Windows Defender and SteamServiceTmp.exe

Discussion in 'other anti-malware software' started by Carbonyl, Dec 10, 2009.

Thread Status:
Not open for further replies.
  1. Carbonyl

    Carbonyl Registered Member

    May 19, 2009
    To begin with, I run Windows 7 Professional. I keep it patched up to date. I also run ESET NOD32 v4, and Windows Defender is on by default. Malwarebytes AntiMalware is run once a week on-demand.

    Today I launched Steam, connected, and found there was a patch. I downloaded the patch and let it install. After it installed, I reconnected to steam, and suddenly Windows Defender popped up.

    The popup balloon said it wanted to submit malware samples. It said it flagged SteamServiceTmp.exe, and that it wanted to submit the file to Microsoft. I don't know if this means there was a virus in the file or some other malware. I think that's unlikely, considering it came directly from Valve (That's the file that launches to patch the Steam Service), but I'm not sure what that means. I can't find any record of the file being detected in the Windows Defender History, at all. Does this mean I have a virus? What is this all about?

    All I can find is this information from the Event Viewer:

    Fault bucket 864089046, type 5
    Event Name: AVSubmit
    Response: Not available
    Cab Id: 0
    Problem signature:
    P1: Windows Defender
    P2: 1.1.5302.0
    P3: unspecified
    P4: 1.71.700.0
    P5: 00175e0c-0000-0000-0000-000000000000,7B6FEFA17A704B6D4A03BFABB1DBC794703D4 80F
    Attached files:
    \\?\C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{BF619DBF-AF9E-8823-3E83-12DE9B785E0B}-SteamServiceTmp.exe
    C:\Users\{Omitted}\AppData\Local\Temp\MPSampleSubm it\client_manifest.txt
    These files may be available here:
    C:\Users\{Omitted}\AppData\Local\Microsoft\Windows \WER\ReportArchive\NonCritical_Windows Defender_aaba7e9e24b775a1b21d5c41a485d822c4ec703b_ 0ac496bf
    Analysis symbol: 
    Rechecking for solution: 0
    Report Id: 78cda38e-e5ff-11de-862f-001fbc01945b
    Report Status: 0
    Upon review, here's the contents of the Report.wer file generated

    Sig[0].Name=Problem Signature 01
    Sig[0].Value=Windows Defender
    Sig[1].Name=Problem Signature 02
    Sig[2].Name=Problem Signature 03
    Sig[3].Name=Problem Signature 04
    Sig[4].Name=Problem Signature 05
    Sig[4].Value=00175e0c-0000-0000-0000-000000000000,7B6FEFA17A704B6D4A03BFABB1DBC794703D4 80F
    DynamicSig[1].Name=OS Version
    DynamicSig[2].Name=Locale ID
    AppName=Windows Defender User Interface
    AppPath=C:\Program Files\Windows Defender\MSASCui.exe
    Both Virustotal and Jotti's Malware scan have returned SteamServiceTmp.exe as being mostly clean. Every one of the modules, except Panda, detect nothing. On the other hand, Panda detects W32/Xor-encoded.A in the file.

    I would imagine that if this were actually a false positive, though, that MANY more people would be experiencing this issue. I think two is a small number given the vast crowds running Steam and MSE/Defender.

    Does this look like a legit file wrongly tagged, or an actual infection to be worried over?
  2. Saraceno

    Saraceno Registered Member

    Mar 24, 2008
    From my dealing with the steam program and its games, it should be clean as a whistle.

    Other game program platforms I'd be worried of, but not steam (valve corporation). They hold over 20 million accounts. You can read about how their servers work

    In the link above, it states steam will automatically patch a game, otherwise the game will not be able to launch.

    I wouldn't worry at all. I've noticed the steam service to change, be updated, apply patches, if the game I'm playing requires updated drivers and so on. I trust it, as the servers I regularly connect to are run by a very reputable ISP here, on behalf of steam.

    See prevx analysis of the file: "safe" :)

    Also see steam board when member asks why AV gave warning on the gameoverlayUI.exe process:
    Last edited: Dec 11, 2009
  3. Ibrad

    Ibrad Registered Member

    Dec 8, 2009
    It sounds like Windows Defender found something it thought was suspicious in the SteamServiceTemp.exe and sent to file to be examined at Microsoft Malware Labs. It does not mean that the file is infected, Microsoft just wanted more data on the file.
  4. Carbonyl

    Carbonyl Registered Member

    May 19, 2009
    Thanks, guys. That sets my mind at ease! Windows Defender just did the same thing to me again a few hours ago - Only this time it was with the latest version of Flash I downloaded from Adobe. Apparently Defender didn't like the uninstall_plugin.exe file, and wanted to submit it. This time I got a better look at the dialog before I panicked, though, and it looks like it's exactly as you explain it Ibrad. I assume they're just gathering data.

    Thanks again for the helpful links and info!
  5. Saraceno

    Saraceno Registered Member

    Mar 24, 2008
    I didn't mind using windows defender, but I found at the time, it kept identifying my wireless modem as 'changing' and needed the file to be submitted. I excluded the file from being scanned, but WD continued to notify me each time I connected/disconnected.

    It may have improved since then, but if you're after a program to check for autoruns, I'd go for something like a-squared's hijackfree and check for what's running manually, or something simple like winpatrol which will check for changes in a similar way as windows defender does. You could download and use both instead (both are free - hijackfree is manually started, winpatrol runs in the background).
  6. funkydude

    funkydude Registered Member

    Apr 5, 2004
    To explain this, it is not a file infection warning, it was a file suspicious warning.

    MSE did something similar, except that it came with a popup "This file is suspicious please send it to Microsoft for inspection" and you just click send, that was it.

    It means the file triggered off some heuristic points but not enough to classify it as a threat.

    I believe this has already been fixed, probably from the millions of users that would have submitted the same file.
Thread Status:
Not open for further replies.