planet

FPs system32 config folder .evt files

4 posts in this topic

Here's the log file in developer mode as requested. The 3 listings for the security center are ok; I have my security center disabled. The 7 files in the config folder I believe are FP.

Malwarebytes' Anti-Malware 1.35

Database version: 1931

Windows 5.1.2600 Service Pack 2

4/2/2009 9:24:49 AM

mbam-log-2009-04-02 (09-24-28).txt

Scan type: Quick Scan

Objects scanned: 70875

Time elapsed: 8 minute(s), 6 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 7

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken. [5138494534363830414438586445483634456446343641424738615248395356345138614674688380848071856152706886837485900136707985708393347985745574838684377484666777704780857471903018130117]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken. [5138494534363830414438586445483634456446343641424738615248395356345138614674688380848071856152706886837485900136707985708393397483708866777737748466677770478085747190301813011 7]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken. [5138494534363830414438586445483634456446343641424738615248395356345138614674688380848071856152706886837485900136707985708393548169668570843774846667777047808574719030181301 17]

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt (Rootkit.Agent.H) -> No action taken. [52686679398083388785518080857674850910013986796885748079]

C:\WINDOWS\SYSTEM32\CONFIG\Cisco An.evt (Rootkit.Agent.H) -> No action taken. [52686679398083388785518080857674850910013986796885748079]

C:\WINDOWS\SYSTEM32\CONFIG\ODiag.evt (Rootkit.Agent.H) -> No action taken. [52686679398083388785518080857674850910013986796885748079]

C:\WINDOWS\SYSTEM32\CONFIG\OSession.evt (Rootkit.Agent.H) -> No action taken. [52686679398083388785518080857674850910013986796885748079]

C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt (Rootkit.Agent.H) -> No action taken. [52686679398083388785518080857674850910013986796885748079]

C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt (Rootkit.Agent.H) -> No action taken. [52686679398083388785518080857674850910013986796885748079]

C:\WINDOWS\SYSTEM32\CONFIG\VPN.evt (Rootkit.Agent.H) -> No action taken. [52686679398083388785518080857674850910013986796885748079]


Sorry, just to add, I uploaded about 4 of these .evt files to jotti and all vendors found nothing. Thanks again.


I need 2 things. I need a zipped copy of any of those files and I need to know if you are on a limited account.

I know how this heuristic works and under normal circumstances it can't hit those files no matter what, so there is more going on here.


nosirrah,

thanks for your input. I did do the quick scan from my limited user account. I didn't realize Malwarebytes is recommended to run only from an administrator account. Consequently, I logged into my admin account and scanned the system32/config folder. No malicious items were reported on this scan. So, I'm hoping that all is well.

Thanks again.

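The thread's resolution hinges on one check: whether the account the scanner ran under could actually open the flagged files. The following PowerShell script is an added example (not code from the thread, from Malwarebytes, or from the poster) that performs that triage on the file names listed in the scan log above: it reports whether the session is elevated, tries to open each file for reading, and, where the open succeeds, records a SHA-256 hash that can be submitted to a multi-engine scanner such as Jotti, as the poster did. It assumes the files live under the current %SystemRoot%\system32\config; nothing else about the machine is assumed.

```powershell
# Added example: triage a suspected false positive on Windows event-log files.
# File names below are the ones listed in the scan log in this thread; the
# directory is resolved from the environment rather than hard-coded.
$flagged = @(
    'AppEvent.Evt', 'Cisco An.evt', 'ODiag.evt', 'OSession.evt',
    'SecEvent.Evt', 'SysEvent.Evt', 'VPN.evt'
)
$configDir = Join-Path $env:SystemRoot 'system32\config'

# Is this session running with administrative rights? A limited account
# cannot read these files, so a scanner started from it sees them differently.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Running as $($identity.Name); elevated: $isAdmin"

foreach ($name in $flagged) {
    $path = Join-Path $configDir $name
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Host "$path : not present on this system"
        continue
    }
    try {
        # Open read-only, allowing the Event Log service to keep its own handle.
        $fs = [System.IO.File]::Open($path, 'Open', 'Read', 'ReadWrite')
        $fs.Close()
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        Write-Host "$path : readable, SHA256 $hash"
    } catch [System.UnauthorizedAccessException] {
        # Same condition a scanner hits when run from a limited account.
        Write-Host "$path : access denied for this account"
    } catch {
        # Sharing violations and other I/O errors are reported, not hidden.
        Write-Host "$path : $($_.Exception.GetType().Name) - $($_.Exception.Message)"
    }
}
```

Run it once from the limited account and once from an administrator account; a detection that appears only in the first case, on files the first account cannot open, points at the access problem rather than at the files, and the hashes from the elevated run are what to submit for a second opinion.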
