Please send the event log entries that are written when the detection
happens, and that should give a clearer picture of what is going on.
Thanks
-Mike
In addtion to the scans already mentioned, I also did a "Full Service
Scan"
via
http://safety.live.com.
However nothing has been found.
Also an export via regedt32 of the applicable registry part does not
show
anything wrong:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon]
.........
"Shell"=hex(2):65,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,\
00,65,00,00,00
It just says "explorer.exe" in hex. If you want, I can sent the
exported
Winlogon
part to your e-mail address.
:
Additional info:
Note that I have a Dutch Windows XP Home system.
Could there be a relation with the other problem that I have:
http://www.microsoft.com/athome/sec...950f&mid=317f1e34-fded-44ef-839c-210911b3fab9
:
Hello Mike,
It's just "explorer.exe" without anything following it!
:
What is the content of the "shell" value under
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon?
It should be "explorer.exe" without anything following it. If
Windows
Defender is detecting Banker.TX, then it's likely the value is set
to
something like "explorer.exe c:\windows\smss.exe"
If your value is set to the latter, you had (or possibly still
have)
some
malware on your system that uses that registry value to launch
itself. You
should run a scan of your system with an antivirus product, for
instance
http://safety.live.com. If that does not find anything, and if
c:\windows\smss.exe does not exist, just replace the registry
value
with
"explorer.exe" by itself and Windows Defender should stop
detecting
it.
However, please let me know what you find as I'd like to
understand
why this
didn't get cleaned up automatically - there are a couple of
possible
explanations, but I can't say for sure without some additional
information.
Thanks
-Mike
I have the same problem.
It shows as Resources: regkey:
HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\\shell
I have run CCleaner and Ewido has not found anything.
Neither do the scans of avast!, NOD32, Ad-Aware, Spybot -Search
&
Destroy,
a-squared, Bazooka.
Could it be a false-positive?
:
Hello Dean,
Banker.TX is a trojan.
First remove all temporarily junk with CCleaner
http://www.ccleaner.com
Then try Ewido for removal:
http://www.ewido.net/en/download/
http://castlecops.com/t137442-CCSP_Ewido_Install_and_Scan_Instructions.html
I hope this post is helpful, let us know how it works ºut.
??ç?l
--
:
Every night (early morning) when WD runs, it finds Banker.TX,
identifying it
as severe, calling it a password stealer, etc. That's enough
for me to
want
it gone for good, but every time I have WD remove it, it's
again
found
the
next scan; same results when I've had WD quarantine it.
Anyone
know
anything
about this? Thanks in advance!
