Bluetooth False positives

[wildman424]

Bluetooth False Positives
annoying

not being detected as a threat, just being sandboxed on startup. It causes the system pause until you decide whether or not to sandbox it,
its annoying


devmonsrv.exe & mediasrv.exe



File name: devmonsrv.exe
MD5: 093b1b419ef25b15d3a1ca6953f41afb
SHA1: a6944b710dc2f99f4bb2605dac7581b1da0ec28b
SHA256: 52b7ad47ce65bea723ed361e67781e237ee85d71d8233bf965f69b1c6353ade4
ssdeep: 12288:DL6b1p8IBtfLGj7FNOUe5ZK1FNjNje+pXC1NxJ4iRQxQjGGI:G1p8IBk7FNgPINw13JjQxQ2
File size: 897088 bytes
First seen: 2011-02-07 23:51:30
Last seen: 2011-10-05 11:39:45

sigcheck:
publisher....: Intel Corporation
copyright....: Copyright Motorola, Inc. 2010
product......: Intel PROSet\Wireless Bluetooth
description..: Bluetooth Device Monitor
original name: devmonsrv.exe
internal name: devmonsrv.exe
file version.: 1.0.0.0040
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

http://www.virustotal.com/file-scan/report.html?id=52b7ad47ce65bea723ed361e67781e237ee85d71d8233bf965f69b1c6353ade4-1317814785

--------------------------

File name: mediasrv.exe
MD5   : 03a7341e94acd92e0831336d4f3ace92
SHA1  : b79ee6b0f81533962635cdcda6765897a941d087
SHA256: b7bf8b549f2e1508e13568a735c20e799751143de7d58728100e0eb527d39ac6
ssdeep: 24576:8ths92/2zBFG0n2SqAH0Yis8GP4lTP/1qDPO7z8m0qAXVV:0hs92/qBFcA1rATwa7z+qAFV
File size : 1298496 bytes
First seen: 2011-04-16 19:55:56
Last seen : 2011-10-05 11:38:00

sigcheck:
publisher....: Intel Corporation
copyright....: Copyright Motorola, Inc. 2010
product......: Intel PROSet\Wireless Bluetooth
description..: Bluetooth Media Service
original name: mediasrv.exe
internal name: mediasrv
file version.: 1.0.0.0040
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

http://www.virustotal.com/file-scan/report.html?id=b7bf8b549f2e1508e13568a735c20e799751143de7d58728100e0eb527d39ac6-1317814680

======

Code: [Select]

file location:

C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe
C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe

=====

Registry Export:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Bluetooth Device Monitor]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,\
  6d,00,20,00,46,00,69,00,6c,00,65,00,73,00,20,00,28,00,78,00,38,00,36,00,29,\
  00,5c,00,49,00,6e,00,74,00,65,00,6c,00,5c,00,42,00,6c,00,75,00,65,00,74,00,\
  6f,00,6f,00,74,00,68,00,5c,00,64,00,65,00,76,00,6d,00,6f,00,6e,00,73,00,72,\
  00,76,00,2e,00,65,00,78,00,65,00,22,00,00,00
"DisplayName"="Bluetooth Device Monitor"
"DependOnService"=hex(7):52,00,50,00,43,00,53,00,53,00,00,00,00,00
"WOW64"=dword:00000001
"ObjectName"="LocalSystem"
"Description"="A process to monitor Bluetooth radio state and configure Bluetooth remote folders."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Bluetooth Media Service]
"Type"=dword:00000020
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,\
  6d,00,20,00,46,00,69,00,6c,00,65,00,73,00,20,00,28,00,78,00,38,00,36,00,29,\
  00,5c,00,49,00,6e,00,74,00,65,00,6c,00,5c,00,42,00,6c,00,75,00,65,00,74,00,\
  6f,00,6f,00,74,00,68,00,5c,00,6d,00,65,00,64,00,69,00,61,00,73,00,72,00,76,\
  00,2e,00,65,00,78,00,65,00,22,00,00,00
"DisplayName"="Bluetooth Media Service"
"DependOnService"=hex(7):62,00,74,00,68,00,73,00,65,00,72,00,76,00,00,00,00,00
"WOW64"=dword:00000001
"ObjectName"="LocalSystem"
"Description"="Provides Bluetooth Media Profiles support"

======


from OTL log

[color=#E56717]========== Win32 Services (SafeList) ==========[/color]
SRV - [2010/11/03 13:01:20 | 001,298,496 | ---- | M] (Intel Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe -- (Bluetooth Media Service)

SRV - [2010/11/03 12:53:28 | 000,897,088 | ---- | M] (Intel Corporation) [Auto | Stopped] -- C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe -- (Bluetooth Device Monitor)

===

from HJT log

O23 - Service: Bluetooth Device Monitor - Intel Corporation - C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe

O23 - Service: Bluetooth Media Service - Intel Corporation - C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe

====

From dds log

============= SERVICES / DRIVERS ===============
S2 Bluetooth Device Monitor;Bluetooth Device Monitor;C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe [2010-11-3 897088]

S3 Bluetooth Media Service;Bluetooth Media Service;C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe [2010-11-3 1298496]

=======



[Pondus]

easyer if you post the VT links so we can just click them   

http://www.virustotal.com/file-scan/report.html?id=52b7ad47ce65bea723ed361e67781e237ee85d71d8233bf965f69b1c6353ade4-1317814785
http://www.virustotal.com/file-scan/report.html?id=b7bf8b549f2e1508e13568a735c20e799751143de7d58728100e0eb527d39ac6-1317814680



you can report FP here
http://www.avast.com/en-us/contact-form.php?loadStyles

[wildman424]

easyer if you post the VT links so we can just click them    

http://www.virustotal.com/file-scan/report.html?id=52b7ad47ce65bea723ed361e67781e237ee85d71d8233bf965f69b1c6353ade4-1317814785
http://www.virustotal.com/file-scan/report.html?id=b7bf8b549f2e1508e13568a735c20e799751143de7d58728100e0eb527d39ac6-1317814680



you can report FP here
http://www.avast.com/en-us/contact-form.php?loadStyles

sorry bout that ,edited the first post
I sent in a copy of the files

Thanks

[misak]

Hi,

files have been added to white-list to prevent autoSNX popup. Fix will be in next VPS (111005-1) update.

[wildman424]

Thanks fellas