hal.dll [RESOLVED in v2.0.11.43+]

LM

You can set CAVS On Access scanner to “Deny Access to infected objects”. This avoids CAVS disinfection & quarantine.

It hasn’t been an issue for me, although the On-Demand scanner does have a setting to prompt for action.

Maybe it’s the way it’s worded, but I saw the “Deny access to infected objects” and presumed it meant denying the user access to the object, rather than denying CAVS access… I still agree with the wishlist entry to modify the interface to give a specific choice to request interaction…

Hi George,
Please copy the troubleshoot log from %All users%\Application data\ Comodo AntiVirus\TroubleshootLog and compress it to send.
You can send the troubleshoot log to support@comodo.com or upload it here on the forum in .zip format.
Also let us know how many files are in the quarantine store at %All users%\Application data\ Comodo AntiVirus\Quarantine

regards
Kishor

TroubleShootLog.zip is attached. There are no files in Quarantine.

George

[attachment deleted by admin]

Hi Kishork,

hal.dll issue just recurred. This is the first recurrence on this particular PC for over three weeks. System was idle with no scan scheduled. The following apps were open at the time:

CPF GUI window
IE
Thunderbird

Screen saver was active.

Current user was logged in as an administrator equivalent.

troubleshootlog.zip attached. Also attached is folder listing of \windows and \windows\system32 taken immediately after the first warning about system files being replaced.

Hope this helps, wish me luck with the restore! :wink:

Cheers,
Ewen :slight_smile:

[attachment deleted by admin]

Restore completed successfully. For info and comparison, attached are folder listings of \windows and \windows\system32 after the restore.

Hope this helps,
Ewen :slight_smile:

[attachment deleted by admin]
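The two posts above compare folder listings of \windows and \windows\system32 taken right after the "system files replaced" warning and again after the restore. As an added example (not code from this thread or from Comodo), the script below does that comparison mechanically: it parses two listings, reports files that are missing, added or changed in size, and flags any missing file whose name is on a watch list such as hal.dll. The listing format (one "size<TAB>relative path" per line) and the sample listings with their sizes are assumptions constructed for illustration.

```python
"""Compare a known-good directory listing (e.g. after restore) against a
snapshot taken during an incident and report what vanished, appeared or
changed size. Added example; not code from the forum thread or from Comodo.
Listing format and sample data are assumed/constructed for illustration.
"""
from typing import Dict, List, Tuple


def parse_listing(text: str) -> Dict[str, int]:
    """Parse 'size<TAB>relative\\path' lines into {path: size}.

    Paths are lower-cased because Windows file names are case-insensitive.
    Blank lines are skipped.
    """
    entries: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        size, path = line.split("\t", 1)
        entries[path.strip().lower()] = int(size)
    return entries


def diff_listings(reference: str, snapshot: str) -> Dict[str, List]:
    """Return files missing from / added to the snapshot and size changes."""
    ref = parse_listing(reference)
    snap = parse_listing(snapshot)
    missing = sorted(p for p in ref if p not in snap)
    added = sorted(p for p in snap if p not in ref)
    changed: List[Tuple[str, int, int]] = sorted(
        (p, ref[p], snap[p]) for p in ref if p in snap and ref[p] != snap[p]
    )
    return {"missing": missing, "added": added, "changed": changed}


def flag_critical(result: Dict[str, List], watch=("hal.dll",)) -> List[str]:
    """Return missing paths whose file name is on the watch list."""
    watch_lc = {w.lower() for w in watch}
    return [p for p in result["missing"] if p.rsplit("\\", 1)[-1] in watch_lc]


# Constructed sample listings (sizes are made up). REFERENCE stands in for the
# post-restore listing, SNAPSHOT for the one taken after the first warning.
REFERENCE = "\n".join([
    "131840\tsystem32\\hal.dll",
    "2180992\tsystem32\\ntoskrnl.exe",
    "2048\tbootstat.dat",
    "1500\tsystem32\\drivers\\etc\\hosts",
])
SNAPSHOT = "\n".join([
    "2180992\tsystem32\\ntoskrnl.exe",
    "2048\tbootstat.dat",
    "1600\tsystem32\\drivers\\etc\\hosts",
    "4096\tsystem32\\unknown.tmp",
])


if __name__ == "__main__":
    report = diff_listings(REFERENCE, SNAPSHOT)
    for kind in ("missing", "added", "changed"):
        for item in report[kind]:
            print(f"{kind:8} {item}")
    for path in flag_critical(report):
        print(f"CRITICAL boot file missing from snapshot: {path}")
```

Run it against real listings by reading the two files into `REFERENCE` and `SNAPSHOT`; a `dir /s` output would first need to be reduced to the size/path format assumed here.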

Hi George,
Thanks.
As no files are in quarantine folder and no trace of quarantine or deleted by CAV in troubleshoot log, we can say that CAV does not quarantine/delete hal.dll or any related files.

From initial observations we found some traces of Trojan Win32.Agent.bq. File: %WINDIR%\bootstat.dat.
AV lab is doing more analysis on it to find the root cause of it.

regards
Kishor

Hi Ewen,
Thanks for your logs. We are analyzing them. From initial observation we found one thing common in your log and George's log, i.e. some traces of Trojan Win32.Agent.bq. File: %WINDIR%\bootstat.dat.

AV lab is doing more analysis on it to find the root cause of it.

regards
Kishor

Hey Kishor,

Attached is a zip containing the full file of bootstat.dat (RASH attributes removed). Hope it helps analysis.

Out of curiosity, what, in the logs, tipped you guys off? Just so I know what (or how :wink: ) to look for in the future?

Thanks in advance,
Ewen :slight_smile:

[attachment deleted by admin]

Hi Ewen,
Thanks.
There is no evidence that CAV has quarantined or deleted the hal.dll file :).
Looking more into it to find what could be doing this disaster.

regards
Kishor

Hi,

For comparison, here are my bootstat.dat files. The old one, which apparently is infected, and the new one, which I hope is not infected.

George

[attachment deleted by admin]

Hi Ewen/George,
From the troubleshoot log it seems that this could happen due to Windows updates. For more analysis could you pl send us %Windows%\windowsupdate.log. Also pl check that hal.dll is there on your previous HDD.

regards,
Kishor

woah… who would have thunk it… a common virus, but “Patch Tuesday” being the possible catalyst… very intriguing (:NRD)

I can’t wait to see how this story ends :BNC

P.S. kishork, is Trojan Win32.Agent.bq in the CAV db presently?

Hi Kishor,

I’ll send mine when I get home tonight - about 12 hours.

cheers,
Ewen :slight_smile:

Hi,
Trojan Win32.Agent.bq is in the CAVS db. But if it's packed with some packers, it may not detect it. This virus can not cause the hal.dll issue. It is suspected that it has happened after Windows updates.
Let us get the windowsupdate.log from George which will help to investigate.

regards
Kishor

Here’s my windowsupdate.log file.

Hope this helps,
Ewen :slight_smile:

[attachment deleted by admin]

Hi Kishor

Here is my windowsupdate.log. I've checked and hal.dll is not there on my previous HDD. Also the copy I've made of it is gone. There is only a hal.dll in WINDOWS\Driver Cache\i386\sp2.cab.

George

[attachment deleted by admin]

Hi Ewen,
The attached file is not being downloaded properly and it downloads zero bytes. Could you reupload or pl send mail to me.

regards
Kishor

It’s probably too big at almost 2Mb… maybe Zipping it 1st?

:stuck_out_tongue: It would help if I cut and pasted the logs into the text file, wouldn’t it? :smiley: (:SHY)

Sorry, I’ll give myself an uppercut.

Ewen :slight_smile:

[attachment deleted by admin]