On 7/23/2015 1:15 PM, JD Ackle wrote:
> --------------------------------------------
> On Wed, 7/22/15, G.W. Haywood <[email protected]> wrote:
> 
>  Subject: Re: [clamav-users] How to clean infection by Docx.Exploit.CVE_2015_1770
>  To: [email protected]
>  Date: Wednesday, July 22, 2015, 5:45 PM
>  
>  Hi there,
>  
>  On Wed, 22 Jul 2015, JD Ackle wrote:
>  
>  > I would like to know how can I remove Docx.Exploit.CVE_2015_1770
>  > from Windows/System32/config/SOFTWARE
>  
>  As others have said, you might have found a false positive.  You need to
>  find out if that is the case or not before you do anything else.
>  
>  If it is not a false positive but a real infection, then the ClamAV
>  users' mailing list cannot really help you with your question.
>  
>  ClamAV tells you if it thinks that it has found something.  It is up to
>  you to decide what to do about it.  You *can* choose to delete files if
>  they are flagged by ClamAV, but in general that is not recommended; and
>  as /Windows/System32/config/SOFTWARE is one of Windows' registry files,
>  it will certainly damage your Windows installation if you delete it.
>  
>  There are many Internet help sites and similar which can help you with
>  your question.
>  
>  Reading the rest of your message tells me that you need something. :)
>  For self-help I personally recommend MalwareBytes Anti-Malware (MBAM).
>  If you download it, be careful where you get it from.  Some Websites
>  have been seen to include malicious software with the download.
>  
> 
> Thank you for your advice, GW.
> 
> I tried MBAM and it reported NO infections. However, the first run did crash 
> the program, so I then used another tool provided by MBAM that stated that 
> sometimes the main program may be prevented from running by viruses and 
> that's what the other tool was meant to solve - it did run alright and 
> reported no threats but...
> 
> I then had Norton doing a scan and it found some tracking cookies in Firefox 
> which is a tad odd on two accounts: 1) Norton had never complained about 
> these before (but it might just be a new setting included with later 
> updates...?) and 2) I have Firefox configured to "Keep cookies until I close 
> Firefox" (which doesn't necessarily mean they are removed from the hard disk, 
> maybe they'll just no longer be used again by Firefox after the program 
> quits...?).
> 
> Finally, I thought I might as well install the latest security update from 
> Microsoft (which I was postponing for a couple days to have it installed on a 
> clean(er) system).
> 
> And then... the latest results from ClamAV run from Linux:
> - "/Windows/System32/config/" (where the previously infected "SOFTWARE" file's 
> located) is now CLEAN!
> - "/pagefile.sys" however is now clean of "Docx.Exploit.CVE_2015_1770" but is 
> reportedly infected by "Exploit.Countdown" on every 
> Remove-said-file-from-within-Linux->Reboot_to_Windows->Reboot-to-Linux-and-run-ClamAV-again.
>  I had actually forgotten about this report when I told the "full story" 
> earlier. This positive was detected at the time I had the Tenga virus and it 
> was after removing the Tenga virus that the Docx.Exploit.CVE_2015_1770 
> started being detected.
> 
> I am currently doing a new full ClamAV scan of my Windows partition to try 
> and check if something new comes up. Thus far only pagefile.sys was reported 
> with said "Exploit.Countdown" and ... a few warning messages that don't 
> reference any particular file have come up as well:
> "LibClamAV Warning: cli_scanicon: found 1 invalid icon entries of 1 total" 
> (eight times thus far on the current scan, all of them before the 
> pagefile.sys detection)
> I have no idea what that means but I've noticed it happens every time I run a 
> scan on a Windows folder (i.e. on more than one file at a time) and never 
> when scanning a Linux folder.
> 
> Just telling all this on this list because I'm not that sure these are false 
> positives at the moment - hence no point in submitting anything to that list...
> I will look for help elsewhere, probably will start off at Microsoft Answers. 
> If something comes up which I think might be relevant to ClamAV, I'll reply 
> back on this thread.
> 
> Thanks to all that replied.
> J.D. Ackle
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml
> 


Tracking cookies are exactly what they sound like, and are not an
indicator of malware.  You can remove them for privacy reasons.

pagefile.sys is basically a dump of random memory pages. The chance
of a false positive when scanning random data is very high.  It's
likely safe to ignore anything reported here if there are no other
indications of a problem.

I don't see any clear sign of infection here.



  -- Noel Jones
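One defender-side way to act on the point Noel makes about pagefile.sys, as an added example that is not part of this thread and not ClamAV's own code: a small Python triage script that reads clamscan output lines, labels detections inside volatile memory-dump files (pagefile.sys, hiberfil.sys, swapfile.sys) as low-confidence, marks registry hives under Windows/System32/config as "verify, do not delete", and tallies LibClamAV warnings separately from per-file detections so that the cli_scanicon noise from the thread does not get mixed in with findings. The line formats it parses follow the clamscan output quoted above; the file lists, verdict names and sample scan lines are this example's own assumptions.

```python
"""Triage helper for clamscan output (added example, not ClamAV's own code).

Assumptions (labelled): clamscan line formats "<path>: <sig> FOUND",
"<path>: OK" and "LibClamAV Warning: <text>" as quoted in the thread; the
volatile-file and registry-hive heuristics are this example's own, not
ClamAV policy.
"""
import re
from dataclasses import dataclass, field

FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
WARN_RE = re.compile(r"^LibClamAV Warning: (?P<text>.+)$")

# Files whose content is a dump of arbitrary memory pages; a signature match
# inside them is weak evidence on its own (assumed list).
VOLATILE_NAMES = {"pagefile.sys", "hiberfil.sys", "swapfile.sys"}
# Registry hives: deleting these breaks Windows, so never act on them blindly.
HIVE_DIR_RE = re.compile(r"/windows/system32/config/", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    signature: str
    verdict: str  # "low-confidence", "verify-do-not-delete" or "verify"


@dataclass
class Report:
    findings: list = field(default_factory=list)
    warnings: dict = field(default_factory=dict)  # warning source -> count
    clean: int = 0


def classify(path: str) -> str:
    """Assign a triage verdict from the file's location alone."""
    name = path.rsplit("/", 1)[-1].lower()
    if name in VOLATILE_NAMES:
        return "low-confidence"
    if HIVE_DIR_RE.search(path):
        return "verify-do-not-delete"
    return "verify"


def triage(lines) -> Report:
    """Parse clamscan output lines into detections, warnings and clean count."""
    report = Report()
    for line in lines:
        line = line.rstrip("\n")
        m = FOUND_RE.match(line)
        if m:
            report.findings.append(Finding(m["path"], m["sig"], classify(m["path"])))
            continue
        w = WARN_RE.match(line)
        if w:
            key = w["text"].split(":")[0]  # e.g. "cli_scanicon"
            report.warnings[key] = report.warnings.get(key, 0) + 1
            continue
        if line.endswith(": OK"):
            report.clean += 1
    return report


def needs_attention(report: Report):
    """Detections outside volatile files: these deserve a second opinion."""
    return [f for f in report.findings if f.verdict != "low-confidence"]


# Constructed sample output modelled on the thread (not real scan output).
SAMPLE = """\
LibClamAV Warning: cli_scanicon: found 1 invalid icon entries of 1 total
/mnt/win/Windows/System32/config/SOFTWARE: Docx.Exploit.CVE_2015_1770 FOUND
/mnt/win/Windows/System32/config/SYSTEM: OK
LibClamAV Warning: cli_scanicon: found 1 invalid icon entries of 1 total
/mnt/win/pagefile.sys: Exploit.Countdown FOUND
/mnt/win/Users/jd/report.docx: OK
"""

if __name__ == "__main__":
    r = triage(SAMPLE.splitlines())
    for f in r.findings:
        print(f"{f.verdict:22} {f.signature:28} {f.path}")
    print("warnings:", r.warnings, "clean files:", r.clean)
```

Run it against a saved scan log (`clamscan -r /mnt/win > scan.txt`, then feed the file's lines to `triage`). A "low-confidence" verdict on pagefile.sys is exactly the case Noel describes: the file is a memory dump, so a hit there means little unless other files also show the same signature. Entries marked "verify-do-not-delete" are the registry hives G.W. Haywood warns about; the right move there is to confirm the detection first (a rescan after a signature update, or a second scanner) rather than remove the file.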