Event Viewer

Guest

I regularly find postings in the event viewer as follows:

"Windows Defender Real-Time Protection agent has detected potential malware.
For more information please see the following:
http://www.microsoft.com
Scan ID: {CCF7F561-C0E5-416E-A9C4-3ADF833DA0B4}
User: (NOT NEEDED HERE)
Threat Name: Unknown
Threat Id:

Threat Severity:
Threat Category:
Path Found: driver:SDDMI2
Threat Classification: Unknown
Detection Type:

For more information, see Help and Support Center"

There is no further information available at the Support Center.

Can anyone enlighten me as to the meaning of these messages? Thanks.
 
Bill Sanderson

The key is the "threat classification" of "unknown." These are simply files
that Windows Defender has insufficient information about to classify. They
aren't called to your attention because they are not known to be malware--a
good bit of the verbiage in those records is misleading--such files might be
good or might be bad--the ones I've seen posted about so far have all been
good, I believe.
 
Guest

Thanks, Bill.

Bill Sanderson said:
The key is the "threat classification" of "unknown." These are simply files
that Windows Defender has insufficient information about to classify. They
aren't called to your attention because they are not known to be malware--a
good bit of the verbiage in those records is misleading--such files might be
good or might be bad--the ones I've seen posted about so far have all been
good, I believe.
 
Guest

Bill,

I also get these. My most recent is a mini-flood, citing these "paths":
driver:Sta16ioss, service:pci7pp, driver:pci7pp, service:Hellintecma,
driver:Hellintecma, service:Cdipusefmpp, driver:Cdipusefmpp, service:Linphmt,
driver:Linphmt, driver:Ulttirtpvn and service:Ulttirtpvn. These occur over a
3-5 second period. When I scan the registry (after the fact), I find the
following entry: HKLM\SYSTEM\CurrentControlSet\Services\Sta16ioss, repeated
in ControlSet001 and 003; the service type is "FSFilter Encryption", but
there is no image path.

This is the second time I have seen this, only the driver/service names were
different.

These do not seem to be "phantoms" as there are real registry entries,
although they appear to be of no immediate threat. Whether they are the trail
of a real threat or a phantom I can't say ... my system does not appear to be
misbehaving. Is there a way to trace registry changes? I would think that
tracing adds to HKLM\SYSTEM\CurrentControlSet\Services would shed some light.
Suggestions?

John
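John asks above whether there is a way to trace additions to HKLM\SYSTEM\CurrentControlSet\Services. The PowerShell script below is an added example and was not posted in the thread: on its first run it writes a baseline of the subkey names under that key, and on later runs it lists subkeys that were not in the baseline, flagging any that have no ImagePath value (the condition John reports for the Sta16ioss entry). The baseline file location is an assumption chosen for the example.

```powershell
# Added example, not from the thread: snapshot the Services key and diff it later.
$ServicesKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$SnapshotFile = Join-Path $env:USERPROFILE 'services-baseline.txt'   # assumed location

# Collect one record per service/driver subkey with the values worth inspecting.
function Get-ServiceKeySnapshot {
    Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name      = $_.PSChildName
            Type      = $props.Type        # DWORD: 1 = kernel driver, 2 = file system driver, 16/32 = Win32 service
            Group     = $props.Group       # load-order group, e.g. "FSFilter Encryption"
            ImagePath = $props.ImagePath   # binary the service/driver loads from; empty is suspicious
        }
    }
}

# First run: write the baseline and stop.
if (-not (Test-Path $SnapshotFile)) {
    Get-ServiceKeySnapshot | Select-Object -ExpandProperty Name | Set-Content -Path $SnapshotFile
    Write-Host "Baseline of service subkey names written to $SnapshotFile; run again after the next flood."
    return
}

# Later runs: report subkeys that did not exist when the baseline was taken.
$baseline = Get-Content -Path $SnapshotFile
$newKeys  = Get-ServiceKeySnapshot | Where-Object { $baseline -notcontains $_.Name }

if (-not $newKeys) {
    Write-Host "No new subkeys under $ServicesKey since the baseline."
    return
}

foreach ($svc in $newKeys) {
    $flag = if ([string]::IsNullOrEmpty($svc.ImagePath)) { '<-- NO IMAGEPATH' } else { '' }
    '{0,-20} Type={1} Group="{2}" ImagePath="{3}" {4}' -f $svc.Name, $svc.Type, $svc.Group, $svc.ImagePath, $flag
}
```

Run it once while the system is quiet to create the baseline, then again after the next burst of Event Viewer entries; the names it prints can be compared directly against the "driver:" and "service:" paths in the Defender messages, and an entry with a Group but no ImagePath is one to investigate rather than ignore.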
 
Guest

Hi again,

I've just had another "mini-flood". Same sequence of events, and the names
are different again, this time ending up with "driver:Cdcauan".

My suspicions now are that something is quite wrong, but I am unsure how to
proceed ... help!

Thanks, John
 
Bill Sanderson

I don't like the look or sound of these. I think my suggestion at this
point is:

1) update your antivirus and Windows Defender.

2) Try installing a trial of Ewido and updating it.

3) after all those updates, restart the system in safe mode and scan with
all three products--antivirus, Windows Defender, and Ewido.

This has the "feel" of a virus or spyware attempting an install. I'll see
if I can get the time to google the names involved, but that may not be
productive.
