Author Topic: Can a virus make dllhost.exe call php-cgi.exe?  (Read 1725 times)

mark.black2

  • Guest
Can a virus make dllhost.exe call php-cgi.exe?
« on: October 30, 2013, 02:27:48 AM »
Hi, I use XP SP3 and free Avast antivirus.
I have IIS always running (for development purposes) and I have a file php-cgi.exe that I downloaded recently. While I was visiting a website (not one I can trust), Avast showed a pop-up saying that it was checking a suspicious program php-cgi.exe, and then said it found no problem and the program would start in a moment.

autosandbox.log says:
Autosandbox candidate: C:\myWork\php-5.3.25-nts-Win32-VC9-x86\php-cgi.exe
   [Source: http://windows.php.net/downloads/releases/php-5.3.25-nts-Win32-VC9-x86.zip]
   [Opened by: C:\WINDOWS\system32\dllhost.exe]
   [Reason: 0x00020000]
    --> Result: Sandboxing (because policy set to Auto).
    --> Instrumentation: Instrumentation inside sandbox was not requested

The relevant IIS log, modified (and created?) exactly at that time, has just 0x00's in it, not even the usual textual header, which is "#Software: Microsoft Internet Information Services 5.1"....

I haven't used IIS and localhost (or 127.0.0.1) for many weeks, which is also reflected in the dates of the older IIS logs. In addition, I have never used PHP, though I did download that php-cgi.exe file.

So, is it possible that some malicious web page script tried to make my IIS run a PHP script?
And if so, can I be sure there's no harm done, thanks to Avast sandboxing it?

P.S.: I'm using the same computer with Linux for now, until things get clearer, so checking the running processes or anything like that is irrelevant.

Thank you!
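
Added example, not part of the original post: a small Python parser for autosandbox.log records in the format quoted above, which lists the process that opened each candidate and flags openers outside an assumed set of interactive shells. The second sample record, the `INTERACTIVE_PARENTS` set and the function names are constructed for illustration.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Constructed sample: record 1 copies the entry quoted in the post,
# record 2 is invented for contrast (hypothetical path and URL).
SAMPLE_LOG = r"""Autosandbox candidate: C:\myWork\php-5.3.25-nts-Win32-VC9-x86\php-cgi.exe
   [Source: http://windows.php.net/downloads/releases/php-5.3.25-nts-Win32-VC9-x86.zip]
   [Opened by: C:\WINDOWS\system32\dllhost.exe]
   [Reason: 0x00020000]
    --> Result: Sandboxing (because policy set to Auto).
    --> Instrumentation: Instrumentation inside sandbox was not requested
Autosandbox candidate: C:\Tools\example-setup.exe
   [Source: http://example.invalid/example-setup.exe]
   [Opened by: C:\WINDOWS\explorer.exe]
    --> Result: Sandboxing (because policy set to Auto).
"""

# Assumption: processes from which a user starts programs by hand.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe"}

HEADER = re.compile(r"^Autosandbox candidate:\s*(?P<path>.+?)\s*$")
FIELD = re.compile(r"^\s*\[(?P<key>[^:\]]+):\s*(?P<value>.*)\]\s*$")
RESULT = re.compile(r"^\s*-->\s*(?P<key>[^:]+):\s*(?P<value>.*?)\s*$")

def parse_records(text):
    """Split the log into one dict per 'Autosandbox candidate' record."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"candidate": m.group("path")}
            records.append(current)
            continue
        m = FIELD.match(line) or RESULT.match(line)
        if current is not None and m:
            current[m.group("key").strip().lower()] = m.group("value").strip()
    return records

def non_interactive_launches(records):
    """Return (program, opener, source) for openers not in INTERACTIVE_PARENTS."""
    flagged = []
    for rec in records:
        opener = basename(rec.get("opened by", "")).lower()
        if opener and opener not in INTERACTIVE_PARENTS:
            flagged.append((basename(rec["candidate"]), opener, rec.get("source", "")))
    return flagged

if __name__ == "__main__":
    for program, opener, source in non_interactive_launches(parse_records(SAMPLE_LOG)):
        print(f"{program} was opened by {opener} (downloaded from {source})")
```

A flagged record only says the program was not started by hand from the listed shells; the opener still has to be matched against what is installed on the machine, such as a web server configured to run CGI programs.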