kyler211

My anti-virus (Trend Micro Titanium) has been blocking a process called "appsvc.exe", saying it is a "TROJ_HIDEFIL.BMC".
I have located it but I cannot delete it; it says that I need permission from my user to delete it. I am currently logged on as my user but I am still unable to delete it, with the same error message. I have also tried to use the hidden administrator account using "net user administrator /active:yes", but that account also needs permission from my user.
It constantly tries to open every 5 seconds and I cannot stop it. I can end its process from Task Manager but it still continues to try starting itself up again. Please help.

OK, I managed to fit it in. I'm scanning it now; I'll leave it overnight since it looks like it's going to take a while.

I have no idea how to get the log; the export-log thing just sends some stuff to my email, which is not the log, so I just took a picture of the scan.
Link Removed

@kyler211, I encountered the same problem as you. I couldn't install any antivirus on my computer (yes, any antivirus); Malwarebytes had the same problem as you. I fixed it by running the program Windows Repair All in One (tweaking.com), letting it repair and restart the PC. Then I could run Malwarebytes (still can't install any antivirus), and Malwarebytes reported appsvc.exe as malware, quarantined it, and everything went back to normal.

Solution

This thread goes back a few weeks and has morphed into tangential problems. Let me go back to the original issue and raise the question of whether there is an actual problem. The original issue was that Trend Micro identified appsvc.exe as a trojan.

First question: could appsvc.exe be a legit program on this computer? If it is supposed to be there, it would have come pre-installed as part of Lenovo ReadyComm 5. These links describe what it is, where it should be on the computer, what other files you should find with it, etc.: http://www.shouldiremoveit.com/lenovo-readycomm-5-13720-program.aspx and, more comprehensively for appsvc.exe specifically: http://processchecker.com/file/AppSvc.exe.html
If ReadyComm is not installed, then appsvc.exe is a trojan that shouldn't be there.

If ReadyComm is installed, the next question is: is the appsvc.exe that you're seeing the real thing or an imposter? It could be the real thing, it could be a trojan replacement, or both could be on the computer.

  • Trend Micro may be flagging a legit program as malware. False positives are not uncommon; legit software can use some of the same programming tricks that are exploited by malware and the program gets flagged. The Trend Micro page for the trojan it claims to find identifies a specific file, doekeu.exe, that is supposed to be the issue. The only reference I can find to that file is from Trend Micro, so it is not clear whether that is a known malware file or legit software that Lenovo uses as part of ReadyComm. You could look to see if that file is actually on your computer and check with Lenovo as to whether it is part of their package.
  • Trend Micro could have found a real trojan, deleted or quarantined it, and what you are seeing now could be the real thing.
Use Task Manager to identify the appsvc.exe that is running. Is it in the right directory, the right version number, size, etc. to be the real thing? If so, you may be chasing a false positive or a ghost that Trend Micro already fixed. If not, the one that is running is a trojan.

Third question: should you delete it? If you are not comfortable that you have ruled out an active trojan, should you just delete the program and be done with it? ReadyComm looks like it serves a useful but not critical function. If you did delete it, your computer would continue to work, but you would lose a resource that helps configure and manage network connectivity. I would still follow patcooke's advice of renaming rather than deleting. If you have established that appsvc.exe is actually a trojan, it may not be critical to remove it. Trend Micro rates it low for risk and potential damage, so if you are unable to remove it, it probably would not be catastrophic.


Fourth question: how to remove it if you have determined that you should? Things that are really a threat are normally deleted or quarantined automatically. Things that are not a serious threat and/or could be a false positive are sometimes flagged for your approval to quarantine. Trend Micro should at least offer the option to handle the trojan. If not, there are several ways to proceed.

This thread went off on a tangent regarding problems trying to load mbam. That's another issue. In terms of this trojan warning, there is no guarantee that another AV would recognize this trojan or consider it a threat. If it did, that would be a simple solution (assuming you solve the mbam problem). If it didn't, you wouldn't know whether Trend Micro was a better AV program or this trojan is really a non-issue.

There would be several ways to disable the trojan manually. As mentioned, renaming appsvc.exe is one. Another would be to rename or delete doekeu.exe if you have determined that it should not be there. This link provides the location: Link Removed

The ReadyComm link in the second paragraph shows where the hooks are that load appsvc at startup. The link in the previous paragraph shows where the registry entries are for doekeu.exe.
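A triage script for this thread (an added example, not code from the post or from Lenovo/Trend Micro) that does the checks the post describes and also shows what keeps relaunching the process in the original question: for each running appsvc.exe it reports the load path, parent process, file attributes, size, version info, signature status and file owner, then lists the Run keys, services and scheduled tasks that reference it. It assumes only the process name and the standard Run-key locations; compare the reported path, version and size against the ReadyComm information linked above.

```powershell
# Added example, not code from the thread. Assumes only the process name the
# posts discuss and the standard Windows Run keys; the genuine ReadyComm
# path, version and size are NOT assumed here: compare the output against
# the ReadyComm/processchecker pages linked in the post.
$Name = 'appsvc.exe'
$Pattern = [regex]::Escape($Name)

# 1. Running instances: load path, parent process (what relaunches it),
#    attributes (hidden/system), size, version info, signature and owner.
Get-CimInstance Win32_Process -Filter "Name = '$Name'" | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    $info = [ordered]@{
        Pid    = $_.ProcessId
        Path   = $_.ExecutablePath
        Parent = if ($parent) { "$($parent.Name) (PID $($parent.ProcessId))" } else { 'exited' }
    }
    if ($_.ExecutablePath -and (Test-Path -LiteralPath $_.ExecutablePath)) {
        $file = Get-Item -LiteralPath $_.ExecutablePath -Force   # -Force shows hidden files
        $info.Attributes = $file.Attributes
        $info.Size       = $file.Length
        $info.Version    = $file.VersionInfo.FileVersion
        $info.Company    = $file.VersionInfo.CompanyName
        $info.Signature  = (Get-AuthenticodeSignature -LiteralPath $file.FullName).Status
        $info.Owner      = (Get-Acl -LiteralPath $file.FullName).Owner
    }
    [pscustomobject]$info
} | Format-List

# 2. Startup hooks that reference the file: Run keys, services, scheduled tasks.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match $Pattern } |
        ForEach-Object { "Run key: $key\$($_.Name) = $($_.Value)" }
}
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match $Pattern } |
    ForEach-Object { "Service: $($_.Name) [$($_.StartMode)/$($_.State)] $($_.PathName)" }
schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv |
    Where-Object { $_.'Task To Run' -match $Pattern } |
    ForEach-Object { "Task: $($_.TaskName) -> $($_.'Task To Run')" }
```

Run it from an elevated PowerShell so the service and HKLM queries succeed; a parent that is not a known ReadyComm component, or a service or Run entry pointing at a directory other than the one the linked pages give, is what to investigate next.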