Wednesday, May 18, 2005

Key File Index

The following is an in-progress index of key files. The files are designated "key" files as a result of issues discovered during various computer repairs, queries received at Virtual Grub Street, and issues noted during extensive Internet research. It will be regularly updated with new information as it becomes available. Revision dates will be listed in parentheses next to the revised/updated item.

The information in the Key File Index is the result of thousands of web searches. It cannot, however, possibly be complete. The subject is vast and constantly changing. The information on the page is not guaranteed correct, and any use you may choose to make of it is entirely at your own risk.


File Name: mwsoemon.exe

  • Related Names:
  • Associated Files: websearch1.exe; hbhostie.dll; hbinst.exe; mwsbar.dll; mwsoestb.dll; mwssrcas.dll.
  • What is mwsoemon.exe?: Installs MyWebSearch (MySearchBar, MyWay Speed Bar). Installs itself into "c:\program files\".
  • Related Articles:
  • Notes:


File Name: navlogon.dll
  • Related Names:
  • Associated Files:
  • What is Navlogon.dll?: When it appears as a Winlogon Notify entry (O20 - Winlogon Notify: NavLogon) at C:\WINDOWS\system32\NavLogon.dll on Windows XP, C:\Winnt\System32\NavLogon.dll on Windows NT/2000, or C:\Windows\System\NavLogon.dll on Windows 95/98/Me, this file is the legitimate Norton Anti-Virus log-on library. No other instances of this file are known.
  • Related Articles: None.
  • Notes:
File Name: rundll32.exe

  • Related Names: Normal Windows file for loading applications. It can also be associated with: Backdoor.Lastdoor trojan; StartPage trojan; W32/Legemer.worm; W32.Miroot.Worm; etc.
  • Associated Files:
  • What is rundll32.exe?: The normal Windows system file "rundll32.exe" is an executable used to load Dynamic Link Libraries recognized by the Windows system and call the functions they export. If it is removed, many legitimate programs will no longer be able to run on the affected machine. Counterfeit rundll32.exe programs are frequent components of viruses, trojans, worms, etc.
  • Related Articles: None.
  • Notes: The legitimate Windows rundll32.exe file is located at C:\WINDOWS\System32\rundll32.exe for Windows XP, C:\Winnt\System32\rundll32.exe for Windows NT/2000, and C:\Windows\System\rundll32.exe for Windows 95/98/Me. The legitimate rundll32.exe file can, however, be overwritten by the Backdoor.Lastdoor trojan. Any copy of rundll32.exe found anywhere other than the appropriate Windows folder is associated with a virus, spyware, trojan or worm.

File Name: Sysmon.dll

  • Related Names: WORM_APRIFUL.A [Trend Micro]; Diplodock System Spy II [Spyware Information Center]; Spyware.SystemSpy [Symantec].
  • Associated Files: analyzer.exe; ss.exe.
  • What is Sysmon.dll?: Sysmon.dll is a keystroke logger that can affect Windows 95, Windows 98 and Windows Me. It can run without appearing in the Task Manager.
  • Related Articles: None.
  • Notes:

File Name: Sysmon.exe

  • Related Names: Trojan.Sysmon [Dialogue Science]; Trojan.Win32.VB.ac [Kaspersky]; Worm.Win32.Bizex [Kaspersky]; W32/Bizex.worm [McAfee]; W32/Bizex-A [Sophos]; Java/Bizex.A.
  • Associated Files: ICQ2003Decrypt.dll; icq_socket.dll; irsetup.dat; java32.dll; javaext.dll; sysmon.ini.
  • What is Sysmon.exe?: Sysmon.exe can be a malware file, especially if found together with any of the above files. This is also the file name of AOpen, Inc.'s legitimate CPU monitoring software.
  • Related Articles: None.
  • Notes: Sysmon.exe occupies approximately 32k of memory.

File Name: Sysmon.ocx

  • Related Names:
  • Associated Files:
  • What is Sysmon.ocx?: Sysmon.ocx is a legitimate ActiveX control used to monitor and enhance the hardware of a Windows-based computer. If it is removed, some legitimate Windows programs will no longer be functional.
  • Related Articles: None.
  • Notes: Sysmon.ocx occupies approximately 200-235k of memory.

File Name: winldra.exe

  • Related Names: Nibu.j trojan; Dumaru trojan (or worm); Dumador trojan (or worm); Bambo trojan.
  • Associated Files: dvpd.dll; netdx.dat; socks.dat; prntsvra.dll; TEMP\fa4537ef.tmp; prntk.log; prntc.log; feff35a0.htm; fe43e701.htm.
  • What is Winldra.exe?: Winldra.exe is associated with the Nibu.j backdoor trojan (a.k.a. Dumaru, Dumador, Bambo). It harvests information from the user's computer and periodically sends it to the host site. The information may include screenshots and keystroke logs.
  • Related Articles: None.
  • Notes:
