IEXPLORE.EXE: Trojan.Downloader-25397 FOUND?
GuitarBob
Hello Norman:
It is very likely a false positive. Some ClamWin users (including me) had a similar notice a day or so ago. The thread about it is just a couple of titles down from your post, but here it is: https://forums.clamwin.com/viewtopic.php?t=1574 on the ClamWin forum. They are getting a lot of false positives lately--that's why it's probably best to configure ClamWin to Notify you of any infections (not Quarantine or Remove). That way, you can check the file out on Jotti or Virus Total to see if it is a false positive. If you Quarantine/Remove and it is a false positive, you could lose access to your computer if it is a system file.
Regards,
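The triage described in the post above (report only, then check the flagged file elsewhere before removing anything), as an added example that is not part of the thread: it parses ClamAV-style `FOUND` report lines, holds detections on system files for verification, and computes the digests to look up on an online scanner. The sample report, the `Constructed.*` signature names and the `SYSTEM_DIRS` list are constructed assumptions.

```python
import hashlib
import re
from pathlib import PureWindowsPath

# ClamAV/ClamWin report lines have the form "<path>: <signature> FOUND".
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")

# Assumption: locations where deleting a file can break Windows itself.
SYSTEM_DIRS = (r"c:\windows", r"c:\program files\internet explorer")

# Constructed sample report; only the first signature name is from the thread.
SAMPLE_REPORT = r"""
C:\Program Files\Internet Explorer\IEXPLORE.EXE: Trojan.Downloader-25397 FOUND
C:\WINDOWS\notepad.exe: Constructed.Signature-1 FOUND
C:\Documents and Settings\user\Desktop\setup.exe: Constructed.Signature-2 FOUND
C:\WINDOWS\explorer.exe: OK
Infected files: 3
"""

def parse_report(text):
    """Return (path, signature) for each detection line, ignoring the rest."""
    hits = []
    for line in text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits

def is_system_file(path):
    """True if the path lies under one of SYSTEM_DIRS (case-insensitive)."""
    p = str(PureWindowsPath(path)).lower()
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)

def triage(text):
    """Detections on system files are held for verification, never auto-removed."""
    return [
        {"path": p, "signature": s,
         "action": "verify-first" if is_system_file(p) else "review"}
        for p, s in parse_report(text)
    ]

def file_digests(path):
    """MD5/SHA-1/SHA-256 of a file, for lookup on VirusTotal or Jotti."""
    hashes = {n: hashlib.new(n) for n in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashes.values():
                h.update(chunk)
    return {n: h.hexdigest() for n, h in hashes.items()}
```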
re:Virus Scan Report
tobination
I am not sure whether it is a false report or not but it will be nice if you could contact the service people over there. Maybe you might have overlooked the installation procedure by missing out on some instructions. Definitely there will be an option to disable these false reports if you have received any.
URL removed: suggestions for alternative antivirus are not a problem, but a link means advertising
encountered the same problem
lovetide
I installed ClamWin 0.93 and scanned the WINDOWS directory; it reports IE & notepad as Trojan:
The sha1sum & md5sum of these files:
Are these files really infected?
Last edited by lovetide on Mon Apr 21, 2008 10:39 am; edited 1 time in total
alch
Site Admin
Try scanning those on https://www.virustotal.com and see what other scanners find.
sherpya
I've already seen a trojan that replaces IE in the dllcache and Program Files directories, but just to be sure it's better to use something like VirusTotal.
lovetide
Results from virustotal.com:
IE7: https://www.virustotal.com/zh-cn/analisis/c1c35000d4cce6f251c751ed72bcfd9e
Notepad: https://www.virustotal.com/zh-cn/analisis/6fb84558f0754176342b69cb9da2565e
The following is a copy of the result:
IE7
Notepad
alch
Site Admin
I tested notepad.exe and iexplore.exe from English XP and Vista and it did not report a virus there. Are your files from a non-English Windows and what version?
lovetide
I'm using a Simplified Chinese Windows XP operating system; IE7 is also a Simplified Chinese version.
alch
Site Admin
Could you please submit those false positive files at https://cgi.clamav.net/sendvirus.cgi
Please specify it's a traditional Chinese XP and put the virustotal.com result links in the comments too.
Thanks
Last edited by alch on Mon Apr 21, 2008 10:47 pm; edited 1 time in total
GuitarBob
For future reference: below is a link to a Chinese online file scanning site. They receive all kinds of files, of course, but you see more Chinese stuff there than on the other online scanning sites. Flower Pig is very helpful and always tries to have the latest version of ClamAV at the site.
https://virscan.org/
Regards
lovetide
You mean 'Simplified Chinese XP', is that right? The false positive virus samples are submitted.
Thank you GuitarBob, these are the result links from VirSCAN.org:
IE7 (Simplified Chinese version for Windows XP SP2): https://virscan.org/report/ecd35d17f66899882b9558f5b94c5798.html
Notepad.exe (Simplified Chinese Windows XP SP2): https://virscan.org/report/89fe32de8587b0dfd76efce00396eb56.html
And yes, there is more Chinese AV stuff on VirSCAN.org, including Duba (金山毒霸 https://www.duba.net), Rising (瑞星 https://www.rising-global.com / https://www.rising.com.cn) and KV (江民杀毒 https://www.jiangmin.com). I know them; they are popular in mainland China.
Powered by phpBB © phpBB Group
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.