Win32.Trojan.Agent and HP Autotkit.exe file



#1 RichardLH

    Newbie

  • Members
  • 2 posts

Posted 30 March 2008 - 10:36 PM

For the last 2 weeks, Ad-aware 2007 has detected the presence of Win32.Trojan.Agent on my HP Pavilion computer. Following is the relevant excerpt from the most recent log, using definition file 65:

Infections Found
Family Id Name Category TAI
941 Win32.Trojan.Agent Malware 10
[111006] File: C:\hp\bin\AUTOTKIT.EXE
[111006] File: C:\hp\EXPLOREBAR\AUTOTKIT.EXE
[111006] File: C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP758\A0122068.EXE
[111006] File: C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP758\A0122069.EXE
[111006] File: C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP758\A0122112.EXE
[111006] File: C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP758\A0122114.EXE
[300018957] Root: HKU Path: [S-1-5-21-....]\software\microsoft\internet explorer\main Value: Window title
[300031803] Root: HKLM Path: SYSTEM\ControlSet001\Services\wscsvc Value: Start Data: 4


The autotkit.exe file is a known HP file - both detected versions appear to be the original file version (based on size - 53,248 bytes - and date - Wednesday, June 18, 2003, 10:19:08 PM). The four System Restore detections appear to be the same file. The first registry entry detection makes sense, since I believe autotkit.exe puts an "HP view" logo on the explorer window. The second registry entry, which I believe may deactivate the windows security center service, is probably related to Norton Internet Security (NIS).

Also, scans with NIS, Windows Defender, and Spybot showed no problems.

I suspect this may be a false positive detection. If you want, I can send a copy of autotkit.exe - just let me know. Thanks.

RichardLH
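A defender-side triage helper for the log excerpt above, added here as an example and not part of the thread or of Ad-aware itself. It assumes the line shapes shown in the post (`[id] File: path` and `[id] Root: ... Path: ... Value: ... Data: ...`), separates live hits from System Restore copies, and decodes a service's Start value (4 is the standard Windows "disabled" start type). Size and timestamp alone, as the poster notes, are only weak evidence; comparing file hashes against a known-good copy is the stronger check.

```python
import re

# Constructed test input: the Ad-aware 2007 log lines quoted in the post above.
LOG_EXCERPT = r"""
941 Win32.Trojan.Agent Malware 10
[111006] File: C:\hp\bin\AUTOTKIT.EXE
[111006] File: C:\hp\EXPLOREBAR\AUTOTKIT.EXE
[111006] File: C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP758\A0122068.EXE
[111006] File: C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP758\A0122069.EXE
[300018957] Root: HKU Path: [S-1-5-21-....]\software\microsoft\internet explorer\main Value: Window title
[300031803] Root: HKLM Path: SYSTEM\ControlSet001\Services\wscsvc Value: Start Data: 4
"""

# Assumed line shapes, taken from the excerpt; other Ad-aware item types are ignored.
FILE_RE = re.compile(r"^\[(\d+)\] File: (.+)$")
REG_RE = re.compile(r"^\[(\d+)\] Root: (\w+) Path: (.+?) Value: (.+?)(?: Data: (.+))?$")
RESTORE_RE = re.compile(r"^[A-Z]:\\System Volume Information\\_restore\{", re.IGNORECASE)
SERVICE_RE = re.compile(r"\\Services\\([^\\]+)$", re.IGNORECASE)

# Standard meaning of the Start value under HKLM\SYSTEM\...\Services\<name>.
START_TYPES = {"0": "boot", "1": "system", "2": "automatic", "3": "manual", "4": "disabled"}


def parse_log(text):
    """Turn the per-item lines of an Ad-aware log excerpt into dicts; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            entries.append({"kind": "file", "id": m.group(1), "path": m.group(2)})
            continue
        m = REG_RE.match(line)
        if m:
            entries.append({"kind": "registry", "id": m.group(1), "root": m.group(2),
                            "path": m.group(3), "value": m.group(4), "data": m.group(5)})
    return entries


def triage(entries):
    """Separate live files from System Restore copies and decode service Start values."""
    report = {"live_files": [], "restore_point_copies": [], "services": {}, "other_registry": []}
    for e in entries:
        if e["kind"] == "file":
            bucket = "restore_point_copies" if RESTORE_RE.match(e["path"]) else "live_files"
            report[bucket].append(e["path"])
        else:
            svc = SERVICE_RE.search(e["path"])
            if svc and e["value"].lower() == "start":
                report["services"][svc.group(1)] = START_TYPES.get(e["data"], "unknown(%s)" % e["data"])
            else:
                report["other_registry"].append((e["root"], e["path"], e["value"]))
    return report
```

Running `triage(parse_log(LOG_EXCERPT))` on the excerpt reports two live copies of AUTOTKIT.EXE, two restore-point copies to verify against them by hash, and wscsvc (Security Center) set to disabled.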

#2 LS Albin (former Lavasoft employee)

    Former Lavasoft Staff

  • Members
  • 407 posts

Posted 31 March 2008 - 07:18 AM


Hi RichardLH!

Can you attach the suspect FP file in this thread? Put it in a zip/rar archive and name it FP.zip.
If the file turns out to be a FP it will be removed from detection as of the next definition file release.

Thank You for your detailed report.

/ Albin

Lavasoft Research

#3 RichardLH

    Newbie

  • Members
  • 2 posts

Posted 01 April 2008 - 12:34 AM


Albin -

Thanks for the quick response. Attached is the zip file "FP.zip", which is a zipped version of autotkit.exe.

RichardLH

#4 LS Albin (former Lavasoft employee)

    Former Lavasoft Staff

  • Members
  • 407 posts

Posted 01 April 2008 - 11:49 AM

Thanks Richard!! :D

The FP is now removed from detection; just download the latest def file and run a scan again!

/ Albin

Lavasoft Research



