bassmod.dll

scarlett_156
Joined: 06 Jun 2008 | Posts: 0 | Location: eastern rural Colorado (USA)
Posted: Tue Jan 19, 2010 4:33 pm

This is identified as a Trojan, but since it's in the system32 folder I thought I would ask about it before I permanently delete it. It has been present on my computer since 06/06/08. I recently reset Windows Media Player to its default settings. Could that have something to do with it?
Thanks for the help! 

GuitarBob
Joined: 09 Jul 2006 | Posts: 9 | Location: USA
Posted: Wed Jan 20, 2010 2:41 am

If you are sure the file has been on your computer for some time without any changes, it is probably a false positive. First upload it to Jotti or VirusTotal on the web. They will scan it with multiple AVs, including Clam AV, which provides the scan engine/signatures. If several respected AVs, like Kaspersky, McAfee, Microsoft, Symantec, Trend Micro, Bitdefender, NOD32, or Avast spot an infection, it's probably real. Otherwise, it's probably a false positive, and you should submit it to Clam AV so they can correct it. Start at https://www.clamav.net/sendvirus/ on the web. When you get to the upload page, indicate that it is a false positive, give them the name of the false positive detection, and tell them the results from Jotti/VirusTotal in the comment section. Clam will adjust their signature, and ClamWin will benefit.
Regards,

scarlett_156
Joined: 06 Jun 2008 | Posts: 0 | Location: eastern rural Colorado (USA)
Posted: Wed Jan 20, 2010 2:49 am

CP Secure reported: 2010-01-11 Packed.W32.Klone.ay
All the others were negative, including Clam AV. ...? 

GuitarBob
Joined: 09 Jul 2006 | Posts: 9 | Location: USA
Posted: Wed Jan 20, 2010 4:00 pm

If only a couple of AVs spot something, it is probably a false positive--unless it is brand-new and most AVs don't know about it yet. This doesn't happen very often--that's why you use a service that scans with multiple AVs.
Once in a while, Clam doesn't spot something online. The scanning service may not be using the latest updates for Clam. VirusTotal is also using an older version of Clam, which may not support some of Clam's generic signatures. That's why you look at the large AV companies that have lots of corporate customers--they can't afford to be wrong too often--AVs like McAfee, Microsoft, Symantec, and Trend Micro. The following AVs license their scan engine to other AVs, so they are pretty good also: Avast (from Alwil), Bitdefender, and Kaspersky. NOD32 is also good--few false positives, but they don't detect as much as some AVs--they rely too much on heuristics, as opposed to actual signatures.
You can upload a file (exe, dll, etc.) to Threat Expert (PC Tools), and they will run it for you and send you an email report. You will have to interpret the results, but they will have a threat rating. You can upload html, js, and flash files to Wepawet.
Regards,

scarlett_156
Joined: 06 Jun 2008 | Posts: 0 | Location: eastern rural Colorado (USA)
Posted: Wed Jan 20, 2010 4:18 pm

I went to Threat Expert and the message was that the file is "not detected". *confusion*
I'm starting to be fairly certain that this ISN'T a virus or whatever. There was another file identified in the same scan that I deleted and didn't worry about, because it was just part of the flash player. This file was in the system32 folder and the last time I deleted stuff out of there... well, you guys know.
Thanks for the help! 

GuitarBob
Joined: 09 Jul 2006 | Posts: 9 | Location: USA
Posted: Thu Jan 21, 2010 4:11 am

Your false positive submission should be addressed in the next day or so.
I once quarantined a system file, and spent several days restoring everything.
You can look at the file information by right-clicking on the file in Windows Explorer and selecting Properties. Compare the Creation date and the Modification date. If they are both the same date or if the Creation date is before the Modification date, it's probably okay, although a smart virus can change the dates. Virus writers are pretty lazy though and some aren't smart enough to do that. Sometimes you may see the modification date BEFORE the creation date--that's a bad sign.
Regards,
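
The Properties check described in the last post can also be scripted; this is an added example, not code from the thread or from ClamWin, and `Get-FileTriage` is a hypothetical helper name. The SHA-256 is an addition so that multi-scanner results can be tied to the exact file, and the sample at the end is constructed. It assumes Windows PowerShell 5 or later on NTFS, where a copied file gets a new creation time but keeps its modification time, so the "modified before created" order also shows up on ordinary copies.

```powershell
# Added example; Get-FileTriage is a hypothetical helper name, not from the thread.
function Get-FileTriage {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    if ($item.PSIsContainer) { throw "Not a file: $Path" }

    $created  = $item.CreationTimeUtc
    $modified = $item.LastWriteTimeUtc

    # Same comparison the Properties dialog allows, done in UTC.
    if ($modified -lt $created) {
        $order = 'ModifiedBeforeCreated'
    } elseif ($modified -eq $created) {
        $order = 'Same'
    } else {
        $order = 'CreatedBeforeModified'
    }

    [pscustomobject]@{
        Path           = $item.FullName
        CreatedUtc     = $created
        ModifiedUtc    = $modified
        TimestampOrder = $order
        # Version resource fields shown on the Properties dialog (may be empty).
        Company        = $item.VersionInfo.CompanyName
        Product        = $item.VersionInfo.ProductName
        FileVersion    = $item.VersionInfo.FileVersion
        # The hash identifies the exact bytes that were scanned or submitted.
        SHA256         = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
    }
}

# Constructed sample: back-date a temp file, copy it, and inspect the copy.
$src = New-TemporaryFile
Set-Content -LiteralPath $src.FullName -Value 'constructed sample'
$src.LastWriteTimeUtc = (Get-Date).ToUniversalTime().AddYears(-2)
$dst = "$($src.FullName).copy"
Copy-Item -LiteralPath $src.FullName -Destination $dst
Get-FileTriage -Path $dst | Format-List
Remove-Item -LiteralPath $src.FullName, $dst
```

For the file in this thread, the call would be `Get-FileTriage -Path "$env:SystemRoot\System32\bassmod.dll"`.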
All times are GMT