ClamWin Free Antivirus
Support and Discussion Forums
Clamwin 0.96-1 quarantined\deleted all system exe files
brcisna


Joined: 15 May 2008
Posts: 0
Hello All,

Windows Server 2003 with SP2
Clamwin 0.96-1

As of Friday 9/25/2010, with Clamwin updating the daily database that day at 5:30pm and running that evening at 6:30pm as expected, Clamwin quarantined almost ALL C:\Windows\system32 files (exe's) on this system. The dll's and such were not touched. This system has been left alone for almost 4 years in regards to automatic updating etc., Windows, so this is not in the picture. This server provides our *payroll*, so this is huge in regards to me getting it straightened out!
ALL of the /Service Pack Files cache were deleted as well.
Here is the virus that ALL were detected as: W32.Neshuta.A FOUND
Any ideas what would cause this?
It also quarantined the actual payroll program along with two other program (exe) applications that reside on the root of the C: drive (not in the Program Files folder). Don't know why it appears stuff on the root of the C: drive gets knocked out as well?
Ideas?

Thanks,
Barry
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
That signature is several years old, and it is so general that it should probably not have been made. Here is what it looks like in English:

Here it is: U?????3??E??E??E??E??T?@??????3?Uh ?@?d?0d? ???@????????????\??????@????????????H??????@????????????4??????@???????????? ??????@?????

Please send one of those quarantined files to Clam AV, starting at https://www.clamav.net/lang/en/sendvirus/ on the web. When you get to the upload page, be sure to select False Positive, and tell them the exact name of the virus. They should correct the signature within a day or so (weekdays).

I suggest that you keep ClamWin's infected files option set to Report Only, and check files it flags as "infected" with the Jotti or Virus Total scanners before you do anything to them. ClamWin has some protection against Windows system files false positives, but it only works on Vista/Win 7 computers.

Regards,
brcisna


Joined: 15 May 2008
Posts: 0
GuitBob,

Thanks for the feedback.
I think if you look you'll see that Clamwin 0.96-1 (which I listed) is in fact the latest Clamwin engine, being just a few months (not several years) old, if that.
I am from here on out going to change back to the default of "report" rather than quarantine.
The signature is updating daily as expected.

Thanks,
Barry
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
The signature is what's old--not ClamWin. The sig was made in 2008, I believe. Many Windows system files have changed since then, so it will not identify them--only those files that were around in their 2008 form. This would probably only be a problem on Win 98/XP machines, as ClamWin will now check to see if an infected file has a Microsoft digital signature and if so, it will just give the user a message instead of remove/quarantine. I hope they can extend protection to older computers soon. Try to upload one of those files to Clam AV as a false positive so they can fix it.

Regards,
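The advice in the two replies above (keep ClamWin on Report Only, and review what a signature flagged before acting) can be turned into a simple triage check. The following Python script is an added example, not code from this thread or from the ClamWin project: it parses a clamscan-style report and flags any signature that suddenly matches many files under Windows system directories, the pattern this thread describes, which is far more likely to be a bad signature than an infection. The report line format (`<path>: <signature> FOUND`), the directory list and the threshold are assumptions, and the sample report is constructed.

```python
import re
from collections import defaultdict

# clamscan-style report lines: "<path>: <signature> FOUND" (assumed format;
# lines ending in "OK" or anything else are ignored)
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND\s*$")

# Directories where one signature matching many files at once is far more
# likely to be a bad signature than a real outbreak (lowercase for matching)
SYSTEM_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\servicepackfiles",
)

# Constructed sample report modelled on the thread: one old signature hits
# system32, the SP2 file cache and a payroll app; one unrelated single hit.
SAMPLE_REPORT = r"""
C:\Windows\system32\calc.exe: W32.Neshuta.A FOUND
C:\Windows\system32\notepad.exe: W32.Neshuta.A FOUND
C:\Windows\system32\cmd.exe: W32.Neshuta.A FOUND
C:\Windows\system32\taskmgr.exe: W32.Neshuta.A FOUND
C:\Windows\system32\svchost.exe: W32.Neshuta.A FOUND
C:\Windows\system32\kernel32.dll: OK
C:\Windows\ServicePackFiles\i386\ntoskrnl.exe: W32.Neshuta.A FOUND
C:\Windows\ServicePackFiles\i386\winlogon.exe: W32.Neshuta.A FOUND
C:\payroll\payroll.exe: W32.Neshuta.A FOUND
C:\Documents and Settings\barry\Desktop\eicar.com: Eicar-Test-Signature FOUND
"""

def parse_report(text):
    """Group every FOUND line by signature name -> list of file paths."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits[m.group("sig")].append(m.group("path"))
    return dict(hits)

def suspect_false_positives(hits, threshold=5):
    """Return {signature: system_dir_hit_count} for signatures matching at
    least `threshold` files under SYSTEM_DIRS. Hold those quarantine actions
    for manual review (second-opinion scan, vendor false-positive report)."""
    suspects = {}
    for sig, paths in hits.items():
        n = sum(1 for p in paths if p.lower().startswith(SYSTEM_DIRS))
        if n >= threshold:
            suspects[sig] = n
    return suspects
```

Running `suspect_false_positives(parse_report(SAMPLE_REPORT))` on the constructed report singles out W32.Neshuta.A (7 system-directory hits) and leaves the single EICAR detection alone.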
brcisna


Joined: 15 May 2008
Posts: 0
OK, I believe what you are saying, that the FOUND,
W32.Neshuta.A,
is way outdated?

Unless I'm out in left field, Service Pack 2 is still the latest Service Pack for Windows Server 2003?
Maybe someone can tell me I am completely out to lunch on this 'theory'?...
Note: This is NOT Windows XP...
Also we have 8 other Windows Server 2003 servers with SP2 that this did not happen to..
I will upload one of the Service Pack files (SP2) that was deleted/quarantined, as you suggested, to the Clamwin upload place. Thanks for the heads-up, as I missed this spot to do this on the forum here.
And yes, Service Pack 2 / Windows Server 2003 is ancient at this point, but I am sure there are lots of businesses still using it. After all, after 2 years of production any Winders OS is outdated. This is why Linux was invented, right? ... :)

Thanks,
Barry