Guest steve281499 Posted July 9, 2008

I ran Zone Alarm Security spyware detection software last night and it detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS\system32\Process.exe". The Zone security suite gave me the option to quarantine the file or to delete the file. I am wondering if the file it is listed as being in is an actual Win32 file? Should I delete the file?

Thanks!

Steve
Guest Pegasus (MVP) Posted July 9, 2008
Re: Malware in File "C:\WINDOWS\system32\Process.exe"

"steve281499" <steve281499@gmail.com> wrote in message news:0b823844-c053-4904-b38b-d92fea175228@c65g2000hsa.googlegroups.com...
> I ran Zone Alarm Security spyware detection software last night and it
> detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS
> \system32\Process.exe". The Zone security suite gave me the option
> to quarantine the file or to delete the file. I am wondering if the
> file it is listed as being in is an actual Win32 file? Should I
> delete the file?
>
> Thanks!
>
> Steve

Process.exe does not appear to be a genuine Windows system file.
Guest Thee Chicago Wolf Posted July 9, 2008
Re: Malware in File "C:\WINDOWS\system32\Process.exe"

> I ran Zone Alarm Security spyware detection software last night and it
> detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS
> \system32\Process.exe". The Zone security suite gave me the option
> to quarantine the file or to delete the file. I am wondering if the
> file it is listed as being in is an actual Win32 file? Should I
> delete the file?
>
> Thanks!
>
> Steve

This is not a Windows XP file. Maybe double-check it using Spybot S&D 1.6.

- Thee Chicago Wolf
Guest Mike Cawood, HND BIT Posted July 9, 2008
Re: Malware in File "C:\WINDOWS\system32\Process.exe"

"steve281499" <steve281499@gmail.com> wrote in message news:0b823844-c053-4904-b38b-d92fea175228@c65g2000hsa.googlegroups.com...
> I ran Zone Alarm Security spyware detection software last night and it
> detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS
> \system32\Process.exe". The Zone security suite gave me the option
> to quarantine the file or to delete the file. I am wondering if the
> file it is listed as being in is an actual Win32 file? Should I
> delete the file?
>
> Thanks!
>
> Steve

Delete it, then restart the computer. There's no file called process.exe in my system32 folder.

Regards
Mike.
Guest Rey Santos Posted July 9, 2008
RE: Malware in File "C:\WINDOWS\system32\Process.exe"

Read: http://www.bleepingcomputer.com/startups/process.exe-7200.html

--
Rey

"steve281499" wrote:
> I ran Zone Alarm Security spyware detection software last night and it
> detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS
> \system32\Process.exe". The Zone security suite gave me the option
> to quarantine the file or to delete the file. I am wondering if the
> file it is listed as being in is an actual Win32 file? Should I
> delete the file?
>
> Thanks!
>
> Steve
Guest Daave Posted July 9, 2008
Re: Malware in File "C:\WINDOWS\system32\Process.exe"

Pegasus (MVP) wrote:
> "steve281499" <steve281499@gmail.com> wrote in message
> news:0b823844-c053-4904-b38b-d92fea175228@c65g2000hsa.googlegroups.com...
>> I ran Zone Alarm Security spyware detection software last night and
>> it detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS
>> \system32\Process.exe". The Zone security suite gave me the option
>> to quarantine the file or to delete the file. I am wondering if the
>> file it is listed as being in is an actual Win32 file? Should I
>> delete the file?
>>
>> Thanks!
>>
>> Steve
>
> Process.exe does not appear to be a genuine Windows system file.

Correct.

However, there *is* a file called qprocess.exe in the system32 folder.
Guest David H. Lipman Posted July 9, 2008
Re: Malware in File "C:\WINDOWS\system32\Process.exe"

From: "steve281499" <steve281499@gmail.com>

| I ran Zone Alarm Security spyware detection software last night and it
| detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS
| \system32\Process.exe". The Zone security suite gave me the option
| to quarantine the file or to delete the file. I am wondering if the
| file it is listed as being in is an actual Win32 file? Should I
| delete the file?
| Thanks!
| Steve

As others have noted, there is NO legitimate PROCESS.EXE in %windir%\system32.

If you are unsure...

Please submit a sample to Virus Total -- http://www.virustotal.com/flash/index_en.html

The submission will then be tested against many different AV vendors' scanners. That will give you an idea what it is and who recognizes it. In addition, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:scan@virustotal.com?subject=SCAN

When you get the report, please post back the exact results.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest David H. Lipman Posted July 9, 2008
Re: Malware in File "C:\WINDOWS\system32\Process.exe"

From: "Thee Chicago Wolf" <.@.>

| This is not a Windows XP file. Maybe double-check it using Spybot S&D
| 1.6.
| - Thee Chicago Wolf

NO!

This is not the correct procedure. SpyBot S&D is limited in scope and will likely produce a False Negative.

Sending the file to Virus Total is the proper methodology, as you would then have your one sample examined by 33 anti-virus scanners providing both heuristics and the wealth of 100's of thousands of signatures per AV vendor.

Please submit all samples to Virus Total at...
http://www.virustotal.com/flash/index_en.html

The submission(s) will then be tested against many different AV vendors' scanners. That will give you an idea what it is and who recognizes it. In addition, Virus Total will provide the sample(s) to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:scan@virustotal.com?subject=SCAN

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest MowGreen [MVP] Posted July 9, 2008
Re: Malware in File "C:\WINDOWS\system32\Process.exe"

Were any anti-malware tools used previously that were recommended by a helper on an anti-malware forum? It is not uncommon to include process.exe in said tools.

MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============

steve281499 wrote:
> I ran Zone Alarm Security spyware detection software last night and it
> detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS
> \system32\Process.exe". The Zone security suite gave me the option
> to quarantine the file or to delete the file. I am wondering if the
> file it is listed as being in is an actual Win32 file? Should I
> delete the file?
>
> Thanks!
>
> Steve
Guest Thee Chicago Wolf Posted July 9, 2008
Re: Malware in File "C:\WINDOWS\system32\Process.exe"

>| This is not a Windows XP file. Maybe double-check it using Spybot S&D
>| 1.6.
>
>| - Thee Chicago Wolf
>
> NO!
>
> This is not the correct procedure. SpyBot S&D is limited in scope and will likely produce
> a False Negative.
>
> Sending the file to Virus Total is the proper methodology, as you would then have your one
> sample examined by 33 anti-virus scanners providing both heuristics and the wealth of
> 100's of thousands of signatures per AV vendor.

Give me a break. There are countless dozen utilities for determining what this baddie is. The user isn't going to do forensics on it. They want it deleted off their system if it is a threat. False negatives my posterior.

- Thee Chicago Wolf
Guest Pegasus (MVP) Posted July 9, 2008
Re: Malware in File "C:\WINDOWS\system32\Process.exe"

"Daave" <dcwashNOSPAM@myrealboxXYZ.invalid> wrote in message news:%23XEuovd4IHA.4488@TK2MSFTNGP03.phx.gbl...
> Pegasus (MVP) wrote:
>> "steve281499" <steve281499@gmail.com> wrote in message
>> news:0b823844-c053-4904-b38b-d92fea175228@c65g2000hsa.googlegroups.com...
>>> I ran Zone Alarm Security spyware detection software last night and
>>> it detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS
>>> \system32\Process.exe". The Zone security suite gave me the option
>>> to quarantine the file or to delete the file. I am wondering if the
>>> file it is listed as being in is an actual Win32 file? Should I
>>> delete the file?
>>>
>>> Thanks!
>>>
>>> Steve
>>
>> Process.exe does not appear to be a genuine Windows system file.
>
> Correct.
>
> However, there *is* a file called qprocess.exe in the system32 folder.

So? Malware is well noted for selecting file names that resemble those of genuine Windows files.
Guest David H. Lipman Posted July 9, 2008
Re: Malware in File "C:\WINDOWS\system32\Process.exe"

From: "MowGreen [MVP]" <mowgreen@nowandzen.com>

| Were any anti-malware tools used previously that were recommended by a
| helper on an anti-malware forum?
| It is not uncommon to include process.exe in said tools.

| MowGreen [MVP 2003-2008]
| ===============
| *-343-* FDNY
| Never Forgotten
| ===============

Usually, however, they are placed in the same folder as the utility and not placed in %windir%\system32, and if so it would probably have been declared differently, such as a hacktool or process killer, etc.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest David H. Lipman Posted July 9, 2008
Re: Malware in File "C:\WINDOWS\system32\Process.exe"

From: "Thee Chicago Wolf" <.@.>

| Give me a break. There are countless dozen utilities for determining
| what this baddie is. The user isn't going to do forensics on it. They
| want it deleted off their system if it is a threat. False negatives my
| posterior.
| - Thee Chicago Wolf

Yes, besides Virus Total there is the Virus.Org scanner [ http://scanner.virus.org/ ], Jotti [ http://virusscan.jotti.org/ ] and VirScan [ http://www.virscan.org/ ]. These are the *best* ways to determine if a given file is malicious, with (in my opinion) Virus Total being the best of the bunch.

This is NOT forensics. This is submitting one file to a service that will have the file tested amongst a multitude of anti-virus scanners.

Using ANUBIS may be considered a forensic examination of a given EXE sample.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest David H. Lipman Posted July 9, 2008
Re: Malware in File "C:\WINDOWS\system32\Process.exe"

From: "Pegasus (MVP)" <I.can@fly.com.oz>

>> However, there *is* a file called qprocess.exe in the system32 folder.

| So? Malware is well noted for selecting file names that resemble
| those of genuine Windows files.

Exactly. This is to obfuscate their malicious intent. The most common name of a legitimate file is SVCHOST.EXE, with a myriad of slight variations.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
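The two practical checks raised in this thread, Dave's advice to get a multi-engine verdict on the file and Pegasus's and Dave's point that malware picks names one character away from genuine ones (SVCHOST.EXE and friends), can be scripted. The Python below is an added example, not code from the thread or from any of the tools it mentions. It assumes a small illustrative allow-list of system32 names (KNOWN_SYSTEM32, not an authoritative inventory), folds common homoglyph swaps (0/o, 1/l, 5/s), measures edit distance with adjacent transpositions so "scvhost.exe" counts as one step from "svchost.exe", and computes the SHA-256 of a sample so it can be searched on VirusTotal by hash before (or instead of) uploading the file. The directory listing in the demo is constructed.

```python
"""Triage a filename found in %windir%\\system32 before choosing quarantine or delete.

Added example, not part of the original thread. Checks:
  1. Is the name a near-miss of a genuine system file (svch0st.exe, scvhost.exe, ...)?
  2. What is the sample's SHA-256, for a hash lookup on a multi-engine scanner?
KNOWN_SYSTEM32 is an illustrative assumption, not a complete or authoritative list.
"""
import hashlib

# Assumption: a handful of names that genuinely live in system32 on Windows XP.
# A real check would use the full inventory plus Authenticode signature status.
KNOWN_SYSTEM32 = {
    "svchost.exe", "qprocess.exe", "lsass.exe", "csrss.exe", "smss.exe",
    "winlogon.exe", "services.exe", "spoolsv.exe", "taskmgr.exe",
}

# Characters commonly swapped for visually similar ones in fake names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "5": "s", "|": "l"})


def normalize(name: str) -> str:
    """Lower-case and fold look-alike characters so svch0st compares as svchost."""
    return name.lower().translate(HOMOGLYPHS)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transpositions,
    so a swapped pair of letters costs 1 rather than 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(name: str, known=KNOWN_SYSTEM32, max_dist: int = 1) -> str:
    """Return 'known', 'lookalike:<genuine name>' or 'unknown'.

    The exact (lower-cased) name must match to count as known; a match only after
    homoglyph folding, or within max_dist edits, is reported as a look-alike."""
    raw = name.lower()
    if raw in known:
        return "known"
    folded = normalize(raw)
    best = min(sorted(known), key=lambda good: osa_distance(folded, good))
    if osa_distance(folded, best) <= max_dist:
        return f"lookalike:{best}"
    return "unknown"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of in-memory sample bytes; use it to search a scanner by hash."""
    return hashlib.sha256(data).hexdigest()


def file_sha256(path: str) -> str:
    """SHA-256 of a file on disk, streamed so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(names) -> dict:
    """Classify every name in a listing. 'known' only means the name is genuine;
    the file behind it still deserves a hash or signature check."""
    return {n: classify(n) for n in names}


if __name__ == "__main__":
    # Constructed listing for the demo, not a real scan of any machine.
    listing = ["svchost.exe", "svch0st.exe", "scvhost.exe",
               "Process.exe", "qprocess.exe", "helper32.exe"]
    for name, verdict in triage(listing).items():
        print(f"{name:14} {verdict}")
    sample = b"MZ constructed sample bytes, not a real binary"
    print("sha256 of constructed sample:", sha256_hex(sample))
```

Note that "Process.exe" comes back as a look-alike of qprocess.exe, which is exactly Daave's and Pegasus's exchange in code form: the near-miss is a reason to treat the file as suspect, not as legitimate, and the hash is what to search for on a multi-engine scanner before deciding whether to upload it.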
Guest Daave Posted July 9, 2008
Re: Malware in File "C:\WINDOWS\system32\Process.exe"

Pegasus (MVP) wrote:
> "Daave" <dcwashNOSPAM@myrealboxXYZ.invalid> wrote in message
> news:%23XEuovd4IHA.4488@TK2MSFTNGP03.phx.gbl...
>> Pegasus (MVP) wrote:
>>> "steve281499" <steve281499@gmail.com> wrote in message
>>> news:0b823844-c053-4904-b38b-d92fea175228@c65g2000hsa.googlegroups.com...
>>>> I ran Zone Alarm Security spyware detection software last night and
>>>> it detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS
>>>> \system32\Process.exe". The Zone security suite gave me the
>>>> option to quarantine the file or to delete the file. I am
>>>> wondering if the file it is listed as being in is an actual Win32
>>>> file? Should I delete the file?
>>>>
>>>> Thanks!
>>>>
>>>> Steve
>>>
>>> Process.exe does not appear to be a genuine Windows system file.
>>
>> Correct.
>>
>> However, there *is* a file called qprocess.exe in the system32
>> folder.
>
> So? Malware is well noted for selecting file names that resemble
> those of genuine Windows files.

Good point. I only mentioned that because that might have been a typo on Steve's part. Googling that message implied a false positive on ZA's part. But malware *always* needs to be ruled out. And if Steve has something called Process.exe, it very well might be malware.
Guest PA Bear [MS MVP] Posted July 9, 2008
Re: Malware in File "C:\WINDOWS\system32\Process.exe"

Did you ever download/run SmitFraudFix?

steve281499 wrote:
> I ran Zone Alarm Security spyware detection software last night and it
> detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS
> \system32\Process.exe". The Zone security suite gave me the option
> to quarantine the file or to delete the file. I am wondering if the
> file it is listed as being in is an actual Win32 file? Should I
> delete the file?
>
> Thanks!
>
> Steve
Guest MowGreen [MVP] Posted July 9, 2008
Re: Malware in File "C:\WINDOWS\system32\Process.exe"

It's present here in sys32 from running an older malware removal tool for testing purposes, David. Did get an FP on it from a-squared and it was detected as a trojan, FWIW. If Steve ever posts back, perhaps we'll find out just "what" detected it as a trojan. <w>

MG

David H. Lipman wrote:
> From: "MowGreen [MVP]" <mowgreen@nowandzen.com>
>
> | Were any anti-malware tools used previously that were recommended by a
> | helper on an anti-malware forum?
> | It is not uncommon to include process.exe in said tools.
>
> | MowGreen [MVP 2003-2008]
> | ===============
> | *-343-* FDNY
> | Never Forgotten
> | ===============
>
>
> Usually, however, they are placed in the same folder as the utility and not placed in
> %windir%\system32, and if so it would probably have been declared differently, such as a
> hacktool or process killer, etc.
>