ClamWin Free Antivirus
Support and Discussion Forums
All Clear but still keep getting 20 Infected files on rescan
Sam11119


Joined: 04 May 2011
Posts: 0
Location: Sydney
I downloaded a Trojan on the weekend through a fake MS removal program.
After starting my computer in safe mode I scanned first with Malwarebytes & Spybot and managed to get rid of most of it.
After doing a system restore, my computer seemed to be operating normally.
I then checked it by doing a ClamWin scan which revealed some hidden Trojans which were quarantined and others which were highlighted + false positives.
I deleted the quarantined files and not the highlighted ones.
I then rescanned my computer with Microsoft essentials, Trojan hunter, Trojan remover and Malwarebytes again and they all say no problems.
I uploaded the ClamWin suspicious files (Highlighted & False Positive) to Jotti and they all came up perfect.
But when I rescan with ClamWin I still get 20 infected files.
Previous to me getting the Trojans the results were always 0.

Why do I still get 20 infected files on scan when all methods say it is good?
How do I get back to 0 infected files please.


Summary of files below

C:\Program Files\Common Files\Windows Live\.cache\d64e96901cbd7ff0c\crt90.msi: Trojan.GenericFF-1 FOUND
C:\Program Files\Google\Update\1.3.21.53\GoogleCrashHandler.exe: Trojan.Agent-204 FOUND
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE: W32.Virut.Gen.D-163 FOUND
C:\Program Files\Microsoft Office\Office12\excelcnv.exe: W32.Virut.Gen.D-163 FOUND
C:\Program Files\Microsoft Office\Office12\OUTLFLTR.DLL: Trojan.GenericFF-1 FOUND
C:\Program Files\Microsoft Office\Office12\SSGEN.DLL: Trojan.GenericFF-1 FOUND
C:\Users\Sam Lucic\AppData\Local\Google\Update\1.3.21.53\GoogleCrashHandler.exe: Trojan.Agent-204 FOUND
C:\Windows\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\OUTLFLTR.DLL: Trojan.GenericFF-1 FOUND
C:\Windows\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\SSGEN.DLL: Trojan.GenericFF-1 FOUND
C:\Windows\Installer\$PatchCache$\Managed\00002119A30000000000000000F01FEC\12.0.4518\OUTLFLTR.DLL: Trojan.GenericFF-1 FOUND
C:\Windows\Installer\$PatchCache$\Managed\00002119A30000000000000000F01FEC\12.0.6425\OUTLFLTR.DLL: Trojan.GenericFF-1 FOUND
C:\Windows\Installer\1a4604b.msp: W32.Virut.Gen.D-163 FOUND
C:\Windows\Installer\1a460b9.msp: W32.Virut.Gen.D-163 FOUND
C:\Windows\SoftwareDistribution\Download\2e20b1c504c73996816224b4ec45d00a91fd37c0: Trojan.GenericFF-1 FOUND
C:\Windows\SoftwareDistribution\Download\d6b2fddbac6f7a21fe694fe571fd6446e98f1665: Trojan.GenericFF-1 FOUND
C:\Windows\System32\spool\drivers\w32x86\3\dopdfui6.dll: Trojan.GenericFF-1 FOUND
C:\Windows\System32\spool\drivers\w32x86\dopdfui6.dll: Trojan.GenericFF-1 FOUND
C:\Windows\winsxs\x86_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_ecdf8c290e547f39\vcomp90.dll: Trojan.GenericFF-1 FOUND
C:\Windows\winsxs\x86_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.30729.4148_none_80b7c8a91e9dd16a\vcomp90.dll: Trojan.GenericFF-1 FOUND
C:\Windows\winsxs\x86_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.30729.5570_none_80bb811d1e9a4ed2\vcomp90.dll: Trojan.GenericFF-1 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 952475
Engine version: 0.96
Scanned directories: 41599
Scanned files: 245401
Infected files: 20

Not copied: 17
Data scanned: 41098.95 MB
Data read: 60957.01 MB (ratio 0.67:1)
Time: 12467.691 sec (207 m 47 s)

The following files are Digitally Signed by Microsoft and have been incorrectly detected as viruses:
C:\Windows\System32\drivers\USBCAMD.sys: [Trojan.GenericFF-1] FALSE POSITIVE FOUND
C:\Windows\System32\drivers\USBCAMD2.sys: [Trojan.GenericFF-1] FALSE POSITIVE FOUND
C:\Windows\System32\DriverStore\FileRepository\netw2.inf_cfad6bd0\NETw2v32.sys: [Trojan.GenericFF-1] FALSE POSITIVE FOUND
C:\Windows\System32\DriverStore\FileRepository\netw5v32.inf_19ca124c\NETw5v32.sys: [Trojan.GenericFF-1] FALSE POSITIVE FOUND
C:\Windows\System32\wscript.exe: [Trojan.GenericFF-1] FALSE POSITIVE FOUND
C:\Windows\winsxs\x86_microsoft-windows-scripting_31bf3856ad364e35_6.0.6001.18000_none_486853160059f17b\wscript.exe: [Trojan.GenericFF-1] FALSE POSITIVE FOUND
C:\Windows\winsxs\x86_microsoft-windows-scripting_31bf3856ad364e35_6.0.6001.18068_none_482f75de008363d9\wscript.exe: [Trojan.GenericFF-1] FALSE POSITIVE FOUND
C:\Windows\winsxs\x86_microsoft-windows-scripting_31bf3856ad364e35_6.0.6001.22175_none_48ab41df19abd38f\wscript.exe: [Trojan.GenericFF-1] FALSE POSITIVE FOUND
C:\Windows\winsxs\x86_microsoft-windows-scripting_31bf3856ad364e35_6.0.6002.18005_none_4a53cc21fd7bbcc7\wscript.exe: [Trojan.GenericFF-1] FALSE POSITIVE FOUND
C:\Windows\winsxs\x86_microsoft-windows-usbcamd_31bf3856ad364e35_6.0.6002.18005_none_a173da9c755cd9a9\USBCAMD.sys: [Trojan.GenericFF-1] FALSE POSITIVE FOUND
C:\Windows\winsxs\x86_microsoft-windows-usbcamd_31bf3856ad364e35_6.0.6002.18005_none_a173da9c755cd9a9\USBCAMD2.sys: [Trojan.GenericFF-1] FALSE POSITIVE FOUND
Please do not be alarmed and help us by submitting the files identified above as FALSE POSITIVE at https://www.clamav.net/sendvirus/
--------------------------------------
Completed
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Those generic/gen files are most assuredly false positive (FP) detections. Make sure you are using the newest version (.97 of ClamWin). If you are using something older, then download version .97 and rescan. New versions can sometimes eliminate some FPs. If you still have FPs, then upload at least one file to Clam AV for each separately-named false detection. I would upload all Virut false positive file detections. On the upload form for each file, change the description from Virus to False Positive. Clam AV should correct their signatures within a couple of days. In the meantime, you can exclude each falsely-detected file from future scans via ClamWin's exclude filter (filename.extension).

Regards,
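An added example, not part of the original posts and not ClamWin's own code: a parser for the scan-report layout quoted in this thread that applies the advice above (check the engine version, submit at least one file per signature name and every Virut hit, and list the names for the exclude filter). The sample report is constructed, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the ClamWin report quoted in this thread
# (paths shortened; not a real scan).
SAMPLE_REPORT = r"""
C:\Program Files\Google\Update\GoogleCrashHandler.exe: Trojan.Agent-204 FOUND
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE: W32.Virut.Gen.D-163 FOUND
C:\Program Files\Microsoft Office\Office12\SSGEN.DLL: Trojan.GenericFF-1 FOUND
C:\Windows\Installer\1a4604b.msp: W32.Virut.Gen.D-163 FOUND
Engine version: 0.96
Infected files: 4
C:\Windows\System32\wscript.exe: [Trojan.GenericFF-1] FALSE POSITIVE FOUND
"""

# "<path>: <sig> FOUND" or "<path>: [<sig>] FALSE POSITIVE FOUND".
# The greedy path group takes the last ": " on the line as the separator.
DETECTION = re.compile(
    r"^(?P<path>.+): \[?(?P<sig>[^\]\s]+)\]?(?P<fp> FALSE POSITIVE)? FOUND$")
ENGINE = re.compile(r"^Engine version: (?P<ver>[\d.]+)$")

def parse_report(text):
    """Return (engine_version, {signature: [(path, clamwin_marked_fp), ...]})."""
    engine, by_sig = None, defaultdict(list)
    for line in map(str.strip, text.splitlines()):
        hit, ver = DETECTION.match(line), ENGINE.match(line)
        if hit:
            by_sig[hit["sig"]].append((hit["path"], bool(hit["fp"])))
        elif ver:
            engine = ver["ver"]
    return engine, dict(by_sig)

def engine_outdated(engine, newest="0.97"):
    """newest defaults to the version named in the thread; pass the current one."""
    as_tuple = lambda v: tuple(int(part) for part in v.split("."))
    return as_tuple(engine) < as_tuple(newest)

def submission_plan(by_sig):
    """Per signature: files to submit as false positives and exclude-filter names."""
    plan = {}
    for sig, hits in sorted(by_sig.items()):
        paths = [path for path, _ in hits]
        plan[sig] = {
            # Thread advice: at least one file per signature name, every Virut hit.
            "submit": paths if "Virut" in sig else paths[:1],
            # The exclude filter takes filename.extension, not the full path.
            "exclude": sorted({p.rsplit("\\", 1)[-1] for p in paths}),
        }
    return plan
```

If `engine_outdated` returns true, upgrade and rescan before submitting anything, since the detections may disappear with the newer engine.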
Sam11119


Joined: 04 May 2011
Posts: 0
Location: Sydney
Thanks for the reply.
I feel better now.
Will do what you suggested.
trojan 204 in google
tartan


Joined: 05 May 2011
Posts: 0
Location: Scotland
I also found trojan 204 in GoogleCrashHandler.exe using Clam AV on spyware terminator when I downloaded Google Earth today. And also 3 Trojan Generic FF-1. Are the Generic FF false positives?
Maybe Google have got an infected web download site. I also saw someone on another forum saying they found the trojan 204 in the same Google file on the same day. Here's my scan report:

Preparing structures
Creating System Restore Point
Quarantine GenericFF-1
Moved File: c:\Program Files (x86)\Windows Live\Mail\wlmfilter.dll
Moved File: c:\SWSETUP\APP\Prereq1\HP\Setuptools\1.18.2010\2008\vcredist_x86.exe
Moved File: c:\Windows\winsxs\x86_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_ecdf8c290e547f39\vcomp90.dll
Quarantine Agent-204
Moved File: c:\Program Files (x86)\Google\Update\1.3.21.53\GoogleCrashHandler.exe
Quarantine Heuristics.Broken.Executable
Moved File: c:\Program Files (x86)\Common Files\Windows Live\.cache\a1905521cc0cec\wlc.msi
Moved File: c:\SWSETUP\DRV\Graphics\AMD\UMAGraphics\8.702\src\Packages\Apps\VC8RTx64\vc864.msi
Moved File: c:\Users\paul\AppData\Local\Temp\AAWInstallerTemp\Ad-Aware.msi
Moved File: c:\Windows\Installer\4ce2e.msi
Moved File: c:\Windows\Installer\b912ac.msi
Moved File: c:\Windows\SoftwareDistribution\Download\cebd843912f9517dbb8e129aaa4b541af05f4047
Quarantine Invalid Startup Items
Closing System Restore Point
Done
Sam11119


Joined: 04 May 2011
Posts: 0
Location: Sydney
Hi
After I took GuitarBob's advice, i.e. uninstalled .96 ClamWin and then installed .97 followed by a rescan, all the problems went away, including 204 in GoogleCrashHandler.exe. Currently my infected files read 0.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Clam often adds increased signature detections in their new versions, and it is also in ClamWin when the developers do the Windows port. Older versions of the scan engine may not be able to process the new detections correctly. This may result in false positives when the older engine processes part of the signature but is unable to process the rest of it. This will most often happen with new heuristic/generic signatures, when an older engine processes the signature but is unable to process the "qualifier" code that tells the engine when the signature is to be applied. That is why it is important to always update to the latest version of ClamWin when it becomes available.


Regards,
*sigh*
BellaMephista


Joined: 23 May 2011
Posts: 0
I have recently downloaded ClamWin and I am getting the C:\Windows\winsxs\x86_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_ecdf8c290e547f39
as a "false positive" for a trojan virus. I have the most recent software so it seems that this might not be updated as of yet.....
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Submit the file that causes the false positive to Clam AV starting at https://www.clamav.net/lang/en/sendvirus/ on the web. When you get to the upload form, change the type of submission to "false positive" from "virus". Tell the name of the virus in the Comments section. If there is a real false positive (and not one caused by an out-of-date ClamWin version), this is the way to handle it. If the file is too large to upload, send email to Luca@clamav.net.

Regards,