Author Topic: Root kit says 'Process.exe' suspicious  (Read 34376 times)


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86142
  • No support PMs thanks
Re: Root kit says 'Process.exe' suspicious
« Reply #15 on: December 14, 2008, 01:55:12 AM »
Confusing yes, most certainly, but it is apparently running when the anti-rootkit scan takes place 8 minutes after boot.

I still don't know what starts this (as people have tried to find an entry in registry) or why it needs to start at all or why it would need to be hidden.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.11.2500 (build 21.11.6809.528) UI 1.0.683/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

fidmas

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #16 on: December 14, 2008, 02:17:24 PM »
Confusing yes, most certainly, but it is apparently running when the anti-rootkit scan takes place 8 minutes after boot.

I still don't know what starts this (as people have tried to find an entry in registry) or why it needs to start at all or why it would need to be hidden.

I even tried the "REG Query" command to find any entry hidden with the "Looooooong name" trick.  No "process.exe" anywhere.  If it's being started by the registry, it's not directly.  Has to be the registry starting something else that then starts "process.exe" and causes no errors if it's removed, as I did.  I wish I hadn't let avast destroy the original process.exe file, so I could make sure it still worked as advertised (or kept running).

I have accounted for everything in \Run and \RunOnce keys and non-MS services.  Whatever it is/was, it is/was hidden well!

/fidmas

Offline Maxx_original

  • Avast team
  • Super Poster
  • *
  • Posts: 1479
Re: Root kit says 'Process.exe' suspicious
« Reply #17 on: December 14, 2008, 02:26:44 PM »
we'll change this detection probably.. main group targeted by the algo comes from PUP greyzone, which we don't want to treat so roughly..

fidmas

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #18 on: December 14, 2008, 02:53:18 PM »
Just FYI, http://www.geocities.jp/kiskzo/regreveal.html finds nothing Hidden in the following keys:
-------
#
# sample input file for RegReveal
#
# Supports following keys:
#    HKEY_CLASSES_ROOT (HKCR)
#    HKEY_CURRENT_CONFIG (HKCC)
#    HKEY_CURRENT_USER (HKCU)
#    HKEY_LOCAL_MACHINE (HKLM)
#    HKEY_USERS (HKU)
#
# If key name includes spaces, it must be quoted.
#
# Options:
#    /r   scan recursively
#

# Known startups:
"HKCR\Folder\shellex\ColumnHandlers"
"HKCU\Software\Microsoft\Command Processor"
"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows"
"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /r
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /r
"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /r
"HKLM\Software\Microsoft\Active Setup\Installed Components" /r
"HKLM\Software\Microsoft\Command Processor"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /r
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" /r
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler"
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /r
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /r
"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" /r
"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"
"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"
"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
"HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
"HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute"
"HKLM\System\CurrentControlSet\Services"

# Others:
"HKCU\Software"
"HKLM\Software"
---------

/fidmas
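
The RegReveal input above is a list of autostart locations; the same list can be checked offline against saved `reg query ... /s` output. The following Python script is an added example for this thread, not RegReveal's own code: it parses constructed `reg query` output (no real machine's data), reports any value under a known autostart key whose data names a given binary, and separately flags value names over 255 characters, which is an assumption modelled on the classic Win32 registry name limit rather than a documented check.

```python
"""Scan saved `reg query` output for autostart entries that launch a given
binary. Added example for this thread, not RegReveal's own code: the sample
output below is constructed, and the long-name check is an assumption
(names over 255 characters, the classic Win32 registry name limit)."""
import re

# Autostart keys, a subset of the RegReveal input list posted above,
# spelled out with the full hive names as `reg query` prints them.
AUTOSTART_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options",
)

LONG_NAME_LIMIT = 255  # assumption, see module docstring

# `reg query <key> /s` prints each key path on its own unindented line,
# followed by indented "name    type    data" lines; blank lines separate keys.
VALUE_LINE = re.compile(
    r"^\s{2,}(?P<name>.+?)\s{2,}(?P<type>REG_\w+)(?:\s{2,}(?P<data>.*))?$")


def parse_reg_query(text):
    """Return (key, value_name, value_type, data) tuples from reg query text."""
    entries, key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line: a key path
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            entries.append((key, m["name"], m["type"], (m["data"] or "").strip()))
    return entries


def autostart_root(key):
    """The known autostart key this path lives under, or None."""
    k = key.lower()
    return next((root for root in AUTOSTART_KEYS if k.startswith(root.lower())), None)


def find_autostart_references(entries, binary_name):
    """Entries under an autostart key whose data mentions binary_name."""
    needle = binary_name.lower()
    return [(key, name, data) for key, name, _, data in entries
            if autostart_root(key) and needle in data.lower()]


def find_long_names(entries, limit=LONG_NAME_LIMIT):
    """Value names past the limit; worth a second look in any hive."""
    return [(key, name) for key, name, _, _ in entries if len(name) > limit]


# Constructed sample of `reg query ... /s` output (not from any real machine).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    avast!    REG_SZ    "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
    Updater    REG_SZ    C:\WINDOWS\system32\updater.exe /silent

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\process.exe -k

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
""" + "    " + "x" * 300 + r"    REG_SZ    C:\WINDOWS\system32\process.exe" + "\n"


if __name__ == "__main__":
    found = parse_reg_query(SAMPLE_REG_QUERY)
    for key, name, data in find_autostart_references(found, "process.exe"):
        print(f"autostart reference: {key} -> {name} = {data}")
    for key, name in find_long_names(found):
        print(f"suspiciously long value name ({len(name)} chars) under {key}")
```

To use it on a real box, dump each key with `reg query "<key>" /s > out.txt` and feed the file's text to `parse_reg_query`; the match is a plain substring test on the value data, so a binary started indirectly through another launcher will only be found if that launcher's command line names it.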

Avaster

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #19 on: December 14, 2008, 04:12:47 PM »
That Process.exe is not a running process and it doesn't start by itself. That's pretty sure. It's a command line utility. Sure the name is suspicious, though.
« Last Edit: December 14, 2008, 04:18:40 PM by Avaster »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86142
  • No support PMs thanks
Re: Root kit says 'Process.exe' suspicious
« Reply #20 on: December 14, 2008, 04:21:53 PM »
Then how can you explain how avast detects it as a running process? It does two checks: what is reported by Windows as running and what is actually running, i.e. hidden?

How do you know it isn't running?
How did you check?
What tools have you tried to find what is running (remembering it is a hidden process)?

Avaster

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #21 on: December 14, 2008, 04:29:59 PM »
Then how can you explain how avast detects it as a running process? It does two checks: what is reported by Windows as running and what is actually running, i.e. hidden?

How do you know it isn't running?
How did you check?
What tools have you tried to find what is running (remembering it is a hidden process)?
Why should it even run? There's no purpose for it to run. I checked with various process (running programs) programs and none of them showed this process.exe. Or maybe we are infected by some other process.exe that's completely hidden??

The file i'm talking about here is this: http://www.beyondlogic.org/consulting/processutil/processutil.htm
« Last Edit: December 14, 2008, 04:34:35 PM by Avaster »

fidmas

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #22 on: December 14, 2008, 04:37:37 PM »
Then how can you explain how avast detects it as a running process? It does two checks: what is reported by Windows as running and what is actually running, i.e. hidden?

How do you know it isn't running?
How did you check?
What tools have you tried to find what is running (remembering it is a hidden process)?
Why should it even run? There's no purpose for it to run. I checked with various process (running programs) programs and none of them showed this process.exe. Or maybe we are infected by some other process.exe that's completely hidden??

Before I let avast write in it, I checked the size.  It was the same as the one we're talking about.  But I regret not copying it to a VPC to play with first, so I'm not 100% sure.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86142
  • No support PMs thanks
Re: Root kit says 'Process.exe' suspicious
« Reply #23 on: December 14, 2008, 05:48:59 PM »
<snip>
Why should it even run? There's no purpose for it to run. I checked with various process (running programs) programs and none of them showed this process.exe. Or maybe we are infected by some other process.exe that's completely hidden??

The file i'm talking about here is this: http://www.beyondlogic.org/consulting/processutil/processutil.htm
Exactly, why and how but something is running.
The programs you are checking with use the windows APIs, etc. to show what is running and that is precisely what they hide from.

The size is immaterial, as it is the purpose of process.exe that could be being used (a Google search will show many applications use it), so no need to modify it, just use it via command line, etc., but it would have to be running to do that. So it isn't really the file but the purpose it might be being put to (good or evil, benign or malevolent) that really is the true issue.

To date we haven't found out exactly what placed it in the system32 folder, or why it is running, or why it is hidden; everything so far is speculative (it might be this, I don't think it looks bad, etc. etc.), we simply don't know other than what Maxx said.

we'll change this detection probably.. main group targeted by the algo comes from PUP greyzone, which we don't want to treat so roughly..

@ Maxx_original
So if this is correct, and I have little reason to doubt it, we are getting nearer to a possible resolution. Which begs the question on this PUP (Potentially Unwanted Program) greyzone: what does it do (didn't find anything on various searches) and how would it get on the systems of those reporting this detection?

I would also consider if this really is a PUP should we not be adding a signature to the VPS to detect and report the controlling application ?
Would the likes of HiJackThis show greyzone?
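
The two checks DavidR describes (what Windows reports as running versus what is actually running) amount to a cross-view comparison: anything an independent enumeration sees that the normal API view omits is a candidate hidden process. The Python below is an added illustration of that comparison, not avast's code and not from this thread. The process snapshots are constructed, and the rule that a PID must be missing from the API view in consecutive snapshots before it is reported (so that a process which simply exits between the two enumerations is not mistaken for a hidden one) is an assumption, not a description of avast's algorithm.

```python
"""Cross-view detection of hidden processes: one process list from the normal
API view and one from an independent enumeration; whatever only the second
view reports is treated as hidden. Added example, not avast's code. The
snapshots are constructed and the persistence rule is an assumption."""


def hidden_in_snapshot(api_view, raw_view):
    """PIDs that the independent view reports but the API view omits."""
    return {pid: name for pid, name in raw_view.items() if pid not in api_view}


def persistent_hidden(snapshots, min_consecutive=2):
    """PIDs hidden in at least `min_consecutive` consecutive snapshots.

    Each snapshot is an (api_view, raw_view) pair of {pid: image_name}.
    A process that exits between the two enumerations of one snapshot
    shows up as hidden once and is then dropped; a PID reused by a
    different image restarts its count.
    """
    streak = {}      # pid -> (image_name, consecutive hidden count)
    flagged = {}
    for api_view, raw_view in snapshots:
        hidden = hidden_in_snapshot(api_view, raw_view)
        # Drop streaks for PIDs that are visible again or now carry another image.
        for pid in list(streak):
            if pid not in hidden or hidden[pid] != streak[pid][0]:
                del streak[pid]
        for pid, name in hidden.items():
            count = streak.get(pid, (name, 0))[1] + 1
            streak[pid] = (name, count)
            if count >= min_consecutive:
                flagged[pid] = name
    return flagged


# Constructed snapshots (not real process lists): pid 3050 is a short-lived
# cmd.exe that exited between the two enumerations of snapshot 1, so it
# appears hidden exactly once; pid 3001 is missing from the API view every
# time, which is what an anti-rootkit scan would report.
SNAPSHOTS = [
    ({4: "System", 1234: "explorer.exe", 1500: "svchost.exe"},
     {4: "System", 1234: "explorer.exe", 1500: "svchost.exe",
      3001: "process.exe", 3050: "cmd.exe"}),
    ({4: "System", 1234: "explorer.exe", 1500: "svchost.exe"},
     {4: "System", 1234: "explorer.exe", 1500: "svchost.exe",
      3001: "process.exe"}),
    ({4: "System", 1234: "explorer.exe", 1500: "svchost.exe", 3050: "notepad.exe"},
     {4: "System", 1234: "explorer.exe", 1500: "svchost.exe",
      3001: "process.exe", 3050: "notepad.exe"}),
]


if __name__ == "__main__":
    for pid, name in sorted(persistent_hidden(SNAPSHOTS).items()):
        print(f"hidden process: pid {pid} ({name})")
```

The persistence rule is the trade-off worth noting: requiring two consecutive snapshots removes the false positives from transient command-line tools, but a rootkit that only hides a process intermittently would slip through, which is why real scanners also compare other views (kernel object lists, handle tables) rather than only repeating the same pair.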

fidmas

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #24 on: December 14, 2008, 06:09:04 PM »
... but it would have to be running to do that. So it isn't really the file but the purpose it might be being put to (good or evil, benign or malevolent) that really is the true issue.

But *this* command-line program never does anything for a long enough time to detect.  That's why I wished I verified what it actually did to a VPC I could restore easily.

Dave_MK

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #25 on: December 14, 2008, 06:21:17 PM »
I'm a newbie here and not that tech savvy to run a VPC.  I've had the same experience as everyone else.  My first avast alert regarding process.exe was yesterday, and since renaming the process.exe in my system32 directory I have had no further alerts.  I understand that the issue is more likely what the file is being used for (even if not modified from its original, and why it is in the system32 directory at all), but I can send my process.exe file for someone else to play with, if it would be of any help. I did not allow avast to delete or overwrite the file, so except for renaming, the file is intact.  I know this forum does not allow upload of executables directly with a post.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86142
  • No support PMs thanks
Re: Root kit says 'Process.exe' suspicious
« Reply #26 on: December 14, 2008, 06:26:55 PM »
... but it would have to be running to do that. So it isn't really the file but the purpose it might be being put to (good or evil, benign or malevolent) that really is the true issue.

But *this* command-line program never does anything for a long enough time to detect.  That's why I wished I verified what it actually did to a VPC I could restore easily.


Which is what I have been banging on about: we don't know that it has anything to do with this command line application, that hasn't been established; the only thing that has been established is that the file has the same name and the same size.

Whatever it is associated with, it 'is' running and hidden at 8 minutes after boot or avast's anti-rootkit scan wouldn't find it. So why it is running (and hidden) is the question, and the Command Line Process Viewer/Killer/Suspender, being a run-on-demand application, would appear to have nothing to do with why process.exe is running.

Your selective quote doesn't show Maxx's comment that it is believed that this is to do with a PUP called greyzone ???

fidmas

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #27 on: December 14, 2008, 07:00:01 PM »
Whatever it is associated with, it 'is' running and hidden at 8 minutes after boot or avast's anti-rootkit scan wouldn't find it. So why it is running (and hidden) is the question, and the Command Line Process Viewer/Killer/Suspender, being a run-on-demand application, would appear to have nothing to do with why process.exe is running.

I agree.  So why did avast point directly at System32\process.exe?  I'm not disputing anyone.  I'm just confused.  Would it help if I got the file back from Dave_MK and verified its functionality on an XP VPC, or are we past that point?
Quote
Your selective quote doesn't show Maxx's comment that it is believed that this if to do with a PUP called greyzone ???

Sorry.  I missed that the first time. :-o

Rick F

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #28 on: December 14, 2008, 07:30:07 PM »
Update...

Yesterday I posted that I renamed 'Process.exe' to 'Process.xxx' in the \Windows\System32 folder.  Well, when I rebooted the PC today I checked the 'System32' folder.  Oh oh! - there was another file called 'Process.exe'.  It has the same date and size as the one I renamed to 'Process.xxx'.  It's dated 6/5/2003 and 52K in size.  So there's something somewhere making or remaking this file at every bootup.  Then the avast rootkit scan (8 mins after boot) sounded the alarm again.  This time I clicked 'delete' and submit to Alwil for analysis. BUT... the file 'Process.exe' was still there! Still the same size, so I don't think avast is actually deleting it even when told to. I deleted it manually with Windows Explorer. Probably won't matter, because as soon as I reboot I'm pretty sure the file will show up again.

So I think David is right.  There's something going on here. It's a hidden process (task mgr doesn't show it) and we can't find it in the registry.  It doesn't show up in any of the startups that Windows controls.

I'm going to look back through an archive of files I have from about a year ago when I used Acronis for backup.  If the file is legit - and dated 2003 - it should be in this archive.  I'll post back any results.

Avaster

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #29 on: December 14, 2008, 07:41:54 PM »
Rick F: Do you have Smitfraud and have you used it lately? I deleted my Smitfraud folder and that process.exe yesterday, and it's now gone for good.