ClamWin Free Antivirus
Support and Discussion Forums
Clamwin reporting notepad.exe trojan
Jim Bowen


Joined: 27 Feb 2010
Posts: 0
I've been using ClamWin for about two months, and have until today seen only clean reports.
I use ClamWin, and also MS Security Essentials in active mode, and also use Spybot Search and Destroy.

MS Security Essentials does not report this trojan, only ClamWin. I tried deleting the files and rebooting, but the files are still there.

Here are the files ClamWin is reporting:

C:\WINDOWS\NOTEPAD.EXE: Trojan.Agent-142482 FOUND

C:\WINDOWS\system32\dllcache\notepad.exe: Trojan.Agent-142482 FOUND

C:\WINDOWS\system32\notepad.exe: Trojan.Agent-142482 FOUND

I can find and delete the first and the third, but they instantly come back.

The one in dllcache I can't even locate with a system search when hidden files are selected in the search.
In fact I can't even locate the dllcache directory.

If anyone can advise what to do next, it's much appreciated.

Thanks

Jim Bowen


Joined: 27 Feb 2010
Posts: 0
Update: I just tested two of the notepad.exe files through Jotti and VirusTotal.

Jotti says only ClamAV reports it as a virus out of twenty scanners, but VirusTotal reports two out of 40 hits.

In VirusTotal:

ClamAV reports it as: Trojan.Agent-142482

eSafe reports the same file as Win32.Banker

Appreciate any advice/help on this.

Thanks!
alch
Site Admin

Joined: 27 Nov 2005
Posts: 0
Please submit the false positive online:
https://cgi.clamav.net/sendvirus.cgi
rdivilbiss


Joined: 27 Feb 2010
Posts: 0
I also got the false positive on NOTEPAD.EXE, and in addition to the files being quarantined I now have a pop-up dialog titled Windows File Protection which states "Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files." then "Insert your Windows XP Professional Service Pack 3 CD now."

Problem is this computer was installed as XP SP1 and upgraded via Windows Update to SP3, i.e. no Windows SP3 CD.

What now?
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I think that Microsoft has ISO versions of SP3 (you want only SP3--nothing else). Also, last year I had my SP3 scrambled due to UBD4Win, and I found a site that also had it. It was rather large, and I had to download it via uTorrent. I downloaded it, burned it to CD as an ISO and was able to restore from SP 2/1 (whichever UBD4Win changed it to) back to SP3.

I would try to get Microsoft's version. You need to be careful at places that have Torrent stuff. Lots of viruses sometimes.

Regards,
seanj


Joined: 28 Feb 2010
Posts: 0
Location: Canada
This isn't a false-positive. I scanned my retail XP disc and got 0 infected files, but notepad.exe and notepad.ex_ both showed positive for Trojan.Agent-142482 on a downloaded XP image.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
The false positive reports I have seen at Clam have just submitted a scan report--not the actual notepad.exe file. They need the actual file to do anything. Scan reports do not help.

I have just reported the false positive to Clam with the notepad.exe file.

Regards,
darthkringle


Joined: 28 Feb 2010
Posts: 0
So, I have this exact issue as well. Do I need to remove the quarantined files, rename them, re-install SP3 or wait and hear what the forum says? Sorry if my question is lame, I have been running ClamWin for 2 years and have now had two false positive issues in the last 6 weeks. Thanks for any advice on how to best proceed.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I am sure that Trojan.Agent-142482 is a false positive on notepad.exe. It has been reported to Clam. I think you can safely restore it to its original directory with the original name, if you can. Perhaps the Clamwin log can help you identify the home directory, and you need to delete the ".infected" from the name. You can exclude the file from ClamWin scans for a few days via the configuration tabs.

The notepad.exe file we have on our machines now may not be the same as the original version from Microsoft. It is constantly changing Windows files, and each time a file changes, it is essentially a new file.

Regards,
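One way to check flagged system files before restoring them from quarantine, as an added example that is not part of any post in this thread and is not ClamWin code: it parses the report lines quoted in the first post and compares each file's SHA-256 with a hash taken from a copy on media you trust. The `read_file` hook, the verdict labels and the file contents are assumptions made for the example.

```python
import hashlib
import re
from collections import defaultdict

# Report line format seen in the thread: "<path>: <signature> FOUND"
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")

def parse_report(text):
    """Group flagged paths by signature name."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits[m.group("sig")].append(m.group("path"))
    return dict(hits)

def triage(hits, read_file, trusted_hashes):
    """Compare each flagged file's SHA-256 with a hash taken from trusted media.

    read_file: callable returning a file's bytes (hypothetical hook, so the
    example runs offline). trusted_hashes: {lower-case file name: sha256 hex}.
    """
    verdicts = {}
    for paths in hits.values():
        for path in paths:
            name = path.rsplit("\\", 1)[-1].lower()
            if name.endswith(".infected"):      # quarantine suffix from the thread
                name = name[: -len(".infected")]
            try:
                actual = hashlib.sha256(read_file(path)).hexdigest()
            except (OSError, KeyError):         # e.g. the dllcache copy nobody can open
                verdicts[path] = "unreadable"
                continue
            expected = trusted_hashes.get(name)
            if expected is None:
                verdicts[path] = "no-reference"
            else:
                verdicts[path] = "matches-trusted-copy" if actual == expected else "differs"
    return verdicts

# Constructed sample data: report lines as posted, file contents are stand-ins.
SAMPLE_REPORT = r"""
C:\WINDOWS\NOTEPAD.EXE: Trojan.Agent-142482 FOUND
C:\WINDOWS\system32\dllcache\notepad.exe: Trojan.Agent-142482 FOUND
C:\WINDOWS\system32\notepad.exe: Trojan.Agent-142482 FOUND
"""
REFERENCE = b"stand-in for notepad.exe copied from trusted media"
SAMPLE_FILES = {r"C:\WINDOWS\NOTEPAD.EXE": REFERENCE,
                r"C:\WINDOWS\system32\notepad.exe": REFERENCE + b"\x00modified"}
TRUSTED = {"notepad.exe": hashlib.sha256(REFERENCE).hexdigest()}

if __name__ == "__main__":
    for path, verdict in triage(parse_report(SAMPLE_REPORT), SAMPLE_FILES.__getitem__, TRUSTED).items():
        print(f"{verdict:22} {path}")
```

On a real machine, pass `lambda p: open(p, "rb").read()` as `read_file` and build `trusted_hashes` from a copy you obtained from trusted media; a file that differs from that copy is not a candidate for restoring.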