hkcmd.exe Trojan?

Discussion in 'malware problems & news' started by luvhirez, May 22, 2005.

Thread Status:
Not open for further replies.
  1. luvhirez

    luvhirez Registered Member

    Joined:
    May 13, 2005
    Posts:
    87
    Location:
    Melbourne
    Hi,
    I just did a scan with ewido with the current database,
    and it came up with "TrojanDropper.Agent.le". It was the file hkcmd.exe in the system32 directory. I did a Google search for hkcmd.exe and found nothing at all about any trojans; it had a security risk of 0. It is meant to be an Intel graphics driver file.
    I also searched for trojandropper.agent.le and found absolutely nothing.
    I have cleaned it and quarantined it, and the file is no longer in the sys32 dir.

    Can anybody tell me anything about this?

    Please help.
    Thanks
     
  2. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    Should be a false positive :( Will be fixed. :)
    Edit: fixed :)
     
    Last edited: May 22, 2005
  3. luvhirez

    luvhirez Registered Member

    Joined:
    May 13, 2005
    Posts:
    87
    Location:
    Melbourne
    Hi fish25,

    Is it an error? SORRY, I just saw your edit :D

    If so, what should I do?
    The trojan was found in

    system32\hkcmd.exe
    system32\reinstallbackups\0015\driverfiles\hkcmd.exe
    and 2 in a system restore point

    Do I need to restore them?

    Is this trojan also called trojandownloader.agent.le?
    I did receive a popup which resembled this trojan, as found with a Google search.
     
  4. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    Yes, simply restore the files... Sorry for the inconvenience!
     
  5. luvhirez

    luvhirez Registered Member

    Joined:
    May 13, 2005
    Posts:
    87
    Location:
    Melbourne
    Hi fish25,
    Sorry for being a little paranoid,
    I did spot some weird behaviour from my computer not long before I did this scan, similar to what happens with the trojan "trojandownloader.agent.le".
    I got a pop-up saying that my computer was infected and to download a program by selecting download. My computer is usually squeaky clean. I never get popups or anything.
    Is it possible that the trojan could have used this file?
    Can I send the sample anywhere? If so, how do I do it?

    cheers :)
     
  6. luvhirez

    luvhirez Registered Member

    Joined:
    May 13, 2005
    Posts:
    87
    Location:
    Melbourne
    I did a search on my computer for hkcmd.exe
    and there were still 2 there in IBM files, so it didn't get all of them. That brings me to the question: what is different about those 2 files? How come they didn't get flagged?
     
  7. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
  8. luvhirez

    luvhirez Registered Member

    Joined:
    May 13, 2005
    Posts:
    87
    Location:
    Melbourne
    How do I send them from quarantine?
     
  9. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    The files are located in "ewido\security suite\Quarantine". Unfortunately, they are not named like the infections, so better send them all :)
     
  10. luvhirez

    luvhirez Registered Member

    Joined:
    May 13, 2005
    Posts:
    87
    Location:
    Melbourne
    Sent :)

    Thanks, fish25
     
  11. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    Nothing but a false positive ;)
     