I hope this is a false positive. During a Rootkit scan (about 8 minutes after I booted my PC this morning) avast says that ‘Process.exe’ is believed to be infected.
File name: C:\Windows\System 32\Process.exe
Type: Rootkit hidden process
Means of detection was ‘rootkit scan’ using heuristic method. The recommended action was to ‘Ignore’. I clicked ‘ignore’, left a box checked to ‘submit to Alwil team for analysis’ (not sure this actually occurred), then did the recommended ‘Boot time scan’. After about 20 or 30 minutes, Boot scan says nothing found. (aswboot.text below)
12/13/2008 09:48
Scan of all local drives
Number of searched folders: 4371
Number of tested files: 45182
Number of infected files: 0
I have avast 4.8.1296 with Vps 081212-0 (latest).
While typing this, Rootkit scan detected the same file again. I clicked ignore. I checked the file (process.exe) and it’s dated 6/5/2003 and is 52K in size.
Well that one is related to one in the %Windows% folder, but there are plenty of google hits that are in the system32 folder and are less than desirable.
Sorry David. I had posted the following response in the wrong thread. This time I’ll post a URL of VirusTotal instead of the partial image.
I think this is a false positive. I uploaded it to VirusTotal for analysis, and some report it as an undesirable program (avast says nothing though :-\ ). Looks like it’s part of SmitFraud fix. NOD32 calls it “Win32/PrcView”.
Just not sure why the date of the file is 2003. I downloaded Smitfraud fix in the past year… but maybe just a module of SmitFraud that didn’t need to be updated.
Sorry, but when you’re talking about a possible rootkit, “looks” just doesn’t cut it; 100% certainty is what is required, or as close as makes no difference.
Smitfraud is a tool and could just as easily have components used for malicious purposes; the fact that, as far as I’m aware, smitfraud doesn’t install anything in the system32 folder makes me less than certain this is anything to do with smitfraud.
And the obvious point everyone seems to be ignoring: smitfraud doesn’t run on boot, so why would something supposedly (as far as you and others think) be running hidden on every boot?
There could quite possibly be an innocent explanation for this (but smitfraud isn’t it), and that is what needs to be found. So google process.exe, find what other programs use this file name, and check whether you have any of them installed. Obviously sending it to avast when detected is advisable, as it certainly needs much further analysis.
It isn’t being detected by the normal avast detection signatures (why it isn’t in the VT results) but by the heuristic scanning of the anti-rootkit scan.
If the Rootkit scan detects something it means the process is actually active at that time? You’re right, SmitfraudFix was not running when avast popped up with the alert.
What I did for now is rename the file, ‘Process.exe’ to ‘Process.xxx’ so it won’t run. Then… I ran smitfraudfix. The program still runs fine. But… if I understand correctly, the file ‘Process.exe’ only runs if it needs to stop a suspicious process. Since Smitfraudfix finds nothing, it may not need it. But… there is a file ‘Process.exe’ in the ‘Smitfraud folder’ which may be the correct one. Not sure.
At my next boot, if avast finds another file as suspect, should I delete it then? The recommended action was to ‘ignore’.
Thanks.
<< edit >>
Had a thought…
I use LiveState Recovery to backup my HDD each week and keep 3 weeks worth of backups (complete image of my ‘C’ drive). I looked in my backup images 3 weeks ago and see that the file, ‘Process.exe’ was there on Nov 29, 2008. So this file has been there awhile… not new.
I would still follow the recommended action; if avast was more certain of the heuristic detection it would, I’m sure, recommend deletion.
Having run smitfraud again, if it was responsible for the file in the system32 folder then I would have expected it to replace the missing (renamed) file. Since it didn’t, that makes me feel more confident that it isn’t actually a part of smitfraud but something else. That is why I suggested checking out google hits for other applications that use process.exe.
For what it’s worth, I found the same thing yesterday. Went through the same boot scan and found nothing. avast! found it again after reboot, so I answered “Delete”, but not before checking the size. It is from: http://www.beyondlogic.org/consulting/processutil/processutil.htm
It still was left there, but when I looked inside, avast had written in it, making it non-runnable. I know this because I tried to run it on a VPC. Since I could no longer prove anything, I blew it away.
My problem is I never ran smitfraudfix or anything like it. So, I have no idea how it got there! There were no registry entries to run it, so I’m puzzled.
It isn’t a problem. As I have been saying all along, this isn’t a part of smitfraud; it is just a coincidence that smitfraud also uses this tool/file.
The problem with tools like this is that their function can be for good or bad, and there may be many different tools that would use this file. The difficult part is what application put it in the system32 folder and why it is running hidden on every boot.
A registry search for process.exe: a hidden process might also have its registry entry hidden, as you haven’t been able to find a registry entry responsible for running it.
So I’m not entirely sure what else can be done to pin down why it is there or running.
My system32\process.exe was surely created by Smitfraud. I checked the creation date of that system32\process.exe, and then did a Windows search to find files created on that same date. All files that came up were smitfraud files. There were 4 files in that Smitfraud folder that were also in the system32 directory. So smitfraud copied those files to system32 a few minutes after the Smitfraud folder was created - so I guess after I ran Smitfraud. They were the same files, no doubt about it.
I removed all those Smitfraud files, even though there wasn’t any real need for it.
As sure as we can be, as we can’t use any normal Windows tools, since that is what it is hidden from.
The avast anti-rootkit scan makes two lists to compare: what the Windows APIs, etc. say is running against a raw check on what is actually running. That is how rootkits are generally found, though there is no real information other than that this is a hidden process, as in the image posted by Rick F.
That is all well and good; however, it doesn’t account for why it would be a) running all the time and b) a hidden process. It also doesn’t account for why, if the file in the system32 folder is renamed or removed and you run smitfraud again, the missing/renamed file isn’t replaced.
So, having removed the smitfraud folder, rename the system32 file and recreate the smitfraud folder, and see if it is replaced. Run smitfraud and see if it is replaced.
So there is very much more to this than meets the eye.
Confusing yes, most certainly, but it is apparently running when the anti-rootkit scan takes place 8 minutes after boot.
I still don’t know what starts this (as people have tried to find an entry in registry) or why it needs to start at all or why it would need to be hidden.
I even tried the “REG Query” command to find any entry hidden with the “Looooooong name” trick. No “process.exe” anywhere. If it’s being started by the registry, it’s not directly. Has to be the registry starting something else that then starts “process.exe” and causes no errors if it’s removed, as I did. I wish I hadn’t let avast destroy the original process.exe file, so I could make sure it still worked as advertised (or kept running).
I have accounted for everything in the \Run and \RunOnce keys and non-MS services. Whatever it is/was, it is/was hidden well!
That Process.exe is not a running process and it doesn’t start by itself. That’s pretty sure. It’s a command line utility. Sure the name is suspicious, though.