Avast Found Rootkit - TrustedInstaller.exe

[seag33k]

I have a 2 day old install has had limited Internet contact to only install updates and AV/Firewall/Malware software. Avast prompted me with a Rootkit Found message pointing to C:\Windows\servicing\TrustedInstaller.exe. I ran Avast and Emsisoft Anti-Malware on the file in that location showing it is clean. My guess is that this is a false positive. Is anyone else aware of this notification? My work PC with Win 7 has this file as well, but I am running MSE on that machine.

Thanks!

 

[logicearth]

There is suppose to be said file on Windows. Maybe take a copy of the file and send it up to VirusTotal.com and have it checked.

 

[seag33k]

Thanks for the link! I got the following results:

File has already been analysed:


MD5: 840f7fb849f5887a49ba18c13b2da920 First received: 2009.08.26 17:49:21 UTC Date: 2010.05.27 20:16:22 UTC [<1D] Results: 0/41
I assume that this means that 0 out of the 41 AV engines found this to be a dangerous file? Not sure if it was also able to use the MD5 to compare with MS.

Thanks,

 

[logicearth]

0/41 means 0 of the 41 AVs flagged this file as dangerous....meaning it is safe.

 

[Warhammer68m]

Tell Avast to ignore that warning, or you won't be able to install any updates at all.

Avast seems to consider the TrustedInstaller (which is actually a hidden user account installed by windows update the first time you use it) as a rootkit since it tempers with critical system components and change the behavior of your windows OS. We can't assume it as a false positive, in fact the TrustedInstaller IS a rootkit, but not in the sense of a malicious one. It should be ignored and placed in the list of trusted software in most anti-virus software.

One of the drawbacks of that kind of detection, you never know if it is the real TrustedInstaller or a malicious one. If you receive the message only when you try to install software and especially updates, it should be safe to ignore the message. Otherwise, make sure that the message is not related to some malicious software that would make itself look as if it was the real TrustedInstaller. You should pay more attention especially when installing third party software that no one knows about, that could temper with critical system files. It could potentially hide malicious software that could compromise your Windows 7 installation.

 

[CarlTR6]

Good post, Warhammer.

 

[Corrine]

Good post, Warhammer.

Agreed!

 

[RockStar21]

I deleted mine... could someone please upload a copy of trustedinstaller.exe for Windows 7 Home Premium 64-bit?

 

[Airbot]

Why did you delete it? It's an important system component.

Run sfc/scannow with an elevated cmd prompt.

 

[CarlTR6]

I deleted mine... could someone please upload a copy of trustedinstaller.exe for Windows 7 Home Premium 64-bit?

Welcome to the forum, RockStar. A word of advice - don't mess with Windows system files.

 

[RockStar21]

Avast prompted me to and like a fool I followed the recommended action.

 

[RockStar21]

Tried sfc /scannow... got the following message.

"Another servicing or repair operation is currently running. Wait for this to finish and run sfc again."

I also noticed that Windows Modules Installer is not listed under services.

 

[Airbot]

Strange. maybe you could reboot, and try it again.

Can you do a system restore to before you deleted it?

 

[RockStar21]

Tried rebooting, tried safe mode... same message.

Unfortunately, before I realized I had a problem... I deleted my restore points.

 

[profdlp]

This is from Win 7 Home Premium 64-Bit. Not sure if that matters. (Except probably the 64-Bit part.) I'd use it only as a last resort if the SFC gets you nowhere.

Use at your own risk! :shock:

 

[CarlTR6]

If that does not work, you can try a repair install. Check these two threads:

http://www.sevenforums.com/tutorials/668-system-recovery-options.html

http://www.sevenforums.com/tutorials/3413-repair-install.html

 

[HammerHead]

Cab Files

Isn't there a convention to extract files from the cabs on the install disk. It used to run in a dos box (probably elevated)?

 

[Lasy B]

Isn't there a convention to extract files from the cabs on the install disk. It used to run in a dos box (probably elevated)?

There is a way but its a bit convoluted compared to XP. There's a tutorial here:- Extract Files from Windows 7 installation DVD. You'll need to download 7-zip though.

 

[RockStar21]

Thanks guys for the suggestions. Copied the trustedinstaller.exe profdlp uploaded to the servicing folder and everything seems to be working fine. Ran sfc and did not find any integrity violations. So big thanks to profdlp for the upload and everyone else for their input!!

Best Regards,
RS21

 

[logicearth]

Isn't there a convention to extract files from the cabs on the install disk. It used to run in a dos box (probably elevated)?

There is a way but its a bit convoluted compared to XP. There's a tutorial here:- Extract Files from Windows 7 installation DVD. You'll need to download 7-zip though.

There is no need to go though that. Every single file the system needs is already extracted to C:\Windows\Winsxs