Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.



  • Please log in to reply
2 replies to this topic

#1 Beach Plum

Beach Plum

  • Members
  • 32 posts
  • Local time:07:41 PM

Posted 19 July 2009 - 08:31 AM

Clamwin found Trojan.Agent-119428 in two instances of userinit.exe.

C:\WINDOWS\ServicePackFiles\i386\userinit.exe: Trojan.Agent-119428 FOUND

C:\WINDOWS\system32\userinit.exe: Trojan.Agent-119428 FOUND

These files are 26 kb, while I believe they should be 24 kb from one malware discussion I read.

I seem to have at least one more userinit.exe. That is in $NtServicePackUninstall$ and is 24 kb

I dropped that on my desktop as userinit_good.exe in case, to use later, but began this web search.

Virustotal returned that Clamwin sees this 26 kb userinit.exe as a virus, but I gather no other scanner does.

One link leading to a Bleeping Puter forums post yesterday also mentioned Clamwin and Trojan.Agent-119428. I noticed that post had HP pre-packaged software running. Recently, I uninstalled HP's PC Doctor (I think this is HP's) from the Add/Remove Program list. I wonder if this problem is a corporate mutant, but I tend to have fanciful explanations.

Two days ago, I had a LSA Shell (Export Version) look to receive data through my firewall. I did not find any knowledgeable information on LSA Shell (Export Version) except there is no reason for lsass.exe to hear from the net. I ended up running Symantec sasser worm fix, but it did not find malware.

I will go run Spybot, HijackThis, and Autoruns, because I am curious. Do you think this Trojan.Agent-119428 is malware?

BC AdBot (Login to Remove)


#2 Guest_The weatherman_*

Guest_The weatherman_*

  • Guests

Posted 19 July 2009 - 05:56 PM

Moved from HJT to a more appropriate forum. Tw

#3 boopme


    To Insanity and Beyond

  • Global Moderator
  • 73,566 posts
  • Gender:Male
  • Location:NJ USA

Posted 19 July 2009 - 11:42 PM

Hello I am thinking this is a false positive. let's get a second opinion. Please upload those 2 files.

C:\WINDOWS\ServicePackFiles\i386\userinit.exe: Trojan.Agent-119428

C:\WINDOWS\system32\userinit.exe: Trojan.Agent-119428

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.


Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

Edited by boopme, 19 July 2009 - 11:43 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users