Using ClamWin from a USB. (I'm a newbie)
GuitarBob
Did you make sure to update your ClamWin signatures before scanning? How did you do this if not connected to the internet? I guess you could manually update via another computer and then copy the files to the signature (DB) directory on the USB.
If you have several files in which the same virus/malware is detected, this is often the sign of a false positive--where ClamWin detects a file as infected when it is not really infected. Viruses can use the same code/techniques as "good" files, and sometimes ClamWin catches a "good" file in error. You can upload detected files to Jotti at https://virusscan.jotti.org/en or to Virus Total at https://www.virustotal.com/ on the web, where they will check your file with multiple AV scanners--including the Clam AV engine used by Clam Win. If several other AVs say it is detected, it is probably not a false positive, and you can delete it from quarantine or wherever it is located on your computer. I like to see a couple of these scanners say it is infected before I believe it: AntiVir (Avira), Avast, Gdata, Nod32, and Sophos. You can upload false positive files (and undetected virus files also) to Clam AV at https://www.clamav.net/lang/en/sendvirus/ on the web. On the upload form, be sure to classify the detection as a false positive. Clam will correct false positive signatures or prepare signatures for undetected viruses within a couple of days. Regards,
Enrique
Thank you very much for your answer, Guitar Bob!
Regarding ClamWin signatures: do you mean the virus database? Let me explain. I am writing this now at my job, where I have an internet connection and where I downloaded the ClamWin portable version and installed it on my pen drive. After installing ClamWin on the pen drive, I tested it on this PC (at my job) and ClamWin asked me to load the virus database, which -of course- I did. Then I went home, plugged in the pen drive & did the scan there, which resulted in the above report. Tomorrow I will bring the files from the quarantine folder here and upload them to the sites you mentioned. Thanks again!
GuitarBob
That is a good way to update ClamWin's signature database, and I wanted to make sure that it was current to minimize false positives. I think the files you found were false positives, which should be cleared up in a couple of days--if someone has had a similar false detection and already uploaded one of the files to Clam AV.
If you do not have internet contact on the computer, you only have to worry about files from other sources, and most viruses are now obtained from the internet. USB drives are a common infection method, too, but I assume your antivirus at work will protect against that. Regards, and welcome to ClamWin!
Enrique
Well, here are the results from Jotti (by the way, it's a really fast & great service):
cmd.exe: malware found by 7 of 20 AVs. Among your favourites, only AntiVir found malware.
dwwin.exe: malware found by 10 of 20 AVs. Among your favourites, only Gdata found malware.
racing.exe: malware found by 6 of 20 AVs. Among your favourites, only AntiVir found malware.
RunHideenConsole: malware found by 11 of 20 AVs. Among your favourites, AntiVir & Gdata found malware.
In none of the above did Avast, Nod32 or Sophos find any malware. And, of course, ClamWin found malware in all four files. I also scanned with AVG, the AV I have on my PC at work, and it also did not find any malware (which explains why I brought those viruses from the PC at work to my PC at home). What should I do? Just let them be there in the quarantine folder, or should I try to delete them? I am a total newbie in this subject of viruses; however, I know that no matter how many times you try to delete a virus, some reappear again. Thanks again and greetings!
GuitarBob
Most of the files show an IRC bot, and there is also one Trojan Agent. They are in the Documents and Settings folder, which is a "popular" place for malware (the User directory on some other Windows machines). I think it looks like they are all infected, and you can safely remove them from quarantine.
My "rule" is not perfect, but it helps me when I work on new malware to see a couple of those AVs detect something. If 5 AVs spot something, and one of them is one of mine, it is probably a real infection. If you have 10 AVs spot something, it is probably infected--surely they can not all be wrong! One problem, however: many AVs do not have their own scanning engine--they license it from another AV. Bit Defender, Kaspersky, Virus Buster, and Ikarus are all used by other AVs. Clam Win has protection against quarantine for false positives on "good" Windows system files, but this only works on Vista and XP computers. So if you have an XP or older computer, you might want to set the infected files option to Report Only (not Quarantine/Remove) and check out any detected files manually like you did before removing them. I like the Jotti scanning service. It is faster than Virus Total because it has fewer AVs, and they may be higher quality than those on Virus Total. Virus Total does have a nice script that can be downloaded to upload a file from your desktop. Regards,
Enrique
Both at work and home PCs run XP, so I must set ClamWin in "Report only" mode.
I discovered yesterday that I had to set Windows Explorer to show system folders, in which the malware was placed. By the way, you wrote that "...but this only works on Vista and XP computers. So if you have an XP or older computer, you might want to set the infected files option to Report Only", which I did not understand well; did you mean to say "...but this only works on Vista and Seven computers"? Changing subject: I forgot to bring here to my work (and upload to Jotti) the last virus of the list (the agent): 16dbe1.msi. Just one little question more: are these warnings normal?
WARNING: Can't open file C:\hiberfil.sys: Permission denied
WARNING: Can't open file C:\pagefile.sys: Permission denied
WARNING: Can't open file C:\WINDOWS\system32\CatRoot2\tmp.edb: Permission denied
WARNING: Can't open file C:\WINDOWS\system32\config\default: Permission denied
WARNING: Can't open file C:\WINDOWS\system32\config\SAM: Permission denied
WARNING: Can't open file C:\WINDOWS\system32\config\SECURITY: Permission denied
WARNING: Can't open file C:\WINDOWS\system32\config\software: Permission denied
WARNING: Can't open file C:\WINDOWS\system32\config\system: Permission denied
I guess those are system files that are protected by Windows, which does not let them be opened. Am I right? Thanks for your BIG help!
GuitarBob
"By the way, you wrote that '...but this only works on Vista and XP computers. So if you have an XP or older computer, you might want to set the infected files option to Report Only', which I did not understand well; did you mean to say: '...but this only works on Vista and Seven computers'?"
Yes--I meant Vista and Windows 7 computers--sorry for the mistake.
"Changing subject: I forgot to bring here to my work (and upload to Jotti) the last virus of the list (the agent): 16dbe1.msi"
I do not see many viruses hiding in the .msi extension, but check it out anyway.
"Just one little question more: are these warnings normal?
WARNING: Can't open file C:\hiberfil.sys: Permission denied
WARNING: Can't open file C:\pagefile.sys: Permission denied
WARNING: Can't open file C:\WINDOWS\system32\CatRoot2\tmp.edb: Permission denied
WARNING: Can't open file C:\WINDOWS\system32\config\default: Permission denied
WARNING: Can't open file C:\WINDOWS\system32\config\SAM: Permission denied
WARNING: Can't open file C:\WINDOWS\system32\config\SECURITY: Permission denied
WARNING: Can't open file C:\WINDOWS\system32\config\software: Permission denied
WARNING: Can't open file C:\WINDOWS\system32\config\system: Permission denied
I guess those are system files that are protected by Windows, which does not let them be opened. Am I right?"
Hiberfil and pagefile are normally permission denied. The others are probably okay. I am always a little suspicious of those generic file names, however, like security, system, etc. See if you can upload to check. If not, you might get into Safe Mode (F8 upon bootup) and rescan to see what happens. Regards,
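To make the "which warnings are normal" question above repeatable, here is an added example (not code from the thread or from the ClamWin project) that reads a ClamWin/clamscan report, separates FOUND detections from "Permission denied" warnings, and flags only those locked files that are not among the ones Windows itself keeps open while running (hibernation file, page file, registry hives, the CatRoot2 database). The report text, the detection paths and the signature names are constructed for the example; the format of the FOUND lines follows clamscan's `path: SignatureName FOUND` output.

```python
import re
from typing import Dict, List

# Constructed sample report. The WARNING lines are the ones quoted in the
# thread; the FOUND lines, paths and signature names are made up.
SAMPLE_REPORT = """\
WARNING: Can't open file C:\\hiberfil.sys: Permission denied
WARNING: Can't open file C:\\pagefile.sys: Permission denied
WARNING: Can't open file C:\\WINDOWS\\system32\\config\\SAM: Permission denied
WARNING: Can't open file C:\\WINDOWS\\system32\\CatRoot2\\tmp.edb: Permission denied
WARNING: Can't open file C:\\Temp\\locked.dat: Permission denied
C:\\Documents and Settings\\user\\cmd.exe: Trojan.IRCBot.Constructed FOUND
C:\\Documents and Settings\\user\\Local Settings\\16dbe1.msi: Trojan.Agent.Constructed FOUND
C:\\Program Files\\app\\readme.txt: OK
"""

# Files a running Windows XP keeps exclusively open, so a user-mode scanner
# cannot read them. A locked file outside this set deserves a second look
# (for example a rescan from Safe Mode, as suggested in the thread).
EXPECTED_LOCKED = re.compile(
    r"^[A-Z]:\\(hiberfil\.sys|pagefile\.sys"
    r"|WINDOWS\\system32\\config\\(default|SAM|SECURITY|software|system)"
    r"|WINDOWS\\system32\\CatRoot2\\tmp\.edb)$",
    re.IGNORECASE,
)

FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
WARN_RE = re.compile(r"^WARNING: Can't open file (?P<path>.+): Permission denied$")


def triage_report(text: str) -> Dict[str, List]:
    """Split a scan report into detections, expected locked files and
    unexpected access failures that should be re-checked."""
    result = {"detections": [], "expected_locked": [], "unexpected_locked": []}
    for line in text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            result["detections"].append((m.group("path"), m.group("sig")))
            continue
        m = WARN_RE.match(line)
        if m:
            path = m.group("path")
            key = "expected_locked" if EXPECTED_LOCKED.match(path) else "unexpected_locked"
            result[key].append(path)
    return result


if __name__ == "__main__":
    for category, items in triage_report(SAMPLE_REPORT).items():
        print(category, items)
```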
Enrique
Many thanks!
Powered by phpBB © phpBB Group
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.