ClamWin Free Antivirus Support and Discussion Forums
Are these false positives?
Richard


Joined: 17 Jul 2009
Posts: 0
I am running ClamWin Free AntiVirus 0.95.02 on a Windows 2008 Standard Edition 32-bit server. The viewer for the virus database has been copied and pasted below:

ClamAV update process started at Wed Jul 15 14:21:00 2009
main.cld is up to date (version: 51, sigs: 545035, f-level: 42, builder: sven)
daily.cld updated (version: 9570, sigs: 49189, f-level: 43, builder: ccordes)
Database updated (594224 signatures) from database.clamav.net (IP: 64.142.100.50)
--------------------------------------
ClamAV update process started at Thu Jul 16 14:21:00 2009
main.cld is up to date (version: 51, sigs: 545035, f-level: 42, builder: sven)
daily.cld updated (version: 9574, sigs: 50940, f-level: 43, builder: neo)
Database updated (595975 signatures) from database.clamav.net (IP: 65.120.238.5)
--------------------------------------
ClamAV update process started at Fri Jul 17 11:19:31 2009
main.cld is up to date (version: 51, sigs: 545035, f-level: 42, builder: sven)
daily.cld updated (version: 9583, sigs: 52002, f-level: 43, builder: ccordes)
Database updated (597037 signatures) from database.clamav.net (IP: 65.120.238.5)

A scan occurs every night at 10:00 PM, Central Daylight time (USA).

The Scan Summary for the previous two nights reported the following:

----------- SCAN SUMMARY -----------
Known viruses: 593613
Engine version: 0.95.2
Scanned directories: 9326
Scanned files: 47298
Infected files: 0
Data scanned: 10270.27 MB
Data read: 9173.30 MB (ratio 1.12:1)
Time: 1875.323 sec (31 m 15 s)

Scan Started Wed Jul 15 19:30:00 2009
-------------------------------------------------------------------------------

*** Scanning Programs in Computer Memory ***
---Please login as an Administrator to scan System processes loaded in computer memory---
*** Memory Scan: using ToolHelp ***


*** Scanned 7 processes - 166 modules ***
*** Computer Memory Scan Completed ***


----------- SCAN SUMMARY -----------
Known viruses: 593613
Engine version: 0.95.2
Scanned directories: 157
Scanned files: 2049
Infected files: 0
Data scanned: 2347.46 MB
Data read: 3486.66 MB (ratio 0.67:1)
Time: 424.476 sec (7 m 4 s)


Upon reviewing the scan report this morning, the following was reported:

C:\Windows\system32\USER32.dll: Trojan.Waledac-132 FOUND

*** Scanned 7 processes - 167 modules ***
*** Computer Memory Scan Completed ***


----------- SCAN SUMMARY -----------
Known viruses: 595364
Engine version: 0.95.2
Scanned directories: 157
Scanned files: 2059
Infected files: 1
Not copied: 6
Data scanned: 2351.98 MB
Data read: 3487.30 MB (ratio 0.67:1)
Time: 424.086 sec (7 m 4 s)


The check box to quarantine infections is checked but nothing appears in the C:\program Data\Quarantine folder.

Two manual scans after viewing the above scan summary reported the following:

C:\Windows\System32\user32.dll: Trojan.Waledac-132 FOUND

C:\Windows\winsxs\Backup\x86_microsoft-windows-user32_31bf3856ad364e35_6.0.6001.18000_none_cd386c416d5c7f32_user32.dll_55f4ed20: Trojan.Waledac-132 FOUND

C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.0.6001.18000_none_cd386c416d5c7f32\user32.dll: Trojan.Waledac-132 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 596426
Engine version: 0.95.2
Scanned directories: 9323
Scanned files: 46968
Infected files: 3

The most recent Spybot Search & Destroy version was downloaded, updated, and run, as was the free version of SUPER Antispyware. They found no threats.

How likely is it that the reported infections are false positives? If it is likely the files have been infected, could anyone offer advice regarding their removal? A Google search finds precious little on this infection.

I am a newbie and want to say thank you for your help.

Richard
jalapeno


Joined: 18 Aug 2008
Posts: 0
Location: UK
Similar reports here.

Clamwin 95.2, XP SP3

ClamAV update process started at Fri Jul 17 09:59:01 2009
main.cld is up to date (version: 51, sigs: 545035, f-level: 42, builder: sven)
daily.cld updated (version: 9578, sigs: 51881, f-level: 43, builder: ccordes)
Database updated (596916 signatures) from database.clamav.net (IP: 81.91.100.173)

C:\pagefile.sys: Permission denied
C:\Program Files\NetMeeting\cb32.exe: Trojan.Waledac-389 FOUND
C:\WINDOWS\$NtServicePackUninstall$\userinit.exe: Trojan.Agent-119464 FOUND
C:\WINDOWS\ServicePackFiles\i386\userinit.exe: Trojan.Agent-119428 FOUND
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe: Trojan.Agent-119428 FOUND
C:\WINDOWS\system32\CatRoot2\tmp.edb: Permission denied
C:\WINDOWS\system32\config\default: Permission denied
C:\WINDOWS\system32\config\SAM: Permission denied
C:\WINDOWS\system32\config\SECURITY: Permission denied
C:\WINDOWS\system32\config\software: Permission denied
C:\WINDOWS\system32\config\system: Permission denied
C:\WINDOWS\system32\dllcache\cb32.exe: Trojan.Waledac-389 FOUND
C:\WINDOWS\system32\userinit.exe: Trojan.Agent-119428 FOUND
C:\WINDOWS\Temp\hsperfdata_SYSTEM\308: Permission denied

----------- SCAN SUMMARY -----------
Known viruses: 596305
Engine version: 0.95.2
Scanned directories: 23447
Scanned files: 198684
Infected files: 6
Data scanned: 84672.93 MB
Data read: 129112.53 MB (ratio 0.66:1)
Time: 16412.828 sec (273 m 32 s)

Scan Started Sat Jul 18 08:45:31 2009
-------------------------------------------------------------------------------

*** Scanning Programs in Computer Memory ***
*** Memory Scan: using ToolHelp ***


Re-scanned memory this morning, there appears to be nothing nasty actually running.

The only thing I've installed is the Photograph editing/management tool ACDSee Pro 2.5
Antonio S.


Joined: 20 Apr 2008
Posts: 0
Location: Italy
Hello,

I also found a detection of Trojan.Waledac-389 during one recent scan of C: on Vista Home. Checked with VirusTotal and it appeared to be a false positive. Already notified the Clam team of the occurrence.
I'll suggest you do the same with your files. Seems that clam is getting many of these FP recently.

Regards,
Antonio
Richard


Joined: 17 Jul 2009
Posts: 0
Saturday, July 18, 2009

This is a follow-up to my original post. A manual scan of the server reported the following:

----------- SCAN SUMMARY -----------
Known viruses: 596427
Engine version: 0.95.2
Scanned directories: 9357
Scanned files: 47118
Infected files: 0
Data scanned: 10344.23 MB
Data read: 9319.91 MB (ratio 1.11:1)
Time: 2014.929 sec (33 m 34 s)

--------------------------------------

The location C:\Program Data\Quarantine contains no files. It seems that the server is clean. I cannot explain it but I am satisfied.

Should you need it, on page 67 of the August 2009 issue of "PC World" magazine is an advertisement offering a trial version of bitdefender. The link to the site is bitdefender.com/clientsecurity. I did not need the product but possibly someone else might. Thank you for your help.

Richard
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Because of false positives, you should probably set ClamWin's Infected Files option to Report Only and verify all reported infections (especially if they are in the Windows or Program Files/Microsoft Office directories) before you remove or quarantine them. If you get a reported infection of the same virus in several different files, that is usually a sign of a false positive (but verify one of them).

Regards,
Craig McEwan


Joined: 25 Jul 2009
Posts: 0
Hello,
I got the message below after the most recent run of ClamWin version 0.95.2

Is this a false positive?

Thanks in advance for any help or advice.
Cheers,

Craig

C:\WINDOWS\notepad.exe: Trojan.Zbot-5074 FOUND

C:\WINDOWS\ServicePackFiles\i386\notepad.exe: Trojan.Zbot-5074 FOUND

C:\WINDOWS\system32\dllcache\notepad.exe: Trojan.Zbot-5074 FOUND

C:\WINDOWS\system32\notepad.exe: Trojan.Zbot-5074 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 603144
Engine version: 0.95.2
Scanned directories: 3013
Scanned files: 36128
Infected files: 4
Data scanned: 10383.15 MB
Data read: 6876.80 MB (ratio 1.51:1)
Time: 4186.016 sec (69 m 46 s)
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
The same infection reported in multiple files is sometimes (not always) an indication of a false positive. Viruses now tend to be quiet, so they can make the perpetrators money somehow, and multiple infections would increase the chances of it getting caught.

I suggest you upload one of the files to Jotti at https://virusscan.jotti.org/en on the web. Jotti will scan it for you with 21 antiviruses, including Clam. If only a couple of AVs there find an infection, it is probably false. I like to see at least 5 AVs confirm an infection--especially if a couple of these AVs are included: Bitdefender, Kaspersky, F-Secure, NOD32, Symantec, McAfee.

If it is a false positive, report it to Clam, starting at https://www.clamav.net/sendvirus/ on the web. Give them the name of the virus that is falsely detected, and tell why you think it is a false detection.

Regards,
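The verify-first routine described in the replies above (set ClamWin to Report Only, treat one signature hitting several files as a false-positive warning sign, then upload one file for a second opinion) can be turned into a small triage script. The Python below is an added example, not code from this thread or from the ClamWin project: it parses the `<path>: <signature> FOUND` lines of a ClamWin scan log, groups them by signature, and attaches a verify-first hint instead of deleting or quarantining anything. The sample log is constructed from the paths quoted in this thread plus one made-up single-file hit (`Trojan.Constructed-1`); the list of Windows system/backup directories and the "shortest path is the live copy" rule are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: lines of the shape ClamWin writes to its scan log.
# The paths and signature names are the ones quoted earlier in this thread,
# plus one constructed single-file hit (Trojan.Constructed-1) for contrast.
SAMPLE_LOG = r"""
C:\pagefile.sys: Permission denied
C:\Windows\System32\user32.dll: Trojan.Waledac-132 FOUND
C:\Windows\winsxs\Backup\x86_microsoft-windows-user32_31bf3856ad364e35_6.0.6001.18000_none_cd386c416d5c7f32_user32.dll_55f4ed20: Trojan.Waledac-132 FOUND
C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.0.6001.18000_none_cd386c416d5c7f32\user32.dll: Trojan.Waledac-132 FOUND
C:\WINDOWS\notepad.exe: Trojan.Zbot-5074 FOUND
C:\WINDOWS\ServicePackFiles\i386\notepad.exe: Trojan.Zbot-5074 FOUND
C:\WINDOWS\system32\dllcache\notepad.exe: Trojan.Zbot-5074 FOUND
C:\WINDOWS\system32\notepad.exe: Trojan.Zbot-5074 FOUND
C:\Users\demo\Downloads\setup_tool.exe: Trojan.Constructed-1 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 603148
Infected files: 8
"""

# One detection line: "<path>: <signature> FOUND"
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

# Directories that hold Windows' own copies of system files: the live copy
# under \Windows and \system32, the File Protection cache (dllcache), service
# pack copies (ServicePackFiles, $NtServicePackUninstall$), Windows Update's
# download cache (SoftwareDistribution) and the Vista/2008 component store
# (winsxs). One signature hitting several of these at once means the same
# binary was matched repeatedly, which is the pattern the replies above call
# out. This marker list is an assumption of this example.
SYSTEM_DIR_MARKERS = (
    "\\windows\\",
    "\\winsxs\\",
    "\\dllcache\\",
    "\\servicepackfiles\\",
    "\\$ntservicepackuninstall$\\",
    "\\softwaredistribution\\",
)


def parse_detections(log_text):
    """Return (path, signature) for every FOUND line; skips 'Permission denied' and summary lines."""
    detections = []
    for line in log_text.splitlines():
        match = FOUND_RE.match(line.strip())
        if match:
            detections.append((match.group("path"), match.group("sig")))
    return detections


def is_system_path(path):
    """True if the path lies under one of the Windows system/backup directories above."""
    lowered = path.lower()
    return any(marker in lowered for marker in SYSTEM_DIR_MARKERS)


def triage(detections, min_files=2):
    """Group detections by signature and attach the verify-first hint from the thread.

    Nothing is deleted or quarantined here: the output is a worklist for the
    manual check (upload one representative file to a multi-engine scanner,
    report confirmed false positives to ClamAV).
    """
    by_signature = defaultdict(list)
    for path, sig in detections:
        by_signature[sig].append(path)

    report = {}
    for sig, paths in by_signature.items():
        system_hits = sum(1 for p in paths if is_system_path(p))
        if len(paths) >= min_files and system_hits == len(paths):
            hint = ("likely false positive: same signature in %d files, all Windows "
                    "system/backup copies; verify one before quarantining" % len(paths))
        elif len(paths) >= min_files:
            hint = "possible false positive: same signature in %d files; verify one" % len(paths)
        else:
            hint = "single hit: verify before acting"
        report[sig] = {
            "files": sorted(paths),
            "system_dir_hits": system_hits,
            "hint": hint,
            # Assumption: the shortest path is normally the live copy, so upload that one.
            "submit_one": min(paths, key=len),
        }
    return report


def format_report(report):
    """Render the triage worklist as plain text lines."""
    lines = []
    for sig in sorted(report):
        entry = report[sig]
        lines.append("%s: %s" % (sig, entry["hint"]))
        lines.append("  upload for a second opinion: %s" % entry["submit_one"])
        for path in entry["files"]:
            lines.append("  - %s" % path)
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(triage(parse_detections(SAMPLE_LOG)))))
```

To use it on a real log, replace `SAMPLE_LOG` with the contents of ClamWin's scan log file and run the script; it only reads the log, so it is safe to run while the Infected Files option is still set to Report Only.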
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
These are surely false positives. I just had a detection on Notepad when I ran a scan. There were a bunch of signatures submitted yesterday for Trojan.Zbot, and it looks like one of them, at least, was false.

Make sure you have ClamWin's infected files option set to Report Only. The ClamWin developers are working on a fix for all these false positives that zap Windows files.

Regards,
scarlett_156


Joined: 06 Jun 2008
Posts: 0
Location: eastern rural Colorado (USA)
Yep, this happened to me, too:

Scan Started Sat Jul 25 19:48:05 2009
-------------------------------------------------------------------------------


C:\WINDOWS\ServicePackFiles\i386\notepad.exe: Trojan.Zbot-5074 FOUND
C:\WINDOWS\SYSTEM32\notepad.exe: Trojan.Zbot-5074 FOUND
C:\WINDOWS\notepad.exe: Trojan.Zbot-5074 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 603148
Engine version: 0.95.2
Scanned directories: 0
Scanned files: 18
Infected files: 3

Data scanned: 0.54 MB
Data read: 0.41 MB (ratio 1.33:1)
Time: 11.204 sec (0 m 11 s)
--------------------------------------
Completed


I DID upload the files to the Jotti service (thanks a lot for that, guys!) and only Clamwin AV detected malware. So, yeah: There's a problem.

I do wonder, though: Why is the notepad.exe file present in so many directories? That seems strange.

Thanks so much as always for the help.

~~~ yours in Chaos, Scarlett
alch
Site Admin

Joined: 27 Nov 2005
Posts: 0
It is a false positive and is being dealt with. Thanks for your patience