Author Topic: Root kit says 'Process.exe' suspicious  (Read 37522 times)


Rick F

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #30 on: December 14, 2008, 07:42:21 PM »
I checked my archive of files from May, 2007 and the file 'Process.exe' does not exist.  Not sure exactly what that proves.

Rick F

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #31 on: December 14, 2008, 07:44:55 PM »
Rick F: Do you have Smitfraud and have you used it lately? I deleted my Smitfraud folder and that process.exe yesterday, and it's now gone for good.

Yes I do. AND, I did run SmitfraudFix after renaming that file yesterday to see if it would still run with that file renamed.  Maybe SmitfraudFix is rewriting that file there?  I'll run SmitfraudFix again and see if the file shows up.  If it doesn't, I'll consider deleting the whole thing.

Thanks.
« Last Edit: December 14, 2008, 09:41:26 PM by Rick F »

Avaster

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #32 on: December 14, 2008, 07:45:53 PM »
Rick F: Do you have Smitfraud and have you used it lately? I deleted my Smitfraud folder and that process.exe yesterday, and it's now gone for good.

Yes I do. AND, I did run Smitfraud after renaming that file yesterday.  Maybe Smitfraud is rewriting that file there?  I'll run SmitfraudFix again and see if the file shows up.

Thanks.
Yes, Smitfraud will copy that file to system32 folder! Same file is in Smitfraud folder too.

Rick F

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #33 on: December 14, 2008, 07:49:08 PM »
Avastar,

You're right!!  SmitfraudFix is rewriting that file in the System32 folder.  Just launching SmitfraudFix (not actually running it) causes that file to be rewritten.  I'll do an 'uninstall' then delete the whole Smitfraud folder to be sure.  I'd want the latest tool if I ever needed it anyway.

Thanks.  Hope this is the end of it.


fidmas

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #34 on: December 14, 2008, 07:50:30 PM »
boot) sounded the alarm again.  This time I clicked 'delete' and submit to Alwil for analysis. BUT... the file 'Process.exe' was still there! Still the same size so I don't think Avast is actually deleting it even when told to. I deleted it manually with Windows explorer. Probably won't matter because as soon as I reboot I'm pretty sure the file will show up again.

I haven't seen it come back yet, but I can tell you avast didn't delete mine either.  It just wrote in it to make it non-runnable.  If you look at the file with a hex file editor, you'll see an ASCII blurb something about "...disabled by avast..." or something like that.  I don't remember the exact wording.

fidmas
--

Avaster

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #35 on: December 14, 2008, 07:51:39 PM »
Avastar,

You're right!!  SmitfraudFix is rewriting that file in the System32 folder.  Just launching SmitfraudFix (not actually running it) causes that file to be rewritten.  I'll do an 'uninstall' then delete the whole Smitfraud folder to be sure.  I'd want the latest tool if I ever needed it anyway.

Thanks.  Hope this is the end of it.


This is what I have been saying here "all the time". It's a Smitfraud file.

Actually Smitfraud copies 4 files to system32 folder. All those files are in Smitfraud main folder too.

« Last Edit: December 14, 2008, 07:53:45 PM by Avaster »

Dave_MK

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #36 on: December 14, 2008, 08:04:59 PM »
Avastar,

You're right!!  SmitfraudFix is rewriting that file in the System32 folder.  Just launching SmitfraudFix (not actually running it) causes that file to be rewritten.  I'll do an 'uninstall' then delete the whole Smitfraud folder to be sure.  I'd want the latest tool if I ever needed it anyway.

Thanks.  Hope this is the end of it.


This is what I have been saying here "all the time". It's a Smitfraud file.

Actually Smitfraud copies 4 files to system32 folder. All those files are in Smitfraud main folder too.



Yes, and I have rebooted multiple times since I renamed the process.exe file in my WinXP system32 folder and deleted the entire smitfraudfix folder on the drive yesterday.  So far, I've had no recurrence of process.exe anywhere on the drive.

Rick F

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #37 on: December 14, 2008, 08:06:43 PM »
Avastar,

I would prefer to 'uninstall' Smitfraud rather than just delete the files and folders.  I don't see that as a possibility though.  Control panel doesn't offer that under 'add remove programs' nor is there an uninstall in the Smitfraud folder. Did you just delete the files and folder?

Also...

I wonder... since 'process.exe' was running HIDDEN, is/was Smitfraud fix ever a good program???  Maybe there's something underlying that we didn't know about.

Or... I'm a bit paranoid  ::)

Avaster

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #38 on: December 14, 2008, 08:09:33 PM »
Avastar,

I would prefer to 'uninstall' Smitfraud rather than just delete the files and folders.  I don't see that as a possibility though.  Control panel doesn't offer that under 'add remove programs' nor is there an uninstall in the Smitfraud folder. Did you just delete the files and folder?

Also...

I wonder... since 'process.exe' was running HIDDEN, is/was Smitfraud fix ever a good program???  Maybe there's something underlying that we didn't know about.

Or... I'm a bit paranoid  ::)
I would prefer it too, but there wasn't any uninstall option. I think Smitfraud was just extract and run.

Was it really running hidden?  Maybe we are relieving smitfraud conspiracy here...
« Last Edit: December 14, 2008, 08:18:36 PM by Avaster »

fidmas

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #39 on: December 14, 2008, 08:10:18 PM »
I'm lost.  What is this Smitfraud folder people have installed?  I thought that was http://en.wikipedia.org/wiki/Spyware_Quake that I cured, on a neighbor's system last year.

This box has never seen any signs of it.


Avaster

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #40 on: December 14, 2008, 08:12:20 PM »
I'm lost.  What is this Smitfraud folder people have installed?


It's SmitfraudFix folder. Program that removes smitfraud virus.

Rick F

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #41 on: December 14, 2008, 08:15:25 PM »
Quote
Was it really running hidden?

Well, avast says it was a 'hidden process' from the alert I saw (image posted at beginning of thread).

I don't know a lot about rootkits -- except that they are very bad and can be hard to get rid of.  If David's explanation of how avast compares what is actually running to what Windows says is running is right, then sounds to me like somehow this process was running.

I'm going to make a list of the files in 'SmitfraudFix' folder with size & dates and then delete... or rename those files that happen to show up in the "System32" folder.

Thanks to everyone for their help. This forum is one of the best things about avast... users helping users.  Not to mention that the developers or programmers step in here as well when needed.

I'll post back if it "rears its ugly head" again.  :o ::)
« Last Edit: December 14, 2008, 09:46:01 PM by Rick F »
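The inventory Rick F describes (list the files in the SmitfraudFix folder with size and date, then see which of them also sit in System32) can be done in one pass. This is an added example, not anything posted in the thread; it only reports, deletes nothing, and assumes the tool was extracted to C:\SmitfraudFix (adjust $ToolDir) and that PowerShell 4 or later is available for Get-FileHash.

```powershell
# Added example (not from the thread). Compares every file in a tool's extracted
# folder against System32 by name, size and SHA-256, so a copy the tool dropped
# there can be told apart from an unrelated file with the same name.
# $ToolDir is an assumption; point it at your own SmitfraudFix folder.
param(
    [string]$ToolDir   = 'C:\SmitfraudFix',
    [string]$SystemDir = "$env:SystemRoot\System32"
)

function Compare-ToolCopies {
    param([string]$ToolDir, [string]$SystemDir)

    # -Force includes hidden files, which matters because the thread's
    # process.exe was reported as hidden.
    Get-ChildItem -Path $ToolDir -File -Recurse -Force | ForEach-Object {
        $toolFile = $_
        $sysPath  = Join-Path $SystemDir $toolFile.Name
        $record = [ordered]@{
            Name       = $toolFile.Name
            ToolSize   = $toolFile.Length
            ToolDate   = $toolFile.LastWriteTime
            InSystem32 = Test-Path -LiteralPath $sysPath
            SizeMatch  = $null
            HashMatch  = $null
        }
        if ($record.InSystem32) {
            $sysFile = Get-Item -LiteralPath $sysPath -Force
            $record.SizeMatch = ($sysFile.Length -eq $toolFile.Length)
            # Equal size alone proves nothing: the thread notes avast overwrites
            # part of a neutralised file in place, which keeps the size but
            # changes the content, so the hash is what settles it.
            $toolHash = (Get-FileHash -LiteralPath $toolFile.FullName -Algorithm SHA256).Hash
            $sysHash  = (Get-FileHash -LiteralPath $sysPath -Algorithm SHA256).Hash
            $record.HashMatch = ($toolHash -eq $sysHash)
        }
        [pscustomobject]$record
    }
}

Compare-ToolCopies -ToolDir $ToolDir -SystemDir $SystemDir |
    Sort-Object InSystem32 -Descending |
    Format-Table -AutoSize
```

Rows with InSystem32 and HashMatch both true are byte-identical copies of the tool's own files; a row with SizeMatch true but HashMatch false is the "same size, altered content" case fidmas describes.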

Avaster

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #42 on: December 14, 2008, 08:15:58 PM »
Avastar,

I would prefer to 'uninstall' Smitfraud rather than just delete the files and folders.  I don't see that as a possibility though.  Control panel doesn't offer that under 'add remove programs' nor is there an uninstall in the Smitfraud folder. Did you just delete the files and folder?

Also...

I wonder... since 'process.exe' was running HIDDEN, is/was Smitfraud fix ever a good program???  Maybe there's something underlying that we didn't know about.

Or... I'm a bit paranoid  ::)
I would prefer it too, but there wasn't any uninstall option. I think Smitfraud was just extract and run.

Was it really running hidden? Maybe we are relieving smitfraud conspiracy here...
This message can be deleted.
« Last Edit: December 14, 2008, 08:18:14 PM by Avaster »

Offline Maxx_original

  • Avast team
  • Super Poster
  • *
  • Posts: 1479
Re: Root kit says 'Process.exe' suspicious
« Reply #43 on: December 14, 2008, 08:20:19 PM »
DavidR: in this case greyzone meant apps, which are not absolutely clean (white) or absolutely bad (black)... Avira e.g. detects these files as PUP (they could be abused by some bad handler)... we have the ability to tune up the behavioral detections in the antirootkit module to detect more or less files/processes etc, it is scalable and we can make some little changes to ignore these PUPs... let's see, we must discuss it internally..

fidmas

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #44 on: December 14, 2008, 08:22:11 PM »
I'm lost.  What is this Smitfraud folder people have installed?


It's SmitfraudFix folder. Program that removes smitfraud virus.

Ok.  Thanks.  I never used it.  At least not on this box.  So I still have no idea where Process.exe came from, or why (or how) it could be running 8 minutes after bootup.  The only thing that got installed in the last couple of days was DvdX and it got removed shortly after not doing what I needed.