AR boot scan (solved)

I found this Anti-rootkit log file. Seems that the ‘Anti-rootkit scan’ runs at Windows boot-time. Is there a way to disable it?

Edit: Found solution here: http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=303&ratingconfirm=1

You don’t mention why you want to do this?

It isn’t run at boot, but 8 minutes after boot to enable any boot activity to complete, allowing a comparison to be made against what is actually running and what is reported as running.

If you found the C:\Program Files\Alwil Software\Avast4\DATA\log\aswAr.log you will also have found that the scan takes seconds, my last one took 3 seconds (start time at top and finished time at the bottom of the report).
What did yours report?

Btw, does Avast alarm right away if there are some hidden entries found on that AR “boot” scan?

Yes it would normally alert if a clearly recognised or suspect rootkit/hidden file is found, so the old adage, no news is good news, sort of applies.

Today this AR scan alerted me for the first time. It said that a hidden file was found - C:\Windows\system32\process.exe. I have a file like that in my system32 directory, but it’s not a hidden file, nor a running process. It’s a command line process utility from Beyondlogic.com. It’s sometimes treated as a virus file. Was Avast really meaning this file? I ignored it, and after that I scanned my system with Malwarebytes’ Anti-Malware and with F-Secure Blacklight rootkit detector, but nothing was found. Should I be worried?

I noticed the same thing and I think I sent it to be analyzed but I don’t know if it did or not.

Hi Kenny, I’m CeeCee. :slight_smile: Well, I think it’s just a false positive.

Well I have XP Pro SP3 and no such file on my system, there is qprocess.exe (Query Process Utility an MS file) in the system32 folder. I don’t have any products from beyondlogic.com (that I’m aware of) so you should check it out fully. You should elect to have it analysed by avast if it alerts on your next AR scan, the more submissions on the same file the better the statistics about the detection…

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here, the URL in the Address bar of the VT results page. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

This type of thing (if not Beyondlogic’s command line process utility) could be trying to trick you into thinking it is a legit file.

I have downloaded it myself. I think it came along with SmitfraudFix. There’s such a file in SmitfraudFix folder too. The file creation date is the same.

Still worth investigating.

SmitfraudFix is a tool for removing rogue programs, so it may come with tools that could be detected as suspicious by the very way they work. Though RogueRemover, MalwareBytes AntiMalware and SAS are more commonly used for this purpose now. I would have thought removal of SmitfraudFix would clean up after it, so I don’t know if that file would have been placed in the system32 folder.

The other issue is that this process.exe file is active and it would appear to be hidden, hence its detection.

You mean that it is a running program? I don’t think that it is.

Well it has to be running or avast wouldn’t find it in the anti-rootkit scan, as it compares what is reported as running (with the various Windows APIs) against what is actually running. That is how it determines what is hidden and how rootkits slip under the radar of the Windows APIs.

So the one in system32 is active and as I said that might have nothing to do with SmitfraudFix.
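The cross-view comparison described in the reply above, as an added example that is not part of the original thread and not Avast’s own code: one view is the CSV output of `tasklist /FO CSV /NH` (the normal Windows API path), the other is a second listing gathered independently; both listings here are constructed sample data, and the PID 1936 entry is made up to show what a concealed process looks like.

```python
"""Cross-view check of the kind the anti-rootkit scan performs: compare a
process list obtained through the normal Windows API (here, the CSV output
of `tasklist /FO CSV /NH`) against a second, independently gathered view and
report entries that one view shows but the other does not. Both listings
below are constructed sample data, not real scan output."""
import csv
from io import StringIO

# Constructed sample of `tasklist /FO CSV /NH` output (API view). Columns are
# Image Name, PID, Session Name, Session#, Mem Usage.
API_VIEW_CSV = '''"System","4","Console","0","236 K"
"svchost.exe","1024","Console","0","4,532 K"
"explorer.exe","1512","Console","0","21,880 K"
"ashServ.exe","1720","Console","0","18,004 K"
'''

# Constructed second view (on a real system this would come from a different
# enumeration path), as (pid, image name) pairs. PID 1936 is the kind of
# entry a rootkit hides from the API view; it is made up for this example.
RAW_VIEW = [(4, "System"), (1024, "svchost.exe"), (1512, "explorer.exe"),
            (1720, "ashServ.exe"), (1936, "process.exe")]


def parse_tasklist_csv(text):
    """Return {pid: image name} from `tasklist /FO CSV /NH` output."""
    procs = {}
    for row in csv.reader(StringIO(text)):
        if len(row) < 2:  # skip blank lines
            continue
        procs[int(row[1])] = row[0]
    return procs


def cross_view_diff(api_view, raw_view):
    """Compare the two views by PID.

    hidden  : in the raw view but absent from the API view, the signature of
              a process concealed from the normal API.
    phantom : reported by the API but absent from the raw view, usually a
              process that exited between the two snapshots, so treat it as
              noise unless it recurs on repeated runs.
    """
    raw = dict(raw_view)
    hidden = sorted((pid, name) for pid, name in raw.items() if pid not in api_view)
    phantom = sorted((pid, name) for pid, name in api_view.items() if pid not in raw)
    return hidden, phantom


if __name__ == "__main__":
    hidden, phantom = cross_view_diff(parse_tasklist_csv(API_VIEW_CSV), RAW_VIEW)
    for pid, name in hidden:
        print(f"hidden from API view: pid {pid} {name}")
    for pid, name in phantom:
        print(f"only in API view (likely exited): pid {pid} {name}")
```

Taking the two snapshots as close together as possible, and repeating the run, keeps exited processes from showing up as false "phantom" entries.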

Oops… deleted post as it was in wrong thread. Sorry. :slight_smile:

It’s all right saying it looks like it is part of smitfraud, looks can be very deceptive, since smitfraud is a stand alone tool that runs to do a scan and on completion it’s done. The URL of the VT results would have been better as it shows much more info than the partial image.

There should be no active elements always running, so I’m sorry I think this has nothing to do with smitfraud unless smitfraud was running, which it clearly isn’t.

I’m pretty sure that it is not anything serious. Not going to do anything about it right now.

Your system, your choice, but to me pretty sure doesn’t cut it.

Well, guess I will just go ahead and remove that Smitfraud folder and that process.exe from the system32 directory. I don’t use that Smitfraud anyway.

I just received another alert that I told it to ignore again and I have just had a database update, but I did send it in:

https://www.virustotal.com/analisis/5751910445049459da47064c40797aa5

I removed the Smitfraud folder but process.exe is still in system32 folder which I shall remove now.

Personally as a first step I would rename it so whatever is running it won’t find the original file and may just pop-up the file not found message and see if there is any way to get a handle on it.

If, with it renamed, it isn’t causing any issues (and I don’t believe it should), then I would add it to the avast chest User Files section (so you always have a fall back option) before deleting it in the system32 folder.

Btw Kenny, there still might be a few other Smitfraud files in your system32 folder. I had 4 of the same Smitfraud files in my system32 folder that were also in my main Smitfraud folder. And yes, they were the same files, with a few minutes creation time difference.