Jump to content

bitsadmin.exe - false positive as Trojan.Agent


tsbulldog

Recommended Posts

I ran a Quick Scan of my system and it came up clean. But, then I decided to run a Full Scan (for kicks, since, in Malwarebyte's developer Bruce Harrison's recent interview on BestTechie.net he so strongly endorsed the effectiveness of mbam's QuickScan when he said he rarely runs the Full Scan) and it turned up a true, false positive.

The file that got flagged as Trojan.Agent was C:\Program Files\Support Tools\bitsadmin.exe - Microsoft's Background Intelligent Transfer Service (BITS) Administration Utility - that happened to be included in the Windows XP SP2 Pro Support Tools (KB838079) that I installed last year. A Google search turned up some info about a similarly named file, but with "!I!" prefixed on the file name.

After running the Full Scan again to generate the "/developer" log a second file A0094844.exe (in System Restore) showed up as well, flagged also as Trojan.Agent. What I want to know is whether this file is also a false positive, or actually a piece of malware (?????). Thanks for your input.

Here's my scan log:

Malwarebytes' Anti-Malware 1.30

Database version: 1316

Windows 5.1.2600 Service Pack 3

10/24/2008 11:51:22 PM

mbam-log-2008-10-24 (23-51-19).txt

Scan type: Full Scan (C:\|)

Objects scanned: 112763

Time elapsed: 23 minute(s), 58 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Program Files\Support Tools\bitsadmin.exe (Trojan.Agent) -> No action taken. [4134524130538380756679153472707985130166261769206624192321242026716667256918716

66771252368192420662323]

C:\System Volume Information\_restore{ABE1D2C9-703B-4C03-AA3B-F9A310D64BDA}\RP454\A0094844.exe (Trojan.Agent) -> No action taken. [4134524130538380756679153472707985130166261769206624192321242026716667256918716

66771252368192420662323]

Link to post
Share on other sites

http://64.233.169.104/search?q=cache:MPYGu...;cd=3&gl=us

This must already be being used by malware to bypass firewalls and is why it got added .

I hate files like this because fixing the FP will make the bad guys happy .

I am going to try something that should allow the file to miss detection but only if it is being used where it should be used from . There is nothing I can do about the SVI hit , that will still hit but because it is only in a restore point it wont be breaking the actual tool .

I will look into this some more and if it is causeing problems still I might have to delist it .

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.