#16
What dlls belong in c:\windows\system32

Andy wrote:
> On Sunday, August 25, 2013 5:25:54 PM UTC-5, Andy wrote:
>> I have a dll in the system32 directory that I feel does not belong there. I would like to find out which ones should be there. I found this, but it is no longer available. DLL Help application. I posted this on a M.S. forum, but it is set up differently than other forums and I could not find my way back to where I posted. I am looking for some newsgroup that could give more detailed help. Thanks.
> You can find more info here. comp.lang.asm.x86 Topic is under "dem Mikroskop"

This is your scan of pkiviewt.dll. I got this by using the checksum value you posted and feeding that back into Virustotal. This would be what you saw on your scan.

Now, one thing pretty strange about your file is the size: 262144 bytes. How often is a file like that an exact power of two? If it were me, I would pop it in a hex editor for a look. Perhaps the size is an indication of the delivery vehicle. Rather than being installed, it was downloaded somehow, and that file is not the primary malware.

Another strange thing is there isn't the usual file analysis offered. Almost as if the file doesn't have header characteristics of an executable. Usually, there is a bit more info in the "Additional Information" tab.

https://www.virustotal.com/en/file/5...d33e/analysis/

Fortinet W32/Ponmocup.GZ!tr 20130821
Ikarus Trojan.Win32.Pirminay 20130821

http://www.microsoft.com/security/po...47337205#tab=2

"Threat behavior
TrojanDownloader:Win32/Ponmocup.A is a trojan that silently downloads and installs other programs without consent. This could include the installation of additional malware or malware components to an affected machine. TrojanDownloader:Win32/Ponmocup.A creates the following file(s) on an affected machine:
%windir%\temp\scse.tmp
%windir%\temp\scsf.tmp
system folder\drivers\etc\hosts
c:\documents and settings\administratorxplore.exe"

That seems like a pretty concrete thing to work on.

Maybe the free version of Malwarebytes could be used to scan the computer. I didn't find much for Trojan.Win32.Pirminay. Note that I don't click on that many links when I search for one of those. There are plenty of sites offering help, but which one do you trust?

http://www.microsoft.com/security/po...32%2FVundo.KAT

While your scan results have the earmarks of false positives, the fact you feel you're infected makes the results more significant.

Paul
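A way to run the two checks Paul describes on a suspect file, as an added example that is not from any poster in this thread: it tests whether the size is an exact power of two, parses the DOS and COFF headers to see whether the bytes have the header characteristics of an executable (and whether the DLL flag is set), and computes the SHA-256 you would feed back into VirusTotal. The sample file is constructed in memory, and `build_sample` and `triage` are names assumed here.

```python
import hashlib
import struct

IMAGE_FILE_DLL = 0x2000          # Characteristics flag set on DLLs


def is_power_of_two(n):
    return n > 0 and n & (n - 1) == 0


def build_sample(size=262144, dll=True):
    """Constructed sample: minimal DOS header + PE signature + COFF file header,
    zero-padded to `size` bytes. Not a real file from the thread."""
    pe_off = 0x80
    dos = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", pe_off)).ljust(pe_off, b"\x00")
    chars = 0x0102 | (IMAGE_FILE_DLL if dll else 0)   # EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, chars)   # Machine = i386
    return (dos + b"PE\0\0" + coff).ljust(size, b"\x00")


def triage(data):
    """Collect the facts a defender wants before looking a file up."""
    report = {
        "size": len(data),
        "power_of_two_size": is_power_of_two(len(data)),   # the 262144-byte oddity
        "sha256": hashlib.sha256(data).hexdigest(),        # hash to search on VirusTotal
        "valid_pe": False,
        "is_dll": False,
    }
    if len(data) < 0x40 or data[:2] != b"MZ":
        return report                   # no DOS header: not a Windows executable
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return report                   # e_lfanew does not point at a PE signature
    machine, nsections, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    report.update(valid_pe=True, machine=hex(machine), sections=nsections,
                  is_dll=bool(chars & IMAGE_FILE_DLL))
    return report


if __name__ == "__main__":
    print(triage(build_sample()))
```

To use it on a real file, pass `open(path, "rb").read()` to `triage`; a file that fails the `MZ`/`PE` checks is exactly the case Paul suspects, where VirusTotal shows no file-format analysis.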
#17
What dlls belong in c:\windows\system32

On Monday, August 26, 2013 12:33:10 PM UTC-4, Paul wrote:
> [...]
> http://www.microsoft.com/security/po...32%2FVundo.KAT
> While your scan results have the earmarks of false positives, the fact you feel you're infected makes the results more significant.
> Paul

Win32/Vundo may be what WAS causing the Comcast Constant Guard popup boxes. I thought that Palemoon was infected, so I deleted it and installed Firefox. No more problems with that issue.

I remember when I ran Malwarebytes or one of the many I used, it found something and removed it. It may have been important to the dll to function, and when it was removed, it became defanged. :-)

After reading about the FBI using browser exploits to track what sites suspects go to, and now a BHO exploit can cause havoc.

I have some assembly language experts helping with this. I think the dll is using encrypted strings, but with time they can be deciphered. I am getting some pretty neat tools to examine it. It listed the compiler used to make it and it showed 2 code caves, which can be indicative of bad intentions.

Andy
#18
What dlls belong in c:\windows\system32

On Sunday, August 25, 2013 6:25:54 PM UTC-4, Andy wrote:
> I have a dll in the system32 directory that I feel does not belong there. I would like to find out which ones should be there. I found this, but it is no longer available. DLL Help application. I posted this on a M.S. forum, but it is set up differently than other forums and I could not find my way back to where I posted. I am looking for some newsgroup that could give more detailed help. Thanks.

That is the one I sent to virustotal. Since I sent it up, it would be nice to find out all the specifics of it. I have spent quite a bit of time doing an autopsy on it.

Andy