) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:ZwCreateProcess (1444) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:ZwCreateProcessEx (1445) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:ZwCreateUserProcess (1457) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:ZwDeviceIoControlFile (1471) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:ZwOpenFile (1541) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:ZwQueryInformationProcess (1595) intercepted, method CodeHijack (method not defined)
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=1278C0)
Kernel ntoskrnl.exe found in memory at address 82000000
SDT = 821278C0
KiST = 8205607C (398)
Functions checked: 398, intercepted: 0, restored: 0
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Analysis for CPU 2
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Driver loaded successfully
1.5 Checking of IRP handlers
\FileSystem\ntfs[IRP_MJ_CREATE] = 85A171F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_CLOSE] = 85A171F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_WRITE] = 85A171F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 85A171F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 85A171F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_EA] = 85A171F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_EA] = 85A171F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 85A171F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 85A171F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 85A171F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 85A171F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 85A171F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 85A171F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 85A171F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 85A171F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_PNP] = 85A171F8 -> hook not defined
Checking - complete
2. Scanning memory
Number of processes found: 53
Number of modules loaded: 505
Scanning memory - complete
3. Scanning disks
F:\Program Files\Common Files\microsoft shared\ink\pipanel.exe >>> suspicion for Backdoor.Win32.Agent.px ( 07CD3C40 000ED0BE 0001F605 0028BBC5 28160)
Direct reading F:\Windows\System32\drivers\sptd.sys
F:\Windows\System32\wiawow32.sys >>> suspicion for Trojan-Clicker.Win32.Pamere.cc ( 0037591C 01BF58DB 00110A55 00086F7F 36864)
F:\Windows\winsxs\x86_microsoft-windows-t..acyinkingcomponents_31bf3856ad364e35_6.0.6000.16386_none_3fbb09cf8caa385d\pipanel.exe >>> suspicion for Backdoor.Win32.Agent.px ( 07CD3C40 000ED0BE 0001F605 0028BBC5 28160)
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious programs
Checking disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (@%SystemRoot%\System32\termsrv.dll,-268)
>> Services: potentially dangerous service allowed: SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
>> Services: potentially dangerous service allowed: Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: terminal connections to the PC are allowed
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
>> Abnormal COM files association
>> Service termination timeout is out of admissible values
>> HDD autorun are allowed
>> Autorun from network drives are allowed
>> Removable media autorun are allowed
>> Invalid autorun item
Checking - complete
Files scanned: 43897, extracted from archives: 21808, malicious software found 0, suspicions - 3
Scanning finished at 7/9/2009 4:18:06 AM
Time of scanning: 00:04:52
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address VirusInfo conference
---------------------------------------------------------------------------------
I don't know what caused this problem, but any help would be greatly appreciated.
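Added example, not part of the original post and not AVZ's own code: a small Python parser that pulls the structured findings out of an AVZ log like the one quoted above (hooked exports, on-disk suspicions, hardening warnings, the kernel SSDT result, and the scanner's own health banners), so that the hooked ntdll stubs can be collapsed to distinct system calls and the "avz.exe file is changed" and stale-database banners are not overlooked when reading the verdicts. The sample input is a subset of the log lines from the post; the regular expressions are written against that AVZ 4.30 log format and are an assumption about how other AVZ versions print these lines.

```python
import re

# Sample input: a subset of the AVZ 4.30 log lines quoted in the post above, excerpted
# here so the parser runs offline (it is not the complete log).
SAMPLE_LOG = r"""
Attention !!! Database was last updated 2/8/2009 it is necessary to update the bases using automatic updates (File/Database update)
>>>> Danger - the avz.exe file is changed, check of its CRC by Trusted Objects Database failed
Healing mode: disabled
1.1 Searching for user-mode API hooks
Analysis: ntdll.dll, export table found in section .text
Function ntdll.dll:NtCreateFile (228) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:NtCreateProcess (241) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:NtQueryInformationProcess (394) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:ZwCreateFile (1431) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:ZwCreateProcess (1444) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:ZwQueryInformationProcess (1595) intercepted, method CodeHijack (method not defined)
1.2 Searching for kernel-mode API hooks
Functions checked: 398, intercepted: 0, restored: 0
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
3. Scanning disks
F:\Program Files\Common Files\microsoft shared\ink\pipanel.exe >>> suspicion for Backdoor.Win32.Agent.px ( 07CD3C40 000ED0BE 0001F605 0028BBC5 28160)
F:\Windows\System32\wiawow32.sys >>> suspicion for Trojan-Clicker.Win32.Pamere.cc ( 0037591C 01BF58DB 00110A55 00086F7F 36864)
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (@%SystemRoot%\System32\termsrv.dll,-268)
>> Security: disk drives' autorun is enabled
Files scanned: 43897, extracted from archives: 21808, malicious software found 0, suspicions - 3
"""

# Line patterns, written against the 4.30 log format shown above (an assumption for other versions).
HOOK_RE = re.compile(r"^Function (?P<module>[\w.]+):(?P<func>\w+) \((?P<ordinal>\d+)\) intercepted, method (?P<method>\w+)")
SUSPICION_RE = re.compile(r"^(?P<path>.+?) >>> suspicion for (?P<name>\S+)")
WARNING_RE = re.compile(r"^>> (?P<area>Services|Security): (?P<text>.+)$")
KERNEL_RE = re.compile(r"^Functions checked: (?P<checked>\d+), intercepted: (?P<intercepted>\d+)")
SUMMARY_RE = re.compile(r"malicious software found (?P<malware>\d+), suspicions - (?P<suspicions>\d+)")

# Banners that lower confidence in the scan itself.
HEALTH_CHECKS = {
    "stale_database": re.compile(r"^Attention !!! Database was last updated"),
    "self_integrity_failed": re.compile(r"^>>>> Danger - the avz\.exe file is changed"),
    "healing_disabled": re.compile(r"^Healing mode: disabled"),
    "avzpm_missing": re.compile(r"extended monitoring driver \(AVZPM\) is not installed"),
}


def parse_avz_log(text):
    """Turn AVZ log text into structured findings."""
    report = {"hooks": [], "suspicions": [], "warnings": [], "kernel_hooks": None,
              "summary": None, "health": {key: False for key in HEALTH_CHECKS}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOOK_RE.match(line):
            report["hooks"].append({"module": m["module"], "func": m["func"],
                                    "ordinal": int(m["ordinal"]), "method": m["method"]})
        elif m := SUSPICION_RE.match(line):
            report["suspicions"].append({"path": m["path"], "name": m["name"]})
        elif m := WARNING_RE.match(line):
            report["warnings"].append({"area": m["area"], "text": m["text"]})
        elif m := KERNEL_RE.match(line):
            report["kernel_hooks"] = {"checked": int(m["checked"]), "intercepted": int(m["intercepted"])}
        elif m := SUMMARY_RE.search(line):
            report["summary"] = {"malware": int(m["malware"]), "suspicions": int(m["suspicions"])}
        else:
            for key, rx in HEALTH_CHECKS.items():
                if rx.search(line):
                    report["health"][key] = True
    return report


def hooked_syscalls(report, module="ntdll.dll"):
    """Collapse hooked exports to distinct system calls. In ntdll the Nt* and Zw*
    exports resolve to the same stub, so one patched stub is listed twice by AVZ."""
    groups = {}
    for hook in report["hooks"]:
        if hook["module"].lower() != module:
            continue
        stem = re.sub(r"^(Nt|Zw)", "", hook["func"])
        groups.setdefault(stem, []).append(hook["func"])
    return {stem: sorted(funcs) for stem, funcs in groups.items()}


def triage(report):
    """Order the findings the way an analyst would read them: scanner trust first,
    then the hook picture, then the on-disk suspicions."""
    notes = []
    if report["health"]["self_integrity_failed"] or report["health"]["stale_database"]:
        notes.append("low confidence: scanner binary failed its CRC check or signatures are stale")
    calls = hooked_syscalls(report)
    kernel = report["kernel_hooks"] or {"intercepted": 0}
    if calls and kernel["intercepted"] == 0:
        notes.append("user-mode inline hooks only (SSDT clean): %d syscalls: %s"
                     % (len(calls), ", ".join(sorted(calls))))
    for s in report["suspicions"]:
        notes.append("suspicious file: %s (%s)" % (s["path"], s["name"]))
    return notes


if __name__ == "__main__":
    for note in triage(parse_avz_log(SAMPLE_LOG)):
        print(note)
```

Run against the full log in the post, the grouping step turns the 14 "intercepted" lines into 7 distinct system calls (CreateFile, CreateProcess, CreateProcessEx, CreateUserProcess, DeviceIoControlFile, OpenFile, QueryInformationProcess), which is the set a process-launch or file-open monitor would patch; the kernel SSDT check in the same log reports 0 of 398 intercepted, so whatever is patching those stubs lives in user mode. The health flags also surface two things the log states about itself: the signature database is five months old and the scanner's own executable failed its CRC check, so its verdicts on the three flagged files carry less weight than a clean run would.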