RichardLH

Win32.Trojan.Agent and HP Autotkit.exe file

4 posts in this topic

For the last 2 weeks, Ad-aware 2007 has detected the presence of Win32.Trojan.Agent on my HP Pavilion computer. Following is the relevant excerpt from the most recent log, using definition file 65:

 

Infections Found

Family Id Name Category TAI

941 Win32.Trojan.Agent Malware 10

[111006] File: C:\hp\bin\AUTOTKIT.EXE

[111006] File: C:\hp\EXPLOREBAR\AUTOTKIT.EXE

[111006] File: C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP758\A0122068.EXE

[111006] File: C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP758\A0122069.EXE

[111006] File: C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP758\A0122112.EXE

[111006] File: C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP758\A0122114.EXE

[300018957] Root: HKU Path: [s-1-5-21-....]\software\microsoft\internet explorer\main Value: Window title

[300031803] Root: HKLM Path: SYSTEM\ControlSet001\Services\wscsvc Value: Start Data: 4

 

 

The autotkit.exe file is a known HP file - both detected versions appear to be the original file version (based on size - 53,248 bytes - and date - Wednesday, June 18, 2003, 10:19:08 PM). The four System Restore detections appear to be the same file. The first registry entry detection makes sense, since I believe autotkit.exe puts an "HP view" logo on the explorer window. The second registry entry, which I believe may deactivate the windows security center service, is probably related to Norton Internet Security (NIS).

 

Also, scans with NIS, Windows Defender, and Spybot showed no problems.

 

I suspect this may be a false positive detection. If you want, I can send a copy of autotkit.exe - just let me know. Thanks.

 

RichardLH
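
Added example (not part of the original posts, and not Lavasoft or HP code): a small Python triage of the detection lines quoted in the post above. It separates live files from System Restore copies, groups hits by detection id, and decodes the service `Start` value; the function and constant names are hypothetical, and the start-type table is the standard Windows service mapping.

```python
import re
from collections import defaultdict

# Detection lines copied from the log excerpt in the post above.
LOG = r"""
[111006] File: C:\hp\bin\AUTOTKIT.EXE
[111006] File: C:\hp\EXPLOREBAR\AUTOTKIT.EXE
[111006] File: C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP758\A0122068.EXE
[111006] File: C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP758\A0122069.EXE
[111006] File: C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP758\A0122112.EXE
[111006] File: C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP758\A0122114.EXE
[300018957] Root: HKU Path: [s-1-5-21-....]\software\microsoft\internet explorer\main Value: Window title
[300031803] Root: HKLM Path: SYSTEM\ControlSet001\Services\wscsvc Value: Start Data: 4
"""

# Meaning of a Windows service's "Start" registry value.
START_TYPES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}

FILE_RE = re.compile(r"^\[(\d+)\] File: (.+)$")
REG_RE = re.compile(r"^\[(\d+)\] Root: (\w+) Path: (.+?) Value: (.+?)(?: Data: (.+))?$")
SERVICE_RE = re.compile(r"\\services\\([^\\]+)$", re.IGNORECASE)
RESTORE_MARK = r"\system volume information\_restore"


def triage(log):
    """Split file hits into live files vs. System Restore copies and decode registry hits."""
    report = {"live": defaultdict(list), "restore": defaultdict(list), "registry": []}
    for line in filter(None, map(str.strip, log.splitlines())):
        if m := FILE_RE.match(line):
            sig, path = m.groups()
            bucket = "restore" if RESTORE_MARK in path.lower() else "live"
            report[bucket][sig].append(path)
        elif m := REG_RE.match(line):
            sig, root, path, value, data = m.groups()
            svc = SERVICE_RE.search(path)
            note = None
            if svc and value == "Start" and data and data.isdigit():
                kind = START_TYPES.get(int(data), "unknown")
                note = f"service {svc.group(1)} start type {data} = {kind}"
            report["registry"].append({"sig": sig, "root": root, "path": path,
                                       "value": value, "data": data, "note": note})
    return report


if __name__ == "__main__":
    result = triage(LOG)
    for bucket in ("live", "restore"):
        for sig, paths in result[bucket].items():
            print(f"{bucket}: signature {sig} matched {len(paths)} file(s)")
    for hit in result["registry"]:
        print(f"registry: {hit['root']}\\{hit['path']} {hit['value']} -> {hit['note']}")
```

All six file hits carry the same detection id, and only two of them are live files. Size and timestamp are weak evidence that two files are identical; comparing a cryptographic hash of the two live copies is the stronger check before submitting one as a false-positive sample.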

Hi RichardLH!

Can you attach the suspect FP file in this thread? Put it in a zip/rar archive and name it FP.zip.

If the file turns out to be a FP, it will be removed from detection as of the next definition file release.

Thank you for your detailed report.

 

/ Albin

 

Lavasoft Research


Albin -

 

Thanks for the quick response. Attached is the zip file "FP.zip", which is a zipped version of autotkit.exe.

 

RichardLH


Thanks Richard!! :D

The FP is now removed from detection; just download the latest def file and run a scan again!

/ Albin

 

Lavasoft Research
