Buffalo

False Positive internat.exe


During the extra and heuristics scan, Winnit\System32\internat.exe is found as a Trojan Agent in my Win2000Pro SP4 system.

It is a MS file dated 1999 and it is a Keyboard Language Indicator Applet, version 5.0.2920.0.

The log is:

Malwarebytes' Anti-Malware 1.33

Database version: 1725

Windows 5.0.2195 Service Pack 4

2/4/2009 9:00:50 AM

mbam-log-2009-02-04 (09-00-50).txt

Scan type: Quick Scan

Objects scanned: 45818

Time elapsed: 1 minute(s), 27 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

I:\WINNT\system32\internat.exe (Trojan.Agent) -> Not selected for removal. [3857535134305383807566791534727079851301422761564247475361849084857078201961747

985708379668515708970]

Got the same thing today. Did an online analysis with jotti and virustotal - file was found not infected. Emailed the zipped file to MB. Waiting for their response.


It showed up on my boss' computer, as well. I tried removing it, but it comes back the next time I scan, so I opened up c:\winnt\system32\ in Explorer and deleted internat.exe manually, but it respawns itself in a few seconds. I also tried overwriting it with a 0 byte text file named internat.exe and it overwrote it within a few seconds. AVG did not detect it. Here are some of its attributes:

File Version: 5.0.2920.0

Description: Keyboard Language Indicator Applet

Copyright: Copyright © Microsoft Corp. 1994-1999

Company Name: Microsoft Corporation

Internal Name: INTERNAT

Language: English (United States)

Original Filename: INTERNAT.EXE

Product Name: Microsoft® Windows ® 2000 Operating System

Product Version: 5.00.2920.0000

Size: 20.2 KB (20,752 bytes)

Size on disk: 24.0 KB (24,576 bytes)

Created: Monday, July 14, 2003, 4:00:00 AM

Modified: Monday, July 14, 2003, 4:00:00 AM

Accessed: Today, February 04, 2009, 11:09:02 AM

It is a valid file, as far as I can tell.

Looks that way to me, too, but there's nothing stopping a good virus coder from replicating that information for their replacement file.

Do not delete files like that unless you are sure they are really bad.

You can Quarantine them if you wish, because that way you can easily put them back where they belong, if necessary.

Yeah, I know. I just know this isn't an applet we use and we have other Windows 2000 Professional systems should I need to replace it, so I figured I'd delete it and restore it if necessary.

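Added example, not part of any post in this thread: since version-resource strings can be copied into a replacement file, one way to check a flagged system file is to compare its content hash with a copy from a trusted Windows 2000 install. The sketch parses the item lines of a log in the format posted here and judges each flagged file by SHA-256; the baseline dictionary, the `read_file` callback and the sample bytes are assumptions constructed for illustration.

```python
import hashlib
import re

# One flagged item in a Malwarebytes' Anti-Malware 1.3x text log, e.g.
#   C:\WINNT\system32\internat.exe (Trojan.Agent) -> No action taken. [...]
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>[^.\[]+)\.")

def parse_detections(log_text):
    """Return (section, item, detection, action) for every flagged item."""
    section, found = None, []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line.endswith(" Infected:"):      # section header, not the "...: 1" summary
            section = line[: -len(" Infected:")]
        else:
            m = ITEM_RE.match(line)
            if m:
                found.append((section, m["item"], m["name"], m["action"].strip()))
    return found

def triage(detections, read_file, known_good):
    """Judge flagged files by content hash, not by version-resource strings."""
    verdicts = {}
    for section, item, _name, _action in detections:
        if section != "Files":
            continue                          # registry values have no file body to hash
        digest = hashlib.sha256(read_file(item)).hexdigest()
        trusted = known_good.get(item.rsplit("\\", 1)[-1].lower())
        if trusted is None:
            verdicts[item] = "no baseline"
        elif digest in trusted:
            verdicts[item] = "matches known-good copy"
        else:
            verdicts[item] = "differs from known-good copy"
    return verdicts

# Constructed sample data: a shortened log and stand-in file bodies, not real binaries.
SAMPLE_LOG = r"""Files Infected: 1
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internat.exe (Trojan.Agent) -> No action taken. [0]
Files Infected:
C:\WINNT\system32\internat.exe (Trojan.Agent) -> No action taken. [0]
"""
CLEAN = b"MZ...stand-in body of a reference internat.exe"
IMPOSTOR = b"MZ...different code, same copied version strings"
BASELINE = {"internat.exe": {hashlib.sha256(CLEAN).hexdigest()}}

if __name__ == "__main__":
    hits = parse_detections(SAMPLE_LOG)
    print(triage(hits, lambda path: CLEAN, BASELINE))
    print(triage(hits, lambda path: IMPOSTOR, BASELINE))
```

A hash match only shows the file is identical to the reference copy, so the reference itself has to come from media or a machine that is already trusted.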

Hello All.

Sorry about this, our heuristics are hitting on a combination of things Trojan.Agent is known to take advantage of. Please select to ignore the file for the time being.

Database Version 1731 no longer picks it up. Thanks for the quick action.

Buffalo

It is flagged for me in Database Version 1766 (internat.exe in Win2000 SP4).


1767 will have an adjustment; I need to know if this resolves this issue.

If it does not, I need a scan log.

Nosirrah, thanks--when/where should I look for that DV?


I got this false positive with database version: 1773

Here's the log file:

Malwarebytes' Anti-Malware 1.34

Database version: 1773

Windows 5.0.2195 Service Pack 4

18.02.2009 11:32:46

mbam-log-2009-02-18 (11-32-31).txt

Scan type: Quick Scan

Objects scanned: 72081

Time elapsed: 7 minute(s), 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internat.exe (Trojan.Agent) -> No action taken. [3857535134304144385864365451513847536454523851615248395356345138614674688380848

07185615674796980888461368683837079855570838474807961518679937479857083796685157

0

8970]

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINNT\system32\internat.exe (Trojan.Agent) -> No action taken. [3857535134304144385864365451513847536454523851615248395356345138614674688380848

07185615674796980888461368683837079855570838474807961518679937479857083796685157

0

8970]

I tweaked this even further, let me know if it is completely fixed now.

It seems to be OK now.
