I just updated my flash player to the latest version (9.0.124.0) and on reboot of my XP/pro.sp2 laptop, got an Avast alert of a rootkit in procexp111.sys (part of Process Explorer). I run Process Explorer 11.11 (and just discovered that 11.12 is the latest version).
I have Process Explorer 11.11 on my system, but there is no file on my system called procexp111.sys, and it does not exist in the zip file that I downloaded as the Process Explorer 11.11 download from Sysinternals.
If the choice is offered to move it to the virus chest then do so. It will be unable to do any more harm if moved to the chest and you will then have time to consider it before any final deletion.
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings of these files here. This can’t be uploaded to VT whilst it is in the chest so it needs to be exported (right click on the file in the Infected Files section of the chest) to a temporary location and avast is likely to alert again when you do that, see below.
Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
Mine is only version 11.1 (tardy on the updates) and that file isn’t in my system32 folder.
OK, downloaded the 11.12 zip file and, as Alan said, no procexp111.sys in that zip either, just procexp.exe, procexp…chm and Eula.txt. As this is a stand-alone application I don’t see how it would place a file in the system32 folder.
The driver is contained within the exe as a resource. It can be found by a manual scan of the file. It is rather common practice now; many programs use it (Filemon, Regmon etc.).
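To illustrate the "manual scan of the file" the post describes, here is an added example (my code, not Sysinternals'): it walks a host binary looking for embedded PE headers and reports whether each one is a native-subsystem image, which is what a kernel driver packaged as a resource looks like. The host bytes are constructed in the script from minimal PE skeletons; they are not a real Process Explorer binary, and the carving is generic, not specific to procexp.exe.

```python
"""Carve embedded PE images (e.g. a packaged kernel driver) out of a host file.
Added example for this thread; the sample host below is constructed test data."""
import struct

IMAGE_SUBSYSTEM_NATIVE = 1       # kernel-mode drivers report subsystem 1
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2  # a normal GUI program such as the host exe


def _build_pe(subsystem: int, machine: int = 0x14C) -> bytes:
    """Build a minimal well-formed PE skeleton: DOS header, PE signature,
    COFF header and a PE32 optional header. Constructed data, not a real file."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    #       NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<H", opt, 68, subsystem)  # Subsystem field lives at +68
    return dos + b"PE\x00\x00" + coff + bytes(opt)


# Constructed host: a GUI exe with a native-subsystem image sitting in its
# resource data, mimicking how a tool can ship its driver inside the exe.
SAMPLE_HOST = (
    _build_pe(IMAGE_SUBSYSTEM_WINDOWS_GUI)
    + b"\x00" * 64
    + b"RCDATA"
    + _build_pe(IMAGE_SUBSYSTEM_NATIVE)
    + b"\x00" * 16
)


def _parse_pe_at(data: bytes, off: int):
    """Return header facts if a consistent PE image starts at `off`, else None."""
    if off + 0x40 > len(data):
        return None
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    pe = off + e_lfanew
    # Sanity bounds: e_lfanew must point past the DOS header and into the buffer
    if e_lfanew < 0x40 or e_lfanew > 0x400 or pe + 4 + 20 + 70 > len(data):
        return None
    if data[pe:pe + 4] != b"PE\x00\x00":
        return None
    machine, _nsec, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, pe + 4)
    opt = pe + 24
    if opt_size < 70 or opt + opt_size > len(data):
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 or PE32+
        return None
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "offset": off,
        "machine": machine,
        "subsystem": subsystem,
        "driver": subsystem == IMAGE_SUBSYSTEM_NATIVE,
    }


def find_embedded_pe(data: bytes):
    """List every consistent PE header in `data`, including the host's own at
    offset 0 and any image nested inside its resources."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        hdr = _parse_pe_at(data, pos)
        if hdr is not None:
            hits.append(hdr)
        pos = data.find(b"MZ", pos + 1)
    return hits


def embedded_driver_offsets(data: bytes):
    """Offsets of native-subsystem images that are not the host itself."""
    return [h["offset"] for h in find_embedded_pe(data)
            if h["driver"] and h["offset"] != 0]


if __name__ == "__main__":
    for h in find_embedded_pe(SAMPLE_HOST):
        kind = "native (driver-like)" if h["driver"] else "subsystem %d" % h["subsystem"]
        print("PE image at offset %d: %s" % (h["offset"], kind))
```

Run against a real file by replacing SAMPLE_HOST with the bytes of the exe; an embedded native image is a strong hint that the program drops a driver at runtime, which is what a boot-time or on-access scanner may then flag when it sees the extracted .sys.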
I have the following question about the rootkit search at system start: is there some table of legitimate processes, or is any hidden process treated as a rootkit?
Today I got an info message about a rootkit found due to the hidden process markfun.w32.
Obviously it is a false positive, because this is a quite legitimate process from Gigabyte EasyTune5 (I have ETCall in my startup).
BTW, I cannot find any log record about this found “rootkit”.
If there is no log viewer entry then I would say that is a failing, as it really should create an entry.
It may well be a common practice for the driver to be within the exe, but if so it isn’t being extracted to the system32 folder on my system. Just ran 11.12, and a search of Windows and sub-folders reveals no procexp*.sys; even procexp*.* reveals no file.
It is hidden (or possibly was deleted after being loaded successfully). I have an old version of Process Explorer which uses the older driver procexp100.sys. When Process Explorer is running I cannot find this driver in system32\drivers, but RootkitUnhooker claims that the driver H:\Windows\System32\drivers\PROCEXP100.SYS is loaded at address 0xBA622000 with size 8192.
P.S. IceSword doesn’t find this driver on the disk, so it could really have been deleted. Probably we can use FileMon to detect creation/deletion of this driver.
What I can’t understand is why others who might be using procexp aren’t having any detection, and if your supposition of it being deleted after loading is right, it would seem to be both hanging around on speedlever’s system for it to be there on boot and, if hidden, avast’s standard shield boot-time scan is seeing it (which is a good thing, though not if it is a possible FP).
Also, it would appear that this might have been detected by the standard shield, given the choices speedlever gave in his reply #2.
My system logs do indeed show that the driver is created and then (after the display information is obtained) the driver is immediately deleted, leaving just the main process running. The driver loading is also recorded in the boot log (ntbtlog).
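The create-then-delete pattern described in this reply, and the FileMon suggestion a few posts earlier, can be checked mechanically once you have a file-activity log. The following is an added example (my code, not from any poster or from Sysinternals): it parses constructed FileMon-style lines, groups them by path, and flags any .sys under a drivers folder that is created and deleted by the same process within a short window, noting whether the kernel (the System process) opened the file in between, i.e. whether it was actually loaded. The log format, process names and timestamps are all constructed for the example; real FileMon output differs in layout, so the regex would need adjusting.

```python
"""Flag short-lived driver files (created, loaded, deleted) in a file-activity log.
Added example for this thread; the log lines below are constructed, not a capture."""
import re
from datetime import datetime

# Constructed FileMon-style lines: time  process:pid  operation  path  result
SAMPLE_LOG = [
    r"12:00:01.001  procexp.exe:1234  CREATE  C:\WINDOWS\system32\drivers\PROCEXP111.SYS  SUCCESS",
    r"12:00:01.010  procexp.exe:1234  WRITE   C:\WINDOWS\system32\drivers\PROCEXP111.SYS  SUCCESS",
    r"12:00:01.250  System:4          OPEN    C:\WINDOWS\system32\drivers\PROCEXP111.SYS  SUCCESS",
    r"12:00:01.900  procexp.exe:1234  DELETE  C:\WINDOWS\system32\drivers\PROCEXP111.SYS  SUCCESS",
    r"12:00:05.000  svchost.exe:800   OPEN    C:\WINDOWS\system32\drivers\tcpip.sys  SUCCESS",
    r"12:00:09.000  setup.exe:777     CREATE  C:\WINDOWS\system32\drivers\example.sys  SUCCESS",
]

LINE_RE = re.compile(r"^(\S+)\s+(\S+?):(\d+)\s+(\w+)\s+(.+?)\s+(\w+)$")


def parse(lines):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, proc, pid, op, path, result = m.groups()
        events.append({
            "t": datetime.strptime(ts, "%H:%M:%S.%f"),
            "proc": proc,
            "pid": int(pid),
            "op": op.upper(),
            "path": path.lower(),   # NTFS paths are case-insensitive
            "result": result.upper(),
        })
    return events


def transient_drivers(events, max_lifetime=5.0):
    """Return findings for .sys files in a drivers folder that were created and
    then deleted within `max_lifetime` seconds."""
    by_path = {}
    for e in events:
        by_path.setdefault(e["path"], []).append(e)

    findings = []
    for path, evs in by_path.items():
        if not (path.endswith(".sys") and "\\drivers\\" in path):
            continue
        creates = [e for e in evs if e["op"] == "CREATE" and e["result"] == "SUCCESS"]
        deletes = [e for e in evs if e["op"] == "DELETE" and e["result"] == "SUCCESS"]
        for c in creates:
            later = [d for d in deletes
                     if d["t"] >= c["t"]
                     and (d["t"] - c["t"]).total_seconds() <= max_lifetime]
            if not later:
                continue  # created but still present: a normal install, not transient
            d = min(later, key=lambda x: x["t"])
            # An OPEN by the System process between create and delete is the
            # kernel reading the image, i.e. the driver was actually loaded.
            loaded = any(e["op"] == "OPEN" and e["proc"].lower() == "system"
                         and c["t"] <= e["t"] <= d["t"] for e in evs)
            findings.append({
                "path": path,
                "process": c["proc"],
                "pid": c["pid"],
                "lifetime_s": (d["t"] - c["t"]).total_seconds(),
                "loaded_by_kernel": loaded,
                "same_process_deleted": d["proc"] == c["proc"] and d["pid"] == c["pid"],
            })
    return findings


if __name__ == "__main__":
    for f in transient_drivers(parse(SAMPLE_LOG)):
        print("%s: dropped by %s (pid %d), lived %.3fs, loaded=%s" % (
            f["path"], f["process"], f["pid"], f["lifetime_s"], f["loaded_by_kernel"]))
```

A hit here is not proof of anything malicious; it only tells you which program dropped the short-lived driver, which is exactly the information needed to decide whether an alert on such a file is a false positive (as in this thread) or worth escalating.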
That is fine, but it seems strange that it would be around at boot to be caught by avast, unless speedlever has procexp.exe run on boot. But equally, why is it caught by avast yet yours isn’t? Definitely strange.