Strange Dll

Jon Raman

I have a dual processor Win2k Server machine that may have been
compromised. When I ran Sysinternals Filemon, there was a file
called c:\WINNT\system32\config\SecEvents32.dll that is often being
accessed. I Googled the file and did not even get one hit returned.
It is usually accessed by either ntkrnlpa.exe or the system process.
C:\WINNT\System32\config\SecEvent.Evt is a common file for event
logging but I find nothing on SecEvents32.dll. I am afraid to delete
the file if it is supposed to be useful and am just wondering what the
readers of this group think.
 
Pegasus (MVP)

Rename it and see what happens. If something terrible happens
then you can easily boot your machine into Command Console
mode, using your Win2000 CD, and rename the file back to
its original name.
 
Rick

Jon Raman said:
I have a dual processor Win2k Server machine that may have been
compromised. When I ran Sysinternals Filemon, there was a file
called c:\WINNT\system32\config\SecEvents32.dll that is often being
accessed. I Googled the file and did not even get one hit returned.
It is usually accessed by either ntkrnlpa.exe or the system process.
C:\WINNT\System32\config\SecEvent.Evt is a common file for event
logging but I find nothing on SecEvents32.dll. I am afraid to delete
the file if it is supposed to be useful and am just wondering what the
readers of this group think.

AFAICT it's not part of Windows, but it might very well be part
of a third-party application or utility. If you right-click/Properties
on the DLL, is there a Version tab? What info does it give?

Rick
 
Jon Raman

Interesting. There is no version tab. All the other DLLs on the
machine have version tabs, but not this one.
 
Rick

That's usually (not always) a bad indicator. I'd try renaming it and
see what happens.

Rick
 
George Hester

Definitely not a Microsoft dll that's for sure. I'll look and see if I have this file...nope. And in fact I don't have a single file of type dll in that location. Yeah rename it and see what happens if anything. You can always look at processes and see if there is anything there that looks out of the ordinary.
 
Gary Smith

George Hester said:
Definitely not a Microsoft dll that's for sure. I'll look and see if I have this file...nope. And in fact I don't have a single file of type dll in that location. Yeah rename it and see what happens if anything. You can always look at processes and see if there is anything there that looks out of the ordinary.

There should not be any DLLs in that folder -- just data files. Here's a
complete list of the contents of the config folder on my system.

AppEvent.Evt
default
default.LOG
default.sav
SAM
SAM.LOG
SecEvent.Evt
SECURITY
SECURITY.LOG
software
software.LOG
software.sav
SysEvent.Evt
system
SYSTEM.ALT
system.LOG
system.sav
TempKey.LOG
userdiff
userdiff.LOG
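
The check the replies above describe, as an added example that is not part of any post in the thread: it compares a folder against the file list posted above and flags any file whose content is a PE image, whatever its name. The function names and the constructed sample directory are assumptions for illustration.

```python
import struct
import tempfile
from pathlib import Path

# Baseline: the listing posted above (one Win2k system, not an authoritative manifest).
BASELINE = {n.lower() for n in """AppEvent.Evt default default.LOG default.sav
SAM SAM.LOG SecEvent.Evt SECURITY SECURITY.LOG software software.LOG
software.sav SysEvent.Evt system SYSTEM.ALT system.LOG system.sav
TempKey.LOG userdiff userdiff.LOG""".split()}

def is_pe(path):
    """True if the file has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    try:
        with open(path, "rb") as f:
            head = f.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            f.seek(struct.unpack_from("<I", head, 0x3C)[0])
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False  # unreadable (e.g. locked hive): cannot classify

def audit_config_dir(directory):
    """Return (name, reasons) pairs for files that deserve a closer look."""
    findings = []
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file():
            continue
        reasons = []
        if path.name.lower() not in BASELINE:
            reasons.append("not in baseline")
        if is_pe(path):  # content check, so renaming the file does not hide it
            reasons.append("PE image in data-only folder")
        if reasons:
            findings.append((path.name, reasons))
    return findings

def build_sample_dir():
    """Constructed sample: two baseline data files plus a minimal fake PE."""
    d = Path(tempfile.mkdtemp())
    for name in ("SecEvent.Evt", "SAM"):
        (d / name).write_bytes(b"\x00" * 64)
    stub = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
    (d / "SecEvents32.dll").write_bytes(stub)
    return d

if __name__ == "__main__":
    for name, reasons in audit_config_dir(build_sample_dir()):
        print(name, "->", ", ".join(reasons))
```

On a live system the registry hives in this folder are locked by the OS, so the PE check is most reliable when run against an offline copy or a mounted image.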
 
