ClamWin Free Antivirus Forum Index
ClamWin Free Antivirus
Support and Discussion Forums
21 Viruses that I think most of them are false positive
yma981


Joined: 06 Jun 2008
Posts: 6
Hello

I have Fully Scanned my windows xp C: D: and E:

The result was 21 viruses. I have scanned these partitions many times with ClamWin and AVG 7.5 Free, and neither identified those files as viruses. Today's ClamWin scan resulted in 21 viruses, most or all of which I think are "false positives". Look at the scan result below:

Note:
- Microsoft Office 2007 is totally legitimate and the files are installed from MS Office DVD.
- MS Visual Studio 2005 is downloaded from the internet.
- Even bettergmail2 (Firefox extension), downloaded from the official Mozilla add-ons site, is identified as a suspect.

Please help me in this matter.

Regards



Scan Started Fri Jun 06 12:06:41 2008
-------------------------------------------------------------------------------


C:\Documents and Settings\All Users\.clamwin\quarantine\infected.bettergmail2.jar: Suspect.Zip FOUND
C:\Documents and Settings\yahya.alameddine.INTELLIGILE\Application Data\Mozilla\Firefox\Profiles\a1grnj3e.Home\extensions\bettergmail2@ginatrapani.org\chrome\bettergmail2.jar: Suspect.Zip FOUND
C:\Documents and Settings\yahya.alameddine.INTELLIGILE\Application Data\Mozilla\Firefox\Profiles\wcg6gfn2.Work.Secondary\extensions\bettergmail2@ginatrapani.org\chrome\bettergmail2.jar: Suspect.Zip FOUND
C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSO.DLL: W32.Virut.Gen.D-145 FOUND
C:\Program Files\Common Files\Microsoft Shared\VBA\VBA6\VBE6.DLL: W32.Virut.Gen.D-159 FOUND
C:\Program Files\HP\Digital Imaging\BE4CEA63-8351-4A12-9E3A-556F8B76683A\hpzcdl01.exe: W32.Virut.Gen.D-165 FOUND
C:\Program Files\HP\Digital Imaging\BE4CEA63-8351-4A12-9E3A-556F8B76683A\setup\hpzcdl01.exe: W32.Virut.Gen.D-165 FOUND
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE: W32.Virut.Gen.D-163 FOUND
C:\Program Files\Microsoft Office\Office12\excelcnv.exe: W32.Virut.Gen.D-163 FOUND
C:\Program Files\Microsoft Office\Office12\GrooveStorageMgr.dll: W32.Virut.Gen.D-148 FOUND
C:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\CompactFramework\netcfsetupv2.msi: W32.Virut.Gen.D-148 FOUND
C:\Program Files\Microsoft Visual Studio 8\SmartDevices\SDK\CompactFramework\2.0\v2.0\Debugger\BCL\System.Data.dll: W32.Virut.Gen.D-148 FOUND
C:\Program Files\Microsoft Visual Studio 8\SmartDevices\SDK\CompactFramework\2.0\v2.0\WindowsCE\wce400\armv4\NETCFv2.ppc.armv4.cab: W32.Virut.Gen.D-148 FOUND
C:\Program Files\Microsoft Visual Studio 8\SmartDevices\SDK\CompactFramework\2.0\v2.0\WindowsCE\wce500\armv4i\NETCFv2.wce5.armv4i.cab: W32.Virut.Gen.D-148 FOUND
C:\Program Files\Microsoft Visual Studio 8\SmartDevices\SDK\CompactFramework\2.0\v2.0\WindowsCE\wce500\armv4i\NETCFv2.wm.armv4i.cab: W32.Virut.Gen.D-148 FOUND
C:\Program Files\Microsoft Visual Studio 8\SmartDevices\SDK\CompactFramework\2.0\v2.0\WindowsCE\wce500\mipsii\NETCFv2.wce5.mipsii.cab: W32.Virut.Gen.D-148 FOUND
C:\Program Files\Microsoft Visual Studio 8\SmartDevices\SDK\CompactFramework\2.0\v2.0\WindowsCE\wce500\mipsiv\NETCFv2.wce5.mipsiv.cab: W32.Virut.Gen.D-148 FOUND
C:\Program Files\Microsoft Visual Studio 8\SmartDevices\SDK\CompactFramework\2.0\v2.0\WindowsCE\wce500\sh4\NETCFv2.wce5.sh4.cab: W32.Virut.Gen.D-148 FOUND
C:\Program Files\Microsoft Visual Studio 8\SmartDevices\SDK\CompactFramework\2.0\v2.0\WindowsCE\wce500\x86\NETCFv2.wce5.x86.cab: W32.Virut.Gen.D-148 FOUND
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\cffbcb973e039887155ce7e735be67e4\Microsoft.VisualStudio.EnterpriseTools.ClassDesigner.ni.dll: W32.Virut.Gen.D-144 FOUND
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.AddIn\514e98c9aa203a2983cbf329753cb9c3\System.AddIn.ni.dll: W32.Virut.Gen.D-146 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 305005
Engine version: 0.93
Scanned directories: 12548
Scanned files: 101945
Infected files: 21

Not copied: 1
Data scanned: 47231.39 MB
Time: 13214.844 sec (220 m 14 s)
--------------------------------------
Completed
--------------------------------------
alch
Site Admin

Joined: 27 Nov 2005
Posts: 1719
Thanks for alerting. It is a false positive, same result on my machine.
We will work with clamav team to get them removed asap.
yma981


Joined: 06 Jun 2008
Posts: 6
Excuse me for asking, as expected these files are OK. How can I restore them to their previous state, since for instance Excel isn't working anymore?
GuitarBob


Joined: 09 Jul 2006
Posts: 3555
Location: USA
Clam has done a mass delete of that version of Virut from its signatures. To remove/replace from quarantine, keep that scan report handy. ClamWin has renamed them in quarantine. You will have to rename each quarantined file to its original name and then put it back in its original directory location referenced in the scan report.

Regards,
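The restore step above is mechanical but error-prone by hand, so here is an added example (not ClamWin's own code) that turns a scan report into a restore plan. It assumes, from the single quarantine path quoted in the first report, that ClamWin stores a quarantined file as `<quarantine dir>\infected.<original name>`; the report excerpt is constructed from lines in this thread.

```python
import ntpath
from collections import Counter

# Quarantine folder as it appears in the first scan report of this thread.
QUARANTINE = r"C:\Documents and Settings\All Users\.clamwin\quarantine"

# Constructed excerpt of a ClamWin report (same "path: Signature FOUND" line format).
REPORT = """\
C:\\Program Files\\Microsoft Office\\Office12\\EXCEL.EXE: W32.Virut.Gen.D-163 FOUND
C:\\Program Files\\Microsoft Office\\Office12\\excelcnv.exe: W32.Virut.Gen.D-163 FOUND
C:\\Program Files\\HP\\Digital Imaging\\BE4CEA63-8351-4A12-9E3A-556F8B76683A\\hpzcdl01.exe: W32.Virut.Gen.D-165 FOUND
C:\\Program Files\\HP\\Digital Imaging\\BE4CEA63-8351-4A12-9E3A-556F8B76683A\\setup\\hpzcdl01.exe: W32.Virut.Gen.D-165 FOUND
C:\\Users\\bexz\\ntuser.dat.LOG1: Permission denied
"""


def detections(report):
    """Yield (original_path, signature) for each 'path: Signature FOUND' line;
    'Permission denied' and summary lines are not detections and are skipped."""
    for line in report.splitlines():
        if line.endswith(" FOUND"):
            path, sig = line[: -len(" FOUND")].rsplit(": ", 1)
            yield path, sig


def restore_plan(report, quarantine=QUARANTINE, prefix="infected."):
    """Map each quarantined copy back to the location the report recorded.

    Assumption (taken from the one quarantine path in the thread): the
    quarantined copy is named <prefix><basename>. When two detections share a
    basename (hpzcdl01.exe above), the quarantined copies cannot be told apart
    by name alone, so the entry is flagged ambiguous instead of guessed."""
    items = list(detections(report))
    names = Counter(ntpath.basename(p).lower() for p, _ in items)
    plan = []
    for path, sig in items:
        base = ntpath.basename(path)
        plan.append({
            "quarantined": ntpath.join(quarantine, prefix + base),
            "restore_to": path,
            "signature": sig,
            "ambiguous": names[base.lower()] > 1,
        })
    return plan


if __name__ == "__main__":
    # Print the plan as move commands for review; nothing is moved by this script.
    for step in restore_plan(REPORT):
        note = "  <- same name quarantined twice, verify size/hash first" if step["ambiguous"] else ""
        print(f'move "{step["quarantined"]}" "{step["restore_to"]}"{note}')
```

Review the printed plan before executing any of it; ambiguous entries need the file size or hash of the quarantined copies compared against a known-good install.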
scarlett_156


Joined: 06 Jun 2008
Posts: 24
Location: eastern rural Colorado (USA)
This is the reason I joined the forum just today too. All of a sudden I get all of these notices that these files--which have been on the computer for awhile and never been identified as viruses--have something wrong with them. There were quite a few. I'm glad I checked this before deleting these files.
GuitarBob


Joined: 09 Jul 2006
Posts: 3555
Location: USA
You probably should not delete a file based on an infection without verifying it with several other antivirus programs. You can upload suspect files (one at a time) to the Jotti scanning service at http://virusscan.jotti.org/ on the Web for a free scan with about 20 antiviruses. If several other AVs besides Clam spot an infection, it's probably for real.

Really good malware generally is silent, so if the same infection is spotted in several files on your hard drive during the same scan, there's a good chance it's a false positive. You should always upload files with false positives to the Clam submission page at http://cgi.clamav.net/sendvirus.cgi on the Web--tell them it is false and give the name of the false detection. You will be helping to make Clam/ClamWin a better antivirus program.

Regards,
scarlett_156


Joined: 06 Jun 2008
Posts: 24
Location: eastern rural Colorado (USA)
Thanks, I was gonna do that. I was researching the individual names of the viruses that were found on this morning's scan one by one. I will get a scan from bitdefender in a little while and see what that says, AND I will save that scan report so that I can upload it if it is showing false positives.
Need help restoring false positive quarantined files
jaeasan


Joined: 10 Jun 2008
Posts: 1
Location: Minnesota
My MS Excel is disabled and MS Word has problems following the scan.

I was able to replace the following 2 excel files, which permitted opening and reading spreadsheets, but not writing in them.
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE: W32.Virut.Gen.D-163 FOUND
C:\Program Files\Microsoft Office\Office12\excelcnv.exe: W32.Virut.Gen.D-163 FOUND

I am unable to find the location for the other files as documented in the scan report below. Please help, as I have already tried to reinstall Office, and the reinstall also does not work, and redoing the entire system is costly.
Thanks

Scan Started Sat Jun 07 01:10:32 2008
-------------------------------------------------------------------------------

C:\Documents and Settings\Jae\My Documents\Downloads\Trend Micro\Full Version of 32 Bit Trend Micro Inter Sec 2008 XP & Vista\TrendMicro_TIS-Pro_16.0_1412_x32_F\Setup\Function\32bit\169\TS-TGP.zip: W32.Virut.Gen.D-165 FOUND
C:\Program Files\Common Files\Microsoft Shared\VBA\VBA6\VBE6.DLL: W32.Virut.Gen.D-159 FOUND
C:\Program Files\Intuit\QuickBooks 2007\Components\Payroll\Setup\nozwizui.dll: W32.Virut.Gen.D-147 FOUND
C:\Program Files\Intuit\QuickBooks 2007\Components\Payroll\staging17\setup\nozwizui.dll: W32.Virut.Gen.D-147 FOUND
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE: W32.Virut.Gen.D-163 FOUND
C:\Program Files\Microsoft Office\Office12\excelcnv.exe: W32.Virut.Gen.D-163 FOUND
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Iris.Mapi.MessageSt#\5a45816c1354aa1c3aa0007b828b52f9\Iris.Mapi.MessageStore.ni.dll: W32.Virut.Gen.D-144 FOUND
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationBuildTa#\41bd82648d480ec304ea0c04034787bc\PresentationBuildTasks.ni.dll: W32.Virut.Gen.D-144 FOUND
C:\WINDOWS\Installer\$PatchCache$\Managed\00002119410000000000000000F01FEC\12.0.4518\EXCEL.EXE: W32.Virut.Gen.D-163 FOUND
C:\WINDOWS\Installer\$PatchCache$\Managed\00002119410000000000000000F01FEC\12.0.4518\MSO.DLL: W32.Virut.Gen.D-145 FOUND
C:\WINDOWS\Installer\$PatchCache$\Managed\00002119410000000000000000F01FEC\12.0.4518\VBE6.DLL: W32.Virut.Gen.D-159 FOUND
C:\WINDOWS\Installer\$PatchCache$\Managed\00002119410000000000000000F01FEC\12.0.4518\XL12CNV.EXE: W32.Virut.Gen.D-163 FOUND
C:\WINDOWS\Installer\$PatchCache$\Managed\00002119410000000000000000F01FEC\12.0.6215\EXCEL.EXE: W32.Virut.Gen.D-163 FOUND
C:\WINDOWS\Installer\$PatchCache$\Managed\00002119410000000000000000F01FEC\12.0.6215\XL12CNV.EXE: W32.Virut.Gen.D-163 FOUND
C:\WINDOWS\Installer\133fdd.msp: W32.Virut.Gen.D-163 FOUND
C:\WINDOWS\SoftwareDistribution\Download\e77f132315684b128e9532ab271ae83a\excel.cab: W32.Virut.Gen.D-163 FOUND
GuitarBob


Joined: 09 Jul 2006
Posts: 3555
Location: USA
Seems like those viruses you found were false positives from last week, and the signatures were either corrected or dropped from the signature database a day or so after they were first noticed. Make sure your ClamWin signatures are up to date. If these falsies still show up on your scans, upload the files involved (one at a time) to Clam at http://cgi.clamav.net/sendvirus.cgi on the Web. Be sure to check the false positive block on the submission form, tell them the exact name of the virus that showed up as false, and explain things in the Note block. If you have more than two submissions/files to upload, contact Luca Gibelli first at the link shown near the start of the page.

This is a good reason not to automatically quarantine any virus detected by ClamWin. If there is a false positive on an important file, you could lose it when it goes in quarantine. Set ClamWin's detection preferences to notify instead. I learned this after a false positive showed up on Winlogon and I spent a couple of days restoring my system.

Regards,
Continue to receive false positives (vbe6.dll and more)
ppoteete


Joined: 17 Feb 2009
Posts: 1
Location: Monterey, CA
/mnt/app05/c/Program Files/Dell/Lasso/bin/EMCRPTS_V28.exe: Adware.Borlander FOUND
/mnt/app05/c/Program Files/Dell/Lasso/bin/xCmd.exe: Trojan.RAdmin-19 FOUND
/mnt/app09/c/Program Files/Millennium 3/MillMeta.dll: W32.Virut.Gen.D-161 FOUND
/mnt/app03/c/Program Files/VMware/VMware Tools/VMwareService.exe: Trojan.Mybot-6508 FOUND
/mnt/tx09/c/Program Files/Common Files/Microsoft Shared/VBA/VBA6/vbe6.dll: W32.Virut.Gen.D-159 FOUND
/mnt/tx04/c/Program Files/Common Files/Microsoft Shared/VBA/VBA6/vbe6.dll: W32.Virut.Gen.D-159 FOUND
/mnt/tx08/c/Program Files/Common Files/Microsoft Shared/VBA/VBA6/vbe6.dll: W32.Virut.Gen.D-159 FOUND

I've submitted the files as a false positive online. I'm not sure what else I can do.
GuitarBob


Joined: 09 Jul 2006
Posts: 3555
Location: USA
Submitting the false positives to Clam online is about all you can do for now. With that many FPs, I think they will address it pretty quickly. Continue to do scans of those directories WITH CLAMWIN PREFERENCES SET TO REPORT ONLY. When you no longer detect them, Clam has adjusted their signatures. Give them about three days, and if you continue to get infection notices, resubmit those files. Clam's sigmakers usually handle their own false positives, so if someone is away for a while, it might take a little longer.

If you don't want to worry/work at it, you can set ClamWin preferences to exclude those files from directory scans, but you will not know when/if Clam adjusts the sigs.

Regards,
daduck


Joined: 16 Apr 2009
Posts: 1
Location: Castro Valley
So what does all this mean? Has Clamscan been updated to eliminate these false positives?
I ran a scan today and found very much the same errors. Are they false positives?

C:\Program Files\Microsoft Office\Office12\EXCEL.EXE: W32.Virut.Gen.D-163 FOUND
C:\Program Files\Microsoft Office\Office12\excelcnv.exe: W32.Virut.Gen.D-163 FOUND
C:\Program Files\MSECache\O2007Cnv\1033\O12Conv.cab: W32.Virut.Gen.D-163 FOUND
C:\WINDOWS\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\XL12CNV.EXE: W32.Virut.Gen.D-163 FOUND
C:\WINDOWS\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6215\XL12CNV.EXE: W32.Virut.Gen.D-163 FOUND
C:\WINDOWS\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\EXCEL.EXE: W32.Virut.Gen.D-163 FOUND
C:\WINDOWS\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6215\EXCEL.EXE: W32.Virut.Gen.D-163 FOUND
C:\WINDOWS\Installer\$PatchCache$\Managed\000021091A0000000000000000F01FEC\12.0.4518\VBE6.DLL: W32.Virut.Gen.D-159 FOUND
C:\WINDOWS\Installer\133c30.msp: W32.Virut.Gen.D-163 FOUND
C:\WINDOWS\Installer\148246f.msp: W32.Virut.Gen.D-163 FOUND
C:\WINDOWS\Installer\338bb14.msp: W32.Virut.Gen.D-163 FOUND
C:\WINDOWS\Installer\585b8.msp: W32.Virut.Gen.D-163 FOUND
C:\WINDOWS\Installer\66f0304.msp: W32.Virut.Gen.D-163 FOUND
C:\WINDOWS\Installer\7f8d36.msp: W32.Virut.Gen.D-163 FOUND
C:\WINDOWS\Installer\baad7b.msp: W32.Virut.Gen.D-163 FOUND
GuitarBob


Joined: 09 Jul 2006
Posts: 3555
Location: USA
It looks like false positives. There are lots of files found infected, but there are only two viruses involved. This is usually a sign of a false positive. Clam will not change a signature until you/someone uploads a file containing a false positive detection and tells them it is a false positive. The Clam upload site is at http://www.clamav.net/sendvirus/ on the web. You will be doing yourself/all ClamWin users a favor if you report the false positives and upload one of the files where each virus is detected. Put each file/virus in a separate report.

They appear to be having problems with some generic (GEN) detections with version 0.95.1.

Regards,
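The triage rule GuitarBob gives twice in this thread (many files, few distinct signatures, mostly installed vendor binaries) can be applied to a report automatically. This is an added example, not ClamWin's or ClamAV's code; the report is constructed from lines quoted above, and the verdict is only a routing hint: a genuine file infector also hits many executables, which is why suspected false positives are sent for confirmation with other engines and a ClamAV submission rather than declared clean.

```python
import re
from collections import defaultdict

# Constructed ClamWin report, assembled from detection lines quoted in this thread.
SAMPLE_REPORT = """\
Scan Started Thu Apr 16 10:00:00 2009
-------------------------------------------------------------------------------
C:\\Program Files\\Microsoft Office\\Office12\\EXCEL.EXE: W32.Virut.Gen.D-163 FOUND
C:\\Program Files\\Microsoft Office\\Office12\\excelcnv.exe: W32.Virut.Gen.D-163 FOUND
C:\\WINDOWS\\Installer\\133c30.msp: W32.Virut.Gen.D-163 FOUND
C:\\WINDOWS\\Installer\\585b8.msp: W32.Virut.Gen.D-163 FOUND
C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA6\\VBE6.DLL: W32.Virut.Gen.D-159 FOUND
C:\\Users\\bexz\\ntuser.dat.LOG1: Permission denied
C:\\Temp\\dropper.exe: Trojan.Mybot-6508 FOUND
----------- SCAN SUMMARY -----------
Infected files: 6
"""

DETECTION = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
SKIPPED = re.compile(r"^(?P<path>.+?): Permission denied$")


def parse_report(text):
    """Return ({signature: [paths]}, [paths the scanner could not read])."""
    hits, skipped = defaultdict(list), []
    for line in text.splitlines():
        if (m := DETECTION.match(line)):
            hits[m["sig"]].append(m["path"])
        elif (m := SKIPPED.match(line)):
            skipped.append(m["path"])
    return dict(hits), skipped


def triage(hits, min_files=3):
    """Thread heuristic: one signature firing on several distinct files that all
    live in vendor install locations is more likely a bad signature than an
    outbreak; anything else is treated as a real alert until proven otherwise."""
    vendor_dirs = ("c:\\program files", "c:\\windows")
    result = {}
    for sig, paths in hits.items():
        distinct = {p.lower() for p in paths}
        in_vendor = sum(p.startswith(vendor_dirs) for p in distinct)
        if len(distinct) >= min_files and in_vendor == len(distinct):
            verdict = "likely false positive: submit one sample to ClamAV, rescan with other engines"
        else:
            verdict = "investigate: confirm with other engines before trusting or dismissing"
        result[sig] = {"files": len(distinct), "in_vendor_dirs": in_vendor, "verdict": verdict}
    return result


if __name__ == "__main__":
    hits, skipped = parse_report(SAMPLE_REPORT)
    for sig, info in triage(hits).items():
        print(f"{sig}: {info['files']} file(s) -> {info['verdict']}")
    print(f"{len(skipped)} file(s) were not scanned (permission denied)")
```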
Hi, I'm new to this.
devillish tease


Joined: 28 Apr 2009
Posts: 2
I just did a scan and it said I had 5 viruses, so I googled one of them and came across this page. I'm not sure if I've copied the right part of the scan, but are these viruses or just glitches with ClamWin?
Thank you in advance for any help anyone can give me.


C:\Users\bexz\ntuser.dat.LOG1: Permission denied
C:\Windows\Installer\$PatchCache$\Managed\00002119130000000000000000F01FEC\12.0.4518\EXCEL.EXE: W32.Virut.Gen.D-163 FOUND
C:\Windows\Installer\$PatchCache$\Managed\00002119130000000000000000F01FEC\12.0.4518\XL12CNV.EXE: W32.Virut.Gen.D-163 FOUND
C:\Windows\Installer\$PatchCache$\Managed\00002119130000000000000000F01FEC\12.0.6215\EXCEL.EXE: W32.Virut.Gen.D-163 FOUND
C:\Windows\Installer\$PatchCache$\Managed\00002119130000000000000000F01FEC\12.0.6215\XL12CNV.EXE: W32.Virut.Gen.D-163 FOUND
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe.config: Permission denied
C:\Windows\panther\diagerr.xml: Permission denied
C:\Windows\panther\diagwrn.xml: Permission denied
C:\Windows\panther\UnattendGC\diagerr.xml: Permission denied
C:\Windows\panther\UnattendGC\diagwrn.xml: Permission denied
C:\Windows\security\database\secedit.sdb: Permission denied
C:\Windows\SoftwareDistribution\Download\9c50f58c375d536720c74a564e5e3daa\xlconv.cab: W32.Virut.Gen.D-163 FOUND
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0: Permission denied
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0: Permission denied
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb: Permission denied
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb: Permission denied
GuitarBob


Joined: 09 Jul 2006
Posts: 3555
Location: USA
Clam knows about the false positive on Excel-related files for Virut.Gen.D-163 and is supposed to be working on it. Whenever you get several files with the same "infection," that's often a sign of a false positive. Viruses that are designed to make their creators money by evil means generally try to be a little more stealthy than infecting every file around!

Send any other files that you think that may be false positives to Clam via their file submission page, which can be accessed at http://www.clamav.net/sendvirus/ on the web. For false positives, be sure to check the false positive block and name the virus in the comment section and tell why you think it is a false positive.

Regards,