02/10/2010 11:28:26 AM · #1
I am a bit worried...I ran a routine HiJackThis check on my main Win7 computer, and I see something odd:
O20 - AppInit_DLLs: prio32.dll
I don't recall seeing that ever before. I searched the web, and can't find any info on a shared DLL called prio32.dll.
This key is used for a DLL that's loaded on startup and unloaded on shutdown. But oddly, I can't find the DLL by searching the hard drive...so if it's there, perhaps it's a rootkit?
I have a Norton Antivirus subscription, and it's current. Never had a problem with Norton letting stuff through... I run Spybot routinely, and it doesn't find anything.
This could be normal...but use of this registry key is unusual except by Trojans.
Anyone know what it is?
Can anyone who also has HiJackThis check their logs and see if you happen to see this?
I can delete the registry entry, but if it's a rootkit, that won't help... and I was worried it was something "real" on my system (though then I don't know why I wouldn't be able to find the DLL file.)
Message edited by author 2010-02-10 11:28:45.
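The check the original poster did by hand (read the O20 AppInit_DLLs value, then hunt for the DLL on disk), as an added PowerShell example that is not part of the thread. It reads both registry views (on 64-bit Windows a 32-bit tool such as HijackThis sees the Wow6432Node copy, and the native value can differ), shows the LoadAppInit_DLLs and RequireSignedAppInit_DLLs switches that gate the mechanism, resolves each listed name along the normal DLL search path before sweeping the drives, and reports signature and hash for anything found. It assumes an elevated PowerShell 4 or later on Windows 7 or newer; the function and variable names are this example's own.

```powershell
# Added example, not code from the thread. Inspect the AppInit_DLLs load point
# that HijackThis reports as "O20" and try to locate each listed DLL on disk.
# Assumes an elevated PowerShell 4 or later (Get-FileHash) on Windows 7 or newer.
# The original poster's "prio32.dll" is just one value this would report on;
# nothing below is specific to it.

$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'              # native view
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'  # 32-bit view on x64
)

function Get-AppInitDlls {
    # One record per registry view: the DLL list plus the two switches that gate it.
    foreach ($key in $AppInitKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $p = Get-ItemProperty -LiteralPath $key
        [pscustomobject]@{
            Key           = $key
            Dlls          = [string]$p.AppInit_DLLs
            LoadEnabled   = $p.LoadAppInit_DLLs            # Vista and later: 0 disables the mechanism
            RequireSigned = $p.RequireSignedAppInit_DLLs   # Windows 7 and later
        }
    }
}

function Find-AppInitDll {
    # Resolve a bare name the way LoadLibrary would (System32, SysWOW64, Windows, PATH);
    # if that fails, sweep the fixed drives so a leftover copy elsewhere still turns up.
    param([Parameter(Mandatory)][string]$Name)
    if ([System.IO.Path]::IsPathRooted($Name)) {
        if (Test-Path -LiteralPath $Name) { return Get-Item -LiteralPath $Name }
        return $null
    }
    $dirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", $env:SystemRoot) +
            @($env:Path -split ';' | Where-Object { $_ })
    foreach ($d in $dirs) {
        $candidate = Join-Path -Path $d -ChildPath $Name
        if (Test-Path -LiteralPath $candidate) { return Get-Item -LiteralPath $candidate }
    }
    foreach ($drive in Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root }) {
        $hit = Get-ChildItem -LiteralPath $drive.Root -Filter $Name -Recurse -Force -File `
                 -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($hit) { return $hit }
    }
    return $null
}

function Show-AppInitReport {
    foreach ($view in Get-AppInitDlls) {
        "== $($view.Key)"
        "   LoadAppInit_DLLs=$($view.LoadEnabled)  RequireSignedAppInit_DLLs=$($view.RequireSigned)  AppInit_DLLs='$($view.Dlls)'"
        # The value is a space- or comma-separated list, so one entry may name several DLLs.
        foreach ($name in ($view.Dlls -split '[ ,]+' | Where-Object { $_ })) {
            $file = Find-AppInitDll -Name $name
            if (-not $file) {
                "   $name : not found on any drive (stale entry, or a file hidden from this session)"
                continue
            }
            $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
            $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            "   $name -> $($file.FullName)"
            "      signature=$($sig.Status) signer=$($sig.SignerCertificate.Subject) sha256=$hash"
        }
    }
}

function Clear-AppInitDlls {
    # Back the key up with reg.exe first, then blank the value rather than delete it
    # (a clean install has the value present and empty, which is why HijackThis
    # shows no O20 line on such a machine).
    param([Parameter(Mandatory)][string]$Key,
          [string]$BackupFile = "$env:TEMP\AppInit-backup.reg")
    $regKey = $Key -replace '^HKLM:\\', 'HKEY_LOCAL_MACHINE\'
    & reg.exe export $regKey $BackupFile /y | Out-Null
    Set-ItemProperty -LiteralPath $Key -Name AppInit_DLLs -Value ''
}

Show-AppInitReport
# Once an entry is confirmed stale:  Clear-AppInitDlls -Key $AppInitKeys[0]
```

A name that resolves to nothing on any drive is exactly the situation in the first post, and it has two readings: an uninstaller that removed the file but not the registry value (the harmless case, and what this thread turned out to be), or a file that a live session is being prevented from seeing. The script cannot tell those apart; only a scan from boot media, as a later post suggests, can.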
02/10/2010 11:33:28 AM · #2
Looks like there may be some info here but I'm blocked from those sites ATM ;)
02/10/2010 11:39:46 AM · #3
On a clean install of Win7 with very few apps, I have no O20 - AppInit_DLLs, and no prio32.dll anywhere.
02/10/2010 11:41:12 AM · #4
Originally posted by PhotoDave: Looks like there may be some info here but I'm blocked from those sites ATM ;)
Yes, I've done the google searches, bing, looked at the trendmicro forum (and posted there).
In the Spybot forum, a search comes up with one other person's log that shows this entry, but it's in the log, and not discussed. I noticed that they also have Skype, so that's a commonality. Perhaps it has something to do with Microsoft's Virtual OS--which I had installed at one time when this machine was Vista, and before I upgraded to 7.
I thought I had saved some old HiJackThis logs, so I could compare to the "old days", but so far, I haven't been able to find them. I guess I'll look at my backups to see.
It's weird to find a system level DLL that's not discussed ad nauseum on the internet...that makes me even more suspicious.
Message edited by author 2010-02-10 11:42:00.
02/10/2010 11:42:18 AM · #5
Hey Neil!
Don't know exactly, but you can try a bit of freeware from Mcafee, that has helped me more than once with rootkits: here.
Hope it helps!
02/10/2010 11:44:00 AM · #6
Rootkits by their nature will hide themselves. The only way to really detect them for sure may be to boot with something else and scan the hard drive "from orbit" so to speak. I recall these being discussed in depth on the Security Now podcast. Here is a Microsoft Technet article on using rootkit revealer to try and find them.
02/10/2010 11:47:32 AM · #7
I also don't see it running in memory...so it's possible that it's a startup file for a program (like Microsoft's virtual PC) that's been uninstalled incorrectly.
But I expected to find info on it on the internet...still no one "claiming" it!
02/10/2010 11:55:10 AM · #8
You can't always find a loaded DLL, as they are sometimes embedded in .exe files.
It looks like there should be a prio_svc.exe on your computer (maybe this: //wareseeker.com/Utilities/prio-1.6.zip/61947 )
Monitor your ports: netstat -abn (but a rootkit should override it) ... and install a real firewall.
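The "monitor your ports" step from the post above, as an added PowerShell example that is not part of the thread. Where netstat -abn prints the owning executable's name, this maps each listening or established TCP socket to the owning process, its image path and the Authenticode status of that image, so an unsigned listener or one whose process has already exited stands out. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection (it is not present on Windows 7, where netstat -abn remains the tool) and an elevated session so every process path is readable; the function name is this example's own.

```powershell
# Added example, not code from the thread: list TCP listeners and established
# connections with the owning process image and its signature status.
# Assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection) and an elevated
# session. Like netstat, this asks the running kernel and so shares its blind spot:
# a rootkit that hooks these interfaces can hide from this too; an offline scan
# from boot media is the check for that case.

function Get-ConnectionOwners {
    param([switch]$ListeningOnly)
    $states = if ($ListeningOnly) { @('Listen') } else { @('Listen', 'Established') }

    # Snapshot processes once so each socket lookup is a hashtable hit, not a fresh query.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    Get-NetTCPConnection -State $states -ErrorAction SilentlyContinue | ForEach-Object {
        $p    = $procs[[int]$_.OwningProcess]
        $path = if ($p) { $p.Path } else { $null }     # $null for System (PID 4) and exited processes
        $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }
        [pscustomobject]@{
            Local     = "$($_.LocalAddress):$($_.LocalPort)"
            Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
            State     = $_.State
            Pid       = $_.OwningProcess
            Process   = if ($p) { $p.ProcessName } else { '<gone>' }
            Image     = $path
            Signature = $sig
        }
    }
}

# Everything that is not cleanly signed deserves a look; the full list is one pipe shorter.
Get-ConnectionOwners | Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object Pid | Format-Table -AutoSize
```

Drop the Where-Object filter to see every socket, or pass -ListeningOnly to audit just the open ports. A 'Valid' signature says the image is what its publisher shipped, not that the publisher is trustworthy, so a signed listener on an unexpected port still merits checking the remote endpoints it is talking to.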
02/10/2010 12:09:06 PM · #9
Originally posted by keyz: You can't always find a loaded DLL, as they are sometimes embedded in .exe files.
It looks like there should be a prio_svc.exe on your computer (maybe this: //wareseeker.com/Utilities/prio-1.6.zip/61947 )
Monitor your ports: netstat -abn (but a rootkit should override it) ... and install a real firewall.
Oh, I didn't realize DLLs could be embedded.
But I believe you hit the nail on the head... I do have a program called prio that I used to use to elevate or reduce a process's priority (the difference between this and the normal system method is that the prio program remembers the process and elevates it or reduces it each time it runs).
I think it ran as a service, but I removed it a while back. So that's probably it (especially given the function of the program).
I just found the Prio folder is actually still on my computer (though removed from service), but there's only an EXE in it. I used my Everything program to search, but I should have tried a search for prio rather than prio32! I am embarrassed that I didn't remember that program and make the connection!
Thanks!
Message edited by author 2010-02-10 12:18:07.
02/10/2010 12:54:48 PM · #10
You should find your services running in something like Configuration Panel > Administration (don't know really) > Services and disable it from there.
Just give me the name of the troll voters on my last entry and we are ok :D
02/10/2010 01:19:56 PM · #11
Originally posted by keyz: You should find your services running in something like Configuration Panel > Administration (don't know really) > Services and disable it from there.
Just give me the name of the troll voters on my last entry and we are ok :D
Thanks--I always check and manage services...it's not there anymore, so either I removed it, or it removed itself via uninstall or a menu option to stop loading.
I'm set now...I am pretty sure that must have been the DLL entry. I just wanted to know what was going on, if it could be a rootkit, before I deleted the registry entry.
I am pretty diligent with my system, but sometimes the human memory cells don't work!
DPChallenge, and website content and design, Copyright © 2001-2025 Challenging Technologies, LLC.