Avast detected Vista's trustedinstaller.exe as a Rootkit?

I am not sure what happened here, but I got major problems that ended in a full clean install of my Windows Vista 64 SP1 Ultimate.
During a recent Vista update, I got an Avast message saying that it found a rootkit using heuristic methods and it recommended not to delete this file.
The rootkit was “trustedinstaller.exe”. I did know that this file is a Vista system file, and since I was updating from Microsoft I thought this was a false message.
Everything went OK, but afterward I thought I might check my system files with cmd and the command sfc /verifyonly.
I got a message about problems with system files.
This time I tried sfc /scannow. The checking stopped early (5%), saying it could not repair the system files. I restored my system to previous dates but it didn’t help.
Even though my system didn’t have any other problems I decided to make a backup of my files and clean install Windows Vista 64 SP1 Ultimate.

This time I installed all Microsoft updates first and then I installed Avast Pro. So I am not sure what happened the last time. Now I have disabled auto Vista updates and I also disable Avast every time I perform a manual Vista update.

It should be fixed soon if it is a false positive.
To know if a file is a false positive, please submit it to VirusTotal and let us know the result. If it is indeed a false positive, send it in a password protected zip to virus@avast.com
Please, mention in the body of the message why you think it is a false positive and the password used. Thanks.
Another possibility is Jotti. VirusTotal and Jotti both have a file size limit of 10 MB.

As a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left click the ‘a’ blue icon, click on the provider icon at left and then Customize. Go to Advanced tab and click on Add button…
You can use wildcards like * and ?. But be careful: excluding too many files leaves your system in danger.

Thank you.
After some system restore actions and a clean install I have no infected files to submit and I doubt the trustedinstaller.exe file was an infected file.
I got the rootkit warning message during a Microsoft update. I never had any viruses or rootkits. I think Avast Pro performs auto scans for rootkits at startup.
I have used Avast for the last 5 years and I have never got infected.
So I am not sure what really happened during this Microsoft update installation.

I got the same message when updating Vista.
C:\Windows\servicing\TrustedInstaller.exe found as rootkit.

I’ve run it through Jotti but none of the engines found anything.
Rescanning the file with Avast doesn’t find anything either so I guess this is something only during the update process.

Btw, a small issue: pressing the privacy statement in Avast Home on the warning page, where it suggests I send the file to ALWIL Software lab, leads me to a 404 webpage.
http://www.avast.com/eng/privacy_statement.html

And Home version too…

Indeed, seems a strange file. Glad you’re clean now.

Hassad, welcome to the forums. Do you have this file on your computer still? Can you send it to virus (at) avast (dot) com for analysis? Can you submit it to www.virustotal.com for analysis also?

Thanks,

I’m sure “it” was triggered due to the upgrade.
I’ve sent the file and the Virustotal information to the address.

FYI - as of today on version 1227 this is still occurring. I did the following twice and reproduced the issue both times.

  1. Clean install of Vista Ultimate Retail
  2. Driver installs
  3. SP1 standalone update
  4. Avast install
  5. Update avast to latest release
  6. Run Windows update

A heuristic scan finds windows\services\trustedinstaller.exe as a suspicious file.

It’s hard for me to ignore a possible rootkit warning on a fresh install.

Note that scanning the file itself comes up clean. I am guessing that whatever trustedinstaller.exe is trying to do to the OS during installation of updates is what triggers the heuristic scanner to alert the user.

Is it safe to ignore this issue for now?

OK, this is still happening with avast! version 4.8 Home Edition Build Jul2008 (4.8.1229) VPS 080807-0 (all updated before allowing a new Vista install on the web).

This is on a Windows Vista Ultimate 64bit Edition SP1 immediately after installing/upgrading and adding SP1 when letting Windows Update do an automatic update of optional updates.

File is located at %WINDOWS%\servicing\TrustedInstaller.exe

VirusTotal produces a nil result on all engines (and this file has been submitted to VirusTotal before).

Have submitted a copy of the file. Alwil Software is normally pretty darned quick about these false positives. It is rather strange that this one is slipping through the net so long - is it because it is a 64bit system?

It’s not really a false positive in the usual sense - there’s no virus reported here (I mean, no virus name is given, right?)
What exactly does the window say?

Hard to tell now that I have hit ignore and told Windows Update to repeat lol (I can’t find out how to “un-ignore” the file so that I can get it scanned - right now if I instruct Avast! to scan that file it doesn’t produce any advisory, presumably because the on-access scanner has set it to ignore).

No, there was no name of known malware. This was a heuristic find. It appears to be after downloading optional Vista Ultimate 64bit updates and DURING the installation process. The only optional update affected is “Windows Sound Schemes”, which suggests that this is an odd result of the heuristics. But I had them set on the default preferences.

The ODD thing is that there was NO advisory on this file when I did the same installation a week or so ago. Anyway, the answer is to note the file name, hit Ignore and repeat the update if a user wants it.

The point for the Avast! team is that if numerous Vista Ultimate 64bit users hit this advisory every time they do an update after installation of the OS, it is not encouraging them to trust Avast! which is a shame.

Well, I’d still like to know what exactly the dialog says. There’s a “Type” field there, for example (like, “hidden process”, “hidden service”, …)

Once I had done a web search for what Avast! means by “Ignore”, I felt safe to click it without ending up having the file ignored by my OS and therefore crashing my OS.

If you can tell me how, after clicking ignore, I can stop Avast! ignoring the file so that I can scan it and tell you what the heuristic advisory was, I would be pleased to post the message here. Otherwise, I don’t see how I can repeat the message even though I still have the file.

Thanks.

Did you allow it to be submitted for analysis?

Windows errors related to trustedinstaller.exe? trustedinstaller.exe is the Windows Modules Installer from Microsoft Corporation, belonging to the Microsoft® Windows® Operating System. This enables management of Windows updates.

It seems a very poor choice of name to me, as why would a trusted installer need to be a hidden service? If it is only used for Windows updates, you would think it could be started when an update is available and has to be installed.

I don’t know if it is an FP or not; there simply isn’t enough information, and since I don’t use Vista I can’t check the file location.

It just looks suspicious and assuming there was the checking of digital signatures on suspect/infected files (something we discussed in another topic), that should show if it is a valid signature making the likelihood of infection less.

Anybody having this problem - can you please download the following file:
http://public.avast.com/~glucksmann/CheckInst.exe
Start it from the command-line and post the output here.
Thanks.

As I stated before, this is NOT a false positive. I submitted the file to VirusTotal and got the all-clear response from all programs.

However, I submitted the file to the avast! team so that they could discover why the heuristic analysis was producing an advisory on a file which is part of the Windows Vista updates.

I still hope that Avast! will change something in that advisory message. First of all, this particular file has the kind of name which looks suspicious - how could Microsoft come up with a more stupid name for a system file - TrustedInstaller - isn’t that just the kind of name a virus writer would come up with? lol

More importantly, many users (the vast majority?) will not have seen this advisory before. To be offered a choice where the “recommended” action is “Ignore” is not conducive to following the recommendation. Surely many will have the unanswered question in their minds: “Does ignore mean ignore the file or ignore this message?” A slightly more useful recommendation would include wording such as “Recommended Action: Ignore (which will allow the operating system to continue without action by avast!, but the user should take note of the filename in case it is reported again)”.

Again, this was NOT a report that there was a virus.

Have you tried downloading and using the file Igor gave the link for?
If so can you post the output.

Signature of “C:\Windows\servicing\TrustedInstaller.exe” verified.
Details:

Signature type: Catalog
Program name: Microsoft Windows
Program URL: http://www.microsoft.com/windows
Issuer : Microsoft Windows Verification PCA
Subject : Microsoft Windows
Signing Timestamp : 01/20/2008 00:49

(Note that I also sent the TrustedInstaller.exe file to the Alwil team as requested.)
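A defender-side version of the check Igor's tool performs above, as an added PowerShell example that is not from the thread or from Alwil/avast!: it verifies the file's Authenticode signature, reports the signer and signature type, and cross-checks the embedded version metadata before anyone decides how to treat a heuristic alert on it. It assumes PowerShell 5.1 on Windows 8 or later, where Get-AuthenticodeSignature also resolves catalog signatures (the type shown in the output above); on Vista-era PowerShell a catalog-signed file is reported as NotSigned.

```powershell
# Added example, not the thread's own code. Assumes PowerShell 5.1 (Windows 8+), where
# Get-AuthenticodeSignature exposes SignatureType and IsOSBinary and resolves catalog
# signatures. $ExpectedCompany is a hypothetical parameter chosen for this example.
function Test-SystemFileSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedCompany = 'Microsoft Corporation'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $info = (Get-Item -LiteralPath $Path).VersionInfo
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Status is Valid only when the file hash matches the signature and the
    # certificate chain builds to a trusted root.
    $signed    = $sig.Status -eq 'Valid'
    # The signer should name Microsoft, and the version metadata should agree;
    # a file that claims to be a Microsoft module but fails either check deserves a closer look.
    $msSigner  = $signed -and ($sig.SignerCertificate.Subject -match 'CN=Microsoft')
    $msCompany = $info.CompanyName -eq $ExpectedCompany

    [pscustomobject]@{
        Path            = $Path
        SignatureStatus = $sig.Status
        SignatureType   = $sig.SignatureType      # Authenticode, Catalog or None
        Signer          = $sig.SignerCertificate.Subject
        Issuer          = $sig.SignerCertificate.Issuer
        IsOSBinary      = $sig.IsOSBinary
        Description     = $info.FileDescription   # e.g. "Windows Modules Installer"
        Company         = $info.CompanyName
        Sha256          = $hash                   # quote this hash when reporting, not just the path
        Verdict         = if ($msSigner -and $msCompany) { 'Signed Microsoft binary' }
                          elseif ($signed) { 'Validly signed, but not by Microsoft' }
                          else { "Unverified: $($sig.StatusMessage)" }
    }
}

# The file discussed in this thread; $env:SystemRoot is the real path behind %WINDOWS%.
Test-SystemFileSignature -Path "$env:SystemRoot\servicing\TrustedInstaller.exe" | Format-List
```

Run it from an elevated prompt if the servicing directory is not readable by your account; the SHA256 it prints is what to compare against a VirusTotal or Jotti result rather than the bare filename.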

:o
http://search.microsoft.com/results.aspx?form=MSHOME&setlang=en-us&q=trustedinstaller.exe+virus&mkt=en-us

Isn’t this contradictory? A signed file should be a clean file (if the source is secure).