Weird Windows Defender behavior
To begin with, I run Windows 7 Professional. I keep it patched up to date. I also run ESET NOD32 v4, and Windows Defender is on by default. Malwarebytes AntiMalware is run once a week on-demand.
Today I launched Steam, connected, and found there was a patch. I downloaded the patch and let it install. After it installed, I reconnected to Steam, and suddenly Windows Defender popped up.
The popup balloon didn't say that it had found a virus or malware. It said it flagged SteamServiceTmp.exe, and that it wanted to submit the file to Microsoft. I don't know if this means there was a virus in the file or some other malware. I think that's unlikely, considering it came directly from Valve (that's the file that launches to patch the Steam Service), but I'm not sure what that means. I can't find any record of the file being detected in the Windows Defender History at all. Does this mean I have a virus? What is this all about?
All I can find is this information from the Event Viewer:
Fault bucket 864089046, type 5
Event Name: AVSubmit
Response: Not available
Cab Id: 0
Problem signature:
P1: Windows Defender
P2: 1.1.5302.0
P3: unspecified
P4: 1.71.700.0
P5: 00175e0c-0000-0000-0000-000000000000,7B6FEFA17A704B6D4A03BFABB1DBC794703D480F
P6:
P7:
P8:
P9:
P10:
Attached files:
\\?\C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{BF619DBF-AF9E-8823-3E83-12DE9B785E0B}-SteamServiceTmp.exe
C:\Users\{Omitted}\AppData\Local\Temp\MPSampleSubmit\client_manifest.txt
These files may be available here:
C:\Users\{Omitted}\AppData\Local\Microsoft\Windows\WER\ReportArchive\NonCritical_Windows Defender_aaba7e9e24b775a1b21d5c41a485d822c4ec703b_0ac496bf
Analysis symbol:
Rechecking for solution: 0
Report Id: 78cda38e-e5ff-11de-862f-001fbc01945b
Report Status: 0
EDIT: Upon review, here are the contents of the Report.wer file that was generated:
Version=1
EventType=AVSubmit
EventTime=129049732283935547
Consent=2
UploadTime=129049732284013672
ReportIdentifier=78cda38e-e5ff-11de-862f-001fbc01945b
Response.BucketId=864089046
Response.BucketTable=5
Response.type=4
Sig[0].Name=Problem Signature 01
Sig[0].Value=Windows Defender
Sig[1].Name=Problem Signature 02
Sig[1].Value=1.1.5302.0
Sig[2].Name=Problem Signature 03
Sig[2].Value=unspecified
Sig[3].Name=Problem Signature 04
Sig[3].Value=1.71.700.0
Sig[4].Name=Problem Signature 05
Sig[4].Value=00175e0c-0000-0000-0000-000000000000,7B6FEFA17A704B6D4A03BFABB1DBC794703D480F
DynamicSig[1].Name=OS Version
DynamicSig[1].Value=6.1.7600.2.0.0.256.48
DynamicSig[2].Name=Locale ID
DynamicSig[2].Value=1033
State[0].Key=Transport.DoneStage1
State[0].Value=1
FriendlyEventName=AVSubmit
ConsentKey=AVSubmit
AppName=Windows Defender User Interface
AppPath=C:\Program Files\Windows Defender\MSASCui.exe
I uploaded the file to Virustotal, but the report has since expired. It came back with 1/41 as the result, with Panda finding the only positive (W32/Xor-encoded.A), and everything else being negative.
Last edited by Carbonyl; 10 Dec 2009 at 23:24.
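When triaging a report like the one above, the useful facts are buried in the WER key=value file: which event type it is, when it fired, and the identifiers in "Problem Signature 05", whose second half is a 40-character hex string that looks like a SHA-1 of the submitted sample. The following Python script is an added example (not code from the original post, Microsoft or Valve) that parses the Report.wer text quoted in the post and pulls those facts out. It assumes that EventTime is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC, which decodes to the evening of 10 December 2009 and matches the post's date), that signature 02 is the scan engine version and signature 04 the definition version, and that the hex part of signature 05 is the sample's SHA-1; those three labels are assumptions, not something the post states.

```python
import re
from datetime import datetime, timedelta, timezone

# Report.wer contents as quoted in the post (AVSubmit report for SteamServiceTmp.exe).
REPORT_WER = """\
Version=1
EventType=AVSubmit
EventTime=129049732283935547
Consent=2
UploadTime=129049732284013672
ReportIdentifier=78cda38e-e5ff-11de-862f-001fbc01945b
Response.BucketId=864089046
Response.BucketTable=5
Response.type=4
Sig[0].Name=Problem Signature 01
Sig[0].Value=Windows Defender
Sig[1].Name=Problem Signature 02
Sig[1].Value=1.1.5302.0
Sig[2].Name=Problem Signature 03
Sig[2].Value=unspecified
Sig[3].Name=Problem Signature 04
Sig[3].Value=1.71.700.0
Sig[4].Name=Problem Signature 05
Sig[4].Value=00175e0c-0000-0000-0000-000000000000,7B6FEFA17A704B6D4A03BFABB1DBC794703D480F
DynamicSig[1].Name=OS Version
DynamicSig[1].Value=6.1.7600.2.0.0.256.48
DynamicSig[2].Name=Locale ID
DynamicSig[2].Value=1033
State[0].Key=Transport.DoneStage1
State[0].Value=1
FriendlyEventName=AVSubmit
ConsentKey=AVSubmit
AppName=Windows Defender User Interface
AppPath=C:\\Program Files\\Windows Defender\\MSASCui.exe
"""

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SHA1_RE = re.compile(r"\b[0-9A-Fa-f]{40}\b")          # 40 hex chars = SHA-1 length
SIG_NAME_RE = re.compile(r"^(?:Dynamic)?Sig\[\d+\]\.Name$")


def parse_wer(text):
    """Parse the key=value lines of a Report.wer file into a dict (first key wins, order kept)."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue                       # skip blank lines and anything that is not key=value
        key, _, value = line.partition("=")
        fields.setdefault(key.strip(), value.strip())
    return fields


def filetime_to_datetime(value):
    """Decode a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC); assumed format of EventTime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)


def signatures(fields):
    """Join Sig[n].Name / Sig[n].Value (and DynamicSig[n].*) pairs into a name -> value dict."""
    out = {}
    for key, name in fields.items():
        if SIG_NAME_RE.match(key):
            out[name] = fields.get(key[: -len("Name")] + "Value", "")
    return out


def summarize_avsubmit(text):
    """Return the triage-relevant facts of an AVSubmit report, or None for any other event type."""
    fields = parse_wer(text)
    if fields.get("EventType") != "AVSubmit":
        return None
    sigs = signatures(fields)
    sig05 = sigs.get("Problem Signature 05", "")
    sha1 = SHA1_RE.search(sig05)
    event_time = fields.get("EventTime")
    return {
        "report_id": fields.get("ReportIdentifier"),
        "event_time_utc": filetime_to_datetime(event_time).isoformat() if event_time else None,
        "product": sigs.get("Problem Signature 01"),
        # Assumption: signature 02 is the scan engine version, signature 04 the definition version.
        "engine_version": sigs.get("Problem Signature 02"),
        "definition_version": sigs.get("Problem Signature 04"),
        # Signature 05 is "<guid>,<40 hex chars>"; the hex part is assumed to be the sample's SHA-1.
        "sample_id": sig05.split(",")[0] or None,
        "sample_sha1": sha1.group(0).lower() if sha1 else None,
        "os_version": sigs.get("OS Version"),
        "consent": fields.get("Consent"),
    }


if __name__ == "__main__":
    for key, value in summarize_avsubmit(REPORT_WER).items():
        print(f"{key:20} {value}")
```

The extracted hash is the value worth keeping: compare it with a SHA-1 of the file still on disk (or of the copy under Windows Defender\LocalCopy) to confirm the submitted sample is the same binary, and use it for a lookup on VirusTotal so the result survives after the original report page expires, as happened in the post.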