ClamWin Free Antivirus
Support and Discussion Forums
Downadup detected by clam but nothing else
llama


Joined: 01 Apr 2009
Posts: 0
This morning I noticed my PC going slower than usual, so I went on a little malware research spree. Having used avast home edition for a while and running a legit and updated copy of Windows, I had a go at scanning my Windows folder with ClamWin. I had actually known the Linux version for a while but just discovered today that there was a Windows version.

The result is that it found my svchost.exe infected by Downadup (message: C:\WINDOWS\system32\svchost.exe: Worm.Downadup-342 FOUND), so I went on the web and grabbed specific removal tools, but what then puzzled me is that none of them saw any infected file (I ran Symantec's and Bitdefender's ones); Malwarebytes' didn't detect anything either.

So I'm wondering if it's a false positive from ClamWin or if the removal tools are rendered ineffective by the worm, and I'd greatly appreciate advice on that subject.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Clam has had a lot of Downadup/Conficker signatures during the last day or so, to recognize different re-packings/compression of the same virus. It is possible that you have a false positive, with so many signatures around. I think that at least a few of the other AVs should have also recognized it if there was an infection. See if any other AVs on the Jotti scanning site spot anything now, and submit the file to Clam as a false positive if they don't. I understand the "acid test" for the latest Downadup is to see if you can navigate to the Symantec or McAfee web sites. If you can, then you don't have it. I don't think Downadup will detect anything trying to find it though.

Regards,
False Positive on Win XP ????
PsiFun


Joined: 01 Apr 2009
Posts: 0
Hello,

At one of our customers all Win XP clients have "C:\WINDOWS\system32\svchost.exe: Worm.Downadup-342 FOUND" messages while scanning; all Vista clients and servers didn't have the messages.
I was scanning with Bitdefender, Symantec, etc. tools and Antivir, Avast etc., because I couldn't repair the files, but all the others didn't find the Downadup.
Then I tried to scan my own XP with the new Clam 0.94.1 and here it was also "found". I called my office to check the XP machines there with Clam, which also found the Downadup, and called some of my friends to check this again, and all of them have the same!
All XP were SP3 German version; it seems to me like a false positive.
llama


Joined: 01 Apr 2009
Posts: 0
Thanks for the answers. Yes, I have Windows XP SP3 too (French version), so I guess it's a false positive for this version of svchost.
same problem
willie.de


Joined: 02 Apr 2009
Posts: 0
Location: germany
Hi,

I typically use Avira Premium Security Suite. Lately I used ClamAV to scan my system (Windows XP Pro SP3) and it found an infection:
C:\WINDOWS\system32\svchost.exe: Worm.Downadup-342 FOUND

Avira and Microsoft Windows Malicious Software Removal Tool didn't find anything, and nothing on the USB drive used by ClamAV either. I'm able to enter sites like Symantec, Kaspersky and so on.

I think that's a false alarm by ClamAV; it's a pity. Hope the virus definitions will be corrected soon.

cu willie
Antonio S.


Joined: 20 Apr 2008
Posts: 0
Location: Italy
Hello,

Upload the suspect file to www.virustotal.com. If only a couple of AVs find something, it is quite surely a false positive. Notify the Clam team using the form at cgi.clamav.net/sendvirus.cgi and tick the relevant field related to false positive. The team will fix the issue rapidly so the detection won't appear in the next scans.
Thanks for helping Clam/Clamwin to improve its detection abilities.

Regards,
Antonio
PsiFun


Joined: 01 Apr 2009
Posts: 0
I have uploaded the file and filled out the fields.
willie.de


Joined: 02 Apr 2009
Posts: 0
Location: germany
Antonio S. wrote:
Upload the suspect file to www.virustotal.com. [...] Notify the Clam team using the form at cgi.clamav.net/sendvirus.cgi and tick the relevant field related to false positive.


I did so.

Thanks to Clam/Clamwin for helping me!

:-D willie
Problem solved
willie.de


Joined: 02 Apr 2009
Posts: 0
Location: germany
Hello,

The actual version, ClamWin Portable 0.94.1 Rev 2 (https://portableapps.com/apps/utilities/clamwin_portable), fixed the problem.

Thanx to the ClamAV Team!
willie
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I'm sure the Clam people had fixed the false positive by the time you scanned it with ClamWin Portable, so any version of Clam/ClamWin would not have shown the infection any more.

I like to scan every infection detected by ClamWin with Jotti/VirusTotal before I remove/quarantine it--in case of a false positive. You need to be especially careful with important Windows files. I once lost access to my computer when ClamWin found a false positive infection in Winlogon.

Regards,
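
The thread's advice is to get a second opinion before removing or quarantining a ClamWin detection, especially on important Windows files. As an added example (not part of any post and not ClamWin's own code), this Python script parses scan lines in the `path: Signature FOUND` form quoted above and holds back hits that sit under the Windows directory or repeat across several machines. The `host<TAB>line` input layout, `PROTECTED_DIRS`, `fleet_threshold`, the host names and the second signature name are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Scan line as quoted in the thread: "<path>: <signature> FOUND".
# The greedy path group keeps the drive-letter colon inside the path.
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND\s*$")

# Assumption: files under these directories are never auto-quarantined.
PROTECTED_DIRS = (PureWindowsPath(r"C:\WINDOWS"),)

def parse_detections(lines):
    """Yield (host, path, signature) from 'host<TAB>scan line' records."""
    for line in lines:
        host, _, rest = line.partition("\t")
        m = FOUND_RE.match(rest.strip())
        if m:
            yield host, PureWindowsPath(m["path"]), m["sig"]

def is_protected(path):
    # PureWindowsPath compares case-insensitively, like Windows itself.
    return any(d in path.parents for d in PROTECTED_DIRS)

def triage(lines, fleet_threshold=3):
    """Return (hold, routine): hits to verify first, and the rest."""
    hosts_by_hit = defaultdict(set)
    for host, path, sig in parse_detections(lines):
        hosts_by_hit[(path, sig)].add(host)
    hold, routine = [], []
    for (path, sig), hosts in hosts_by_hit.items():
        reasons = []
        if is_protected(path):
            reasons.append("protected system path")
        if len(hosts) >= fleet_threshold:
            reasons.append(f"same hit on {len(hosts)} hosts")
        entry = (str(path), sig, sorted(hosts), reasons)
        (hold if reasons else routine).append(entry)
    return hold, routine

# Constructed sample input (host names and second signature are made up).
SAMPLE = [
    "xp-01\t" + r"C:\WINDOWS\system32\svchost.exe: Worm.Downadup-342 FOUND",
    "xp-02\t" + r"C:\Windows\System32\svchost.exe: Worm.Downadup-342 FOUND",
    "xp-03\t" + r"C:\WINDOWS\system32\svchost.exe: Worm.Downadup-342 FOUND",
    "xp-01\t" + r"C:\Temp\setup.exe: Example.Test-Signature FOUND",
    "xp-02\t" + r"C:\Temp\readme.txt: OK",
]

if __name__ == "__main__":
    for path, sig, hosts, reasons in triage(SAMPLE)[0]:
        print(f"HOLD {path} [{sig}] on {hosts}: {', '.join(reasons)}")
```

A held entry is only a prompt to verify the file with other scanners before acting on it; it does not establish that the detection is a false positive.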