A Windows XP help forum. PCbanter

What dlls belong in c:\windows\system32
#16
August 26th 13, 05:33 PM, posted to microsoft.public.windowsxp.general
Paul

Andy wrote:
On Sunday, August 25, 2013 5:25:54 PM UTC-5, Andy wrote:
I have a dll in the system32 directory that I feel does not belong there.

I would like to find out which ones should be there.

I found this, but it is no longer available.

DLL Help application

I posted this on a M.S. forum, but it is set up differently than other forums and I could not find my way back to where I posted.

I am looking for some newsgroup that could give more detailed help.

Thanks.


You can find more info here.

comp.lang.asm.x86

Topic is Under "dem Mikroskop"


This is your scan of pkiviewt.dll. I got this by using the
checksum value you posted and feeding that back into VirusTotal.
This would be what you saw on your scan.

Now, one thing pretty strange about your file is the size:
262144 bytes. How often is a file like that an exact power of two?
If it were me, I would pop it in a hex editor for a look. Perhaps
the size is an indication of the delivery vehicle. Rather than
being installed, it was downloaded somehow, and that file
is not the primary malware.

Another strange thing is that there isn't the usual file analysis
offered. Almost as if the file doesn't have the header characteristics
of an executable. Usually there is a bit more info in the
"Additional Information" tab.

https://www.virustotal.com/en/file/5...d33e/analysis/

Fortinet W32/Ponmocup.GZ!tr 20130821
Ikarus Trojan.Win32.Pirminay 20130821

http://www.microsoft.com/security/po...47337205#tab=2

"Threat behavior

TrojanDownloader:Win32/Ponmocup.A is a trojan that silently downloads
and installs other programs without consent. This could include the
installation of additional malware or malware components to an affected
machine.

TrojanDownloader:Win32/Ponmocup.A creates the following file(s) on an affected machine:

%windir%\temp\scse.tmp
%windir%\temp\scsf.tmp
system folder\drivers\etc\hosts
c:\documents and settings\administratorxplore.exe
"

That seems like a pretty concrete thing to work on.
Maybe the free version of Malwarebytes could be used
to scan the computer.

I didn't find much for Trojan.Win32.Pirminay. Note
that I don't click on that many links when I search
for one of those. There are plenty of sites offering
help, but which one do you trust?

http://www.microsoft.com/security/po...32%2FVundo.KAT

While your scan results have the earmarks of false
positives, the fact you feel you're infected makes
the results more significant.

Paul
#17
August 26th 13, 06:29 PM, posted to microsoft.public.windowsxp.general
Andy[_17_]

On Monday, August 26, 2013 12:33:10 PM UTC-4, Paul wrote:
[Paul's post #16 above, quoted in full]

Win32/Vundo may be what WAS causing the Comcast Constant Guard popup boxes.

I thought that Palemoon was infected, so I deleted it and installed Firefox.

No more problems with that issue.

I remember when I ran Malwarebytes or one of the many I used,
it found something and removed it.

It may have been important to the dll to function, and when it was removed, it became defanged. :-)

After reading about the FBI using browser exploits to track what sites suspects go to, and now a BHO exploit can cause havoc.

I have some assembly language experts helping with this.

I think the dll is using encrypted strings, but with time they can be deciphered.

I am getting some pretty neat tools to examine it.

It listed the compiler used to make it, and it showed 2 code caves, which can be indicative of bad intentions.

Andy
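The checks Paul lists (an exact power-of-two size, a hash to feed back into VirusTotal, whether the file even has the header characteristics of an executable) and the code caves Andy's tools reported can all be done offline with a few lines of standard-library Python. The script below is an added example written for this page; it is not code from either poster or from any tool named in the thread. It parses the DOS/COFF/section headers of a PE file directly, and its code-cave rule (a long run of 0x00 bytes inside an executable section) is one simple heuristic, not whatever Andy's analysis tool used. The PE it analyses by default is constructed in memory so the example runs without the suspect DLL; pass a real path on the command line to triage that instead.

```python
"""Static triage of a suspect DLL: size, hashes, PE sanity, code caves.
Pure standard library; the default input is a PE constructed in memory."""
import hashlib
import struct
import sys

IMAGE_FILE_DLL = 0x2000             # COFF Characteristics: image is a DLL
IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section Characteristics: executable


def is_power_of_two(n):
    return n > 0 and (n & (n - 1)) == 0


def parse_pe(data):
    """Return machine type, DLL flag and section table, or None if not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    sect_off = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsect):
        off = sect_off + 40 * i
        if off + 40 > len(data):
            return None  # truncated section table: not a usable PE
        name, vsize, vaddr, raw_size, raw_ptr, _, _, _, _, flags = \
            struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "raw_size": raw_size,
                         "raw_ptr": raw_ptr, "flags": flags})
    return {"machine": machine, "is_dll": bool(chars & IMAGE_FILE_DLL),
            "sections": sections}


def null_runs(buf, min_len):
    """(start, length) of every run of 0x00 bytes at least min_len long."""
    runs, start = [], None
    for i, b in enumerate(buf):
        if b == 0:
            start = i if start is None else start
        elif start is not None:
            if i - start >= min_len:
                runs.append((start, i - start))
            start = None
    if start is not None and len(buf) - start >= min_len:
        runs.append((start, len(buf) - start))
    return runs


def find_code_caves(data, pe, min_len=64):
    """Heuristic: long zero runs inside executable sections are slack an
    attacker can overwrite with code without growing the file."""
    caves = []
    for s in pe["sections"]:
        if not s["flags"] & IMAGE_SCN_MEM_EXECUTE:
            continue
        raw = data[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
        for start, length in null_runs(raw, min_len):
            caves.append((s["name"], s["raw_ptr"] + start, length))
    return caves


def triage(data):
    pe = parse_pe(data)
    return {"size": len(data), "power_of_two": is_power_of_two(len(data)),
            "md5": hashlib.md5(data).hexdigest(),       # either hash works
            "sha256": hashlib.sha256(data).hexdigest(),  # as a VirusTotal key
            "is_pe": pe is not None, "is_dll": bool(pe and pe["is_dll"]),
            "caves": find_code_caves(data, pe) if pe else []}


def build_sample_pe():
    """Constructed 2048-byte PE32 DLL (not a real file): a .text section whose
    raw data is mostly zero padding, plus a non-executable .data section."""
    code = b"\x55\x8b\xec" + b"\x90" * 29 + b"\xc3"  # push ebp; mov ebp,esp; nops; ret
    text_raw, data_raw = code.ljust(1024, b"\0"), b"\0" * 512
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic, rest left zero
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt),
                       IMAGE_FILE_DLL | 0x0002)     # i386, 2 sections, DLL
    hdr = "<8sIIIIIIHHI"
    sects = struct.pack(hdr, b".text", len(code), 0x1000, len(text_raw), 512,
                        0, 0, 0, 0, 0x60000020)     # CODE | EXECUTE | READ
    sects += struct.pack(hdr, b".data", len(data_raw), 0x2000, len(data_raw),
                         512 + len(text_raw), 0, 0, 0, 0, 0xC0000040)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)           # e_lfanew -> "PE\0\0"
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sects
    return headers.ljust(512, b"\0") + text_raw + data_raw


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for k, v in triage(blob).items():
        print(f"{k:13}: {v}")
```

On the constructed sample the report shows a 2048-byte, power-of-two DLL with one cave of 991 zero bytes in .text, which is exactly the kind of slack a packer or an injected payload leaves behind; on a file that returns is_pe False, VirusTotal's missing "Additional Information" would be explained by the file not being an executable at all.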
#18
August 26th 13, 06:32 PM, posted to microsoft.public.windowsxp.general
Andy[_17_]

On Sunday, August 25, 2013 6:25:54 PM UTC-4, Andy wrote:
I have a dll in the system32 directory that I feel does not belong there.

I would like to find out which ones should be there.

I found this, but it is no longer available.

DLL Help application

I posted this on a M.S. forum, but it is set up differently than other forums and I could not find my way back to where I posted.

I am looking for some newsgroup that could give more detailed help.

Thanks.


That is the one I sent to VirusTotal.

Since I sent it up, it would be nice to find out all the specifics of it.

I have spent quite a bit of time doing an autopsy on it.

Andy