trantula
Joined: 19 Apr 2008 | Posts: 0
Posted: Sat Apr 19, 2008 11:06 pm

Hello all. I scanned my mate's computer with ClamWin Portable from PortableApps, and it said he had a trojan. The problem is I can't see it in the folder it's supposedly in and can't remove it.
I also scanned with AVG and it found nothing, so we could be looking at a false positive maybe?
ClamWin found - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP122F.tmp\mscorlib.dll: Trojan.Spy-11241 FOUND
I used VirusTotal and submitted the file path, and it uploaded the file, but it had already been analyzed. I looked at the analysis here: https://www.virustotal.com/analisis/945736dbc7c0c0badb749e6d77d2cccf
As you see, only 1/32 scanners identified it as bad. So is it bad or a false positive?
And as the gateway washer scanner says it's .dam, which means the file is damaged, that's probably why I couldn't see it.
To further speculate here: as ClamWin says it's a Spy Trojan, is it likely that it's a keylogger that has injected itself into a Windows process? He says the I/O lights on his router have been flashing more often than usual when his computer is idle, but I think it's him being a bit paranoid and I don't think he can make that assumption. I might have to get a packet sniffer on it though, but I don't know what to look for.
If it is a keylogger then this is quite bad; his Steam account has $70 of games on it.
Any help will be deeply appreciated. Cheers, Trantula.
alch
Site Admin
Joined: 27 Nov 2005 | Posts: 0
Posted: Sun Apr 20, 2008 12:54 am

It appears to be a false positive to me. A DLL injection would not be detected in an injected file by ClamWin because it scans the actual file, not the image loaded into memory. It would pick up the injector itself though.
Please submit the false positive file here:
https://cgi.clamav.net/sendvirus.cgi