hal.dll [RESOLVED in v2.0.11.43+]

Hey Dan,

I’ve registered - just waiting for a confirming email. I’ll do a cut ‘n’ shut when I can.

cheers,
ewen :slight_smile:

Most excellent.

(:CLP)

Hi,
I will paste the information from the post “Malware renaming system files”
http://malware-research.co.uk/index.php?topic=3049.0
Currently malware-research.co.uk site is down, I will do it asap this site is up.

In brief: the files from the system32 folder are being renamed to numbers, and hence on the next boot hal.dll is missing.

regards
Kishor

Good day!

Below, I am pasting the contents of the post “Malware renaming system files”
http://malware-research.co.uk/index.php?topic=3049.0. Do you face the same kind of issue?

Bobby:
One of my test-machines was rendered unusable by some malware which renames system DLLs.
I’ve infected one of my test-machines with some Zlob sample, and installed all the new VirusBursters & co (MalwareWipe, PestTrap…).
As a result, machine ended infected with Lmir, some worm named Gamec (Kaspersky) etc etc.

The main problem is that all the files in System32 folder were renamed (see the screenshot).

Btw, I forgot to test one thing: whether the system would boot with the infections not removed (I scanned the HDD immediately after shutdown, by mounting it on another PC, and removed the files recognized by KAV and/or BitDefender).
I mean, is there a malware driver installed that knows how to handle the renamed files?

After I’ve removed the infection (HDD mounted on clean PC), and mounted the HDD back, Windows could not boot (can’t find HAL.DLL).

Anyone with an idea how to revert the changes, in the case we get a victim with such problem?

Karl:
It should be possible to add the dll extension and then open the file properties and get the right name from the version tab. I recently did a reinstall of my main system, there are 1295 dll files in system32. Renaming every file by hand will need more time than reinstalling windows, and most people wouldn’t be able to do this because they only have one computer. Probably there will be dll files which are missing the version info.

Btw: how did you make Windows show the exact file sizes in Explorer? My Windows only shows the size in KB; for the exact size I have to open the properties.

Mosaic1:
That’s ugly. What do the subfolders look like? Dllcache wiped? Or does it look like this too?

Something so widespread IMO should not be repaired. Sometimes you should wipe the drive.

If a person has an install Partition and not a CD, I wonder if that would be destroyed by this thing too.

Scripts, commands etc. to examine and repair would all be useless if the correct filenames for wscript.exe cmd.exe and support files weren’t in place.

Bobby:
Boot.ini is OK, not altered.
Wscript.exe and cmd.exe can’t be found by using Search function in Total Commander, I guess they are renamed too.
The names of the subfolders in System32 are renamed too. The content of those subfolders is not renamed, but that is not for sure. Perhaps more files would have been renamed if I had let it run for more time.
I can’t say anything about dllcache because this Windows was trimmed down using nLite in order to run it on my test machine (600 MHz VIA EPIA), so everything that could be removed was removed.

I have one more test machine with XP SP1 (not trimmed with nLite); if needed I can install those frauds on it and monitor the whole process.

regards
Kishor

[attachment deleted by admin]
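Karl’s suggestion above (read the original name from the file’s version info rather than renaming 1295 files by hand) can be scripted. This is an added example, not code from the thread or from Comodo; it assumes the affected System32 is mounted offline on a clean machine under an assumed path such as D:\Windows\system32, and it only reports until -Apply is given.

```powershell
# Added example: restore original names of renamed Windows binaries from the
# OriginalFilename field of their version resource (the same data Explorer's
# "Version" tab shows). Run it against an offline copy of System32, not the
# live system, and review the report before using -Apply.
param(
    [Parameter(Mandatory = $true)][string]$Folder,   # assumed, e.g. D:\Windows\system32
    [switch]$Apply                                    # without -Apply nothing is renamed
)

$report = foreach ($f in Get-ChildItem -LiteralPath $Folder -File) {
    # A file renamed to a bare number has no extension, but the version
    # resource is still inside the PE image, so GetVersionInfo can read it.
    $vi   = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($f.FullName)
    $orig = $vi.OriginalFilename

    if ([string]::IsNullOrWhiteSpace($orig)) {
        # Karl's caveat: some files carry no version info and must be handled by hand.
        [pscustomobject]@{ Current = $f.Name; Original = ''; Action = 'skip: no version info' }
        continue
    }
    $orig   = $orig.Trim()                 # some resources carry trailing blanks
    $target = Join-Path $Folder $orig

    if ($orig -ieq $f.Name) {
        [pscustomobject]@{ Current = $f.Name; Original = $orig; Action = 'ok: already named' }
    } elseif (Test-Path -LiteralPath $target) {
        # Never overwrite: two renamed files may claim the same original name.
        [pscustomobject]@{ Current = $f.Name; Original = $orig; Action = 'skip: target exists' }
    } else {
        if ($Apply) { Rename-Item -LiteralPath $f.FullName -NewName $orig }
        $act = if ($Apply) { 'renamed' } else { 'would rename' }
        [pscustomobject]@{ Current = $f.Name; Original = $orig; Action = $act }
    }
}

$report | Format-Table -AutoSize
# Everything that needs a human decision goes to a CSV in the current directory.
$report | Where-Object { $_.Action -like 'skip*' } |
    Export-Csv -Path (Join-Path $PWD 'rename-report.csv') -NoTypeInformation
```

OriginalFilename is not always the installed name (the installed hal.dll is a copy of one of the HAL variants and reports that variant’s name), so the dry-run report is the place to catch those before applying.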

Bad news Dan, they knocked my application back as they are a “serious” malware research forum.

Their forum, their call.

ewen :slight_smile:

Hi Kishor,

No, it doesn’t seem similar to that issue. I have attached a listing of the files and folders of Windows\system32 on my old HD (D). For comparison I also made a listing of the same folder on my new HD (C). Further I included a listing of the Windows folder on D and the Program Files folder on D (folders only, but subfolders also). I used this tool: http://thd.dyndns.org/s_filelister.php to make the listings. If you need to see any other listing of files/folders on my old HD please ask.

George

[attachment deleted by admin]

Hi George,
Thank you very much.
It seems that there are a lot of DLLs missing, including hal.dll, and it seems it’s not a case of renaming of DLLs. So we need to investigate more to find out who deletes/moves the DLLs.

George, did you try CAVS 2.0.5.7 or CAVS 2.0.5.12? We are logging file deletions and the name of the parent process that does them.

regards
Kishor

The current CAV beta just logs deletes, not renames?

I’m wondering if the full blown HIPS/sandbox of the future CPF would help if the issue is malware.

I imagine it would prompt/notify the user if something tried to delete/rename a system file (or possibly any file).

I am new, but I did :THNK think of some things: this may be 3rd party software…
or, if it is renaming the system32 folder, Comodo thinks that it is a virus… and a virus may be using the hal.dll file and more .dll files…
Note: I have removed the IST toolbar, and that one was a hard virus to get out; the system would not boot right after using System Mechanic 5.
I did not have the hal.dll problem…

I looked on Google and came up with a lot; here are two web sites on hal.dll

http://www.compphix.com/corrupthal.html
They say how to get it back; it has to do with the boot.ini file.
hope this helps you out (:AGL)
steven

Not that I can be much use, but just to let you all know that I had this issue too.
I kept getting some sort of script error when I opened the CAVS main window, so I uninstalled and rebooted = missing/corrupt hal.dll.
If there is any information I can get from my computer then just ask.

That’s an excellent offer, but it may be dependent on how/if you recovered.

  • If you reformatted, for example, all the logs would be lost.
  • But if you did a repair install for example, there’s an excellent chance there will be something you can post.

If only I knew what to post… then I could complete this thought… (:SHY) oh well (:WIN)

Let’s start with this :slight_smile:

Regards, George

HI All,
The hal.dll issue is detected and resolved in CAVS beta 2.0.11.43. The same version was released on the Comodo website as the first release of CAVS beta 2.0.
For more details on the fixing of hal.dll please see
https://forums.comodo.com/index.php/topic,6794.msg58628.html#msg58628

regards
Kishor

Hi Guys.

We are now getting very close to CAV 3… Info & Screen Shots:

This thread is now closed in preparation for that. (:m*)

Thanks
Josh