Author Topic: Root kit says 'Process.exe' suspicious  (Read 37513 times)


Avaster

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #45 on: December 14, 2008, 08:26:08 PM »
> I'm lost.  What is this Smitfraud folder people have installed?
>
> It's the SmitfraudFix folder, a program that removes the smitfraud virus.
>
> Ok.  Thanks.  I never used it.  At least not on this box.  So I still have no idea where Process.exe came from, or why (or how) it could be running 8 minutes after bootup.  The only thing that got installed in the last couple of days was DvdX and it got removed shortly after not doing what I needed.

Check the date on that process.exe, if you still have it, and then search for files created on that same date. Maybe you will find something.

fidmas

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #46 on: December 14, 2008, 08:33:12 PM »
> I'm lost.  What is this Smitfraud folder people have installed?
>
> It's the SmitfraudFix folder, a program that removes the smitfraud virus.
>
> Ok.  Thanks.  I never used it.  At least not on this box.  So I still have no idea where Process.exe came from, or why (or how) it could be running 8 minutes after bootup.  The only thing that got installed in the last couple of days was DvdX and it got removed shortly after not doing what I needed.
>
> Check the date on that process.exe, if you still have it, and then search for files created on that same date. Maybe you will find something.

It's gone. :-(  But before I blew it, the date was June something.  Too far back to track, even if it was a valid date.

Avaster

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #47 on: December 14, 2008, 08:39:24 PM »
> I'm lost.  What is this Smitfraud folder people have installed?
>
> It's the SmitfraudFix folder, a program that removes the smitfraud virus.
>
> Ok.  Thanks.  I never used it.  At least not on this box.  So I still have no idea where Process.exe came from, or why (or how) it could be running 8 minutes after bootup.  The only thing that got installed in the last couple of days was DvdX and it got removed shortly after not doing what I needed.
>
> Check the date on that process.exe, if you still have it, and then search for files created on that same date. Maybe you will find something.
>
> It's gone. :-(  But before I blew it, the date was June something.  Too far back to track, even if it was a valid date.

You need the exact date and then use Windows Search to search by date.

It's very possible that it came with some program you have downloaded.
« Last Edit: December 14, 2008, 08:41:31 PM by Avaster »

Rick F

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #48 on: December 14, 2008, 08:41:51 PM »
BTW, there are more than 4 files of SmitfraudFix duplicated in the System32 folder on my machine.  I opened the SmitfraudFix folder alongside the System32 folder and looked at them side by side and compared file name, size and creation date.  There are 12 such files in my System32 folder.  Not sure everyone's will be the same.  May depend on the actual date you installed SmitfraudFix.

If anyone wants or needs the list post here and I'll share it.

Avaster

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #49 on: December 14, 2008, 08:46:07 PM »
> BTW, there are more than 4 files of SmitfraudFix duplicated in the System32 folder on my machine.  I opened the SmitfraudFix folder alongside the System32 folder and looked at them side by side and compared file name, size and creation date.  There are 12 such files in my System32 folder.  Not sure everyone's will be the same.  May depend on the actual date you installed SmitfraudFix.
>
> If anyone wants or needs the list post here and I'll share it.

Well, that might be possible, but I think there were 4 .exe files? Am I right?

fidmas

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #50 on: December 14, 2008, 08:49:05 PM »
> I'm lost.  What is this Smitfraud folder people have installed?
>
> It's the SmitfraudFix folder, a program that removes the smitfraud virus.
>
> Ok.  Thanks.  I never used it.  At least not on this box.  So I still have no idea where Process.exe came from, or why (or how) it could be running 8 minutes after bootup.  The only thing that got installed in the last couple of days was DvdX and it got removed shortly after not doing what I needed.
>
> Check the date on that process.exe, if you still have it, and then search for files created on that same date. Maybe you will find something.
>
> It's gone. :-(  But before I blew it, the date was June something.  Too far back to track, even if it was a valid date.
>
> You need the exact date and then use Windows Search to search by date.
>
> It's very possible that it came with some program you have downloaded.

Sure....  I wonder why avast waited until now, then, to gripe......... /-|

Avaster

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #51 on: December 14, 2008, 08:52:28 PM »
> I'm lost.  What is this Smitfraud folder people have installed?
>
> It's the SmitfraudFix folder, a program that removes the smitfraud virus.
>
> Ok.  Thanks.  I never used it.  At least not on this box.  So I still have no idea where Process.exe came from, or why (or how) it could be running 8 minutes after bootup.  The only thing that got installed in the last couple of days was DvdX and it got removed shortly after not doing what I needed.
>
> Check the date on that process.exe, if you still have it, and then search for files created on that same date. Maybe you will find something.
>
> It's gone. :-(  But before I blew it, the date was June something.  Too far back to track, even if it was a valid date.
>
> You need the exact date and then use Windows Search to search by date.
>
> It's very possible that it came with some program you have downloaded.
>
> Sure....  I wonder why avast waited until now, then, to gripe......... /-|

Most likely because of a new AR database update.

Rick F

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #52 on: December 14, 2008, 08:56:41 PM »
> BTW, there are more than 4 files of SmitfraudFix duplicated in the System32 folder on my machine.  I opened the SmitfraudFix folder alongside the System32 folder and looked at them side by side and compared file name, size and creation date.  There are 12 such files in my System32 folder.  Not sure everyone's will be the same.  May depend on the actual date you installed SmitfraudFix.
>
> If anyone wants or needs the list post here and I'll share it.
>
> Well, that might be possible, but I think there were 4 .exe files? Am I right?

No, all 12 of these are exe files with the exact same size and creation date as the files in the SmitfraudFix folder.  I haven't deleted (or renamed) any of these as yet.  Still trying to decide the best thing to do. I just rebooted to see if I get any rootkit alarms again.  There is no 'Process.exe' file present in the Sys32 folder.  It's been 10 mins now and no alarm as yet.

I'm still thinking that avast rootkit is detecting the presence of 'Process.exe' because it was there and matched a signature through heuristics.   I'm still confused on the 'hidden process' running.

Dave_MK

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #53 on: December 14, 2008, 10:15:38 PM »
> BTW, there are more than 4 files of SmitfraudFix duplicated in the System32 folder on my machine.  I opened the SmitfraudFix folder alongside the System32 folder and looked at them side by side and compared file name, size and creation date.  There are 12 such files in my System32 folder.  Not sure everyone's will be the same.  May depend on the actual date you installed SmitfraudFix.
>
> If anyone wants or needs the list post here and I'll share it.
>
> Well, that might be possible, but I think there were 4 .exe files? Am I right?
>
> No, all 12 of these are exe files with the exact same size and creation date as the files in the SmitfraudFix folder.  I haven't deleted (or renamed) any of these as yet.  Still trying to decide the best thing to do. I just rebooted to see if I get any rootkit alarms again.  There is no 'Process.exe' file present in the Sys32 folder.  It's been 10 mins now and no alarm as yet.
>
> I'm still thinking that avast rootkit is detecting the presence of 'Process.exe' because it was there and matched a signature through heuristics.   I'm still confused on the 'hidden process' running.

I have the following in my system32 folder that are the exact same size and creation date as the files in the SmitfraudFix folder.

dumphive.exe 7/31/2004
process.exe 3/25/2007
SrchSTS.exe 4/27/2006
swreg.exe 8/29/2006
swsc.exe 1/9/2006
swxcacls.exe 12/1/2006
VCCLSID.exe 9/5/2007

This would seem to correlate with the following section from the SmitfraudFix.cmd file:

if exist Update.cmd del Update.cmd
if not exist %syspath%\Process.exe copy Process.exe %syspath%\Process.exe >NUL
if not exist %syspath%\swreg.exe copy swreg.exe %syspath%\swreg.exe >NUL
if not exist %syspath%\swsc.exe copy swsc.exe %syspath%\swsc.exe >NUL
if not exist %syspath%\SrchSTS.exe copy SrchSTS.exe %syspath%\SrchSTS.exe >NUL
if not exist %syspath%\dumphive.exe copy dumphive.exe %syspath%\dumphive.exe >NUL
if not exist %syspath%\swxcacls.exe copy swxcacls.exe %syspath%\swxcacls.exe >NUL
if not exist %syspath%\VCCLSID.exe copy VCCLSID.exe %syspath%\VCCLSID.exe >NUL


I have only deleted the process.exe file thus far, which has stopped the alerts. Any advice as to risk of deleting the other files that could possibly be required by other processes? 

Here are the other files that are in the SmitfraudFix folder, but not in the system32 folder.

Exit.exe 8/21/2007
GenericRenosFix.exe 5/9/2007
HostsChk.exe  3/28/2007
Reboot.exe 1/13/2005
restart.exe 3/7/2006
SmiUpdate.exe 9/19/2006

Rick F

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #54 on: December 14, 2008, 10:45:59 PM »
There are a number of discussions on the web about avast detecting 'process.exe' as suspicious.  Here's one where the responder suggests removal of a number of files put in the System32 folder by SmitfraudFix:

My Avast Anti Virus warned me today...

Since I renamed 'Process.exe' to 'Process.xxx' (and not run SmitfraudFix again) and rebooted - I've not had any more alerts.  Not sure if I'm going to delete all those SmitfraudFix files in the System32 folder yet or not.

Here's a list of files in my Windows\System32\ folder that are exactly the same as in the "SmitfraudFix folder":  (Included size and dates)

    404Fix.exe         80KB    5/23/2008
    dumphive.exe      50KB    7/31/2004
    IEDFix.C.exe        81KB    7/2/2008
    IEDFix.exe           81KB    5/18/2008
    Process.exe         52KB    6/5/2003
    SrchSTS.exe         282K    4/27/2006
    swreg.exe            132K    8/29/2006
    swsc.exe             40K      1/9/2006
    swxcacls.exe        78K     12/1/2006
    VACFix.exe          85K      5/29/2008
    VCCLISID.exe     283K     9/5/2007
    WS2Fix.exe          25K    10/3/2007
« Last Edit: December 14, 2008, 11:04:35 PM by Rick F »
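The side-by-side comparison Rick F and Dave_MK describe, automated as an added example (this is not code from the thread or from SmitfraudFix): each tool .exe is matched against a same-named file in System32 by size and timestamp, as they did by hand, with a SHA-256 comparison added as the stronger confirmation. The folder names, file contents and timestamps built in demo() are constructed sample data, not the real folders.

```python
# Added example (not from the thread): automate the name/size/date comparison
# Rick F and Dave_MK did by hand, plus a SHA-256 check as stronger confirmation.
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash file contents; size and date alone can coincide by accident."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copied_tools(tool_dir, system_dir):
    """Return (name, size_matches, mtime_matches, hash_matches) for every tool
    .exe that also exists in system_dir. All True: the System32 copy is the
    tool's own file. Name match but hash mismatch: a different binary under
    the same name, which deserves a closer look rather than a quick delete."""
    tool_dir, system_dir = Path(tool_dir), Path(system_dir)
    found = []
    for tool_file in sorted(tool_dir.glob("*.exe"), key=lambda p: p.name.lower()):
        sys_file = system_dir / tool_file.name
        if not sys_file.is_file():
            continue  # never copied, like Exit.exe in the thread's list
        t, s = tool_file.stat(), sys_file.stat()
        found.append((tool_file.name, t.st_size == s.st_size,
                      int(t.st_mtime) == int(s.st_mtime),
                      sha256_of(tool_file) == sha256_of(sys_file)))
    return found


def demo():
    """Run the check on constructed folders standing in for the real ones."""
    with tempfile.TemporaryDirectory() as tmp:
        tool, sysdir = Path(tmp, "SmitfraudFix"), Path(tmp, "System32")
        tool.mkdir()
        sysdir.mkdir()
        for name, body in (("Process.exe", b"A"), ("swreg.exe", b"B"),
                           ("Exit.exe", b"C"), ("dumphive.exe", b"D")):
            (tool / name).write_bytes(body)
        for name in ("Process.exe", "swreg.exe"):  # genuine copies
            (sysdir / name).write_bytes((tool / name).read_bytes())
            os.utime(sysdir / name, ns=((tool / name).stat().st_mtime_ns,) * 2)
        (sysdir / "dumphive.exe").write_bytes(b"XYZW")  # same name, other bytes
        os.utime(sysdir / "dumphive.exe", (0, 0))
        return find_copied_tools(tool, sysdir)
```

Point find_copied_tools() at the real SmitfraudFix folder and System32 to get the same report for an actual machine.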

Avaster

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #55 on: December 14, 2008, 11:02:05 PM »
Btw, if the process.exe file really was a "running program", how was I able to delete it just like that? You can't delete running programs (processes) just like that, since they are in use.
« Last Edit: December 14, 2008, 11:04:26 PM by Avaster »

Rick F

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #56 on: December 14, 2008, 11:09:14 PM »
> Btw, if the process.exe file really was a "running program", how was I able to delete it just like that? You can't delete running programs (processes) just like that, since they are in use.

Good point. Avast called it a "hidden process".  I assumed it meant it was running.  Maybe not.  You would have to 'kill' a running process before being able to delete it -- which ironically the file 'process.exe' is for when used by SmitfraudFix.

Avaster

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #57 on: December 14, 2008, 11:14:13 PM »
> Btw, if the process.exe file really was a "running program", how was I able to delete it just like that? You can't delete running programs (processes) just like that, since they are in use.
>
> Good point. Avast called it a "hidden process".  I assumed it meant it was running.  Maybe not.  You would have to 'kill' a running process before being able to delete it -- which ironically the file 'process.exe' is for when used by SmitfraudFix.

There's absolutely no point in it being a running (hidden) process. It was/is not a running process, nor a hidden process. Avast just made a mistake, that's it.
« Last Edit: December 14, 2008, 11:18:57 PM by Avaster »

fidmas

  • Guest
Re: Root kit says 'Process.exe' suspicious
« Reply #58 on: December 14, 2008, 11:14:55 PM »
> Btw, if the process.exe file really was a "running program", how was I able to delete it just like that? You can't delete running programs (processes) just like that, since they are in use.

I agree.  I'm just sitting back waiting for smarter people than me, but I smell a bug here.