maron (Joined: 09 Mar 2013, Posts: 0, Location: Sweden)
Posted: Sat Mar 09, 2013 1:20 am
Hello
I scanned my PC this week on Monday with only one infected file, tcpip.sys (false positive); this was solved with ClamWin's latest virus definition updates.
Today, Friday, I scanned my PC again with the result of 11 infected files related to Adobe Reader.
According to Jotti these are false positives. The files were moved to quarantine but restored to their default location by me, thinking they were false positives again.
Because in fact I haven't used the computer since the last scan.
The computer is running fine; the doubt is whether I have a virus or not.
Sending the scan log for you to see.
C:\Documents and Settings\All Users\Application Data\Adobe\ARM\Reader_10.1.4\4434\AcrobatUpdater.exe: Win.Trojan.Zbot-10374 FOUND
C:\Documents and Settings\All Users\Application Data\Adobe\ARM\Reader_10.1.4\4434\AdobeARMHelper.exe: Win.Trojan.Zbot-10374 FOUND
C:\Documents and Settings\All Users\Application Data\Adobe\ARM\Reader_10.1.4\4434\ReaderUpdater.exe: Win.Trojan.Zbot-10374 FOUND
C:\Documents and Settings\All Users\Application Data\Adobe\ARM\Reader_10.1.4\AdbeRdrUpd1015.msp: Win.Trojan.Zbot-10374 FOUND
C:\Documents and Settings\All Users\Application Data\Adobe\ARM\Reader_10.1.4\AdobeARM.bin: Win.Trojan.Zbot-10374 FOUND
C:\Documents and Settings\All Users\Application Data\Adobe\ARM\Reader_10.1.4\ARM.msi: Win.Trojan.Zbot-10374 FOUND
C:\Program\Adobe\Reader 10.0\Reader\plug_ins\DigSig.api: Win.Trojan.Agent-224119 FOUND
C:\Program\Adobe\Reader 10.0\Reader\plug_ins\eBook.api: Win.Trojan.Agent-224065 FOUND
C:\Program\Adobe\Reader 10.0\Reader\plug_ins3d\drvSOFT.x3d: Win.Trojan.Zbot-10338 FOUND
C:\Program\Delade filer\Adobe\ARM\1.0\AdobeARMHelper.exe: Win.Trojan.Zbot-10374 FOUND
C:\WINDOWS\Installer\18a8b.msp: Win.Trojan.Zbot-10374 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 1953826
Engine version: 0.97.6
Scanned directories: 2364
Scanned files: 33763
Infected files: 11
Data scanned: 5396.27 MB
Data read: 7759.47 MB (ratio 0.70:1)
Time: 1939.375 sec (32 m 19 s)
ClamAV update process started at Sat Mar 09 00:37:06 2013
main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
daily.cld is up to date (version: 16814, sigs: 914802, f-level: 63, builder: guitar)
bytecode.cld is up to date (version: 214, sigs: 41, f-level: 63, builder: neo)
Any tips on the procedure?
Best regards, alex
GuitarBob (Joined: 09 Jul 2006, Posts: 9, Location: USA)
Posted: Sat Mar 09, 2013 1:31 am
When you have a lot of detections of the same virus (as in that Z-bot detection), it is frequently a false positive--unless it is a file infector (a virus like Sality or Virut) instead of a trojan.
The way the automated Clam AV signatures are prepared increases the chance of false positives--particularly on Windows System files.
I suggest you upload one of those Z-bot-10374 files to Clam AV via the false positive report on the "submit a file" link on their web page. I would also report the trojans and the other Z-bot, since they are different detections. I think it might speed things up if you report them one at a time.
Regards,
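The triage rule in the reply above (many files hit by one non-file-infector signature is usually a false positive; a Sality or Virut hit is not), applied to clamscan's "path: SIGNATURE FOUND" output. This is an added example, not code from the thread or from ClamAV; the sample log is constructed, shortened from the one posted, and the Sality signature name in it is made up.

```python
import re
from collections import defaultdict

# Constructed sample in clamscan's "path: SIGNATURE FOUND" format: three lines
# modelled on the thread's log plus one made-up file-infector line for contrast.
SAMPLE_LOG = r"""
C:\Documents and Settings\All Users\Application Data\Adobe\ARM\Reader_10.1.4\4434\AcrobatUpdater.exe: Win.Trojan.Zbot-10374 FOUND
C:\Documents and Settings\All Users\Application Data\Adobe\ARM\Reader_10.1.4\4434\AdobeARMHelper.exe: Win.Trojan.Zbot-10374 FOUND
C:\Documents and Settings\All Users\Application Data\Adobe\ARM\Reader_10.1.4\ARM.msi: Win.Trojan.Zbot-10374 FOUND
C:\Program\Adobe\Reader 10.0\Reader\plug_ins\DigSig.api: Win.Trojan.Agent-224119 FOUND
C:\Temp\invoice.exe: Win.Virus.Sality-EXAMPLE FOUND
----------- SCAN SUMMARY -----------
Infected files: 5
"""

DETECTION_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
SUMMARY_RE = re.compile(r"^Infected files: (?P<n>\d+)$")
FILE_INFECTOR_HINTS = ("Sality", "Virut")  # the file infectors named in the reply

def parse_detections(log):
    """Return [(path, signature)] for every FOUND line in a clamscan log."""
    matches = (DETECTION_RE.match(line) for line in log.splitlines())
    return [(m["path"], m["sig"]) for m in matches if m]

def summary_count(log):
    """The 'Infected files' figure from the SCAN SUMMARY, or None if absent."""
    for line in log.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            return int(m["n"])
    return None

def triage(log, min_cluster=3):
    """Group FOUND lines by signature; flag clusters worth a false-positive report.

    A signature hitting min_cluster or more files is marked likely_fp unless its
    name suggests a file infector (Sality, Virut), where many hits are exactly
    what a real infection looks like. Returns {sig: {count, paths, likely_fp}}.
    """
    groups = defaultdict(list)
    for path, sig in parse_detections(log):
        groups[sig].append(path)
    report = {}
    for sig, paths in groups.items():
        infector = any(h.lower() in sig.lower() for h in FILE_INFECTOR_HINTS)
        report[sig] = {"count": len(paths), "paths": paths,
                       "likely_fp": len(paths) >= min_cluster and not infector}
    return report
```

Compare summary_count against the number of parsed detections first; a mismatch means the log was truncated or the parser missed lines, and the triage is not to be trusted.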
maron (Joined: 09 Mar 2013, Posts: 0, Location: Sweden)
Posted: Sat Mar 09, 2013 1:42 am
Thank you "GuitarBob" for the quick answer.
I will report the files to ClamAV one at a time.
Using https://www.clamav.net/lang/en/sendvirus/ "Send a false positive report":
only sending the file in quarantine, not including the .txt, right?
Have a nice weekend, GuitarBob.
Best regards, alex
GuitarBob (Joined: 09 Jul 2006, Posts: 9, Location: USA)
Posted: Sat Mar 09, 2013 3:47 am
Yes--Clam AV only needs the files. You can either insert the virus name on the false positive submit form or leave the default "unknown virus"--they will get the name when they scan your file.
The text in quarantine is to help if you want to restore the false positive file back to where it was--via the ClamWin Quarantine Browser program accessible via Start, All Programs, ClamWin, Quarantine Browser. I would just leave it there for 2 or 3 days if you don't need it. Otherwise, you will have to exclude the file from scanning and then remove the exclusion after Clam has corrected the false positive. When you can scan the file in quarantine without a ClamWin detection, they have fixed it, and you can then restore it.
Have a nice weekend, too.
Regards,