False positive on VS6sp510.cab

Monotype
Are you using the latest version of ClamWin and the latest definitions?
alch
Site Admin
Could you unpack the cab file and scan the files individually to see if there is one file that triggers the false positive?
Hankel O'Fung
I'm not sure if I can legally distribute the cabinet file, but it can be downloaded from the following URL:
https://www.mrcll.com/ftp/windows/updates/Microsoft/Visual%20Studio/Service%20Pack%205/VS6sp510.cab

I've checked that the .cab file there is identical to mine in binary. The virus definition as well as the scan engine I'm using are the latest ones.

As suggested by a poster, I've extracted the files inside the .cab archive and found that it was regtlib.exe that triggers the alarm. In an old thread in this forum,
https://forums.clamwin.com/viewtopic.php?t=292&sid=07dfa2d09214bd32592109edbe00a611
it was said that the problem arises because the regtlib.exe file is a broken executable. While I know little about broken executables, I did scan the file twice with "Detect Broken Executables" turned on or turned off, and both options give the same result (see the scan report below). So, is regtlib.exe really a broken executable or is it a problem of ClamWin/ClamAV?

BTW, I didn't get this virus alert before, when I was using some earlier (0.86 I think) version of ClamWin.

--------------------------------------
Scan started: Thu May 04 18:01:38 2006

C:\...[snip]...\VS6sp510\regtlib.exe: Trojan.Poebot-14 FOUND

-- summary --
Known viruses: 53249
Engine version: 0.88.2
Scanned directories: 14
Scanned files: 24
Infected files: 1
Data scanned: 8.68 MB
Time: 3.765 sec (0 m 3 s)

--------------------------------------
Completed
--------------------------------------
alch
Site Admin
Thanks for the additional info. I have notified the ClamAV db team and it will hopefully get fixed soon.
Hankel O'Fung
Correction: I misunderstood the old thread I noted previously. Actually someone used ClamWin to scan his files. ClamWin reported that a number of them are broken executables AND ALSO that regtlib.exe was infected with Trojan.Poebot-14. So there are two different issues in his case. The discussion there, however, doesn't reveal whether the Trojan.Poebot-14 report is really a false positive or not (but both the original poster of that thread and I think so).
P.S. I've just used VIRUSTOTAL to scan the regtlib.exe file and again, only ClamAV reports an infection.
alch
Site Admin
I've confirmed it is a false positive in regtlib.exe and notified the ClamAV team; see my post above.
Hankel O'Fung
Thanks a lot
loloyd
Thank God, it's only a false positive.
This really scared me. I was feeling especially paranoid today as my kids just played with our home PC when I was at work. For one thing, OSA9.EXE surprisingly appeared to hang at bootup consistently now whereas it posed no problem before today. So I scanned my PC only to find this similar warning:
By the way, I'm using ClamWin 0.88.2.3 and my DB version as of this writing is reported as main:38 daily:1483 Updated 25 May 2006. I tried downloading what appears to be a reliably clean copy of REGTLIB.EXE from https://www.baysidestudios.com/Developer/A011202a.cfm and then compared that with my own C:\WINDOWS\REGTLIB.EXE and FileCompare said they're the same. Incidentally, this Sophos warning also gave me the spooks: https://66.102.7.104/search?q=cache:JuledRe_QNIJ:www.sophos.com/virusinfo/analyses/trojqlowf.html+regtlib.exe&hl=en&ct=clnk&cd=2
Powered by phpBB © phpBB Group
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.