Strange Dll

Jon Raman

I have a dual processor Win2k Server machine that may have been
compromised. I ran Sysinternals Filemon and there is a file
called c:\WINNT\system32\config\SecEvents32.dll that is often being
accessed. I Googled the file and did not even get one hit returned.
It is usually accessed by either ntkrnlpa.exe or the system process.
C:\WINNT\System32\config\SecEvent.Evt is a common file for event
logging but I find nothing on SecEvents32.dll. I am afraid to delete
the file if it is supposed to be useful and am just wondering what the
readers of this group think.
 
Rename it and see what happens. If something terrible happens
then you can easily boot your machine into Command Console
mode, using your Win2000 CD, and rename the file back to
its original name.
 
Jon Raman said:
I have a dual processor Win2k Server machine that may have been
compromised. I ran Sysinternals Filemon and there is a file
called c:\WINNT\system32\config\SecEvents32.dll that is often being
accessed. I Googled the file and did not even get one hit returned.
It is usually accessed by either ntkrnlpa.exe or the system process.
C:\WINNT\System32\config\SecEvent.Evt is a common file for event
logging but I find nothing on SecEvents32.dll. I am afraid to delete
the file if it is supposed to be useful and am just wondering what the
readers of this group think.

AFAICT it's not part of Windows, but it might very well be part
of a third-party application or utility. If you right-click/Properties
on the DLL, is there a Version tab? What info does it give?

Rick
 
Interesting. There is no version tab. All the other DLLs on the
machine have version tabs, but not this one.
 
That's usually (not always) a bad indicator. I'd try renaming it and
see what happens.

Rick
 
Definitely not a Microsoft DLL, that's for sure. I'll look and see if I have this file... nope. And in fact I don't have a single file of type DLL in that location. Yeah, rename it and see what happens, if anything. You can always look at processes and see if there is anything there that looks out of the ordinary.
 
George Hester said:
Definitely not a Microsoft DLL, that's for sure. I'll look and see if I have this file... nope. And in fact I don't have a single file of type DLL in that location. Yeah, rename it and see what happens, if anything. You can always look at processes and see if there is anything there that looks out of the ordinary.

There should not be any DLLs in that folder -- just data files. Here's a
complete list of the contents of the config folder on my system.

AppEvent.Evt
default
default.LOG
default.sav
SAM
SAM.LOG
SecEvent.Evt
SECURITY
SECURITY.LOG
software
software.LOG
software.sav
SysEvent.Evt
system
SYSTEM.ALT
system.LOG
system.sav
TempKey.LOG
userdiff
userdiff.LOG
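
The baseline comparison in the reply above can be scripted. This is an added example, not code from anyone in the thread: it uses the posted listing as an allow-list, flags anything else in the folder, and checks whether each extra file is a PE image and whether it carries a version resource. The function names are hypothetical, and the `VS_VERSION_INFO` byte search is an assumed heuristic for the missing Version tab, not a full resource parse.

```python
import os

# Allow-list copied from the directory listing posted in the thread.
# Windows file names are case-insensitive, so compare lowercased.
BASELINE = {n.lower() for n in """AppEvent.Evt default default.LOG default.sav
SAM SAM.LOG SecEvent.Evt SECURITY SECURITY.LOG software software.LOG
software.sav SysEvent.Evt system SYSTEM.ALT system.LOG system.sav
TempKey.LOG userdiff userdiff.LOG""".split()}

# Version resources store their key as a UTF-16LE string (heuristic marker).
VERSION_MARKER = "VS_VERSION_INFO".encode("utf-16-le")

def is_pe(data):
    """True if bytes start with MZ and e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    off = int.from_bytes(data[0x3C:0x40], "little")
    return data[off:off + 4] == b"PE\0\0"

def audit_config_dir(path):
    """Return one finding per entry in `path` that is not in the baseline."""
    findings = []
    for name in sorted(os.listdir(path)):
        if name.lower() in BASELINE:
            continue
        try:
            with open(os.path.join(path, name), "rb") as fh:
                data = fh.read()
        except OSError:
            # Locked, unreadable, or a directory: still report it.
            findings.append({"name": name, "pe": None, "version_info": None})
            continue
        findings.append({"name": name, "pe": is_pe(data),
                         "version_info": VERSION_MARKER in data})
    return findings

if __name__ == "__main__":
    import sys
    # Path is supplied by the operator, e.g. a mounted copy of the config folder.
    for f in audit_config_dir(sys.argv[1]):
        flag = "PE image" if f["pe"] else "not PE or unreadable"
        ver = "has version info" if f["version_info"] else "no version info"
        print(f"UNEXPECTED {f['name']}: {flag}, {ver}")
```

Run it against an offline copy or a mounted image of the folder where possible, since the live registry hives and event logs are held open by the system.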
 