"Installer Center" service on XP, malware?

I found a suspicious service running on some XP machines I maintain at one of our local primary schools. It was picked up by Kaspersky TDSSKiller as hloeignzq, with the file C:\Windows\System32\xlevcb.dll. I did a full Sophos scan (Sophos Endpoint Security and Control 10.0), but nothing was reported.

Looking through the registry links it to an "Installer Center" service with the same description as the Secondary Logon service, but there is no file called xlevcd.dll in the System32 folder, so I am unsure whether this is a remnant of some uninstalled software. It just looks suspicious.

Anyone come across this service running on XP machines before or know what it is?

Thanks.

  • Thanks, Christian. I'll ask one of the county engineers about it next time I bump into them!

    Also, the service is not started, as I think the DLL is missing, but it creates this registry entry:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HLOEIGNZQ]
    "NextInstance"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HLOEIGNZQ\0000]
    "Service"="hloeignzq"
    "Legacy"=dword:00000001
    "ConfigFlags"=dword:00000000
    "Class"="LegacyDriver"
    "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    "DeviceDesc"="Installer Center"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HLOEIGNZQ\0000\Control]
    "ActiveService"="hloeignzq"

    This is created in the following places:

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_HLOEIGNZQ\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_HLOEIGNZQ\0000
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HLOEIGNZQ\0000

    TDSSKiller has removed all traces, and no issues have been reported on the affected machines. If I find any more info about this I'll post back!

    Thanks again for the help!

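A way to hunt for this pattern on other machines, as an added example that is not code from the original thread or from either vendor: the script below walks every HKLM\SYSTEM\ControlSetNNN (CurrentControlSet is only a link to one of those, so it is skipped), looks at each LEGACY_* entry under Enum\Root like the one posted above, follows its "Service" value to the matching Services key, resolves the binary the service would actually load (Parameters\ServiceDll for svchost-hosted services, otherwise ImagePath), and reports entries whose Services key is gone or whose binary is missing from disk. It assumes an elevated PowerShell session (2.0 or later, which runs on XP SP3) on the machine under review; the function names are my own.

```powershell
# Added example, not from the original thread. Reports LEGACY_* device entries
# whose backing service binary is missing, across every ControlSetNNN hive.
# Assumes: elevated PowerShell 2.0+ on the machine being examined.

function Resolve-ServiceBinary {
    # Turn a raw ImagePath/ServiceDll value into an absolute file path.
    param([string]$RawPath)
    if (-not $RawPath) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($RawPath).Trim()
    # Drop surrounding quotes and any command-line arguments (e.g. "-k netsvcs").
    if ($p -match '^"([^"]+)"') {
        $p = $Matches[1]
    } elseif ($p -match '^(.*?\.(exe|dll|sys))(\s|$)') {
        $p = $Matches[1]
    }
    # Kernel-style prefixes commonly seen in driver ImagePath values.
    if ($p -match '^\\\?\?\\(.+)$')       { $p = $Matches[1] }
    if ($p -match '^\\SystemRoot\\(.+)$') { $p = Join-Path $env:SystemRoot $Matches[1] }
    # Relative paths such as system32\DRIVERS\foo.sys are relative to %SystemRoot%.
    if ($p -notmatch '^[A-Za-z]:\\' -and $p -notmatch '^\\\\') {
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-OrphanedLegacyServices {
    $findings = @()
    # 'ControlSet*' deliberately excludes CurrentControlSet, which is a link to one of these.
    $controlSets = Get-ChildItem 'HKLM:\SYSTEM' | Where-Object { $_.PSChildName -like 'ControlSet*' }
    foreach ($cs in $controlSets) {
        $enumRoot = "$($cs.PSPath)\Enum\Root"
        $svcRoot  = "$($cs.PSPath)\Services"
        if (-not (Test-Path $enumRoot)) { continue }
        $legacyKeys = Get-ChildItem $enumRoot | Where-Object { $_.PSChildName -like 'LEGACY_*' }
        foreach ($legacy in $legacyKeys) {
            foreach ($inst in Get-ChildItem $legacy.PSPath) {
                $props   = Get-ItemProperty $inst.PSPath -ErrorAction SilentlyContinue
                $svcName = $props.Service
                if (-not $svcName) { continue }

                $svcKey = "$svcRoot\$svcName"
                $binary = $null
                $status = $null
                if (-not (Test-Path $svcKey)) {
                    $status = 'Services key missing'
                } else {
                    $svc = Get-ItemProperty $svcKey -ErrorAction SilentlyContinue
                    $dll = $null
                    if (Test-Path "$svcKey\Parameters") {
                        $dll = (Get-ItemProperty "$svcKey\Parameters" -ErrorAction SilentlyContinue).ServiceDll
                    }
                    # For svchost-hosted services the DLL is the real code, not svchost.exe.
                    $binary = Resolve-ServiceBinary $(if ($dll) { $dll } else { $svc.ImagePath })
                    if (-not $binary) {
                        $status = 'No ImagePath/ServiceDll'
                    } elseif (-not (Test-Path -LiteralPath $binary)) {
                        $status = 'Binary missing on disk'
                    }
                }
                if ($status) {
                    $findings += New-Object PSObject -Property @{
                        ControlSet = $cs.PSChildName
                        EnumKey    = ($inst.PSPath -replace '^.*::', '')
                        Service    = $svcName
                        DeviceDesc = $props.DeviceDesc
                        Binary     = $binary
                        Status     = $status
                    }
                }
            }
        }
    }
    return $findings
}

Get-OrphanedLegacyServices | Format-Table ControlSet, Service, DeviceDesc, Status, Binary -AutoSize
```

Two caveats when reading the output. A hit is a lead, not a verdict: some uninstallers leave a LEGACY_* entry behind after deleting the Services key, so check the DeviceDesc and service name against what you know was installed. And an empty result is not a clean bill of health: the rootkits TDSSKiller targets can hide keys and files from the live Windows API, so a clean run from a booted system should be compared with an offline scan or an export of the hive taken from outside the running OS.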