dcservice.exe - no disk

May 23, 2012 at 01:22:58
Specs: Windows XP
RogueKiller V7.4.5 [05/18/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/file...
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User: Kasu [Admin rights]
Mode: Scan -- Date: 05/23/2012 16:08:08

¤¤¤ Bad processes: 7 ¤¤¤
[SUSP PATH] DCService.exe -- C:\Documents and Settings\All Users\Application Data\DatacardService\DCService.exe -> KILLED [TermProc]
[SUSP PATH] cssrs.exe -- C:\Documents and Settings\Kasu\Application Data\cssrs.exe -> KILLED [TermProc]
[SUSP PATH] cssrs.exe -- C:\Documents and Settings\Kasu\Application Data\cssrs.exe -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\WINDOWS\system32\svchost.exe -> KILLED [TermProc]
[SERVICE] SSHNAS -- C:\WINDOWS\system32\svchost.exe -k netsvcs -> STOPPED
[SUSP PATH] DCService.exe -- C:\Documents and Settings\All Users\Application Data\DatacardService\DCService.exe -> KILLED [TermProc]
[RESIDUE] cssrs.exe -- C:\Documents and Settings\Kasu\Application Data\cssrs.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 24 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : Microsoft Firewall 2.9 (C:\Documents and Settings\Kasu\Application Data\WMPRWISE.EXE) -> FOUND
[SUSP PATH] HKCU\[...]\Run : 4ECYTQ9SIC (C:\DOCUME~1\Kasu\LOCALS~1\Temp\Zw1.exe) -> FOUND
[SUSP PATH] HKLM\[...]\Run : Microsoft Driver Setup (C:\WINDOWS\ggdrive32.exe) -> FOUND
[SUSP PATH] HKLM\[...]\Run : Advanced HTTPL Enable (C:\Documents and Settings\Kasu\hddd.exe) -> FOUND
[SUSP PATH] HKLM\[...]\Run : TINTIMG (C:\Documents and Settings\Kasu\Application Data\cssrs.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-73586283-706699826-839522115-1003[...]\Run : Microsoft Firewall 2.9 (C:\Documents and Settings\Kasu\Application Data\WMPRWISE.EXE) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-73586283-706699826-839522115-1003[...]\Run : 4ECYTQ9SIC (C:\DOCUME~1\Kasu\LOCALS~1\Temp\Zw1.exe) -> FOUND
[SUSP PATH] HKLM\[...]\Policies\Explorer\Run : Microsoft Driver Setup (C:\WINDOWS\ggdrive32.exe) -> FOUND
[SUSP PATH] HKLM\[...]\Winlogon : Userinit (C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Kasu\sap.exe \s) -> FOUND
[BLACKLIST] HKLM\[...]\services : SSHNAS (%SystemRoot%\system32\svchost.exe -k netsvcs) -> FOUND
[BLACKLIST] HKLM\[...]\services : SSHNAS (%SystemRoot%\system32\svchost.exe -k netsvcs) -> FOUND
[BLACKLIST] HKLM\[...]\Root : LEGACY_SSHNAS () -> FOUND
[SUSP PATH] {22116563-108C-42c0-A7CE-60161B75E508}.job @ : C:\DOCUME~1\Kasu\LOCALS~1\Temp\Zw1.exe -> FOUND
[HJPOL] HKCU\[...]\System : DisableTaskMgr (1) -> FOUND
[HJPOL] HKCU\[...]\System : DisableRegistryTools (1) -> FOUND
[HJ] HKLM\[...]\SystemRestore : DisableSR (1) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HIDDEN VAL] HKLM\[...]\Run : @ () -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤
_INLINE_ : NtRequestPort -> HOOKED (Unknown @ 0xF7A84CA0)
_INLINE_ : NtRequestWaitReplyPort -> HOOKED (Unknown @ 0xF7A84D40)
_INLINE_ : NtTraceEvent -> HOOKED (Unknown @ 0xF7A84C00)

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3320613AS +++++


#1
May 23, 2012 at 03:34:01
I don't see a question?

#2
May 23, 2012 at 12:11:05
http://www.systemlookup.com/O23/582...

My guess is that this is a card reader without a card in it. I am assuming that RogueKiller
automatically disables external cards/etc. as a protective measure while scanning?

Normally logs are only posted when requested, along with more information, just as a heads-up.

mike


#3
May 23, 2012 at 12:14:19
Taking a guess based on what I see here, you have malware that installed a rogue program
C:\Documents and Settings\Kasu\Application Data\WMPRWISE.EXE
and disabled multiple security options:
[HJPOL] HKCU\[...]\System : DisableTaskMgr (1) -> FOUND
[HJPOL] HKCU\[...]\System : DisableRegistryTools (1) -> FOUND
[HJ] HKLM\[...]\SystemRestore : DisableSR (1) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

mike
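
Post #3 reads the [HJ]/[HJPOL] entries as security features being switched off and the Run/Userinit entries as persistence. As an added example, not part of this thread or of RogueKiller itself, the Python below parses RogueKiller-style "Registry Entries" lines (a constructed sample modelled on the log above) and groups the findings by what they mean to a responder; the category names and the Userinit check are my own assumptions about how to triage such output.

```python
import re
from collections import defaultdict

# Constructed sample in the "Registry Entries" line format of the RogueKiller log above.
SAMPLE_LOG = r"""
[SUSP PATH] HKLM\[...]\Run : Microsoft Driver Setup (C:\WINDOWS\ggdrive32.exe) -> FOUND
[SUSP PATH] HKLM\[...]\Winlogon : Userinit (C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Kasu\sap.exe \s) -> FOUND
[HJPOL] HKCU\[...]\System : DisableTaskMgr (1) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND
[BLACKLIST] HKLM\[...]\services : SSHNAS (%SystemRoot%\system32\svchost.exe -k netsvcs) -> FOUND
"""
# One registry finding: [TAG] <key> : <value name> (<data>) -> <status>
ENTRY_RE = re.compile(
    r"^\[(?P<tag>[A-Z ]+)\] (?P<key>.+?) : (?P<name>.+?) \((?P<data>.*)\) -> (?P<status>\w+)$"
)

def parse_entry(line):
    """Return the fields of one registry-entry line, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    return m.groupdict() if m else None

def userinit_extras(data):
    """Userinit should list only the system32 userinit.exe; every other
    comma-separated item is an additional program run at each logon."""
    parts = [p.strip() for p in data.split(",") if p.strip()]
    return [p for p in parts if not p.lower().endswith(r"\userinit.exe")]

def classify(entry):
    """Map a parsed finding to a triage category (category names are assumed, not RogueKiller's)."""
    tag, key, name = entry["tag"], entry["key"], entry["name"]
    if tag in ("HJ", "HJPOL"):
        return "security feature disabled"   # Task Manager, regedit, UAC, System Restore, SC notifications
    if key.endswith("Winlogon") and name == "Userinit" and userinit_extras(entry["data"]):
        return "logon hijack"                # extra program appended to Userinit
    if tag == "BLACKLIST":
        return "known-bad service"
    if key.endswith("Run"):
        return "autorun persistence"
    return "other"

def summarize(log_text):
    """Group the value names of all registry findings by category."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry:
            groups[classify(entry)].append(entry["name"])
    return dict(groups)
```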

