RE: Banker.TX found...now what?

 
26-02-2006, 08:38 AM   #1
JohanL49 (Guest)


I have the same problem.
It shows as Resources: regkey:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\shell

I have run CCleaner and Ewido has not found anything.
Neither do the scans of avast!, NOD32, Ad-Aware, Spybot -Search & Destroy,
a-squared, Bazooka.
Could it be a false-positive?

"Engel" wrote:

> Hello Dean,
>
> Banker.TX is a trojan.
> First remove all temporary junk with CCleaner
> http://www.ccleaner.com
> Then try Ewido for removal:
> http://www.ewido.net/en/download/
>
> http://castlecops.com/t137442-CCSP_...structions.html
>
> I hope this post is helpful, let us know how it works out.
> Еиçеl
> --
>
> "Dean" wrote:
>
> > Every night (early morning) when WD runs, it finds Banker.TX, identifying it
> > as severe, calling it a password stealer, etc. That's enough for me to want
> > it gone for good, but every time I have WD remove it, it's again found the
> > next scan; same results when I've had WD quarantine it. Anyone know anything
> > about this? Thanks in advance!
> > --
> > Dean
> > USAF
> > Prattville, Alabama

27-02-2006, 05:32 PM   #2
Mike Treit [Msft] (Guest)

What is the content of the "shell" value under
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon?

It should be "explorer.exe" without anything following it. If Windows
Defender is detecting Banker.TX, then it's likely the value is set to
something like "explorer.exe c:\windows\smss.exe"

If your value is set to the latter, you had (or possibly still have) some
malware on your system that uses that registry value to launch itself. You
should run a scan of your system with an antivirus product, for instance
http://safety.live.com. If that does not find anything, and if
c:\windows\smss.exe does not exist, just replace the registry value with
"explorer.exe" by itself and Windows Defender should stop detecting it.

However, please let me know what you find as I'd like to understand why this
didn't get cleaned up automatically - there are a couple of possible
explanations, but I can't say for sure without some additional information.

Thanks

-Mike

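The check described in the post above, as an added example that is not part of the original thread: a read-only PowerShell triage of the Winlogon "Shell" value that lists any entry beyond explorer.exe and whether the file it names still exists. The helper name Test-WinlogonShell is hypothetical, and the second call uses a constructed sample value following the pattern quoted in the post.

```powershell
# Added example (not from the thread): read-only triage of the Winlogon Shell value.
$key      = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = 'explorer.exe'

function Test-WinlogonShell {          # hypothetical helper name
    param([string]$Value)              # raw Shell string, so sample values can be checked too

    # Split on whitespace and commas, keeping double-quoted paths whole.
    $tokens = @([regex]::Matches($Value, '"[^"]+"|[^\s,]+') |
                ForEach-Object { $_.Value.Trim('"') })

    # Anything other than the bare word explorer.exe is an extra launch entry.
    $extras = @($tokens | Where-Object { $_ -ine $expected })

    [pscustomobject]@{
        Value  = $Value
        Clean  = ($Value.Trim() -ieq $expected)
        Extras = @($extras | ForEach-Object {
            $path = [Environment]::ExpandEnvironmentVariables($_)
            [pscustomobject]@{
                Entry  = $_
                # The post's decision point: does the referenced file still exist?
                OnDisk = (Test-Path -LiteralPath $path -PathType Leaf)
            }
        })
    }
}

# Live value on this machine.
$live = (Get-ItemProperty -Path $key -Name Shell).Shell
$results = @(
    Test-WinlogonShell -Value $live
    # Constructed sample: the pattern quoted in the post.
    Test-WinlogonShell -Value 'explorer.exe c:\windows\smss.exe'
)

foreach ($r in $results) {
    if ($r.Clean) { "OK       Shell = '$($r.Value)'"; continue }
    "SUSPECT  Shell = '$($r.Value)'"
    foreach ($e in $r.Extras) {
        "         extra entry '$($e.Entry)' exists on disk: $($e.OnDisk)"
    }
}
```

An unquoted path that contains spaces is split into several entries, so read the raw value alongside the per-entry results.
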
27-02-2006, 07:45 PM   #3
JohanL49 (Guest)

Hello Mike,

It's just "explorer.exe" without anything following it!

27-02-2006, 09:11 PM   #4
JohanL49 (Guest)

Additional info:
Note that I have a Dutch Windows XP Home system.
Could there be a relation with the other problem that I have:
http://www.microsoft.com/athome/sec...9c-210911b3fab9