Hello,

Currently, ClamAV run from Linux reports Docx.Exploit.CVE_2015_1770 in my Windows 8.1 install, in the files:

- pageFile.sys
- Windows/System32/config/SOFTWARE (a piece of the Windows registry)

If I understand it correctly, pageFile.sys works much like a Linux swap, hence basically containing RAM dumps. After removing the file from the Windows system and booting into it, I noticed Windows just made a new one when needed, as I expected. Thus I am actually using that file as a checkpoint to track whether the system is clean or not - whether the virus appears in the volatile memory when Windows is run.

When I first noticed the infection, pageFile.sys did not get infected upon a Windows startup without logging on a user (it would, however, otherwise, regardless of whether the user was an administrator or a regular one). I noticed the infection on Windows/System32/config/SOFTWARE later and moved it to Linux to try and fix it - even though I was not really sure how to do it. Upon giving up on the latter plan I simply tried booting into Windows, which failed. Since copying the SOFTWARE file back in, pageFile.sys now becomes infected even if I don't log on any user. I presume the reason for this may be that the file lost its Windows permissions upon being copied to my Linux install and is now world-accessible, thus being run by the system even before an allowed user is logged on...?

On the other hand, I am hesitant to consider this a false positive, as ClamAV did detect another virus in my Windows system:

- Program Files (x86)/Hewlett-Packard/Shared/WizLink.exe: Win.Worm.Tenga-113 FOUND

I don't need that file at all, so I simply deleted it, and no further infections of that virus have been detected since. My Windows install was running considerably slow (especially network-related tasks) before removing that file and seems to have picked back up its speed, so I am assuming the said virus was indeed, at least for the most common use of that system, removed. However, I'm not sure whether this worm and the Docx.Exploit.CVE_2015_1770 are not related...?

No other infections were detected by ClamAV on the affected system, and Norton Internet Security, which I have installed and running on Windows, doesn't seem to have ever noticed anything.

So that's basically the full story. At this moment, I would like to know how I can remove Docx.Exploit.CVE_2015_1770 from Windows/System32/config/SOFTWARE (any particular key or value I should be looking for?), so that I'm sure it's not its loading into RAM at startup that's making its signature appear on /pageFile.sys.

Thanks in advance,
JD Ackle

_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml