Thread: Suspect HDD activity and lots of suspectly named keys and key values in Registry

  1. #1 | Member | Join Date: Feb 2008 | Posts: 50

    Suspect HDD activity and lots of suspectly named keys and key values in Registry

    Long story short, I decided to go Full S&D Professional after noticing some suspect activity on my Windows 10 system (more or less constant HDD activity on C:), which is still ongoing at this point after running several scans and some careful cleanup with system repair. I also uninstalled some old apps no longer used, and I have also tried, without success, to trace what's going on with Task Manager. I'm not sure what has caused it, but today when I tried to open my VB6 environment (I'm a VB6 developer) I was met with this:

    [attached image: vb6doesntstart.png]

    and then it died when clicking the OK button.

    I don't know why VB6 asks for that file as it's nothing I'm using, but possibly it's some old legacy it's set up to load. This made me open Regedit to search for DAO350.DLL, and I found several items, which confirmed the file didn't exist where Windows supposedly expected it to be (Program Files(x86)\Common Files\Microsoft Shared\DAO\), but when I looked closer at the registry keys I saw this:

    [attached image: regdao1.png]

    and this:

    [attached image: regdao2.png]

    and that sure looks suspect to me. In fact, I found several "InprocServer32" keys with those suspect items, not only for DAO350/DAO.DBEngine.35 - but what is it? Is it a virus/trojan or other malware that S&D failed to detect, or something legit?

    I also ran a Rootkit scan, where the quick scan showed either "No hidden files detected", "No hidden entries detected" or "No hidden processes detected" for all items. When I run a "Deep scan" it displays about 10 registry keys with "No admin in ACL" and a lengthy list of file items with "Unknown ADS" in details. Most of the files are in "C:\Windows\Installer\$PatchCache$\Managed".

    Does anyone have any insight on this?

    TIA
    Life on Earth is expensive but it includes a free trip around the Sun every year.
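The post's own check (searching the registry for DAO350.DLL and finding InprocServer32 entries pointing at a file that is not on disk) can be done for every COM class at once. The PowerShell script below is an added example, not from the thread or from Spybot; it assumes an elevated PowerShell session on the affected machine and nothing else. It walks the CLSID hives, resolves each InprocServer32 default value, and reports entries whose server DLL is missing (leftovers of an uninstall, like the DAO case) as well as entries that resolve to per-user or user-writable locations, which a legitimate installer rarely uses:

```powershell
# Added example (not from the thread): list COM InprocServer32 registrations
# whose server DLL is missing, plus those living in unusual locations.
# Assumption: run in an elevated PowerShell on the affected Windows machine.

$hives = @(
    'HKLM:\SOFTWARE\Classes\CLSID',                # 64-bit in-process servers
    'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID',    # 32-bit servers (DAO350.DLL is one)
    'HKCU:\SOFTWARE\Classes\CLSID'                 # per-user registrations
)

function Resolve-ServerPath([string]$raw) {
    # Values can be REG_EXPAND_SZ (%SystemRoot%\...), quoted, or a bare file
    # name that the loader finds in System32/SysWOW64; normalise all of them.
    $p = [Environment]::ExpandEnvironmentVariables($raw.Trim().Trim('"'))
    if (-not [IO.Path]::IsPathRooted($p)) {
        foreach ($dir in @("$env:windir\System32", "$env:windir\SysWOW64")) {
            $candidate = Join-Path $dir $p
            if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
        }
    }
    return $p
}

$results = foreach ($hive in $hives) {
    if (-not (Test-Path $hive)) { continue }
    Get-ChildItem -Path $hive -ErrorAction SilentlyContinue | ForEach-Object {
        $inproc = Join-Path $_.PSPath 'InprocServer32'
        if (-not (Test-Path $inproc)) { return }      # 'return' skips to the next CLSID here
        $raw = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
        if ([string]::IsNullOrWhiteSpace($raw)) { return }
        $path = Resolve-ServerPath $raw
        [pscustomobject]@{
            Hive    = $hive
            CLSID   = $_.PSChildName
            Server  = $path
            Exists  = (Test-Path -LiteralPath $path -PathType Leaf)
            PerUser = $hive.StartsWith('HKCU')
        }
    }
}

# 1) Orphaned registrations: the DLL is gone but the CLSID still points at it.
#    The DAO350.DLL entry from the post would show up in this list.
"=== InprocServer32 entries whose DLL does not exist ==="
$results | Where-Object { -not $_.Exists } | Sort-Object Server | Format-Table CLSID, Server, Hive -AutoSize

# 2) Registrations that resolve into user-writable places. These are not
#    automatically malicious, but they are where to look first when deciding
#    whether an entry is a leftover or something that needs a closer look.
"=== InprocServer32 entries in per-user hives or user-writable paths ==="
$results | Where-Object { $_.Exists -and ($_.PerUser -or $_.Server -match '\\Users\\|\\Temp\\') } |
    Sort-Object Server | Format-Table CLSID, Server, Hive -AutoSize
```

Orphaned entries on their own are normal on a machine that has had software installed and removed over the years, so the count in the first list is not a verdict. What is worth acting on is an entry whose path is odd for the product it claims to be (a system CLSID redirected to a file under a user profile, for instance), and the second list is meant to make those stand out; save both lists so they can be attached to a malware-forum topic alongside the scanner logs.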

  2. #2 | Member of Team Spybot | tashi | Join Date: Oct 2005 | Location: USA | Posts: 30,748

    Hello yettyn,

    The RootAlyzer is an analyst tool; sometimes even legitimate software uses rootkit technologies.

    If you suspect an infection, it would be best if someone can take a look at the system in the Malware Removal Forum.

    Please start a new topic there, the forum's FAQ includes instructions in post #2 on how to provide the logs from Farbar Recovery Scan Tool and aswMBR, which are the two logs used in the preliminary analysis.

    http://forums.spybot.info/showthread.php?t=288

    Then a volunteer analyst will advise as soon as available.

    Best regards,
    tashi
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  3. #3 | Member | Join Date: Feb 2008 | Posts: 50

    Huh, you must be getting tired of repeating that in basically every post, but I'm sure you have a snippet ready to paste.

    But yes, I have got that; many legit items in the list, so nothing to be scared about regarding the amount. Just a bigger challenge to find the needle in the haystack, so to speak.

    I'll open a new topic in the suggested forum when I'm done with my own research and if I don't manage to figure it out by myself. Something suspicious is certainly going on with almost constant HDD activity, whether it has anything to do with those suspect registry entries or not.

    Thanks.

    Admin Edit: Malware forum topic: https://forums.spybot.info/showthrea...807#post485807
    Last edited by tashi; 2021-03-26 at 15:20.
    Life on Earth is expensive but it includes a free trip around the Sun every year.
