owy
Joined: 13 May 2008 |
Posts: 0 |
Location: Australia |
Posted: Sat Aug 04, 2012 3:33 am |
Hello.
My ClamWin installation reported the following today in a routine scan:
C:\dell\drivers\R115707\Apps\iProData\mCore.msi: Trojan.Agent-297105 FOUND
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe: Trojan.Agent-297105 FOUND
C:\WINDOWS\Installer\iProData\mCore.msi: Trojan.Agent-297105 FOUND
Any ideas on what this is?
Thanks,
Owen.
GuitarBob
Joined: 09 Jul 2006 |
Posts: 9 |
Location: USA |
Posted: Sat Aug 04, 2012 4:40 am |
I suspect they are false positive detections--where ClamWin falsely detects an infection. Most malware is stealthy, and you do not usually have multiple incidences of files infected by them (an exception is a file-infecting virus, but this appears to be a trojan). The way to be sure is to upload the files (one at a time) to either the Jotti or Virus Total scanning services. Either one will scan your file for you with multiple AVs, including our Clam AV scan engine. If multiple AVs see an infection, it probably is real and not a false positive. I always like to see 2 of these 5 AVs verify an infection: AntiVir, Bitdefender, Kaspersky, Nod32, and Sophos.
If it is a false positive, upload the file to Clam AV via the Submit A File link on their web site. They will correct their signature within a few days. Keep the files in the ClamWin quarantine folder until they are no longer detected as infected (scan them in the quarantine folder every day or so). You could restore them from quarantine via the ClamWin Quarantine Browser program, but you would have to whitelist them in the Configure, Filters, Exclude Matching Filenames option.
Regards,
owy
Joined: 13 May 2008 |
Posts: 0 |
Location: Australia |
Posted: Sat Aug 04, 2012 5:05 am |
Righto. I'll check this out and get back if I need.
Thanks,
Owen.
owy
Joined: 13 May 2008 |
Posts: 0 |
Location: Australia |
Posted: Sat Aug 04, 2012 7:44 am |
Hello again.
I've scanned these three files at Jotti, and according to this advice, I believe these detections are false positives. A detection was made on Clam AV of "PUA.Win32.Packer.NspackDotnetNor-1" for both copies of mCore.msi. No detection at all was made for the third.
I'll compare the two files to see if they're identical. If they are, I'll upload one of the files to Clam AV via the Submit A File link on their web site. I'll do this in a bit.
Owen.
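Added example, not part of any post in this thread: a Python sketch of the triage step discussed above, which parses the "FOUND" lines of a scan report and groups the flagged files by SHA-256 so that byte-identical copies (such as the two mCore.msi paths) only need to be uploaded once. The function names are hypothetical, and files that have been moved to quarantine or cannot be read are grouped under None.

```python
import hashlib
import re
from collections import defaultdict

# Detection lines have the form "<path>: <signature> FOUND". The greedy path
# group keeps the drive-letter colon ("C:") inside the path.
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND\s*$")

# Report lines quoted in the first post of this thread.
REPORT = r"""
C:\dell\drivers\R115707\Apps\iProData\mCore.msi: Trojan.Agent-297105 FOUND
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe: Trojan.Agent-297105 FOUND
C:\WINDOWS\Installer\iProData\mCore.msi: Trojan.Agent-297105 FOUND
"""

def parse_report(text):
    """Return [(path, signature)] for every FOUND line in a scan report."""
    hits = []
    for line in text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def group_identical(paths):
    """Map SHA-256 digest -> paths with that content (None = unreadable)."""
    groups = defaultdict(list)
    for p in paths:
        try:
            groups[sha256_file(p)].append(str(p))
        except OSError:
            # Missing, locked, or already quarantined under another name.
            groups[None].append(str(p))
    return dict(groups)

if __name__ == "__main__":
    hits = parse_report(REPORT)
    for digest, same in group_identical(p for p, _ in hits).items():
        print(digest or "unreadable", same)
```

Paths that share a digest are the same file content, so one upload per digest covers all of them.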