JohanL49
In addition to the scans already mentioned, I also did a "Full Service Scan"
via http://safety.live.com. However nothing has been found.
Also an export via regedt32 of the applicable registry part does not show anything wrong:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
..........
"Shell"=hex(2):65,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,\
  00,65,00,00,00

It just says "explorer.exe" in hex. If you want, I can send the exported Winlogon
part to your e-mail address.

"JohanL49" wrote:

> Additional info:
> Note that I have a Dutch Windows XP Home system.
> Could there be a relation with the other problem that I have:
> http://www.microsoft.com/athome/secu...c-210911b3fab9
>
> "JohanL49" wrote:
>
> > Hello Mike,
> >
> > It's just "explorer.exe" without anything following it!
> >
> > "Mike Treit [Msft]" wrote:
> >
> > > What is the content of the "shell" value under
> > > HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon?
> > >
> > > It should be "explorer.exe" without anything following it. If Windows
> > > Defender is detecting Banker.TX, then it's likely the value is set to
> > > something like "explorer.exe c:\windows\smss.exe"
> > >
> > > If your value is set to the latter, you had (or possibly still have) some
> > > malware on your system that uses that registry value to launch itself. You
> > > should run a scan of your system with an antivirus product, for instance
> > > http://safety.live.com. If that does not find anything, and if
> > > c:\windows\smss.exe does not exist, just replace the registry value with
> > > "explorer.exe" by itself and Windows Defender should stop detecting it.
> > >
> > > However, please let me know what you find as I'd like to understand why this
> > > didn't get cleaned up automatically - there are a couple of possible
> > > explanations, but I can't say for sure without some additional information.
> > >
> > > Thanks
> > >
> > > -Mike
> > >
> > > "JohanL49" <(E-Mail Removed)> wrote in message
> > > news:56016911-73D8-4165-B5FB-(E-Mail Removed)...
> > > > I have the same problem.
> > > > It shows as Resources: regkey:
> > > > HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\shell
> > > >
> > > > I have run CCleaner and Ewido has not found anything.
> > > > Neither do the scans of avast!, NOD32, Ad-Aware, Spybot - Search & Destroy,
> > > > a-squared, Bazooka.
> > > > Could it be a false-positive?
> > > >
> > > > "Engel" wrote:
> > > >
> > > > > Hello Dean,
> > > > >
> > > > > Banker.TX is a trojan.
> > > > > First remove all temporary junk with CCleaner
> > > > > http://www.ccleaner.com
> > > > > Then try Ewido for removal:
> > > > > http://www.ewido.net/en/download/
> > > > >
> > > > > http://castlecops.com/t137442-CCSP_E...tructions.html
> > > > >
> > > > > I hope this post is helpful, let us know how it works out.
> > > > > Engel
> > > > > --
> > > > >
> > > > > "Dean" wrote:
> > > > >
> > > > > > Every night (early morning) when WD runs, it finds Banker.TX, identifying it
> > > > > > as severe, calling it a password stealer, etc. That's enough for me to want
> > > > > > it gone for good, but every time I have WD remove it, it's again found the
> > > > > > next scan; same results when I've had WD quarantine it. Anyone know anything
> > > > > > about this? Thanks in advance!
> > > > > > --
> > > > > > Dean
> > > > > > USAF
> > > > > > Prattville, Alabama
Bill Sanderson
That's clear enough for me, I think. Not sure what's going on, but it isn't
as simple as that key being munged in a way that conceals the fact.
Mike Treit [Msft]
Please send the event log entries that are written when the detection
happens, and that should give a clearer picture of what is going on.

Thanks

-Mike
JohanL49
This is the system event log entry that is written:

Windows Defender scan has detected potential malware.
For more information please see the following: http://www.microsoft.com
Scan ID: {9E500AD6-933D-458C-B8A7-E22794455909}
Scan Type: AntiSpyware
Scan Parameters: Quick Scan
User: MEDION\Johan
Threat Name: Banker.TX
Threat Id: 17153
Threat Severity: 5
Threat Category: 3
Path Found: regkey:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\shell
Detection Type: Signatures
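The three checks this thread walks through by hand (Mike's rule that the Winlogon "Shell" value should be "explorer.exe" and nothing more, JohanL49's decoding of the hex(2) export back to "explorer.exe", and the "Path Found: regkey:..." field of the Defender event) can be done in one place. The following Python is an added example written for this page, not code from the thread, from Windows Defender or from Microsoft: it parses a regedit .reg export (string, dword, hex, hex(2) and hex(7) values), resolves the regkey path in the event text to the exported value, and reports whether the Shell value lists any program besides explorer.exe. The two sample exports and the event text are constructed from the values quoted in the thread; the hive abbreviation table, the function names and the verdict labels ("clean", "suspicious", "absent", "review") are this example's own assumptions.

```python
import re

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
         "HKU": "HKEY_USERS", "HKCR": "HKEY_CLASSES_ROOT"}  # assumed abbreviation table
EXPECTED_SHELL = "explorer.exe"  # the only program the Shell value should name

# Constructed .reg export modelled on the one posted in the thread (raw string: the
# trailing backslash is regedit's line continuation, "\\" is its escape for one backslash).
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"=hex(2):65,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,\
  00,65,00,00,00
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''

# Constructed export carrying the kind of value Mike describes in the thread:
# a second program appended to the shell so that it is started at every logon.
TAMPERED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe c:\\windows\\smss.exe"
'''

# Constructed event text using fields quoted from the Defender event in the thread.
DEFENDER_EVENT = r'''Windows Defender scan has detected potential malware.
Threat Name: Banker.TX
Threat Id: 17153
Threat Severity: 5
Path Found: regkey:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\shell
Detection Type: Signatures
'''

def _logical_lines(text):
    """Yield .reg lines with hex continuations (trailing backslash) joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""

def decode_reg_value(rhs):
    """Decode the right-hand side of a "Name"=... line (REG_SZ, dword, hex, hex(2), hex(7))."""
    if rhs.startswith('"') and rhs.endswith('"'):
        return re.sub(r"\\(.)", r"\1", rhs[1:-1])  # unescape \\ and \"
    if rhs.startswith("dword:"):
        return int(rhs[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", rhs)
    if not m:
        raise ValueError("unsupported value syntax: " + rhs)
    kind = int(m.group(1) or 3)  # bare "hex:" is REG_BINARY
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    if kind in (1, 2):  # REG_SZ / REG_EXPAND_SZ: UTF-16LE, NUL-terminated
        return data.decode("utf-16-le").rstrip("\x00")
    if kind == 7:  # REG_MULTI_SZ: NUL-separated, double-NUL-terminated
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    return data

def parse_reg_export(text):
    """Return {key_path: {value_name: value}} with keys and names lower-cased."""
    keys, current = {}, None
    for line in _logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1).lower()] = decode_reg_value(m.group(2))
    return keys

def parse_defender_event(text):
    """Map the 'Field: value' lines of a Defender event to a dict."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    return fields

def split_regkey_path(path_found):
    """Split 'regkey:<hive>\\<key>\\\\<value>' into (full key path, value name), lower-cased."""
    key, _, value = path_found[len("regkey:"):].partition("\\\\")
    hive, _, rest = key.partition("\\")
    return (HIVES.get(hive.upper(), hive) + "\\" + rest).lower(), value.lower()

def triage(reg_text, event_text):
    """Look up the value a Defender registry detection points at and classify it."""
    event = parse_defender_event(event_text)
    key, name = split_regkey_path(event["Path Found"])
    actual = parse_reg_export(reg_text).get(key, {}).get(name)
    finding = {"threat": event.get("Threat Name"), "key": key, "value_name": name, "value": actual}
    if actual is None:
        finding["verdict"] = "absent"
    elif name == "shell":
        # Shell may name several programs, comma or whitespace separated
        entries = [t for t in re.split(r"[,\s]+", str(actual)) if t]
        finding["extra_entries"] = [e for e in entries if e.lower() != EXPECTED_SHELL]
        finding["verdict"] = "suspicious" if finding["extra_entries"] else "clean"
    else:
        finding["verdict"] = "review"
    return finding

if __name__ == "__main__":
    for label, export in (("clean", CLEAN_EXPORT), ("tampered", TAMPERED_EXPORT)):
        print(label, triage(export, DEFENDER_EVENT))
```

Run against the clean export the script decodes the hex(2) bytes to "explorer.exe" and reports "clean", which is the situation in this thread, where the detection turned out to be a signature false positive; against the tampered export it lists the appended program, which is the case where Mike's advice applies: scan, confirm whether the extra file exists, and then set the value back to "explorer.exe" alone.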
Mike Treit [Msft]
Can you please use regedit to export the contents of
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon to a .reg file
then send that to me?

Thanks

-Mike
JohanL49
In the meantime Microsoft has identified the problem. It is a false positive
and it will be solved after the next engine update later this month.