ClamWin Free Antivirus
Support and Discussion Forums
Help with trojan.
trantula


Joined: 19 Apr 2008
Posts: 0
Hello all. I scanned my mate's computer with ClamWin Portable from PortableApps, and it said he had a trojan. Problem is I can't see it in the folder it's supposedly in and can't remove it.

I also scanned with AVG and it found nothing, so we could be looking at a false positive maybe?

ClamWin found - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP122F.tmp\mscorlib.dll: Trojan.Spy-11241 FOUND

I used VirusTotal and submitted the file path and it uploaded the file, but it had already been analyzed. I looked at the analysis here - http://www.virustotal.com/analisis/945736dbc7c0c0badb749e6d77d2cccf

As you see only 1/32 scanners identified it as bad. So is it bad or a false positive???

And as the gateway washer scanner says it's .dam, which means the file is damaged, that's probably why I couldn't see it.

To further speculate here: as ClamWin says it's a Spy Trojan, is it likely that it's a keylogger that has injected itself into a Windows process? As he says, the I/O light on his router has been flashing more than often when his computer is idle, but I think it's him being a bit paranoid and I don't think he can make that assumption. I might have to get a packet sniffer on it though, but I don't know what to look for.

If it is a keylogger then this is quite bad; his Steam account has ?50 of games on it.

Any help will be deeply appreciated. Cheers Trantula.
Theoracle117


Joined: 18 Sep 2008
Posts: 0
Location: san diego
Sorry for the late response, but it is definitely NOT a virus if all those other anti's don't detect it.
Palin004


Joined: 23 Aug 2008
Posts: 0
Location: Philippines
I also scanned my PC with ClamWin 0.94 and it found several viruses. But after scanning, no heal option was there; not sure why? Here are the details.

E:\boboy folder\installer\20070314072214062_ContactsCopier_Installer.exe: Trojan.Agent-19301 FOUND

E:\boboy folder\installer\ContactsCopier_Installer.exe: Trojan.Agent-19301 FOUND

E:\boboy folder\installer\samsung\Samsung_PC_Studio_312_GCB_Setup.exe: Trojan.Agent-19301 FOUND

E:\boboy folder\installer\Samsung_PC_Studio.exe: Trojan.Agent-19301 FOUND

E:\Ragnarok val\GameGuard\NPSCAN.DES: Trojan.Mmust FOUND

----------- SCAN SUMMARY -----------

Known viruses: 430821

Engine version: 0.94

Scanned directories: 626

Scanned files: 34728

Infected files: 5



Data scanned: 7774.05 MB

Time: 3585.375 sec (59 m 45 s)

--------------------------------------

Completed

--------------------------------------
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
ClamWin doesn't heal viruses/malware. It identifies malware from its signature database and either Reports, Removes, or Quarantines the file that contains the signature, as you have selected for the Infected Files Option in ClamWin's General Preferences. You shouldn't bother with Remove--in case you get a "false positive" (not a real virus) in an important Windows file, if it is removed, you might lose access to the Windows system. So Report or Quarantine are your best options, and I use Report because you could still lose access to a Windows file if it is placed in Quarantine.

Frequently, when you get the same virus in several files, it is a false positive, which is a file that ClamWin thinks contains a virus but it really doesn't. Anyway, you should verify any files that ClamWin finds are infected. You can upload the file to either Jotti at http://virusscan.jotti.org/ on the web or to VirusTotal at http://www.virustotal.com/ on the web and they will scan your file with multiple antivirus programs. If more than a couple of AVs besides Clam find an infection, it is probably a real infection and not a false positive, so you can manually remove the file from your computer (replace from backup if it is an important file to you). The ClamWin scan report shows the location of the file if you selected Report. You can manually remove infected files from the Quarantine directory (location is shown below the Infected Files option in ClamWin's General Preferences).

If the file is a false positive, go to http://cgi.clamav.net/sendvirus.cgi on the web and fill out the submission form and upload the file to Clam so they can take the false positive signature out of their database. Be sure to check False Positive, and give them the name of the false positive virus in the description block. This is one way we users can help make Clam/ClamWin a better antivirus--by submitting false positives and new/unknown viruses to Clam/ClamWin.

Regards,
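The verification steps GuitarBob describes, as an added example (not part of the original post and not ClamWin code): it parses detection lines in the report format quoted in this thread, groups them by signature, and applies his rule of thumb. The sample report, the per-file engine counts, the function names and the reading of "more than a couple" as more than 2 are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample: detection lines in the format of the scan reports quoted in this thread.
REPORT = r"""
E:\boboy folder\installer\ContactsCopier_Installer.exe: Trojan.Agent-19301 FOUND
E:\boboy folder\installer\Samsung_PC_Studio.exe: Trojan.Agent-19301 FOUND
E:\Ragnarok val\GameGuard\NPSCAN.DES: Trojan.Mmust FOUND
Scanned files: 34728
Infected files: 3
"""

# "<path>: <signature> FOUND"; the greedy path keeps the drive-letter colon intact.
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")
COUPLE = 2  # assumption: "more than a couple of AVs" read as more than 2


def parse_report(text):
    """Group detected file paths by signature name, ignoring summary lines."""
    by_sig = defaultdict(list)
    for line in text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            by_sig[m.group("sig")].append(m.group("path"))
    return dict(by_sig)


def triage(by_sig, other_hits):
    """other_hits: path -> number of non-Clam engines flagging it (from Jotti/VirusTotal)."""
    rows = []
    for sig, paths in sorted(by_sig.items()):
        for path in paths:
            hits = other_hits.get(path)
            if hits is None:
                verdict = "unverified: upload for a multi-engine scan first"
            elif hits > COUPLE:
                verdict = "probably real: remove manually, restore from backup"
            else:
                verdict = "likely false positive: keep file, submit to ClamAV"
            # The same signature in several files is itself a false-positive hint.
            rows.append((path, sig, len(paths) > 1, verdict))
    return rows


if __name__ == "__main__":
    found = parse_report(REPORT)
    # Constructed count, as if read off a multi-engine scan result page.
    counts = {r"E:\Ragnarok val\GameGuard\NPSCAN.DES": 0}
    for row in triage(found, counts):
        print(row)
```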
Palin004


Joined: 23 Aug 2008
Posts: 0
Location: Philippines
Sorry for the wrong interpretation, I just thought that if it's an anti-virus it has a way of removing viruses without deleting the files. Anyway, thanks for clearing it out. :)
Palin004


Joined: 23 Aug 2008
Posts: 0
Location: Philippines
Sorry, forgot to mention that I scanned an mp4 player with Clam 0.93.1; it was able to detect a script virus (can't remember the exact details) and there was a heal option after scanning the mp4 player. The script virus was also detected by AVG 8.0 free edition, but it was not able to heal the virus. The virus was healed by ClamWin; that's why I was expecting the heal option after the scanning. This time I did run other anti-virus programs and they weren't able to detect the viruses I posted, so probably you're right that it was just a false positive. Thanks again. :)
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I'm glad you got the problem solved. There is no heal option in ClamWin. If you see one, you must be running something else besides the official, stand-alone ClamWin. Clam/ClamWin devote all their code to detection. The cure code (and some stuff is too hard to cure) would bloat the programs, and you would wind up with another Norton!

Dr. Web's free Cureit program, available for download at http://www.freedrweb.com/cureit/ on the web is pretty good at cleaning up current infections. You don't have to install it--just put it on your desktop and run it--keep it updated whenever you run it and it tells you to.

Regards,
Antonio S.


Joined: 20 Apr 2008
Posts: 0
Location: Italy
Hello,
Presently ClamWin has no 'heal' options. It can be set (on the Preferences tab) to report, quarantine or delete the file which is being detected as infected.

Mine is just a guess, but probably ClamWin has moved the file to quarantine; so if the player just works as usual, it is likely the file was not giving much trouble to the MP4 device.

However, if you are looking for some free malware removal tools, have a look at the Anti Malware Resources page on ClamWin's site. This may give extra help.

Regards,
Antonio

Update: Sorry all, Bob is faster than me at posting back; he did it while I was typing the reply :D