Chrome False Positive?
matthewjumpsoffbuildings
Some more info.
I browsed to the location and found there were 2 versions of Chrome, C:\Program Files (x86)\Google\Chrome\Application\37.0.2062.124, and C:\Program Files (x86)\Google\Chrome\Application\37.0.2062.120. I scanned chrome.dll in 37.0.2062.120 with Clamwin, Windows Security Essentials, MalwareBytes AntiMalware, and they all returned clean. I scanned chrome.dll in 37.0.2062.124 with the same tools, and all but Clamwin returned clean. I then uninstalled Chrome completely, and reinstalled it fresh and rescanned chrome.dll in the 37.0.2062.124 folder (now the only folder in there), and Clamwin still reported the same virus. Does that make it more likely a false positive?
matthewjumpsoffbuildings
I was recommended to download the Farbar Recovery Scan Tool to help diagnose the issue, but I scanned that before running it and got:
"C:\Users\Matt\Desktop\FRST64.exe: Win.Trojan.Expone FOUND"
EDIT: I uninstalled Chrome and reinstalled it using the offline mode, and got the 64-bit version this time. Rescanned with Clamwin memory scan, no viruses found...
ROCKNROLLKID
That is most likely a false positive. If you are concerned, you can scan files via VirusTotal here: https://www.virustotal.com/ If ClamAV shows up as the only one that detected it, you can submit the false positive at ClamAV support here: https://www.clamav.net/contact.html Hope this helps your problem.
Who recommended using Farbar, if you don't mind me asking? That is just a tool for diagnosing malware.
GuitarBob
Virut detections by the Clam AV scan engine used by ClamWin are often false positive detections because the signatures are usually based on a packer or something else that is common to "good" programs as well as the Virut malware. The Clam signature often detects Office and other Microsoft programs as Virut.
matthewjumpsoffbuildings
Farbar was recommended to me by "tashi", an employee on the Spybot S&D forums.
After ClamWin listed the Virut, I ran a full scan with Spybot, and the Rootkit Analyzer returned these items
I posted them to Spybot's forums since I wasn't sure if they were false positives either, and tashi recommended I download Farbar and post the results. Apparently it's standard procedure on the Spybot forums. Here https://forums.spybot.info/showthread.php?71145-RootKit-Analyzer-Deep-Scan-Results-do-I-have-a-RootKit&p=457761 is the thread if that helps.
ROCKNROLLKID
Man. I haven't used Spybot in years, back when 2.0 was still in beta and I left it because it was going downhill. The memories that program brings back. I didn't think anyone from Spybot paid attention to the ClamWin forums, considering they are with, what was it called, F-Prot? Lots of negative reviews on C-Net and FileHippo about Spybot. Too bad they didn't combine with ClamWin. That would have solved both Spybot and ClamWin's issues.
matthewjumpsoffbuildings
I just installed it after Clamwin reported the Virut.
Tbh I removed Spybot years ago when they replaced the good old 1.6 version with the new stuff, it was pretty buggy back then. I thought I'd give it another chance. I notice a lot of bad reviews, and the program does seem slower and more clunky still...
GuitarBob
We don't do any log analysis here. Check the antimalware links page on the main ClamWin web page for help.
I think Spybot is still struggling. They are using someone else's engine, I think. Malwarebytes is much better. I suggest you go with it. Regards,
chrome.dll W32.Virut.Gen.D-148
luizlmarins
### CLAMWIN ###
Scan Started Wed Oct 08 16:30:00 2014
-------------------------------------------------------------------------------
*** Scanning Programs in Computer Memory ***
---Please login as an Administrator to scan System processes loaded in computer memory---
*** Memory Scan: using ToolHelp ***
C:\Program Files\Google\Chrome\Application\37.0.2062.124\chrome.dll: W32.Virut.Gen.D-148 FOUND
*** Scanned 17 processes - 283 modules ***
*** Computer Memory Scan Completed ***
----------- SCAN SUMMARY -----------
Known viruses: 3609794
Engine version: 0.98.4.1
Scanned directories: 1
Scanned files: 300
Infected files: 1
Not copied: 1
Data scanned: 259.86 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 46.684 sec (0 m 46 s)
ROCKNROLLKID
Yep, that's a false positive, alright. If you guys could, submit the file to Virustotal here: https://www.virustotal.com/ and then submit the file and the Virustotal report to ClamAV false positive support here: https://www.clamav.net/contact.html They will come up with a fix for that.
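Added example (not part of any post in this thread, and not ClamWin or ClamAV code): a Python helper that pulls the `FOUND` lines and summary fields out of a report like the one posted above and hashes each flagged file, giving a SHA-256 to look up on VirusTotal and to quote alongside the signature name and engine version in a false-positive report. The sample report is constructed from lines quoted in the thread, and the function names are illustrative.

```python
import hashlib
import re
from pathlib import Path

# Constructed sample: detection lines quoted in this thread, merged into one
# report in the layout of the ClamWin log above (not a real scan result).
SAMPLE_REPORT = r"""
*** Memory Scan: using ToolHelp ***
C:\Program Files\Google\Chrome\Application\37.0.2062.124\chrome.dll: W32.Virut.Gen.D-148 FOUND
C:\Users\Matt\Desktop\FRST64.exe: Win.Trojan.Expone FOUND
----------- SCAN SUMMARY -----------
Known viruses: 3609794
Engine version: 0.98.4.1
Infected files: 2
"""

DETECTION = re.compile(r"^(?P<path>.+): (?P<signature>\S+) FOUND$")
SUMMARY = re.compile(r"^(?P<key>Known viruses|Engine version|Infected files): (?P<value>.+)$")

def parse_report(text):
    """Return (detections, summary) parsed from a text scan report."""
    detections, summary = [], {}
    for line in text.splitlines():
        line = line.strip()
        hit = DETECTION.match(line)
        field = SUMMARY.match(line)
        if hit:
            detections.append((hit["path"], hit["signature"]))
        elif field:
            summary[field["key"]] = field["value"]
    return detections, summary

def sha256_file(path):
    """SHA-256 of a file, or None if it is gone (quarantined or updated)."""
    target = Path(path)
    if not target.is_file():
        return None
    return hashlib.sha256(target.read_bytes()).hexdigest()

def false_positive_rows(text):
    """One row per detection: path, signature, file hash, engine version."""
    detections, summary = parse_report(text)
    # A count mismatch means the pasted log was truncated or edited.
    complete = str(len(detections)) == summary.get("Infected files")
    return [{"path": path, "signature": sig, "sha256": sha256_file(path),
             "engine": summary.get("Engine version"), "log_complete": complete}
            for path, sig in detections]
```

Run it on the machine that produced the report so the paths resolve; a `sha256` of `None` means the flagged file is no longer at that path.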
GuitarBob
It might take the Clam AV people a week or longer to correct their signature. In the meantime, whitelist the falsely-detected file in ClamWin's preferences and then restore it via the QRestore program in the ClamWin bin folder. This will keep ClamWin from detecting it again until the signature is corrected. I would give them about 3 weeks just to be sure before you delete the whitelisted file.
Regards,
Powered by phpBB © phpBB Group
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.


