NT File Manager

14-year-old files & 1 registry entry...


Hi;

I was doing some system maintenance on a Win2k SP4 machine and 2 XP Pro SP3 machines and found some files in:

- ..\Local Settings\Application Data\

and

- ..\Documents and Settings\user name\Application Data\

when I searched for them, they came back as supposedly bad:

fusioncache.dat (no threat detected during scan)

GDIPFFONTCACHEV1.DAT (no threat detected during scan)

IconCache.db (no threat detected during scan)

except these two (which supposedly belong to Roxio / Sonic):

rx_audio.Cache (no threat detected during scan)

rx_image.Cache (no threat detected during scan)

some of these files had a file date of when the system was built

so I used the ESET Online Scanner, Spybot S&D, and then tried MBAM.

I had AVG up until 2 days ago and then dumped it because it wasn't working properly

other than to slow my systems down,

- it wouldn't even detect the EICAR test string every time

during the quick scan, a registry entry which I created with the Group Policy Editor was detected as a hijack on all the systems;

actually all the anti-Spy/Malware scanners detect this and I don't know why,

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind

Result > (Hijack.Find)

this key is created when using the GPO

User Configuration\Administrative Templates\Start Menu and Taskbar\

"Remove Search From the Start Menu" (Enabled)

(I try to remove clutter I don't use from my system / menus etc.)

so after all that I ran a "Deep Scan" and selected all the drives in my main system

which has a ton of backed-up files from 4 Win3.1x machines that I haven't had time to sort out and permanently archive or remove yet;

here's where it gets weird;

one 14-year-old file from the Microsoft Win32s extension set for 16-bit Win3.1x was detected as a trojan dropper:

D:\310Moved\Server~D\SOFTWARE\WIN~DLLS.100\SYSTEM\WIN32S\W32SKRNL.DLL

D:\310Moved\Server~D\SOFTWARE\WIN~DLLS.166\SYSTEM\WIN32S\W32SKRNL.DLL

D:\310Moved\Server~J\WINDOWS\SYSTEM\WIN32S\W32SKRNL.DLL

D:\310Moved\Server~L\WINDOWS\SYSTEM\WIN32S\W32SKRNL.DLL

E:\310Moved\Server~D\SOFTWARE\WIN~DLLS.100\SYSTEM\WIN32S\W32SKRNL.DLL

E:\310Moved\Server~D\SOFTWARE\WIN~DLLS.166\SYSTEM\WIN32S\W32SKRNL.DLL

E:\310Moved\Server~J\WINDOWS\SYSTEM\WIN32S\W32SKRNL.DLL

E:\310Moved\Server~L\WINDOWS\SYSTEM\WIN32S\W32SKRNL.DLL

Result on all files > (Trojan.Dropper) -> No action taken.

they're all the same file: W32SKRNL.DLL, 82,944 bytes, 30/01/1996 23:00

the file comes from a legitimate program install CD which included Win32s and the game FreeCell;

even though those Win3.1x systems were never on the Internet or even a real network,

I used Interlink to transfer to the main backup file storage server back then

and then when I got the new XP system I pulled the largest drive

and put it on an IDE/USB adapter and pulled the files to the main system now in use.

should I submit a copy of this file just to verify it?

sorry for the long post, I hope it makes enough sense.

summary

there's really two things going on:

> where'd those weird files come from and why aren't they detected?

> and why are a legitimate registry entry and a file from 1996 detected as threats?

THX


The detection of the disabled Find button is self-explanatory. There are multiple trojans that disable functions that aid the user in fixing things and collecting samples, and we re-enable them. If you have set these restrictions yourself, please use the ignore function; it was designed for these exact situations. Keep in mind that there is no way to tell how a standard function has become disabled.

Malwarebytes will not run on systems below Windows 2000, so Windows 3.1 files are not anything we ever test against. Without the file there is no way to proceed from here.


My apologies for taking this long, my weekends are always packed with stuff to do;

I'm attaching the file from Win32s for Win3.1 that is detected as a trojan dropper.

W32SKRNL.DLL

in addition to the GPO item: "Remove search from the start menu"

I also have checked:

- "Remove Documents menu item"

- "Remove my pictures from the start menu"

- "Remove my music from the start menu"

- "Disable User Tracking"

- "Do not keep history of recently opened documents"

- "Clear document history on exit"

etc.

I would think that most people would be more freaked out if their Documents, Pictures, and Music menu links disappeared from the Start menu before they'd even notice that Search was missing, and yet these settings aren't detected as problems.

cheers

W32SKRNLDLL.zip

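The reply above says a scanner has no way to tell how NoFind (or any of the other restrictions listed in the last post) came to be set. On a single machine you do have one piece of evidence a scanner ignores: the local user GPO persists Administrative Template settings in %SystemRoot%\System32\GroupPolicy\User\Registry.pol, so a restriction value that appears in that file was written by Group Policy, while a restriction present in HKCU but absent from Registry.pol has no policy explanation and deserves a closer look. The following is an added example, not code from the thread or from Malwarebytes: it parses the Registry.pol "PReg" format, then compares the policy-set values against a snapshot of HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. The mapping from policy names to registry value names is taken from the XP-era system.adm template and should be re-checked against your own ADM/ADMX files; the Registry.pol blob and the live-value snapshot below are constructed sample data, and `read_live_explorer_restrictions` (Windows only) shows how to get the real snapshot.

```python
import struct
from typing import Dict, List, Tuple

# Key (relative to HKCU) that the Start Menu and Taskbar restrictions live under.
# Value names: assumption based on the XP-era system.adm template; re-check locally.
EXPLORER_POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
POLICY_VALUE_NAMES = {
    "NoFind": "Remove Search menu from Start Menu",
    "NoRecentDocsMenu": "Remove Documents menu from Start Menu",
    "NoSMMyPictures": "Remove My Pictures icon from Start Menu",
    "NoSMMyMusic": "Remove My Music icon from Start Menu",
    "NoInstrumentation": "Turn off user tracking",
    "NoRecentDocsHistory": "Do not keep history of recently opened documents",
    "ClearRecentDocsOnExit": "Clear history of recently opened documents on exit",
}
REG_DWORD = 4


def parse_registry_pol(blob: bytes) -> List[Tuple[str, str, int, bytes]]:
    """Parse a Registry.pol file: 'PReg' + DWORD version 1, then entries of the
    form [key;value;type;size;data].  Brackets and semicolons are UTF-16LE
    characters, key and value are NUL-terminated UTF-16LE strings, type and
    size are little-endian DWORDs, data is `size` raw bytes."""
    if blob[:4] != b"PReg" or struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("not a version-1 Registry.pol file")

    def expect(p: int, ch: str) -> int:
        if blob[p:p + 2] != ch.encode("utf-16-le"):
            raise ValueError(f"expected {ch!r} at offset {p}")
        return p + 2

    def read_wstr(p: int) -> Tuple[str, int]:
        end = p
        while blob[end:end + 2] != b"\x00\x00":  # step by 2 to stay on UTF-16 unit boundaries
            end += 2
            if end >= len(blob):
                raise ValueError("unterminated string in Registry.pol")
        return blob[p:end].decode("utf-16-le"), end + 2

    entries, pos = [], 8
    while pos < len(blob):
        pos = expect(pos, "[")
        key, pos = read_wstr(pos)
        pos = expect(pos, ";")
        value, pos = read_wstr(pos)
        pos = expect(pos, ";")
        vtype = struct.unpack_from("<I", blob, pos)[0]
        pos = expect(pos + 4, ";")
        size = struct.unpack_from("<I", blob, pos)[0]
        pos = expect(pos + 4, ";")
        data = blob[pos:pos + size]
        pos = expect(pos + size, "]")
        entries.append((key, value, vtype, data))
    return entries


def classify_restrictions(live_values: Dict[str, int], pol_blob: bytes) -> Dict[str, str]:
    """For every non-zero Explorer restriction present in the live registry, report
    'policy-backed' if the user Registry.pol sets that value to 1 under the Explorer
    policy key, otherwise 'unexplained' (nothing in local policy accounts for it)."""
    policy_set = {
        value for key, value, vtype, data in parse_registry_pol(pol_blob)
        if key.lower() == EXPLORER_POLICY_KEY.lower()
        and vtype == REG_DWORD and struct.unpack("<I", data[:4])[0] == 1
    }
    return {name: ("policy-backed" if name in policy_set else "unexplained")
            for name, val in live_values.items() if val}


def read_live_explorer_restrictions() -> Dict[str, int]:
    """Windows only: enumerate the DWORD values actually present under the
    Explorer policy key in HKCU.  Imported lazily so the module loads elsewhere."""
    import winreg
    found = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, EXPLORER_POLICY_KEY) as k:
        i = 0
        while True:
            try:
                name, val, vtype = winreg.EnumValue(k, i)
            except OSError:  # no more values
                break
            if vtype == winreg.REG_DWORD:
                found[name] = val
            i += 1
    return found


# --- constructed sample data (not captured from a real machine) -----------------
def _pol_entry(key: str, value: str, vtype: int, data: bytes) -> bytes:
    w = lambda s: s.encode("utf-16-le")
    return (w("[") + w(key) + b"\x00\x00" + w(";") + w(value) + b"\x00\x00" + w(";")
            + struct.pack("<I", vtype) + w(";") + struct.pack("<I", len(data)) + w(";")
            + data + w("]"))

# A local-GPO Registry.pol enabling three of the policies named in the thread.
SAMPLE_REGISTRY_POL = b"PReg" + struct.pack("<I", 1) + b"".join(
    _pol_entry(EXPLORER_POLICY_KEY, name, REG_DWORD, struct.pack("<I", 1))
    for name in ("NoFind", "NoRecentDocsMenu", "NoSMMyPictures"))

# Hypothetical HKCU snapshot: the three policy values plus NoRun, which no policy set.
SAMPLE_LIVE_VALUES = {"NoFind": 1, "NoRecentDocsMenu": 1, "NoSMMyPictures": 1, "NoRun": 1}


if __name__ == "__main__":
    for name, status in classify_restrictions(SAMPLE_LIVE_VALUES, SAMPLE_REGISTRY_POL).items():
        print(f"{name:24s} {status:14s} {POLICY_VALUE_NAMES.get(name, '(no matching Start Menu policy)')}")
```

Two caveats when using this on a real machine: domain-applied settings come from Registry.pol files under SYSVOL rather than the local GroupPolicy folder, so check those too, and a value that policy sets is still indistinguishable from the same value written by something else, so "policy-backed" means "explained", not "proven clean". It does, however, let you add the policy-backed values to the scanner's ignore list with some confidence and concentrate on the unexplained ones.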
