Windows, Clamwin and trojans – oh my!

20 07 2009

ClamWin serious F/P again

ClamWin has developed two new false positives (F/Ps) in the latest signature update, one not so serious and one very serious. If you still haven't set ClamWin to report only, I strongly urge you to do so:

C:\Program Files\NetMeeting\cb32.exe: Trojan.Waledac-389 FOUND
C:\WINDOWS\system32\dllcache\cb32.exe: Trojan.Waledac-389 FOUND
C:\WINDOWS\system32\dllcache\userinit.exe: Trojan.Agent-119464 FOUND
C:\WINDOWS\system32\userinit.exe: Trojan.Agent-119464 FOUN

As before, if you do have ClamWin quarantine these instead of just reporting them, you can restore them from the quarantine folder (just rename each file to remove the “.infected” suffix and put it back where it belongs). If you have ClamWin automatically delete them (NO! NO! NO!), you’ll need to restore them from the Service Pack files (you did download the ISOs for the SPs, right?).
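A small checker for that restore step, added here as an example and not code from the original post or from ClamWin: it parses the report lines shown above, looks for each file's “<name>.infected” copy in the quarantine folder (the naming the post describes, assumed to hold for every file), and only reports a copy as safe to put back when its SHA-256 matches a hash you took yourself from a trusted source such as the Service Pack ISO. The report, quarantine files and reference hashes in `demo()` are constructed stand-ins.

```python
import hashlib
import re
import tempfile
from pathlib import Path
# One ClamWin report line, e.g. C:\WINDOWS\system32\userinit.exe: Trojan.Agent-119464 FOUND
REPORT_LINE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

def parse_report(text):
    """Return (original_path, signature) for every FOUND line in a report."""
    hits = []
    for line in text.splitlines():
        m = REPORT_LINE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits

def check_quarantined(hits, quarantine_dir, reference_hashes):
    """Map each hit to '<basename>.infected' in the quarantine folder (the naming the
    post describes; assumed to hold for every file) and compare its SHA-256 with a
    trusted reference from the SP media: 'restore', 'mismatch' or 'missing'."""
    verdicts = {}
    for path, _sig in hits:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        q = Path(quarantine_dir) / (name + ".infected")
        if not q.is_file():
            verdicts[path] = "missing"   # e.g. ClamWin deleted it outright
        elif hashlib.sha256(q.read_bytes()).hexdigest() == reference_hashes.get(name):
            verdicts[path] = "restore"   # matches the known-good copy: false positive
        else:
            verdicts[path] = "mismatch"  # do not put this one back
    return verdicts

# Constructed sample report reusing the signature names from the post.
SAMPLE_REPORT = """\
C:\\WINDOWS\\system32\\dllcache\\userinit.exe: Trojan.Agent-119464 FOUND
C:\\WINDOWS\\system32\\userinit.exe: Trojan.Agent-119464 FOUND
C:\\Program Files\\NetMeeting\\cb32.exe: Trojan.Waledac-389 FOUND
"""

def demo():
    """Check a throwaway quarantine folder of constructed stand-in files."""
    good = b"MZ constructed stand-in for the genuine userinit.exe"
    with tempfile.TemporaryDirectory() as q:
        (Path(q) / "userinit.exe.infected").write_bytes(good)
        (Path(q) / "cb32.exe.infected").write_bytes(b"MZ constructed tampered cb32.exe")
        reference = {"userinit.exe": hashlib.sha256(good).hexdigest(),
                     "cb32.exe": hashlib.sha256(b"MZ constructed genuine cb32.exe").hexdigest()}
        return check_quarantined(parse_report(SAMPLE_REPORT), q, reference)
```

Both userinit.exe copies come back as “restore” because their quarantined bytes match the reference, while the cb32.exe stand-in does not and is flagged “mismatch”.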

In this case the F/Ps are occurring on Windows XP (all versions) and Windows Server 2003 (all versions); ClamWin hasn’t shown the same F/Ps on my Vista machine yet.

I am running into the same sort of issue; on one machine (so far) Malwarebytes shows an actual infection. Not much to add.
2 responses

20 07 2009

What infection is MBAM showing?

20 07 2009
Bernie Wojcik

We use CSA (with Clam embedded) and about a dozen machines came up with the problem, and a handful of them had a variety of other spyware/malware but nothing consistent other than the userinit.exe: Trojan.Agent. In a few cases replacing userinit worked after disabling system restore, and in other cases uninstalling and reinstalling (with AV disabled) was the only option. Posted this on your blog as well…
