Spyware, Viruses, & Security forum

Did I Boo-Boo? Process ExplorerNT.zip...

by tobeach / February 14, 2007 4:35 PM PST

/procexp.exe was found today for the first time during an AVG A.S. full system scan. AS rated it as a High Risk Threat (Back door Trojan).
It was located in Docs & Settings/Sandy/My Documents.
I chose my normal setting for "Quarantine" & AS said it couldn't quarantine as it was in an archive (not named) & then asked if it should quarantine the entire archive? I replied NO. I then chose to "Delete".
AS responded: "Done".

I then ran a search of all files & folders and found procexp.exe listed as still in My Docs. I selected to delete it. It took about 4 mins to delete (very large).

Now I'm second guessing myself. I searched Google and found SysInternals had it listed in several locations but felt that if in Docs & Settings the danger level was only 1 (higher in sys32).
They describe it as a process monitor but not a Windows core file.
Some mention of protection of buffer overflow & browser hooks (hijacking) or host file protection. The real one has a Verisign certificate but I didn't see it under the properties of the .exe.

Search of Symantec knowledge base had no listing & unfortunately Castle Cops seemed to have a site outage at the time.

Just to be sure, I then ran a checkdisk/R and all seems OK.
Followed up w/ another AS full scan which came up clean.

The .exe properties had date in 2006. I wonder why at least 10 previous full AS scans (in 2007) didn't detect it?
False positive or maybe new detection def?

Now I wonder if it might have been an important element of Spybots Tea Timer/anti-hijack function or???

So I need opinions, and should I try and find & replace it, since the whole file is gone? Thanks for your thoughts.

Computer info in profile.
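The check the first post attempts by eye (looking for the publisher's certificate under the .exe properties) can be scripted on the defender's side. This is an added example, not code from the thread: it assumes Windows PowerShell 4 or later, a placeholder file path, and that you supply the publisher name the vendor's download page states for the genuine tool.

```powershell
# Added example (not from the thread): report whether a Windows executable
# carries a valid Authenticode signature, who signed it, and its SHA-256,
# so a file an AV scanner flags can be compared against the genuine release.
# Assumes Windows PowerShell 4+ (for Get-FileHash). The path below is a placeholder.
function Test-SignedBinary {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Substring you expect in the signer's Subject (the vendor name as
        # shown on the vendor's own download page). Supplied by the caller.
        [Parameter(Mandatory)][string]$ExpectedPublisher
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    # Authenticode verification: checks the embedded signature against the
    # file's current bytes and walks the certificate chain.
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # An unsigned or tampered file has no usable signer certificate.
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    $issuer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer  } else { '(unsigned)' }

    [pscustomobject]@{
        Path        = $Path
        SHA256      = $hash
        Status      = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer      = $subject
        Issuer      = $issuer
        # Only a Valid status from the expected publisher counts as genuine.
        PublisherOk = ($sig.Status -eq 'Valid') -and ($subject -like "*$ExpectedPublisher*")
    }
}

# Usage (placeholder path and publisher; extract the .exe from its archive first,
# since a signature inside a .zip cannot be checked without unpacking it):
Test-SignedBinary -Path 'C:\path\to\procexp.exe' -ExpectedPublisher 'VendorName' | Format-List
```

A result of Status `Valid` with the expected signer supports a false-positive theory; `NotSigned` or `HashMismatch` means the file is not the vendor's release as shipped, and the SHA-256 can be compared with the hash published alongside the genuine download.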

Did AVG AS find Dropper.Agent.bct ?
by Marianna Schmudlach / February 14, 2007 11:54 PM PST
OOPS!!! You're Right Again! It Did Not Show...
by tobeach / February 15, 2007 7:20 PM PST

Dropper.Agent.bct when I repeatedly placed the cursor over it, only backdoor trojan.
But now, after the Wilder's link you provided, I went & checked the reports and sure enough that was it.
The report says: "Cleaned with backup (quarantined)." After looking in Infections/Quarantine, there are no objects listed as being there. I guess my order to delete was equal to "a dump quarantine", but I suppose that means I also can't restore it to its original location either.

I further surmise that the file I manually deleted via "search all file" was in fact the "cleaned version" AS put back in.

Because it was a "zip" and in My Docs, I wondered if it was contained in one of the many repair tools I store there just in case I ever need them. Several of those tools came down as zips (which I've never opened). Looking there now, I actually see THE zip file (which I could NOT find while searching via the C: Tree). It was right next to "Qoofix.zip"!
The .zip file, when explored, shows a total of 63.7 KB:
EULA: 1 KB & Procexp.chm: 63 KB. No .exe appears there.

Given all this, guess I should delete the rest of the .zip file.
Question: Is this tool worth re-finding and re-downloading into storage?? (I must have thought so at some point). Thanks again!

Yes, I would delete the rest of the zip.......
by Marianna Schmudlach / February 16, 2007 12:22 AM PST
> Question: Is this tool worth re-finding and re-downloading into storage?? (I must have thought so at some point).

You are talking about the "Qoofix.zip"? I hope you know that this fix is updated regularly?

You're Welcome
