Appcrash and possible malware

Posted by Chris Lively on Super User See other posts from Super User or by Chris Lively
Published on 2011-11-01T19:35:26Z Indexed on 2012/03/23 5:33 UTC


First off, I'm running MS Intune Endpoint Protection. It is completely up to date.

On 10/25 @ 11:53PM I came across a site that caused Intune to freak out:

Microsoft Antimalware has detected malware or other potentially unwanted software.
 For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win64/Sirefef.B&threatid=2147646729
    Name: Trojan:Win64/Sirefef.B
    ID: 2147646729
    Severity: Severe
    Category: Trojan
    Path: file:_C:\Windows\System32\consrv.dll
    Detection Origin: Local machine
    Detection Type: Concrete
    Detection Source: Real-Time Protection
    User: NT AUTHORITY\SYSTEM
    Process Name: C:\Windows\explorer.exe
    Signature Version: AV: 1.115.526.0, AS: 1.115.526.0, NIS: 10.7.0.0
    Engine Version: AM: 1.1.7801.0, NIS: 2.0.7707.0

I, of course, elected to simply delete the file.

Since then my machine has been randomly giving an error about "Host Process for Windows Services" stopped working. There are generally two different pieces of info:

Description
Faulting Application Path:  C:\Windows\System32\svchost.exe

Problem signature
Problem Event Name: BEX64
Application Name:   svchost.exe
Application Version:    6.1.7600.16385
Application Timestamp:  4a5bc3c1
Fault Module Name:  StackHash_52d4
Fault Module Version:   0.0.0.0
Fault Module Timestamp: 00000000
Exception Offset:   000062bdabe00000
Exception Code: c0000005
Exception Data: 0000000000000008
OS Version: 6.1.7601.2.1.0.256.27
Locale ID:  1033
Additional Information 1:   52d4
Additional Information 2:   52d47b8b925663f9d6437d7892cdf21b
Additional Information 3:   ed24
Additional Information 4:   ed24528f3b69e8539b5c5c2158896d3e

and

Description
Faulting Application Path:  C:\Windows\System32\svchost.exe

Problem signature
Problem Event Name: APPCRASH
Application Name:   svchost.exe
Application Version:    6.1.7600.16385
Application Timestamp:  4a5bc3c1
Fault Module Name:  mshtml.dll
Fault Module Version:   9.0.8112.16437
Fault Module Timestamp: 4e5f1784
Exception Code: c0000005
Exception Offset:   00000000002ed3c2
OS Version: 6.1.7601.2.1.0.256.27
Locale ID:  1033
Additional Information 1:   3e9e
Additional Information 2:   3e9e8b83f6a5f2a25451516023078a83
Additional Information 3:   432a
Additional Information 4:   432a0284c502cce3bbb92a3bd555fe65

Intune claims the machine is clean. I've also tried some of the online scanners like Trend Micro, all of which claimed the system is clean.

Finally, I tried the "sfc /scannow" and it said all was good.

I left my machine on after I left last night and there were about 50 of those messages.

Ideas on how to proceed?
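The two "Problem signature" records in the question carry more triage information than they appear to. An `Exception Code` of `c0000005` is `STATUS_ACCESS_VIOLATION`, and for that code the first `Exception Data` qword is the access type from the exception record: `0` for read, `1` for write and `8` for an execute access, which is what DEP raises when something tries to run code from a non-executable page. A `Fault Module Name` of `StackHash_…` means Windows Error Reporting could not map the faulting address to any loaded module, and `BEX64` is the WER event class for that buffer-overrun/DEP kind of fault. The following Python script is an added example, not part of the original post or of any Microsoft tool: it parses the two records exactly as quoted above (embedded as test input), decodes those fields and emits a triage verdict for each. The verdict labels are my own; the field meanings are the documented ones.

```python
import re

# The two WER problem signatures quoted in the question, used here as inline test input.
REPORTS = """Problem Event Name: BEX64
Application Name:   svchost.exe
Application Version:    6.1.7600.16385
Application Timestamp:  4a5bc3c1
Fault Module Name:  StackHash_52d4
Fault Module Version:   0.0.0.0
Fault Module Timestamp: 00000000
Exception Offset:   000062bdabe00000
Exception Code: c0000005
Exception Data: 0000000000000008

Problem Event Name: APPCRASH
Application Name:   svchost.exe
Application Version:    6.1.7600.16385
Application Timestamp:  4a5bc3c1
Fault Module Name:  mshtml.dll
Fault Module Version:   9.0.8112.16437
Fault Module Timestamp: 4e5f1784
Exception Code: c0000005
Exception Offset:   00000000002ed3c2
"""

# "Field Name:   value" with arbitrary whitespace around the colon.
FIELD_RE = re.compile(r"^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*?)\s*$")

# ExceptionInformation[0] for STATUS_ACCESS_VIOLATION (0xC0000005).
AV_KIND = {0: "read", 1: "write", 8: "execute"}


def parse_reports(text):
    """Split WER text on blank lines and return one dict per record."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if m:
                rec[m.group(1)] = m.group(2)
        if rec:
            records.append(rec)
    return records


def triage(rec):
    """Return (verdict, reasons) for one parsed record. Verdict labels are my own."""
    reasons = []
    code = rec.get("Exception Code", "").lower()
    module = rec.get("Fault Module Name", "")
    data = rec.get("Exception Data")
    kind = "unknown"
    if code == "c0000005":
        if data:
            kind = AV_KIND.get(int(data, 16), "unknown")
        reasons.append(f"access violation ({kind} access)")
    if module.startswith("StackHash_"):
        reasons.append("fault address not inside any loaded module")
    if rec.get("Problem Event Name") == "BEX64":
        reasons.append("BEX64 event class (DEP / buffer-overrun fault)")

    # Execute-type AV from memory that belongs to no module: DEP stopped code that
    # was never loaded as an image, the classic footprint of injected code.
    if kind == "execute" and module.startswith("StackHash_"):
        return "likely-injected-code", reasons
    # Crash inside a real module: note which one, because the IE rendering engine
    # (mshtml.dll) is not something a service host normally needs.
    if module.lower() == "mshtml.dll":
        reasons.append("mshtml.dll (IE rendering engine) loaded in a service host")
        return "investigate-loaded-modules", reasons
    return "ordinary-crash", reasons


def summarize(text):
    """Convenience: list of (event name, fault module, verdict) for every record."""
    return [
        (r.get("Problem Event Name"), r.get("Fault Module Name"), triage(r)[0])
        for r in parse_reports(text)
    ]


if __name__ == "__main__":
    for rec in parse_reports(REPORTS):
        verdict, why = triage(rec)
        print(f"{rec['Problem Event Name']:9} {rec['Fault Module Name']:16} -> {verdict}")
        for w in why:
            print("    -", w)
```

For the first record the script reports an execute-access violation from an address outside every loaded module, which is why a DEP-protected `svchost.exe` keeps dying: whatever was left behind after `consrv.dll` was deleted is still being injected and then blocked. The natural next check is which service instance of `svchost.exe` is crashing and which non-Microsoft DLLs it has loaded; the second record points the same way, since `mshtml.dll` is not a module a service host normally pulls in.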
