banker.ceu ?

[lardboy]

I keep getting the following detection -

Banker.ceu: Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1655073370-3743346858-1230028903-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\*\microsoft?????.exe


I have scanned with the following -

AVG Antispy - no results
spyware doctor SE - no results
AVG antivirus - no results
Kaspersky online antivirus - no results
Norton security scan - no results

I have no winx.log file in my windows directory and no services.exe in windows\system32\drivers\

I've checked with hijackthis, startup cpl & defender (network connected programs) and I can't find anything unexpected. I also have no unexpected tasks in my task manager.

Is this a false positive?

 

[Yodama]

hello,

this could be a false positive, this entry actually shows that a file named microsoft<followed_by_five_characters>.exe
for instance: microsoft12345.exe , microsoftserve.exe and so on,
has been executed.

It would be best if you could find the file in question and identify it or submit it for analysis. There are actually not that many files which do have microsoft in the filename.

 

[lardboy]

Thanks for the feedback.

I searched for files named microsoft?????.exe (including hidden files & system files) and all I found was microsoft word.exe. I then searched for microsoft only and found nothing suspicious in the list. Also the only file in my prefetch with microsoft in the name is word again.

I've also checked that location in the registry and I can't find anything pointing to microsoft(5digits).exe as detailed.

I keep fixing this issue and it comes back.

 

[Yodama]

hi,

it really does look like a false positive, it will be removed from detection with the next update.
You can have Spybot ignore this entry until the update is released.

thanks for reporting.

 

[lardboy]

OK thanks

 

[lardboy]

latest update has "fixed" this problem.