ClamWin Free Antivirus
Support and Discussion Forums
trojan in wise installation wizard
BarbC


Joined: 02 Jul 2008
Posts: 0
Location: Waltham, MA
Hello,
Today's ClamWin scan found a trojan in the Wise Installation Wizard. I can't find this folder in c:\Program Files\Common Files. What's going on?
Thanks!

Scan Started Wed Jul 02 10:56:26 2008
-------------------------------------------------------------------------------
C:\Program Files\Common Files\Wise Installation Wizard\WISE31C348B63A94CBF8D7FD932ABB63244_7_0_1_5.MSI: Trojan.Hupigon-14371 FOUND
C:\Program Files\Lavasoft\Ad-Aware 2007\aaw2007.exe: Trojan.Hupigon-14371 FOUND
C:\Program Files\Lavasoft\Ad-Aware 2007\Registration\registration_helper.prg: Trojan.Hupigon-14371 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 334233
Engine version: 0.93.1
Scanned directories: 7031
Scanned files: 63633
Infected files: 3
Data scanned: 10396.63 MB
Time: 5651.172 sec (94 m 11 s)
--------------------------------------
Completed
--------------------------------------
Antonio S.


Joined: 20 Apr 2008
Posts: 0
Location: Italy
Hello,
I am not sure if it will work properly (I am not a tech, therefore my suggestion could not be satisfactory) but you should go to the Control Panel and on Folder Options you should enable the visualisation of hidden files. Then you should be able to see the file reported by ClamWin.

Note: Before getting rid of the files, verify they are really malware by submitting them to http://www.virustotal.com/. Files will be processed by multiple scanning engines, and if most of them spot it as infected, they probably are.

If they do not appear as malware, please notify the ClamAV team using the form on http://cgi.clamav.net/sendvirus.cgi and report it as a false positive. The Clam team is going to fix the issue shortly. User support is greatly appreciated as it makes Clam/ClamWin work better.

Hope this helps,
Antonio
no, already did that
BarbC


Joined: 02 Jul 2008
Posts: 0
Location: Waltham, MA
I set the folder options to show all the hidden folders and unchecked "hide protected operating system files," but it's still invisible.
Antonio S.


Joined: 20 Apr 2008
Posts: 0
Location: Italy
Hello,
Perhaps this tutorial may give further help:
http://www.bleepingcomputer.com/tutorials/tutorial62.html


Regards
Antonio
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
If you have the same virus spotted in several different files, it is likely a false positive, but you should verify it by scanning it with Jotti or Virus Total before you tell Clam about it via their submission form.

Regards,
E Chen


Joined: 12 May 2008
Posts: 0
Location: UK
I have had the same problem. A scan today found the following.

C:\Program Files\Common Files\Wise Installation Wizard\WISDED53B0BB67C4244AE6AD6FD3C28D1EF_7_0_2_6.MSI: Trojan.Hupigon-14371 FOUND
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisorDemo.exe: Trojan.LdPinch-3455 FOUND
C:\Program Files\Lavasoft\Ad-Aware 2007\Registration\infected_registration_helper.prg.wreck: Trojan.Hupigon-14371 FOUND
C:\Program Files\Lavasoft\Ad-Aware 2007\Registration\registration_helper.prg: Trojan.Hupigon-14371 FOUND
C:\Program Files\muvee Technologies\muvee autoProducer 6.0 - HPD\muveeapp.exe: Trojan.Hupigon-14371 FOUND
C:\ProgramData\Lavasoft\Ad-Aware 2007\update\new\Registration\registration_helper.prg.new: Trojan.Hupigon-14371 FOUND
C:\Users\All Users\Lavasoft\Ad-Aware 2007\update\new\Registration\registration_helper.prg.new: Trojan.Hupigon-14371 FOUND
C:\Users\Ian\Downloads\WISDED53B0BB67C4244AE6AD6FD3C28D1EF_7_0_2_6.MSI: Trojan.Hupigon-14371 FOUND

A scan yesterday found the same files but "infected" with another bit of malware.

C:\Program Files\Common Files\Wise Installation Wizard\WISDED53B0BB67C4244AE6AD6FD3C28D1EF_7_0_2_6.MSI: PUA.Packed.Armadillo FOUND
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisorDemo.exe: Trojan.LdPinch-3455 FOUND
C:\Program Files\Lavasoft\Ad-Aware 2007\Registration\registration_helper.prg: PUA.Packed.Armadillo FOUND
C:\Program Files\muvee Technologies\muvee autoProducer 6.0 - HPD\muveeapp.exe: PUA.Packed.Armadillo FOUND
C:\Users\Ian\Downloads\WISDED53B0BB67C4244AE6AD6FD3C28D1EF_7_0_2_6.MSI: PUA.Packed.Armadillo FOUND

I ran muveeapp.exe through one of the free scanners and only a couple of virus checkers identified malware; three identified malware in WISDED53B0BB67C4244AE6AD6FD3C28D1EF_7_0_2_6.MSI out of 33 checkers. I'm new to this: does malware mutate, or is ClamWin getting confused?

How can I be sure I've got malware? My installed Norton doesn't pick up any, neither does Adaware or Spybot (other than tracking cookies).

Thanks in anticipation of any advice.

Regards

E Chen
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
You can disregard the PUA (potentially unwanted application) detections because they are designed to be informative only and tell you if there are files on your computer that contain tools sometimes used by malware writers or if they were created with such tools. The PUA detections are turned off by default, and you should probably leave them off. Clam intends to refine the PUA detection process at some point, and they will mean more.

When you have the same infection reported in several different files, it is probably a false positive. You should verify at least one of the files, however, before doing anything. Go to either the Jotti or Virus Total scanning services on the Web and upload the file for a free scan with multiple antiviruses. If more than a couple of other antiviruses besides Clam find a file is infected, it is probably a real infection, and you can remove the file from your computer. If only a couple of them find a file is infected, it is probably a "false positive" and not a real infection. Report false positives to Clam at http://cgi.clamav.net/sendvirus.cgi on the Web by filling out the submission form. Upload a copy of the file to Clam, but before you send it, be sure to check the false positive block on the form and tell them the exact name of the virus with the false positive.

Regards,
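
The triage described in this thread, as an added example that is not part of any poster's message or of ClamWin itself: it parses "path: Signature FOUND" lines, sets PUA detections aside, flags a signature that fires under several unrelated folders as a false-positive candidate to verify, and lists files whose signature name changed between two scans. The function names, the threshold of two folders and the use of the folder below "Program Files" as a stand-in for "product" are assumptions of this sketch.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Sample input: a subset of the "path: Signature FOUND" lines quoted in the thread.
SCAN_YESTERDAY = r"""
C:\Program Files\Common Files\Wise Installation Wizard\WISDED53B0BB67C4244AE6AD6FD3C28D1EF_7_0_2_6.MSI: PUA.Packed.Armadillo FOUND
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisorDemo.exe: Trojan.LdPinch-3455 FOUND
C:\Program Files\Lavasoft\Ad-Aware 2007\Registration\registration_helper.prg: PUA.Packed.Armadillo FOUND
C:\Program Files\muvee Technologies\muvee autoProducer 6.0 - HPD\muveeapp.exe: PUA.Packed.Armadillo FOUND
"""
# The next day's scan reported the same files under a different signature name.
SCAN_TODAY = SCAN_YESTERDAY.replace("PUA.Packed.Armadillo", "Trojan.Hupigon-14371")

FOUND = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND\s*$")

def parse(log):
    """Return {path: signature} for every FOUND line; summary lines are ignored."""
    hits = {}
    for line in log.splitlines():
        m = FOUND.match(line.strip())
        if m:
            hits[m["path"]] = m["sig"]
    return hits

def triage(log, min_folders=2):
    """Group non-PUA hits by signature and mark those spread over several folders."""
    by_sig = defaultdict(set)
    for path, sig in parse(log).items():
        if sig.startswith("PUA."):          # informational only, per the thread
            continue
        parts = PureWindowsPath(path).parts
        # Assumption: the folder below "Program Files" approximates the product.
        by_sig[sig].add(parts[2] if len(parts) > 3 else parts[-1])
    return {sig: {"folders": sorted(f), "verify_as_possible_fp": len(f) >= min_folders}
            for sig, f in by_sig.items()}

def changed_signatures(old_log, new_log):
    """Files flagged in both scans whose signature name differs between them."""
    old, new = parse(old_log), parse(new_log)
    return {p: (old[p], new[p]) for p in old.keys() & new.keys() if old[p] != new[p]}

if __name__ == "__main__":
    for sig, info in triage(SCAN_TODAY).items():
        print(sig, info)
    for path, (before, after) in changed_signatures(SCAN_YESTERDAY, SCAN_TODAY).items():
        print(f"{before} -> {after}: {path}")
```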