Author Topic: Root kit says 'Process.exe' suspicious  (Read 37521 times)

0 Members and 1 Guest are viewing this topic.

Rick F

  • Guest
Root kit says 'Process.exe' suspicious
« on: December 13, 2008, 04:35:05 PM »
Hi guys,

I hope this is a false positive.  During a Rootkit scan (about 8 minutes after I booted my PC this morning) avast says that 'Process.exe' is believed to be infected. 

File name: C:\Windows\System 32\Process.exe
Type: Rootkit hidden process

Means of detection was 'rootkit scan' using heuristic method. The recommended action was to 'Ignore'.  I clicked 'ignore', left a box checked to 'submit to Alwil team for analysis' (not sure this actually occurred), then did the recommended 'Boot time scan'.  After about 20 or 30 minutes, Boot scan says nothing found. (aswboot.text below)

Quote
12/13/2008 09:48
Scan of all local drives

Number of searched folders: 4371
Number of tested files: 45182
Number of infected files: 0

I have avast 4.8.1296 with Vps 081212-0 (latest).

While typing this, Rootkit scan detected the same file again.  I clicked ignore.  I checked the file (process.exe) and it's dated 6/5/2003 and is 52K in size.

See image below for Rootkit alert:
« Last Edit: December 13, 2008, 04:37:46 PM by Rick F »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88898
  • No support PMs thanks
Re: Root kit says 'Process.exe' suspicious
« Reply #1 on: December 13, 2008, 05:38:29 PM »
A forum search would have found this, http://forum.avast.com/index.php?topic=38236.0.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Maxx_original

  • Avast team
  • Super Poster
  • *
  • Posts: 1479
Re: Root kit says 'Process.exe' suspicious
« Reply #2 on: December 13, 2008, 05:56:28 PM »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88898
  • No support PMs thanks
Re: Root kit says 'Process.exe' suspicious
« Reply #3 on: December 13, 2008, 06:05:10 PM »
Well that one is related to one in the %Windows% folder, but there are plenty of google hits that are in the system32 folder and are less than desirable.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Rick F

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #4 on: December 13, 2008, 08:00:18 PM »
Sorry David.  I had posted the following response in the wrong thread.  This time I'll post a URL of VirusTotal instead of the partial image.
___________

I think this is a false positive.  I uploaded it to VirusTotal for analysis, and some report as undesireable program (avast says nothing though  :-\ ).  Looks like it's part of SmitFraud fix.  NOD32 calls it, "Win32/PrcView".

Just not sure why the date of the file is 2003.  I downloaded Smitfraud fix in the past year... but maybe just a module of SmitFraud that didn't need to be updated.

VirusTotal URL of scan results.

www.virustotal.com/analisis/45ae254a2480c11c94612429f90b4046

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88898
  • No support PMs thanks
Re: Root kit says 'Process.exe' suspicious
« Reply #5 on: December 13, 2008, 08:19:19 PM »
Sorry but when your talking about a possible rootkit, looks, just doesn't cut it, 100% certainty is what is required or as close as makes no difference.

Smitfraud is a tool and could just as easily have components used for malicious purposes, the fact that as far as I'm aware smitfraud doesn't install anything in the system32 folder makes me less than certain this is anything to do with smitfraud.

And the obvious point everyone seems to be ignoring smitfraud doesn't run on boot so why would something supposedly (as far as you and others think) be running, hidden on every boot.

There could quite possibly be an innocent explanation for this (but smitfraud isn't it) and that is what needs to be found. So google process.exe and find what other programs use this file name and do you have that installed. Obviously sending it to avast when detected is advisable as it certainly needs much further analysis.

It isn't being detected by the normal avast detection signatures (why it isn't in the VT results) but by the heuristic scanning of the anti-rootkit scan.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Rick F

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #6 on: December 13, 2008, 09:09:36 PM »
Just so I'm sure David,

If the Rootkit scan detects something it means the process is actually active at that time?  You're right, SmitfraudFix was not running when avast popped up with the alert.

What I did for now is rename the file, 'Process.exe' to 'Process.xxx' so it won't run.  Then... I ran smitfraudfix.  The program still runs fine.  But... if I understand correctly, the file 'Process.exe' only runs if it needs to stop a suspicious process.  Since Smitfraudfix finds nothing, it may not need it.  But... there is a file 'Process.exe' in the 'Smitfraud folder' which may be the correct one.  Not sure.

At my next boot and if avast finds another file as suspect, should I delete it then?  The recommended action was to 'ignore'.

Thanks.

________

<< edit >>

Had a thought...

I use LiveState Recovery to backup my HDD each week and keep 3 weeks worth of backups (complete image of my 'C' drive). I looked in my backup images 3 weeks ago and see that the file, 'Process.exe' was there on Nov 29, 2008.  So this file has been there awhile... not new.
« Last Edit: December 13, 2008, 10:05:55 PM by Rick F »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88898
  • No support PMs thanks
Re: Root kit says 'Process.exe' suspicious
« Reply #7 on: December 13, 2008, 10:16:59 PM »
I would still follow the recommended action, if avast was more certain of the heuristic detection it would I'm sure recommend deletion.

Having run smitfraud again if it was responsible for the file in the system32 folder then I would have expected it to replace the missing (renamed) file, since it didn't that makes me feel more confident that it isn't actually a part of smitfaud, but something else. That is why I suggested checking out google hits for other applications that use process.exe.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

fidmas

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #8 on: December 13, 2008, 10:38:34 PM »
For what it's worth, I found the same thing yesterday.  Went through the same boot scan and found nothing.  avast! found it again after reboot, so I answered "Delete, but not befor checking the size.  It is from: http://www.beyondlogic.org/consulting/processutil/processutil.htm

It still was left there, but when I looked inside, avast had written in it, making it non-runable.  I know this because I tried to run it on a VPC.  Since I could no longer prove anything, I blew it away.

My problem is I never ran smitfraudfix or anything like it.  So, I have no idea how it got there!  There were no registry entries to run it, so I'm puzzled.

/fidmas

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88898
  • No support PMs thanks
Re: Root kit says 'Process.exe' suspicious
« Reply #9 on: December 13, 2008, 10:49:11 PM »
It isn't a problem as I have been saying all along this isn't a part of smitfraud and is just a coincidence that smitfraud also uses this tool/file.

The problem with tools like this is their function can be for good or bad, and there may be many different tools that would use this file, the difficult part is what application put it in the system32 folder and why is it running hidden on every boot.
A registry search for process.exe, a hidden process might also have its registry entry hidden as you haven't been able to find a registry entry responsible for running it.

So I'm not entirely sure what else can be done to pin down why it is there or running.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

fidmas

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #10 on: December 13, 2008, 11:08:14 PM »
Yeah.  Beats me.  Anyway it's gone now, and I see no problems or anything in the Event Logs.

Are we *sure* it had to be running to be found?

fidmas
--

Avaster

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #11 on: December 13, 2008, 11:15:21 PM »
My system32\process.exe was sure created by Smitfraud. I checked the creation date of that system32\process.exe, and then did a Windows search to find files created on that same date. All files that came up, were smitfraud files. There were 4 files in that Smitfraud folder, that were also in system32 directory. So smitfraud has copied those files to system32 few minutes after the Smitfraud folder was created - so i guess after i ran Smitfraud. They were same files, no doubt about it.

I removed all those Smitfraud files, even though there wasn't any real need for it.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88898
  • No support PMs thanks
Re: Root kit says 'Process.exe' suspicious
« Reply #12 on: December 14, 2008, 12:36:58 AM »
Yeah.  Beats me.  Anyway it's gone now, and I see no problems or anything in the Event Logs.

Are we *sure* it had to be running to be found?

As sure as we can be as we can't use any normal windows tools as that is what it is hidden from.

The avast anti-rootkit scan makes two lists to compare, what the windows APIs, etc. say is running against a raw check on what is actually running, that is how rootkits are generally found, though there is no real information other than this is a hidden process as in the imahe posted by Rick F.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88898
  • No support PMs thanks
Re: Root kit says 'Process.exe' suspicious
« Reply #13 on: December 14, 2008, 12:42:25 AM »
My system32\process.exe was sure created by Smitfraud. I checked the creation date of that system32\process.exe, and then did a Windows search to find files created on that same date. All files that came up, were smitfraud files. There were 4 files in that Smitfraud folder, that were also in system32 directory. So smitfraud has copied those files to system32 few minutes after the Smitfraud folder was created - so i guess after i ran Smitfraud. They were same files, no doubt about it.

I removed all those Smitfraud files, even though there wasn't any real need for it.

That is all well and good, however it doesn't account for why it would be a) running all the time and b) a hidden process. It also doesn't account for if the file in the system32 folder is renamed or removed and you run smitfraud again the missing/renamed file isn't replaced.

So having removed the smitfraud folder, if you rename the system32 file and recreate the creation of the smitfraud folder see if it is replaced. Run smitfraud and see if it is replaced.

So there is very much more to this than meets the eye.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

fidmas

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #14 on: December 14, 2008, 01:32:16 AM »
Yeah.  Beats me.  Anyway it's gone now, and I see no problems or anything in the Event Logs.

Are we *sure* it had to be running to be found?

As sure as we can be as we can't use any normal windows tools as that is what it is hidden from.

The avast anti-rootkit scan makes two lists to compare, what the windows APIs, etc. say is running against a raw check on what is actually running, that is how rootkits are generally found, though there is no real information other than this is a hidden process as in the imahe posted by Rick F.

Confusing as all hell, since this "process.exe" just acts on a command line and never stays running very long. :-/