Hi, I use XP SP3 and free Avast antivirus.
I have IIS always running (for development purposes) and I have a file php-cgi.exe that I downloaded recently. While I was visiting a website (not one I can trust), Avast showed a pop-up saying that it was checking a suspicious program php-cgi.exe, and then said it found no problem and the program would start in a moment.
Avast's autosandbox.log says:
Autosandbox candidate: C:\myWork\php-5.3.25-nts-Win32-VC9-x86\php-cgi.exe
[Opened by: C:\\WINDOWS\\system32\\dllhost.exe]
--> Result: Sandboxing (because policy set to Auto).
--> Instrumentation: Instrumentation inside sandbox was not requested
The relevant IIS log, modified (and created?) exactly at that time, has just 0x00's in it, not even the usual textual header, which is "#Software: Microsoft Internet Information Services 5.1"....
I haven't used IIS and localhost (or 127.0.0.1) for many weeks, which is also reflected in the dates of the older IIS logs. In addition, I have never used PHP, though I did download that php-cgi.exe file.
I've been told in a hacker forum that maybe php-cgi simply auto-updated.
I checked the file's MD5 sum and it hasn't changed.
1) Does it get auto-updated? I didn't see any mention of that in php.ini.
2) Why would it run after being auto-updated?
3) Could someone make it run by accessing my IP address?
4) Could anything else make it run?