TechSpot

Imapi.exe, trojan or not?

By W00tW00t10
Dec 1, 2008
  1. Hi, I'm very paranoid and some stuff happened recently, such as finding a hidden application (Microsoft character encoder) named "a" on my desktop. My PC also slowed down, then the mouse stopped working, then the computer rebooted. (Might just be a hardware problem, it just happened once.)
    I scanned my PC with Ad-Aware, Spybot, avast! (more or less, it takes a whole eternity), AVG Anti-Rootkit and F-Secure's anti-rootkit. None of the programs found anything suspicious.
    I scanned the three imapi.exe files and also uploaded them to Jotti, but no malware was detected.

    Now, here's why I'm suspicious:
    I used the Kaspersky webscanner, and it told me that "imapi.exe" located in WINDOWS\system32 was a trojan named "Trojan.Win32.Starter.cu".
    I searched my computer and found imapi.exe located in system32 and two in WINDOWS\SoftwareDistribution\Download. One was located in the folder named "dd9ab5193501484cf5e6884fa1d22f9e" and the other one was located in some other randomly named folder.

    I googled the trojan name but didn't get any good matches, so I removed ".cu" and I found a link to Sophos. I tried to follow the removal methods, but I didn't find any imapi.exe-related stuff and I didn't find the HKCR folder either. (Less than 5 posts so I can't post the link, but if you still want to have a look, google Trojan.Win32.Starter and pick the Sophos link and you'll get there.)
    Anyway, once again I located the imapi.exe files, deleted them and cleared my trashbin, but the imapi.exe in system32 keeps reappearing.


    For the "too long, didn't read" people:
    Summary:
    - Kaspersky webscanner told me imapi.exe is a trojan
    - Scanned with several different anti-malware programs and also uploaded it to Jotti, but no malware was found.
    - Deleted the imapi.exe but it keeps reappearing in the system32 folder

    Do I need to be worried?
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    imapi.exe is a part of the Microsoft Windows operating system, more specifically the Image Mastering Applications Programming Interface, which is used for CD recording. This program is important for the stable and secure running of your computer and should not be terminated.

    Recommendation: imapi.exe should not be disabled; it is required for essential applications to work properly.

    http://onecare.live.com/standard/en-us/virusenc/VirusEncInfo.htm?VirusName=Trojan:Win32/Starter
     
  3. jobeard

    jobeard TS Ambassador Posts: 9,317   +618

    Unfortunately, this file is also associated with the Vundo Trojan :(

    Reportedly, SUPERAntiSpyware will remove the trojan.
     
  4. W00tW00t10

    W00tW00t10 TS Rookie Topic Starter

    Hi, thanks for the information, guys.
    I suppose it's a false alarm then? It shouldn't be the Vundo virus, right? I'm not experiencing any pop-ups or adware. Just in case, I will download the SUPERAntiSpyware program anyway, but I suppose the other anti-malware programs like Spybot and Ad-Aware should also be able to find Vundo, right?
     
Topic Status:
Not open for further replies.
