
Was this a false positive? Or something Serious?


#1 Carbonyl


  • Members
  • 2 posts
  • Local time:12:56 PM

Posted 11 December 2009 - 11:35 AM

Hello. To begin with, here are some details of the system that I'm working with: it's running Windows 7 Professional, protected by NOD32 v4 antivirus, with Windows Defender running in real time. Weekly I scan with Malwarebytes Anti-Malware. I use Opera 10.1 for web browsing, and typically keep JavaScript off. I haven't manually downloaded or installed any software in weeks. Only automatic updates have run for various programs. One of those programs I run is Steam.

Yesterday, when Steam self-updated, something very peculiar happened. While Steam is in the process of patching itself, it spawns a process called SteamServiceTmp.exe. I've seen this happen in the past (I was watching in Process Explorer), so I didn't think much of it at all. However, a popup balloon from Windows Defender cropped up at this point, and said that it wanted to send SteamServiceTmp.exe to Microsoft. I was a little freaked out, because I didn't know what was going on. NOD didn't see anything, and Defender was acting like SteamServiceTmp was a piece of malware. I was in such a panic, I don't remember the exact message, but Defender didn't really say anything explicit. I checked the log files for Defender, and the quarantine, but found nothing there. I was only able to find evidence that anything happened when I checked the System Event Viewer. I included the entry from that below, followed by a hidden log file that I eventually uncovered from this information.

I've been able to dig up no other information on this, despite asking around at several forums (Steam's in particular). It seems like I was the only one who saw this happen, which makes me think it wasn't a false positive at all. If it was, then EVERYONE who runs Steam and Windows Defender (quite a few people!) would have seen this!

A NOD32 scan found nothing, a MalwareBytes AntiMalware scan found nothing, and a Windows Defender scan found nothing. Is there some way I can understand what happened here, and some way to ensure that my system is safe? I'm hesitant to call this a fluke, but I don't know what other actions to take. Any assistance would be appreciated. Thanks!

Here's the Event Viewer Log:
Fault bucket 864089046, type 5
Event Name: AVSubmit
Response: Not available
Cab Id: 0

Problem signature:
P1: Windows Defender
P2: 1.1.5302.0
P3: unspecified
P4: 1.71.700.0
P5: 00175e0c-0000-0000-0000-000000000000,7B6FEFA17A704B6D4A03BFABB1DBC794703D480F

Attached files:
\\?\C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{BF619DBF-AF9E-8823-3E83-12DE9B785E0B}-SteamServiceTmp.exe
C:\Users\{Omitted}\AppData\Local\Temp\MPSampleSubmit\client_manifest.txt

These files may be available here:
C:\Users\{Omitted}\AppData\Local\Microsoft\Windows\WER\ReportArchive\NonCritical_Windows Defender_aaba7e9e24b775a1b21d5c41a485d822c4ec703b_0ac496bf

Analysis symbol: 
Rechecking for solution: 0
Report Id: 78cda38e-e5ff-11de-862f-001fbc01945b
Report Status: 0

Here's the contents of the Report.wer file that was generated:

Sig[0].Name=Problem Signature 01
Sig[0].Value=Windows Defender
Sig[1].Name=Problem Signature 02
Sig[2].Name=Problem Signature 03
Sig[3].Name=Problem Signature 04
Sig[4].Name=Problem Signature 05
Sig[4].Value=00175e0c-0000-0000-0000-000000000000,7B6FEFA17A704B6D4A03BFABB1DBC794703D480F
DynamicSig[1].Name=OS Version
DynamicSig[2].Name=Locale ID
AppName=Windows Defender User Interface
AppPath=C:\Program Files\Windows Defender\MSASCui.exe

EDIT: Just now this happened again, with a different file. This time it was a Flash updater I downloaded directly from Adobe (trying to keep Flash up to date to prevent security flaws, ironically!). It found the uninstall_plugin.exe file the same way it did the SteamServiceTmp.exe file, and submitted it to Microsoft. The exact wording on the balloon message was "Review files that Windows Defender will Send to Microsoft (Important)". It doesn't say "This is a piece of malware" explicitly, but the logs in the Event Viewer call this an "AVsubmission". Additionally, it doesn't say anything other than "We're submitting this". Help?

Edited by Carbonyl, 11 December 2009 - 03:25 PM.
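The two artifacts quoted in the post (the WER "AVSubmit" event text and the Report.wer key=value file) are plain text and can be pulled apart mechanically, which is the first thing to do when deciding whether a sample submission is worth worrying about. The script below is an added example written for this thread; it is not code from BleepingComputer, Microsoft or the poster. It parses both formats, splits the P5 / "Problem Signature 05" field into its GUID and the trailing 40-hex-digit run (assumed here to be a SHA-1 of the submitted file, which is a format check only, not something Defender documents), and compares that digest with a locally hashed copy so the reader can confirm which file was actually sent. All sample text and values in the block are constructed placeholders shaped like the post's logs, not real data.

```python
"""Parse Windows Defender 'AVSubmit' artifacts: the WER event text and Report.wer."""
import hashlib
import re

# Constructed sample shaped like the Event Viewer entry in the post; all values
# (bucket number, GUIDs, paths, digest) are placeholders.  The digest is the
# SHA-1 of an empty file so the comparison below can be checked offline.
EVENT_TEXT = r"""Fault bucket 123456789, type 5
Event Name: AVSubmit
Response: Not available
Cab Id: 0

Problem signature:
P1: Windows Defender
P2: 1.1.5302.0
P3: unspecified
P4: 1.71.700.0
P5: 00000000-0000-0000-0000-000000000000,DA39A3EE5E6B4B0D3255BFEF95601890AFD80709

Attached files:
\\?\C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{EXAMPLE-GUID}-example.exe
C:\Users\example\AppData\Local\Temp\MPSampleSubmit\client_manifest.txt

These files may be available here:
C:\Users\example\AppData\Local\Microsoft\Windows\WER\ReportArchive\NonCritical_Windows Defender_example

Analysis symbol:
Rechecking for solution: 0
Report Id: 00000000-0000-0000-0000-000000000000
Report Status: 0
"""

# Constructed sample shaped like the Report.wer file in the post (placeholders).
WER_TEXT = r"""Sig[0].Name=Problem Signature 01
Sig[0].Value=Windows Defender
Sig[1].Name=Problem Signature 02
Sig[4].Name=Problem Signature 05
Sig[4].Value=00000000-0000-0000-0000-000000000000,DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
DynamicSig[1].Name=OS Version
DynamicSig[1].Value=EXAMPLE-OS-VERSION
AppName=Windows Defender User Interface
AppPath=C:\Program Files\Windows Defender\MSASCui.exe
"""

SHA1_RE = re.compile(r"^[0-9A-Fa-f]{40}$")
LIST_SECTIONS = {
    "Problem signature:": "signature",
    "Attached files:": "attached_files",
    "These files may be available here:": "archive_paths",
}


def parse_avsubmit_event(text):
    """Return the WER event as a dict: top-level 'Key: value' pairs, plus the
    'signature' dict (P1..Pn) and the 'attached_files' / 'archive_paths' lists."""
    result = {"signature": {}, "attached_files": [], "archive_paths": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None  # a blank line closes the current list section
            continue
        if line in LIST_SECTIONS:
            section = LIST_SECTIONS[line]
            continue
        if section == "signature":
            key, _, value = line.partition(": ")
            result["signature"][key] = value
        elif section is not None:
            result[section].append(line)  # paths contain ':' so keep them whole
        else:
            key, sep, value = line.partition(":")
            if sep:
                result[key.strip()] = value.strip()
    return result


def split_threat_signature(p5):
    """Split 'GUID,HEX' into (guid, lowercase hex or None).  Only the format is
    checked; whether Defender really stores a SHA-1 here is an assumption."""
    guid, _, digest = p5.partition(",")
    digest = digest.replace(" ", "")  # copy/paste sometimes breaks the hex run
    return guid, (digest.lower() if SHA1_RE.match(digest) else None)


def matches_local_file(file_bytes, reported_sha1):
    """True when the SHA-1 of a local copy equals the digest from the event."""
    return hashlib.sha1(file_bytes).hexdigest() == reported_sha1


def parse_report_wer(text):
    """Parse Report.wer 'Key=Value' lines; Sig[n]/DynamicSig[n] Name/Value pairs
    are folded into a 'signatures' dict keyed by the signature's Name."""
    out, pairs = {}, {}
    for raw in text.splitlines():
        if "=" not in raw:
            continue
        key, value = raw.strip().split("=", 1)
        m = re.match(r"^((?:Dynamic)?Sig)\[(\d+)\]\.(Name|Value)$", key)
        if m:
            pairs.setdefault(m.group(1) + m.group(2), {})[m.group(3)] = value
        else:
            out[key] = value
    out["signatures"] = {p["Name"]: p.get("Value") for p in pairs.values() if "Name" in p}
    return out


if __name__ == "__main__":
    ev = parse_avsubmit_event(EVENT_TEXT)
    guid, sha1 = split_threat_signature(ev["signature"]["P5"])
    print(ev["Event Name"], "submitted:", ev["attached_files"][0])
    print("threat id:", guid, "digest:", sha1)
    print("local empty file matches digest:", matches_local_file(b"", sha1))
    print(parse_report_wer(WER_TEXT)["signatures"])
```

Run it as a script to see the fields; to check a real event, replace `EVENT_TEXT` with the copied entry and feed the bytes of the file under `LocalCopy` (or the original on disk) to `matches_local_file`. A match tells you which file went to Microsoft; the `client_manifest.txt` under `MPSampleSubmit` lists the same submission from Defender's side.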



#2 xblindx


  • Banned
  • 1,923 posts
  • Gender:Male
  • Local time:01:56 PM

Posted 13 December 2009 - 10:49 AM

Maybe it is something on Windows Defender's end?

#3 Carbonyl

  • Topic Starter

  • Members
  • 2 posts
  • Local time:12:56 PM

Posted 15 December 2009 - 11:05 AM

Maybe it is something on Windows Defender's end?

I've tried to look into it by asking over at the Microsoft answers forum, but I keep getting nonsensical or useless replies. One guy even said "It's a false positive. Heuristics were being overzealous. Should be fixed by now. Oh, and it's definitely a Trojan!" which confused the hell out of me!

The only official reply I got over there was a series of instructions on how to exclude Steam from Defender's scans. But that doesn't explain why Defender is submitting these files. Steam isn't the only program it's grabbing and submitting! It did it to files from Adobe's latest Flash update (which I downloaded DIRECTLY from Adobe's main website! I didn't get tricked!).
