--------------------------------------------
On Wed, 7/22/15, G.W. Haywood <cla...@jubileegroup.co.uk> wrote:

> Subject: Re: [clamav-users] How to clean infection by Docx.Exploit.CVE_2015_1770
> To: clamav-users@lists.clamav.net
> Date: Wednesday, July 22, 2015, 5:45 PM
>
> Hi there,
>
> On Wed, 22 Jul 2015, JD Ackle wrote:
>
> > I would like to know how can I remove Docx.Exploit.CVE_2015_1770
> > from Windows/System32/config/SOFTWARE
>
> As others have said, you might have found a false positive. You need to
> find out if that is the case or not before you do anything else.
>
> If it is not a false positive but a real infection, then the ClamAV
> users' mailing list cannot really help you with your question. ClamAV
> tells you if it thinks that it has found something. It is up to you to
> decide what to do about it. You *can* choose to delete files if they
> are flagged by ClamAV, but in general that is not recommended; and as
> /Windows/System32/config/SOFTWARE is one of Windows' registry files, it
> will certainly damage your Windows installation if you delete it.
>
> There are many Internet help sites and similar which can help you with
> your question. Reading the rest of your message tells me that you need
> something. :)
>
> For self-help I personally recommend MalwareBytes Anti-Malware (MBAM).
> If you download it, be careful where you get it from. Some Websites
> have been seen to include malicious software with the download.

Thank you for your advice, GW.

I tried MBAM and it reported NO infections. However, the first run did crash the program, so I then used another tool provided by MBAM that stated that sometimes the main program may be prevented from running by viruses and that's what the other tool was meant to solve - it did run alright and reported no threats but...

I then had Norton doing a scan and it found some tracking cookies in Firefox, which is a tad odd on two accounts:
1) Norton had never complained about these before (but it might just be a new setting included with later updates...?)
and 2) I have Firefox configured to "Keep cookies until I close Firefox" (which doesn't necessarily mean they are removed from the hard disk, maybe they'll just no longer be used again by Firefox after the program quits...?).

Finally, I thought I might as well install the latest security update from Microsoft (which I was postponing for a couple of days to have it installed on a clean(er) system).

And then... the latest results from ClamAV run from Linux:
- "/Windows/System32/config/" (where the previously infected "SOFTWARE" file's located) is now CLEAN!
- "/pagefile.sys" however is now clean of "Docx.Exploit.CVE_2015_1770" but is reportedly infected by "Exploit.Countdown" on every Remove-said-file-from-within-Linux -> Reboot-to-Windows -> Reboot-to-Linux-and-run-ClamAV-again.

I had actually forgotten about this report when I told the "full story" earlier. This positive was detected at the time I had the Tenga virus and it was after removing the Tenga virus that the Docx.Exploit.CVE_2015_1770 started being detected.

I am currently doing a new full ClamAV scan of my Windows partition to try and check if something new comes up. Thus far only pagefile.sys was reported with said "Exploit.Countdown" and... a few warning messages that don't reference any particular file have come up as well:

"LibClamAV Warning: cli_scanicon: found 1 invalid icon entries of 1 total"

(eight times thus far on the current scan, all of them before the pagefile.sys detection)

I have no idea what that means but I've noticed it happens every time I run a scan on a Windows folder (i.e. on more than one file at a time) and never when scanning a Linux folder.

Just telling all this on this list because I'm not that sure these are false positives at the moment - hence no point in submitting anything to that list... I will look for help elsewhere, probably will start off at Microsoft Answers. If something comes up which I think might be relevant to ClamAV, I'll reply back on this thread.

Thanks to all that replied.

J.D. Ackle

_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
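The thread above mixes three kinds of clamscan output: `path: Signature FOUND` detections, `LibClamAV Warning:` lines that belong to no particular file, and the scan summary. A small triage script that separates them, and flags hits in files Windows rewrites on every boot (pagefile.sys, hiberfil.sys) as "re-check before acting", is what I would run on such a log. The following is an added example written for this page; it is not code from the original post or from the ClamAV project. The log text, the `/mnt/win` mount point, the signature names in the sample and the set of "volatile" file names are all constructed assumptions; only the line formats (`path: SIG FOUND`, `LibClamAV Warning: ...`, the `SCAN SUMMARY` block) follow what clamscan actually prints.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of interleaved clamscan stdout/stderr. The paths,
# signature names and counts are made up for illustration; the line
# shapes match clamscan's real output formats.
SAMPLE_LOG = """\
LibClamAV Warning: cli_scanicon: found 1 invalid icon entries of 1 total
/mnt/win/Windows/System32/config/SOFTWARE: OK
LibClamAV Warning: cli_scanicon: found 1 invalid icon entries of 1 total
/mnt/win/pagefile.sys: Exploit.Countdown FOUND
/mnt/win/Users/jd/Documents/report.docx: Docx.Exploit.CVE_2015_1770 FOUND
/mnt/win/Users/jd/Downloads/empty.txt: Empty file

----------- SCAN SUMMARY -----------
Known viruses: 3871234
Engine version: 0.98.7
Scanned directories: 12
Scanned files: 5
Infected files: 2
Data scanned: 512.00 MB
Time: 42.123 sec (0 m 42 s)
"""

# Assumption: files that Windows regenerates at boot and that contain
# raw memory contents. A hit here is not evidence of an infected file
# on disk and should be re-checked, not deleted.
VOLATILE_NAMES = {"pagefile.sys", "hiberfil.sys", "swapfile.sys"}

FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
WARN_RE = re.compile(r"^LibClamAV Warning: (?P<msg>.*)$")
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<val>.+)$")


@dataclass
class Detection:
    path: str
    signature: str
    volatile: bool


@dataclass
class ScanReport:
    detections: list = field(default_factory=list)
    warnings: dict = field(default_factory=dict)   # message -> count
    summary: dict = field(default_factory=dict)    # summary key -> value


def parse_clamscan(text: str) -> ScanReport:
    """Parse clamscan output into detections, warning counts and summary."""
    report = ScanReport()
    in_summary = False
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if line.startswith("-----") and "SCAN SUMMARY" in line:
            in_summary = True
            continue
        if in_summary:
            m = SUMMARY_RE.match(line)
            if m:
                report.summary[m.group("key")] = m.group("val")
            continue
        m = WARN_RE.match(line)
        if m:
            # Library warnings describe parser state, not a specific file;
            # count distinct messages rather than treating them as hits.
            msg = m.group("msg")
            report.warnings[msg] = report.warnings.get(msg, 0) + 1
            continue
        m = FOUND_RE.match(line)
        if m:
            path = m.group("path")
            name = path.rsplit("/", 1)[-1].lower()
            report.detections.append(
                Detection(path, m.group("sig"), name in VOLATILE_NAMES))
    return report


def triage(report: ScanReport):
    """Split hits into actionable vs. re-check, and cross-check the summary."""
    actionable = [d for d in report.detections if not d.volatile]
    recheck = [d for d in report.detections if d.volatile]
    claimed = int(report.summary.get("Infected files", len(report.detections)))
    consistent = claimed == len(report.detections)   # log truncated if False
    return actionable, recheck, consistent


if __name__ == "__main__":
    rep = parse_clamscan(SAMPLE_LOG)
    act, rc, ok = triage(rep)
    print("actionable:", [(d.path, d.signature) for d in act])
    print("re-check  :", [(d.path, d.signature) for d in rc])
    print("warnings  :", rep.warnings)
    print("summary consistent:", ok)
```

Feeding a real log is `clamscan -r /mnt/win 2>&1 | tee scan.log` and then `parse_clamscan(open("scan.log").read())`. The split matters for the situation in the thread: a signature firing only inside pagefile.sys after each reboot says that something with matching bytes was in memory (the scanner's own data, a browser cache, a previously cleaned file) rather than that pagefile.sys is malicious, so it belongs in the re-check bucket, while a hit on an ordinary document is the one to hash and submit for confirmation.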