Error code 0x80508023. The program could not find the malware and other potentially unwanted software on this computer.

Happens on a Windows Server 2012 with IIS 8 and 5.3 installed. Any clue whether it was actually detected and removed? Or did it disappear before Security Essentials did anything to it?

Below appears on the Security Essentials History.

The following error occurred: Error code 0x80508023. The program could not find the malware and other potentially unwanted software on this computer. 

Category: Backdoor

Description: This program provides remote access to the computer it is installed on.

Recommended action: Remove this software immediately.

Items: 
containerfile:C:\Windows\Temp\php80BE.tmp
file:C:\Windows\Temp\php80BE.tmp->[PHP]

While in the event log I got the below.

1. Warning

Microsoft Antimalware has detected malware or other potentially unwanted software.
 For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=Backdoor:PHP/SimpleShell.A&threatid=2147684280
Name: Backdoor:PHP/SimpleShell.A
ID: 2147684280
Severity: Severe
Category: Backdoor
Path: file:_C:\Windows\Temp\php80BE.tmp->[PHP]
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
User: **************
Process Name: C:\PHP\default\php-cgi.exe
Signature Version: AV: 1.173.1228.0, AS: 1.173.1228.0, NIS: 111.6.0.0
Engine Version: AM: 1.1.10502.0, NIS: 2.1.10502.0

2. Warning

Microsoft Antimalware has detected malware or other potentially unwanted software.
 For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=Backdoor:PHP/SimpleShell.A&threatid=2147684280
Name: Backdoor:PHP/SimpleShell.A
ID: 2147684280
Severity: Severe
Category: Backdoor
Path: containerfile:_C:\Windows\Temp\php80BE.tmp;file:_C:\Windows\Temp\php80BE.tmp->[PHP]
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
User: *****************
Process Name: C:\PHP\default\php-cgi.exe
Signature Version: AV: 1.173.1228.0, AS: 1.173.1228.0, NIS: 111.6.0.0
Engine Version: AM: 1.1.10502.0, NIS: 2.1.10502.0

3. Information

Microsoft Antimalware has taken action to protect this machine from malware or other potentially unwanted software.
 For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=Backdoor:PHP/SimpleShell.A&threatid=2147684280
Name: Backdoor:PHP/SimpleShell.A
ID: 2147684280
Severity: Severe
Category: Backdoor
Path: containerfile:_C:\Windows\Temp\php80BE.tmp;file:_C:\Windows\Temp\php80BE.tmp->[PHP]
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
User: NT AUTHORITY\SYSTEM
Process Name: C:\PHP\default\php-cgi.exe
Action: Quarantine
Action Status:  No additional actions required
Error Code: 0x80508023
Error description: The program could not find the malware and other potentially unwanted software on this computer. 
Signature Version: AV: 1.173.1228.0, AS: 1.173.1228.0, NIS: 111.6.0.0
Engine Version: AM: 1.1.10502.0, NIS: 2.1.10502.0

Last updated September 4, 2019 Views 3,673 Applies to:

Answer

The threat might be actually present. The files you mentioned (phpxxxx.tmp) are the files used by PHP while executing PHP scripts. The threat detected is a shell script and is used in illegal activities like hacking. You should check your IIS server for any PHP shell scripts and remove them. They pose a security vulnerability. If the shell script was not added by you, then chances are someone else uploaded it and your server was compromised; you need to check that and patch the hole (validate file uploads properly).

About the 0x80508023 error: as Stephen Boots said, this error is shown when the file was deleted or removed before action could be taken against it. Maybe the script finished executing before any action by MSE.

You should also get a compatible antivirus for your server; MSE is not supported for any server version. This page can help in securing your Windows Server:

http://technet.microsoft.com/library/hh831360

Note: We do not provide support for Windows Server here; it's in the TechNet forums.

Prashant Kumar

Please come back with the results.
Please mark replies as helpful/answer if they are.

1 person was helped by this reply
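A triage sketch for the "action taken" event quoted in the question, added here as an example (it is not from the original thread or from any Microsoft tool). It parses the event text, pulls the file out of the `containerfile:`/`file:` path field, and checks the three things the answer turns on: the file is a `php*.tmp` temp file, it was written by the PHP worker, and the quarantine ended with 0x80508023. The function names and the heuristic that such a temp file holds request data (for example an upload) are assumptions of this example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: fields copied from the third event in the question.
SAMPLE_EVENT = r"""
Name: Backdoor:PHP/SimpleShell.A
Severity: Severe
Path: containerfile:_C:\Windows\Temp\php80BE.tmp;file:_C:\Windows\Temp\php80BE.tmp->[PHP]
Process Name: C:\PHP\default\php-cgi.exe
Action: Quarantine
Error Code: 0x80508023
"""

NOT_FOUND = "0x80508023"  # per the answer: item was already gone when the action ran
PHP_WORKERS = {"php-cgi.exe", "php.exe"}  # assumption: names of the PHP worker binaries

def parse_event(text):
    """Turn the 'Key: value' lines of an antimalware event message into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields

def detected_files(path_field):
    """Extract plain file paths from a 'containerfile:_X;file:_X->[PHP]' field."""
    paths = set()
    for item in path_field.split(";"):
        m = re.match(r"(?:containerfile|file):_?(.+?)(?:->.*)?$", item.strip())
        if m:
            paths.add(m.group(1))
    return sorted(paths)

def triage(text):
    ev = parse_event(text)
    files = detected_files(ev.get("Path", ""))
    writer = PureWindowsPath(ev.get("Process Name", "")).name.lower()
    # Assumption: php<hex>.tmp is a temp file PHP created for incoming request data.
    temp = [f for f in files
            if re.fullmatch(r"php[0-9A-Fa-f]+\.tmp", PureWindowsPath(f).name)]
    return {
        "threat": ev.get("Name"),
        "files": files,
        "via_php_worker": writer in PHP_WORKERS,
        "php_temp_file": bool(temp),
        "gone_before_action": ev.get("Error Code", "").lower() == NOT_FOUND,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_EVENT))
```

When all three flags are true, the detection fired on data passing through PHP rather than on a script stored in the site, so the follow-up is the one the answer gives: check the site for shell scripts that did land and review how uploads are validated.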