Need help identifying what these might be


Guest

I have a client with Windows Defender for whom I am doing remote monitoring,
including the Windows XP Event Logs. At least a couple times a day on several
of his machines the Event Logs report several entries like the following:

U MSWinEventLog 2 System 26 Wed Apr 11 11:35:19 2007 3004 WinDefend Unknown
User N/A Warning U None Windows Defender Real-Time Protection agent has
detected changes. Microsoft recommends you analyze the software that made
these changes for potential risks. You can use information about how these
programs operate to choose whether to allow them to run or remove them from
your computer. Allow changes only if you trust the program or the software
publisher. Windows Defender can't undo changes that you allow. For more
information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409 Scan ID:
{0B110436-9929-4062-A632-464BC9C98416} User: U\DP Name: Unknown
ID: Severity: Not Yet Classified Category: Not Yet Classified
Path Found: driver:Netenumtw Alert Type: Unclassified software
Detection Type: 14

U MSWinEventLog 2 System 27 Wed Apr 11 11:35:19 2007 3004 WinDefend Unknown
User N/A Warning U None Windows Defender Real-Time Protection agent has
detected changes. Microsoft recommends you analyze the software that made
these changes for potential risks. You can use information about how these
programs operate to choose whether to allow them to run or remove them from
your computer. Allow changes only if you trust the program or the software
publisher. Windows Defender can't undo changes that you allow. For more
information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409 Scan ID:
{6AC56EED-DD12-4096-99B9-9F1205E18BE9} User: U\DP Name: Unknown
ID: Severity: Not Yet Classified Category: Not Yet Classified
Path Found: service:I2i91imww Alert Type: Unclassified software
Detection Type: 15

U MSWinEventLog 2 System 28 Wed Apr 11 11:35:21 2007 3004 WinDefend Unknown
User N/A Warning U None Windows Defender Real-Time Protection agent has
detected changes. Microsoft recommends you analyze the software that made
these changes for potential risks. You can use information about how these
programs operate to choose whether to allow them to run or remove them from
your computer. Allow changes only if you trust the program or the software
publisher. Windows Defender can't undo changes that you allow. For more
information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409 Scan ID:
{8FB9F3B6-9FA0-42A5-978D-712F8F535883} User: U\DP Name: Unknown
ID: Severity: Not Yet Classified Category: Not Yet Classified
Path Found: service:perf15acc Alert Type: Unclassified software
Detection Type: 16

U MSWinEventLog 2 System 29 Wed Apr 11 11:35:21 2007 3004 WinDefend Unknown
User N/A Warning U None Windows Defender Real-Time Protection agent has
detected changes. Microsoft recommends you analyze the software that made
these changes for potential risks. You can use information about how these
programs operate to choose whether to allow them to run or remove them from
your computer. Allow changes only if you trust the program or the software
publisher. Windows Defender can't undo changes that you allow. For more
information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409 Scan ID:
{A2A71A4F-2C67-48C1-9238-C0B0C89383ED} User: U\DP Name: Unknown
ID: Severity: Not Yet Classified Category: Not Yet Classified
Path Found: driver:perf15acc Alert Type: Unclassified software
Detection Type: 17

U MSWinEventLog 2 System 30 Wed Apr 11 11:35:22 2007 3004 WinDefend Unknown
User N/A Warning U None Windows Defender Real-Time Protection agent has
detected changes. Microsoft recommends you analyze the software that made
these changes for potential risks. You can use information about how these
programs operate to choose whether to allow them to run or remove them from
your computer. Allow changes only if you trust the program or the software
publisher. Windows Defender can't undo changes that you allow. For more
information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409 Scan ID:
{B8FB3A5F-D1B7-4472-902B-B738CA001892} User: U\DP Name: Unknown
ID: Severity: Not Yet Classified Category: Not Yet Classified
Path Found: driver:Kssacgpnvene Alert Type: Unclassified software
Detection Type: 18

U MSWinEventLog 2 System 31 Wed Apr 11 11:35:23 2007 3004 WinDefend Unknown
User N/A Warning U None Windows Defender Real-Time Protection agent has
detected changes. Microsoft recommends you analyze the software that made
these changes for potential risks. You can use information about how these
programs operate to choose whether to allow them to run or remove them from
your computer. Allow changes only if you trust the program or the software
publisher. Windows Defender can't undo changes that you allow. For more
information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409 Scan ID:
{039C11AE-FD47-476A-BF97-44031D7A3B87} User: U\DP Name: Unknown
ID: Severity: Not Yet Classified Category: Not Yet Classified
Path Found: service:Astpmamdmver Alert Type: Unclassified software
Detection Type: 19


You will notice that the "service" and "driver" names are meaningless.
Google searches turn up nothing because they are not legit names AND the
names are entirely random and DO NOT repeat. Therefore these things are
almost certainly some sort of spyware.

However, a check with several antispyware tools and rootkit detectors cannot
pinpoint the source. And since Windows Defender gives me no indication as to
what files are involved, I am stuck.

I do intend to try to use several process, driver and service enumeration
viewers to try to spot these things, but I have little hope as I suspect they
are hidden.

Has anybody seen these before? Are they known spyware or just Windows
Defender spurious identifications?
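As an added example (not code from either poster), a small Python parser for the Snare-style MSWinEventLog lines above that pulls out the Scan ID, the service/driver name and the Detection Type, then applies the poster's own reasoning as a triage rule: names that are not on an allowlist and either look random or never repeat are flagged for a closer look. The tiny allowlist, the heuristic thresholds and the Spooler entry are constructed assumptions; the other three sample entries are the thread's own, with the repeated advice text trimmed.

```python
import re
from collections import Counter

# Regex for the flattened Snare-style "MSWinEventLog" lines shown in the thread.
# The group names (scan_id, kind, name, dtype) are my own labels, not Defender's.
ENTRY_RE = re.compile(
    r"WinDefend .*?Scan ID:\s*\{(?P<scan_id>[0-9A-F-]{36})\}"
    r".*?Path Found:\s*(?P<kind>driver|service):(?P<name>\S+)"
    r".*?Detection Type:\s*(?P<dtype>\d+)",
    re.IGNORECASE | re.DOTALL,
)

# Constructed, deliberately tiny allowlist of names a defender expects on the host.
KNOWN_GOOD = {"spooler", "afd", "tcpip"}

# Three entries from the thread (advice text trimmed) plus one constructed benign entry.
SAMPLE_LOG = r"""
U MSWinEventLog 2 System 26 Wed Apr 11 11:35:19 2007 3004 WinDefend Unknown User N/A Warning U None Windows Defender Real-Time Protection agent has detected changes. Scan ID: {0B110436-9929-4062-A632-464BC9C98416} User: U\DP Name: Unknown ID: Severity: Not Yet Classified Category: Not Yet Classified Path Found: driver:Netenumtw Alert Type: Unclassified software Detection Type: 14
U MSWinEventLog 2 System 27 Wed Apr 11 11:35:19 2007 3004 WinDefend Unknown User N/A Warning U None Windows Defender Real-Time Protection agent has detected changes. Scan ID: {6AC56EED-DD12-4096-99B9-9F1205E18BE9} User: U\DP Name: Unknown ID: Severity: Not Yet Classified Category: Not Yet Classified Path Found: service:I2i91imww Alert Type: Unclassified software Detection Type: 15
U MSWinEventLog 2 System 28 Wed Apr 11 11:35:21 2007 3004 WinDefend Unknown User N/A Warning U None Windows Defender Real-Time Protection agent has detected changes. Scan ID: {8FB9F3B6-9FA0-42A5-978D-712F8F535883} User: U\DP Name: Unknown ID: Severity: Not Yet Classified Category: Not Yet Classified Path Found: service:perf15acc Alert Type: Unclassified software Detection Type: 16
U MSWinEventLog 2 System 99 Wed Apr 11 12:00:00 2007 3004 WinDefend Unknown User N/A Warning U None Windows Defender Real-Time Protection agent has detected changes. Scan ID: {00000000-0000-0000-0000-000000000000} User: U\DP Name: Unknown ID: Severity: Not Yet Classified Category: Not Yet Classified Path Found: service:Spooler Alert Type: Unclassified software Detection Type: 15
"""

def parse_entries(text):
    """Return one dict per Defender event 3004 'Real-Time Protection agent' entry."""
    return [m.groupdict() for m in ENTRY_RE.finditer(text)]

def looks_random(name):
    """Heuristic from the thread: meaningless names (digits mixed in, long consonant runs)."""
    n = name.lower()
    has_digit = any(c.isdigit() for c in n)
    runs = re.findall(r"[bcdfghjklmnpqrstvwxz]+", n)
    consonant_run = max((len(r) for r in runs), default=0)
    return has_digit or consonant_run >= 4  # thresholds are assumptions; tune per environment

def suspicious_names(entries):
    """Names not on the allowlist that look random or never repeat across the batch."""
    counts = Counter(e["name"].lower() for e in entries)
    flagged = {e["name"] for e in entries
               if e["name"].lower() not in KNOWN_GOOD
               and (looks_random(e["name"]) or counts[e["name"].lower()] == 1)}
    return sorted(flagged)

if __name__ == "__main__":
    for e in parse_entries(SAMPLE_LOG):
        print(e["scan_id"], e["kind"], e["name"], "type", e["dtype"])
    print("suspicious:", suspicious_names(parse_entries(SAMPLE_LOG)))
```

Run against a day's worth of exported entries from several hosts, the singleton rule does what the poster did by hand: a name that appears exactly once across the whole fleet is worth a closer look, while a legitimate service recurs on every machine.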

Guest

I see some unknown services here. I would look and see if you recognize them.
If not, then you should disable them and run an anti-virus application.
I2i91imww
Netenumtw
Perf15acc
Kssacgpnvene
Astpmamdmver

You could have a rootkit which is hiding them if you do not see these
services in services.msc.

-steve

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.
