GuitarBob
A "false positive" is an erroneous detection of a virus in a file when it's really not infected. This happens sometimes because virus writers can use the same programming code as "good" files. When that happens, the antivirus company has to fix/correct/change their detection signature so it doesn't give a false positive on a "good" file.

If ClamWin spots the exact same virus name in more than one file, that is often a sign of a false positive. To make sure a reported infection is the real thing and not a false positive, you can upload the file to a few services on the web that will scan files for free with multiple antivirus programs. Two of these services are Jotti and VirusTotal. During their scan, if only Clam and a couple of other AVs on the services find a file is infected, it's likely a false positive--because several antiviruses there should be able to spot a real infection--I like to see about five AVs say a file is infected to be sure. ClamWin uses the antivirus scanner and signature database supplied by Clam Antivirus. If you get a false positive in ClamWin, you can visit the Clam submission page on the web at https://www.clamav.net/sendvirus/ to fill out a form (tell them it is a false positive detection and name the virus) and upload the file so they can fix their signature to no longer have a false positive detection on it. It usually takes a couple of days or so for them to get a fix out.

Regards,
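The two checks described in the post above, as an added example (not ClamWin's or ClamAV's own code): grouping a scan log's `FOUND` lines by signature name to spot one signature hitting many files, and applying the poster's rule of thumb to a multi-engine result table (only Clam plus a couple of others flagging the file suggests a false positive; about five engines agreeing is what he wants before treating it as real). The log lines, the engine results and the thresholds in `verdict` are constructed for the example.

```python
"""Triage ClamWin scan results the way the post above describes.
Added example; all sample data is constructed, not taken from a real scan."""
import re
from collections import defaultdict

# ClamWin / clamscan report line: "<path>: <signature> FOUND"
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

# Constructed log lines modelled on the reports quoted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\config\SAM: Permission denied
C:\Program Files\Microsoft Office\Office12\excelcnv.exe: W32.Virut.Gen.D-163 FOUND
C:\WINDOWS\Installer\32cdf97.msp: W32.Virut.Gen.D-163 FOUND
C:\Example\Downloads\setup.msi: Trojan.Packed-142 FOUND
Infected files: 3
"""

# Constructed multi-engine results in the (engine, version, date, result)
# layout VirusTotal uses; "-" means the engine reported the file clean.
SAMPLE_CLAM_ONLY = [
    ("AntiVir", "7.9.0.168", "2009.05.17", "-"),
    ("Avast", "4.8.1335.0", "2009.05.17", "-"),
    ("ClamAV", "0.94.1", "2009.05.16", "W32.Virut.Gen.D-163"),
    ("Kaspersky", "7.0.0.125", "2009.05.18", "-"),
    ("McAfee", "5618", "2009.05.17", "-"),
    ("Symantec", "1.4.4.12", "2009.05.18", "-"),
]


def parse_detections(log_text):
    """Group reported paths by signature name; non-FOUND lines are skipped."""
    by_sig = defaultdict(list)
    for line in log_text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            by_sig[m["sig"]].append(m["path"])
    return dict(by_sig)


def suspect_false_positives(by_sig, min_files=2):
    """Signatures that hit at least `min_files` distinct files: candidates to
    verify on a multi-engine service before trusting the detection."""
    return sorted(sig for sig, paths in by_sig.items()
                  if len(set(paths)) >= min_files)


def count_engine_hits(results):
    """Number of engines whose result column is not '-' (clean)."""
    return sum(1 for _engine, _ver, _date, result in results if result != "-")


def verdict(hits, real_threshold=5, fp_threshold=3):
    """Thresholds follow the post: Clam plus a couple of other engines looks
    like a false positive; about five engines agreeing looks real."""
    if hits >= real_threshold:
        return "likely real infection"
    if hits <= fp_threshold:
        return "likely false positive; submit to ClamAV as a false positive"
    return "inconclusive; keep the file in report-only and re-check later"


if __name__ == "__main__":
    sigs = parse_detections(SAMPLE_LOG)
    for sig in suspect_false_positives(sigs):
        print(f"{sig}: reported in {len(sigs[sig])} files, verify before acting")
    hits = count_engine_hits(SAMPLE_CLAM_ONLY)
    print(f"engines flagging the file: {hits} -> {verdict(hits)}")
```

The "same signature in several files" check is only a hint, which is why the script never deletes or moves anything; it tells you which detections to upload for a second opinion, and the verdict tells you whether to submit a false-positive report or wait for more engines to weigh in.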
zippy32
Hi I am currently using the 0.95.1 version of Clamwin and it seems I am getting the same kind of 'false positive' viruses as members in here have stated.
I have actually set up my options to quarantine so all of these have been moved to there. Is it okay to leave them there or what should I do? Rename them or? Thanks for the help.

```
Scan Started Fri May 01 17:47:55 2009
-------------------------------------------------------------------------------
C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\MiniMessage\2: Permission denied
C:\Documents and Settings\Midgie\Local Settings\Application Data\Downloaded Installations\AF14479A-9669-4426-AAB7-106A7DF65F79\Movavi Flash Converter.msi: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\Movavi Flash Converter.msi.infected'
C:\Documents and Settings\Midgie\Local Settings\Application Data\Google\Google Desktop Search\dbc2e.ht1: Permission denied
C:\Documents and Settings\Midgie\Local Settings\Application Data\Google\Google Desktop Search\dbdam: Permission denied
C:\Documents and Settings\Midgie\Local Settings\Application Data\Google\Google Desktop Search\dbdao: Permission denied
C:\Documents and Settings\Midgie\Local Settings\Application Data\Google\Google Desktop Search\dbeam: Permission denied
C:\Documents and Settings\Midgie\Local Settings\Application Data\Google\Google Desktop Search\dbeao: Permission denied
C:\Documents and Settings\Midgie\Local Settings\Application Data\Google\Google Desktop Search\dbm: Permission denied
C:\Documents and Settings\Midgie\Local Settings\Application Data\Google\Google Desktop Search\dbu2d.ht1: Permission denied
C:\Documents and Settings\Midgie\Local Settings\Application Data\Google\Google Desktop Search\dbvm.cf1: Permission denied
C:\Documents and Settings\Midgie\Local Settings\Application Data\Google\Google Desktop Search\dbvmh.ht1: Permission denied
C:\Documents and Settings\Midgie\Local Settings\Application Data\Google\Google Desktop Search\fii.cf1: Permission denied
C:\Documents and Settings\Midgie\Local Settings\Application Data\Google\Google Desktop Search\fiih.ht1: Permission denied
C:\Documents and Settings\Midgie\Local Settings\Application Data\Google\Google Desktop Search\rpm.cf1: Permission denied
C:\Documents and Settings\Midgie\Local Settings\Application Data\Google\Google Desktop Search\rpmh.ht1: Permission denied
C:\Documents and Settings\Midgie\Local Settings\Temp\~DF41BD.tmp: Permission denied
C:\Documents and Settings\Midgie\Local Settings\Temp\~DF5974.tmp: Permission denied
C:\Documents and Settings\Midgie\Local Settings\Temp\~DF87B5.tmp: Permission denied
C:\Documents and Settings\Midgie\Local Settings\Temp\~DFB094.tmp: Permission denied
C:\Documents and Settings\Midgie\Local Settings\Temp\~DFB0BA.tmp: Permission denied
C:\Documents and Settings\Midgie\Local Settings\Temp\~DFD4DA.tmp: Permission denied
C:\Documents and Settings\Midgie\Local Settings\Temp\~DFD97F.tmp: Permission denied
C:\Documents and Settings\Midgie\Local Settings\Temp\~DFE017.tmp: Permission denied
C:\Documents and Settings\Midgie\Local Settings\Temporary Internet Files\Content.Word\~WRS0003.tmp: Permission denied
C:\Documents and Settings\Midgie\My Documents\Media items\FileFormatConverters.exe: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\FileFormatConverters.exe.infected'
C:\pagefile.sys: Permission denied
C:\Program Files\Microsoft Office\Office12\excelcnv.exe: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\excelcnv.exe.infected'
C:\Program Files\MSECache\O2007Cnv\1033\O12Conv.cab: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\O12Conv.cab.infected'
C:\WINDOWS\Installer\32cdf97.msp: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\32cdf97.msp.infected'
C:\WINDOWS\system32\CatRoot2\tmp.edb: Permission denied
C:\WINDOWS\system32\config\default: Permission denied
C:\WINDOWS\system32\config\SAM: Permission denied
C:\WINDOWS\system32\config\SECURITY: Permission denied
C:\WINDOWS\system32\config\software: Permission denied
C:\WINDOWS\system32\config\system: Permission denied
C:\Documents and Settings\Midgie\Local Settings\Application Data\Downloaded Installations\AF14479A-9669-4426-AAB7-106A7DF65F79\Movavi Flash Converter.msi: Trojan.Packed-142 FOUND
C:\Documents and Settings\Midgie\My Documents\Media items\FileFormatConverters.exe: W32.Virut.Gen.D-163 FOUND
C:\Program Files\Microsoft Office\Office12\excelcnv.exe: W32.Virut.Gen.D-163 FOUND
C:\Program Files\MSECache\O2007Cnv\1033\O12Conv.cab: W32.Virut.Gen.D-163 FOUND
C:\WINDOWS\Installer\32cdf97.msp: W32.Virut.Gen.D-163 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 546247
Engine version: 0.95.1
Scanned directories: 10617
Scanned files: 102777
Infected files: 5
Data scanned: 98280.56 MB
Data read: 143757.02 MB (ratio 0.68:1)
Time: 20766.687 sec (346 m 6 s)
--------------------------------------
Completed
```
jwm2547
Hi,
How do I restore these "false positives" back to their original file names? Excel, Word, PowerPoint and Firefox all have problems. I have also submitted a copy of the scan log to Clamwin, but have not yet received a reply. I have copied the names of the files in quarantine. I believe they are all false positives. They are:

```
_PREV_GoogleDesktopCommon.dll.infected
1dee163.msp.infected
7f0ae4.msp.infected
17e5129b.msp.infected
A0094894.EXE.infected
A0094895.EXE.infected
A0094896.EXE.infected
A0094897.EXE.infected
A0095280.dll.infected
A0095281.dll.infected
A0095282.dll.infected
EXCEL.EXE.infected
EXCEL.EXE.infected.000.infected
GoogleDesktopCommon.dll.infected
GoogleDesktopCommon.dll.infected.000
XL12CNV.EXE.infected
XL12CNV.EXE.infected.000.infected
```
GuitarBob
When you get the same virus in several files, that's frequently an indication of a false positive, although you should try to verify it on Jotti or VirusTotal. In your cases, Clam/ClamWin know about some of the Virut.Gen.D infections and have already cleared up some and are in the process of fixing others. If your file is less than 3 MB in size, you can upload it to Clam to report the false positive. I've not had much luck reporting anything larger than that to them. Their submission process starts on page https://www.clamav.net/sendvirus/ on the web. If your file is larger than that, let us know about it here and ClamWin will work something out.

If a false positive file is still in quarantine, I believe all you need to do to restore it is to delete the "infected" from the name and then copy or move it back to the original directory it was in. Perhaps you can look at old scan logs to find the directory if you need to do that. This problem with false positives has pointed out to many of us that you should set ClamWin's Infected File Preference to Report only--do not use Quarantine. Don't blindly quarantine something until you know for sure it is a real infection and not a false positive.

Regards,
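The restore procedure the post above describes (find the original directory in an old scan log, strip the quarantine suffix from the name, move the file back), as an added example that is not ClamWin's own code. ClamWin's `moved to` log lines pair each original path with its quarantine path, so the log alone is enough to plan the restore. The naming rule applied here (a trailing `.infected`, plus a `.NNN` counter when names clash) is an assumption drawn from the quarantine names quoted in this thread, not a documented ClamWin format; the log lines and the `verified_clean` list are constructed for the example, and by default nothing is moved.

```python
"""Plan the restore of quarantined false positives from a ClamWin scan log.
Added example; sample data is constructed and the suffix rule is assumed."""
import re
import shutil
from pathlib import PureWindowsPath

# "<original path>: moved to '<quarantine path>'" as written by ClamWin
MOVED_RE = re.compile(r"^(?P<orig>.+?): moved to '(?P<quar>.+?)'$")
# Assumed quarantine suffixes: '.infected' and a three-digit clash counter.
SUFFIX_RE = re.compile(r"(\.infected|\.\d{3})$")

# Constructed log lines in the format quoted in this thread.
SAMPLE_LOG = r"""
C:\Program Files\Microsoft Office\Office12\excelcnv.exe: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\excelcnv.exe.infected'
C:\WINDOWS\Installer\32cdf97.msp: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\32cdf97.msp.infected'
C:\Example\Downloads\setup.msi: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\setup.msi.infected'
C:\Program Files\Microsoft Office\Office12\excelcnv.exe: W32.Virut.Gen.D-163 FOUND
"""


def original_name(quarantined_name):
    """'EXCEL.EXE.infected.000.infected' -> 'EXCEL.EXE' (assumed convention)."""
    name = quarantined_name
    while True:
        stripped = SUFFIX_RE.sub("", name)
        if stripped == name:
            return name
        name = stripped


def quarantine_map(log_text):
    """quarantine path -> original path, from the log's 'moved to' lines."""
    mapping = {}
    for line in log_text.splitlines():
        m = MOVED_RE.match(line.strip())
        if m:
            mapping[m["quar"]] = m["orig"]
    return mapping


def plan_restores(log_text, verified_clean):
    """Return (quarantine_path, destination) pairs for files the user has
    already confirmed as false positives (e.g. on a multi-engine scanner).
    Anything not listed in `verified_clean` stays in quarantine."""
    verified = {PureWindowsPath(p) for p in verified_clean}
    plan = []
    for quar, orig in quarantine_map(log_text).items():
        if PureWindowsPath(orig) in verified:
            # Keep the original directory; restore the name without suffixes.
            dest = str(PureWindowsPath(orig).with_name(
                original_name(PureWindowsPath(quar).name)))
            plan.append((quar, dest))
    return plan


def apply_plan(plan, dry_run=True):
    """Move files back; the default only reports what would happen."""
    for src, dest in plan:
        if dry_run:
            print(f"would move {src} -> {dest}")
        else:
            shutil.move(src, dest)
    return len(plan)


if __name__ == "__main__":
    confirmed = [r"C:\Program Files\Microsoft Office\Office12\excelcnv.exe"]
    apply_plan(plan_restores(SAMPLE_LOG, confirmed))
```

Because the suffix rule is a guess, check the planned destination names in the dry run before passing `dry_run=False`: a genuine file whose name ends in a three-digit extension would lose it.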
twistedape89
I keep getting these when I do my daily scan
```
C:\Documents and Settings\All Users\Application Data\avg8\Log\c11f009b-815f-4777-a29e-df685c89d79b: Permission denied
C:\Documents and Settings\All Users\Application Data\avg8\Log\f713a37b-ccf7-4e34-b0e4-7e7d8ced0b1b: Permission denied
C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\MiniMessage\2: Permission denied
C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\0ddso3os.default\cookies.txt: Permission denied
C:\Documents and Settings\Paul\My Documents\Photoshop CS2 Disc\Photoshop CS2\Install notes and keygen\Photoshop.CS2.KeyGen.exe: Trojan.Keygen-10 FOUND
C:\Documents and Settings\Paul\My Documents\Photoshop CS2 Disc\Photoshop.CS2.KeyGen.exe: Trojan.Keygen-10 FOUND
C:\pagefile.sys: Permission denied
C:\WINDOWS\Installer\$PatchCache$\Managed\00002119410000000000000000F01FEC\12.0.6215\XL12CNV.EXE: W32.Virut.Gen.D-163 FOUND
C:\WINDOWS\Installer\22a4531.msp: W32.Virut.Gen.D-163 FOUND
C:\WINDOWS\Installer\9b3338.msp: W32.Virut.Gen.D-163 FOUND
C:\WINDOWS\system32\CatRoot2\tmp.edb: Permission denied
C:\WINDOWS\system32\config\default: Permission denied
C:\WINDOWS\system32\config\SAM: Permission denied
C:\WINDOWS\system32\config\SECURITY: Permission denied
C:\WINDOWS\system32\config\software: Permission denied
C:\WINDOWS\system32\config\system: Permission denied
```
Antonio S.
Hello,
About the permission denied message check this thread: https://forums.clamwin.com/viewtopic.php?t=1959&highlight=permission On the Photoshop files it seems that Clamwin has detected a PUA (Potentially Unwanted Application), probably a crack (be careful with it, if it's the case). Such files do not necessarily harm the system, but the user has to be aware that they are changing some settings of the related application. I suggest uploading the files to www.virustotal.com and seeing what comes out. Do the same also with the C:\WINDOWS\Installer files; probably these are false positives. If so please notify Clam about that. Use the form at https://cgi.clamav.net/sendvirus.cgi and tick the relevant box related to false positive. Normally the issue is fixed within some days so in future Clamwin scans they won't show. Final suggestion is to keep Clamwin scan settings to default 'Report only' option so you won't have suspect files moved to Quarantine or deleted.

Hope this helps,
Antonio
twistedape89
Thank you, I will try those things. I have it set to report only just in case anyway. I'll post again after doing those things.
twistedape89
Oh I do have one problem with the Installer ones. I go to my C:\ drive and I go into the WINDOWS folder but I can not find the Installer folder. I have my settings to show hidden files but they aren't there but keep showing up.
twistedape89
This is what I got for the keygen file from the link you sent me
| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| a-squared | 4.0.0.101 | 2009.05.16 | Worm.Autorun.cxl!IK |
| AntiVir | 7.9.0.168 | 2009.05.15 | Worm/Autorun.cxl |
| Authentium | 5.1.2.4 | 2009.05.16 | W32/Heuristic-210!Eldorado |
| CAT-QuickHeal | 10.00 | 2009.05.15 | Trojan.Agent.irc |
| ClamAV | 0.94.1 | 2009.05.16 | Trojan.Keygen-10 |
| Comodo | 1157 | 2009.05.08 | TrojWare.Win32.Trojan.Agent.~FAJ |
| eSafe | 7.0.17.0 | 2009.05.14 | Suspicious File |
| F-Prot | 4.4.4.56 | 2009.05.16 | W32/Heuristic-210!Eldorado |
| Ikarus | T3.1.1.49.0 | 2009.05.16 | Worm.Autorun.cxl |
| McAfee-GW-Edition | 6.7.6 | 2009.05.15 | Worm.Autorun.cxl |
Antonio S.
Hello,
Seems that quite a bunch of av tools detected the Keygen file at least as suspicious (and amongst them Avira and McAfee, which currently are reliable ones). To make a check also on the windows/installer folder file, first make it visible using Control Panel->Folder Options->Visualization tab->Untick the box on 'Hide system protected files (recommended)'; then upload it to VirusTotal for a response. Be careful handling these files; you are operating in system relevant places. If also this file is spotted as infected by several av tools besides Clamwin my procedure would be:

1. Make a backup of personal/important files
2. Run a new scan setting Clamwin preferences to 'Move to Quarantine folder' option. Files should be quarantined.
3. Check if system/applications are running as usual. If machine reboots correctly you may finally remove the quarantined files from their location.

Regards,
Antonio

P.S. - An open source alternative to Photoshop is on https://www.gimp.org/downloads/. The Software was developed for Linux OS but an installer for Windows is also available. Hope this helps.
twistedape89
So I uploaded the file and it came back with this
| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| a-squared | 4.0.0.101 | 2009.05.18 | - |
| AhnLab-V3 | 5.0.0.2 | 2009.05.16 | - |
| AntiVir | 7.9.0.168 | 2009.05.17 | - |
| Antiy-AVL | 2.0.3.1 | 2009.05.15 | - |
| Authentium | 5.1.2.4 | 2009.05.17 | - |
| Avast | 4.8.1335.0 | 2009.05.17 | - |
| AVG | 8.5.0.336 | 2009.05.17 | - |
| BitDefender | 7.2 | 2009.05.18 | - |
| CAT-QuickHeal | 10.00 | 2009.05.15 | - |
| ClamAV | 0.94.1 | 2009.05.16 | - |
| Comodo | 1157 | 2009.05.08 | - |
| DrWeb | 5.0.0.12182 | 2009.05.18 | - |
| eSafe | 7.0.17.0 | 2009.05.17 | - |
| eTrust-Vet | 31.6.6508 | 2009.05.16 | - |
| F-Prot | 4.4.4.56 | 2009.05.17 | - |
| F-Secure | 8.0.14470.0 | 2009.05.16 | - |
| Fortinet | 3.117.0.0 | 2009.05.18 | - |
| GData | 19 | 2009.05.18 | - |
| Ikarus | T3.1.1.49.0 | 2009.05.18 | - |
| K7AntiVirus | 7.10.737 | 2009.05.16 | - |
| Kaspersky | 7.0.0.125 | 2009.05.18 | - |
| McAfee | 5618 | 2009.05.17 | - |
| McAfee+Artemis | 5618 | 2009.05.17 | - |
| McAfee-GW-Edition | 6.7.6 | 2009.05.18 | - |
| Microsoft | 1.4602 | 2009.05.17 | - |
| NOD32 | 4081 | 2009.05.17 | - |
| Norman | 6.01.05 | 2009.05.16 | - |
| nProtect | 2009.1.8.0 | 2009.05.17 | - |
| Panda | 10.0.0.14 | 2009.05.17 | - |
| PCTools | 4.4.2.0 | 2009.05.17 | - |
| Prevx | 3.0 | 2009.05.18 | - |
| Rising | 21.30.00.00 | 2009.05.18 | - |
| Sophos | 4.41.0 | 2009.05.17 | - |
| Sunbelt | 3.2.1858.2 | 2009.05.17 | - |
| Symantec | 1.4.4.12 | 2009.05.18 | - |
| TheHacker | 6.3.4.1.326 | 2009.05.18 | - |
| TrendMicro | 8.950.0.1092 | 2009.05.15 | - |
| VBA32 | 3.12.10.5 | 2009.05.18 | - |
| ViRobot | 2009.5.15.1737 | 2009.05.15 | - |

So I'm kinda confused why it comes up on Clamwin when it says it doesn't on that...
Antonio S.
Hello,
There seems to be an increase of false positives after implementing the 0.95.1 version. As per the report below the file was reported as clean also by ClamAV (the version used @ VirusTotal is still the 0.94.1). Kindly notify the Clam team about this false positive using the form @ https://cgi.clamav.net/sendvirus.cgi and ticking the false positive block. The issue is going to be fixed within a few days so the infection notice will disappear from future scans. By doing this you will help Clam/Clamwin detection abilities. If you wish to Quarantine only the keygen file you just have to set Clamwin preferences to the Move to Quarantine option and scan only the folder containing that file (you can do it by the Clamwin main Window or by navigating via Windows Explorer till you reach the folder, then right click on it and choose the 'Scan with Clamwin' option). After this has been moved to Quarantine remember to restore Preferences to Report Only.

Regards,
Antonio
twistedape89
Thank you very much for your help.
hariskar
After 2 years it seems that this issue is still not solved; I found some false positives of this today...
Powered by phpBB © phpBB Group
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.