qmgr.dll false positive?

Avast just popped up and said it had detected a rootkit, but I scanned it with Malwarebytes and got nothing, and the nature and location of the file indicate it may be a false positive. Here is the Avast message:

C:\Windows\System32\qmgr.dll Rootkit:HiddenService

Avast wanted me to delete it but this is a critical system file so I didn’t. There was a checkmark next to “Send the file to Avast” so hopefully it has been submitted to you.

Has anyone else encountered this detection?

ThreatExpert’s awareness of the file “qmgr.dll”:
http://www.threatexpert.com/files/qmgr.dll.html

This is a valid program that is required to run at startup.
http://www.bleepingcomputer.com/startups/qmgr.dll-21990.html

What is qmgr.dll?
http://processlist.com/info/qmgr-7.html

What scan detected this?

You could also check the offending/suspect file at VirusTotal - Multi engine on-line virus scanner and report the findings here: the URL in the Address bar of the VT results page. You can’t do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C: drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect* That will stop the File System Shield scanning any file you put in that folder.

I have scanned that file on my system and no alert.

The fact that it is a valid file name and location doesn’t mean it is clean.

Thank you for quick response. However, now I’m not sure what to do with the file. First of all, it’s not in any of the locations/names specified by http://www.threatexpert.com/files/qmgr.dll.html. Second, I scanned it manually with Avast and Malwarebytes again and it comes up clean.

However, I told Avast to ignore it when it was first detected, and now I can’t find anyway of telling Avast to not ignore it. Does Avast ignore the file when I right click it and do a manual scan?

And if it is a rootkit, how would I get rid of it? Avast only gave me the options of ignoring it or deleting it, and it can’t simply be deleted because it’s a critical system file.

Any suggestions would be appreciated.

DavidR, I wasn’t scanning when the pop-up occurred. I came back from a shower and the dialog had popped up automatically, so I guess Avast was doing a background scan. And as I said, scanning it with Avast and Malwarebytes says it’s clean, no threat detected.

In any case, I copied the file from System32 and saved it to C:\Suspect and here’s what “VirusTotal - Multi engine on-line virus scanner” said:

MD5: 7f0c323fe3da28aa4aa1bda3f575707f
First received: 2009.10.21 14:54:23 UTC
Date: 2010.03.19 13:09:48 UTC [>61D]
Results: 0/41
Permalink: analisis/7ff09cbc16a9e5f357a76ff79a3f0dd047957d474031f51a6bb4916c7911f005-1269004188

However, there is one oddity. Since I hadn’t deleted it I initially tried to upload it directly from C:\Windows\System32, and the upload dialog box couldn’t see the file. I also tried to attach it to an email via Thunderbird, and the attachment dialog also couldn’t see it. However, if I look with Windows Explorer I can see the file fine, and as I said I was able to copy it with no problem. I’m running Windows 7 x64 with all updates, is there some type of security/protection feature that would prevent the upload and attachment dialogs from seeing critical system files? And by the way, I closed Windows Explorer a few times and reopened it and could always see the file.

Hi malware fighters,

There was an earlier FP here: http://forum.emsisoft.com/Default.aspx?g=posts&t=6309

polonus

avast runs its anti-rootkit scan 8 minutes after boot, so does that ring any bells?

This is the wording that usually accompanied the detection in an earlier version of avast:
“A suspicious file has been detected (using a heuristic method). This may be a sign of malware infection. Please allow the file to be submitted to our virus lab for analysis.”

Can you actually see it in the system32 folder (it may be hidden)?
This folder relates to earlier versions of windows as I thought syswow64 replaced that in win7 x64?
Try a windows search for this file name and see if it can be found (and check if it isn’t in more than one location).

You could try and uncheck the hide system files and folders, etc. This example is also for earlier OSes, so you will have to find the equivalent in win7.

  • Ensure that you have hidden files and folders enabled and disable hide system files in Windows Explorer, Tools, Folder Options, Hidden files and folders, uncheck Hide extensions for known file types, etc. see image.

Hi DavidR, I can see the file in System32 when using Windows Explorer (I’ve turned on the options to show system and hidden files in Windows Explorer). The only time I can’t see it is when trying to use a dialog box to upload it to VirusTotal or attach it to an email. However, when I copy it to C:\Suspect I can see it fine, and the size and MD5 are identical.

I also did some tests and found there are a lot of files in System32 that can’t be seen in dialog boxes, so it looks like the “show system/hidden files” options in Windows Explorer may not carry over to dialog boxes.

And what is most strange is if I do a manual scan with Avast by right clicking on the file in System32 and telling Avast to scan it it comes up clean. The same thing with Malwarebytes. And as I said, when I copied it to C:\Suspect and scanned it with VirusTotal it also comes up clean.

By the way, the Avast message was simply:

C:\Windows\System32\qmgr.dll Rootkit:HiddenService

And there are no reports of it in any of Avast’s logs. However, I told Avast to ignore it because I needed to check it out before deleting a critical system file, and I’m wondering how to turn off the “ignore” setting (Avast only gave me the option of deleting or ignoring it, there was no option to move it to the virus chest).

If I could make sure Avast still wasn’t ignoring it, and is scanning it for rootkits when I do a manual scan, I would assume it’s an FP. Does the “ignore” setting stick, and if so does anyone know how to turn it off?
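The thread’s two checks, confirming that the copy in C:\Suspect is byte-for-byte the System32 original and that its MD5 matches the one on the VirusTotal report, can be scripted. This is an added example, not code from the thread or from Avast; the `Sysnative` handling is an assumption based on WoW64 file-system redirection (a 32-bit process that opens `C:\Windows\System32` on 64-bit Windows is redirected to `SysWOW64`, which is one reason a 32-bit upload or attachment dialog may not list the file), and the sample content is constructed so the script runs offline on any OS.

```python
import hashlib
import os
import platform
import struct
import tempfile

# Constructed stand-in for the DLL contents; MD5 is the RFC 1321 test vector for "abc".
SAMPLE_CONTENT = b"abc"
SAMPLE_MD5 = "900150983cd24fb0d6963f7d28e17f72"


def real_system32_path(path):
    """From a 32-bit process on 64-bit Windows, map System32 to the Sysnative alias
    (assumption: Vista or later), so the real 64-bit file is read, not the SysWOW64 copy."""
    on_64bit_os = platform.machine().lower().endswith("64")
    in_32bit_proc = struct.calcsize("P") * 8 == 32
    marker = "\\windows\\system32\\"
    if os.name == "nt" and on_64bit_os and in_32bit_proc and marker in path.lower():
        start = path.lower().index(marker) + len("\\windows\\")
        return path[:start] + "Sysnative" + path[start + len("System32"):]
    return path


def file_identity(path):
    """Size and MD5 of a file, hashed in chunks so large system DLLs are fine."""
    digest, size = hashlib.md5(), 0
    with open(real_system32_path(path), "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
            size += len(chunk)
    return {"size": size, "md5": digest.hexdigest()}


def same_file(original, copy, expected_md5=None):
    """Compare original and copy by size and MD5; optionally check against a known
    MD5 such as the one a VirusTotal report lists for the uploaded file."""
    a, b = file_identity(original), file_identity(copy)
    result = {"size_match": a["size"] == b["size"], "md5_match": a["md5"] == b["md5"], "md5": a["md5"]}
    if expected_md5 is not None:
        result["matches_expected"] = a["md5"] == expected_md5.lower()
    return result


def demo_on_constructed_files(tamper=False):
    """Build two temp files standing in for System32\\qmgr.dll and C:\\Suspect\\qmgr.dll."""
    with tempfile.TemporaryDirectory() as workdir:
        original, copy = os.path.join(workdir, "qmgr.dll"), os.path.join(workdir, "copy.dll")
        with open(original, "wb") as handle:
            handle.write(SAMPLE_CONTENT)
        with open(copy, "wb") as handle:
            handle.write(SAMPLE_CONTENT[:-1] + b"X" if tamper else SAMPLE_CONTENT)
        return same_file(original, copy, expected_md5=SAMPLE_MD5)
```

On a real system call `same_file(r"C:\Windows\System32\qmgr.dll", r"C:\Suspect\qmgr.dll", "7f0c...")` with the MD5 from the VT report; a size or MD5 mismatch means the copy uploaded was not the file the scanner flagged.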

No there is no stick in the Ignore, that really would be the last thing you would want if it were a good detection. Ignore just does nothing at that time, but the most important thing is to allow it to be “submitted to our virus lab for analysis.”

Well the anti-rootkit is a completely different scan than a common signature scan so an ordinary scan is unlikely to detect it. Check the C:\Documents and Settings\All Users\Application Data\Alwil Software\Avast5\log\aswAr.log (will be in a different location in win7) using notepad as this is the log file for the anti-rootkit scan.

Thank you DavidR.

I had already done a full scan with Avast and Malwarebytes and found nothing. However, after reading your last post I renamed the Rootkit logs and turned off/on my computer, waited about 15 minutes, and a Rootkit scan had been completed. I checked the log to make sure qmgr.dll had been scanned, and it had been. The Rootkit scan found nothing, so I really don’t know what to think at this point, although I’m leaning towards a FP.

I’ll take extra care for awhile and do some scanning with more tools, but at this point it looks like Avast made a mistake. If I find out I’m wrong I’ll post more information on the problem. It is odd that Avast would only complain once though. I’ve probably rebooted at least eight times today while researching the problem, and Avast only complained once.

Once again, thank you, and everyone, for your help.

You’re welcome.

Well if you had allowed the file to be sent for analysis (which should be a part of that detection) then it is entirely possible that it was found to be a hidden service, but not malicious, and an update to the virus definitions & engine was made. This would mean that subsequent anti-rootkit scans wouldn’t detect it.

The strange thing being more people haven’t reported it as I would have expected if this were an issue across the board. That file was included on my scan when I started my system this morning and nothing.

I got the same exact message currently. I am doing a reinstall and think this is the same message I got recently. I had ignored it and did a scan and found nothing in the scan.

FWIW, there is a checkbox on mine that states “Do not tell me about this rootkit in the future” which is distinct from the ignore message.

Not sure if it will give me the option to submit it if I ignore it…

Will find out.