Malware in File "C:\WINDOWS\system32\Process.exe"

steve281499

I ran Zone Alarm Security spyware detection software last night and it
detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS
\system32\Process.exe" . The Zone security suite gave me the option
to quarantine the file or to delete the file. I am wondering if the
file it is listed as being in is an actual Win 32 file? Should I
delete the file?

Thanks!

Steve
 
Pegasus (MVP)

"steve281499" <steve281499@gmail.com> wrote in message
news:0b823844-c053-4904-b38b-d92fea175228@c65g2000hsa.googlegroups.com...
>I ran Zone Alarm Security spyware detection software last night and it
> detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS
> \system32\Process.exe" . The Zone security suite gave me the option
> to quarantine the file or to delete the file. I am wondering if the
> file it is listed as being in is an actual Win 32 file? Should I
> delete the file?
>
> Thanks!
>
> Steve


Process.exe does not appear to be a genuine Windows system file.
 
Mike Cawood, HND BIT

"steve281499" <steve281499@gmail.com> wrote in message
news:0b823844-c053-4904-b38b-d92fea175228@c65g2000hsa.googlegroups.com...
>I ran Zone Alarm Security spyware detection software last night and it
> detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS
> \system32\Process.exe" . The Zone security suite gave me the option
> to quarantine the file or to delete the file. I am wondering if the
> file it is listed as being in is an actual Win 32 file? Should I
> delete the file?
>
> Thanks!
>
> Steve


Delete it, then restart the computer.
There's no file called process.exe in my system32 folder.
Regards Mike.
 
Rey Santos

Read:
http://www.bleepingcomputer.com/startups/process.exe-7200.html
--
Rey


"steve281499" wrote:

> I ran Zone Alarm Security spyware detection software last night and it
> detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS
> \system32\Process.exe" . The Zone security suite gave me the option
> to quarantine the file or to delete the file. I am wondering if the
> file it is listed as being in is an actual Win 32 file? Should I
> delete the file?
>
> Thanks!
>
> Steve
>
 
Daave

Pegasus (MVP) wrote:
> "steve281499" <steve281499@gmail.com> wrote in message
> news:0b823844-c053-4904-b38b-d92fea175228@c65g2000hsa.googlegroups.com...
>> I ran Zone Alarm Security spyware detection software last night and
>> it detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS
>> \system32\Process.exe" . The Zone security suite gave me the option
>> to quarantine the file or to delete the file. I am wondering if the
>> file it is listed as being in is an actual Win 32 file? Should I
>> delete the file?
>>
>> Thanks!
>>
>> Steve

>
> Process.exe does not appear to be a genuine Windows system file.


Correct.

However, there *is* a file called qprocess.exe in the system32 folder.
 
David H. Lipman

From: "steve281499" <steve281499@gmail.com>

| I ran Zone Alarm Security spyware detection software last night and it
| detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS
| \system32\Process.exe" . The Zone security suite gave me the option
| to quarantine the file or to delete the file. I am wondering if the
| file it is listed as being in is an actual Win 32 file? Should I
| delete the file?

| Thanks!

| Steve

As others have noted, there is NO legitimate PROCESS.EXE in %windir%\system32

If you are unsure...


Please submit a sample to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition Virus
Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:scan@virustotal.com?subject=SCAN

When you get the report, please post back the exact results.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
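Before a suspect file goes to VirusTotal, an analyst normally records its hashes (a hash lookup can answer the question without uploading, and the report can later be matched to the exact sample) and checks whether the binary carries an embedded Authenticode signature. The following Python script is an added example and is not code from the thread or from VirusTotal; `build_minimal_pe()` fabricates tiny PE images so the script runs without a real file, and all function names are my own.

```python
"""Offline triage of a suspect executable before it goes to VirusTotal: record the
hashes and check whether the PE carries an embedded Authenticode signature.
Added example; build_minimal_pe() fabricates test images so it runs without a real file."""
import hashlib
import struct

PE32, PE32PLUS = 0x10B, 0x20B
SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: (file offset, size) of the signature blob


def pe_security_directory(data: bytes):
    """Return (offset, size) of the security directory, (0, 0) when the PE has none,
    or None when data is not a parsable PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    if opt_size < 2 or opt + opt_size > len(data):
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32:
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS:
        count_off, dirs_off = opt + 108, opt + 112
    else:
        return None
    entry = dirs_off + SECURITY_DIR * 8
    if count_off + 4 > opt + opt_size or entry + 8 > opt + opt_size:
        return (0, 0)
    if struct.unpack_from("<I", data, count_off)[0] <= SECURITY_DIR:
        return (0, 0)                        # NumberOfRvaAndSizes too small for entry 4
    return struct.unpack_from("<II", data, entry)


def triage(data: bytes) -> dict:
    """Hashes plus a yes/no on an embedded signature, for the submission notes."""
    sec = pe_security_directory(data)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "is_pe": sec is not None,
        # Presence of an in-bounds signature blob only; whether it verifies against a
        # trusted chain must still be checked (signtool, Get-AuthenticodeSignature).
        # Its absence is not damning either: most genuine system files are catalog-signed.
        "embedded_signature": sec is not None and sec[1] > 0 and sec[0] + sec[1] <= len(data),
    }


def build_minimal_pe(pe32plus: bool = False, signature_size: int = 0) -> bytes:
    """Construct a minimal, non-executable PE image (constructed test data, not a real file)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224      # fixed fields plus 16 data directories
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS if pe32plus else PE32)
    count_off, dirs_off = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, count_off, 16)
    blob_offset = e_lfanew + 24 + opt_size   # signature blob appended right after the headers
    if signature_size:
        struct.pack_into("<II", opt, dirs_off + SECURITY_DIR * 8, blob_offset, signature_size)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + b"\x00" * signature_size


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe(signature_size=64)
    print(triage(data))
```

Run it as `python triage.py C:\WINDOWS\system32\Process.exe` to get the hashes to quote in a post-back; without an argument it triages one of its own fabricated images. The signature check reports only that a blob is present, so a file that reports `embedded_signature: True` still needs the chain verified by the operating system, and a `False` on a Windows-era system file proves nothing because those are usually signed through a catalog rather than in the file itself.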
 
MowGreen [MVP]

Were any anti-malware tools used previously that were recommended by a
helper on an anti-malware forum?
It is not uncommon to include process.exe in said tools.

MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============


steve281499 wrote:

> I ran Zone Alarm Security spyware detection software last night and it
> detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS
> \system32\Process.exe" . The Zone security suite gave me the option
> to quarantine the file or to delete the file. I am wondering if the
> file it is listed as being in is an actual Win 32 file? Should I
> delete the file?
>
> Thanks!
>
> Steve
 
Pegasus (MVP)

"Daave" <dcwashNOSPAM@myrealboxXYZ.invalid> wrote in message
news:%23XEuovd4IHA.4488@TK2MSFTNGP03.phx.gbl...
> Pegasus (MVP) wrote:
>> "steve281499" <steve281499@gmail.com> wrote in message
>> news:0b823844-c053-4904-b38b-d92fea175228@c65g2000hsa.googlegroups.com...
>>> I ran Zone Alarm Security spyware detection software last night and
>>> it detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS
>>> \system32\Process.exe" . The Zone security suite gave me the option
>>> to quarantine the file or to delete the file. I am wondering if the
>>> file it is listed as being in is an actual Win 32 file? Should I
>>> delete the file?
>>>
>>> Thanks!
>>>
>>> Steve

>>
>> Process.exe does not appear to be a genuine Windows system file.

>
> Correct.
>
> However, there *is* a file called qprocess.exe in the system32 folder.


So? Malware is well noted for selecting file names that resemble
those of genuine Windows files.
 
David H. Lipman

From: "MowGreen [MVP]" <mowgreen@nowandzen.com>

| Were any anti-malware tools used previously that were recommended by a
| helper on an anti-malware forum?
| It is not uncommon to include process.exe in said tools.

| MowGreen [MVP 2003-2008]
| ===============
| *-343-* FDNY
| Never Forgotten
| ===============


Usually, however, they are placed in the same folder as the utility and not in
%windir%\system32, and if so it would probably have been declared differently, such as a
hacktool or processkiller, etc.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
David H. Lipman

From: "Pegasus (MVP)" <I.can@fly.com.oz>

>> However, there *is* a file called qprocess.exe in the system32 folder.


| So? Malware is well noted for selecting file names that resemble
| those of genuine Windows files.


Exactly. This is to obfuscate their malicious intent.

The most common name of a legitimate file is SVCHOST.EXE, with a myriad of slight
variations.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
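The two heuristics in the last few posts (a name that is a near miss of a genuine Windows binary such as svchost.exe, and a genuine-looking name or a tool's helper sitting in %windir%\system32 instead of where it belongs) can be turned into a quick check over a process or directory listing. The script below is an added example, not code from the thread; `KNOWN` is a small assumed whitelist for an XP-era 32-bit layout (a real one would be generated from a clean reference machine), the homoglyph table is my own guess at common substitutions, and `SAMPLE` is constructed data.

```python
"""Flag executables whose names imitate legitimate Windows binaries, or that run
from the wrong directory. Added example; KNOWN is a small assumed sample list."""
import ntpath

SYSTEM32 = r"c:\windows\system32"
# Legitimate image name -> directory it should live in (assumed XP-era 32-bit layout;
# a real whitelist would be generated from a clean reference machine).
KNOWN = {
    "svchost.exe": SYSTEM32, "lsass.exe": SYSTEM32, "csrss.exe": SYSTEM32,
    "services.exe": SYSTEM32, "winlogon.exe": SYSTEM32, "qprocess.exe": SYSTEM32,
    "explorer.exe": r"c:\windows",
}
# Digit/letter substitutions commonly used to make a name look genuine (svch0st, 1sass);
# an assumed table, extend it from what you actually see in the field.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "i": "l", "5": "s", "3": "e"})
MAX_DISTANCE = 2


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a transposition such as scvhost costs 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(full_path: str):
    """Return (verdict, lower-cased name, related legitimate name or expected directory)."""
    directory, name = ntpath.split(full_path.lower())   # Windows paths are case-insensitive
    directory = directory.rstrip("\\")
    if name in KNOWN:
        if directory != KNOWN[name]:
            return ("wrong_location", name, KNOWN[name])
        return ("ok", name, None)
    folded = name.translate(HOMOGLYPHS)
    closest = min(KNOWN, key=lambda k: edit_distance(folded, k.translate(HOMOGLYPHS)))
    if edit_distance(folded, closest.translate(HOMOGLYPHS)) <= MAX_DISTANCE:
        return ("lookalike", name, closest)
    if directory == SYSTEM32:
        return ("unknown_in_system32", name, None)
    return ("unknown", name, None)


def scan(paths):
    """Classify every path and return only the ones worth a closer look."""
    return [r for r in map(classify, paths) if r[0] != "ok"]


# Constructed sample, as a process or directory listing would give it (not real data).
SAMPLE = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\svchost.exe",
    r"C:\WINDOWS\system32\svch0st.exe",
    r"C:\WINDOWS\system32\scvhost.exe",
    r"C:\WINDOWS\system32\Process.exe",
    r"C:\WINDOWS\system32\updater.exe",
    r"C:\WINDOWS\explorer.exe",
]

if __name__ == "__main__":
    for verdict, name, detail in scan(SAMPLE):
        print(f"{verdict:20} {name:14} {detail or ''}")
```

Feeding it the sample gives five findings: svchost.exe outside system32, the two svchost.exe near misses, updater.exe as an unknown file in system32, and Process.exe, which lands one edit away from qprocess.exe and so comes back as a lookalike. That last verdict is the name confusion Daave raised earlier in the thread and shows why the output is a work list for a human, not a deletion list: the script cannot tell a typo from a deliberate imitation, only that the name deserves a look.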
 
Daave

Pegasus (MVP) wrote:
> "Daave" <dcwashNOSPAM@myrealboxXYZ.invalid> wrote in message
> news:%23XEuovd4IHA.4488@TK2MSFTNGP03.phx.gbl...
>> Pegasus (MVP) wrote:
>>> "steve281499" <steve281499@gmail.com> wrote in message
>>> news:0b823844-c053-4904-b38b-d92fea175228@c65g2000hsa.googlegroups.com...
>>>> I ran Zone Alarm Security spyware detection software last night and
>>>> it detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS
>>>> \system32\Process.exe" . The Zone security suite gave me the
>>>> option to quarantine the file or to delete the file. I am
>>>> wondering if the file it is listed as being in is an actual Win 32
>>>> file? Should I delete the file?
>>>>
>>>> Thanks!
>>>>
>>>> Steve
>>>
>>> Process.exe does not appear to be a genuine Windows system file.

>>
>> Correct.
>>
>> However, there *is* a file called qprocess.exe in the system32
>> folder.

>
> So? Malware is well noted for selecting file names that resemble
> those of genuine Windows files.


Good point. I only mentioned that because that might have been a typo on
Steve's part. Googling that message implied a false positive on ZA's
part.

But malware *always* needs to be ruled out. And if Steve has something
called Process.exe, it very well might be malware.
 
PA Bear [MS MVP]

Did you ever download/run SmitFraudFix?

steve281499 wrote:
> I ran Zone Alarm Security spyware detection software last night and it
> detected a malware named "Win32.BackDoor.Bifrost" in "C:\WINDOWS
> \system32\Process.exe" . The Zone security suite gave me the option
> to quarantine the file or to delete the file. I am wondering if the
> file it is listed as being in is an actual Win 32 file? Should I
> delete the file?
>
> Thanks!
>
> Steve
 
MowGreen [MVP]

It's present here in sys32 from running an older malware removal tool
for testing purposes, David. Did get an FP on it from a-squared and it
was detected as a trojan, FWIW.
If Steve ever posts back perhaps we'll find out just "what" detected it
as a trojan. <w>

MG


David H. Lipman wrote:

> From: "MowGreen [MVP]" <mowgreen@nowandzen.com>
>
> | Were any anti-malware tools used previously that were recommended by a
> | helper on an anti-malware forum?
> | It is not uncommon to include process.exe in said tools.
>
> | MowGreen [MVP 2003-2008]
> | ===============
> | *-343-* FDNY
> | Never Forgotten
> | ===============
>
>
> Usually, however, they are placed in the same folder as the utility and not in
> %windir%\system32, and if so it would probably have been declared differently, such as a
> hacktool or processkiller, etc.
>
 