new virus?

Steve

Wife got a fake blue mountain ecard yesterday and it looks like when
she clicked through we picked up a virus of some sorts. So far
neither AVG nor Panda detect it - which is worrisome. Here are the
indications.

Running in taskmon was winverr.exe, which was located in \system32\
and time stamped with the correct time for the infection. fport
showed it active on 1029 and 1031 tcp.

I killed the process, removed the startup reg key in HKLM\Software\MS
\Windows\CurrentVersion\Run and rebooted.

Upon reboot, my Firefox.exe file was replaced (same size - 7,455) with
upload.exe and all shortcuts to firefox.exe were updated to
upload.exe. Deleted that, reinstalled Firefox, rebooted, and same
thing - a new upload.exe and firefox.exe is gone.

Look back in taskmon and now it's cdrwrr.exe running on 1029 and
1031. Netstat showed the processes connecting to 209.51.196.244:80.
Both winverr.exe and cdrwrr.exe were small - about 71k in size.

Other files that have the same timestamp in \system32 are:

default_user_class.dat.LOG
looking at that in textpad shows:
s y s t e m 3 2 \ d e f a u l t _ u s e r _ c l a s s . d a t
^DIRTÿ

and a file called: ulvrsao with the only content displayable in
notepad being: Y2RydnY&

As I mentioned both AVG and Panda report the system clean. The other
suspicious factor is that it seems to be adding a 2nd duplicate letter
at the end of the running process in an attempt to hide itself -
winver.exe to winverr.exe etc.

In Eventviewer under System, I see a couple of these:


Windows Defender Real-Time Protection agent has detected changes.
Microsoft recommends you analyze the software that made these changes
for potential risks. You can use information about how these programs
operate to choose whether to allow them to run or remove them from
your computer. Allow changes only if you trust the program or the
software publisher. Windows Defender can't undo changes that you
allow.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409
Scan ID: {6198A5F8-4071-4F4B-9F15-4C5D78034F76}
User: STEVE-QPGWKTW1R\Steve
Name: Unknown
ID:
Severity: Not Yet Classified
Category: Not Yet Classified
Path Found: clsid:HKLM\SOFTWARE\CLASSES\CLSID\{9A9307A0-7DA4-4DAF-
B042-5009F29E09E1};regkey:HKLM\Software\Microsoft\Code Store Database
\Distribution Units\{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}\CONTAINS
\FILES\\C:\WINDOWS\Downloaded Program Files\asinst.dll;regkey:HKLM
\Software\Microsoft\Code Store Database\Distribution Units
\{9A9307A0-7DA4-4DAF-B042-5009F29E09E1};regkey:HKLM\SOFTWARE\CLASSES
\TYPELIB\{4387D200-E98E-4194-9684-44783E8EB4EE}\1.0;regkey:HKLM
\SOFTWARE\CLASSES\CLSID\{9A9307A0-7DA4-4DAF-
B042-5009F29E09E1};activex:HKLM\Software\Microsoft\Code Store Database
\Distribution Units\{9A9307A0-7DA4-4DAF-
B042-5009F29E09E1};typelibversion:HKLM\SOFTWARE\CLASSES\TYPELIB
\{4387D200-E98E-4194-9684-44783E8EB4EE}\1.0;typelib:HKLM\SOFTWARE
\CLASSES\TYPELIB\{4387D200-E98E-4194-9684-44783E8EB4EE};file:C:\WINDOWS
\Downloaded Program Files\asinst.dll
Alert Type: Unclassified software
Detection Type:

2nd:

Scan ID: {F1BE1670-344B-4D4F-AAB6-A2FD5D9E186C}
User: STEVE-QPGWKTW1R\Steve
Name: Unknown
ID:
Severity: Not Yet Classified
Category: Not Yet Classified
Path Found: driver:RkPavProc
Alert Type: Unclassified software
Detection Type:

3rd:

Scan ID: {A942A6AB-FD6D-405E-B44B-F043E2ACDCC8}
User: STEVE-QPGWKTW1R\Steve
Name: Unknown
ID:
Severity: Not Yet Classified
Category: Not Yet Classified
Path Found:
regkey:HKCU@S-1-5-21-1454471165-1708537768-839522115-1003\Software
\Microsoft\Windows\CurrentVersion\Run\
\SPOLSV;runkey:HKCU@S-1-5-21-1454471165-1708537768-839522115-1003\Software
\Microsoft\Windows\CurrentVersion\Run\\SPOLSV;file:C:\WINDOWS
\system32\tracerts.exe
Alert Type: Unclassified software
Detection Type:
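A small triage script, added here as an illustration and not code from the thread, that mechanizes two of the checks in the post above: spotting the doubled-letter lookalike names in \system32 (winver.exe vs winverr.exe) and turning the Windows Defender "Path Found" fields into a de-duplicated list of files, drivers and registry keys to review. Function names and the sample inputs are constructed for this example; the sample values are the ones quoted in the post.

```python
# Triage helpers for the indicators in this thread (constructed example;
# not the poster's code). The lookalike check is a heuristic: it only fires
# when the genuine neighbour exists in the same listing, so a name such as
# cdrwrr.exe is reported only if cdrwr.exe sits beside it.
import re
from typing import Dict, List, Tuple


def doubled_letter_twins(names: List[str]) -> List[Tuple[str, str]]:
    """Return (suspect, lookalike) pairs where the suspect's stem is the
    lookalike's stem with its last letter doubled. Case-insensitive."""
    present = {n.lower() for n in names}
    hits: List[Tuple[str, str]] = []
    for name in sorted(present):
        stem, dot, ext = name.rpartition(".")
        if not dot:                      # no extension: whole name is the stem
            stem, ext = ext, ""
        if len(stem) < 3 or stem[-1] != stem[-2]:
            continue
        twin = stem[:-1] + dot + ext     # drop one of the doubled letters
        if twin in present:
            hits.append((name, twin))
    return hits


def parse_path_found(field: str) -> Dict[str, List[str]]:
    """Parse one Defender 'Path Found' value (';'-separated 'kind:value'
    items) into {kind: [values]}. A leading 'Path Found:' label is
    tolerated; values are kept verbatim, HKCU@<SID> qualifier included."""
    body = re.sub(r"^\s*Path Found:\s*", "", field)
    found: Dict[str, List[str]] = {}
    for item in body.split(";"):
        kind, sep, value = item.strip().partition(":")
        if not sep or not value:
            continue                     # blank or malformed item
        found.setdefault(kind.lower(), []).append(value)
    return found


def merge_events(fields: List[str]) -> Dict[str, List[str]]:
    """Merge several events' Path Found fields, de-duplicating values
    while preserving first-seen order, so one checklist covers them all."""
    merged: Dict[str, List[str]] = {}
    for field in fields:
        for kind, values in parse_path_found(field).items():
            bucket = merged.setdefault(kind, [])
            for v in values:
                if v not in bucket:
                    bucket.append(v)
    return merged


# Constructed directory listing: the two names from the post plus benign files.
SYSTEM32_SAMPLE = ["winver.exe", "winverr.exe", "cdrwrr.exe",
                   "notepad.exe", "kernel32.dll"]

# Constructed from the three Defender events quoted above (a subset of items).
EVENTS = [
    r"Path Found: clsid:HKLM\SOFTWARE\CLASSES\CLSID\{9A9307A0-7DA4-4DAF-B042-5009F29E09E1};"
    r"regkey:HKLM\Software\Microsoft\Code Store Database\Distribution Units\{9A9307A0-7DA4-4DAF-B042-5009F29E09E1};"
    r"file:C:\WINDOWS\Downloaded Program Files\asinst.dll",
    r"driver:RkPavProc",
    r"regkey:HKCU@S-1-5-21-1454471165-1708537768-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run\\SPOLSV;"
    r"runkey:HKCU@S-1-5-21-1454471165-1708537768-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run\\SPOLSV;"
    r"file:C:\WINDOWS\system32\tracerts.exe",
]

if __name__ == "__main__":
    for suspect, twin in doubled_letter_twins(SYSTEM32_SAMPLE):
        print(f"suspect {suspect} mimics {twin}")
    for kind, values in merge_events(EVENTS).items():
        print(kind, values)
```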

Alan

Hi Steve,

There's a newsgroup at microsoft.private.security.spyware.general where many
of the regular contributors in the group -- including a couple of Microsoft
people -- might be able to give you some good advice, especially as it
pertains to Windows Defender.

Alan


Frank Saunders, MS-MVP OE/WM

Do a thorough check for malware following all of the steps at one of these
sites:
Help with malware
All MS-MVP Sites.
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://www.elephantboycomputers.com/page2.html#Removing_Malware
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/darnit.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm

Unexplained computer behavior may be caused by deceptive software.
http://support.microsoft.com/kb/827315

So How Did I Get Infected Anyway?
For quite a few people it's by installing Messenger Plus, whose ads for
malware don't identify the malware as such and try to convince you that you
owe it to the author. See also:
http://www.wilderssecurity.com/showthread.php?t=27971
Don't ever do a "default" install of anything. Always choose Custom and see
what else is being carried along. Don't install any extras you're not sure
of.

Poprivet

Just to add a little verification, Frank Saunders' advice is good and you
should give it a try; it's highly likely to help you.

There are a great many worms, trojans, spyware and other "malware" that
can do this sort of thing. Antivirus software just does NOT find those
sorts of malware; it takes other programs and applications to find them
because they aren't "viruses" in the sense that the AV programs are written
for. Besides AV software, it's advisable to have at least three other
programs to search for and protect you against spyware and other malware. I
use:
Adaware from lavasoft.com
Spybot Search & Destroy from spybot.com,
and WinPatrol from winpatrol.com.
Another one people seem to like is the Windows Defender from microsoft.com.
Then, you need a firewall. ZoneAlarm still has a free version of their
very good software firewall.
So, once you get your machine going again, you might want to consider
adding a firewall and spyware arsenal to your current AV software and keep
them all up to date, of course. Many of the programs have their own
automatic updates; some you have to remember to do manually.

Regards,
Pop`

Rock

Malware Removal
http://www.elephantboycomputers.com/page2.html#Removing_Malware

THE PARASITE FIGHT
Finding, Removing & Protecting Yourself From Scumware
http://aumha.org/a/parasite.htm

Richard Harper’s Guide to Cleaning Pests
http://rgharper.mvps.org/cleanit.htm

thepdw

mmusone- Can you let us know if you find anything out about how to
remove this? My mom got it yesterday and we are stuck as far as how
to remove it...
Thanks,

Jordon

Alan

Hi Steve,

I'm crossposting this to the microsoft.private.security.spyware.general,
microsoft.private.security.spyware.announcements and the
microsoft.public.security.virus newsgroups.

Maybe someone in one of those groups will have some ideas as to cleaning
this.

At least they will be on the alert that a new virus seems to be making its
way through the 'Net.

Alan
