Win.Trojan.Genome-1288
GuitarBob
If a file has been on your computer for several days, and there has been no change to the original file and you suddenly get a detection, it is probably a false positive, but you should verify it just in case.
You can verify a file by uploading the file to either Jotti or Virus Total where they will scan the file with multiple AV programs, including the Clam AV scan engine used by ClamWin. If several AVs besides Clam AV detect a file as infected, it probably is infected. If there is only 1 or 2 detections besides Clam AV, then the file is probably a false positive, and you should submit the file to Clam AV at their web site so they can correct their bad signature. Regards,
steve58
Thank you for your reply.
I can't upload the file to check it out. It is in 2 files, program data and users, but when I go to them the description in the ClamWin log is nowhere to be seen.
C:\ProgramData\24036256-BFDB-4CD3-BE8A-A3D6160F2E16\D3742F82-1C1A-4DCC-ABBD-0E831C0185CC.msi: Win.Trojan.Genome-1288 FOUND
C:\Users\All Users\24036256-BFDB-4CD3-BE8A-A3D6160F2E16\D3742F82-1C1A-4DCC-ABBD-0E831C0185CC.msi: Win.Trojan.Genome-1288 FOUND
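As an added example (not code from this thread, from ClamWin or from ClamAV), here is a small Python triage script that applies the advice in the first reply to report lines like the two quoted above. It parses ClamWin/clamscan `path: signature FOUND` lines and, for every file it can actually open, records size, SHA-256 and the number of days since the file was last modified, so an old, unmodified file is flagged as a false-positive candidate and its hash can be checked on a multi-engine service (VirusTotal accepts a hash search) without uploading the file. The two sample report lines are the ones from the post above; the scratch files, the 3-day threshold and all function names are constructed for the example. One fact the script relies on that the thread does not state: on Windows Vista and later, `C:\Users\All Users` is a junction to `C:\ProgramData`, so the two lines above name one file, which grouping by hash makes visible.

```python
"""Triage a ClamWin / clamscan report (constructed example, not ClamWin code)."""
import hashlib
import os
import re
import tempfile
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

# Report line format written by clamscan and by ClamWin's log.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND\s*$")

# The two lines quoted in the thread. On Windows Vista and later C:\Users\All Users
# is a junction to C:\ProgramData, so both lines refer to the same file.
SAMPLE_REPORT = (
    r"C:\ProgramData\24036256-BFDB-4CD3-BE8A-A3D6160F2E16\D3742F82-1C1A-4DCC-ABBD-0E831C0185CC.msi: Win.Trojan.Genome-1288 FOUND" "\n"
    r"C:\Users\All Users\24036256-BFDB-4CD3-BE8A-A3D6160F2E16\D3742F82-1C1A-4DCC-ABBD-0E831C0185CC.msi: Win.Trojan.Genome-1288 FOUND" "\n"
)


@dataclass
class Detection:
    path: str
    signature: str
    exists: bool = False
    size: Optional[int] = None
    sha256: Optional[str] = None
    days_unchanged: Optional[float] = None
    verdict: str = "missing"  # "missing" | "recent" | "stale"


def parse_report(text: str) -> List[Detection]:
    """Extract (path, signature) pairs; summary and OK lines are ignored."""
    found = []
    for line in text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            found.append(Detection(m.group("path"), m.group("sig")))
    return found


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so a large installer is never read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage(report: str, min_age_days: float = 3.0, now: Optional[float] = None) -> List[Detection]:
    """Heuristic from the thread: an old, unmodified file that suddenly hits is a
    false-positive candidate ("stale"); a recently written one is not ("recent").
    A path that cannot be opened stays "missing"; on Windows that is usually a
    hidden folder such as C:\\ProgramData (use dir /a) rather than a vanished file."""
    now = time.time() if now is None else now
    results = parse_report(report)
    for det in results:
        if not os.path.isfile(det.path):
            continue
        st = os.stat(det.path)
        det.exists, det.size = True, st.st_size
        det.sha256 = sha256_file(det.path)
        det.days_unchanged = (now - st.st_mtime) / 86400.0
        det.verdict = "stale" if det.days_unchanged >= min_age_days else "recent"
    return results


def group_by_hash(dets: List[Detection]) -> Dict[str, List[str]]:
    """Collapse byte-identical detections (one file via two paths, or a copy) so
    only one hash has to be looked up on Jotti or VirusTotal."""
    groups: Dict[str, List[str]] = {}
    for det in dets:
        if det.sha256:
            groups.setdefault(det.sha256, []).append(det.path)
    return groups


def demo() -> List[Detection]:
    """Constructed run: the two thread lines (absent on this machine) plus a scratch
    file written 10 days ago that is reachable under two different paths."""
    tmpdir = tempfile.mkdtemp(prefix="clam_triage_")
    payload = b"constructed sample bytes, not a real installer"
    paths = [os.path.join(tmpdir, d, "setup.msi") for d in ("a", "b")]
    ten_days_ago = time.time() - 10 * 86400
    for p in paths:
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(payload)
        os.utime(p, (ten_days_ago, ten_days_ago))
    report = SAMPLE_REPORT + "".join(f"{p}: Win.Trojan.Genome-1288 FOUND\n" for p in paths)
    return triage(report)


if __name__ == "__main__":
    dets = demo()
    for d in dets:
        print(f"{d.verdict:8} {d.signature:24} {d.path}")
    for digest, where in group_by_hash(dets).items():
        print(f"sha256 {digest} at {len(where)} path(s): look this hash up once")
```

Run it with the real ClamWin log (`triage(open(logfile).read())`) and a "missing" verdict is the cue to look in the hidden folder with `dir /a` before concluding the file is gone; a "stale" verdict plus zero or one extra engine hit on the hash is the pattern the first reply describes as a signature worth submitting for correction.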
GuitarBob
Okay. Do you have the ClamWin infected file option set to quarantine? If it is still set to the default of report only, change it to quarantine, and then you should be able to find the file in the ClamWin quarantine folder after you scan.
If the option is already set to quarantine, do a search on Google for C:\ProgramData\24036256-BFDB-4CD3-BE8A-A3D6160F2E16\D3742F82-1C1A-4DCC-ABBD-0E831C0185CC.msi and see what you find. I have not seen very many .msi files that contain a virus, so I kind of think this is probably a false positive. Anyway, please get back here with results. Regards,
steve58
Checked Google but can't find much info.
If I quarantine it and it's a false positive, how do I get it back? Also, I am running ClamWin from a USB drive.
GuitarBob
The desktop version of ClamWin lets you use the Quarantine Restore mini-program to restore a file. You can access Quarantine Restore from Start, All Programs, ClamWin, Quarantine Browser or navigate to the ClamWin program folder/bin folder and click on Quarantine Restore to operate the restore program. I assume you also have a restore program with the USB versions as well.
If you use the Clam Sentinel program with ClamWin, you can access the restore program by using the right click menu on the Clam Sentinel system tray badge icon in the Windows system tray, select quarantine, and select Sentinel Recover. Since Clam Sentinel is a real-time scanner, you will have to Stop it before quarantining, whitelist the folder/file.extension in Sentinel's Advanced settings, and select paths or files not scanned. Then Start Sentinel again after you perform the restore with the Recover program. If the file was detected by Clam Sentinel as a "suspicious file," it will do no good to submit it to Clam AV for signature correction--Clam AV and ClamWin have nothing to do with a "suspicious file" detection. That is a Clam Sentinel detection only, and it must remain permanently as a Clam Sentinel path or file not to be scanned. Regards,
steve58
Thank you for your reply, and I will do as you suggest.
I have just run a ClamWin scan but forgot it is report only. Is there a way to get the infected file into quarantine without running the scan again? I have now changed the box to quarantine but it has not changed anything.
GuitarBob
If you can locate the folder the file is in, then you will only have to scan that folder to quarantine it. If you can go directly to that file in the folder and manually scan it (via right click mouse menu), it will be quarantined.
Regards,
steve58
I can understand that, but as I said previously, for some reason I cannot find this file on my PC. I have done a search from the Run program but nothing.
GuitarBob
The ClamWin scan report said the file is in C:\ProgramData\24036256-BFDB-4CD3-BE8A-A3D6160F2E16\D3742F82-1C1A-4DCC-ABBD-0E831C0185CC.msi. Check that.
I did a search on that and turned this up at https://us.yhs4.search.yahoo.com/yhs/search?p=24036256-BFDB-4CD3-BE8A-A3D6160F2E16%5CD3742F82-1C1A-4DCC-ABBD-0E831C0185CC.msi&hspart=att&hsimp=yhs-att_001&type=att_lego_portal_home. It appears that a malware could really have been involved--perhaps some kind of worm. Try a scan with Malwarebytes free antimalware and see if anything turns up. Update it before scanning. If nothing is found, try a scan in Windows Safe Mode (hit F8 upon bootup until you enter Safe Mode--select Safe Mode With Networking. You can't do this in Windows 8 however). If nothing is found, perhaps the worm was active in your first scan and deactivated itself upon detection. Last resort--scan with Malwarebytes free Anti-rootkit program from their web site. Download it and unzip to your desktop--it does not have to be installed. Update it before a scan and then select scan. The executable to run from the mbar folder is mbar.exe. Keep the 2 Malwarebytes programs around. If nothing is found, run a couple of scans each day with Malwarebytes antimalware--update first, and do an occasional scan with the antirootkit program for a while to see if something turns up, but the malware may no longer be on your computer. Regards,
steve58
Did everything you said and I thank you for your help. Nothing found, so I just quarantined it. It looks as if it's just a Notepad text document that was supposedly infected. Is that possible?
I uploaded the ClamWin quarantined folder to Jotti and Virus Total and they found nothing.
GuitarBob
It is probably a false positive and not a real infection then--although a creative malware writer can infect almost anything given enough knowledge, resources, time, and motivation. For infected documents, however, you mainly have to worry about Office files and rtf files--pdf infections seem to be falling off.
Regards,
Powered by phpBB © phpBB Group
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.