Appcrash and possible malware
- by Chris Lively
First off, I'm running MS Intune Endpoint Protection. It is completely up to date.
On 10/25 @ 11:53 PM I came across a site that caused Intune to freak out:
Microsoft Antimalware has detected malware or other potentially unwanted software.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win64/Sirefef.B&threatid=2147646729
Name: Trojan:Win64/Sirefef.B
ID: 2147646729
Severity: Severe
Category: Trojan
Path: file:_C:\Windows\System32\consrv.dll
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
User: NT AUTHORITY\SYSTEM
Process Name: C:\Windows\explorer.exe
Signature Version: AV: 1.115.526.0, AS: 1.115.526.0, NIS: 10.7.0.0
Engine Version: AM: 1.1.7801.0, NIS: 2.0.7707.0
I, of course, elected to simply delete the file.
Since then my machine has been randomly giving an error that "Host Process for Windows Services" has stopped working. There are generally two different pieces of info:
Description
Faulting Application Path: C:\Windows\System32\svchost.exe
Problem signature
Problem Event Name: BEX64
Application Name: svchost.exe
Application Version: 6.1.7600.16385
Application Timestamp: 4a5bc3c1
Fault Module Name: StackHash_52d4
Fault Module Version: 0.0.0.0
Fault Module Timestamp: 00000000
Exception Offset: 000062bdabe00000
Exception Code: c0000005
Exception Data: 0000000000000008
OS Version: 6.1.7601.2.1.0.256.27
Locale ID: 1033
Additional Information 1: 52d4
Additional Information 2: 52d47b8b925663f9d6437d7892cdf21b
Additional Information 3: ed24
Additional Information 4: ed24528f3b69e8539b5c5c2158896d3e
and
Description
Faulting Application Path: C:\Windows\System32\svchost.exe
Problem signature
Problem Event Name: APPCRASH
Application Name: svchost.exe
Application Version: 6.1.7600.16385
Application Timestamp: 4a5bc3c1
Fault Module Name: mshtml.dll
Fault Module Version: 9.0.8112.16437
Fault Module Timestamp: 4e5f1784
Exception Code: c0000005
Exception Offset: 00000000002ed3c2
OS Version: 6.1.7601.2.1.0.256.27
Locale ID: 1033
Additional Information 1: 3e9e
Additional Information 2: 3e9e8b83f6a5f2a25451516023078a83
Additional Information 3: 432a
Additional Information 4: 432a0284c502cce3bbb92a3bd555fe65
Intune claims the machine is clean. I've also tried some of the online scanners like Trend Micro, all of which claimed the system is clean.
Finally, I tried the "sfc /scannow" and it said all was good.
I left my machine on after I left last night and there were about 50 of those messages.
Ideas on how to proceed?
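As an added triage example that is not part of the original post: a PowerShell script to run elevated on the affected Windows 7 x64 machine that checks whether anything still references the deleted consrv.dll, tallies the svchost.exe crashes from the Application log by faulting module, and finds which service host has mshtml.dll loaded. The two-day window, the expectation that the SubSystems value should name winsrv, and the check order are my assumptions, not the poster's; the registry detail comes from Microsoft's published Sirefef write-ups.

```powershell
# Added triage script (not from the original post). Assumptions: Windows 7 x64
# as described in the post, Windows PowerShell 2.0 or later, run from an
# elevated prompt. The 2-day window is arbitrary; widen it if needed.
$Since = (Get-Date).AddDays(-2)

# 1. Is anything still pointing at consrv.dll?
#    The 64-bit Sirefef variants are documented to replace
#    "ServerDll=winsrv:ConServerDllInitialization,2" with
#    "ServerDll=consrv:ConServerDllInitialization,2" in the Session Manager
#    SubSystems key so that csrss.exe loads the trojan DLL at boot. Deleting
#    the file alone leaves that entry dangling, so inspect it explicitly.
$subsysKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
$subsys    = Get-ItemProperty -Path $subsysKey -Name Windows
$consrvRef = $subsys.Windows -match 'ServerDll=consrv'
$consrvOnDisk = Test-Path "$env:SystemRoot\System32\consrv.dll"
"SubSystems\Windows references consrv: $consrvRef"
"consrv.dll still on disk:             $consrvOnDisk"
if ($consrvRef) { "Raw value: " + $subsys.Windows }

# 2. Tally svchost.exe crashes (Event ID 1000, provider 'Application Error';
#    BEX64 and APPCRASH both land here) by faulting module and exception code.
#    One module every time points at one bad service; many different modules
#    point at a damaged or hooked host process.
$filter  = @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = $Since }
$crashes = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Faulting application name: svchost\.exe' }

"svchost.exe crash events since ${Since}: $(@($crashes).Count)"
$crashes |
    ForEach-Object {
        # Parse the module and exception code out of the event text.
        $module = if ($_.Message -match 'Faulting module name: ([^,]+)')     { $Matches[1] } else { 'unknown' }
        $code   = if ($_.Message -match 'Exception code: (0x[0-9a-fA-F]+)') { $Matches[1] } else { 'unknown' }
        New-Object PSObject -Property @{ Time = $_.TimeCreated; Module = $module; ExceptionCode = $code }
    } |
    Group-Object Module, ExceptionCode |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 3. mshtml.dll is the Internet Explorer rendering engine and is rarely loaded
#    by a service host. Find the svchost instances that have it loaded now and
#    map each PID to the services it hosts, so the crashing group can be isolated.
Get-Process svchost -ErrorAction SilentlyContinue |
    Where-Object { ($_.Modules | ForEach-Object { $_.ModuleName }) -contains 'mshtml.dll' } |
    ForEach-Object {
        "PID $($_.Id) has mshtml.dll loaded; hosted services:"
        tasklist /svc /fi "PID eq $($_.Id)" /fo list
    }

# 4. Confirm the crashing module on disk is the genuine signed Microsoft binary.
Get-AuthenticodeSignature "$env:SystemRoot\System32\mshtml.dll" |
    Select-Object Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
```

If step 1 reports that the SubSystems value still names consrv, do not reboot until that entry is restored to winsrv: csrss.exe cannot initialize without its console ServerDll, and the machine will fail to start. Step 2 is the useful discriminator for the question asked: a crash table dominated by a single module and service group is a service problem to chase with a crash dump, while a spread across many modules in several hosts is a reason to distrust the on-disk system files despite the clean scans.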