avast detects Windows update as rootkit

I just reinstalled Windows 7 Home Premium 64-bit on my computer, and as I was installing updates avast popped up and said it found a rootkit.

Don’t delete, select Ignore for now, don’t check any option ‘not to show this detection again’ or words to that effect, as I don’t know if there is an easy way to reverse that decision if it happens to be correct.

A forum search for trustedinstaller.exe would reveal a couple of topics on this; check these out: http://forum.avast.com/index.php?topic=60682.0 and http://forum.avast.com/index.php?topic=60635.0. This trustedinstaller being picked up as a rootkit seems to happen every now and then; why, I don’t really know, and this is why I suggest Ignore rather than Delete until it is confirmed 100%.

I don’t know why the trustedinstaller needs to be a hidden service and that may be why it keeps getting flagged.

When did this happen, 8 minutes after boot (auto anti-rootkit scan) or during a windows update, etc. etc. ?

Is your avast fully updated (program and virus definitions)?

Hi,
Thanks for your responses. It was about 8 minutes after booting up, so I guess it was probably the startup rootkit scan. Also, I’m using the latest avast program and database (5.0.594 & 100709-1).

Can you submit the file to www.virustotal.com ?
Most probably a false positive.

Unfortunately VT is useless in this case, as it only runs the standard avast on-demand/command-line scan and not the anti-rootkit scan, which can only be done on the user’s system, as it is comparing what is reported by the Windows API with what is actually running on the user’s system.

This one really needs some intervention by one of the virus labs team.

But isn’t it included in the other antivirus definitions and can be detected by Virus Total?

No it isn’t, as it is being detected in the anti-rootkit scan; in other instances of this, when it has been sent to VT there have been zero hits.

As per the OP’s image (extract here), that hidden service must have been loaded at some point in the boot, yet the standard scans didn’t detect anything. Given that this was a Win7 reinstall, I would say that this file has a high likelihood of being clean, and presumably the OP would also have run an on-demand scan at some point before this.
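Before choosing Ignore or Delete, it is worth checking the flagged file independently of the anti-rootkit verdict. The following is an added example, not from the thread or from avast; it assumes the flagged binary is the stock Windows 7 TrustedInstaller.exe at its usual location (C:\Windows\servicing\TrustedInstaller.exe), which is an assumption, not something the post confirms. It checks which binary the service actually points to, whether the file carries a valid Microsoft Authenticode signature, prints a hash that can be looked up on VirusTotal without uploading anything, and asks Windows File Protection to verify the file against the component store.

```powershell
# Added example (not part of the original thread): sanity-check the file avast
# flagged as a hidden service before accepting a Delete recommendation.
# Assumed path of the flagged binary on Windows 7; adjust if avast reported another.
$path = 'C:\Windows\servicing\TrustedInstaller.exe'

# 1. What binary is the Windows Modules Installer service actually registered with?
#    BINARY_PATH_NAME should match $path; anything else deserves a closer look.
sc.exe qc TrustedInstaller

# 2. Authenticode signature. The stock binary is signed by Microsoft; a Status other
#    than 'Valid' (e.g. 'NotSigned' or 'HashMismatch') means the file was altered.
$sig = Get-AuthenticodeSignature -FilePath $path
"Signature status : $($sig.Status)"
"Signer           : $($sig.SignerCertificate.Subject)"

# 3. SHA-256 for a VirusTotal search (Get-FileHash needs PowerShell 4+; Windows 7
#    ships PowerShell 2.0, so fall back to certutil, which is present on both).
if (Get-Command Get-FileHash -ErrorAction SilentlyContinue) {
    "SHA256           : $((Get-FileHash -Path $path -Algorithm SHA256).Hash)"
} else {
    certutil.exe -hashfile $path SHA256
}

# 4. Let Windows Resource Protection compare the file with its protected copy.
#    Requires an elevated prompt; reports whether the file differs from what
#    servicing expects without modifying anything.
sfc.exe /VERIFYFILE=$path
```

Caveat: steps 2 and 4 go through the same Windows APIs a real rootkit would try to subvert, so a clean result corroborates the "false positive" reading rather than proving it. A hash that VirusTotal already knows and reports as clean, combined with the fact that this is a fresh install, is about as far as an on-box check can take it; anything beyond that needs the lab team, as the post says.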

DavidR, I read on another post that you say the default action of the auto anti-rootkit scan can not be changed. Can you confirm that, or tell me how to change the Delete default action to Ignore on that scan? If anybody else can tell me how to do what I want, please help.
Bo

No I don’t believe I said that at all, so if you have a reference to that post please post it.

There is a drop-down list in which you can choose Ignore or Delete; whilst avast displays what it considers the best option based on its detection, you don’t have to choose that option. So it isn’t a default action as such but, as it says, a (recommended) action, and that is likely to change depending on the circumstances of the detection. There is, however, no way to change how avast comes to that decision, but you don’t have to accept the recommended action; that you should be able to change.

By clicking the inverted triangle, see image extract from the OPs post, it should also show Ignore as an option.

I might be wrong, DavidR. What I think I read is that the selected action for default can not be changed. I know you did not write that the action can not be changed when the auto-rootkit scan detects something.

Bo

There isn’t a default action (so that certainly means it can’t be changed if it doesn’t exist), but a recommended action, so depending on the circumstances of the detection avast will either recommend Ignore or Delete. Personally, I would never select Delete before I had fully investigated it.

Unfortunately, the great majority wouldn’t know where to start to investigate, and those are the people that avast is trying to look out for. So for me that would mean not recommending deletion unless whatever parameters (API/heuristic/behavioural, etc.) are used to determine a rootkit make it 100%.

+1

I got it now, thanks.
Bo

You’re welcome.

So what do you do if you told it to delete the supposed rootkit?

Hmmm… Delete is not the best alternative, nor the safest.
Better would be to send files to the Chest (which allows restore).
Get the file from another (similar) computer?
Reinstall Windows over the top?
I can’t guess other solutions. Once deleted, the file is gone.

Thanks. What I wound up doing was restoring the OS. Fortunately that was easy and I had backups of my data.