Malware in File "C:\WINDOWS\system32\Process.exe"


Guest steve281499
Posted

I ran Zone Alarm Security spyware detection software last night and it detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS\system32\Process.exe". The Zone security suite gave me the option to quarantine the file or to delete the file. I am wondering if the file it is listed as being in is an actual Win 32 file? Should I delete the file?

Thanks!

Steve

Guest Pegasus \(MVP\)
Posted

"steve281499" <steve281499@gmail.com> wrote in message
news:0b823844-c053-4904-b38b-d92fea175228@c65g2000hsa.googlegroups.com...
> I ran Zone Alarm Security spyware detection software last night and it
> detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS
> \system32\Process.exe". The Zone security suite gave me the option
> to quarantine the file or to delete the file. I am wondering if the
> file it is listed as being in is an actual Win 32 file? Should I
> delete the file?
>
> Thanks!
>
> Steve

Process.exe does not appear to be a genuine Windows system file.

Guest Mike Cawood, HND BIT
Posted

"steve281499" <steve281499@gmail.com> wrote in message
news:0b823844-c053-4904-b38b-d92fea175228@c65g2000hsa.googlegroups.com...
> I ran Zone Alarm Security spyware detection software last night and it
> detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS
> \system32\Process.exe". The Zone security suite gave me the option
> to quarantine the file or to delete the file. I am wondering if the
> file it is listed as being in is an actual Win 32 file? Should I
> delete the file?
>
> Thanks!
>
> Steve

Delete it, then restart the computer.
There's no file called process.exe in my system32 folder.

Regards, Mike.

Guest Rey Santos
Posted

Read:
http://www.bleepingcomputer.com/startups/p...s.exe-7200.html

--
Rey

"steve281499" wrote:
> I ran Zone Alarm Security spyware detection software last night and it
> detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS
> \system32\Process.exe". The Zone security suite gave me the option
> to quarantine the file or to delete the file. I am wondering if the
> file it is listed as being in is an actual Win 32 file? Should I
> delete the file?
>
> Thanks!
>
> Steve

Guest Daave
Posted

Pegasus (MVP) wrote:
> "steve281499" <steve281499@gmail.com> wrote in message
> news:0b823844-c053-4904-b38b-d92fea175228@c65g2000hsa.googlegroups.com...
>> I ran Zone Alarm Security spyware detection software last night and
>> it detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS
>> \system32\Process.exe". The Zone security suite gave me the option
>> to quarantine the file or to delete the file. I am wondering if the
>> file it is listed as being in is an actual Win 32 file? Should I
>> delete the file?
>>
>> Thanks!
>>
>> Steve
>
> Process.exe does not appear to be a genuine Windows system file.

Correct.

However, there is a file called qprocess.exe in the system32 folder.

Guest David H. Lipman
Posted

From: "steve281499" <steve281499@gmail.com>

| I ran Zone Alarm Security spyware detection software last night and it
| detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS
| \system32\Process.exe". The Zone security suite gave me the option
| to quarantine the file or to delete the file. I am wondering if the
| file it is listed as being in is an actual Win 32 file? Should I
| delete the file?
|
| Thanks!
|
| Steve

As others have noted, there is NO legitimate PROCESS.EXE in %windir%\system32.

If you are unsure...

Please submit a sample to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, Virus
Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:scan@virustotal.com?subject=SCAN

When you get the report, please post back the exact results.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest MowGreen [MVP]
Posted

Were any anti-malware tools used previously that were recommended by a
helper on an anti-malware forum?
It is not uncommon to include process.exe in said tools.

MowGreen [MVP 2003-2008]
===============
-343- FDNY
Never Forgotten
===============

steve281499 wrote:
> I ran Zone Alarm Security spyware detection software last night and it
> detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS
> \system32\Process.exe". The Zone security suite gave me the option
> to quarantine the file or to delete the file. I am wondering if the
> file it is listed as being in is an actual Win 32 file? Should I
> delete the file?
>
> Thanks!
>
> Steve

Guest Pegasus \(MVP\)
Posted

"Daave" <dcwashNOSPAM@myrealboxXYZ.invalid> wrote in message
news:%23XEuovd4IHA.4488@TK2MSFTNGP03.phx.gbl...
> Pegasus (MVP) wrote:
>> "steve281499" <steve281499@gmail.com> wrote in message
>> news:0b823844-c053-4904-b38b-d92fea175228@c65g2000hsa.googlegroups.com...
>>> I ran Zone Alarm Security spyware detection software last night and
>>> it detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS
>>> \system32\Process.exe". The Zone security suite gave me the option
>>> to quarantine the file or to delete the file. I am wondering if the
>>> file it is listed as being in is an actual Win 32 file? Should I
>>> delete the file?
>>>
>>> Thanks!
>>>
>>> Steve
>>
>> Process.exe does not appear to be a genuine Windows system file.
>
> Correct.
>
> However, there is a file called qprocess.exe in the system32 folder.

So? Malware is well noted for selecting file names that resemble
those of genuine Windows files.

Guest David H. Lipman
Posted

From: "MowGreen [MVP]" <mowgreen@nowandzen.com>

| Were any anti-malware tools used previously that were recommended by a
| helper on an anti-malware forum?
| It is not uncommon to include process.exe in said tools.
|
| MowGreen [MVP 2003-2008]
| ===============
| -343- FDNY
| Never Forgotten
| ===============

Usually, however, they are placed in the same folder as the utility and not in
%windir%\system32, and if so it would probably have been declared differently, such as a
hacktool or processkiller, etc.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest David H. Lipman
Posted

From: "Pegasus (MVP)" <I.can@fly.com.oz>

>> However, there is a file called qprocess.exe in the system32 folder.

| So? Malware is well noted for selecting file names that resemble
| those of genuine Windows files.

Exactly. This is to obfuscate their malicious intent.

The most common name of a legitimate file is SVCHOST.EXE, with a myriad of slight
variations.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
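The point Pegasus and Dave make above (a name one character away from qprocess.exe, svchost.exe spelled with slight variations, a legitimate name sitting in the wrong folder) can be turned into a simple triage check. This is an added example written for this thread, not code from any poster; the allowlist of legitimate names and their directories is a small constructed subset, and the edit-distance threshold is an assumption.

```python
import ntpath

# Constructed allowlist of a few well-known Windows binaries and the directory
# each belongs in (lower-case). A real check would use a full inventory of a
# clean install plus Authenticode signature verification, not this short list.
KNOWN_SYSTEM_FILES = {
    "svchost.exe": r"c:\windows\system32",
    "qprocess.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

def edit_distance(a, b):
    """Levenshtein distance: minimum single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def classify(path, max_distance=2):
    """Classify a full path as 'known', 'misplaced', 'lookalike' or 'unknown'.

    Returns (verdict, reference_name). 'misplaced' means a legitimate name in
    a directory it does not belong in; 'lookalike' means the name is within
    max_distance edits of a legitimate one (the threshold is an assumption).
    """
    norm = path.replace("/", "\\").lower()
    directory, name = ntpath.split(norm)
    directory = directory.rstrip("\\")
    if name in KNOWN_SYSTEM_FILES:
        if directory == KNOWN_SYSTEM_FILES[name]:
            return ("known", name)
        return ("misplaced", name)
    best = None
    for known in KNOWN_SYSTEM_FILES:
        d = edit_distance(name, known)
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, known)
    return ("lookalike", best[1]) if best else ("unknown", None)

if __name__ == "__main__":
    for p in (r"C:\WINDOWS\system32\Process.exe", r"C:\Users\steve\AppData\Local\Temp\svchost.exe"):
        print(p, "->", classify(p))
```

A 'lookalike' or 'misplaced' verdict is a reason to submit the file for scanning, as Dave suggests, not proof of malware on its own.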

Guest Daave
Posted

Pegasus (MVP) wrote:
> "Daave" <dcwashNOSPAM@myrealboxXYZ.invalid> wrote in message
> news:%23XEuovd4IHA.4488@TK2MSFTNGP03.phx.gbl...
>> Pegasus (MVP) wrote:
>>> "steve281499" <steve281499@gmail.com> wrote in message
>>> news:0b823844-c053-4904-b38b-d92fea175228@c65g2000hsa.googlegroups.com...
>>>> I ran Zone Alarm Security spyware detection software last night and
>>>> it detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS
>>>> \system32\Process.exe". The Zone security suite gave me the
>>>> option to quarantine the file or to delete the file. I am
>>>> wondering if the file it is listed as being in is an actual Win 32
>>>> file? Should I delete the file?
>>>>
>>>> Thanks!
>>>>
>>>> Steve
>>>
>>> Process.exe does not appear to be a genuine Windows system file.
>>
>> Correct.
>>
>> However, there is a file called qprocess.exe in the system32
>> folder.
>
> So? Malware is well noted for selecting file names that resemble
> those of genuine Windows files.

Good point. I only mentioned that because that might have been a typo on
Steve's part. Googling that message implied a false positive on ZA's
part.

But malware always needs to be ruled out. And if Steve has something
called Process.exe, it very well might be malware.

Guest PA Bear [MS MVP]
Posted

Did you ever download/run SmitFraudFix?

steve281499 wrote:
> I ran Zone Alarm Security spyware detection software last night and it
> detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS
> \system32\Process.exe". The Zone security suite gave me the option
> to quarantine the file or to delete the file. I am wondering if the
> file it is listed as being in is an actual Win 32 file? Should I
> delete the file?
>
> Thanks!
>
> Steve

Guest MowGreen [MVP]
Posted

It's present here in sys32 from running an older malware removal tool
for testing purposes, David. Did get an FP on it from a-squared and it
was detected as a trojan, FWIW.
If Steve ever posts back perhaps we'll find out just "what" detected it
as a trojan. <w>

MG

David H. Lipman wrote:
> From: "MowGreen [MVP]" <mowgreen@nowandzen.com>
>
> | Were any anti-malware tools used previously that were recommended by a
> | helper on an anti-malware forum?
> | It is not uncommon to include process.exe in said tools.
>
> | MowGreen [MVP 2003-2008]
> | ===============
> | -343- FDNY
> | Never Forgotten
> | ===============
>
> Usually, however, they are placed in the same folder as the utility and not in
> %windir%\system32, and if so it would probably have been declared differently, such as a
> hacktool or processkiller, etc.
