php.malware.magento.588.UNOFFICIAL FOUND can'remove
leonep


Joined: 31 May 2018
Posts: 2
Every day my daily scan reports to me:

/home/USER/logs/USER.org-May-2018.gz: {HEX}php.malware.magento.588.UNOFFICIAL FOUND
/home/USER/logs/USER.org-May-2018.gz: Removed.
/home/USER/logs/USER.it-May-2018.gz: {HEX}php.malware.magento.588.UNOFFICIAL FOUND
/home/USER/logs/USER.it-May-2018.gz: Removed.

----------- SCAN SUMMARY -----------
Known viruses: 6544637
Engine version: 0.99.4
Scanned directories: 58793
Scanned files: 564986
Infected files: 2
Data scanned: 59258.29 MB
Data read: 58805.30 MB (ratio 1.01:1)
Time: 28593.130 sec (476 m 33 s)

CentOS 6.9, cPanel/WHM 70

Please, I need help or documentation to remove it.
thanks
GuitarBob


Joined: 09 Jul 2006
Posts: 4936
Location: USA
First, make sure this zipped file contains a virus. If you can locate the file, upload it to Virus Total and see what about 50 AVs (including our Clam AV engine) detect. If only Clam AV and a few other AVs detect it, it is probably a false positive. Virus Total should send false positive files to the AV companies so they can correct their signatures. I like to see at least 2 of these AVs detect a file: Avira, Bitdefender, Eset Nod 32, Kaspersky, and Sophos.

If the file is infected, use another AV to detect/remove it. You should be using another AV with ClamWin as your primary AV because ClamWin does not provide real-time protection. One of these free AVs will provide good detection/removal: Malwarebytes Free, Zemana Antimalware Free, Forticlient's Fortinet AV, Emsisoft Antimalware, or Windows Defender (Security Essentials on older computers). MBAM/Zemana/Emsisoft have a free trial, and Forticlient/Windows Defender are free anyway. If the AV cannot detect/remove a virus, get into Windows Safe Mode (get Safe Mode instructions on the web) and then run another scan. Not all AVs will work in Safe Mode.

If no results, try deleting the file manually from the Windows Explorer right context menu if you can find it.

If the file is infected, there might be a registry entry (or even another malware) that sets it up each time you turn on the computer. One of the AVs mentioned above should take care of this for you.

Let us know how it goes.

Regards,
leonep


Joined: 31 May 2018
Posts: 2
Unfortunately this is not a desktop PC; it is a production server.
But you're right, I must check if it is a false positive before deleting.
So I changed the clamscan option (--remove=no) and I do not delete files containing a virus.
Tomorrow, after the daily process, I will check.

thanks
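As an added example, not code from this thread, from ClamWin or from ClamAV, here is a short Python script that parses a clamscan report like the one quoted at the top of the thread and applies the triage GuitarBob describes: it separates FOUND lines from Removed lines, flags names ending in .UNOFFICIAL as third-party signatures to verify before deleting anything, and computes a SHA-256 so the file can be looked up on VirusTotal by hash. The third report line, the signature name Example.Official.Test-1 and all function names are constructed for this example; --remove=no is the clamscan option mentioned in the reply above.

```python
import hashlib
import re

# Constructed sample in the shape of the clamscan report quoted in the thread.
# The upload.php line, its signature name and the "OK" line are made up for the example.
SAMPLE_REPORT = """\
/home/USER/logs/USER.org-May-2018.gz: {HEX}php.malware.magento.588.UNOFFICIAL FOUND
/home/USER/logs/USER.org-May-2018.gz: Removed.
/home/USER/logs/USER.it-May-2018.gz: {HEX}php.malware.magento.588.UNOFFICIAL FOUND
/home/USER/logs/USER.it-May-2018.gz: Removed.
/home/USER/public_html/index.php: OK
/home/USER/public_html/upload.php: Example.Official.Test-1 FOUND

----------- SCAN SUMMARY -----------
Infected files: 3
"""

FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
REMOVED_RE = re.compile(r"^(?P<path>.+?): Removed\.$")


def is_unofficial(signature):
    """clamscan appends .UNOFFICIAL to every name loaded from a database file
    that is not one of ClamAV's own signed .cvd/.cld files (third-party sets)."""
    return signature.endswith(".UNOFFICIAL")


def parse_report(text):
    """Turn clamscan output into one record per detected file.

    Each record keeps the path, the signature name, whether the third-party
    (.UNOFFICIAL) flag is set, and whether clamscan already deleted the file.
    """
    hits = {}
    for line in text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            path, sig = m.group("path"), m.group("sig")
            hits[path] = {"path": path, "signature": sig,
                          "unofficial": is_unofficial(sig), "removed": False}
            continue
        m = REMOVED_RE.match(line)
        if m and m.group("path") in hits:
            hits[m.group("path")]["removed"] = True
    return list(hits.values())


def triage(hits):
    """Map each detected path to the action the thread recommends: verify
    third-party detections (hash lookup on VirusTotal, second opinion from
    another scanner) before deleting; official hits still get a second scanner."""
    return {h["path"]: ("verify-before-removal" if h["unofficial"] else "official-detection")
            for h in hits}


def sha256_of_bytes(data):
    """SHA-256 hex digest; VirusTotal can be searched by hash, so a private
    log file need not be uploaded to learn whether other engines know it."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk=1 << 20):
    """Streamed SHA-256 of a file on disk (large gzipped logs included)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


if __name__ == "__main__":
    for hit, action in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{action:24} {hit}")
```

Running clamscan with --remove=no, as done above, leaves the flagged files in place so this check can happen; clamscan's --move=DIR or --copy=DIR options quarantine them instead. With a gzipped access log it is worth looking at the matched content (zcat piped through grep for the pattern the signature describes), because web-server logs record the request strings attackers send, and a signature written to match PHP code in a file matches the same text in a log line just as well; that fits GuitarBob's later point that a gzipped file is not executed on the server.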
GuitarBob


Joined: 09 Jul 2006
Posts: 4936
Location: USA
Okay. For production use, you should be using a real-time AV as primary. ClamWin can serve as a backup, but it does not have enough signatures for the types/number of viruses that you are likely to encounter in a production environment.

Regards,
GuitarBob


Joined: 09 Jul 2006
Posts: 4936
Location: USA
The signature is an "unofficial" one that was not developed by the Clam AV team, so it is highly suspect as being a bad signature. Do you develop your own signatures? If so, you might want to remove it. If there is a real virus in a Gzip file, it is probably not dangerous until the file is unzipped and executed.

Regards,
ralizop


Joined: 04 Nov 2021
Posts: 1
I use the latest version of WordPress, 5.4, and also the latest version of PHP, 7.3, and MySQL.

When I scan my site with the antivirus in cPanel, it finds 3 virus warning messages like this:

cpmove_failed_mysql_dbs.1556361877/owjgrap2_retino.sql {HEX}php.malware.magento.594.UNOFFICIAL
cpmove_failed_mysql_dbs.1556361877/owjgrap2_rico2.sql {HEX}php.malware.magento.594.UNOFFICIAL
cpmove_failed_mysql_dbs.1556361877/owjgrap2_rico.sql {HEX}php.malware.magento.594.UNOFFICIAL

I tried many WordPress security and malware plugins, but none of them found anything important or related to this.


Is this message really dangerous? How can I remove this?


Last edited by ralizop on Sat Nov 06, 2021 7:31 am; edited 1 time in total
GuitarBob


Joined: 09 Jul 2006
Posts: 4936
Location: USA
If ClamWin is not your antivirus, then we cannot help here. These forums are only for ClamWin users.

If you are using ClamWin, it looks like there is an "unofficial" malware signature that detects a file. Clam AV (and therefore ClamWin) no longer supports "unofficial" signatures. I suggest you delete any unofficial signatures that are not from Clam AV.

You can upload a file to Virus Total to have it scanned with about 60 AV programs. If only 1 or 2 AVs spot malware, it is probably a false positive. I like to see at least 2 of these AVs spot something before I believe it: Avira, Bitdefender, Eset (Nod 32), Kaspersky, and Sophos.

Regards,
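An added example, not code from this thread, from ClamWin or from ClamAV, of how to act on the advice above to remove an unofficial signature: it searches the plain-text third-party database files (.ndb, .hdb, .ldb and similar) for the signature behind a detection name, after stripping the .UNOFFICIAL suffix that clamscan appends, and produces the line for a local .ign2 file, ClamAV's per-name skip list, so a single signature can be switched off without deleting a whole third-party set. The directory contents, file names and hex pattern in SAMPLE_DB are constructed; the field layouts assumed are ClamAV's documented ones (name first in .ndb and .ldb, name third in hash databases), and the function names are this example's own.

```python
from pathlib import Path

# File types third-party signature sets ship as plain text, one signature per line.
PLAIN_TEXT_EXTS = {".ndb", ".hdb", ".hsb", ".mdb", ".ldb"}
UNOFFICIAL_SUFFIX = ".UNOFFICIAL"


def stored_name(detection):
    """clamscan appends .UNOFFICIAL to names loaded from non-CVD files;
    the database file itself stores the name without that suffix."""
    if detection.endswith(UNOFFICIAL_SUFFIX):
        return detection[:-len(UNOFFICIAL_SUFFIX)]
    return detection


def line_name(filename, line):
    """Signature name on one database line, decoded by file format."""
    ext = Path(filename).suffix
    if ext == ".ndb":                    # Name:TargetType:Offset:HexPattern
        return line.split(":", 1)[0]
    if ext in (".hdb", ".hsb", ".mdb"):  # Hash:Size:Name
        parts = line.split(":")
        return parts[2] if len(parts) >= 3 else ""
    if ext == ".ldb":                    # Name;TargetDescription;LogicalExpr;Sig0;...
        return line.split(";", 1)[0]
    return ""


def locate_in_texts(files, detection):
    """files maps filename -> file contents. Returns [(filename, lineno)] for
    every plain-text line that defines the signature behind the detection."""
    wanted = stored_name(detection)
    found = []
    for fname, text in files.items():
        if Path(fname).suffix not in PLAIN_TEXT_EXTS:
            continue  # main/daily/bytecode .cvd/.cld are signed containers: never hand-edited
        for n, line in enumerate(text.splitlines(), 1):
            if line.strip() and not line.startswith("#") and line_name(fname, line) == wanted:
                found.append((fname, n))
    return found


def locate_in_dir(db_dir, detection):
    """Same search over a real database directory, e.g. /var/lib/clamav."""
    files = {p.name: p.read_text(errors="replace")
             for p in Path(db_dir).iterdir() if p.suffix in PLAIN_TEXT_EXTS}
    return locate_in_texts(files, detection)


def ign2_entry(detection):
    """One line for a local .ign2 file (for example local.ign2 in the database
    directory), which makes ClamAV skip just this signature instead of
    removing the whole third-party file it came from."""
    return stored_name(detection)


# Constructed miniature database directory; hex pattern, hash and file names are made up.
SAMPLE_DB = {
    "thirdparty.ndb": "{HEX}php.malware.magento.588:0:*:3c3f706870\n"
                      "{HEX}php.example.other.1:0:*:4141\n",
    "custom.hdb": "d41d8cd98f00b204e9800998ecf8427e:0:Local.Example.Hash\n",
    "daily.cld": "<signed container, not text; skipped by the search>",
}

if __name__ == "__main__":
    det = "{HEX}php.malware.magento.588.UNOFFICIAL"
    print(locate_in_texts(SAMPLE_DB, det))  # [('thirdparty.ndb', 1)]
    print(ign2_entry(det))                  # {HEX}php.malware.magento.588
```

On a real server, locate_in_dir pointed at the ClamAV database directory tells you which third-party file the signature lives in, which is usually enough to decide whether the whole set is wanted at all; appending the ign2_entry line to a local .ign2 file in that directory is the narrower fix when the rest of the set should stay.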