Is there a trojan in this file?

I am an avast user. After I set up Windows 2003 OS, I accepted a boot scan of the avast server edition. Two files were reported as having a Trojan in them: C:\windows\system32\userinit.exe and C:\windows\system32\dllcache\userinit.exe. Then I selected ignore. And when I scanned it with avast, nothing was found. But when I copied it and pasted it in another partition, F:, avast showed that there was a Trojan. The log is: sign of “Win32:Spyware-gen[trj]” has been found in “F:userinit.exe” file. Then I posted the file to www.virscan.org, and the result is this:

VirSCAN.org Scanned Report :
Scanned time : 2009/08/24 12:25:14 (CST)
Scanner results: 8%的杀软(3/37)报告发现病毒
File Name : userinit.exe
File Size : 25088 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 2ee4b34b6da4c8199da3cd18668f5504
SHA1 : 416dfc041f3633938d1db01e17ef2a50c7fae7ca
Online report : http://virscan.org/report/315ac85fb03989ddc245fd66cd086af0.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20090822190221 2009-08-22 0.33 -
安博士V3 2009.08.22.00 2009.08.22 2009-08-22 0.90 -
AntiVir 8.2.1.3 7.1.5.149 2009-08-21 0.24 -
安天 2.0.18 20090823.2728168 2009-08-23 0.12 -
Arcavir 2009 200908232012 2009-08-23 0.04 -
Authentium 5.1.1 200908231730 2009-08-23 1.34 -
AVAST! 4.7.4 090823-0 2009-08-23 0.00 Win32:Spyware-gen [Trj]
AVG 8.5.288 270.13.65/2322 2009-08-24 0.41 -
BitDefender 7.81008.3912317 7.27311 2009-08-24 3.47 -
CA (VET) 9.0.0.143 31.6.6693 2009-08-21 3.77 -
ClamAV 0.95.2 9728 2009-08-23 0.01 -
Comodo 3.10 2076 2009-08-24 0.95 -
CP Secure 1.1.0.715 2009.08.23 2009-08-23 12.23 -
Dr.Web 4.44.0.9170 2009.08.23 2009-08-23 5.29 -
F-Prot 4.4.4.56 20090823 2009-08-23 1.22 -
F-Secure 7.02.73807 2009.08.23.05 2009-08-23 0.19 -
Fortinet 2.81-3.120 10.751 2009-08-23 0.21 -
GData 19.7343/19.449 20090824 2009-08-24 6.03 Win32:Spyware-gen [Trj] [Engine:B]
ViRobot 20090822 2009.08.22 2009-08-22 0.44 -
Ikarus T3.1.01.68 2009.08.24.73341 2009-08-24 4.04 -
Jiangmin 11.0.800 2009.08.23 2009-08-23 4.25 -
kaspersky 5.5.10 2009.08.24 2009-08-24 0.17 -
Kingsoft 2009.2.5.15 2009.8.24.7 2009-08-24 0.82 -
Mcafee 5.3.00 5718 2009-08-23 3.20 -
Microsoft 1.4903 2009.08.23 2009-08-23 5.79 -
Norman 6.01.09 6.01.00 2009-08-21 4.01 -
Panda Security 9.05.01 2009.08.22 2009-08-22 0.60 -
Trend Micro 8.700-1004 6.390.01 2009-08-23 0.03 -
Quick Heal 10.00 2009.08.22 2009-08-22 1.18 -
RISING 20.0 21.44.00.00 2009-08-24 0.83 -
Sophos 2.89.1 4.44 2009-08-24 3.26 -
Sunbelt 5350 5350 2009-08-22 1.36 -
Symantec 1.3.0.24 20090823.003 2009-08-23 0.05 -
nProtect 20090823.01 5121977 2009-08-23 6.59 Trojan-Downloader/W32.Small.25088.AG
The Hacker 6.3.4.3 v00386 2009-08-22 0.73 -
VBA32 3.12.10.9 20090823.1723 2009-08-23 2.02 -
VirusBuster 4.5.11.10 10.112.14/1801590 2009-08-23 2.22 -

Hello verelife

Could you please add it to the avast chest, click email to avast and do a manual update? If it is a false positive then it’ll be fixed.

Come back.

Thank you very much! So soon!

No problem. Please tell us what you did:

Did you upload it to avast?

yes. I uploaded it two days ago. How can I know the answer?

Hi,
thank you for uploading, but I can’t find the file with this md5/sha1 (maybe it didn’t arrive), so the best way to report a false positive is to follow the link “Report as false positive…” from the “avast! Warning” window, marked in the picture below.

Thank you! I will do it soon.

This is the file information. (I sent the file from my guest OS of VMware to my host and got its md5 and sha1 here.)

文件: E:\userinit.exe
大小: 25088 字节
文件版本: 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)
修改时间: 2007年2月17日, 6:54:22
MD5: 2EE4B34B6DA4C8199DA3CD18668F5504
SHA1: 416DFC041F3633938D1DB01E17EF2A50C7FAE7CA
CRC32: 80FF4BD3

I uploaded the file as nmb said. Because my avast is the server version, I can’t see this window, and I attach the file here with another name.

Thank you!

Thank you for the direct attachment, it really is a false positive and will be fixed in the next VPS update.

If you post an attachment next time (here in the forum or by email), it’s preferred to zip it in an archive with some password, i.e. “infected” or “virus”, to prevent unpacking by antivirus during downloading.

Best regards,
Milos

Thank you for your answer and your advice. I cannot express my happiness. Thank you! It is a good forum. :slight_smile:

You are welcome, verelife. :slight_smile:

Come back if you have any problems, see ya