Win32.Trojan.Agent and HP Autotkit.exe file
#1
Posted 30 March 2008 - 10:36 PM
Infections Found
Family Id Name Category TAI
941 Win32.Trojan.Agent Malware 10
[111006] File: C:\hp\bin\AUTOTKIT.EXE
[111006] File: C:\hp\EXPLOREBAR\AUTOTKIT.EXE
[111006] File: C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP758\A0122068.EXE
[111006] File: C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP758\A0122069.EXE
[111006] File: C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP758\A0122112.EXE
[111006] File: C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP758\A0122114.EXE
[300018957] Root: HKU Path: [S-1-5-21-....]\software\microsoft\internet explorer\main Value: Window title
[300031803] Root: HKLM Path: SYSTEM\ControlSet001\Services\wscsvc Value: Start Data: 4
The autotkit.exe file is a known HP file - both detected versions appear to be the original file version (based on size - 53,248 bytes - and date - Wednesday, June 18, 2003, 10:19:08 PM). The four System Restore detections appear to be the same file. The first registry entry detection makes sense, since I believe autotkit.exe puts an "HP view" logo on the explorer window. The second registry entry, which I believe may deactivate the windows security center service, is probably related to Norton Internet Security (NIS).
Also, scans with NIS, Windows Defender, and Spybot showed no problems.
I suspect this may be a false positive detection. If you want, I can send a copy of autotkit.exe - just let me know. Thanks.
RichardLH
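The report above reasons about file identity from size and timestamp, treats the System Restore hits as copies of the same file, and reads the wscsvc "Start" value as the Security Center service being switched off. The following is an added triage helper, not code from the thread, from Lavasoft or from HP: it parses the two detection-line shapes of the log excerpt (the sample log is constructed from the lines quoted above, SID elided as in the original), separates live files from System Restore copies, decodes the service Start value using the standard Windows start types, and groups files by SHA-256 instead of by size and date. The hashed files are constructed stand-ins in a temporary directory, not the real autotkit.exe.

```python
"""Triage helper for Ad-Aware-style detection log excerpts (added example)."""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# The two detection line shapes that appear in the log excerpt above.
FILE_RE = re.compile(r"^\[(\d+)\] File: (.+)$")
REG_RE = re.compile(r"^\[(\d+)\] Root: (\w+) Path: (.+?) Value: (.+?)(?: Data: (.+))?$")

# Windows service Start values (SERVICE_BOOT_START .. SERVICE_DISABLED).
SERVICE_START = {"0": "Boot", "1": "System", "2": "Automatic", "3": "Manual", "4": "Disabled"}

# Constructed copy of a few lines from the report (the SID is elided in the original too).
SAMPLE_LOG = """\
[111006] File: C:\\hp\\bin\\AUTOTKIT.EXE
[111006] File: C:\\hp\\EXPLOREBAR\\AUTOTKIT.EXE
[111006] File: C:\\System Volume Information\\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\\RP758\\A0122068.EXE
[300018957] Root: HKU Path: [S-1-5-21-....]\\software\\microsoft\\internet explorer\\main Value: Window title
[300031803] Root: HKLM Path: SYSTEM\\ControlSet001\\Services\\wscsvc Value: Start Data: 4
"""


def parse_log(text):
    """Split detection lines into file hits and registry hits."""
    files, regs = [], []
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            files.append({"id": m.group(1), "path": m.group(2)})
            continue
        m = REG_RE.match(line)
        if m:
            regs.append({"id": m.group(1), "root": m.group(2), "path": m.group(3),
                         "value": m.group(4), "data": m.group(5)})
    return files, regs


def is_restore_copy(path):
    """System Restore keeps renamed copies (A0xxxxxx.EXE) under _restore{...}\\RPnnn."""
    return "\\system volume information\\_restore{" in path.lower()


def explain_registry(entry):
    """Plain-language meaning of the two registry hits in this report."""
    path, value = entry["path"].lower(), entry["value"].lower()
    if path.endswith("\\services\\wscsvc") and value == "start":
        meaning = SERVICE_START.get(entry["data"], "unknown (" + str(entry["data"]) + ")")
        return "Security Center service start type: " + meaning
    if path.endswith("\\internet explorer\\main") and value == "window title":
        return "Internet Explorer window-title branding string (cosmetic)"
    return "unclassified registry change"


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def group_by_hash(paths):
    """Map SHA-256 -> paths; matching size and timestamp alone are not proof of identity."""
    groups = defaultdict(list)
    for p in paths:
        groups[sha256_of(p)].append(p)
    return dict(groups)


def demo_hash_groups():
    """Constructed stand-ins: two identical copies plus one same-size file that differs by a byte."""
    d = tempfile.mkdtemp()
    original = b"MZ" + b"\x00" * 51            # 53 bytes of fake content, NOT the real autotkit.exe
    variant = b"MZ" + b"\x00" * 50 + b"\x01"   # same length, last byte differs
    paths = []
    for name, content in [("AUTOTKIT.EXE", original), ("A0122068.EXE", original), ("A0122069.EXE", variant)]:
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(content)
        paths.append(p)
    sizes = {os.path.getsize(p) for p in paths}          # one size class for all three
    groups = group_by_hash(paths)                        # but two distinct hashes
    return len(sizes), sorted(len(v) for v in groups.values())


if __name__ == "__main__":
    files, regs = parse_log(SAMPLE_LOG)
    for f in files:
        print(("restore copy " if is_restore_copy(f["path"]) else "live file    ") + f["path"])
    for r in regs:
        print(r["root"] + "\\" + r["path"] + " -> " + explain_registry(r))
    print("size classes, hash group sizes:", demo_hash_groups())
```

When sending a suspected false positive to a vendor, the SHA-256 of the live copy and of each System Restore copy settles whether they really are the same file, and a "Start" value of 4 on wscsvc is the concrete fact behind the guess that Security Center was turned off by the installed security suite.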
#2
Posted 31 March 2008 - 07:18 AM
Quoting RichardLH (post #1): For the last 2 weeks, Ad-aware 2007 has detected the presence of Win32.Trojan.Agent on my HP Pavilion computer. Following is the relevant excerpt from the most recent log, using definition file 65: [log excerpt and comments as in post #1]
Hi RichardLH !
Can you attach the suspect FP file in this thread? Put it in a zip/rar archive and name it FP.zip.
If the file turns out to be a FP it will be removed from detection as of the next definition file release.
Thank You for your detailed report.
/ Albin
Lavasoft Research
#3
Posted 01 April 2008 - 12:34 AM
Albin -
Thanks for the quick response. Attached is the zip file "FP.zip", which is a zipped version of autotkit.exe.
RichardLH
#4
Posted 01 April 2008 - 11:49 AM
The FP is now removed from detection. Just download the latest def file and run a scan again!
/ Albin
Lavasoft Research