Malware in File "C:\WINDOWS\system32\Process.exe"

[Guest steve281499]

I ran Zone Alarm Security spyware detection software last night and it

detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS

\system32\Process.exe" . The Zone security suite gave me the option

to quarantine the file of to delete the file. I am wondering if the

file it is listed as being in is an actual Win 32 file? Should I

delete the file?

 

Thanks!

 

Steve

[Guest Pegasus \(MVP\)]

Re: Malware in File "C:\WINDOWS\system32\Process.exe"

 

 

"steve281499" <steve281499@gmail.com> wrote in message

news:0b823844-c053-4904-b38b-d92fea175228@c65g2000hsa.googlegroups.com...

>I ran Zone Alarm Security spyware detection software last night and it

> detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS

> \system32\Process.exe" . The Zone security suite gave me the option

> to quarantine the file of to delete the file. I am wondering if the

> file it is listed as being in is an actual Win 32 file? Should I

> delete the file?

>

> Thanks!

>

> Steve

 

Process.exe does not appear to be a genuine Windows system file.

[Guest Thee Chicago Wolf]

Re: Malware in File "C:\WINDOWS\system32\Process.exe"

 

>I ran Zone Alarm Security spyware detection software last night and it

>detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS

>\system32\Process.exe" . The Zone security suite gave me the option

>to quarantine the file of to delete the file. I am wondering if the

>file it is listed as being in is an actual Win 32 file? Should I

>delete the file?

>

>Thanks!

>

>Steve

 

This is not a Windows XP file. Maybe double check it using Spybot S&D

1.6.

 

- Thee Chicago Wolf

[Guest Mike Cawood, HND BIT]

Re: Malware in File "C:\WINDOWS\system32\Process.exe"

 

"steve281499" <steve281499@gmail.com> wrote in message

news:0b823844-c053-4904-b38b-d92fea175228@c65g2000hsa.googlegroups.com...

>I ran Zone Alarm Security spyware detection software last night and it

> detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS

> \system32\Process.exe" . The Zone security suite gave me the option

> to quarantine the file of to delete the file. I am wondering if the

> file it is listed as being in is an actual Win 32 file? Should I

> delete the file?

>

> Thanks!

>

> Steve

 

Delete it then restart the computer.

There's no file called process.exe in my system32 folder.

Regards Mike.

[Guest Rey Santos]

RE: Malware in File "C:\WINDOWS\system32\Process.exe"

 

Read:

http://www.bleepingcomputer.com/startups/process.exe-7200.html

--

Rey

 

 

"steve281499" wrote:

> I ran Zone Alarm Security spyware detection software last night and it

> detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS

> \system32\Process.exe" . The Zone security suite gave me the option

> to quarantine the file of to delete the file. I am wondering if the

> file it is listed as being in is an actual Win 32 file? Should I

> delete the file?

>

> Thanks!

>

> Steve

>

[Guest Daave]

Re: Malware in File "C:\WINDOWS\system32\Process.exe"

 

Pegasus (MVP) wrote:

> "steve281499" <steve281499@gmail.com> wrote in message

> news:0b823844-c053-4904-b38b-d92fea175228@c65g2000hsa.googlegroups.com...

>> I ran Zone Alarm Security spyware detection software last night and

>> it detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS

>> \system32\Process.exe" . The Zone security suite gave me the option

>> to quarantine the file of to delete the file. I am wondering if the

>> file it is listed as being in is an actual Win 32 file? Should I

>> delete the file?

>>

>> Thanks!

>>

>> Steve

>

> Process.exe does not appear to be a genuine Windows system file.

 

Correct.

 

However, there *is* a file called qprocess.exe in the system32 folder.

[Guest David H. Lipman]

Re: Malware in File "C:\WINDOWS\system32\Process.exe"

 

From: "steve281499" <steve281499@gmail.com>

 

| I ran Zone Alarm Security spyware detection software last night and it

| detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS

| \system32\Process.exe" . The Zone security suite gave me the option

| to quarantine the file of to delete the file. I am wondering if the

| file it is listed as being in is an actual Win 32 file? Should I

| delete the file?

 

| Thanks!

 

| Steve

 

As others have noted, there is NO legitimate PROCESS.EXE in %windir%\system32

 

If you are unsure...

 

 

Please submit a sample to Virus Total --

http://www.virustotal.com/flash/index_en.html

The submission will then be tested against many different AV vendor's scanners.

That will give you an idea what it is and who recognizes it. In addition Virus

Total will provide the sample to all participating vendors.

 

You can also submit a suspect, one at a time, via the following email URL...

mailto:scan@virustotal.com?subject=SCAN

 

When you get the report, please post back the exact results.

 

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

[Guest David H. Lipman]

Re: Malware in File "C:\WINDOWS\system32\Process.exe"

 

From: "Thee Chicago Wolf" <.@.>

 

 

 

| This is not a Windows XP file. Maybe double check it using Spybot S&D

| 1.6.

 

| - Thee Chicago Wolf

 

NO !

 

This is not the correct procedure. SpyBot S&D is limited in scope and will likely produce

a False Negative.

 

Sending the file to Virus Total is the proper methodology as you would then have your one

sample examined by 33 anti virus scanners providing both heuristics and the wealth of

100's of thousands of signatures per AV vendor.

 

 

Please submit all samples to Virus Total at...

http://www.virustotal.com/flash/index_en.html

The submission(s) will then be tested against many different AV vendor's scanners.

That will give you an idea what it is and who recognizes it. In addition Virus

Total will provide the sample(s) to all participating vendors.

 

You can also submit a suspect, one at a time, via the following email URL...

mailto:scan@virustotal.com?subject=SCAN

 

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

[Guest MowGreen [MVP]]

Re: Malware in File "C:\WINDOWS\system32\Process.exe"

 

Were any anti-malware tools used previously that were recommended by a

helper on an anti-malware forum ?

It is not uncommon to include process.exe in said tools.

 

MowGreen [MVP 2003-2008]

===============

*-343-* FDNY

Never Forgotten

===============

 

 

steve281499 wrote:

> I ran Zone Alarm Security spyware detection software last night and it

> detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS

> \system32\Process.exe" . The Zone security suite gave me the option

> to quarantine the file of to delete the file. I am wondering if the

> file it is listed as being in is an actual Win 32 file? Should I

> delete the file?

>

> Thanks!

>

> Steve

[Guest Thee Chicago Wolf]

Re: Malware in File "C:\WINDOWS\system32\Process.exe"

 

>| This is not a Windows XP file. Maybe double check it using Spybot S&D

>| 1.6.

>

>| - Thee Chicago Wolf

>

>NO !

>

>This is not the correct procedure. SpyBot S&D is limited in scope and will likely produce

>a False Negative.

>

>Sending the file to Virus Total is the proper methodology as you would then have your one

>sample examined by 33 anti virus scanners providing both heuristics and the wealth of

>100's of thousands of signatures per AV vendor.

 

Give me a break. There are countless dozen utilities for determining

what this baddie is. The user isn't going to do forensics on it. They

want it deleted off their system if it is a threat. False negatives my

posterior.

 

- Thee Chicago Wolf

[Guest Pegasus \(MVP\)]

Re: Malware in File "C:\WINDOWS\system32\Process.exe"

 

 

"Daave" <dcwashNOSPAM@myrealboxXYZ.invalid> wrote in message

news:%23XEuovd4IHA.4488@TK2MSFTNGP03.phx.gbl...

> Pegasus (MVP) wrote:

>> "steve281499" <steve281499@gmail.com> wrote in message

>> news:0b823844-c053-4904-b38b-d92fea175228@c65g2000hsa.googlegroups.com...

>>> I ran Zone Alarm Security spyware detection software last night and

>>> it detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS

>>> \system32\Process.exe" . The Zone security suite gave me the option

>>> to quarantine the file of to delete the file. I am wondering if the

>>> file it is listed as being in is an actual Win 32 file? Should I

>>> delete the file?

>>>

>>> Thanks!

>>>

>>> Steve

>>

>> Process.exe does not appear to be a genuine Windows system file.

>

> Correct.

>

> However, there *is* a file called qprocess.exe in the system32 folder.

 

So? Malware is well noted for selecting file names that resemble

those of genuine Windows files.

[Guest David H. Lipman]

Re: Malware in File "C:\WINDOWS\system32\Process.exe"

 

From: "MowGreen [MVP]" <mowgreen@nowandzen.com>

 

| Were any anti-malware tools used previously that were recommended by a

| helper on an anti-malware forum ?

| It is not uncommon to include process.exe in said tools.

 

| MowGreen [MVP 2003-2008]

| ===============

| *-343-* FDNY

| Never Forgotten

| ===============

 

 

Usually however they are placed in the same folder as the utility and not placed in

%windir%\system32 and if so it would have been probably declared differently such as a

hacktool or processkiller, etc.

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

[Guest David H. Lipman]

Re: Malware in File "C:\WINDOWS\system32\Process.exe"

 

From: "Thee Chicago Wolf" <.@.>

 

 

 

| Give me a break. There are countless dozen utilities for determining

| what this baddie is. The user isn't going to do forensics on it. They

| want it deleted off their system if it is a threat. False negatives my

| posterior.

 

| - Thee Chicago Wolf

 

Yes, beside Virus Total there is the Virus.Org scanner [ http://scanner.virus.org/ ],

Jotti [ http://virusscan.jotti.org/ ] and VirScan [ http://www.virscan.org/ ].

 

These are the *best* ways to to determine if a given file is malicious with (in my

opinion) Virus Total being the best of the bunch.

 

This is NOT forensics. This is submitting one file to a service that will have the file

tested amongst a multiture of anti virus scanners.

 

Using ANUBIS may be considered a forensic examination of a give EXE sample.

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

[Guest David H. Lipman]

Re: Malware in File "C:\WINDOWS\system32\Process.exe"

 

From: "Pegasus (MVP)" <I.can@fly.com.oz>

>> However, there *is* a file called qprocess.exe in the system32 folder.

 

| So? Malware is well noted for selecting file names that resemble

| those of genuine Windows files.

 

 

Exactly. This is to obfuscate their malicious intent.

 

The most common name of a legitimate file is SVCHOST.EXE with a myriad of slight

variations.

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

[Guest Daave]

Re: Malware in File "C:\WINDOWS\system32\Process.exe"

 

Pegasus (MVP) wrote:

> "Daave" <dcwashNOSPAM@myrealboxXYZ.invalid> wrote in message

> news:%23XEuovd4IHA.4488@TK2MSFTNGP03.phx.gbl...

>> Pegasus (MVP) wrote:

>>> "steve281499" <steve281499@gmail.com> wrote in message

>>> news:0b823844-c053-4904-b38b-d92fea175228@c65g2000hsa.googlegroups.com...

>>>> I ran Zone Alarm Security spyware detection software last night and

>>>> it detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS

>>>> \system32\Process.exe" . The Zone security suite gave me the

>>>> option to quarantine the file of to delete the file. I am

>>>> wondering if the file it is listed as being in is an actual Win 32

>>>> file? Should I delete the file?

>>>>

>>>> Thanks!

>>>>

>>>> Steve

>>>

>>> Process.exe does not appear to be a genuine Windows system file.

>>

>> Correct.

>>

>> However, there *is* a file called qprocess.exe in the system32

>> folder.

>

> So? Malware is well noted for selecting file names that resemble

> those of genuine Windows files.

 

Good point. I only mentioned that because that might have been a typo on

Steve's part. Googling that message implied a false positive on ZA's

part.

 

But malware *always* needs to be ruled out. And if Steve has something

called Process.exe, it very well might be malware.

[Guest PA Bear [MS MVP]]

Re: Malware in File "C:\WINDOWS\system32\Process.exe"

 

Did you ever download/run SmitFraudFix?

 

steve281499 wrote:

> I ran Zone Alarm Security spyware detection software last night and it

> detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS

> \system32\Process.exe" . The Zone security suite gave me the option

> to quarantine the file of to delete the file. I am wondering if the

> file it is listed as being in is an actual Win 32 file? Should I

> delete the file?

>

> Thanks!

>

> Steve

[Guest MowGreen [MVP]]

Re: Malware in File "C:\WINDOWS\system32\Process.exe"

 

It's present here in sys32 from running an older malware removal tool

for testing purposes, David. Did get an FP on it from a-squared and it

was detected as a trojan, FWIW.

If Steve ever posts back perhaps we'll find out just "what" detected it

as a trojan. <w>

 

MG

 

 

David H. Lipman wrote:

> From: "MowGreen [MVP]" <mowgreen@nowandzen.com>

>

> | Were any anti-malware tools used previously that were recommended by a

> | helper on an anti-malware forum ?

> | It is not uncommon to include process.exe in said tools.

>

> | MowGreen [MVP 2003-2008]

> | ===============

> | *-343-* FDNY

> | Never Forgotten

> | ===============

>

>

> Usually however they are placed in the same folder as the utility and not placed in

> %windir%\system32 and if so it would have been probably declared differently such as a

> hacktool or processkiller, etc.

>