jliebbe
Joined: 30 Apr 2010
Posts: 0
Posted: Fri Apr 30, 2010 4:39 am

On April 2, I got the following entry in my scan log on ClamWin:
----------- SCAN SUMMARY -----------
Known viruses: 749241
Engine version: 0.95.3
Scanned directories: 15179
Scanned files: 100089
Infected files: 0
Data scanned: 32162.68 MB
Data read: 29573.90 MB (ratio 1.09:1)
Time: 19941.359 sec (332 m 21 s)
Scan Started Fri Apr 02 01:30:00 2010
-------------------------------------------------------------------------------
*** Scanning Programs in Computer Memory ***
*** Memory Scan: using ToolHelp ***
*** Scanned 57 processes - 636 modules ***
*** Computer Memory Scan Completed ***
C:\Program Files\Amazon\MP3 Downloader\Uninstall.exe: Trojan.FakeAV-1884 FOUND
C:\Program Files\Amazon\MP3 Downloader\Uninstall.exe: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\Uninstall.exe.infected'
C:\Program Files\Pinnacle\Studio 9\OEM\DPSLib2.bin: Trojan.FakeAV-2533 FOUND
C:\Program Files\Pinnacle\Studio 9\OEM\DPSLib2.bin: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\DPSLib2.bin.infected'
On April 21, the hit on Trojan.FakeAV-2533 went away, even though I had not removed the file from quarantine. Having been bitten by false positives before, I wait to destroy a file.
----------- SCAN SUMMARY -----------
Known viruses: 756470
Engine version: 0.96
Scanned directories: 15481
Scanned files: 101749
Infected files: 2
Not copied: 2
Data scanned: 27106.55 MB
Data read: 32052.44 MB (ratio 0.85:1)
Time: 19429.688 sec (323 m 49 s)
Scan Started Wed Apr 21 05:51:43 2010
-------------------------------------------------------------------------------
*** Scanning Programs in Computer Memory ***
*** Memory Scan: using ToolHelp ***
*** Scanned 58 processes - 667 modules ***
*** Computer Memory Scan Completed ***
C:\Documents and Settings\All Users\.clamwin\quarantine\Uninstall.exe.infected: Trojan.FakeAV-1884 FOUND
C:\Documents and Settings\All Users\.clamwin\quarantine\Uninstall.exe.infected not moved/copied since already in quarantine
Today I went in to clean out quarantine and ran a manual check on each file and got the following reports:
Scan Started Thu Apr 29 21:31:21 2010
-------------------------------------------------------------------------------
----------- SCAN SUMMARY -----------
Known viruses: 758602
Engine version: 0.96
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 1.89 MB
Data read: 0.52 MB (ratio 3.67:1)
Time: 14.968 sec (0 m 14 s)
Scan Started Thu Apr 29 21:32:13 2010
-------------------------------------------------------------------------------
C:\Documents and Settings\All Users\.clamwin\quarantine\Uninstall.exe.infected not moved/copied since already in quarantine
C:\Documents and Settings\All Users\.clamwin\quarantine\Uninstall.exe.infected: Trojan.FakeAV-1884 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 758602
Engine version: 0.96
Scanned directories: 0
Scanned files: 1
Infected files: 1
Not copied: 1
Data scanned: 0.11 MB
Data read: 0.07 MB (ratio 1.65:1)
Time: 26.812 sec (0 m 26 s)
It looks like there was a false positive on Trojan.FakeAV-2533 that got fixed. Is this a false positive on Trojan.FakeAV-1884?
I also ran the file still getting the hit through VirusTotal and got the following report:
https://www.virustotal.com/analisis/6106c9ec5cb72085118029faf60eb53f5ba7947f8a133c38719a23f1c5882582-1271112406

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Fri Apr 30, 2010 5:45 am

Since Clam is the only AV out of 40 on VirusTotal to detect it, it is very likely to be a false positive. Please submit it to Clam so they can correct it. I am sure you know the drill in filling out the submission form--check the false positive radio button, exact name/VirusTotal results in the explanation block.
The Fake AV trojans are really rampant now, and in this case, the original malware that was signed may be using a section of install code or an unpacker that "good" programs are also using. When Clam checked the signature, it did not have one of the "good" program "animals" on its false positive farm.
Regards,
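As an added example (not code from this thread or from ClamWin), the script below parses constructed excerpts in the format of the ClamWin logs quoted above and diffs the detections between two scans run with different signature databases: a hit that vanishes from a still-scanned quarantine after a DB update is the corrected false positive pattern jliebbe observed on Trojan.FakeAV-2533, while a hit that persists is the one GuitarBob advises submitting for review. The quarantine directory `C:\q` and the log excerpts are constructed for the example.

```python
import ntpath
import re

# Constructed excerpts modelled on the two ClamWin scans quoted in the thread:
# files found on disk on Apr 02, only one of them still detected (now in
# quarantine, so renamed *.infected) after the Apr 21 signature update.
SCAN_APR02 = r"""Known viruses: 749241
Engine version: 0.95.3
C:\Program Files\Amazon\MP3 Downloader\Uninstall.exe: Trojan.FakeAV-1884 FOUND
C:\Program Files\Amazon\MP3 Downloader\Uninstall.exe: moved to 'C:\q\Uninstall.exe.infected'
C:\Program Files\Pinnacle\Studio 9\OEM\DPSLib2.bin: Trojan.FakeAV-2533 FOUND
C:\Program Files\Pinnacle\Studio 9\OEM\DPSLib2.bin: moved to 'C:\q\DPSLib2.bin.infected'
"""
SCAN_APR21 = r"""Known viruses: 756470
Engine version: 0.96
C:\q\Uninstall.exe.infected: Trojan.FakeAV-1884 FOUND
C:\q\Uninstall.exe.infected not moved/copied since already in quarantine
"""

FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

def normalise(path):
    """Quarantine renames X to X.infected; strip that and the directory so a
    hit on the original file and on its quarantined copy compare equal."""
    name = ntpath.basename(path.strip())
    return name[:-len(".infected")] if name.endswith(".infected") else name

def parse_scan(text):
    """Return signature DB size, engine version and the set of (sig, file) hits."""
    scan = {"known_viruses": 0, "engine": "", "hits": set()}
    for line in text.splitlines():
        if line.startswith("Known viruses: "):
            scan["known_viruses"] = int(line.split(": ", 1)[1])
        elif line.startswith("Engine version: "):
            scan["engine"] = line.split(": ", 1)[1]
        elif (m := FOUND_RE.match(line)):
            scan["hits"].add((m.group("sig"), normalise(m.group("path"))))
    return scan

def compare_scans(older, newer):
    """A hit that disappears after a DB update, while the quarantined file is
    still scanned, is the pattern of a corrected false positive; hits that
    persist are the ones worth submitting to the vendor for review."""
    if newer["known_viruses"] < older["known_viruses"]:
        raise ValueError("second scan used an older signature database")
    return {"cleared": older["hits"] - newer["hits"],
            "persisting": older["hits"] & newer["hits"],
            "new": newer["hits"] - older["hits"]}
```

Run `compare_scans(parse_scan(SCAN_APR02), parse_scan(SCAN_APR21))` to get the cleared, persisting and new hits as sets of (signature, file name) pairs.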

jliebbe
Joined: 30 Apr 2010
Posts: 0
Posted: Sat May 01, 2010 5:20 am

File has been submitted to ClamAV.net.