Trojan.Agent-119428



#1 Beach Plum

Posted 19 July 2009 - 08:31 AM

Clamwin found Trojan.Agent-119428 in two instances of userinit.exe.

C:\WINDOWS\ServicePackFiles\i386\userinit.exe: Trojan.Agent-119428 FOUND

C:\WINDOWS\system32\userinit.exe: Trojan.Agent-119428 FOUND

These files are 26 kb, while I believe they should be 24 kb from one malware discussion I read.

I seem to have at least one more userinit.exe. That is in $NtServicePackUninstall$ and is 24 kb.

I dropped that on my desktop as userinit_good.exe in case, to use later, but began this web search.


Virustotal returned that Clamwin sees this 26 kb userinit.exe as a virus, but I gather no other scanner does.

One link leading to a Bleeping Puter forums post yesterday also mentioned Clamwin and Trojan.Agent-119428. I noticed that post had HP pre-packaged software running. Recently, I uninstalled HP's PC Doctor (I think this is HP's) from the Add/Remove Program list. I wonder if this problem is a corporate mutant, but I tend to have fanciful explanations.

Two days ago, I had a LSA Shell (Export Version) look to receive data through my firewall. I did not find any knowledgeable information on LSA Shell (Export Version) except there is no reason for lsass.exe to hear from the net. I ended up running Symantec sasser worm fix, but it did not find malware.

I will go run Spybot, HijackThis, and Autoruns, because I am curious. Do you think this Trojan.Agent-119428 is malware?

#2 Guest_The weatherman_*

Posted 19 July 2009 - 05:56 PM

Moved from HJT to a more appropriate forum. Tw

#3 boopme

Posted 19 July 2009 - 11:42 PM

Hello, I am thinking this is a false positive. Let's get a second opinion. Please upload those 2 files.

C:\WINDOWS\ServicePackFiles\i386\userinit.exe: Trojan.Agent-119428

C:\WINDOWS\system32\userinit.exe: Trojan.Agent-119428



Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the Jotti page has finished loading, click the Browse button, navigate to the following file, and click Submit.

<filepath>suspect.file

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

Edited by boopme, 19 July 2009 - 11:43 PM.

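One way to compare the userinit.exe copies discussed in this thread before sending them for a second opinion, as an added example that is not part of the original posts: it records size, SHA-256 and PE link timestamp for each copy and groups the byte-identical ones. The file contents and timestamps are constructed stand-ins (`fake_pe` and `load` are hypothetical helpers); only the paths and the 26 KB / 24 KB sizes come from the thread.

```python
import hashlib
import struct
from collections import defaultdict
from datetime import datetime, timezone

def pe_link_time(data):
    """COFF TimeDateStamp of a PE image as a UTC datetime, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew field
    if pe_off + 12 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    (stamp,) = struct.unpack_from("<I", data, pe_off + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)

def fingerprint(data):
    """Size, SHA-256 and link time for one copy."""
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest(),
            "linked": pe_link_time(data)}

def group_copies(copies):
    """Map sha256 -> list of paths, so byte-identical copies land together."""
    groups = defaultdict(list)
    for path, data in copies.items():
        groups[fingerprint(data)["sha256"]].append(path)
    return dict(groups)

def load(paths):
    """Hypothetical helper: read real files into the {path: bytes} form used above."""
    return {p: open(p, "rb").read() for p in paths}

def fake_pe(stamp, size):
    """Constructed stand-in: only the header fields read above are valid."""
    head = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHI", 0x014C, 1, stamp)
    return (head + coff).ljust(size, b"\0")

# Constructed sample: sizes follow the post, timestamps are arbitrary.
SAMPLE = {
    r"C:\WINDOWS\system32\userinit.exe": fake_pe(1200000000, 26 * 1024),
    r"C:\WINDOWS\ServicePackFiles\i386\userinit.exe": fake_pe(1200000000, 26 * 1024),
    r"$NtServicePackUninstall$\userinit.exe": fake_pe(1100000000, 24 * 1024),
}

if __name__ == "__main__":
    for digest, paths in group_copies(SAMPLE).items():
        fp = fingerprint(SAMPLE[paths[0]])
        linked = fp["linked"].date() if fp["linked"] else "not a PE"
        print(f"{fp['size']:>6} bytes  linked {linked}  sha256 {digest[:16]}...")
        for p in paths:
            print("     ", p)
```

On a real system, pass `load([...])` with the actual paths in place of `SAMPLE`. A size difference between the `$NtServicePackUninstall$` copy and the other two is expected on its own, because that folder holds the files the service pack replaced.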