Hi, I use XP SP3 and free Avast antivirus.
I have IIS always running (for development purposes) and I have a file php-cgi.exe that I downloaded recently. While I was visiting a website (not one I can trust), Avast showed a pop-up saying that it was checking a suspicious program php-cgi.exe, and then said it found no problem and the program would start in a moment.
Avast’s autosandbox.log says:
Autosandbox candidate: C:\myWork\php-5.3.25-nts-Win32-VC9-x86\php-cgi.exe
[Opened by: C:\WINDOWS\system32\dllhost.exe]
--> Result: Sandboxing (because policy set to Auto).
--> Instrumentation: Instrumentation inside sandbox was not requested
The relevant IIS log, modified (and created?) exactly at that time, contains nothing but 0x00 bytes, not even the usual textual header, which is "#Software: Microsoft Internet Information Services 5.1"...
I haven’t used IIS and localhost (or 127.0.0.1) for many weeks, which is also reflected in the dates of the older IIS logs. In addition, I have never used PHP, though I did download that php-cgi.exe file.
I’ve been told in a hacker forum that maybe php-cgi simply auto-updated.
I checked the file’s MD5 sum and it hasn’t changed.
- Does it get auto-updated? I didn’t see any mention of that in php.ini.
- Why would it run after being auto-updated?
- Could someone make it run by accessing my IP address?
- Could anything else make it run?
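The two checks the post describes by hand (is the IIS log really all 0x00 bytes rather than a W3C log with the usual `#Software:` header, and has the binary's hash changed) are simple to script. The following is an added example, not code from the original post or from Avast, IIS or PHP; it classifies a log file's raw bytes and hashes a file with both MD5 and SHA-256 (MD5 collisions are practical, so a SHA-256 baseline is the better reference to keep). The sample log contents and the expected hash are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile

# The header a Microsoft IIS W3C-format log normally starts with
# (the post quotes the IIS 5.1 variant of this line).
IIS_HEADER = b"#Software: Microsoft Internet Information Services"


def classify_log(data: bytes) -> str:
    """Classify raw log bytes.

    Returns one of:
      'empty'       - zero-length file
      'zero-filled' - every byte is 0x00 (what the post describes)
      'w3c'         - starts with the IIS W3C header
      'unknown'     - non-empty, but neither of the above
    """
    if not data:
        return "empty"
    if data.count(0) == len(data):
        return "zero-filled"
    if data.startswith(IIS_HEADER):
        return "w3c"
    return "unknown"


def classify_log_file(path: str) -> str:
    """Read a log file from disk and classify its contents."""
    with open(path, "rb") as f:
        return classify_log(f.read())


def file_digests(path: str) -> dict:
    """Return hex MD5 and SHA-256 of a file, read in chunks."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hash_matches(path: str, expected_sha256: str) -> bool:
    """Compare the file's SHA-256 against a previously recorded value."""
    actual = file_digests(path)["sha256"]
    return hmac.compare_digest(actual, expected_sha256.lower())


if __name__ == "__main__":
    # Constructed sample data: a normal IIS 5.1 log, and one that is all NULs.
    good_log = (b"#Software: Microsoft Internet Information Services 5.1\r\n"
                b"#Version: 1.0\r\n"
                b"#Date: 2013-06-01 10:00:00\r\n"
                b"#Fields: date time c-ip cs-method cs-uri-stem sc-status\r\n"
                b"2013-06-01 10:00:00 127.0.0.1 GET /index.htm 200\r\n")
    bad_log = b"\x00" * 4096

    with tempfile.TemporaryDirectory() as d:
        for name, content in (("ex130601_ok.log", good_log),
                              ("ex130601_bad.log", bad_log)):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(content)
            print(name, "->", classify_log_file(p))

        # Hypothetical binary stand-in; the expected value is what you would
        # have recorded when the file was first downloaded.
        exe = os.path.join(d, "php-cgi.exe")
        with open(exe, "wb") as f:
            f.write(b"abc")
        print(file_digests(exe))
        print("unchanged:", hash_matches(exe, "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"))
```

One caveat when reading the result: a log that is entirely 0x00 bytes is also what NTFS leaves behind when a file's size was extended but the new data never reached disk before an unclean shutdown, so a zero-filled log on its own is evidence that something wrote to it at that moment, not proof that it was deliberately wiped. An unchanged hash likewise only tells you the file on disk is the one you downloaded; it says nothing about what made dllhost.exe launch it.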