ntkrnlpa & ntoskrnl .exe issue
soulestuary


Joined: 03 Mar 2008
Posts: 0
Location: USA
my problem is: after all my research into these two 'files', i don't know whether or not they are supposed to be in my computer AND whether the second scan picked them up again in the quarantine file. i have copied and pasted the logs of the only two scans i have done with clamwin. if someone could help me out a bit, i would appreciate it. i do want to participate in clamwin's development, if only thru sharing my experiences. thanks in advance
~bek~
ps: i also scanned the files at virustotal.com and posted each report it gave me after this post.



Scan Started Sat Mar 01 10:42:45 2008
-------------------------------------------------------------------------------


Scanning aborted...

----------- SCAN SUMMARY -----------
Known viruses: 218817
Engine version: 0.92
Scanned directories: 56
Scanned files: 440
Skipped non-executable files: 3
Infected files: 0
Data scanned: 57.56 MB

Scan Started Sat Mar 01 12:00:00 2008
-------------------------------------------------------------------------------

*** Scanning Programs in Computer Memory ***


*** Scanned 32 processes - 289 modules ***
*** Computer Memory Scan Completed ***

WARNING: Can't open file \\?\C:\pagefile.sys, Permission denied
C:\WINDOWS\$NtUninstallQ317277$\ntkrnlpa.exe: Trojan.Patched-1 FOUND
C:\WINDOWS\$NtUninstallQ317277$\ntkrnlpa.exe: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\infected.ntkrnlpa.exe'
C:\WINDOWS\$NtUninstallQ317277$\ntoskrnl.exe: Trojan.Patched-3 FOUND
C:\WINDOWS\$NtUninstallQ317277$\ntoskrnl.exe: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\infected.ntoskrnl.exe'
C:\WINDOWS\I386\NTOSKRNL.EX_: Trojan.Patched-3 FOUND
C:\WINDOWS\I386\NTOSKRNL.EX_: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\infected.NTOSKRNL.EX_'

----------- SCAN SUMMARY -----------
Known viruses: 218817
Engine version: 0.92
Scanned directories: 4732
Scanned files: 59651
Skipped non-executable files: 743
Infected files: 3
Data scanned: 14422.68 MB
Time: 17933.469 sec (298 m 53 s)

Scan Started Sun Mar 02 12:00:02 2008
-------------------------------------------------------------------------------

*** Scanning Programs in Computer Memory ***


*** Scanned 34 processes - 323 modules ***
*** Computer Memory Scan Completed ***

C:\Documents and Settings\All Users\.clamwin\quarantine\infected.ntkrnlpa.exe: Trojan.Patched-1 FOUND
WARNING: C:\Documents and Settings\All Users\.clamwin\quarantine\infected.ntkrnlpa.exe not moved/copied since already in quarantine
C:\Documents and Settings\All Users\.clamwin\quarantine\infected.ntkrnlpa.exe: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\infected.ntkrnlpa.exe.000'
C:\Documents and Settings\All Users\.clamwin\quarantine\infected.ntoskrnl.exe: Trojan.Patched-3 FOUND
WARNING: C:\Documents and Settings\All Users\.clamwin\quarantine\infected.ntoskrnl.exe not moved/copied since already in quarantine
C:\Documents and Settings\All Users\.clamwin\quarantine\infected.ntoskrnl.exe: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\infected.ntoskrnl.exe.000'
C:\Documents and Settings\All Users\.clamwin\quarantine\infected.NTOSKRNL.EX_: Trojan.Patched-3 FOUND
WARNING: C:\Documents and Settings\All Users\.clamwin\quarantine\infected.NTOSKRNL.EX_ not moved/copied since already in quarantine
C:\Documents and Settings\All Users\.clamwin\quarantine\infected.NTOSKRNL.EX_: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\infected.NTOSKRNL.EX_.000'
WARNING: Can't open file \\?\C:\pagefile.sys, Permission denied

----------- SCAN SUMMARY -----------
Known viruses: 218902
Engine version: 0.92
Scanned directories: 4740
Scanned files: 59719
Skipped non-executable files: 743
Infected files: 3
Not copied: 3
Data scanned: 14468.88 MB
Time: 19358.390 sec (322 m 38 s)


Last edited by soulestuary on Mon Mar 03, 2008 3:13 am; edited 1 time in total
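As an added example (not part of the original post or of ClamWin itself), a small Python parser for the ClamWin 0.92 log format quoted above. It pairs each FOUND line with its 'moved to' line, marks hits that sit in a $NtUninstall...$ hotfix backup folder, and flags hits whose path is already under the quarantine directory, which is exactly what the second scan on Mar 02 was doing. The log excerpt and the quarantine path are constructed from the thread; the function and field names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in the ClamWin 0.92 log format quoted in the thread (not a real scan).
SAMPLE_LOG = r"""
Scan Started Sat Mar 01 12:00:00 2008
WARNING: Can't open file \\?\C:\pagefile.sys, Permission denied
C:\WINDOWS\$NtUninstallQ317277$\ntkrnlpa.exe: Trojan.Patched-1 FOUND
C:\WINDOWS\$NtUninstallQ317277$\ntkrnlpa.exe: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\infected.ntkrnlpa.exe'
C:\WINDOWS\$NtUninstallQ317277$\ntoskrnl.exe: Trojan.Patched-3 FOUND
C:\WINDOWS\$NtUninstallQ317277$\ntoskrnl.exe: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\infected.ntoskrnl.exe'
Scan Started Sun Mar 02 12:00:02 2008
C:\Documents and Settings\All Users\.clamwin\quarantine\infected.ntkrnlpa.exe: Trojan.Patched-1 FOUND
WARNING: C:\Documents and Settings\All Users\.clamwin\quarantine\infected.ntkrnlpa.exe not moved/copied since already in quarantine
C:\Documents and Settings\All Users\.clamwin\quarantine\infected.ntkrnlpa.exe: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\infected.ntkrnlpa.exe.000'
"""
QUARANTINE_DIR = r"C:\Documents and Settings\All Users\.clamwin\quarantine"  # from the thread's log
SCAN_RE = re.compile(r"^Scan Started (?P<when>.+)$")
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
MOVED_RE = re.compile(r"^(?P<path>.+?): moved to '(?P<dest>.+)'$")

@dataclass
class Detection:
    scan: str                        # which "Scan Started" run the hit belongs to
    path: str                        # file as ClamWin reported it
    signature: str                   # e.g. Trojan.Patched-1
    moved_to: str = ""               # quarantine destination, if a 'moved to' line followed
    patch_backup: bool = False       # inside a $NtUninstall...$ hotfix backup folder
    quarantine_rescan: bool = False  # file was already in the quarantine directory

def parse_clamwin_log(text, quarantine_dir=QUARANTINE_DIR):
    # One Detection per FOUND line; the following 'moved to' line for the same path is attached.
    hits, current, scan = [], {}, "unknown"
    for line in text.splitlines():
        if m := SCAN_RE.match(line):
            scan, current = m.group("when"), {}
        elif m := FOUND_RE.match(line):
            path = m.group("path")
            current[path] = Detection(
                scan, path, m.group("sig"),
                patch_backup="$ntuninstall" in path.lower(),
                quarantine_rescan=path.lower().startswith(quarantine_dir.lower()))
            hits.append(current[path])
        elif (m := MOVED_RE.match(line)) and m.group("path") in current:
            current[m.group("path")].moved_to = m.group("dest")
    return hits

def summarize(hits):
    # Split first-time detections from re-detections of files that were already quarantined.
    new = [h for h in hits if not h.quarantine_rescan]
    return {"new_paths": [h.path for h in new],
            "all_new_are_patch_backups": all(h.patch_backup for h in new),
            "quarantine_rescans": sum(h.quarantine_rescan for h in hits)}
```

Running it on the constructed excerpt reports two first-time hits, both in a hotfix backup folder, and one quarantine re-detection: the second scan found nothing new, it only re-flagged a file the first scan had already moved.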
virustotal.com report #1
soulestuary


Joined: 03 Mar 2008
Posts: 0
Location: USA
https://www.virustotal.com/analisis/b61226d65055e73b3af7da8a3d385805
virustotal.com report #2
soulestuary


Joined: 03 Mar 2008
Posts: 0
Location: USA
https://www.virustotal.com/analisis/7d5e75313ec5e40b7df038d1c5e682c4
virustotal.com report #3
soulestuary


Joined: 03 Mar 2008
Posts: 0
Location: USA
https://www.virustotal.com/analisis/0a753cb126fd3840331ff995c7355bc4
sherpya


Joined: 22 Mar 2006
Posts: 0
Location: Italy
please use this form and report it as false positive
https://cgi.clamav.net/sendvirus.cgi
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
According to my research, NTOSKRNL.exe is a critical Microsoft file having to do with bootup. NTKRNLPA.exe is also a Microsoft file, but it is not critical. From your documentation, it appears that your two files aren't active and were left after some Microsoft patching in case the patches ever need to be reversed. AVs sometimes erroneously find the Microsoft patching process to be a virus--it happened to me a short while ago. Like Sherpya said, just make sure Clam knows about this so they can "soften" their signature.

By the way, an active ntoskrnl.exe file shouldn't show up in task manager. If it does, it's probably a virus.

Regards,
sherpya


Joined: 22 Mar 2006
Posts: 0
Location: Italy
bob that file is the winxp kernel, it's not really a process, it's loaded at startup but not in "gui" fashion, there are different kernels for uni and multi processors
Anteaus


Joined: 07 Mar 2008
Posts: 0
sherpya wrote:
bob that file is the winxp kernel, it's not really a process, it's loaded at startup but not in "gui" fashion, there are different kernels for uni and multi processors


Files in the $NTUninstall folders are backups made when Microsoft patches are installed. As such, deleting them won't damage anything. However, I would suspect that the reports are false positives; it is not very likely that these are infected.

If the in-use copy of ntoskrnl were quarantined that would turn your computer into a doorstop, it's essential to the boot process. Roughly the equivalent of 'vmlinuz' in that other OS.