owenb
Joined: 24 Dec 2011 | Posts: 0 | Location: NE Washington State
Posted: Sat Dec 24, 2011 3:07 pm
After scanning I found the following within the report.
I would like an explanation of: "DOS.ComInfector-7 FOUND"
C:\Documents and Settings\All Users\.clamwin\quarantine\SysLib.sys.infected: W32.Virut.di FOUND
C:\Documents and Settings\All Users\.clamwin\quarantine\SysLib0.sys.infected: DOS.ComInfector-7 FOUND
Owen

GuitarBob
Joined: 09 Jul 2006 | Posts: 9 | Location: USA
Posted: Sat Dec 24, 2011 8:14 pm
Hello Owen:
DOS.ComInfector-7 was first published by Clam AV back in 2005 when file infecting viruses were more common. A virus cannot reproduce itself--it has to infect a file. Nowadays trojans and worms are most common.
Because of this, I suspect that your files (the Virut detection also) are false positive detections and not a real detection of malware. What you should do is upload the files (one at a time) to Jotti at https://virusscan.jotti.org/en or Virus Total at https://www.virustotal.com/ on the web and see how many AVs detect an infection. If several other AVs besides Clam AV (which provides its scan engine and signature database to ClamWin) say it is infected, it is probably a real infection and not a false positive. In that case, you should delete the file(s) from your computer. If only a few AVs say it is infected, it is probably a false positive, and you should upload the file to Clam AV, starting at https://www.clamav.net/lang/en/sendvirus/ on the web so they can correct the signature. Change the submission type from "virus" to "false positive." You can zip multiple files and upload the zipped file. If the file is too large, send email to luca at clamav dot net (spelled out here to prevent email address theft) and ask for instructions.
I like to see at least 2 of these AVs detect an infection before I believe it: AntiVir, Bitdefender, NOD32, Kaspersky, and Sophos, but if at least 6 AVs see an infection, you can probably believe it.
Regards,

owenb
Joined: 24 Dec 2011 | Posts: 0 | Location: NE Washington State
Posted: Sun Dec 25, 2011 5:40 pm
Hi Bob,
I'm in strange territory. My tech savvy is mostly limited to hitting icons.
When I go to \quarantine and open \"SysLib0.infected.txt"
I get the following
"\\?\C:\WINNT\system32\drivers\SysLib0.sys \\?\C:\Documents and Settings\All Users\.clamwin\quarantine\SysLib0.sys.infected"
An attempt to send "SysLib0.infected", an 8086KB file designated as INFECTED file, fails because the file is too big.
Where or how do I find the correct file to send to Jotti or Virus Total?
Thanks,
Owen

GuitarBob
Joined: 09 Jul 2006 | Posts: 9 | Location: USA
Posted: Sun Dec 25, 2011 6:11 pm
So the file(s) are okay per Jotti or Virus Total? You have the right file in quarantine. As I mentioned above, if a file is too large to upload to Clam AV, send email to Luca at the address I mentioned. Use normal email format--I just spelled it out above to keep any spammers from automatically harvesting it. Luca will tell you what to do. Clam should look at the file and do any correcting within about 3 days. You can wait until then to restore the file from quarantine via the ClamWin quarantine browser if you do not need it.
Regards,