Some system monitoring program gave me this message

A new startup program has been detected
D:\windows\system32\jkhfd.dll,c

which means that it is executing the function whose name is c which is exported by jkhfd.dll

I dissassembled the file(jkhfd.dll) and found the following list of exported functions-

c
DllCanUnloadNow
DllGetClassObject
f
InitSecurityInterfaceWLsaApCallPackage
LsaApCallPackagePassthrough
LsaApCallPackageUntrusted
LsaApInitializePackage
LsaApLogonTerminated
LsaApLogonUser
LsaApLogonUserEx
o
s
SpInitialize

(the function c, as I suspected, is exported)

Ssinternals tools told me that the above dll is there(injected?) as the browser helper objects

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
{B2CEFDCD-4318-4FD1-B87F-3E28D54ECF8D} d:\windows\system32\jkhfd.dll


From the above list of exported functions, most are implemented by the dll creator herself. But the win32 function(s) like LogonUser(which attempts to logon,probably remotely) has aroused my suspicion.

My questions-

Since the dissassembler can't locate the functions in the dissassembly, please suggest some other way of reversing the dll ?
Any further info on this method of attack, that is, how can someone remotely inject BHOs(browser helper objects) into my browser ?

Unpack the DLL before you try to disassemble it statically.


The normal method is to exploit vulnerabilities in Windows, browsers and "browser related software", that you have installed on your computer, in order to execute arbitrary code on your computer, which is in turn often used to inject things like this, often aimed to steal data and money from you.

Which is more "vulnerable" because they don't have to break into your house and force you to install their "stuff." The simply trick you into installing the damn stuff for them.

Regards,