This topic is locked: you cannot edit posts or make replies.
Sudden malware or false positives?
davebit


Joined: 18 Jan 2016
Posts: 28
Location: America
ClamWin today reported a bunch of malware FOUND while previously had not, and most of these look like normal programs from trusted sources.

I'll look through each one later today but it could take me hours; can someone advise?

C:\Users\Dave\Desktop\ClamScanLog.txt
00903: C:\HP Universal Print Driver\pcl6-x64-6.0.0.18849\hpcu175u.cab: Win.Adware.Browsefox-12346 FOUND
00905: C:\Program Files\Android\Android Studio\lib\libpty\win\x86\libwinpty.dll: Win.Adware.Browsefox-12535 FOUND
00906: C:\Program Files\Android\Android Studio\lib\libpty\win\x86\winpty-agent.exe: Win.Adware.Browsefox-12535 FOUND
00907: C:\Program Files\Android\Android Studio\lib\libpty\win\xp\libwinpty.dll: Win.Adware.Browsefox-12535 FOUND
00908: C:\Program Files\Android\Android Studio\lib\libpty\win\xp\winpty-agent.exe: Win.Adware.Browsefox-12535 FOUND
00909: C:\Program Files\Oracle\VirtualBox\VBoxGuestAdditions.iso: Win.Adware.Agent-59030 FOUND
00910: C:\Program Files (x86)\Agilo\uninstall.exe: Win.Adware.Agent-59030 FOUND
00911: C:\Program Files (x86)\Arora\uninst.exe: Win.Adware.Agent-59032 FOUND
00912: C:\Program Files (x86)\Common Files\Apple\Apple Application Support\JavaScriptCore.dll: Win.Adware.Browsefox-12945 FOUND
00913: C:\Program Files (x86)\Common Files\Apple\Apple Application Support\WebKit.dll: Win.Adware.Browsefox-12823 FOUND
00914: C:\Program Files (x86)\Common Files\Windows Live\.cache\80873ef81cf5d2009\WLXSuite.msi: Win.Adware.Browsefox-12994 FOUND
00915: C:\Program Files (x86)\Steam\amf\mcl-windesktop32.dll: Win.Trojan.Ramnit-8022 FOUND
00916: C:\Program Files (x86)\Steam\bin\gameoverlayui.dll: Win.Adware.Browsefox-12346 FOUND
00917: C:\Program Files (x86)\Steam\v8.dll: Win.Adware.Browsefox-12346 FOUND
00918: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRead.msi: Win.Adware.Browsefox-12824 FOUND
03330: C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRead.msi: Win.Adware.Browsefox-12824 FOUND
05742: C:\Users\Dave\AppData\Local\Apps\2.0\28LMGM8X.YBW\2C067VN3.KV3\gith..tion_317444273a93ac29_0003.0000_12384c781d7f8ad4\GitHub.exe: Win.Adware.Browsefox-12346 FOUND
05743: C:\Users\Dave\AppData\Local\Apps\2.0\28LMGM8X.YBW\2C067VN3.KV3\gith..tion_317444273a93ac29_0003.0000_328216539257acd4\GitHub.exe: Win.Adware.Browsefox-12346 FOUND
05764: C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\nt5nzi2w.default-1441286678254\cache2\entries\8FD400E0424753D70232AA3BCCF31FF28AE6BFB7: Win.Adware.Browsefox-12346 FOUND
05765: C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\nt5nzi2w.default-1441286678254\cache2\entries\B27FFE6E190C1C47E24D34AC86BFE555B1A83DAA: Win.Adware.Browsefox-12346 FOUND
05766: C:\Users\Dave\AppData\LocalLow\Sun\Java\JRERunOnce.exe: Win.Adware.Softpulse-215 FOUND
05767: C:\Users\Dave\AppData\Roaming\Mozilla\Firefox\Profiles\nt5nzi2w.default-1441286678254\gmp-eme-adobe\15\eme-adobe.dll: Win.Adware.Browsefox-12968 FOUND
05768: C:\Users\Dave\Development\Android\Stencyl-full.exe: Win.Adware.Agent-59030 FOUND
05769: C:\Users\Dave\Development\fiddler4setup.exe: Win.Adware.Agent-59030 FOUND
05770: C:\Users\Dave\Development\Games\GameSalad-Creator-Setup.exe: Win.Adware.Agent-59030 FOUND
05771: C:\Users\Dave\Development\PHP\Eclipse\PDT\Projects\dhinged\coreftplite.exe: Win.Adware.Agent-59030 FOUND
05772: C:\Users\Dave\Development\win-sshfs-0.0.1.5-setup.exe: Win.Adware.Agent-59030 FOUND
05773: C:\Users\Dave\Documents\Games\Duke_Nukem_3D-1.0.exe: Win.Adware.Agent-59030 FOUND
05774: C:\Users\Dave\Documents\Games\Shadow_Warrior-1.0.exe: Win.Adware.Agent-59030 FOUND
05775: C:\Users\Dave\Documents\Network\Wireshark-win64-2.0.0.exe: Win.Adware.Agent-59030 FOUND
05776: C:\Users\Dave\Downloads\7z922.exe: Win.Adware.Agent-59030 FOUND
05777: C:\Users\Dave\Downloads\Arora 0.10.0-1 Installer.exe: Win.Adware.Agent-59032 FOUND
05778: C:\Users\Dave\Downloads\chromeinstall-7u67.exe: Win.Adware.Softpulse-215 FOUND
05779: C:\Users\Dave\Downloads\GwxControlPanelSetup.exe: Win.Adware.Agent-59030 FOUND
05780: C:\Users\Dave\Downloads\mirc743.exe: Win.Adware.Agent-59030 FOUND
05781: C:\Users\Dave\Downloads\Network\proXPN-4.2.2-install.exe: Win.Adware.Agent-59030 FOUND
05782: C:\Users\Dave\Downloads\openvpn-install-2.3.4-I002-x86_64 (1).exe: Win.Adware.Agent-59030 FOUND
05783: C:\Users\Dave\Downloads\openvpn-install-2.3.4-I002-x86_64.exe: Win.Adware.Agent-59030 FOUND
05784: C:\Users\Dave\Downloads\RCATSetup.exe: Win.Adware.Agent-59030 FOUND
05785: C:\Users\Dave\Downloads\rufus-2.1.exe: Win.Adware.Softpulse-215 FOUND
05786: C:\Users\Dave\Downloads\SpaceMonger3_setup.exe: Win.Trojan.Generickd-4331 FOUND
05787: C:\Users\Dave\Downloads\wordpadfix.msi: Win.Adware.Softpulse-215 FOUND
05788: C:\Users\Dave\Music\audiograbber.zip: Win.Adware.Softpulse-215 FOUND
05789: C:\Users\Dave\Music\sc_serv2_win64-latest.exe: Win.Adware.Agent-59030 FOUND
05790: C:\Users\Dave\Music\shoutcast-dsp-2-3-5-windows.exe: Win.Adware.Agent-59030 FOUND
05792: C:\Windows\Installer\8e6d91.msi: Win.Adware.Browsefox-12824 FOUND
05793: C:\Windows\Installer\c28bb6.msi: Win.Adware.Browsefox-12994 FOUND
05805: C:\Windows\System32\DriverStore\FileRepository\hpcu175u.inf_amd64_neutral_3a55bc5c34503f8a\hpcdmc32.dll: Win.Adware.Browsefox-12346 FOUND
05808: C:\Windows\System32\spool\drivers\x64\PCC\hpcu175u.inf_amd64_neutral_3a55bc5c34503f8a.cab: Win.Adware.Browsefox-12346 FOUND
05970: C:\Windows\SysWOW64\hpcdmc32.dll: Win.Adware.Browsefox-12346 FOUND
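Added example (not part of the thread, and not ClamWin's own code): a small triage script for a ClamWin scan log like the one posted above. It parses the `NNNNN: <path>: <signature> FOUND` lines, groups hits by signature family, and flags any single signature ID that fired on files from several unrelated locations, which is the pattern you see in this log (one Browsefox ID hitting HP print drivers, Steam, GitHub and a Windows system DLL at once) and a reasonable smell test for an over-generic signature before you start uploading files. The sample log lines are adapted from the post; the "origin" heuristic (first two directories below the drive) and the spread threshold are my own assumptions, and the review order only sets priority, it does not decide the verdict.

```python
import re
import sys
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample in the layout ClamWin writes to its scan log
# (a handful of lines adapted from the log posted in this thread).
SAMPLE_LOG = r"""
00903: C:\HP Universal Print Driver\pcl6-x64-6.0.0.18849\hpcu175u.cab: Win.Adware.Browsefox-12346 FOUND
00915: C:\Program Files (x86)\Steam\amf\mcl-windesktop32.dll: Win.Trojan.Ramnit-8022 FOUND
00916: C:\Program Files (x86)\Steam\bin\gameoverlayui.dll: Win.Adware.Browsefox-12346 FOUND
00917: C:\Program Files (x86)\Steam\v8.dll: Win.Adware.Browsefox-12346 FOUND
05742: C:\Users\Dave\AppData\Local\Apps\2.0\28LMGM8X.YBW\GitHub.exe: Win.Adware.Browsefox-12346 FOUND
05786: C:\Users\Dave\Downloads\SpaceMonger3_setup.exe: Win.Trojan.Generickd-4331 FOUND
05970: C:\Windows\SysWOW64\hpcdmc32.dll: Win.Adware.Browsefox-12346 FOUND
"""

# "<line>: <path>: <signature> FOUND". The path contains "C:\" but never
# ": ", so the greedy path group is unambiguous.
LINE_RE = re.compile(r"^(\d+): (.+): (\S+) FOUND$")
SIG_RE = re.compile(r"^(?P<family>.+?)-(?P<sid>\d+)$")


@dataclass(frozen=True)
class Detection:
    line_no: int
    path: str
    signature: str

    @property
    def family(self) -> str:
        """'Win.Adware.Browsefox-12346' -> 'Win.Adware.Browsefox'."""
        m = SIG_RE.match(self.signature)
        return m.group("family") if m else self.signature


def parse_clamwin_log(text: str) -> list:
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append(Detection(int(m.group(1)), m.group(2), m.group(3)))
    return found


def origin(path: str, depth: int = 2) -> str:
    """Heuristic 'where did this file come from' key (my assumption): the
    first `depth` directories below the drive, e.g. 'Program Files (x86)\\Steam'."""
    dirs = PureWindowsPath(path).parts[1:-1]
    return "\\".join(dirs[:depth])


def summarize(dets: list, spread_threshold: int = 3) -> dict:
    """Per family: hit count, signature IDs seen, origins hit, and whether one
    signature ID alone fired on files from >= spread_threshold unrelated
    origins (an over-generic signature is the usual explanation for that)."""
    by_family = defaultdict(list)
    for d in dets:
        by_family[d.family].append(d)
    summary = {}
    for family, hits in by_family.items():
        origins_per_sig = defaultdict(set)
        for d in hits:
            origins_per_sig[d.signature].add(origin(d.path))
        summary[family] = {
            "hits": len(hits),
            "signatures": sorted(origins_per_sig),
            "origins": sorted({origin(d.path) for d in hits}),
            "wide_spread": any(len(o) >= spread_threshold for o in origins_per_sig.values()),
        }
    return summary


def review_order(summary: dict) -> list:
    """Families to look at first: anything labelled Trojan before Adware,
    then by hit count. The label sets priority only; it proves nothing."""
    return sorted(summary, key=lambda f: (0 if ".Trojan." in f else 1, -summary[f]["hits"], f))


if __name__ == "__main__":
    # Usage: python triage.py [ClamScanLog.txt]; without an argument the
    # constructed sample above is used.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    s = summarize(parse_clamwin_log(text))
    for fam in review_order(s):
        info = s[fam]
        flag = "  <- one signature ID across several unrelated locations" if info["wide_spread"] else ""
        print(f"{fam}: {info['hits']} hit(s), sigs {info['signatures']}, origins {info['origins']}{flag}")
```

The point of the "wide_spread" flag is to order the work, not to skip it: a family flagged this way is the first candidate to check against a second scanner or VirusTotal, while the Trojan hits (Ramnit, Generickd in the log) go to the front of the queue regardless, because if one of those is real the whole list changes character.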
GuitarBob


Joined: 09 Jul 2006
Posts: 4360
Location: USA
I think there is a new sigmaker at Clam AV, and he has a bit to learn. I have been getting some false positives on files I have had for some time. If you have had the file for some time, I wouldn't worry about it. It's a lot of work, but if you upload each file to Virus Total, Clam AV will probably note that it is a FP and will prepare a corrected signature.

If you are running another AV alongside ClamWin (and you should be), scan the files with it if you need some extra assurance.

Thanks for using ClamWin.

Regards,
jimimaseye


Joined: 04 Jan 2014
Posts: 95
GuitarBob wrote:
It's a lot of work, but if you upload each file to Virus Total, Clam AV will probably note that it is a FP and will prepare a corrected signature.

Don't hold your breath, though. I am sick and tired of getting similar false positives and doing the above (as well as directly reporting the false positive on the ClamAV site), and it takes them ages to rectify (days or weeks). And then another couple of days pass and then some of the same programs get detected again with a NEW virus signature.

It's endless.

Some regular contenders (for me):
Skype
Hp printer drivers
McAfee Virus Removal programs
Lipper


Joined: 31 Oct 2010
Posts: 123
Location: USA
jimimaseye wrote:
It's endless.

Some regular contenders (for me):
Skype
Hp printer drivers
McAfee Virus Removal programs


Same here, but some of my repeaters are any program from portableapps.com or Karenware, and Free Download Manager.
GuitarBob


Joined: 09 Jul 2006
Posts: 4360
Location: USA
I saw recently that about 75% of malware is now what is considered PUP/PUA--potentially unwanted programs (mostly adware related), so watch that free stuff. Even some AVs are now starting to bundle it! Some of it comes with valid digital certificates.

Regards,
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 562
Location: **UNKNOWN**
You guys can also make your own fixes for false positives in ClamWin/ClamAV, if the team takes too long to fix them. You might want to exclude directories that malware doesn't normally hit, if that helps.
GuitarBob


Joined: 09 Jul 2006
Posts: 4360
Location: USA
Below is the format for whitelisting Clam AV files that are falsely detected. Put all whitelisted files in a single Notepad or text file named Sigfile.fp and save it in the ClamWin db folder. For the Submission ID (SID), I use the 6 digit date. Put the filename preceded by an underscore at the end without any extension. This works for any malware file. Using the file size in the signature minimizes the possibility of some malware with the same file name being ignored.

MD5hash:filesize:SIDnumber_filenamenoextn

Real Example:
8fb6c6e66968ccad84ade2df9fea3a9a:18330984:012216_excel

Regards,
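Added example (mine, not from the post or from ClamWin): a script that builds and validates `.fp` whitelist lines in the layout GuitarBob describes, `MD5hash:filesize:SIDnumber_filenamenoextn`. Hashing by hand and retyping a 32-character MD5 is where these entries usually go wrong, and a malformed line never matches anything, so the parser rejects lines that do not fit the format. The `SID_name` convention and the `Sigfile.fp` filename are the poster's; the character sanitising of the name and the MMDDYY default are my own choices. One caveat from my understanding of how ClamAV applies `.fp` entries: the hash is compared against the object that actually triggered the detection, so for a hit reported inside a `.cab`, `.zip` or `.msi` you need the MD5 and size of the extracted member, not of the container.

```python
import hashlib
import re
import sys
from datetime import date
from pathlib import Path

# One .fp line in the layout used in the post above:
#   MD5hash:filesize:SIDnumber_filenamenoextn
# The third field is a free-form identifier; the SID_name convention is the
# poster's and not something ClamAV requires.
FP_RE = re.compile(r"^(?P<md5>[0-9a-f]{32}):(?P<size>\d+):(?P<name>[^:\s]+)$")


def _safe_name(stem: str) -> str:
    # Keep the identifier to characters that cannot collide with the field
    # separator or whitespace (my precaution, not a documented ClamAV rule).
    return re.sub(r"[^A-Za-z0-9._-]", "_", stem)


def fp_entry_from_bytes(data: bytes, sid: str, name: str) -> str:
    """Whitelist line for an in-memory copy of the exact bytes ClamAV hashed."""
    md5 = hashlib.md5(data).hexdigest()
    return f"{md5}:{len(data)}:{sid}_{_safe_name(name)}"


def fp_entry(path: str, sid: str = "") -> str:
    """Whitelist line for a file on disk. SID defaults to today's date as
    MMDDYY, following the poster's convention ('012216' for 22 Jan 2016)."""
    p = Path(path)
    sid = sid or date.today().strftime("%m%d%y")
    return fp_entry_from_bytes(p.read_bytes(), sid, p.stem)


def parse_fp_entry(line: str) -> tuple:
    """Validate one .fp line; raise ValueError on anything malformed so a
    typo does not silently produce an entry that never matches."""
    m = FP_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a valid .fp line: {line!r}")
    return m.group("md5"), int(m.group("size")), m.group("name")


def matches(line: str, data: bytes) -> bool:
    """Would this whitelist line cover these bytes? Both the MD5 and the
    size have to agree; a one-byte difference (e.g. a new build of the
    same program) means a fresh entry is needed."""
    md5, size, _ = parse_fp_entry(line)
    return len(data) == size and hashlib.md5(data).hexdigest() == md5


def append_to_whitelist(db_dir: str, *lines: str, filename: str = "Sigfile.fp") -> Path:
    """Append validated lines to <db_dir>/Sigfile.fp (the file the post puts
    in the ClamWin db folder), one entry per line. Every line is checked
    before anything is written so a bad entry cannot poison the file."""
    for ln in lines:
        parse_fp_entry(ln)
    target = Path(db_dir) / filename
    with target.open("a", encoding="ascii") as fh:
        for ln in lines:
            fh.write(ln.strip() + "\n")
    return target


if __name__ == "__main__":
    # Usage: python makefp.py <file> [<file> ...]  -> prints one .fp line each.
    # Without arguments it shows the line for a constructed 5-byte sample.
    if len(sys.argv) > 1:
        for arg in sys.argv[1:]:
            print(fp_entry(arg))
    else:
        print(fp_entry_from_bytes(b"hello", "012216", "hello"))
```

Run it against the file ClamWin named in the log, paste the printed line into Sigfile.fp in the db folder, and rescan that file alone to confirm the entry is picked up before relying on it. Because the entry is tied to the exact bytes, it cannot accidentally whitelist a different file that happens to share the name, which is the property GuitarBob is pointing at with the size field.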
davebit


Joined: 18 Jan 2016
Posts: 28
Location: America
The problem is I can't tell if a file is a false positive unless I look up each "malware" identified by ClamWin:

Win.Adware.Browsefox
Win.Adware.Agent
Win.Trojan.Ramnit
Win.Adware.Softpulse
Win.Trojan.Generickd

They all sound bad, but they might all just be fine (and there may be multiple instances of each with different appended numbers). The point is that ClamWin should be identifying for me what's actually bad, not me having to manually figure it out for myself every time.

I'm going to run ClamAV USB and every other anti-malware I can find, but I'm feeling like I can less rely on ClamWin now.
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 562
Location: **UNKNOWN**
Have you tried disabling PUP/PUA detections to see if these malware pieces go away? If they do, then you have your answer already. Remember that PUP/PUA are not malicious but rather a collection of unwanted software that may act in a form similar to adware.
jimimaseye


Joined: 04 Jan 2014
Posts: 95
ROCKNROLLKID wrote:
Have you tried disabling PUP/PUA detections to see if these malware pieces go away?
Where do you do that? I have checked in ClamWin Preferences and can't see anything obvious.
davebit


Joined: 18 Jan 2016
Posts: 28
Location: America
As an aside, I just downloaded Duplicate File Finder, uploaded it to virustotal.com, and it found one of the things my ClamWin found: Win.Adware.Agent-59032

https://www.virustotal.com/en/file/d2e54df1e2714c2cf8a401c248a68245d72438a15659414b4080848af392bdf0/analysis/

An online search finds this very thread, but also "File has been identified by at least one AntiVirus on VirusTotal as malicious. Installs itself for autorun at Windows startup"

http://threatinfo.net/win-adware-agent-59032-file-has-been-identified-by-at-least-one-antivirus-on-virustotal-as-malicious/

So maybe ClamWin is right and this actually is malicious, and there's more info here:

"Win.Adware.Agent is a specific detection used by Microsoft Security Essentials, Emsisoft Anti-Malware and other antivirus products to indicate and detect an adware program."

https://malwaretips.com/blogs/win-adware-agent-removal/

"Win.Adware.Agent is a program that contains adware, installs toolbars or will display pop-up advertisements on the computer." and "it's technically not a virus, but it does exhibit plenty of malicious traits, such as rootkit capabilities to hook deep into the operating system, browser hijacking, and in general just interfering with the user experience."

What I can't tell yet is if I have the option to not install this when I run the software I downloaded.
GuitarBob


Joined: 09 Jul 2006
Posts: 4360
Location: USA
You never have this option for a lot of the stuff that is forced upon us by some installers. However, you certainly have the option to uninstall a program via Windows control panel if it is installed by normal Windows installation procedures. Bleeping Computer's adware cleaner might also help.

Regards,
jimimaseye


Joined: 04 Jan 2014
Posts: 95
davebit wrote:
As an aside, I just downloaded Duplicate File Finder, uploaded it to virustotal.com, and it found one of the things my ClamWin found: Win.Adware.Agent-59032

https://www.virustotal.com/en/file/d2e54df1e2714c2cf8a401c248a68245d72438a15659414b4080848af392bdf0/analysis/

An online search finds this very thread, but also "File has been identified by at least one AntiVirus on VirusTotal as malicious. Installs itself for autorun at Windows startup"

http://threatinfo.net/win-adware-agent-59032-file-has-been-identified-by-at-least-one-antivirus-on-virustotal-as-malicious/

So maybe ClamWin is right and this actually is malicious, and there's more info here:

"Win.Adware.Agent is a specific detection used by Microsoft Security Essentials, Emsisoft Anti-Malware and other antivirus products to indicate and detect an adware program."

https://malwaretips.com/blogs/win-adware-agent-removal/

"Win.Adware.Agent is a program that contains adware, installs toolbars or will display pop-up advertisements on the computer." and "it's technically not a virus, but it does exhibit plenty of malicious traits, such as rootkit capabilities to hook deep into the operating system, browser hijacking, and in general just interfering with the user experience."

What I can't tell yet is if I have the option to not install this when I run the software I downloaded.

I'm not sure you are making a valid point there, Davebit.

What you have shown is

1. ClamAV detects Duplicate File Finder ("DFF") as malware
2. VirusTotal reports that ClamAV has detected DFF as malware - this proves nothing, it's just reporting the fact that Clam thinks it's malware (1, above)
3. The malware that ClamAV has detected it as (Win.Adware.Agent) is dangerous - again, factual but not important if you don't actually have the malware

To me this looks like a classic case of a false positive. 55 different AV solutions and only Clam thinking it's malware (which in my personal opinion is the least trusted of them all for good reason....and this justifies it)
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 562
Location: **UNKNOWN**
If you look at the description described on Virustotal by ClamAV, it says that ClamAV is detecting this as a PUA. As I said, these are more likely PUP/PUA detections. I do not believe the ClamAV team will fix any false positives related to PUP/PUA since they are optional.
jimimaseye


Joined: 04 Jan 2014
Posts: 95
ROCKNROLLKID wrote:
If you look at the description described on Virustotal by ClamAV, it says that ClamAV is detecting this as a PUA. As I said, these are more likely PUP/PUA detections. I do not believe the ClamAV team will fix any false positives related to PUP/PUA since they are optional.

An interesting point.

I have never actually looked at that page before against any of the previous 'false positives' on my genuine programs I have quoted above in previous posts. However, the pattern of 1/55 by Clam (on VirusTotal) is the same as the others. And as I type, those others have since been rectified (for the last 3 days it isn't detecting FPs).

So in the future, to prove or disprove whether they do 'fix' FP's against PUAs I shall take a closer look at that details page on Virustotal to see if my FP's are what clam thinks are genuine malwares or PUA's.