Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Rick F on December 13, 2008, 04:35:05 PM

Title: Root kit says 'Process.exe' suspicious
Post by: Rick F on December 13, 2008, 04:35:05 PM
Hi guys,

I hope this is a false positive.  During a Rootkit scan (about 8 minutes after I booted my PC this morning) avast says that 'Process.exe' is believed to be infected. 

File name: C:\Windows\System32\Process.exe
Type: Rootkit hidden process

Means of detection was 'rootkit scan' using heuristic method. The recommended action was to 'Ignore'.  I clicked 'ignore', left a box checked to 'submit to Alwil team for analysis' (not sure this actually occurred), then did the recommended 'Boot time scan'.  After about 20 or 30 minutes, Boot scan says nothing found. (aswboot.txt below)

Quote
12/13/2008 09:48
Scan of all local drives

Number of searched folders: 4371
Number of tested files: 45182
Number of infected files: 0

I have avast 4.8.1296 with Vps 081212-0 (latest).

While typing this, Rootkit scan detected the same file again.  I clicked ignore.  I checked the file (process.exe) and it's dated 6/5/2003 and is 52K in size.

See image below for Rootkit alert:
Title: Re: Root kit says 'Process.exe' suspicious
Post by: DavidR on December 13, 2008, 05:38:29 PM
A forum search would have found this, http://forum.avast.com/index.php?topic=38236.0
Title: Re: Root kit says 'Process.exe' suspicious
Post by: Maxx_original on December 13, 2008, 05:56:28 PM
something related to this? http://www.bleepingcomputer.com/startups/process.exe-7200.html
Title: Re: Root kit says 'Process.exe' suspicious
Post by: DavidR on December 13, 2008, 06:05:10 PM
Well that one is related to one in the %Windows% folder, but there are plenty of google hits that are in the system32 folder and are less than desirable.
Title: Re: Root kit says 'Process.exe' suspicious
Post by: Rick F on December 13, 2008, 08:00:18 PM
Sorry David.  I had posted the following response in the wrong thread.  This time I'll post a URL of VirusTotal instead of the partial image.
___________

I think this is a false positive.  I uploaded it to VirusTotal for analysis, and some report it as an undesirable program (avast says nothing though  :-\ ).  Looks like it's part of SmitFraud fix.  NOD32 calls it "Win32/PrcView".

Just not sure why the date of the file is 2003.  I downloaded Smitfraud fix in the past year... but maybe just a module of SmitFraud that didn't need to be updated.

VirusTotal URL of scan results.

www.virustotal.com/analisis/45ae254a2480c11c94612429f90b4046
Title: Re: Root kit says 'Process.exe' suspicious
Post by: DavidR on December 13, 2008, 08:19:19 PM
Sorry, but when you're talking about a possible rootkit, "looks" just doesn't cut it; 100% certainty is what is required, or as close as makes no difference.

Smitfraud is a tool and could just as easily have components used for malicious purposes, the fact that as far as I'm aware smitfraud doesn't install anything in the system32 folder makes me less than certain this is anything to do with smitfraud.

And the obvious point everyone seems to be ignoring: smitfraud doesn't run on boot, so why would something supposedly (as far as you and others think) be running, hidden, on every boot?

There could quite possibly be an innocent explanation for this (but smitfraud isn't it) and that is what needs to be found. So google process.exe, find what other programs use this file name, and check whether you have any of those installed. Obviously sending it to avast when detected is advisable as it certainly needs much further analysis.

It isn't being detected by the normal avast detection signatures (why it isn't in the VT results) but by the heuristic scanning of the anti-rootkit scan.
Title: Re: Root kit says 'Process.exe' suspicious
Post by: Rick F on December 13, 2008, 09:09:36 PM
Just so I'm sure David,

If the Rootkit scan detects something it means the process is actually active at that time?  You're right, SmitfraudFix was not running when avast popped up with the alert.

What I did for now is rename the file, 'Process.exe' to 'Process.xxx' so it won't run.  Then... I ran smitfraudfix.  The program still runs fine.  But... if I understand correctly, the file 'Process.exe' only runs if it needs to stop a suspicious process.  Since Smitfraudfix finds nothing, it may not need it.  But... there is a file 'Process.exe' in the 'Smitfraud folder' which may be the correct one.  Not sure.

At my next boot and if avast finds another file as suspect, should I delete it then?  The recommended action was to 'ignore'.

Thanks.

________

<< edit >>

Had a thought...

I use LiveState Recovery to backup my HDD each week and keep 3 weeks worth of backups (complete image of my 'C' drive). I looked in my backup images 3 weeks ago and see that the file, 'Process.exe' was there on Nov 29, 2008.  So this file has been there awhile... not new.
Title: Re: Root kit says 'Process.exe' suspicious
Post by: DavidR on December 13, 2008, 10:16:59 PM
I would still follow the recommended action, if avast was more certain of the heuristic detection it would I'm sure recommend deletion.

Having run smitfraud again, if it was responsible for the file in the system32 folder then I would have expected it to replace the missing (renamed) file; since it didn't, that makes me feel more confident that it isn't actually a part of smitfraud, but something else. That is why I suggested checking out google hits for other applications that use process.exe.
Title: Re: Root kit says 'Process.exe' suspicious
Post by: fidmas on December 13, 2008, 10:38:34 PM
For what it's worth, I found the same thing yesterday.  Went through the same boot scan and found nothing.  avast! found it again after reboot, so I answered "Delete", but not before checking the size.  It is from: http://www.beyondlogic.org/consulting/processutil/processutil.htm

It still was left there, but when I looked inside, avast had written in it, making it non-runnable.  I know this because I tried to run it on a VPC.  Since I could no longer prove anything, I blew it away.

My problem is I never ran smitfraudfix or anything like it.  So, I have no idea how it got there!  There were no registry entries to run it, so I'm puzzled.

/fidmas
Title: Re: Root kit says 'Process.exe' suspicious
Post by: DavidR on December 13, 2008, 10:49:11 PM
It isn't a problem as I have been saying all along this isn't a part of smitfraud and is just a coincidence that smitfraud also uses this tool/file.

The problem with tools like this is their function can be for good or bad, and there may be many different tools that would use this file; the difficult part is what application put it in the system32 folder and why it is running hidden on every boot.
A registry search for process.exe: a hidden process might also have its registry entry hidden, as you haven't been able to find a registry entry responsible for running it.

So I'm not entirely sure what else can be done to pin down why it is there or running.
Title: Re: Root kit says 'Process.exe' suspicious
Post by: fidmas on December 13, 2008, 11:08:14 PM
Yeah.  Beats me.  Anyway it's gone now, and I see no problems or anything in the Event Logs.

Are we *sure* it had to be running to be found?

fidmas
--
Title: Re: Root kit says 'Process.exe' suspicious
Post by: Avaster on December 13, 2008, 11:15:21 PM
My system32\process.exe was sure created by Smitfraud. I checked the creation date of that system32\process.exe, and then did a Windows search to find files created on that same date. All files that came up were smitfraud files. There were 4 files in that Smitfraud folder that were also in the system32 directory. So smitfraud has copied those files to system32 a few minutes after the Smitfraud folder was created - so I guess after I ran Smitfraud. They were the same files, no doubt about it.

I removed all those Smitfraud files, even though there wasn't any real need for it.
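Avaster's creation-date correlation, as an added example that is not code from the thread, from SmitfraudFix or from avast: a PowerShell script that fingerprints the System32 copy of process.exe (size, creation time, last-write time, SHA-256), compares its hash against the copy in the SmitfraudFix folder so "same name and same size" becomes "byte-for-byte identical" or not, and then lists every file in System32 created within a few minutes of it. The two paths and the five-minute window are assumptions; adjust them to the machine being examined.

```powershell
# Added example (not from the thread): is System32\process.exe the SmitfraudFix copy,
# and what else landed in System32 at the same time?
# Assumptions: typical XP paths below; SmitfraudFix extracted to C:\SmitfraudFix.

$suspect  = 'C:\WINDOWS\system32\process.exe'
$toolCopy = 'C:\SmitfraudFix\Process.exe'     # assumption: where SmitfraudFix was extracted
$window   = New-TimeSpan -Minutes 5           # assumption: "a few minutes", as in the thread

function Get-FileFingerprint {
    # Size and dates are what Explorer shows; the SHA-256 is what actually proves identity.
    param([string]$Path)
    $f = Get-Item -LiteralPath $Path -ErrorAction Stop
    [pscustomobject]@{
        Path     = $f.FullName
        Size     = $f.Length
        Created  = $f.CreationTime      # set when the file was written to THIS location
        Modified = $f.LastWriteTime     # preserved by a file copy (this is the "2003" date)
        Sha256   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

function Find-FilesCreatedNear {
    # Everything in $Directory whose creation time is within $Window of $When.
    param([string]$Directory, [datetime]$When, [timespan]$Window)
    Get-ChildItem -LiteralPath $Directory -File -Force -ErrorAction SilentlyContinue |
        Where-Object { [math]::Abs(($_.CreationTime - $When).TotalSeconds) -le $Window.TotalSeconds } |
        Select-Object Name, Length, CreationTime, LastWriteTime
}

$a = Get-FileFingerprint $suspect
$a | Format-List

if (Test-Path -LiteralPath $toolCopy) {
    $b = Get-FileFingerprint $toolCopy
    if ($a.Sha256 -eq $b.Sha256) {
        "System32 copy is identical (SHA-256 match) to $toolCopy"
    } else {
        "Same name but DIFFERENT content: $($a.Sha256) vs $($b.Sha256)"
    }
} else {
    "No SmitfraudFix copy found at $toolCopy; cannot compare by hash."
}

"Files in $(Split-Path $suspect) created within $($window.TotalMinutes) minutes of $($a.Created):"
Find-FilesCreatedNear -Directory (Split-Path $suspect) -When $a.Created -Window $window |
    Format-Table -AutoSize
```

Two points worth knowing when reading the output. A Windows file copy keeps the source's last-write time but stamps a new creation time on the destination, so a file can show a 2003 "Date modified" in Explorer while its creation time points at the minute SmitfraudFix was extracted; that is why creation time, not modification time, is the field to correlate on. And Get-FileHash needs PowerShell 4 or later; on an older box, `certutil -hashfile <path> SHA256` gives the same digest.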
Title: Re: Root kit says 'Process.exe' suspicious
Post by: DavidR on December 14, 2008, 12:36:58 AM
Yeah.  Beats me.  Anyway it's gone now, and I see no problems or anything in the Event Logs.

Are we *sure* it had to be running to be found?

As sure as we can be as we can't use any normal windows tools as that is what it is hidden from.

The avast anti-rootkit scan makes two lists to compare, what the windows APIs, etc. say is running against a raw check on what is actually running, that is how rootkits are generally found, though there is no real information other than this is a hidden process as in the image posted by Rick F.
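DavidR's two-list comparison, as an added example that is not code from the thread or from avast: a user-mode version of the cross-view check in PowerShell. It takes the list the normal Windows API reports (Get-Process) and compares it against a raw probe of every candidate PID through OpenProcess(); a PID that opens (or is refused with "access denied", which still proves the process exists) but is missing from the API list is a candidate hidden process. The PID ceiling, the access-right constant and the 500 ms settle time between passes are assumptions.

```powershell
# Added example (not from the thread or from avast): user-mode cross-view check
# for hidden processes. API view = Get-Process; raw view = OpenProcess() on every
# candidate PID. Anything in the raw view but not the API view is suspicious.

Add-Type -Namespace Native -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

function Get-ProbedPids {
    param([int]$MaxPid = 0x10000)   # assumption: PIDs above 65536 are rare on a desktop
    # PROCESS_QUERY_LIMITED_INFORMATION (Vista and later); on XP use 0x0400, PROCESS_QUERY_INFORMATION.
    $ACCESS = 0x1000
    $ERROR_ACCESS_DENIED = 5
    $found = @()
    # Windows hands out PIDs in multiples of 4; 0 is the Idle process and is skipped.
    for ($id = 4; $id -lt $MaxPid; $id += 4) {
        $h = [Native.Kernel32]::OpenProcess($ACCESS, $false, [uint32]$id)
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if ($h -ne [IntPtr]::Zero) {
            [void][Native.Kernel32]::CloseHandle($h)
            $found += $id
        } elseif ($err -eq $ERROR_ACCESS_DENIED) {
            # The PID exists but we may not open it (system/protected process): still "present".
            $found += $id
        }
        # Any other failure (normally ERROR_INVALID_PARAMETER, 87) means no such process.
    }
    return $found
}

function Find-HiddenProcesses {
    # Two passes of each view so a process that started or exited mid-scan is not reported.
    $api1 = (Get-Process).Id
    $raw1 = Get-ProbedPids
    Start-Sleep -Milliseconds 500
    $api2 = (Get-Process).Id
    $raw2 = Get-ProbedPids
    $stableRaw = $raw1 | Where-Object { $raw2 -contains $_ }
    $stableRaw | Where-Object { ($api1 -notcontains $_) -and ($api2 -notcontains $_) }
}

$hidden = Find-HiddenProcesses
if ($hidden) {
    "PIDs reachable via OpenProcess but absent from Get-Process: $($hidden -join ', ')"
} else {
    "No discrepancy between the API view and the raw PID probe."
}
```

This is a weaker check than a kernel-mode scanner's: both views are taken from user mode, so a rootkit that hooks handle opening as well as process enumeration hides from both. It does catch the common case of a process hidden only from the enumeration APIs (the list Task Manager and Get-Process rely on), which is enough to show how "two lists that should agree but don't" becomes a detection.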
Title: Re: Root kit says 'Process.exe' suspicious
Post by: DavidR on December 14, 2008, 12:42:25 AM
My system32\process.exe was sure created by Smitfraud. I checked the creation date of that system32\process.exe, and then did a Windows search to find files created on that same date. All files that came up were smitfraud files. There were 4 files in that Smitfraud folder that were also in the system32 directory. So smitfraud has copied those files to system32 a few minutes after the Smitfraud folder was created - so I guess after I ran Smitfraud. They were the same files, no doubt about it.

I removed all those Smitfraud files, even though there wasn't any real need for it.

That is all well and good, however it doesn't account for why it would be a) running all the time and b) a hidden process. It also doesn't account for if the file in the system32 folder is renamed or removed and you run smitfraud again the missing/renamed file isn't replaced.

So having removed the smitfraud folder, if you rename the system32 file and recreate the creation of the smitfraud folder see if it is replaced. Run smitfraud and see if it is replaced.

So there is very much more to this than meets the eye.
Title: Re: Root kit says 'Process.exe' suspicious
Post by: fidmas on December 14, 2008, 01:32:16 AM
Yeah.  Beats me.  Anyway it's gone now, and I see no problems or anything in the Event Logs.

Are we *sure* it had to be running to be found?

As sure as we can be as we can't use any normal windows tools as that is what it is hidden from.

The avast anti-rootkit scan makes two lists to compare, what the windows APIs, etc. say is running against a raw check on what is actually running, that is how rootkits are generally found, though there is no real information other than this is a hidden process as in the image posted by Rick F.

Confusing as all hell, since this "process.exe" just acts on a command line and never stays running very long. :-/
Title: Re: Root kit says 'Process.exe' suspicious
Post by: DavidR on December 14, 2008, 01:55:12 AM
Confusing yes, most certainly, but it is apparently running when the anti-rootkit scan takes place 8 minutes after boot.

I still don't know what starts this (as people have tried to find an entry in registry) or why it needs to start at all or why it would need to be hidden.
Title: Re: Root kit says 'Process.exe' suspicious
Post by: fidmas on December 14, 2008, 02:17:24 PM
Confusing yes, most certainly, but it is apparently running when the anti-rootkit scan takes place 8 minutes after boot.

I still don't know what starts this (as people have tried to find an entry in registry) or why it needs to start at all or why it would need to be hidden.

I even tried the "REG Query" command to find any entry hidden with the "Looooooong name" trick.  No "process.exe" anywhere.  If it's being started by the registry, it's not directly.  Has to be the registry starting something else that then starts "process.exe" and causes no errors if it's removed, as I did.  I wish I hadn't let avast destroy the original process.exe file, so I could make sure it still worked as advertised (or kept running).

I have accounted for everything in \Run and \RunOnce keys and non-MS services.  Whatever it is/was, it is/was hidden well!

/fidmas
Title: Re: Root kit says 'Process.exe' suspicious
Post by: Maxx_original on December 14, 2008, 02:26:44 PM
we'll change this detection probably.. main group targeted by the algo comes from PUP greyzone, which we don't want to treat so roughly..
Title: Re: Root kit says 'Process.exe' suspicious
Post by: fidmas on December 14, 2008, 02:53:18 PM
Just FYI, http://www.geocities.jp/kiskzo/regreveal.html finds nothing Hidden in the following keys:
-------
#
# sample input file for RegReveal
#
# Supports following keys:
#    HKEY_CLASSES_ROOT (HKCR)
#    HKEY_CURRENT_CONFIG (HKCC)
#    HKEY_CURRENT_USER (HKCU)
#    HKEY_LOCAL_MACHINE (HKLM)
#    HKEY_USERS (HKU)
#
# If key name includes spaces, it must be quoted.
#
# Options:
#    /r   scan recursively
#

# Known startups:
"HKCR\Folder\shellex\ColumnHandlers"
"HKCU\Software\Microsoft\Command Processor"
"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows"
"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /r
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /r
"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /r
"HKLM\Software\Microsoft\Active Setup\Installed Components" /r
"HKLM\Software\Microsoft\Command Processor"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /r
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" /r
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler"
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /r
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /r
"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" /r
"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"
"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"
"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
"HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
"HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute"
"HKLM\System\CurrentControlSet\Services"

# Others:
"HKCU\Software"
"HKLM\Software"
---------

/fidmas
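fidmas's registry sweep, as an added example that is not RegReveal's code or output: a PowerShell pass over the same autostart locations that reports any value whose data mentions process.exe, and any key or value name long enough to be hidden from regedit (the "long name" trick fidmas refers to). The key list is a subset of the RegReveal input above, and the 254-character threshold is an assumption; tune both as needed.

```powershell
# Added example (not RegReveal): sweep autostart keys for process.exe and for
# key/value names so long that regedit cannot display them.
# Assumptions: the key list below; names of 254+ characters count as "hidden from regedit".

$pattern       = 'process\.exe'   # -match is case-insensitive by default
$longNameLimit = 254

$startupKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\System\CurrentControlSet\Control\Session Manager',   # BootExecute is a value here
    'HKLM:\System\CurrentControlSet\Services'                   # ImagePath / ServiceDll values
)

function Search-AutostartKeys {
    param([string[]]$Keys, [string]$Pattern, [int]$LongNameLimit)
    foreach ($root in $Keys) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # The root key itself plus every subkey beneath it (RegistryKey objects).
        $items = @(Get-Item -LiteralPath $root -ErrorAction SilentlyContinue) +
                 @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $items) {
            if ($key.PSChildName.Length -ge $LongNameLimit) {
                [pscustomobject]@{ Key = $key.Name; Value = '<key name>'; Reason = 'over-long key name'; Data = $key.PSChildName.Length }
            }
            foreach ($valueName in $key.GetValueNames()) {
                $data = [string]$key.GetValue($valueName)   # REG_MULTI_SZ is joined into one string
                if ($valueName.Length -ge $LongNameLimit) {
                    [pscustomobject]@{ Key = $key.Name; Value = $valueName; Reason = 'over-long value name'; Data = $data }
                }
                if ($data -match $Pattern) {
                    [pscustomobject]@{ Key = $key.Name; Value = $valueName; Reason = 'matches pattern'; Data = $data }
                }
            }
        }
    }
}

$hits = @(Search-AutostartKeys -Keys $startupKeys -Pattern $pattern -LongNameLimit $longNameLimit)
if ($hits.Count -eq 0) {
    "Nothing matching '$pattern' and no over-long names in the listed keys."
} else {
    $hits | Format-Table -AutoSize -Wrap
}
```

The over-long-name check works because the .NET registry classes (and `reg query`) go through the Win32 API, which enumerates such names fine; only regedit's display chokes on them. The same limitation as any user-mode tool applies: a rootkit that filters registry enumeration in the kernel hides its entries from this script as well, which is why a clean result here rules out the cheap tricks, not a real rootkit.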
Title: Re: Root kit says 'Process.exe' suspicious
Post by: Avaster on December 14, 2008, 04:12:47 PM
That Process.exe is not a running process and it doesn't start by itself. That's pretty sure. It's a command line utility. Sure the name is suspicious, though.
Title: Re: Root kit says 'Process.exe' suspicious
Post by: DavidR on December 14, 2008, 04:21:53 PM
Then how can you explain how avast detects it as a running process, it does two checks, what is reported by windows as running and what is actually running, e.g. hidden ?

How do you know it isn't running ?
How did you check ?
What tools have you tried to find what is running (remembering it is a hidden process) ?
Title: Re: Root kit says 'Process.exe' suspicious
Post by: Avaster on December 14, 2008, 04:29:59 PM
Then how can you explain how avast detects it as a running process, it does two checks, what is reported by windows as running and what is actually running, e.g. hidden ?

How do you know it isn't running ?
How did you check ?
What tools have you tried to find what is running (remembering it is a hidden process) ?
Why should it even run? There's no purpose for it to run. I checked with various process (running programs) programs and none of them showed this process.exe. Or maybe we are infected by some other process.exe that's completely hidden??

The file i'm talking about here is this: http://www.beyondlogic.org/consulting/processutil/processutil.htm
Title: Re: Root kit says 'Process.exe' suspicious
Post by: fidmas on December 14, 2008, 04:37:37 PM
Then how can you explain how avast detects it as a running process, it does two checks, what is reported by windows as running and what is actually running, e.g. hidden ?

How do you know it isn't running ?
How did you check ?
What tools have you tried to find what is running (remembering it is a hidden process) ?
Why should it even run? There's no purpose for it to run. I checked with various process (running programs) programs and none of them showed this process.exe. Or maybe we are infected by some other process.exe that's completely hidden??

Before I let avast write in it, I checked the size.  It was the same as the one we're talking about.  But I regret not copying it to a VPC to play with first, so I'm not 100% sure.
Title: Re: Root kit says 'Process.exe' suspicious
Post by: DavidR on December 14, 2008, 05:48:59 PM
<snip>
Why should it even run? There's no purpose for it to run. I checked with various process (running programs) programs and none of them showed this process.exe. Or maybe we are infected by some other process.exe that's completely hidden??

The file i'm talking about here is this: http://www.beyondlogic.org/consulting/processutil/processutil.htm
Exactly, why and how but something is running.
The programs you are checking with use the windows APIs, etc. to show what is running and that is precisely what they hide from.

The size is immaterial, as it is the purpose of process.exe that could be being used (a google search will show many applications use it), so no need to modify it, just use it via command line, etc., but it would have to be running to do that. So it isn't really the file but the purpose it might be being put to (good or evil, benign or malevolent) that really is the true issue.

To date we haven't found out, exactly what placed it in the system32 folder or why it is running or why it is hidden, everything so far is speculative it might be this or I don't think it looks bad, etc. etc. we simply don't know other than what Maxx said.

we'll change this detection probably.. main group targeted by the algo comes from PUP greyzone, which we don't want to treat so roughly..

@ Maxx_original
So if this is correct, and I have little reason to doubt it, we are getting nearer to a possible resolution. Which begs the question on this PUP (Potentially Unwanted Program) greyzone: what does it do (didn't find anything on various searches) and how would it get on the systems of those reporting this detection?

I would also consider if this really is a PUP should we not be adding a signature to the VPS to detect and report the controlling application ?
Would the likes of HiJackThis show greyzone?
Title: Re: Root kit says 'Process.exe' suspicious
Post by: fidmas on December 14, 2008, 06:09:04 PM
... but it would have to be running to do that. So it isn't really the file but the purpose it might be being put to (good or evil, benign or malevolent) that really is the true issue.

But *this* command-line program never does anything for a long enough time to detect.  That's why I wished I verified what it actually did to a VPC I could restore easily.
Title: Re: Root kit says 'Process.exe' suspicious
Post by: Dave_MK on December 14, 2008, 06:21:17 PM
I'm a newbie here and not that tech savvy to run a VPC.  I've had the same experience as everyone else.  My first avast alert regarding process.exe was yesterday, and since renaming the process.exe in my system32 directory I have had no further alerts.  I understand that the issue is more likely what the file is being used for, even if not modified from its original, and why it is in the system32 directory at all, but I can send my process.exe file for someone else to play with, if it would be of any help. I did not allow avast to delete or overwrite the file, so except for renaming, the file is intact.  I know this forum does not allow upload of executables directly with a post.
Title: Re: Root kit says 'Process.exe' suspicious
Post by: DavidR on December 14, 2008, 06:26:55 PM
... but it would have to be running to do that. So it isn't really the file but the purpose it might be being put to (good or evil, benign or malevolent) that really is the true issue.

But *this* command-line program never does anything for a long enough time to detect.  That's why I wished I verified what it actually did to a VPC I could restore easily.


Which is what I have been banging on about, we don't know that it has anything to do with this command line application, that hasn't been established, the only thing that has been established is that the file has the same name and the same size.

Whatever it is associated with, it 'is' running and hidden at 8 minutes after boot or avast's anti-rootkit scan wouldn't find it. So the why is it running (and hidden) is the question, and the Command Line Process Viewer/Killer/Suspender, being a run-on-demand application, would appear to have nothing to do with why process.exe is running.

Your selective quote doesn't show Maxx's comment that it is believed that this is to do with a PUP called greyzone ???
Title: Re: Root kit says 'Process.exe' suspicious
Post by: fidmas on December 14, 2008, 07:00:01 PM
Whatever it is associated with, it 'is' running and hidden at 8 minutes after boot or avast's anti-rootkit scan wouldn't find it. So the why is it running (and hidden) is the question, and the Command Line Process Viewer/Killer/Suspender, being a run-on-demand application, would appear to have nothing to do with why process.exe is running.

I agree.  So why did avast point directly at System32\process.exe?  I'm not disputing anyone.  I'm just confused?  Would it help if I got the file back from Dave_MK and verified it's functionality on an XP VPC, or are we past that point?
Quote
Your selective quote doesn't show Maxx's comment that it is believed that this is to do with a PUP called greyzone ???

Sorry.  I missed that the first time. :-o
Title: Re: Root kit says 'Process.exe' suspicious
Post by: Rick F on December 14, 2008, 07:30:07 PM
Update...

Yesterday I posted that I renamed 'Process.exe' to 'Process.xxx' in the \Windows\System32 folder.  Well when I rebooted the PC today I checked the 'System32' folder.  Oh oh! - there was another file called 'Process.exe'.  It has the same date and size of the one I renamed to 'Process.xxx'.  It's dated 6/5/2003 and 52K in size.  So there's something somewhere making or remaking this file at every bootup.  Then avast rootkit scan (8 mins after boot) sounded the alarm again.  This time I clicked 'delete' and submit to Alwil for analysis. BUT... the file 'Process.exe' was still there! Still the same size so I don't think Avast is actually deleting it even when told to. I deleted it manually with Windows explorer. Probably won't matter because as soon as I reboot I'm pretty sure the file will show up again.

So I think David is right.  There's something going on here. It's a hidden process (task mgr doesn't show it) and we can't find it in the registry.  It doesn't show up in any of the startups that Windows controls.

I'm going to look back through an archive of files I have from about a year ago when I used Acronis for backup.  If the file is legit - and dated 2003 - it should be in this archive.  I'll post back any results.
Title: Re: Root kit says 'Process.exe' suspicious
Post by: Avaster on December 14, 2008, 07:41:54 PM
Rick F: Do you have Smitfraud and have you used it lately? I deleted my Smitfraud folder and that process.exe yesterday, and it's now gone for good.
Title: Re: Root kit says 'Process.exe' suspicious
Post by: Rick F on December 14, 2008, 07:42:21 PM
I checked my archive of files from May, 2007 and the file 'Process.exe' does not exist.  Not sure exactly what that proves.
Title: Re: Root kit says 'Process.exe' suspicious
Post by: Rick F on December 14, 2008, 07:44:55 PM
Rick F: Do you have Smitfraud and have you used it lately? I deleted my Smitfraud folder and that process.exe yesterday, and it's now gone for good.

Yes I do. AND, I did run SmitfraudFix after renaming that file yesterday to see if it would still run with that file renamed.  Maybe SmitfraudFix is rewriting that file there?  I'll run SmitfraudFix again and see if the file shows up.  If it doesn't, I'll consider deleting the whole thing.

Thanks.
Title: Re: Root kit says 'Process.exe' suspicious
Post by: Avaster on December 14, 2008, 07:45:53 PM
Rick F: Do you have Smitfraud and have you used it lately? I deleted my Smitfraud folder and that process.exe yesterday, and it's now gone for good.

Yes I do. AND, I did run Smitfraud after renaming that file yesterday.  Maybe Smitfraud is rewriting that file there?  I'll run SmitfraudFix again and see if the file shows up.

Thanks.
Yes, Smitfraud will copy that file to system32 folder! Same file is in Smitfraud folder too.
Title: Re: Root kit says 'Process.exe' suspicious
Post by: Rick F on December 14, 2008, 07:49:08 PM
Avastar,

You're right!!  SmitfraudFix is rewriting that file in the System32 folder.  Just launching smitfraud (not actually running it) causes that file to be rewritten.  I'll do an 'uninstall' then delete the whole Smitfraud folder to be sure.  I'd want the latest tool if I ever needed it anyway.

Thanks.  Hope this is the end of it.

Title: Re: Root kit says 'Process.exe' suspicious
Post by: fidmas on December 14, 2008, 07:50:30 PM
boot) sounded the alarm again.  This time I clicked 'delete' and submit to Alwil for analysis. BUT... the file 'Process.exe' was still there! Still the same size so I don't think Avast is actually deleting it even when told to. I deleted it manually with Windows explorer. Probably won't matter because as soon as I reboot I'm pretty sure the file will show up again.

I haven't seen it come back yet, but I can tell you avast didn't delete mine either.  It just wrote in it to make it non-runnable.  If you look at the file with a hex file editor, you'll see an ASCII blurb something about "...disabled by avast..." or something like that.  I don't remember the exact wording.

fidmas
--
Title: Re: Root kit says 'Process.exe' suspicious
Post by: Avaster on December 14, 2008, 07:51:39 PM
Avastar,

You're right!!  SmitfraudFix is rewriting that file in the System32 folder.  Just launching smitfraud (not actually running it) causes that file to be rewritten.  I'll do an 'uninstall' then delete the whole Smitfraud folder to be sure.  I'd want the latest tool if I ever needed it anyway.

Thanks.  Hope this is the end of it.


This is what i have been saying here "all the time". It's a Smitfraud file.

Actually Smitfraud copies 4 files to system32 folder. All those files are in Smitfraud main folder too.

Title: Re: Root kit says 'Process.exe' suspicious
Post by: Dave_MK on December 14, 2008, 08:04:59 PM
Avastar,

You're right!!  SmitfraudFix is rewriting that file in the System32 folder.  Just launching smitfraud (not actually running it) causes that file to be rewritten.  I'll do an 'uninstall' then delete the whole Smitfraud folder to be sure.  I'd want the latest tool if I ever needed it anyway.

Thanks.  Hope this is the end of it.


This is what i have been saying here "all the time". It's a Smitfraud file.

Actually Smitfraud copies 4 files to system32 folder. All those files are in Smitfraud main folder too.



Yes, and I have rebooted multiple times since I renamed the process.exe file in my WinXP system32 folder and deleted the entire smitfraudfix folder on the drive yesterday.  So far, I've had no recurrence of process.exe anywhere on the drive.
Title: Re: Root kit says 'Process.exe' suspicious
Post by: Rick F on December 14, 2008, 08:06:43 PM
Avastar,

I would prefer to 'uninstall' Smitfraud rather than just delete the files and folders.  I don't see that as a possibility though.  Control panel doesn't offer that under 'add remove programs' nor is there an uninstall in the Smitfraud folder. Did you just delete the files and folder?

Also...

I wonder... since 'process.exe' was running HIDDEN, is/was Smitfraud fix ever a good program???  Maybe there's something underlying that we didn't know about.

Or... I'm a bit paranoid  ::)
Title: Re: Root kit says 'Process.exe' suspicious
Post by: Avaster on December 14, 2008, 08:09:33 PM
Avastar,

I would prefer to 'uninstall' Smitfraud rather than just delete the files and folders.  I don't see that as a possibility though.  Control panel doesn't offer that under 'add remove programs' nor is there an uninstall in the Smitfraud folder. Did you just delete the files and folder?

Also...

I wonder... since 'process.exe' was running HIDDEN, is/was Smitfraud fix ever a good program???  Maybe there's something underlying that we didn't know about.

Or... I'm a bit paranoid  ::)
I would prefer it too, but there wasn't any uninstall option. I think Smitfraud was just extract and run.

Was it really running hidden?  Maybe we are revealing a smitfraud conspiracy here...
Title: Re: Root kit says 'Process.exe' suspicious
Post by: fidmas on December 14, 2008, 08:10:18 PM
I'm lost.  What is this Smitfraud folder people have installed?  I thought that was http://en.wikipedia.org/wiki/Spyware_Quake that I cured on a neighbor's system last year.

This box has never seen any signs of it.

Title: Re: Root kit says 'Process.exe' suspicious
Post by: Avaster on December 14, 2008, 08:12:20 PM
I'm lost.  What is this Smitfraud folder people have installed?


It's SmitfraudFix folder. Program that removes smitfraud virus.
Title: Re: Root kit says 'Process.exe' suspicious
Post by: Rick F on December 14, 2008, 08:15:25 PM
Quote
Was it really running hidden?

Well, avast says it was a 'hidden process' from the alert I saw (image posted at beginning of thread).

I don't know a lot about rootkits -- except that they are very bad and can be hard to get rid of.  If David's explanation of how avast compares what is actually running to what Windows says is running is right, then sounds to me like somehow this process was running.

I'm going to make a list of the files in the 'SmitfraudFix' folder with size & dates and then delete... or rename those files that happen to show up in the "System32" folder.

Thanks to everyone for their help. This forum is one of the best things about avast... users helping users.  Not to mention that the developers or programmers step in here as well when needed.

I'll post back if it "rears its ugly head" again.  :o ::)
Title: Re: Root kit says 'Process.exe' suspicious
Post by: Maxx_original on December 14, 2008, 08:20:19 PM
DavidR: in this case greyzone meant apps, which are not absolutely clean (white) or absolutely bad (black)... Avira e.g. detects these files as PUP (they could be abused by some bad handler)... we have the ability to tune up the behavioral detections in the antirootkit module to detect more or less files/processes etc, it is scalable and we can make some little changes to ignore these PUPs... let's see, we must discuss it internally..
Title: Re: Root kit says 'Process.exe' suspicious
Post by: fidmas on December 14, 2008, 08:22:11 PM
I'm lost.  What is this Smitfraud folder people have installed?


It's SmitfraudFix folder. Program that removes smitfraud virus.

Ok.  Thanks.  I never used it.  At least not on this box.  So I still have no idea where Process.exe came from, or why (or how) it could be running 8 minutes after bootup.  The only thing that got installed in the last couple of days was DvdX and it got removed shortly after not doing what I needed.
Title: Re: Root kit says 'Process.exe' suspicious
Post by: Avaster on December 14, 2008, 08:26:08 PM
I'm lost.  What is this Smitfraud folder people have installed?


It's the SmitfraudFix folder, a program that removes the Smitfraud virus.

Ok.  Thanks.  I never used it.  At least not on this box.  So I still have no idea where Process.exe came from, or why (or how) it could be running 8 minutes after bootup.  The only thing that got installed in the last couple of days was DvdX and it got removed shortly after not doing what I needed.

Check the date on that process.exe, if you still have it, and then search for files created on that same date. Maybe you will find something.
Title: Re: Root kit says 'Process.exe' suspicious
Post by: fidmas on December 14, 2008, 08:33:12 PM
I'm lost.  What is this Smitfraud folder people have installed?


It's the SmitfraudFix folder, a program that removes the Smitfraud virus.

Ok.  Thanks.  I never used it.  At least not on this box.  So I still have no idea where Process.exe came from, or why (or how) it could be running 8 minutes after bootup.  The only thing that got installed in the last couple of days was DvdX and it got removed shortly after not doing what I needed.

Check the date on that process.exe, if you still have it, and then search for files created on that same date. Maybe you will find something.

It's gone. :-(  But before I blew it away, the date was June something.  Too far back to track, even if it was a valid date.
Title: Re: Root kit says 'Process.exe' suspicious
Post by: Avaster on December 14, 2008, 08:39:24 PM
I'm lost.  What is this Smitfraud folder people have installed?


It's the SmitfraudFix folder, a program that removes the Smitfraud virus.

Ok.  Thanks.  I never used it.  At least not on this box.  So I still have no idea where Process.exe came from, or why (or how) it could be running 8 minutes after bootup.  The only thing that got installed in the last couple of days was DvdX and it got removed shortly after not doing what I needed.

Check the date on that process.exe, if you still have it, and then search for files created on that same date. Maybe you will find something.

It's gone. :-(  But before I blew it away, the date was June something.  Too far back to track, even if it was a valid date.

You need the exact date, and then use Windows Search to search by date.

It's very possible that it came with some program you have downloaded.
Title: Re: Root kit says 'Process.exe' suspicious
Post by: Rick F on December 14, 2008, 08:41:51 PM
BTW, there are more than 4 files of SmitfraudFix duplicated in the System32 folder on my machine.  I opened the SmitfraudFix folder alongside the System32 folder and looked at them side by side and compared file name, size and creation date.  There are 12 such files in my System32 folder.  Not sure everyone's will be the same.  May depend on the actual date you installed SmitfraudFix.

If anyone wants or needs the list post here and I'll share it.
Title: Re: Root kit says 'Process.exe' suspicious
Post by: Avaster on December 14, 2008, 08:46:07 PM
BTW, there are more than 4 files of SmitfraudFix duplicated in the System32 folder on my machine.  I opened the SmitfraudFix folder alongside the System32 folder and looked at them side by side and compared file name, size and creation date.  There are 12 such files in my System32 folder.  Not sure everyone's will be the same.  May depend on the actual date you installed SmitfraudFix.

If anyone wants or needs the list post here and I'll share it.

Well, that might be possible, but I think there were 4 .exe files? Am I right?
Title: Re: Root kit says 'Process.exe' suspicious
Post by: fidmas on December 14, 2008, 08:49:05 PM
I'm lost.  What is this Smitfraud folder people have installed?


It's the SmitfraudFix folder, a program that removes the Smitfraud virus.

Ok.  Thanks.  I never used it.  At least not on this box.  So I still have no idea where Process.exe came from, or why (or how) it could be running 8 minutes after bootup.  The only thing that got installed in the last couple of days was DvdX and it got removed shortly after not doing what I needed.

Check the date on that process.exe, if you still have it, and then search for files created on that same date. Maybe you will find something.

It's gone. :-(  But before I blew it away, the date was June something.  Too far back to track, even if it was a valid date.

You need the exact date, and then use Windows Search to search by date.

It's very possible that it came with some program you have downloaded.

Sure....  I wonder why avast waited until now then to gripe......... /-|
Title: Re: Root kit says 'Process.exe' suspicious
Post by: Avaster on December 14, 2008, 08:52:28 PM
I'm lost.  What is this Smitfraud folder people have installed?


It's the SmitfraudFix folder, a program that removes the Smitfraud virus.

Ok.  Thanks.  I never used it.  At least not on this box.  So I still have no idea where Process.exe came from, or why (or how) it could be running 8 minutes after bootup.  The only thing that got installed in the last couple of days was DvdX and it got removed shortly after not doing what I needed.

Check the date on that process.exe, if you still have it, and then search for files created on that same date. Maybe you will find something.

It's gone. :-(  But before I blew it away, the date was June something.  Too far back to track, even if it was a valid date.

You need the exact date, and then use Windows Search to search by date.

It's very possible that it came with some program you have downloaded.

Sure....  I wonder why avast waited until now then to gripe......... /-|

Most likely because of the new AR database update.
Title: Re: Root kit says 'Process.exe' suspicious
Post by: Rick F on December 14, 2008, 08:56:41 PM
BTW, there are more than 4 files of SmitfraudFix duplicated in the System32 folder on my machine.  I opened the SmitfraudFix folder alongside the System32 folder and looked at them side by side and compared file name, size and creation date.  There are 12 such files in my System32 folder.  Not sure everyone's will be the same.  May depend on the actual date you installed SmitfraudFix.

If anyone wants or needs the list post here and I'll share it.

Well, that might be possible, but I think there were 4 .exe files? Am I right?

No, all 12 of these are exe files with the exact same size and creation date as the files in the SmitfraudFix folder.  I haven't deleted (or renamed) any of these as yet.  Still trying to decide the best thing to do. I just rebooted to see if I get any rootkit alarms again.  There is no 'Process.exe' file present in the Sys32 folder.  It's been 10 mins now and no alarm as yet.

I'm still thinking that avast rootkit is detecting the presence of 'Process.exe' because it was there and matched a signature thru heuristics.   I'm still confused on the 'hidden process' running.
Title: Re: Root kit says 'Process.exe' suspicious
Post by: Dave_MK on December 14, 2008, 10:15:38 PM
BTW, there are more than 4 files of SmitfraudFix duplicated in the System32 folder on my machine.  I opened the SmitfraudFix folder alongside the System32 folder and looked at them side by side and compared file name, size and creation date.  There are 12 such files in my System32 folder.  Not sure everyone's will be the same.  May depend on the actual date you installed SmitfraudFix.

If anyone wants or needs the list post here and I'll share it.

Well, that might be possible, but I think there were 4 .exe files? Am I right?

No, all 12 of these are exe files with the exact same size and creation date as the files in the SmitfraudFix folder.  I haven't deleted (or renamed) any of these as yet.  Still trying to decide the best thing to do. I just rebooted to see if I get any rootkit alarms again.  There is no 'Process.exe' file present in the Sys32 folder.  It's been 10 mins now and no alarm as yet.

I'm still thinking that avast rootkit is detecting the presence of 'Process.exe' because it was there and matched a signature thru heuristics.   I'm still confused on the 'hidden process' running.

I have the following in my system32 folder that are the exact size and creation date as the files in the smitfraudfix folder.

dumphive.exe 7/31/2004
process.exe 3/25/2007
SrchSTS.exe 4/27/2006
swreg.exe 8/29/2006
swsc.exe 1/9/2006
swxcacls.exe 12/1/2006
VCCLSID.exe 9/5/2007

This would seem to correlate with the following section from the SmitfraudFix.cmd file:

if exist Update.cmd del Update.cmd
if not exist %syspath%\Process.exe copy Process.exe %syspath%\Process.exe >NUL
if not exist %syspath%\swreg.exe copy swreg.exe %syspath%\swreg.exe >NUL
if not exist %syspath%\swsc.exe copy swsc.exe %syspath%\swsc.exe >NUL
if not exist %syspath%\SrchSTS.exe copy SrchSTS.exe %syspath%\SrchSTS.exe >NUL
if not exist %syspath%\dumphive.exe copy dumphive.exe %syspath%\dumphive.exe >NUL
if not exist %syspath%\swxcacls.exe copy swxcacls.exe %syspath%\swxcacls.exe >NUL
if not exist %syspath%\VCCLSID.exe copy VCCLSID.exe %syspath%\VCCLSID.exe >NUL


I have only deleted the process.exe file thus far, which has stopped the alerts. Any advice as to risk of deleting the other files that could possibly be required by other processes? 

Here are the other files that are in the SmitfraudFix folder, but not in the system32 folder.

Exit.exe 8/21/2007
GenericRenosFix.exe 5/9/2007
HostsChk.exe  3/28/2007
Reboot.exe 1/13/2005
restart.exe 3/7/2006
SmiUpdate.exe 9/19/2006
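The side-by-side comparison described in this post and the ones above (same name, same size, same date, in both the tool folder and system32) is easy to get wrong by hand, and a matching date alone says nothing about whether the bytes are really the same. The script below is an added example, not code from this thread or from SmitfraudFix: it walks a tool folder and a system folder, matches names case-insensitively as NTFS does, and reports which files are byte-identical copies, which share a name but differ, and which were never copied. The folder layout and file contents it builds are constructed for the demo; the real folders would be passed in instead.

```python
"""Report which files from a removal tool's folder were copied into a system
folder.  Added example; folder names and file contents are constructed."""
from __future__ import annotations

import hashlib
import tempfile
from datetime import datetime
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash the whole file: size and date can coincide, content practically cannot."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def describe(path: Path) -> dict:
    """Name, size, modification date (same format the thread uses) and hash."""
    st = path.stat()
    return {
        "name": path.name,
        "size": st.st_size,
        "mtime": datetime.fromtimestamp(st.st_mtime).strftime("%m/%d/%Y"),
        "sha256": sha256_of(path),
    }


def find_copies(tool_dir: Path, system_dir: Path) -> dict:
    """Classify every file in tool_dir against system_dir.

    Names are matched case-insensitively, as on NTFS (Process.exe == process.exe).
    A file counts as an identical copy only when size and SHA-256 both match.
    """
    sys_files = {p.name.lower(): p for p in system_dir.iterdir() if p.is_file()}
    result = {"identical": [], "same_name_different": [], "only_in_tool": []}
    for tool_file in sorted(p for p in tool_dir.iterdir() if p.is_file()):
        twin = sys_files.get(tool_file.name.lower())
        if twin is None:
            result["only_in_tool"].append(tool_file.name)
            continue
        a, b = describe(tool_file), describe(twin)
        if a["size"] == b["size"] and a["sha256"] == b["sha256"]:
            result["identical"].append(a["name"])
        else:
            result["same_name_different"].append(a["name"])
    return result


def build_demo() -> tuple[Path, Path]:
    """Construct a throwaway layout (constructed data, not a real system):
    a tool folder, some of whose helpers were copied into a 'system32' folder,
    one helper that was never copied, and one name present in both folders
    but with different content."""
    root = Path(tempfile.mkdtemp(prefix="toolcopy_demo_"))
    tool, sys32 = root / "SmitfraudFix", root / "system32"
    tool.mkdir()
    sys32.mkdir()
    copied = {
        "Process.exe": b"MZ-constructed-process-helper",
        "swreg.exe": b"MZ-constructed-swreg",
        "dumphive.exe": b"MZ-constructed-dumphive",
    }
    for name, body in copied.items():
        (tool / name).write_bytes(body)
        (sys32 / name.lower()).write_bytes(body)  # copied, lower-case on disk
    (tool / "Reboot.exe").write_bytes(b"MZ-constructed-reboot")  # never copied
    (tool / "swsc.exe").write_bytes(b"MZ-constructed-swsc-v2")  # differs from system32 copy
    (sys32 / "swsc.exe").write_bytes(b"MZ-constructed-swsc-v1")
    (sys32 / "kernel32.dll").write_bytes(b"MZ-unrelated-system-file")
    return tool, sys32


if __name__ == "__main__":
    tool, sys32 = build_demo()
    report = find_copies(tool, sys32)
    for name in report["identical"]:
        print("identical copy in system32:", describe(tool / name))
    print("same name, different content:", report["same_name_different"])
    print("only in tool folder:", report["only_in_tool"])
```

The "identical" list is the one worth acting on; a same-name file with different content may be a genuine system file that happens to share a name with a tool helper, so it deserves a look before anything is deleted or renamed.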

Title: Re: Root kit says 'Process.exe' suspicious
Post by: Rick F on December 14, 2008, 10:45:59 PM
There are a number of discussions on the web about avast detecting 'process.exe' as suspicious.  Here's one where the responder suggests removal of a number of files put in the System32 folder by SmitfraudFix:

My Avast Anti Virus warned me today... (http://forums.g4tv.com/thread.jspa?messageID=13695828)

Since I renamed 'Process.exe' to 'Process.xxx' (and have not run SmitfraudFix again) and rebooted - I've not had any more alerts.  Not sure if I'm going to delete all those SmitfraudFix files in the System32 folder yet or not.

Here's a list of files in my Windows\System32\ folder that are exactly the same as in the "SmitfraudFix folder":  (Included size and dates)

Title: Re: Root kit says 'Process.exe' suspicious
Post by: Avaster on December 14, 2008, 11:02:05 PM
Btw, if the process.exe file really was a "running program", how was I able to delete it just like that? You can't delete running programs (processes) just like that, since they are in use.
Title: Re: Root kit says 'Process.exe' suspicious
Post by: Rick F on December 14, 2008, 11:09:14 PM
Btw, if the process.exe file really was a "running program", how was I able to delete it just like that? You can't delete running programs (processes) just like that, since they are in use.

Good point. Avast called it a "hidden process".  I assumed it meant it was running.  Maybe not.  You would have to 'kill' a running process before being able to delete it -- which ironically the file 'process.exe' is for when used by SmitfraudFix.
Title: Re: Root kit says 'Process.exe' suspicious
Post by: Avaster on December 14, 2008, 11:14:13 PM
Btw, if the process.exe file really was a "running program", how was I able to delete it just like that? You can't delete running programs (processes) just like that, since they are in use.

Good point. Avast called it a "hidden process".  I assumed it meant it was running.  Maybe not.  You would have to 'kill' a running process before being able to delete it -- which ironically the file 'process.exe' is for when used by SmitfraudFix.

There's absolutely no point in it being a running (hidden) process. It was/is not a running process, nor a hidden process. Avast just made a mistake, that's it.
Title: Re: Root kit says 'Process.exe' suspicious
Post by: fidmas on December 14, 2008, 11:14:55 PM
Btw, if the process.exe file really was a "running program", how was I able to delete it just like that? You can't delete running programs (processes) just like that, since they are in use.

I agree.  I'm just sitting back waiting for smarter people than me, but I smell a bug here.