Solved [Suspected infection] EventService from ViewSonic

Joined
Mar 10, 2015
Messages
27
#1
Hello,

A few days ago I found something called "EventService" installed on my old XP laptop as a "driver".

I've made another post asking whether the program is malicious or not, but no conclusion has been reached. Here's all the detail I know:
https://malwaretips.com/threads/que...iver-from-viewsonic-laptop.57144/#post-490866

I don't know if there are still suspicious or even malicious files on my laptop after I uninstalled it, so I've come here for your help. Thanks!

-Zevin
Operating System
Windows XP
Are you using a 32-bit or 64-bit operating system?
32-bit (x86)
Infection date and initial symptoms
A few days ago, when the timer on my laptop went insanely fast.
Current issues and symptoms
Nothing looks wrong after I uninstalled it.
Steps taken in order to remove the infection
Ran FRST Scan, uninstalled the application, ran AdwCleaner scan

#5
Ummm... But why would you think it's not malicious?

I'm worried about this program due to these indicators:
1. The installer provides no EULA or any description of its service. Seriously, nothing can be found.
2. The program states that it's produced by "OEM" in Control Panel, with "SweetHome" as its registered company name. Both of them look fake.
3. The main executable states that it's produced by "Gray Workshop". It's different from the "producer" mentioned in 2., and nothing informative can be found by searching "Gray Workshop EventService" on Google.
4. The "3G Module" mentioned in the log file is unknown. Neither the program itself nor the Internet says anything about it.
To be honest, I find no explanation other than it's a piece of grayware or even malware disguised as a legit program.

TwinHeadedEagle

Removal Expert
Staff member
Joined
Mar 8, 2013
Messages
22,094
OS
Windows 10
Antivirus
ESET
#6
Can you scan this file?

S3 PHYMEM; C:\Program Files\OEM\EventService\phymem.sys [6656 2009-04-11] ()
#7
It's not detected by VT at all.
link: Antivirus scan for 04496c3552a0c9b0ae7d3aa52f7eaf91c668690f4a24c038bec4ffc1c1b2d7d7 at 2016-03-15 14:46:57 UTC - VirusTotal

BTW I think I accidentally found some source code (phymem.sys and pmdll.dll).
The CRC32s in the source files I found match the ones installed by the suspicious program.
Here's the link to the source code I found:
Access Physical Memory, Port and PCI Configuration Space - CodeProject
The site looks trustworthy (it's a source control site, I think), but the code was released in China.
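The comparison described in the post above (matching the installed driver files against a published build by checksum) can be done reproducibly, and it is worth doing with SHA-256 rather than CRC32 alone: CRC32 is a 32-bit checksum with no collision resistance, so a CRC32 match is weak evidence that a file is the published build, while the SHA-256 that VirusTotal reports is strong evidence. The script below is an added example, not code from the thread or from the CodeProject project. The file contents it hashes are constructed stand-ins written to a temporary directory; the only real value is the phymem.sys SHA-256 quoted from the VirusTotal link in the post, so that entry reports "mismatch" against the stand-in.

```python
"""Verify files in an install folder against reference hashes (added example)."""
import hashlib
import os
import tempfile
import zlib
from dataclasses import dataclass

# SHA-256 of phymem.sys as given in the VirusTotal link quoted in post #7.
PHYMEM_SHA256 = "04496c3552a0c9b0ae7d3aa52f7eaf91c668690f4a24c038bec4ffc1c1b2d7d7"


@dataclass
class FileHashes:
    name: str
    size: int
    crc32: str   # 8 lowercase hex digits, zero-padded
    sha256: str  # 64 lowercase hex digits


def hash_bytes(data: bytes) -> tuple:
    """Return (crc32_hex, sha256_hex) for an in-memory blob."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    return f"{crc:08x}", hashlib.sha256(data).hexdigest()


def hash_file(path: str, chunk_size: int = 1 << 20) -> FileHashes:
    """Stream a file through CRC32 and SHA-256 so large binaries are not read at once."""
    crc, sha, size = 0, hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            crc = zlib.crc32(chunk, crc)  # incremental CRC32, seeded with the running value
            sha.update(chunk)
            size += len(chunk)
    return FileHashes(os.path.basename(path), size, f"{crc & 0xFFFFFFFF:08x}", sha.hexdigest())


def classify(found: FileHashes, reference: dict) -> str:
    """Compare one file against a reference entry carrying 'sha256', 'crc32' or both.

    SHA-256 decides when it is available. A CRC32-only reference (what a source
    package might list) can at best give a 'weak-match', never a 'match'.
    """
    sha_ref = reference.get("sha256")
    crc_ref = reference.get("crc32")
    if sha_ref is not None:
        return "match" if found.sha256 == sha_ref.lower() else "mismatch"
    if crc_ref is not None:
        return "weak-match" if found.crc32 == crc_ref.lower() else "mismatch"
    return "no-reference"


def verify_directory(directory: str, references: dict) -> dict:
    """Hash every regular file under `directory` and classify it by (lower-cased) file name."""
    results = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            found = hash_file(os.path.join(root, name))
            results[name] = classify(found, references.get(name.lower(), {}))
    return results


def demo() -> dict:
    """Build a constructed install folder in a temp dir and verify it.

    File contents are made up (assumption); only the phymem.sys reference hash
    is the one quoted in the thread, so that entry reports 'mismatch' here.
    """
    with tempfile.TemporaryDirectory() as tmp:
        files = {
            "phymem.sys": b"hello world",              # constructed stand-in
            "pmdll.dll": b"constructed dll contents",  # constructed stand-in
            "EventService.exe": b"constructed exe",    # no reference listed
        }
        for name, content in files.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(content)
        dll_crc, _ = hash_bytes(files["pmdll.dll"])
        references = {
            "phymem.sys": {"sha256": PHYMEM_SHA256},
            "pmdll.dll": {"crc32": dll_crc},  # CRC32 only, as a source package might list
        }
        return verify_directory(tmp, references)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{name:18} {status}")
```

To use it on a real machine, point verify_directory at the install folder (the thread's FRST line gives C:\Program Files\OEM\EventService) and fill the references table with the SHA-256 values from VirusTotal or from a build you compiled yourself from the published source; treat "weak-match" as a reason to obtain a SHA-256, not as a verdict.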

TwinHeadedEagle
#8
I am not sure, but it looks legit. Chinese programs are a huge mess and a headache, so I really don't know how to help you.
#9
Well... Thank you anyway. :)

But can I ask you one more question?
Is there any free/low-cost deep program-analysis platform on the Internet? I wonder why it needs to access physical memory...