Tuts 4 You

Posted (edited)

VirusTotal Results

Just thought I'd share this. Renaming this DLL throws a RUNDLL error on startup; it's in CurrentVersion\Run and run with RUNDLL. Analysis in OllyDbg with Phantom shows the same thing as VirusTotal in the abstract; I didn't look at it further. Seems to start a thread with native API and collect system data. Removing the startup placement in the registry just causes it to be replaced by something on the next reboot. Survives only on a 32-bit kernel. There is no packer or anti-debug... it's just there and backed by some rootkit which the latest builds of GMER and RKU don't detect. McAfee heuristics picked it up as an injector.

The most interesting thing is, renaming it on the target box and reboot stops frequent redirects in browsers, especially with Google results. The system also has updated real time protection with behavioral analysis and heuristics that efficiently filter low level file system interfaces with a signed driver. o.o

As the description indicated... literally 0 results on all search engines, and there is no vendor info on the file. File attached.

zip pass:thedll

Edited by hiya
Posted

my analysis with OllyDbg

1 collect information of the computer
2 the goal of the dll is to start the RUNDll
3 so the RUNdll can disguise the dll

somehow the dll uses a method that searches for some program that is not installed and that initiates the RUNdll error

let's remember that a rundll error could be for several reasons, for example:

1 the registry is full of entries that are trash
2 programs that are removed already
3 the system is infected with some virus or malware

at the moment that the system searches for the right files to keep running the OS, but the malware prohibits the access, then the RUNdll error appears

we can make one small test first:

1 start
2 run
3 write in the small window REGEDIT then ok
4 search for HKE_USER\Software\Microsoft\Windows\CurrentVersion\Run
5 make sure that the RUNdll is not there; if it is there then delete it

now the next step:

1 start
2 run
3 in the small window run write MSCONFIG then ok
4 startup
5 uncheck the RunDll32
6 reboot the computer

if this ERROR appears you can use some program to fix the registry

make sure that when you have to uninstall some program you do it the right way

some programs, in order to be fully deleted, must reboot the computer

summary:

this dll is a complement of another program
one possibility is that it is the complement of some trojan
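The manual Run-key check above can be scripted. This is an added example, not code from the thread or from either poster: it assumes the standard HKCU and HKLM Run keys (the thread's "HKE_USER" path is left as written), lists every autostart that launches through rundll32, and reports whether the target DLL still exists on disk and whether it carries a valid Authenticode signature, so orphaned entries from removed programs and unsigned loaders stand out.

```powershell
# Added example (not from the thread): enumerate Run-key autostarts that go
# through rundll32 and check the DLL each one loads.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Get-RunDllAutostarts {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # PS* properties are PowerShell provider metadata, not registry values
            if ($p.Name -like 'PS*') { continue }
            $cmd = [string]$p.Value
            # Match "rundll32[.exe] <dll>[,Entry]"; the DLL is either quoted or has no spaces.
            # Assumption: unquoted DLL paths containing spaces are not handled here.
            if ($cmd -notmatch '(?i)rundll32(\.exe)?["\s]+(?<dll>"[^"]+"|[^,\s]+)') { continue }
            $dll = [Environment]::ExpandEnvironmentVariables($Matches['dll'].Trim('"'))
            $exists = Test-Path -LiteralPath $dll
            # A missing file matches the "programs that are removed already" case;
            # an existing but unsigned file is the one worth a closer look.
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'FileMissing' }
            [pscustomobject]@{
                Key       = $key
                ValueName = $p.Name
                Command   = $cmd
                Dll       = $dll
                Exists    = $exists
                Signature = $sig
            }
        }
    }
}

Get-RunDllAutostarts | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable; entries showing `NotSigned` or `FileMissing` are the ones to compare against the MSCONFIG startup list before deleting anything.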

Posted

It's just some proprietary DLL for something that was on the machine once, not sure what, but it's not malicious. The actual problem was with Google doing redirects, and it made me think I had a rootkit because of the way they use DNS, and my AV wasn't detecting anything. I also tested with some newer ARKs and nothing was found.

Kardelia.SYS is another file, this is an undocumented driver though with no ID in the structure. Hides from the file system and some other drivers can't even detect it. RKU 2.8 LE only sees it.
