
"Installer Center" service on XP, malware?

Found a suspicious service running on some XP machines I maintain at one of our local primary schools, picked up by Kaspersky TDSSKILLER as hloeignzq and file C:\Windows\System32\xlevcb.dll, did a full Sophos scan but nothing reported, using Sophos Endpoint Security and Control 10.0.

Looking through the registry links it to "Installer Center" service with same description as Secondary Logon service, but there is no file called xlevcd.dll in System32 folder so unsure if this is a remnant of some uninstalled software but it just looks suspicious.

Anyone come across this service running on XP machines before or know what it is?

Thanks.



  • Hello Web-Junkie,

    if the service is actually running then it must have been started from the path given in the Properties. If there seems to be no file at the location this could be some rootkit. You might want to try the Sophos Bootable Anti-Virus. If you are unsure how to effectively use it please call Support.

    Christian

  • I don't seem to be able to download that file? I'm asked for 'My Sophos' login but when logged in there doesn't appear to be anything to download?

    Our Sophos solution is provided as part of an agreement with our local county council so I don't have any product credentials to add to My Sophos!! How do I obtain this file?

  • Hello Web-Junkie,

    please try to just go to the article again and click the link once more (or right-click Save as ...).

    Can't say if the download requires that your account is linked to one of the AV products. Therefore I also can't say how it behaves after you log in. But I've observed some glitches with the SSO lately - so please check the very top of the article page where it should say Welcome Web-Junkie  My Account  Log out ... make sure there's indeed your username after the Welcome (on some occasions I've seen My Account instead ...).

    Christian 

  • No, still does the same thing, either sends me to the Add Credentials page or if Right Click > Save As then just wants to save an HTML page!!

    I'll keep trying later today/tomorrow and see if the situation changes.

    Thanks for trying to help!

  • Hello Web-Junkie,

    just asked if it could be a glitch - doesn't look like it though, might indeed require the license to be linked.

    Guess support has to go through your provider as well. Maybe they could obtain it for you?

    Christian

  • Thanks Christian, I'll ask one of the county engineers about it next time I bump into them!

    Also, the service is not started as I think the dll is missing but it creates this registry entry:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HLOEIGNZQ]
    "NextInstance"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HLOEIGNZQ\0000]
    "Service"="hloeignzq"
    "Legacy"=dword:00000001
    "ConfigFlags"=dword:00000000
    "Class"="LegacyDriver"
    "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    "DeviceDesc"="Installer Center"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HLOEIGNZQ\0000\Control]
    "ActiveService"="hloeignzq"

    This is created in the following places:

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_HLOEIGNZQ\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_HLOEIGNZQ\0000
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HLOEIGNZQ\0000

    TDSSKILLER has removed all traces and no issues reported on the affected machines. If I find any more info about this I'll post back!

    Thanks again for the help!

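As an added triage aid (not code from the thread or from Sophos), a small Python parser for a regedit 5.00 export like the one posted above: it groups each Enum\Root\LEGACY_* instance by the service it names, records which control sets carry it and whether a Control\ActiveService marker is present. The export embedded in the script is a constructed sample modelled on the posted keys, not the poster's actual file.

```python
import re
# Constructed sample, modelled on the export posted above (not the poster's actual file).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HLOEIGNZQ\0000]
"Service"="hloeignzq"
"Legacy"=dword:00000001
"DeviceDesc"="Installer Center"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HLOEIGNZQ\0000\Control]
"ActiveService"="hloeignzq"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_HLOEIGNZQ\0000]
"Service"="hloeignzq"
"DeviceDesc"="Installer Center"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')                                     # [HKEY_...\path]
VAL_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')  # "name"=dword:... or "name"="..."

def parse_reg(text):
    """Return {key_path: {value_name: value}}; dword values become ints, strings stay str."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name, dword, string = m.groups()
            current[name] = int(dword, 16) if dword is not None else string
    return keys

def legacy_entries(keys):
    """Per service named by an Enum\\Root\\LEGACY_* instance: DeviceDesc, control sets seen, ActiveService flag."""
    out = {}
    for path, values in keys.items():
        parts = path.split('\\')
        i = parts.index('Root') if 'Root' in parts else -1
        # instance keys look like ...\<ControlSet>\Enum\Root\LEGACY_<NAME>\0000 and carry a Service value
        if i < 2 or len(parts) != i + 3 or not parts[i + 1].startswith('LEGACY_') or 'Service' not in values:
            continue
        svc = values['Service']
        entry = out.setdefault(svc, {'desc': values.get('DeviceDesc', ''), 'control_sets': set(), 'active': False})
        entry['control_sets'].add(parts[i - 2])
        if keys.get(path + '\\Control', {}).get('ActiveService') == svc:
            entry['active'] = True
    return out
```

Run it over a real export (regedit's "Export" of HKLM\SYSTEM, or the keys a cleaner logged) to list every legacy service entry in one place before deciding what to remove.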