zphgfue.dll - Any insight?


buho (Programmer), Jan 31, 2004
Hello.

First, if this group is not the right one, feel free to redirect me to any other group fitting my needs.

My Windows 2000 Adv. Server machine is loading (or may be trying to load) a so-called zphgfue.dll.

I have an entry in the HKLM\...\Run key and another in the HKLM\...\RunOnce key, the last one marked with a "*" (so it loads in safe mode too). The DLL is not present in the machine.

-> "*zphgfue"="rundll32 C:\\WINNT\\system32:zphgfue.dll,Init 1"

The keys can't be deleted, as EXPLORER.EXE automatically re-creates them.

-> regedit.exe:964 DeleteValueKey HKLM\...\*zphgfue
. SUCCESS
-> explorer.exe:1096 SetValue HKLM\...\*zphgfue
. SUCCESS
. "rundll32 C:\WINNT\system32:zphgfue.dll,Init 1"

Furthermore, every user has a zphgfue (no extension) file in D&S\user\...\temp. Said file is in use and can't be deleted. Deleting the file in a non-logged-in user's directory is possible, of course, but the file will be re-created at the next login.

The DLL appears to be accessed at least by mshta.exe and mdm.exe.

-> mshta.exe:1280 OPEN C:\WINNT\system32:zphgfue.dll
. SUCCESS Options: Open Access: Execute
-> mdm.exe:1628 OPEN C:\WINNT\system32:zphgfue.dll
. SUCCESS Options: Open Access: Execute

What is troubling me is:
a) I can't find any reference on the 'net
b) I don't have said DLL, but the logs report the accesses as "SUCCESS".
c) The ":" syntax in the parameters line (...system32:zphgfue.dll,Init 1)

Any insight/info/pointers will be pretty much appreciated.

TIA.
buho.

 
Nearly one month later:

The keys vanished. They were there last week; they are nowhere tonight.

Please, any clue, pointer, theory, whatever will be really appreciated. This thing is driving me mad.

buho (A).

 
I'd hazard a guess that it's a trojan, virus, or some other malware. The format file:name is a stream. NTFS supports alternate data streams. The DLL was hidden in an alternate data stream of the system32 directory itself. Data in an alternate stream can be executed by calling it directly. One very real virus that took advantage of all this was W32.Stream. Looks like you found a new variant.


The naming convention looks like coreflood-d.





Notepad is a stream-aware application if you want to experiment....


At a command prompt, type notepad c:\test.txt:mystream

Click yes at the prompt.

Type your thesis, list of reasons why IBM Domino [arguably a virus itself] sucks, or other lengthy document.

Click save.

Close notepad.

change directories to c:\ and do a directory listing.

Note that test.txt is 0 bytes long.

open notepad

from the file menu, navigate to and select test.txt

note that the document is blank.

close notepad

from the command prompt, type notepad c:\test.txt:mystream

Your thesis is back.
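The notepad walk-through above can be reproduced, and the two indicators from the original post checked for, with PowerShell's -Stream support (PowerShell 3.0 and later). This is an added example for readers of the thread, not code posted by xmsre or buho. It assumes a modern Windows host with an NTFS volume; the demo file is created under $env:TEMP, the registry key names are the standard Run/RunOnce locations, and the "path:stream" regex is my own heuristic. On a Windows 2000 box of the era the equivalent enumeration would have been done with the Sysinternals Streams utility, since `dir /r` did not exist yet.

```powershell
# Added example (not from the thread). Reproduces the ADS experiment, then
# checks for the two indicators buho's logs showed:
#   1. a Run/RunOnce value whose command uses "<path>:<stream>" syntax
#   2. named streams attached to a directory such as system32
# Everything under $TestFile is created here purely for the demonstration.

$TestFile = Join-Path $env:TEMP 'test.txt'

# --- 1. The notepad experiment without notepad -------------------------------
New-Item -Path $TestFile -ItemType File -Force | Out-Null
Set-Content -Path $TestFile -Stream 'mystream' -Value 'hidden text'

# The unnamed ($DATA) stream is still empty, so dir shows 0 bytes...
(Get-Item $TestFile).Length
# ...but the file carries a second stream with its own (non-zero) Length.
Get-Item -Path $TestFile -Stream * | Select-Object FileName, Stream, Length
# Reading the stream by name brings the text back, as notepad did.
Get-Content -Path $TestFile -Stream 'mystream'

# --- 2. Hunting for ADS indicators -------------------------------------------
function Find-AdsAutoruns {
    # Any autorun value whose command references <path>:<stream> is suspect.
    # A value name beginning with "*" in RunOnce also runs in Safe Mode,
    # which is what buho observed on the "*zphgfue" entry.
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    # A drive-letter colon is followed by "\"; an ADS colon is followed by a
    # stream name. The pattern only fires on the second kind (heuristic).
    $adsPattern = '(?i)[a-z]:\\[^\s"]*:[^\\\s"]+'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not values
            if ("$($p.Value)" -match $adsPattern) {
                [pscustomobject]@{
                    Key      = $key
                    Name     = $p.Name
                    SafeMode = $p.Name.StartsWith('*')
                    Command  = $p.Value
                }
            }
        }
    }
}

function Find-DirectoryStreams {
    param([string]$Path = "$env:SystemRoot\System32")
    # A directory normally has only the unnamed stream; any named stream on a
    # directory deserves a look (this is where system32:zphgfue.dll lived).
    Get-Item -Path $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

Find-AdsAutoruns
Find-DirectoryStreams

# Cleanup. A single stream can also be removed on its own:
#   Remove-Item -Path $TestFile -Stream 'mystream'
Remove-Item $TestFile -Force
```

Run it from an elevated prompt so the HKLM keys and System32 are readable. An empty result from Find-DirectoryStreams only means no named streams were found on that one directory; a thorough sweep walks every file and directory on the volume, which is what the Sysinternals Streams tool (or `dir /r /s` on Vista and later) does.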
 
Thank you very much, xmsre!

buho (A).
 