Select file extension by starting letter:
A - B - C - D - E - F - G - H - I - J - K - L - M -
N - O - P - Q - R - S - T - U - V - W - X - Y - Z -
OTHER - Allowed chars in Filenames - what is an extension?
Secret service trojans
German secret services have been caught in the act of observing normal, innocent citizens via laptop camera/microphone and stealth keyloggers. Since secret services often cooperate in developing such tools or exchange their tools, it may be that these observations also happened in other countries. These files are possible indications that you have been observed: c:\windows\system32\mfc42ul.dll and winsys32.sys
(if you have installed windows on another drive you should look there)
If you want to read more: http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf
These extensions should be handled with particular caution if received as an attachment by mail, on a diskette or from any other source which you consider not fully trustworthy.
This is the reason why some mail programs rename files with these extensions, so that they can no longer be executed. First check them with a trustworthy virus checker! Afterwards you may rename them back to their original extension.
(It should be noted that there are other extensions which can be dangerous too. These are considered Level 1 files.)
If you think your system is infected, Lavasoft or Adaware offer useful free tools for private users. But since these tools work fully automatically, they sometimes do too good a job.
A very useful alternative for inexperienced users is HijackThis. There are sites where you can send HijackThis logs and get advice on what to do.
If you think you know enough about your system and are able to help yourself, or even want to detect totally new, not yet described viruses, the following tool might be the right thing for you:
FindVir is a tool (a multitude of tools) for detecting viruses by searching the different locations where they usually hide.
"Files which have changed since last inspection" does not rely on simple date comparisons (although these can be performed too) but uses a very fast CRC32 comparison (plus date, size and so on), as 'VIRCHECK' from 1999 already did. You can use this command on any system folder or normal files folder. A typical system scan takes only 10 minutes and normally turns up no more than 10-20 files, which are easy to survey.
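The following sketch shows the idea behind such a "changed since last inspection" check. It is an added example, not FindVir's or VIRCHECK's code; the function names and the report layout are assumptions made for illustration.

```python
import os
import zlib

def crc32_of(path, chunk=1 << 16):
    """Stream the file through zlib.crc32 so large files need little memory."""
    crc = 0
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            crc = zlib.crc32(block, crc)
    return crc & 0xFFFFFFFF

def snapshot(root):
    """Map relative path -> (size, mtime_ns, crc32) for every file below root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
                snap[os.path.relpath(full, root)] = (
                    st.st_size, st.st_mtime_ns, crc32_of(full))
            except OSError:
                continue  # locked or vanished file: skip it
    return snap

def compare(old, new):
    """Classify differences between two snapshots of the same folder."""
    report = {"added": [], "removed": [], "changed": [], "touched": []}
    for path, (size, mtime, crc) in new.items():
        if path not in old:
            report["added"].append(path)
            continue
        old_size, old_mtime, old_crc = old[path]
        if (size, crc) != (old_size, old_crc):
            # Content differs, even if the timestamp was set back afterwards.
            report["changed"].append(path)
        elif mtime != old_mtime:
            report["touched"].append(path)  # same bytes, new date only
    report["removed"] = [p for p in old if p not in new]
    for paths in report.values():
        paths.sort()
    return report
```

A date-only comparison would miss a file whose timestamp was restored after modification; the checksum comparison does not. CRC32 is fast but not collision resistant, so a baseline that has to withstand deliberately crafted files should store a cryptographic hash such as SHA-256 instead.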
Many viruses and worms try to masquerade as Windows executables or DLLs and use the same names as normal Windows executables or DLLs. They are easily detected by "Find files with identical names in system search path". A database is used in VirDetect and the paid version of FindVir to discriminate masquerading files from true Windows system files. So all these dialogs together help to easily detect even unknown viruses, worms or other spyware-related files.
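A minimal version of an "identical names in the search path" check, as an added example that is not FindVir's code. It has no database of known system files; instead it flags names whose copies differ in size or CRC32. The function names and the extension list are assumptions.

```python
import os
import zlib
from collections import defaultdict

EXEC_EXTS = {".exe", ".dll", ".sys", ".com", ".scr"}  # assumed set worth checking

def shadowed_names(search_path, exts=EXEC_EXTS):
    """Return {name: [(dir, size, crc32), ...]} for names found in 2+ directories.

    Directories keep their search order, so the first entry is the copy that
    wins when a bare name is resolved; the later entries are shadowed by it.
    """
    seen_dirs = set()
    hits = defaultdict(list)
    for directory in search_path:
        key = os.path.normcase(os.path.abspath(directory))
        if key in seen_dirs or not os.path.isdir(directory):
            continue  # duplicate or missing search path entry
        seen_dirs.add(key)
        for entry in os.scandir(directory):
            if not entry.is_file():
                continue
            name = entry.name.lower()  # Windows file names are case-insensitive
            if os.path.splitext(name)[1] not in exts:
                continue
            with open(entry.path, "rb") as fh:
                data = fh.read()
            hits[name].append(
                (directory, len(data), zlib.crc32(data) & 0xFFFFFFFF))
    return {n: locs for n, locs in hits.items() if len(locs) > 1}

def differing_copies(dupes):
    """Names whose copies differ in size or CRC32: review these first."""
    return sorted(n for n, locs in dupes.items()
                  if len({(s, c) for _d, s, c in locs}) > 1)

if __name__ == "__main__":
    dupes = shadowed_names(os.environ.get("PATH", "").split(os.pathsep))
    for name in differing_copies(dupes):
        print(name, [d for d, _s, _c in dupes[name]])
```

Identical copies in several directories are common and usually harmless; a same-named file with different content earlier in the search order than the system directory is the case that deserves a closer look.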
Some operations take a long time to complete on today's big hard disks, so it is always advisable to choose only subitems (subdirectories in this case).
As a short example, a run of "Show Alternate Data Stream Objects" produces these results in the log file (some entries deleted):
(ZoneId=3) means downloads with "INTERNET EXPLORER". (So if you don't use IE, or the file wasn't downloaded, or it was extracted from a zip (rar, 7zip...) archive, or copied from FAT (e.g. if you transferred the file over a USB stick formatted in FAT32 and not NTFS), or if you clear all ADSs from time to time, or..., further investigation should be done.)
Most dialogs have sub-dialogs so that further viewing, alterations, additions or deletions are possible. Right-click menus in some dialogs let you view or delete entries or, in the case of services, start or stop services.
You can even change your MAC address with one of these dialogs or view the full version history of DLLs and the like.
(all artefacts/smearing due to jpeg compression)
Since this system information is far more comprehensive than that of HijackThis (the most used tool at the moment to give a system snapshot for virus detection), there is an option in FindVir to print out a log file of a system summary.
VirDetect's comprehensive rootkit detection, injected process detection and IRC server connection detection routines will be integrated in later versions of FindVir.
Some operations of FindVir make heavy use of memory! Be prepared to wait if your computer is low in memory.
(Some possibly dangerous operations are disabled, such as delete LSP-chain entry, repair LSP-chain, or stop or start services.)
Load FindVir into a folder of your choice (not onto the desktop!), e.g. programs\utils\. Right-click on the desktop, select new, then link.
(FindVir needs the newest Microsoft library tools: vcredist-x86 or 64!)
(additional help info soon)
Use of FindVir is at your own risk! No guarantee for anything.
If you find an extension missing, write! No guarantee given for completeness or correctness.
If you feel an extension is outdated, write!
Authors and retailers: it is in the interest of us all and our customers to avoid the double use of extensions! Please help us keep this compilation up to date!
Send extension data to:
Compilation Copyright (c) R.Cooper-Bitsch, visit also: www.sunorbit.net