Topic: Avast 4.8 and rootkit alert

speedlever

  • Guest
Avast 4.8 and rootkit alert
« on: April 12, 2008, 03:43:49 PM »
I just updated my flash player to the latest version (9.0.124.0) and on reboot of my XP/pro.sp2 laptop, got an Avast alert of a rootkit in procexp111.sys (part of Process Explorer). I run Process Explorer 11.11 (and just discovered that 11.12 is the latest version).

Any chance this is a false positive?


Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: Avast 4.8 and rootkit alert
« Reply #1 on: April 12, 2008, 04:14:55 PM »
I have Process Explorer 11.11 on my system but there is no file on my system called procexp111.sys and it does not exist in the zip file that I downloaded as the Process Explorer 11.11 download from SystemInternals.

speedlever

  • Guest
Re: Avast 4.8 and rootkit alert
« Reply #2 on: April 12, 2008, 04:28:08 PM »
I had avast do a boot scan after reboot and it came up with this result:
File C:\windows\system32\chcfg.exe is infected by win32:rootkit-gen [RtK]

I have a choice of delete, move, repair, ignore. Between delete and repair, I'm thinking delete.

Any suggestions? Will it eliminate a rootkit?

(no mention was made of procexp111.sys)



« Last Edit: April 13, 2008, 12:13:23 AM by speedlever »

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: Avast 4.8 and rootkit alert
« Reply #3 on: April 12, 2008, 04:37:17 PM »
As is often said here ... first do no harm.

If the choice is offered to move it to the virus chest then do so. It will be unable to do any more harm if moved to the chest and you will then have time to consider it before any final deletion.

speedlever

  • Guest
Re: Avast 4.8 and rootkit alert
« Reply #4 on: April 12, 2008, 05:11:14 PM »
Thanks... off to the chest it goes. Scanning is resuming...

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Avast 4.8 and rootkit alert
« Reply #5 on: April 12, 2008, 06:01:36 PM »
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings of these files here. This can't be uploaded to VT whilst it is in the chest so it needs to be exported (right click on the file in the Infected Files section of the chest) to a temporary location and avast is likely to alert again when you do that, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

speedlever

  • Guest
Re: Avast 4.8 and rootkit alert
« Reply #6 on: April 12, 2008, 06:30:41 PM »
Thanks for those tips David. I just learned of that site and would not have known how to extract the file(s) in question in order to submit.


« Last Edit: April 12, 2008, 06:34:57 PM by speedlever »

speedlever

  • Guest
Re: Avast 4.8 and rootkit alert
« Reply #7 on: April 12, 2008, 06:32:52 PM »
Quote from: alanrf on April 12, 2008, 04:14:55 PM
I have Process Explorer 11.11 on my system but there is no file on my system called procexp111.sys and it does not exist in the zip file that I downloaded as the Process Explorer 11.11 download from SystemInternals.

I believe you should have this file. The kernel mode driver is named procexp111.sys.

See here for more information.


Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: Avast 4.8 and rootkit alert
« Reply #8 on: April 12, 2008, 06:44:50 PM »
I had already seen that information - I am puzzled by it.

Take a look at the zip file from Sysinternals download. 

I have the file I downloaded for 11.11 and the file for 11.12 ... both just contain the procexp.exe file.

I simply run procexp.exe and there is no sys file for process explorer present on my system. 


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Avast 4.8 and rootkit alert
« Reply #9 on: April 12, 2008, 07:49:34 PM »
Mine is only version 11.1 (tardy on the updates) and that file isn't in my system32 folder.

OK, downloaded the 11.12 zip file and, as Alan said, no procexp111.sys in that zip either, just procexp.exe, procexp.chm and Eula.txt. As this is a stand-alone application I don't see how it would place a file in the system32 folder.

psw

  • Guest
Re: Avast 4.8 and rootkit alert
« Reply #10 on: April 12, 2008, 08:43:06 PM »
The driver is contained within the exe as a resource. It can be found by a manual scan of the file. It is a rather common practice now; many programs use it (filemon, regmon etc.).
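The point above, that a tool can carry its kernel driver as a resource inside the exe and that a manual scan of the file can find it, as an added example (not code from this thread or from Sysinternals): a small Python scanner that walks a binary for embedded PE headers and reports each one's subsystem, so a NATIVE-subsystem image (how drivers are built) sitting inside a GUI application stands out. The sample blob and the header-only PE stubs are constructed for the demonstration; on a real file call find_embedded_pe on its bytes.

```python
import struct

# Subsystem values from the PE optional header (IMAGE_SUBSYSTEM_*).
SUBSYSTEMS = {1: "NATIVE (how kernel drivers are built)", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}


def find_embedded_pe(blob):
    """Return one dict per plausible PE image found anywhere in `blob`.
    Every "MZ" is validated: e_lfanew must land on a PE signature inside the blob,
    followed by a COFF header and an optional header with a known magic. Offset 0 is
    the container itself; later hits are embedded images (e.g. a driver resource)."""
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # COFF header is 20 bytes after the 4-byte signature; Subsystem sits at
            # offset 68 of the optional header for both PE32 and PE32+.
            if 0x40 <= e_lfanew < 0x1000 and pe + 24 + 70 <= len(blob) and blob[pe:pe + 4] == b"PE\0\0":
                machine, _, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", blob, pe + 4)
                magic = struct.unpack_from("<H", blob, pe + 24)[0]
                subsystem = struct.unpack_from("<H", blob, pe + 24 + 68)[0]
                if magic in (0x10B, 0x20B) and opt_size >= 70:
                    hits.append({"offset": pos, "machine": machine, "subsystem": subsystem,
                                 "subsystem_name": SUBSYSTEMS.get(subsystem, "other"),
                                 "characteristics": chars})
        pos = blob.find(b"MZ", pos + 1)
    return hits


def build_fake_pe(subsystem):
    """Constructed minimal PE image (headers only) used as sample input; not a real binary."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)          # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew -> PE signature right after it
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section, 32-bit exe
    opt = bytearray(224)                           # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)          # Magic = PE32
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def build_sample():
    """Constructed sample: a GUI exe carrying a NATIVE-subsystem image in its tail."""
    return build_fake_pe(2) + b"\0" * 64 + b"filler resource data" + build_fake_pe(1) + b"\0" * 16


def embedded_drivers(blob):
    """Offsets of embedded (non-container) images built with the NATIVE subsystem."""
    return [h["offset"] for h in find_embedded_pe(blob) if h["offset"] != 0 and h["subsystem"] == 1]


if __name__ == "__main__":
    for h in find_embedded_pe(build_sample()):
        print(f"PE at offset {h['offset']}: subsystem {h['subsystem_name']}")
```

A hit is only a lead: an embedded NATIVE image tells you the exe ships a driver, not whether that driver is malicious, which is what VirusTotal or the vendor's own documentation has to settle.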

psw

  • Guest
Re: Avast 4.8 and rootkit alert
« Reply #11 on: April 12, 2008, 08:55:38 PM »
I have the following question about the rootkit search at system start: is there some table of legit processes, or is any hidden process treated as a rootkit?
Today I obtained an info message about a rootkit found due to the hidden process markfun.w32.
Obviously it is a false positive because this is a quite legit process from Gigabyte EasyTune5 (I have ETCall in my startup).

BTW, I can not find any log record about this found "rootkit".
« Last Edit: April 12, 2008, 09:00:13 PM by psw »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Avast 4.8 and rootkit alert
« Reply #12 on: April 12, 2008, 10:17:22 PM »
If there is no log viewer entry then I would say that is a failing as it really should create an entry.

Quote from: psw on April 12, 2008, 08:43:06 PM
The driver is contained within the exe as a resource. It can be found by a manual scan of the file. It is a rather common practice now; many programs use it (filemon, regmon etc.).

It may well be a common practice for the driver to be within the exe, but if so it isn't being extracted to the system32 folder on my system. Just ran 11.12 and a search of windows and sub folders reveals no procexp*.sys; even procexp*.* reveals no file.

psw

  • Guest
Re: Avast 4.8 and rootkit alert
« Reply #13 on: April 12, 2008, 10:29:48 PM »
Quote from: psw on April 12, 2008, 08:43:06 PM
The driver is contained within the exe as a resource. It can be found by a manual scan of the file. It is a rather common practice now; many programs use it (filemon, regmon etc.).

Quote from: DavidR on April 12, 2008, 10:17:22 PM
It may well be a common practice for the driver to be within the exe, but if so it isn't being extracted to the system32 folder on my system. Just ran 11.12 and a search of windows and sub folders reveals no procexp*.sys; even procexp*.* reveals no file.

It is hidden (or possibly was deleted after being loaded successfully). I have an old version of Process Explorer which uses the older driver procexp100.sys. When Process Explorer is running I cannot find this driver in system32\drivers, but RootkitUnhooker claims that the driver H:\Windows\System32\drivers\PROCEXP100.SYS is loaded at address 0xBA622000 with size 8192.

P.S. IceSword doesn't find this driver on the disk, so it may really have been deleted. Probably we can use FileMon to detect creation/deletion of this driver.
« Last Edit: April 12, 2008, 10:39:36 PM by psw »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Avast 4.8 and rootkit alert
« Reply #14 on: April 12, 2008, 11:02:22 PM »
Very Interesting.

What I can't understand is why others who might be using procexp aren't having any detection, and if your supposition of it being deleted after loading is right, it would seem to be both hanging around on speedlever's system for it to be there on boot and, if hidden, avast's standard shield boot-time scan is seeing it (which is a good thing, not if it is a possible FP though).

Also it would appear that this might have been detected by the standard shield, given the choices speedlever gave in his reply #2.