What dlls belong in c:\windows\system32

Andy

I have a dll in the system32 directory that I feel does not belong there.

I would like to find out which ones should be there.

I found this, but it is no longer available.

DLL Help application

I posted this on an M.S. forum, but it is set up differently from other forums and I could not find my way back to where I posted.

I am looking for some newsgroup that could give more detailed help.

Thanks.
 
Nil

I have a dll in the system32 directory that I feel does not belong
there.

I would like to find out which ones should be there.

That's impossible to say. Many applications place dlls there. Every
system will be different. I currently have 2,746 of them in that
location. I don't think listing them all would be useful information.
 
Andy

That's impossible to say. Many applications place dlls there. Every
system will be different. I currently have 2,746 of them in that
location. I don't think listing them all would be useful information.

I know there is a list of what Windows uses and places there on installation and upgrades.

There is also documentation for other areas of interest, but it's limited to educators and other professionals.

There may be a way to see which installed user programs place dlls there and maybe determine by process of elimination.

The dll contained 2 code caves, which have both legitimate and non-legitimate uses.
 
Nil

I know there is a list of what Windows uses and places there on
installation and upgrades.

I doubt that there is. Which of the dozens of versions of Windows?
Which Service Packs are preinstalled? What features are enabled? What
hardware is installed? What 3rd-party addons are installed? Etc, etc.
Any such list you may find is sure to be massive and unreliable.

Here's a list of all the dlls in my system32 directory. All of them are
supposed to be there. Have at it:

http://rednoise.x10host.com/SearchResults.txt
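Added example (editor's code, not posted by anyone in this thread): the practical form of the "process of elimination" Andy proposes and of Nil's point that every machine differs. Instead of a universal list, it snapshots a known-good copy of the directory (a clean install of the same Windows version and service pack, or the same files on a second machine) into a manifest of SHA-256 hashes, diffs the suspect machine against it, and flags any new file whose name is one character away from a baseline name, which is exactly the pkiviewt.dll / pkiview.dll pattern. The directory contents in demo() are constructed; the reference directory is assumed to exist.

```python
"""Baseline-and-diff triage for a DLL directory (added example, not from the thread).

Snapshot a known-good copy of the directory into a manifest, then compare the
suspect machine against it. The directories used by demo() are constructed."""
import hashlib
import json
import os
import sys
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in 1 MiB chunks so large DLLs are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(directory, suffix=".dll"):
    """Map lower-cased file name -> SHA-256 for every *.dll directly in the directory."""
    manifest = {}
    for name in os.listdir(directory):
        full = os.path.join(directory, name)
        if name.lower().endswith(suffix) and os.path.isfile(full):
            manifest[name.lower()] = hash_file(full)
    return manifest


def diff_manifests(baseline, current):
    """Names that appeared, disappeared, or whose bytes changed relative to the baseline."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(n for n in both if baseline[n] != current[n]),
    }


def one_edit_apart(a, b):
    """True if b is a with one character inserted, deleted or replaced (edit distance 1)."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]   # one substitution
    return a[i:] == b[i + 1:]           # one insertion into the shorter name


def flag_lookalikes(added, baseline):
    """For each new file, list baseline names whose stem is one edit away,
    e.g. pkiviewt.dll next to pkiview.dll: a classic masquerading pattern."""
    stems = {n: os.path.splitext(n)[0] for n in baseline}
    hits = {}
    for n in added:
        stem = os.path.splitext(n)[0]
        near = sorted(b for b, s in stems.items() if one_edit_apart(stem, s))
        if near:
            hits[n] = near
    return hits


def demo():
    """Two constructed directories: a clean baseline and a 'current' system32 with one
    modified DLL and one look-alike addition. Returns (diff, lookalike hits)."""
    clean_files = {"pkiview.dll": b"clean", "kernel32.dll": b"clean"}
    now_files = {"pkiview.dll": b"clean", "kernel32.dll": b"patched", "pkiviewt.dll": b"???"}
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as now:
        for directory, files in ((clean, clean_files), (now, now_files)):
            for name, content in files.items():
                with open(os.path.join(directory, name), "wb") as f:
                    f.write(content)
        baseline = build_manifest(clean)
        delta = diff_manifests(baseline, build_manifest(now))
    return delta, flag_lookalikes(delta["added"], baseline)


if __name__ == "__main__":
    # Usage: snapshot <dir> <manifest.json>   |   compare <dir> <manifest.json>
    if len(sys.argv) == 4 and sys.argv[1] == "snapshot":
        with open(sys.argv[3], "w") as out:
            json.dump(build_manifest(sys.argv[2]), out, indent=1)
    elif len(sys.argv) == 4 and sys.argv[1] == "compare":
        with open(sys.argv[3]) as inp:
            baseline = json.load(inp)
        delta = diff_manifests(baseline, build_manifest(sys.argv[2]))
        print(json.dumps({"diff": delta, "lookalikes": flag_lookalikes(delta["added"], baseline)}, indent=1))
    else:
        print(json.dumps(demo(), indent=1))
```

Run `snapshot` on the reference system and `compare` on the suspect one. A hit only means "differs from your reference": a different service pack or hotfix level produces many benign "changed" entries, so confirm hits with signature checks (Sysinternals sigcheck, or sfc /scannow on XP) rather than treating each one as malware. Hashing from a boot CD or a second operating system, as Andy did from his Linux partition, also keeps a running rootkit from hiding the file from the tool that is looking for it.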
 
Andy

All Win32 DLLs go into your system32,
from games to software,
from Microsoft to Apple,
all in between.

Now if you have a DLL you know not,
post the DLL name and we will help you
get the info you need to know.

Thanks.

The name of the file is pkiviewt.dll and it was in the system32 directory.

Note the t before .dll. After this was deleted, my problems went away.

I just ran M.S. security scanner and it came up clean, but it could not scan the dll because it's in a Linux partition.

I just rebooted from running Linux on a dual O.S. system.

Never had any virus/rootkit or malware.

I am getting a rather annoying popup box from Comcast saying it found a bot.

Andy
 
micky

Thanks.

The name of the file is pkiviewt.dll and it was in the system32 directory.

Note the t before .dll. After this was deleted, my problems went away.

After the t was deleted or after the dll was deleted?

It's better to rename problem files than to delete them entirely,
because it may turn out that one has misidentified the problem, and he
wants the file back later. Maybe that's what had happened here,
someone added a t (for temporary?) to see how the computer would work
without pkiview.dll. Does anyone fiddle with the computer besides
you?
I just ran M.S. security scanner and it came up clean, but it could not scan the dll because it's in a Linux partition.

Huh. You have a system32 directory in a Linux partition?
 
Andy

After the t was deleted or after the dll was deleted?

It's better to rename problem files than to delete them entirely,
because it may turn out that one has misidentified the problem, and he
wants the file back later. Maybe that's what had happened here,
someone added a t (for temporary?) to see how the computer would work
without pkiview.dll. Does anyone fiddle with the computer besides
you?

Huh. You have a system32 directory in a Linux partition?

The name of the dll that ends in t is what I deleted from the windows/system directory from within XP.

It was marked as a system file, so I could not delete it from within Windows.

I booted to my OpenSuse O.S. and renamed it to pkiview.xxx to prevent it from being used and to study it later and moved it to a Linux hidden partition.

I am happy that it is not causing any more problems, but would like to find out the mechanism of how it was copied or created in the system32 directory.

Andy
 
Andy

Micky is 100% right.

I have a system32 directory on "Xandros Linux"
because it was able to lie to software and
run it as if it was a Windows operating system.

I would like to know the name of his Linux too?

I think I answered your questions on my last post.

Thanks.
 
Andy

I have a dll in the system32 directory that I feel does not belong there.

You can find more info here.

comp.lang.asm.x86

Topic is Under "dem Mikroskop"
 
Paul

Andy said:
You can find more info here.

comp.lang.asm.x86

Topic is Under "dem Mikroskop"

This is your scan of pkiviewt.dll . I got this, by using the
checksum value you posted, and feeding that back into Virustotal.
This would be what you saw on your scan.

Now, one thing pretty strange about your file, is the size.
262144 bytes. How often is a file like that, an exact power-of-two ?
If it was me, I would pop it in a hex editor for a look. Perhaps
the size is an indication of the delivery vehicle. Rather than
being installed, it was downloaded somehow, and that file
is not the primary malware.

Another strange thing, is there isn't the usual file analysis
offered. Almost as if the file doesn't have header characteristics
of an executable. Usually, there is a bit more info in the
"Additional Information" tab.

https://www.virustotal.com/en/file/...08704e2e7b3b37a0a5ac1bda8582495d33e/analysis/

Fortinet W32/Ponmocup.GZ!tr 20130821
Ikarus Trojan.Win32.Pirminay 20130821

http://www.microsoft.com/security/p...r:Win32/Ponmocup.A&ThreatID=-2147337205#tab=2

"Threat behavior

TrojanDownloader:Win32/Ponmocup.A is a trojan that silently downloads
and installs other programs without consent. This could include the
installation of additional malware or malware components to an affected
machine.

TrojanDownloader:Win32/Ponmocup.A creates the following file(s) on an affected machine:

%windir%\temp\scse.tmp
%windir%\temp\scsf.tmp
<system folder>\drivers\etc\hosts
c:\documents and settings\administratorxplore.exe
"

That seems like a pretty concrete thing to work on.
Maybe the free version of Malwarebytes could be used
to scan the computer.

I didn't find much for Trojan.Win32.Pirminay . Note
that I don't click on that many links when I search
for one of those. There are plenty of sites offering
help, but which one do you trust ?

http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/Vundo.KAT

While your scan results have the earmarks of false
positives, the fact you feel you're infected makes
the results more significant.

Paul
 
Andy

This is your scan of pkiviewt.dll. I got this, by using the
checksum value you posted, and feeding that back into Virustotal.
This would be what you saw on your scan.




Win32/Vundo may be what WAS causing the Comcast Constant Guard popup boxes.

I thought that Palemoon was infected, so I deleted it and installed Firefox.

No more problems with that issue.

I remember that when I ran Malwarebytes or one of the many I used,
it found something and removed it.

It may have been important for the dll to function, and when it was removed, it became defanged. :)

After reading about the FBI using browser exploits to track what sites suspects go to and now a BHO exploit can cause havoc.

I have some assembly language experts helping with this.

I think the dll is using encrypted strings, but with time they can be deciphered.

I am getting some pretty neat tools to examine it.

It listed the compiler used to make it, and it showed 2 code caves, which can be indicative of bad intentions.

Andy
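Added example (editor's code, not posted by anyone in this thread): Paul's two observations above, that 262144 bytes is an exact power of two and that VirusTotal showed none of its usual file analysis, and Andy's report of two code caves, can all be checked offline from the file bytes. This script parses just enough of the PE layout (DOS header, PE signature, COFF header, section table) to say whether the file is a PE image and a DLL, computes the SHA-256 that can be fed back into VirusTotal as Paul did, lists zero-filled runs inside sections as code caves, and reports the overlay (bytes after the last section). build_sample_dll() constructs a synthetic DLL image for demonstration only; it is not pkiviewt.dll, and CAVE_MIN is an assumed threshold.

```python
"""Static triage of a suspect DLL (added example, not from the thread): PE header sanity,
exact-power-of-two size, SHA-256 for a VirusTotal lookup, zero-filled code caves and
trailing overlay. build_sample_dll() constructs a synthetic image; it is not pkiviewt.dll."""
import hashlib
import json
import struct
import sys

CAVE_MIN = 64                   # assumed threshold: a zero run this long inside a section counts as a cave
IMAGE_FILE_DLL = 0x2000         # COFF Characteristics flag
IMAGE_SCN_MEM_EXECUTE = 0x20000000   # section Characteristics flag


def is_power_of_two(n):
    return n > 0 and (n & (n - 1)) == 0


def zero_runs(data, base, min_len):
    """(file_offset, length) for every run of 0x00 bytes of at least min_len in data."""
    runs, i, n = [], 0, len(data)
    while i < n:
        if data[i]:
            i += 1
            continue
        j = i
        while j < n and not data[j]:
            j += 1
        if j - i >= min_len:
            runs.append((base + i, j - i))
        i = j
    return runs


def triage(blob):
    report = {"size": len(blob), "size_power_of_two": is_power_of_two(len(blob)),
              "sha256": hashlib.sha256(blob).hexdigest(), "is_pe": False, "is_dll": False,
              "sections": [], "caves": [], "overlay_bytes": 0}
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return report                                   # no DOS header: not a PE at all
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 24 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return report                                   # MZ stub but no PE signature
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", blob, e_lfanew + 4)
    report.update(is_pe=True, machine=hex(machine), is_dll=bool(chars & IMAGE_FILE_DLL))
    sect_off = e_lfanew + 24 + opt_size                 # section table follows the optional header
    end_of_data = sect_off + 40 * nsect
    for k in range(nsect):
        off = sect_off + 40 * k
        if off + 40 > len(blob):
            break                                       # truncated section table
        name, _, _, rawsize, rawptr, _, _, _, _, schars = struct.unpack_from("<8sIIIIIIHHI", blob, off)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        raw = blob[rawptr:rawptr + rawsize]
        end_of_data = max(end_of_data, rawptr + len(raw))
        report["sections"].append({"name": name, "raw_offset": rawptr, "raw_size": rawsize,
                                   "executable": bool(schars & IMAGE_SCN_MEM_EXECUTE)})
        report["caves"] += [{"section": name, "offset": o, "length": ln}
                            for o, ln in zero_runs(raw, rawptr, CAVE_MIN)]
    report["overlay_bytes"] = max(0, len(blob) - end_of_data)   # bytes past the last section
    return report


def build_sample_dll(total_size=262144):
    """Constructed 32-bit DLL image: two sections, a 300-byte cave in .text and a 96-byte
    cave in .data, zero-padded to an exact power-of-two size like the file in the thread."""
    text = b"\x55\x8b\xec" * 40 + b"\x00" * 300 + b"\xc3" * 20   # code, cave, code
    data = b"\x00" * 96 + b"Hello\x00" * 10
    nsect, pe_off = 2, 0x40
    text_ptr = pe_off + 24 + 40 * nsect                 # SizeOfOptionalHeader is 0 in this sample
    data_ptr = text_ptr + len(text)
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", pe_off)             # e_lfanew lives at 0x3C
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, nsect, 0, 0, 0, 0, 0x2102)  # i386, DLL

    def section(name, size, ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, size, 0x1000, size, ptr, 0, 0, 0, 0, flags)

    image = (dos + coff + section(b".text", len(text), text_ptr, 0x60000020)
             + section(b".data", len(data), data_ptr, 0xC0000040) + text + data)
    return image + b"\x00" * (total_size - len(image))


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dll()
    print(json.dumps(triage(blob), indent=2))
```

Run it as `python pe_triage.py suspect.dll`; with no argument it triages the constructed sample. Two caveats: linkers pad every section out to the file alignment, so a few zero runs are normal in any legitimate image and a cave count on its own proves nothing; and a file that carries a .dll name but has no MZ/PE headers at all is itself a finding, because the Windows loader could never have loaded it, which fits Paul's guess that it is a dropped payload rather than the running component.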
 
Andy

I have a dll in the system32 directory that I feel does not belong there.

That is the one I sent to virustotal.

Since I sent it up, it would be nice to find out all the specifics of it.

I have spent quite a bit of time doing an autopsy on it.

Andy
 
