Please feel free to remove this if this is not malware, but I have been working with it and have been finding it coupled with some unstable userland malware that uses APPINIT_DLL to load on startup (Search toolbar stuff - causes pretty bad system instability including services not responding to control requests and inability to boot to normal mode). This set comes in two DLL's, the winXXprop goes into the APPINIT_DLL entry under WindowsNT\CurrentVersion\Windows and then, with that in there, will look for WinXXcert. There is no company name, no detections, and the main module only has two exports, including BZInvoke which appears to check which process is loaded and act accordingly. At BZInvoke+55 there is a function that appears to start making keys if Firefox or Chrome are present, but I just do not have the skill yet to figure out how to handle this. Mostly because this would be my first DLL, and I'm not really sure how to monitor what its doing, so i just called the DLL exports manually in OllyDBG but didn't get very far.
Feel free to move the topic if I posted this in error.
Feel free to move the topic if I posted this in error.
Attachments
infected
(87.21 KiB) Downloaded 45 times
(87.21 KiB) Downloaded 45 times