
First off, I'm running MS Intune Endpoint Protection. It is completely up to date.

On 10/25 @ 11:53PM I came across a site that caused Intune to freak out:

Microsoft Antimalware has detected malware or other potentially unwanted software.
 For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win64/Sirefef.B&threatid=2147646729
    Name: Trojan:Win64/Sirefef.B
    ID: 2147646729
    Severity: Severe
    Category: Trojan
    Path: file:_C:\Windows\System32\consrv.dll
    Detection Origin: Local machine
    Detection Type: Concrete
    Detection Source: Real-Time Protection
    User: NT AUTHORITY\SYSTEM
    Process Name: C:\Windows\explorer.exe
    Signature Version: AV: 1.115.526.0, AS: 1.115.526.0, NIS: 10.7.0.0
    Engine Version: AM: 1.1.7801.0, NIS: 2.0.7707.0

I, of course, elected to simply delete the file.

Since then my machine has been randomly giving an error saying "Host Process for Windows Services" has stopped working. There are generally two different pieces of info:

Description
Faulting Application Path:  C:\Windows\System32\svchost.exe

Problem signature
Problem Event Name: BEX64
Application Name:   svchost.exe
Application Version:    6.1.7600.16385
Application Timestamp:  4a5bc3c1
Fault Module Name:  StackHash_52d4
Fault Module Version:   0.0.0.0
Fault Module Timestamp: 00000000
Exception Offset:   000062bdabe00000
Exception Code: c0000005
Exception Data: 0000000000000008
OS Version: 6.1.7601.2.1.0.256.27
Locale ID:  1033
Additional Information 1:   52d4
Additional Information 2:   52d47b8b925663f9d6437d7892cdf21b
Additional Information 3:   ed24
Additional Information 4:   ed24528f3b69e8539b5c5c2158896d3e

and

Description
Faulting Application Path:  C:\Windows\System32\svchost.exe

Problem signature
Problem Event Name: APPCRASH
Application Name:   svchost.exe
Application Version:    6.1.7600.16385
Application Timestamp:  4a5bc3c1
Fault Module Name:  mshtml.dll
Fault Module Version:   9.0.8112.16437
Fault Module Timestamp: 4e5f1784
Exception Code: c0000005
Exception Offset:   00000000002ed3c2
OS Version: 6.1.7601.2.1.0.256.27
Locale ID:  1033
Additional Information 1:   3e9e
Additional Information 2:   3e9e8b83f6a5f2a25451516023078a83
Additional Information 3:   432a
Additional Information 4:   432a0284c502cce3bbb92a3bd555fe65

Intune claims the machine is clean. I've also tried some of the online scanners like Trend Micro, all of which claimed the system is clean.

Finally, I tried the "sfc /scannow" and it said all was good.

I left my machine on after I left last night and there were about 50 of those messages.

Ideas on how to proceed?
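As an added example (not from the original poster or the answerer), here is a PowerShell triage script for the symptoms in the post above: it checks whether the flagged consrv.dll is still in System32 and whether it is signed, reads the Win32 subsystem definition that tells csrss.exe which server DLLs to load at boot (a documented way for a DLL in System32 to run as SYSTEM on every start, whether or not this particular variant used it), pulls the svchost.exe crash events that correspond to the two WER reports shown and groups them by faulting module, and lists any running svchost.exe that currently has mshtml.dll loaded. It assumes Windows 7 x64 (OS version 6.1.7601, as in the crash reports), an elevated PowerShell 2.0 or later, and that a clean Windows 7 machine's ServerDll list contains only basesrv, winsrv and sxssrv; that expected list is an assumption to verify against a known-good box. Because everything runs inside the live OS, a kernel-mode rootkit of the kind the commenter mentions can hide from it, so a clean result means "nothing visible", not "nothing there".

```powershell
# Added triage script; not part of the original question. See the lead-in for
# the assumptions (Windows 7 x64, elevated PowerShell, expected ServerDll list).

$sys32 = Join-Path $env:SystemRoot 'System32'

# --- 1. The file Intune flagged -------------------------------------------
$consrv = Join-Path $sys32 'consrv.dll'
if (Test-Path $consrv) {
    $f = Get-Item $consrv -Force
    Write-Output ("consrv.dll present: {0} bytes, last written {1}" -f $f.Length, $f.LastWriteTime)
    # Genuine Microsoft system DLLs carry a valid Authenticode signature.
    Get-AuthenticodeSignature $consrv |
        Select-Object Status, @{n='Signer'; e={ $_.SignerCertificate.Subject }}
} else {
    Write-Output 'consrv.dll is not present in System32'
}

# --- 2. Which server DLLs csrss.exe is told to load at boot ----------------
# Replacing a ServerDll= entry in this value gets an arbitrary DLL loaded into
# csrss.exe as SYSTEM on every start, so compare it against a stock value.
$subsysKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
$windowsValue = (Get-ItemProperty -Path $subsysKey -Name Windows).Windows
Write-Output "SubSystems\Windows = $windowsValue"
$serverDlls = [regex]::Matches($windowsValue, 'ServerDll=([^:,\s]+)') |
    ForEach-Object { $_.Groups[1].Value }
$expected   = @('basesrv', 'winsrv', 'sxssrv')   # assumption: stock Windows 7 list
$unexpected = $serverDlls | Where-Object { $expected -notcontains $_.ToLower() }
if ($unexpected) {
    Write-Output ("UNEXPECTED ServerDll entries: {0}" -f ($unexpected -join ', '))
} else {
    Write-Output 'ServerDll entries match the expected Windows 7 list'
}

# --- 3. The svchost.exe crashes, from the Application event log ------------
# "Application Error" event 1000 carries the same fields as the WER dialog:
# Properties[0] = faulting app, [3] = faulting module (mshtml.dll or a
# StackHash_xxxx pseudo-module for BEX64), [6] = exception code, [7] = offset.
$filter  = @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000 }
$crashes = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -ieq 'svchost.exe' } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Time   = $_.TimeCreated
            Module = $_.Properties[3].Value
            Code   = $_.Properties[6].Value
            Offset = $_.Properties[7].Value
        }
    }
Write-Output ("svchost.exe crash events found: {0}" -f @($crashes).Count)
$crashes | Group-Object Module | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# --- 4. Is any running svchost.exe hosting mshtml.dll right now? -----------
# mshtml.dll is Internet Explorer's HTML engine; a service host that has it
# loaded needs an explanation (which service, and why it is rendering HTML).
Get-Process svchost | ForEach-Object {
    $p = $_
    try {
        $hasMshtml = $p.Modules | Where-Object { $_.ModuleName -ieq 'mshtml.dll' }
    } catch { $hasMshtml = $null }   # access or 32/64-bit mismatch: skip this one
    if ($hasMshtml) {
        $svcs = (Get-WmiObject Win32_Service -Filter "ProcessId=$($p.Id)" |
                 ForEach-Object { $_.Name }) -join ', '
        Write-Output ("svchost PID {0} has mshtml.dll loaded; services: {1}" -f $p.Id, $svcs)
    }
}
```

Run it from an elevated prompt and keep the output; if section 2 reports an unexpected ServerDll or section 4 names a service hosting mshtml.dll, that is the lead to follow with an offline scan, since cleaning a file that is re-introduced at boot is what produces the "deleted it, still crashing" pattern the post describes.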

  • Did you try a System Restore to a point before the problem started? Have you tried an off-line malware-specific utility like MalwareBytes? How about something that scans for rootkits (outside of your installed copy of Windows)? Sirefef.B is usually installed by Sirefef.A (and not directly by itself). Sirefef.A and .B are both known to have rootkit variants which will hide from your OS and (in turn) your AV installed on that OS. They're also known to inject themselves into svchost.exe. See microsoft.com/security/portal/Threat/Encyclopedia/… Commented Nov 1, 2011 at 19:46
  • @techie007: No, I haven't tried a system restore. I'll look into MalwareBytes to see if that can help.
    – NotMe
    Commented Nov 2, 2011 at 14:51

1 Answer


Been a while on this: it was a virus, and I ended up using a long list of methods to fix it. MalwareBytes helped.
