Avast Found Rootkit - TrustedInstaller.exe

CarlTR6 · 13 Aug 2010

RockStar21 said:

Thanks guys for the suggestions. Copied the trustedinstaller.exe profdlp uploaded to the servicing folder and everything seems to be working fine. Ran sfc and did not find any integrity violations. So big thanks to profdlp for the upload and everyone else for their input!!

Best Regards,
RS21

That is good news! Glad you solved the problem. Thanks for reporting back.

rhj · 13 Aug 2010

I have the same problem, by proxy. I'm helping a friend try to restore TustedInstaller to their new Windows 7 Home Premium 64Bit machine after they deleted it using Avast. I found the same solution as is posted here, for Vista machines, and tried it. However the step of just copying it into the servicing folder failed miserably for me. I'm not a Windows 7 expert, or even that familiar, but I consider myself to be competent for a non-IT user.

I had no luck accessing the servicing folder. No matter what approach I took, access was denied. I could not copy and paste the copy of TrustedInstaller into the folder. The root admin account was similarly locked out which I found surprising. I suspect there is a simple step I didn't try (eg. turning off read only, or changing permissions for the folder, both of which I tried). It would be very helpfull if Rockstar posted how this is accomplished, or if someone else could.

Fortunately, we're prepared for a full restore approach, so we should be fine. However it would be great for future Avast users on Win7 if we could get all of the instructions in one thread. My experience of finding half finshed threads and solutions was very frustrating.

thefabe · 13 Aug 2010

RockStar21 said:

I deleted mine... could someone please upload a copy of trustedinstaller.exe for Windows 7 Home Premium 64-bit?

This is a good example of why I reccomend creating a restore point before you make any changes to your system be it installing a new program or whatever.
It just makes it so much easier to get your system back to where it was before.
I do it before I download a new program, then I scan the program with MSE or Avast or both then I install it. if I decide I no longer want it i can uninstall it then restore my system back to where it was.
I know this doesn't help you now but might want to try it in the future.
I'm not sure it would restore deleted system files. Hope you can get it sorted out without to much trouble but their is a lesson to be learned here, some are harder than others, but learned none the less. Fabe

profdlp · 13 Aug 2010

rhj said:

...I suspect there is a simple step I didn't try (eg. turning off read only, or changing permissions for the folder, both of which I tried)...

You can try using TakeOwn, unless that's one of the things that didn't work, of course. I'd just use it on the servicing folder located in C:\Windows\servicing.

Run the program and it will give you a new option to take ownership when you right-click a file or folder.

Don't go wild with it and try to take ownership of an entire drive or your whole Windows folder or something. I made that mistake during the Win7 beta period and regretted it.

Lasy B · 14 Aug 2010

logicearth said:

There is no need to go though that. Every single file the system needs is already extracted to C:\Windows\Winsxs

That's true. Didn't have my thinking head on!
Mine is in C:\Windows\winsxs\amd64_microsoft-windows-trustedinstaller_31bf3856ad364e35_6.1.7600.16385_none_ed02252b66d7bca2

Phone Man · 17 Aug 2010

A while back Avast! gave me the same report. After the next definition update it was fine. Guess they tweaked the definitions and it was causing a false positive.

Jim