microsoft-...interop.ni.dll curiosity.


Post by e3cb on Wed Mar 13, 2013 4:52 pm

Soooo, after sudden paranoia about a friend's CC info being stolen after using my computer, I got paranoid about my Windows machine. I don't really care if it gets compromised, it is just a nuisance. After digging through lots-a-logs, I found an unsigned DLL (Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll) in the C:\Windows\assembly folder, not very common. After some research: Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll is a DLL with version 6.1.0.0, file size 54784 bytes, last update on 7/13/2009 9:45:52 PM and file location %SYSTEMROOT%:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft-Windows-H#\xxxxxxxxxxxxxxxxxxx. However, this is not the case on my machine. A. it is not signed by Windows. B. it was modified this past January and C. it has no defined language. This annoys the hell out of me. May be something, may be nothing; however, I haven't had time to RE it yet, it certainly does match the default filesize so I am thinking the Windows OS has been compromised. If anyone is interested, I can add a link to the DLL in question.

EDIT: Seems more like paranoia, nothing ablaze on the internet.


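Added example (not part of any post in this thread, and not code from the posters): a minimal Python header check for the properties the first post compares, namely file size, hash, PE build timestamp, whether an embedded Authenticode certificate table exists, and whether the file carries a CLR header. The sample bytes, the timestamp value and the function names are constructed for illustration; note that NGen native images (`.ni.dll`) are compiled locally, so an absent embedded signature is expected for them.

```python
import hashlib
import struct
from datetime import datetime, timezone

CERT_DIR, CLR_DIR = 4, 14  # data-directory indexes: certificate table, CLR header

def triage_pe(data: bytes) -> dict:
    """Header facts for judging a DLL: size, hash, build time, signing, .NET."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        raise ValueError("not a PE file: missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    timestamp, = struct.unpack_from("<I", data, pe + 8)   # COFF TimeDateStamp (build time, not NTFS mtime)
    opt = pe + 24                                         # optional header start
    magic, = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)          # first data directory
    count, = struct.unpack_from("<I", data, dirs - 4)     # NumberOfRvaAndSizes

    def directory(index):
        if index >= count:
            return (0, 0)
        return struct.unpack_from("<II", data, dirs + 8 * index)

    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "built_utc": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
        "has_authenticode": directory(CERT_DIR)[1] > 0,   # embedded signature present (not validated)
        "is_dotnet": directory(CLR_DIR)[1] > 0,           # CLR header present
    }

def build_sample(timestamp, cert_size=0, clr_size=0) -> bytes:
    """Constructed PE32 headers only (no sections), for demonstration."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 224, 0x2102)
    dirs = [(0, 0)] * 16
    dirs[CERT_DIR] = (0x400 if cert_size else 0, cert_size)
    dirs[CLR_DIR] = (0x2000 if clr_size else 0, clr_size)
    opt = struct.pack("<H", 0x10B) + bytes(90) + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    return dos + b"PE\0\0" + coff + opt

if __name__ == "__main__":
    print(triage_pe(build_sample(1247521552, clr_size=72)))
```

A non-empty certificate table only shows that an embedded signature exists; validating it still needs a verifier such as `Get-AuthenticodeSignature` or `signtool verify`. Comparing the SHA-256 against the same file on a known-clean machine of the same build is the stronger check for an unexplained modification date.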

Post by 3vilp4wn on Wed Mar 13, 2013 6:16 pm

Sounds like it's solved, but here's what I would try:

1.) Get a Linux live USB/CD.
2.) In Linux, move the file onto a USB.
3.) Boot into Windows.
4.) If it works, yay. If not, replace the file.

Post by WallShadow on Wed Mar 13, 2013 6:17 pm

That's interesting, please post the link, I might take a look at it.

Post by e3cb on Wed Mar 13, 2013 11:23 pm

3vil: checked to see if it was loaded in any active process and it wasn't; also did a rename file file.bak and no problems.

Wall: damn you for not being on IRC. I will have you a link tomorrow in the afternoon time, but I did some quick analysis and found nothing off the bat (mainly involved checking for any sketchy socket functions). However, something modified it, just don't know what got changed or who did it.

After I began my streak of paranoia, I found a connection to Poland via svchost, pinged it and it was up. So, I fire up nmap for shits and giggles; as soon as I start the scan, the host dies. Next foreign IP up to bat, Russia. Hurray. So I got Kaspersky and Comodo doing their things. Did some checking with HijackMe and other tools, nothing out of the ordinary. So either I got some crazy APT shit going on and I have a government rootkit, Poland doesn't like me, or I am too stupid to notice I am on a botnet. But I definitely am infected because chalking this one up to paranoia and coincidence is too simple.


Post by KthProg on Thu Mar 14, 2013 7:56 am

Not sure about that specific DLL but interops are interfaces for applications in Microsoft to communicate with each other -_-, usually only called in code for automation.

Post by WallShadow on Thu Mar 14, 2013 6:12 pm

e3cb wrote: Wall: damn you for not being on IRC.

But I am on IRC as much as possible T.T