A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #493  by a_d_13
 Mon Mar 29, 2010 9:58 pm
Hello,

The board upload limit has been increased to 5 MB. Please host any larger files on an external file hosting service.

Thanks,
--AD
 #10655  by EP_X0FF
 Wed Dec 28, 2011 4:58 pm
This is a service DLL. If you have a registry snapshot from the machine where this DLL was discovered, please attach it; we need to know in which service this DLL was registered.

In particular, we need the contents of the HKLM\System\CurrentControlSet\Services registry key and all its subkeys to locate any reference to this DLL.

Also, please check for references to this CLSID {97A33157-2988-42BE-B4D5-93B7E823CAB8}: where do they occur?
 #10656  by markusg
 Wed Dec 28, 2011 5:17 pm
Last time I saw it (on another PC) it ran under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation
The user with the DLL uploaded in this topic is active, and I will get a snapshot of the registry.
 #10657  by EP_X0FF
 Wed Dec 28, 2011 5:25 pm
markusg wrote:Last time I saw it (on another PC) it ran under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation
The user with the DLL uploaded in this topic is active, and I will get a snapshot of the registry.
As expected. This DLL works with the Messenger service.
 #10659  by markusg
 Wed Dec 28, 2011 5:40 pm
I will use this tool:
http://regshot.sourceforge.net/
and will upload the .hiv file. I hope this is what you are looking for, or is it necessary to save some extra keys? But I think normally it should be a complete save of the registry.
 #10660  by EP_X0FF
 Wed Dec 28, 2011 5:42 pm
Well, it is not necessary to dump the whole hive. I think only the Services key and its subkeys will be enough. It would also be interesting to see whether any references to the {97A33157-2988-42BE-B4D5-93B7E823CAB8} CLSID exist on this machine.
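The two checks EP_X0FF asks for in posts #10655 and #10660 (which subkey under HKLM\SYSTEM\CurrentControlSet\Services registers the DLL, and where the CLSID is referenced) can be run offline against a regedit export of the Services key, which is what markusg is being asked to attach. The script below is an added example and is not code from the thread. The .reg text is constructed: the DLL name sample.dll, the service name ExampleSvc, the value name ClassId and the file paths are placeholders; only the CLSID and the LanmanWorkstation key come from the posts above. It decodes the hex(2) UTF-16LE form that regedit uses for REG_EXPAND_SZ values such as ServiceDll and ImagePath, including the backslash line continuations, because the DLL path of a svchost-hosted service is almost never stored as a plain quoted string.

```python
"""Locate the service that registers a DLL, and any CLSID references, in a
regedit (.reg) export. Added example; the sample export below is constructed."""
import re
from typing import Dict, List, Optional, Tuple, Union

RegValue = Union[str, int, bytes, List[str]]
RegDump = Dict[str, Dict[str, RegValue]]          # key path -> {value name -> data}

SERVICES_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
CLSID = "{97A33157-2988-42BE-B4D5-93B7E823CAB8}"  # the CLSID asked about in the thread

# Constructed export (placeholder names/paths, not data from the infected machine).
# ServiceDll is shown the way regedit really writes REG_EXPAND_SZ: hex(2), UTF-16LE,
# wrapped with trailing backslashes; it decodes to C:\Windows\sample.dll.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation]
"DisplayName"="Workstation"
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k NetworkService"
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"ServiceDll"=hex(2):43,00,3a,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,\
  73,00,5c,00,73,00,61,00,6d,00,70,00,6c,00,65,00,2e,00,64,00,6c,00,6c,00,\
  00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc\Parameters]
"ServiceDll"="C:\\Windows\\System32\\example.dll"
"ClassId"="{97A33157-2988-42BE-B4D5-93B7E823CAB8}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{97A33157-2988-42BE-B4D5-93B7E823CAB8}\InprocServer32]
@="C:\\Windows\\sample.dll"
'''

_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')   # "name"=data  or  @=data


def _unescape(s: str) -> str:
    # .reg quoted strings escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def _parse_data(data: str) -> RegValue:
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    if data.startswith("dword:"):
        return int(data[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", data)
    if m:
        kind = int(m.group(1) or 3)            # bare "hex:" is REG_BINARY (type 3)
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if kind in (1, 2):                     # REG_SZ / REG_EXPAND_SZ as UTF-16LE
            return raw.decode("utf-16-le").rstrip("\x00")
        if kind == 7:                          # REG_MULTI_SZ: NUL separated
            return [s for s in raw.decode("utf-16-le").split("\x00") if s]
        return raw
    return data                                # e.g. "-" (delete marker); keep verbatim


def parse_reg(text: str) -> RegDump:
    dump: RegDump = {}
    current: Optional[str] = None
    lines, i = text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        while line.endswith("\\") and i + 1 < len(lines):   # hex data wrapped by regedit
            i += 1
            line = line[:-1] + lines[i].strip()
        i += 1
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            dump.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue                               # tolerate lines we do not understand
        name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        dump[current][name] = _parse_data(m.group(2))
    return dump


def find_service_dll(dump: RegDump, dll_name: str) -> List[str]:
    """Services whose ServiceDll or ImagePath names dll_name (as the file component).
    svchost-hosted services keep ServiceDll under <service>\\Parameters, so the
    service name is taken from the first path component below the Services key."""
    prefix = SERVICES_ROOT.lower() + "\\"
    pat = re.compile(r"(?<![^\\])" + re.escape(dll_name) + r"(?=$|\s)", re.IGNORECASE)
    hits: List[str] = []
    for key, values in dump.items():
        if not key.lower().startswith(prefix):
            continue
        service = key[len(prefix):].split("\\")[0]
        lowered = {k.lower(): v for k, v in values.items()}   # value names are case-insensitive
        for vname in ("servicedll", "imagepath"):
            data = lowered.get(vname)
            if isinstance(data, str) and pat.search(data) and service not in hits:
                hits.append(service)
    return sorted(hits)


def find_clsid_refs(dump: RegDump, clsid: str) -> List[Tuple[str, Optional[str]]]:
    """(key, value name) pairs mentioning the CLSID; value name is None when the
    CLSID is part of the key path itself (e.g. HKLM\\SOFTWARE\\Classes\\CLSID\\{...})."""
    needle = clsid.lower()
    refs: List[Tuple[str, Optional[str]]] = []
    for key, values in dump.items():
        if needle in key.lower():
            refs.append((key, None))
        for vname, data in values.items():
            texts = data if isinstance(data, list) else [data] if isinstance(data, str) else []
            if any(needle in t.lower() for t in texts):
                refs.append((key, vname))
    return refs


if __name__ == "__main__":
    dump = parse_reg(SAMPLE_REG)
    print("services registering sample.dll:", find_service_dll(dump, "sample.dll"))
    for key, vname in find_clsid_refs(dump, CLSID):
        print("CLSID reference:", key, "" if vname is None else f"[{vname!r}]")
```

On the constructed export this reports LanmanWorkstation as the service loading sample.dll, and two CLSID references: the ClassId value under ExampleSvc\Parameters and the InprocServer32 key under HKLM\SOFTWARE\Classes\CLSID. For a real snapshot, export HKLM\SYSTEM\CurrentControlSet\Services (and, for the CLSID search, HKLM\SOFTWARE\Classes) with regedit or reg export, and convert the UTF-16 file to str before passing it to parse_reg; the InprocServer32 default value is where a COM-registered copy of the DLL would show up.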