Blog for hpHosts, and whatever else I feel like writing about ....

Friday, 17 July 2009

ClamWin serious F/P again

ClamWin has developed 2 new F/P's in the latest sig update, one not so serious and one very serious. If you've still not got ClamWin set to report only, I strongly urge you to do so:

C:\Program Files\NetMeeting\cb32.exe: Trojan.Waledac-389 FOUND
C:\WINDOWS\system32\dllcache\cb32.exe: Trojan.Waledac-389 FOUND
C:\WINDOWS\system32\dllcache\userinit.exe: Trojan.Agent-119464 FOUND
C:\WINDOWS\system32\userinit.exe: Trojan.Agent-119464 FOUND

As before, if you do have ClamWin quarantine these instead of reporting, you can restore them from the quarantine folder (just rename the files to remove the ".infected" extension and put them back where they belong). If you have ClamWin automatically delete them (NO! NO! NO!), you'll need to restore them from the Service Pack files (you did download the ISO's for the SP's, right?).

These F/P's are occurring, in this case, on Windows XP (all versions) and Windows Server 2003 (all versions). ClamWin hasn't shown the same F/P's on my Vista machine yet.
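When a signature update starts flagging files like userinit.exe and cb32.exe, the quickest sanity check is whether the flagged file is byte-identical to the copy Windows keeps for itself in system32\dllcache (Windows File Protection) or ServicePackFiles\i386. The script below is an added example (my code, not the post's or ClamWin's): it parses ClamWin's report-only output lines, groups hits by signature, and hashes each flagged file against those reference copies. The fake %WINDIR% it builds in a temp directory and the report text it feeds itself are constructed sample data; the signature names are the ones from the post.

```python
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# One ClamWin/clamscan result line per file: "<path>: <signature> FOUND"
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def parse_report(text):
    """Return [(path, signature), ...] for every FOUND line; OK/empty lines are ignored."""
    hits = []
    for line in text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def group_by_signature(hits):
    """signature -> list of flagged paths; one sig hitting only well-known
    Windows binaries across many machines is the classic F/P pattern."""
    groups = defaultdict(list)
    for path, sig in hits:
        groups[sig].append(path)
    return dict(groups)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def reference_copies(path, windir):
    """Where XP/2003 keep pristine copies of a system32 binary: the Windows
    File Protection cache and the extracted Service Pack files."""
    name = os.path.basename(path)
    return [
        os.path.join(windir, "system32", "dllcache", name),
        os.path.join(windir, "ServicePackFiles", "i386", name),
    ]


def triage(hits, windir):
    """path -> verdict.  'matches_reference': byte-identical to a protected
    copy, consistent with a false positive on a legitimate file.
    'differs': a protected copy exists and the live file is not the same,
    so treat it as suspect.  'missing': already quarantined or deleted.
    'no_reference': nothing local to compare against; use another source."""
    verdicts = {}
    for path, _sig in hits:
        if not os.path.isfile(path):
            verdicts[path] = "missing"
            continue
        digest = sha256_file(path)
        refs = [r for r in reference_copies(path, windir)
                if os.path.isfile(r) and os.path.abspath(r) != os.path.abspath(path)]
        if not refs:
            verdicts[path] = "no_reference"
        elif any(sha256_file(r) == digest for r in refs):
            verdicts[path] = "matches_reference"
        else:
            verdicts[path] = "differs"
    return verdicts


def build_demo_tree():
    """Constructed stand-in for %WINDIR% (sample data, not a real system)."""
    windir = tempfile.mkdtemp(prefix="fake_windows_")
    os.makedirs(os.path.join(windir, "system32", "dllcache"), exist_ok=True)
    os.makedirs(os.path.join(windir, "ServicePackFiles", "i386"), exist_ok=True)
    legit = b"MZ-userinit-constructed-sample"
    for rel in (("system32", "userinit.exe"),
                ("system32", "dllcache", "userinit.exe"),
                ("ServicePackFiles", "i386", "userinit.exe")):
        with open(os.path.join(windir, *rel), "wb") as f:
            f.write(legit)
    # cb32.exe: live copy deliberately differs from its protected copy
    with open(os.path.join(windir, "system32", "cb32.exe"), "wb") as f:
        f.write(b"MZ-cb32-altered")
    with open(os.path.join(windir, "system32", "dllcache", "cb32.exe"), "wb") as f:
        f.write(b"MZ-cb32-original")
    return windir


def demo():
    """Run the triage over a constructed report; returns counts and verdicts
    keyed by path relative to the fake %WINDIR%."""
    windir = build_demo_tree()
    p = lambda *parts: os.path.join(windir, *parts)
    report = "\n".join([
        p("system32", "userinit.exe") + ": Trojan.Agent-119464 FOUND",
        p("system32", "dllcache", "userinit.exe") + ": Trojan.Agent-119464 FOUND",
        p("system32", "cb32.exe") + ": Trojan.Waledac-389 FOUND",
        p("system32", "notthere.exe") + ": Trojan.Agent-119464 FOUND",
        p("system32", "kernel32.dll") + ": OK",
    ])
    hits = parse_report(report)
    verdicts = triage(hits, windir)
    rel = {os.path.relpath(k, windir).replace(os.sep, "/"): v for k, v in verdicts.items()}
    return {"groups": {s: len(ps) for s, ps in group_by_signature(hits).items()},
            "verdicts": rel}


if __name__ == "__main__":
    for k, v in demo()["verdicts"].items():
        print(f"{v:18} {k}")
```

A match against the ServicePackFiles copy (or, better, against the file on the original SP media) is stronger evidence than a match against dllcache, since the cache lives on the same disk; "differs" does not by itself prove infection either, only that the live file is not the one Windows shipped, so that file is the one to send to a multi-engine scanner before anything gets deleted.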

5 comments:

Scott D. Strader said...

Brilliant! I was just puzzling over that this morning. Thanks for the verification.

Zorsix Electro said...

Eeps, you may have just saved me a lot of time, unless I am infected. I got up this morning and noticed I had this virus on both my XP machines after running clamwin on them both.

C:\WINDOWS\ServicePackFiles\i386\userinit.exe: Trojan.Agent-119428 FOUND

C:\WINDOWS\system32\userinit.exe: Trojan.Agent-119428 FOUND

Found the same errors on both machines. Do you know by chance if they're both false positives?

I think I might have to start a section on veroy.com dedicated to this kind of thing cuz you're the only site where I found anything relevant to this, after actually going through my registry for a couple of hours. I found this post on a whim. I hope very much it's correct.

Richard said...

Same experience here. Since ClamWin does seem to have a habit of doing this, I submit the contents of ClamWin's quarantine folder to http://www.virustotal.com before deleting anything. If virustotal shows that only ClamWin detects a virus I just assume it's a false positive.

Bernie Wojcik said...

We use CSA (with Clam embedded) and about a dozen machines came up with the problem, and a handful of them had a variety of other spyware/malware but nothing consistent other than the userinit.exe: Trojan.Agent. In a few cases replacing userinit worked after disabling system restore, and in other cases uninstalling and reinstalling (with AV disabled) was the only option.

kdericson said...

I have found several of my clients' machines unable to boot (logon/logoff loop) with the userinit.exe having been moved to the clamwin quarantine folder. Additionally, however, I also have to edit the registry to remove an extraneous comma (",") at the end of the userinit path as listed in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit. I use the Trinity Rescue Kit to copy the userinit.exe file to the proper location and to edit the registry.
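The logon/logoff loop described in the comment above happens because Winlogon finds nothing runnable in the Userinit value once userinit.exe has been moved to quarantine. This added example (my code, not the post's or the commenter's) checks a captured Userinit value offline: it lists which comma-separated entries resolve to an existing file, which are missing, and how many are empty. The stock XP value itself ends with a comma, so an empty trailing entry is reported separately rather than treated as an error; what actually matters is whether userinit.exe is present. The `exists` callable is injected so the check runs against a value copied off a dead machine; `read_live_userinit` uses the standard `winreg` module and only works on Windows.

```python
import ntpath
import os

# Key holding the Userinit value (path from the comment above)
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def parse_userinit(value):
    """Split the REG_SZ into its comma-separated entries, keeping empty
    entries so a trailing comma stays visible to the caller."""
    return [entry.strip().strip('"') for entry in value.split(",")]


def check_userinit(value, exists=os.path.isfile):
    """Classify each Userinit entry.  'missing' entries are the ones that
    produce the immediate logoff; 'extra' lists anything that is not
    userinit.exe, which is worth a look but is not an error by itself."""
    entries = parse_userinit(value)
    present, missing, extra = [], [], []
    for e in entries:
        if not e:
            continue
        (present if exists(e) else missing).append(e)
        if ntpath.basename(e).lower() != "userinit.exe":
            extra.append(e)
    return {
        "entries": entries,
        "present": present,
        "missing": missing,
        "extra": extra,
        "empty_entries": sum(1 for e in entries if not e),
        "ok": bool(present) and not missing,
    }


def read_live_userinit():
    """Read the real value from the registry; Windows only, so winreg is
    imported lazily to keep the offline check usable elsewhere."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        return winreg.QueryValueEx(key, "Userinit")[0]


if __name__ == "__main__":
    # Constructed sample: the XP default value, checked against a box where
    # userinit.exe has been quarantined (exists() always says no).
    print(check_userinit(r"C:\WINDOWS\system32\userinit.exe,", exists=lambda p: False))
```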