Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: speedlever on April 12, 2008, 03:43:49 PM

Title: Avast 4.8 and rootkit alert
Post by: speedlever on April 12, 2008, 03:43:49 PM
I just updated my flash player to the latest version (9.0.124.0) and on reboot of my XP/pro.sp2 laptop, got an Avast alert of a rootkit in procexp111.sys (part of Process Explorer). I run Process Explorer 11.11 (and just discovered that 11.12 is the latest version).

Any chance this is a false positive?

Title: Re: Avast 4.8 and rootkit alert
Post by: alanrf on April 12, 2008, 04:14:55 PM
I have Process Explorer 11.11 on my system but there is no file on my system called procexp111.sys and it does not exist in the zip file that I downloaded as the Process Explorer 11.11 download from Sysinternals.
Title: Re: Avast 4.8 and rootkit alert
Post by: speedlever on April 12, 2008, 04:28:08 PM
I had avast do a boot scan after reboot and it came up with this result:
File C:\windows\system32\chcfg.exe is infected by win32:rootkit-gen [RtK]

I have a choice of delete, move, repair, ignore. Between delete and repair, I'm thinking delete.

Any suggestions? Will it eliminate a rootkit?

(no mention was made of procexp111.sys)



Title: Re: Avast 4.8 and rootkit alert
Post by: alanrf on April 12, 2008, 04:37:17 PM
As is often said here ... first do no harm.

If the choice is offered to move it to the virus chest then do so.  It will be unable to do any more harm if moved to the chest and you will then have time to consider it before any final deletion.
Title: Re: Avast 4.8 and rootkit alert
Post by: speedlever on April 12, 2008, 05:11:14 PM
Thanks... off to the chest it goes. Scanning is resuming...
Title: Re: Avast 4.8 and rootkit alert
Post by: DavidR on April 12, 2008, 06:01:36 PM
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/) and report the findings of these files here. This can't be uploaded to VT whilst it is in the chest so it needs to be exported (right click on the file in the Infected Files section of the chest) to a temporary location and avast is likely to alert again when you do that, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\*. That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
Title: Re: Avast 4.8 and rootkit alert
Post by: speedlever on April 12, 2008, 06:30:41 PM
Thanks for those tips David. I just learned of that site and would not have known how to extract the file(s) in question in order to submit.


Title: Re: Avast 4.8 and rootkit alert
Post by: speedlever on April 12, 2008, 06:32:52 PM
I have Process Explorer 11.11 on my system but there is no file on my system called procexp111.sys and it does not exist in the zip file that I downloaded as the Process Explorer 11.11 download from Sysinternals.

I believe you should have this file. The kernel mode driver is named procexp111.sys.

See here (http://tinyurl.com/5hecks) for more information.

Title: Re: Avast 4.8 and rootkit alert
Post by: alanrf on April 12, 2008, 06:44:50 PM
I had already seen that information - I am puzzled by it.

Take a look at the zip file from Sysinternals download. 

I have the file I downloaded for 11.11 and the file for 11.12 ... both just contain the procexp.exe file.

I simply run procexp.exe and there is no sys file for process explorer present on my system. 

Title: Re: Avast 4.8 and rootkit alert
Post by: DavidR on April 12, 2008, 07:49:34 PM
Mine is only version 11.1, tardy on the updates, and that file isn't in my system32 folder.

OK, downloaded the 11.12 zip file and, as Alan said, no procexp111.sys in that zip either, just procexp.exe, procexp.chm and Eula.txt. As this is a stand-alone application I don't see how it would place a file in the system32 folder.
Title: Re: Avast 4.8 and rootkit alert
Post by: psw on April 12, 2008, 08:43:06 PM
The driver is contained within the exe as a resource. It can be found by a manual scan of the file. So it is rather common practice now; many progs use it (filemon, regmon etc.)
Title: Re: Avast 4.8 and rootkit alert
Post by: psw on April 12, 2008, 08:55:38 PM
I have the following question about the rootkit search at the system start: is there some table of legit processes, or is any hidden process treated as a rootkit?
Today I obtained an info message about a rootkit found due to the hidden process markfun.w32.
Obviously it is a false positive because this is a quite legit process from Gigabyte EasyTune5 (I have ETCall in my startup).

BTW, I cannot find any log record about this found "rootkit".
Title: Re: Avast 4.8 and rootkit alert
Post by: DavidR on April 12, 2008, 10:17:22 PM
If there is no log viewer entry then I would say that is a failing as it really should create an entry.

The driver is contained within the exe as a resource. It can be found by a manual scan of the file. So it is rather common practice now; many progs use it (filemon, regmon etc.)

It may well be a common practice for the driver to be within the exe, but if so it isn't being extracted to the system32 folder on my system. Just ran 11.12 and a search of windows and sub folders reveals no procexp*.sys; even procexp*.* reveals no file.
Title: Re: Avast 4.8 and rootkit alert
Post by: psw on April 12, 2008, 10:29:48 PM
The driver is contained within the exe as a resource. It can be found by a manual scan of the file. So it is rather common practice now; many progs use it (filemon, regmon etc.)

It may well be a common practice for the driver to be within the exe, but if so it isn't being extracted to the system32 folder on my system. Just ran 11.12 and a search of windows and sub folders reveals no procexp*.sys; even procexp*.* reveals no file.

It is hidden (or possibly was deleted after being loaded successfully). I have an old version of Process Explorer which uses the older driver procexp100.sys. When Process Explorer is running I cannot find this driver in system32\drivers, but RootkitUnhooker claims that driver H:\Windows\System32\drivers\PROCEXP100.SYS is loaded at address 0xBA622000 with size 8192.

P.S. IceSword doesn't find this driver on the disk, so it may really have been deleted. Probably we can use FileMon to detect creation/deletion of this driver.
Title: Re: Avast 4.8 and rootkit alert
Post by: DavidR on April 12, 2008, 11:02:22 PM
Very Interesting.

What I can't understand is why others who might be using procexp aren't having any detection, and, if your supposition of it being deleted after loading holds, it would seem to be both hanging around on speedlever's system for it to be there on boot and, if hidden, avast's standard shield boot-time scan is seeing it (which is a good thing, though not if it is a possible FP).

Also it would appear that this might have been detected by the standard shield, given the choices speedlever gave in his reply #2.
Title: Re: Avast 4.8 and rootkit alert
Post by: alanrf on April 12, 2008, 11:44:30 PM
My system logs do indeed show that the driver is created and then (after the display information is obtained) the driver is immediately deleted.  Leaving just the main process running.  The driver loading is also recorded in the boot log (ntbtlog).
Title: Re: Avast 4.8 and rootkit alert
Post by: DavidR on April 13, 2008, 12:40:56 AM
That is fine, but it seems strange that it would be around at boot to be caught by avast, unless speedlever has procexp.exe run on boot. But equally, why is it caught by avast yet yours isn't? Definitely strange.
Title: Re: Avast 4.8 and rootkit alert
Post by: speedlever on April 13, 2008, 12:50:07 AM
For the record, I do not have PE run at boot. I have a shortcut to it on my quick launch bar only.

Title: Re: Avast 4.8 and rootkit alert
Post by: speedlever on April 13, 2008, 12:54:10 AM
Check this sysinternals thread (http://tinyurl.com/5rska6) for more info about this issue.

Title: Re: Avast 4.8 and rootkit alert
Post by: DavidR on April 13, 2008, 01:16:40 AM
Thanks for taking the time to post on the Sysinternals Forums, good to get it direct from the source.
Title: Re: Avast 4.8 and rootkit alert
Post by: psw on April 13, 2008, 07:38:32 AM
So the Avast logic is clear. The rootkit scan is launched 120 sec after system load. If a) for any loaded driver the driver file is deleted during the rootkit scan (procexpXXX.sys), or b) the driver's process is terminated during the scan (Gigabyte markfun.w32), then these drivers meet the 'hidden' criteria (file invisible - 'hidden', or process invisible - 'hidden').
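As an added example (not code from this thread, from Avast or from Sysinternals), the following Python script applies the "loaded driver with no file on disk" heuristic described in the last post to a constructed loaded-driver report written in the format RootkitUnhooker printed earlier in the thread, and downgrades the two drop-and-delete drivers this thread identifies (Process Explorer's procexpXXX.sys, EasyTune's markfun.w32) to "transient" for triage instead of quarantine. The report lines, the on-disk view and the KNOWN_TRANSIENT name patterns are all constructed for the example.

```python
import re

# Matches the loaded-driver line quoted from RootkitUnhooker earlier in the thread:
# "driver H:\Windows\System32\drivers\PROCEXP100.SYS is loaded at address 0xBA622000 with size 8192"
LOADED_RE = re.compile(
    r"driver\s+(?P<path>\S+)\s+is loaded at address\s+(?P<addr>0x[0-9A-Fa-f]+)"
    r"\s+with size\s+(?P<size>\d+)",
    re.IGNORECASE,
)

# Drivers this thread identifies as legitimately absent on disk while loaded (Process
# Explorer deletes its extracted driver; EasyTune's process exits). Patterns are assumed.
KNOWN_TRANSIENT = (r"procexp\d*\.sys", r"markfun\.w32")

def parse_loaded_drivers(report):
    """Return {path: (base_address, size)} for each loaded-driver line."""
    drivers = {}
    for line in report.splitlines():
        m = LOADED_RE.search(line)
        if m:
            drivers[m.group("path")] = (int(m.group("addr"), 16), int(m.group("size")))
    return drivers

def classify(loaded, exists):
    """Heuristic from the last post: a loaded driver whose file cannot be found is
    'hidden'. Known drop-and-delete drivers become 'transient' so an analyst
    triages them (check publisher and hash) instead of quarantining them."""
    verdicts = {}
    for path in loaded:
        name = path.rsplit("\\", 1)[-1]
        if exists(path):
            verdicts[path] = "visible"
        elif any(re.fullmatch(p, name, re.IGNORECASE) for p in KNOWN_TRANSIENT):
            verdicts[path] = "transient"
        else:
            verdicts[path] = "hidden"
    return verdicts

# Constructed sample report and on-disk view (not real scanner output).
SAMPLE_REPORT = """\
driver H:\\Windows\\System32\\drivers\\tcpip.sys is loaded at address 0xB9C00000 with size 360448
driver H:\\Windows\\System32\\drivers\\PROCEXP100.SYS is loaded at address 0xBA622000 with size 8192
driver H:\\Windows\\System32\\drivers\\unknown.sys is loaded at address 0xBA700000 with size 4096
"""
SAMPLE_DISK = {r"h:\windows\system32\drivers\tcpip.sys"}  # only tcpip.sys is present

def demo():
    """Run the heuristic over the constructed snapshot (use os.path.exists on a live box)."""
    return classify(parse_loaded_drivers(SAMPLE_REPORT), lambda p: p.lower() in SAMPLE_DISK)
```

Calling `demo()` returns "visible" for tcpip.sys, "transient" for PROCEXP100.SYS and "hidden" for the constructed unknown.sys, which is the one entry that would still warrant the chest.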