Welcome to MalwareRemoval.com

Malware Removal Instructions

Win32.TrojanSpy.banker


Re: Win32.TrojanSpy.banker

Post by six-h » February 6th, 2008, 3:32 pm

Hi Scotty,
Any point in me keeping the Kaspersky scanner open?
Just don't want to have to go through the download process again if we have to do another scan! :|

six-h

Re: Win32.TrojanSpy.banker

Post by Scotty » February 6th, 2008, 3:56 pm

Hi

You are ok to close it. Back soon.

Re: Win32.TrojanSpy.banker

Post by six-h » February 7th, 2008, 10:46 am

Hi Scotty,

Forgive my impatience, but hunting around for information on this trojan has led me back to "Sys32.Process.20",
which I thought was more nuisance than problem.
I did a search for "process.exe" in the sys32 folder, and it turned up an entry: "qprocess.exe", 20 KB application, last modified 04/08/2004 00:56!

Now I'm really spooked.
This has lain undetected through all my visits to this forum, and scans with everything known to man!!!
Fortunately, I've never "Banked" online (paranoia) but I've used two credit cards which are still current, and my debit card which I've now changed.
Happily, I've not had any unidentified traffic on any of my cards.

Are you having problems with my Kaspersky results?
Why were 65 items listed as "locked"?

I may have to go out this afternoon for an hour or so, but would really appreciate some reassurance!!
:cry:
six-h

Re: Win32.TrojanSpy.banker

Post by Scotty » February 7th, 2008, 11:19 am

Hi

This file could well be a false positive. Could you tell me the full file name? Kaspersky didn't find anything; those locked files are not bad.

This is an example of a file name
C:\Windows\System32\blah.dll.

If you look at the Quarantined file, you should see the name. If you are unsure just tell me everything you see about it.

Re: Win32.TrojanSpy.banker

Post by six-h » February 7th, 2008, 11:39 am

Thanks for coming back Scotty,
The file path is: C:\WINDOWS\system32\process.exe

As I say, searching the sys32 folder lists it now as "qprocess.exe".
Hope it is a false positive, but I'm increasingly worried by the strange behaviour at bootup (desktop build).
Why on earth would that be affected by it? :shock:
Back in an hour or so ;)
six-h

Re: Win32.TrojanSpy.banker

Post by six-h » February 7th, 2008, 5:09 pm

Hi Scotty,

You still there?
Or like me, running out of ideas! :roll:

I've been over my search of the sys 32 folder again,
'cos I notice that the file quarantined by a-Squared is "Process.exe" (capital P).
I was searching for "process.exe" (lower case p),
thought it might change things, but my new search with a capital "P" still pulls up "qprocess.exe".

Discussing it on the PCA forum, someone came back and pointed out that "qprocess.exe" is in fact a bona-fide Windows file. "Query process Utility, File version 5.1.2600.2180"
I didn't know that! :shock:

Since a-Squared has quarantined something called "Process.exe", I thought that my search of the sys32 folder had indeed found the file, and prefixed it with a "q" for quarantined.
It appears this is not the case.

Given that a-Squared has quarantined "Process.exe", is it now invisible to the Windows "search" facility?? :?:

How about releasing it, just to try a reboot and see if it is in fact that which is cocking up my startup?
Then re-capturing it with a-Squared. :!:

six-h

Re: Win32.TrojanSpy.banker

Post by Scotty » February 7th, 2008, 5:37 pm

Hi

I'll try and be back asap. I've been busy domestically.

Re: Win32.TrojanSpy.banker

Post by Scotty » February 11th, 2008, 11:50 am

Hi six-h

You can reinstate that file although I do not see it being the cause of any problems.

It is situated in the System32 folder, which is where some of the tools, i.e. Smitfraudfix, place process.exe. That is a harmless file flagged up by some anti-viruses as "riskware".

If it had been in the Windows folder only, then I would have said yes that is what you feared. When Beynac assisted you, it may have been one of the tools he used that installed that file or perhaps something someone suggested at PCA.

To put your mind at rest reinstate the file then do this.

Go to http://virusscan.jotti.org
Copy the following line into the white textbox:
C:\WINDOWS\system32\process.exe
Click Submit.
Please post the results of this scan to this thread.

Also, describe the Desktop problems in more detail, and we'll see if we can find a solution.

Re: Win32.TrojanSpy.banker

Post by six-h » February 13th, 2008, 12:33 pm

Sorry for the delay Scotty,
The good weather down here enticed me outside!
God knows, we don't get much of it. The down side is of course that the garden begins to demand attention, not that I've got much more than a patch of grass and some dirt!!

Relieved to hear that process.exe may be harmless, do you know how to get a-Squared to release it?
I suspect that once in the wild again, maybe my Desktop build will return to normal (hopes!).

If you can instruct me on how to "let it go", I'll do that, and then do a re-start, and post back with the outcome.

Whilst out, the sun soaked through my thinning thatch and I began thinking where this could have come from.
Round about Dec 5th, my gmail account came under attack from phishers.
All credit to the G-mail spam filters, which caught almost every one!
In an effort to help stamp out these pests, I struggled to find a way to forward these messages to the banks (supposedly) concerned complete with the necessary header info.
The way I initially did it was to open the message in my browser, then to the right of the "reply" button, clicked the down pointing arrow. From that list, I selected "Show Original", then from the "edit" menu, "select all", followed by "copy".
I then opened my pop3 account in Outlook Express, and pasted the resulting text into a message and sent it to the bank concerned. :)
It was only after doing this 5 times, that I was told that I could have done it more simply in g-mail by just selecting "forward" from the menu that opens when clicking the down arrow next to "reply".
Maybe this copying and pasting invited the creature onto my machine??
I was careful not to click on anything in the messages for fear that it might alert the sender that my address was in fact valid. To be truthful, I'm still not sure if even opening such messages would alert them. But I understand that opening such a message within g-mail protects me from anything that may jump out and bite me on the bum! :shock:
Is that correct?? :?
There was a bit of a lull in receiving these mails towards the end of Jan, but they've started again this last few days, so I'm still forwarding them to the banks concerned. Tiresome!!

Sorry to witter on, but maybe there's something that may shed light in there :D

I'll go now, 'cos I'm fighting a battle with Windows update that keeps whining at me to do a re-start!

six-h

Re: Win32.TrojanSpy.banker

Post by Scotty » February 13th, 2008, 1:19 pm

Hi

Do this bit first.

Go to http://virusscan.jotti.org
Copy the following line into the white textbox:
C:\WINDOWS\system32\process.exe
Click Submit.
Please post the results of this scan to this thread.

Also, describe the Desktop problems in more detail, and we'll see if we can find a solution.

Re: Win32.TrojanSpy.banker

Post by six-h » February 13th, 2008, 1:53 pm

Back again Scotty!

Discovered how to re-instate "Process.exe", and done a restart. :)
The Desktop build is still out of character :(

On booting up, I get the usual Energy star screen, followed by the DOS screen, then the "Windows Loading screen", all as usual. The change comes with the "Welcome screen" which used to be accompanied with the music.

Now, I see the welcome screen in silence, and the desktop starts to build.

Watching the System tray, the first item to appear, after the clock, is the "Realmon" icon (part of e-trust anti virus), showing that it is monitoring in/outbound files. The fact that this was never the first to appear is perhaps not significant, but it now appears in a disabled state (with a red cross over it). The build continues with the icons for Power Cinima, ATI, Prism LAN card (which again appears disabled, unlike before), then the icons for Ulead Calendar checker, Wireless Keyboard, 3D Audio configuration, and (this is unusual) the icon for e-trust anti virus "downloading" - but it's not downloading, it just sits there for a few minutes then disappears! Only to appear about 6/8 minutes later and actually download, or at least make contact, as was usual.
Meanwhile, build continues, with icons for my scanner, "safely remove hardware", volume control, and at some point, the "welcome music" plays, and the "disabled" icons are activated then there is a few seconds pause, before icons for my LAN, and WAN appear.
Finally, something called "LED Hotkey" appears in the taskbar, and stays there until I right click and close it. That used to just appear briefly for less than a second, previously!
Oh, I don't know why,but my wireless mouse and Keyboard seem to have two icons related to them.
one called "Wireless Keyboard Einstellung" (Installation), which just has the options of exit, and position of the onscreen display.
The other icon, which I more frequently need, has the form of a keyboard icon, when clicked brings up the on screen display, showing the state of the Caps, Num, and Scroll locks, along with battery condition indication.
This icon for some reason disappears, and I can't get it back.
I can find it in "desktop properties", under "Past Items", but don't know how to get it to show again!

All these changes happened after I quarantined all that a-Squared found.
Just releasing "Process.exe" has not altered any of these changes.
Could it be that something else in the quarantine list is causing this??

Pheww that was a long one!! :mrgreen:
six-h

Re: Win32.TrojanSpy.banker

Post by six-h » February 13th, 2008, 1:57 pm

Sorry again Scotty,

Didn't see your last post till I posted my last! :(
Do you still want me to run the virus scan, even though I've let "process.exe" free?? :?

six-h

Re: Win32.TrojanSpy.banker

Post by Scotty » February 14th, 2008, 12:45 pm

Hello

The key point of what you said is that the problems arose after A-squared quarantined everything. I have been informed that A-squared is notorious for false-positives and your next course of action is to post on their forums click here

Re: Win32.TrojanSpy.banker

Post by six-h » February 14th, 2008, 2:04 pm

Hi Scotty


I've already started a thread on the a-Squared forum, trying to find out about process.exe, and didn't realise that they don't mail you to advise of postings against your thread, so I just looked, and there are a few posts advising me to post in their malware removal section. :o
I had already said that it was under investigation here, and that I would do nothing till you had cleaned me.
A guy called "ShadowPuterDude" advises that:
Many malware removal tools make use of process.exe, including tools that I have written.

So that seems to confirm your findings that process.exe is harmless.
They also advised me to scan with jotti; I still have not run this scan, waiting for your instruction:

Do you still want me to run the virus scan, even though I've let "process.exe" free??



Regarding:
The key point of what you said is that the problems arose after A-squared quarantined everything. I have been informed that A-squared is notorious for false-positives and your next course of action is to post on their forums click here

Things are not that simple (are they ever!). I had not re-booted between the AdAware scan that captured and removed "TrojanSpy.Banker" and running the a-Squared scan that quarantined process.exe..... so I suppose it could be either one that has caused the changes to my desktop build!? :shock:

I do understand the problems that cross posting can cause, and don't propose to do more than respond and re-iterate my position to the a-Squared forum.
Until you have given me the all clear, it is your advice that I am following, or does your link to a-Squared mean that you don't wish to proceed further with helping me?
I hope not! :?

six-h

Re: Win32.TrojanSpy.banker

Post by six-h » February 14th, 2008, 4:25 pm

Scotty

Still no advice regarding whether to scan with jotti in spite of having released "process.exe", so I've run the scan anyway.
Not sure how to post the results, since there is no method of saving them mentioned on the site.
I've tried copy & paste, hope it gives you what's needed, I've highlighted all the items found, and holding the scanner page open in case you need to instruct me further.

six-h

1) Scanner results.
Scan taken on 14 Feb 2008 20:05:01 (GMT)
A-Squared Found Riskware.RiskTool.Win32.Processor.20
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found Tool.Prockill
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found Win32/PrcView application
Norman Virus Control Found nothing
Panda Antivirus Found Application/Processor
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

2) Statistics

Last file scanned at least one scanner reported something about: 3.exe (MD5: 0a063f869bcf7b12492ef0af5a53edf7, size: 132305 bytes), detected by:

Scanner Malware name
A-Squared X
AntiVir X
ArcaVir X
Avast Win32:Neptunia-HK
AVG Antivirus X
BitDefender X
ClamAV X
CPsecure X
Dr.Web X
F-Prot Antivirus Possibly a new variant of W32/new-malware!Maximus
F-Secure Anti-Virus X
Fortinet X
Ikarus Virus.Win32.Rbot.CXK
Kaspersky Anti-Virus X
NOD32 X
Norman Virus Control X
Panda Antivirus X
Rising Antivirus X
Sophos Antivirus X
VirusBuster X
VBA32 X


You're free to (mis)interpret these automated, flawed statistics at your own discretion. For antivirus comparisons, visit AV comparatives
We are not affiliated with any third parties that conduct tests using this service.
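The multi-scanner results pasted above are the kind of output a helper has to read quickly: how many engines flagged the file, and whether the labels describe a process-management tool (the "riskware"/"application" family Scotty mentions) rather than a banking trojan. The script below is an added example, not part of the thread or of the Jotti service; it parses the copy-pasted engine lines (the sample is constructed from the post's own results) and summarises them. The keyword list `TOOL_HINTS` is an assumption about common vendor naming, not a Jotti or vendor API.

```python
from dataclasses import dataclass

# Constructed sample: engine lines as they appear when a Jotti result page is
# copied and pasted into a forum post (one "<engine> Found <label>" per line).
SAMPLE_RESULTS = """\
Scan taken on 14 Feb 2008 20:05:01 (GMT)
A-Squared Found Riskware.RiskTool.Win32.Processor.20
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found Tool.Prockill
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found Win32/PrcView application
Norman Virus Control Found nothing
Panda Antivirus Found Application/Processor
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
"""

# Assumed substrings that vendors commonly use for process/utility "riskware"
# classifications, as opposed to trojan/backdoor families. Heuristic only.
TOOL_HINTS = ("riskware", "risktool", "tool.", "application", "prcview", "not-a-virus")


@dataclass
class Verdict:
    scanner: str
    label: str  # empty string when the engine found nothing


def parse_results(text: str) -> list[Verdict]:
    """Parse pasted '<engine> Found <label>' lines; engine names may contain spaces."""
    verdicts = []
    for line in text.splitlines():
        if " Found " not in line:
            continue  # skip the 'Scan taken on' header and any stray lines
        scanner, label = line.split(" Found ", 1)
        label = label.strip()
        verdicts.append(Verdict(scanner.strip(), "" if label.lower() == "nothing" else label))
    return verdicts


def summarize(verdicts: list[Verdict]) -> dict:
    """Count detections and how many of them look like tool/riskware labels."""
    hits = [v for v in verdicts if v.label]
    tool_like = [v for v in hits if any(h in v.label.lower() for h in TOOL_HINTS)]
    return {
        "engines": len(verdicts),
        "detections": len(hits),
        "tool_like": len(tool_like),
        "labels": {v.scanner: v.label for v in hits},
    }


if __name__ == "__main__":
    summary = summarize(parse_results(SAMPLE_RESULTS))
    print(f"{summary['detections']}/{summary['engines']} engines flagged the file, "
          f"{summary['tool_like']} with tool/riskware-style labels")
    for scanner, label in summary["labels"].items():
        print(f"  {scanner}: {label}")
```

A low detection count made up entirely of tool/riskware labels is consistent with a process utility dropped by a cleanup tool, which is the reading Scotty gives; a file flagged by many engines with trojan family names would deserve the opposite conclusion. The summary is an aid to reading the results, not a verdict on its own.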
