RootKit Analyzer Deep Scan Results, do I have a RootKit?



matthewjumpsoffbuilding
2014-10-05, 21:23
Here's my scan logs, I have no idea if any of this is bad:

:: RootAlyzer Results
File:"Unknown ADS","C:\Users\Matt\Local Settings:P4B9xHBUVoEcIaPw0ywC:$DATA"
File:"Unknown ADS","C:\Users\Matt\AppData\Local:P4B9xHBUVoEcIaPw0ywC:$DATA"
File:"Unknown ADS","C:\Users\Matt\AppData\Local\3xAHBiaTTG:zH4MA7j5SOc4Svn6w0D9Q:$DATA"
File:"Unknown ADS","C:\Users\Matt\AppData\Local\Application Data:P4B9xHBUVoEcIaPw0ywC:$DATA"
File:"Unknown ADS","C:\ProgramData\Microsoft:9Oyhl36j8JRO1OR8haiHu:$DATA"
File:"Unknown ADS","C:\ProgramData\Microsoft:viBoRxnQpSb51qm7FuRetaUqE:$DATA"
File:"Unknown ADS","C:\ProgramData\Microsoft\YfPUvE4qBtufJQ:U8BnASnuhOFScTeU:$DATA"
File:"No admin in ACL","C:\cygwin64\usr\share\doc\Cygwin\ctags-5.8.README"
File:"No admin in ACL","C:\cygwin64\usr\share\doc\ctags-5.8\ctags.html"
File:"No admin in ACL","C:\cygwin64\home\Matt\.bash_history"
File:"No admin in ACL","C:\cygwin64\etc\inittab"
File:"No admin in ACL","C:\cygwin64\etc\rebase.db.x86_64"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Applets\SysTray\BattMeter\","Flyout"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Wow6432Node\Microsoft\Security Center\","Svc"


Also, I closed the Analyzer without deleting these entries. Do I have to rerun a complete Deep Scan if I do actually need to delete any of these items?
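
The two kinds of findings in that log can be judged by content rather than by name. What follows is an added example, not code from the original post and not from RootAlyzer or Spybot: it lists the alternate data streams on the flagged paths and shows the head of each, then prints the ACL principals on the flagged files and registry keys. It assumes PowerShell 7 (pwsh) run as Administrator on the same machine and uses $env:USERPROFILE in place of C:\Users\Matt. Windows PowerShell 5.1 may not enumerate streams on directories; `cmd /c dir /R <parent>` shows them in that case.

```powershell
# Added example, not from the original post or from RootAlyzer/Spybot.
# Assumes PowerShell 7 running elevated. "Local Settings" and "Application
# Data" are compatibility junctions to AppData\Local, which is why the log
# shows the same stream name on all three; only AppData\Local is listed here.

function Get-AdsReport {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { Write-Warning "$p not present"; continue }
        # -Stream * lists every NTFS stream. ':$DATA' is the ordinary file
        # content (directories do not have one); anything else is an ADS.
        Get-Item -LiteralPath $p -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $raw  = Get-Content -LiteralPath $p -Stream $_.Stream -Raw -ErrorAction SilentlyContinue
                $head = if ($raw) { $raw.Substring(0, [Math]::Min(16, $raw.Length)) } else { '' }
                [pscustomobject]@{
                    Path   = $p
                    Stream = $_.Stream
                    Bytes  = $_.Length
                    # 'MZ' at the start means a PE executable is hidden in the
                    # stream; a random name holding binary data deserves a
                    # second look, a few bytes of plain text usually does not.
                    Head   = ($head -replace '[^\x20-\x7E]', '.')
                }
            }
    }
}

function Test-AdminInAcl {
    param([string[]]$Path)
    foreach ($p in $Path) {
        # Get-Acl works for both file-system paths and HKLM:\ registry paths.
        $acl = Get-Acl -LiteralPath $p -ErrorAction SilentlyContinue
        if (-not $acl) { Write-Warning "$p not readable"; continue }
        $admin = $acl.Access | Where-Object {
            $_.IdentityReference -like '*\Administrators' -and $_.AccessControlType -eq 'Allow'
        }
        [pscustomobject]@{
            Path       = $p
            Owner      = $acl.Owner
            AdminAllow = [bool]$admin
            Principals = ($acl.Access.IdentityReference.Value | Sort-Object -Unique) -join ', '
        }
    }
}

# Paths copied from the scan log; $env:USERPROFILE stands in for C:\Users\Matt.
Get-AdsReport -Path @(
    "$env:USERPROFILE\AppData\Local",
    "$env:USERPROFILE\AppData\Local\3xAHBiaTTG",
    "$env:ProgramData\Microsoft",
    "$env:ProgramData\Microsoft\YfPUvE4qBtufJQ"
) | Format-Table -AutoSize

# Cygwin writes POSIX-style permissions into the NTFS ACLs of files it
# creates, which is one benign reason Administrators can be absent there.
# The two registry keys are the ones worth comparing with a known-clean PC.
Test-AdminInAcl -Path @(
    'C:\cygwin64\etc\inittab',
    'C:\cygwin64\home\Matt\.bash_history',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Applets\SysTray\BattMeter\Flyout',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc'
) | Format-Table -AutoSize
```

The stream names are read live rather than copied from the log, so the report also picks up streams the scan did not print. RootAlyzer reports a stream because it is unknown, not because it is malicious; the size and the first bytes are what tell those apart.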

tashi
2014-10-06, 07:17
Hello matthewjumpsoffbuilding,

In general, items found by RootAlyzer are not necessarily malicious; it shows items it believes to be out of the ordinary, which may give a hint of an infection.

Sometimes even legitimate software uses rootkit technologies. How is the computer running, was there a particular reason for running the scan? :)

Best regards.

matthewjumpsoffbuilding
2014-10-06, 22:41
It hasn't been running particularly badly.

The main reason for the scan was Clamwin's memory scan reported something while I was running Chrome:

C:\Program Files (x86)\Google\Chrome\Application\37.0.2062.124\chrome.dll: W32.Virut.Gen.D-148 FOUND

tashi
2014-10-06, 22:51
Hello matthewjumpsoffbuilding,

The main reason for the scan was Clamwin's memory scan reported something while I was running Chrome:

C:\Program Files (x86)\Google\Chrome\Application\37.0.2062.124\chrome.dll: W32.Virut.Gen.D-148 FOUND

Possibly a false positive; however, it might be best for someone to take a look at the system. Please see the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) sticky, which includes guidelines and instructions in post #2 on how to provide the logs from Farbar Recovery Scan Tool and aswMBR, which are the logs used in the preliminary analysis.

http://forums.spybot.info/showthread.php?t=288

Then start a new topic in that forum providing the logs so a volunteer analyst can guide you, also provide a link back to this thread please.

Best regards.

matthewjumpsoffbuilding
2014-10-06, 22:59
I will check that out, thanks.

Some more info.

I browsed to the location and found there were two versions of Chrome: C:\Program Files (x86)\Google\Chrome\Application\37.0.2062.124 and C:\Program Files (x86)\Google\Chrome\Application\37.0.2062.120.

I scanned chrome.dll in 37.0.2062.120 with Clamwin, Windows Security Essentials, MalwareBytes AntiMalware, and they all returned clean.

I scanned chrome.dll in 37.0.2062.124 with the same tools, and all but Clamwin returned clean.

I then uninstalled Chrome completely, and reinstalled it fresh and rescanned chrome.dll in the 37.0.2062.124 folder (now the only folder in there), and Clamwin still reported the same virus.

Does that make it more likely a false positive?

tashi
2014-10-06, 23:08
Hi matthewjumpsoffbuilding,

Does that make it more likely a false positive?

Could be but Virut is nasty. :bomb:

I see you reported it at the Clamwin forums: http://forums.clamwin.com/search.php?search_author=matthewjumpsoffbuildings

matthewjumpsoffbuilding
2014-10-06, 23:16
I downloaded Farbar and scanned it with Clamwin, and got

"C:\Users\Matt\Desktop\FRST64.exe: Win.Trojan.Expone FOUND"
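
Both detections in this thread, the chrome.dll hit and the FRST64.exe hit, can be checked the same way. Virut is a file infector: it patches PE files on disk, and that patch invalidates any Authenticode signature the file carried. Google signs chrome.dll, so a signature that still verifies on the file Clamwin flags is strong evidence the file is the one Google shipped and the detection is a false positive; HashMismatch means the bytes changed after signing, which is what an infector leaves behind. The following is an added example, not code from the original post and not from Google, ClamWin or Farbar; it assumes PowerShell 7 on the same machine, the version folders named in the post, and $env:USERPROFILE in place of C:\Users\Matt. Whether FRST64.exe is signed at all is not something the thread establishes; the report shows the status either way.

```powershell
# Added example, not from the original post or from Google/ClamWin/Farbar.
# Reports size, SHA-256 and Authenticode status for each file so the copy
# Clamwin flags can be compared with the other version folder, with a fresh
# download, and with a known-clean machine.
function Get-SignatureReport {
    param([string[]]$Path)
    foreach ($f in $Path) {
        if (-not (Test-Path -LiteralPath $f -PathType Leaf)) { Write-Warning "$f not present"; continue }
        $sig = Get-AuthenticodeSignature -LiteralPath $f
        [pscustomobject]@{
            File      = $f
            SizeBytes = (Get-Item -LiteralPath $f).Length
            SHA256    = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
            # Valid: unchanged since signed. HashMismatch: modified after
            # signing (what a file infector does). NotSigned: proves nothing.
            Status    = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Timestamp = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { '' }
        }
    }
}

# 32-bit Chrome as in the post; the 64-bit build installs under $env:ProgramFiles instead.
$chromeRoot = "${env:ProgramFiles(x86)}\Google\Chrome\Application"
$chromeDlls = Get-ChildItem -LiteralPath $chromeRoot -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^\d+(\.\d+){3}$' } |      # 37.0.2062.124, 37.0.2062.120, ...
    ForEach-Object { Join-Path $_.FullName 'chrome.dll' }

Get-SignatureReport -Path (@($chromeDlls) + "$env:USERPROFILE\Desktop\FRST64.exe") | Format-List
```

A clean reinstall that still triggers the same detection, as described above, is consistent with a signature false positive only if the reinstalled chrome.dll also verifies as Valid; if it comes back HashMismatch after a fresh install, something on the machine is modifying files after they are written, and that is the case for the malware forum rather than for Clamwin support.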

matthewjumpsoffbuilding
2014-10-06, 23:31
I uninstalled Chrome and installed the 64 bit version, in offline mode. Now Clamwin isn't reporting anything?

tashi
2014-10-06, 23:59
Hello matthewjumpsoffbuilding,

I uninstalled Chrome and installed the 64 bit version, in offline mode. Now Clamwin isn't reporting anything?

Clamwin would need to help you with any questions regarding their software at their site. :)

You could either wait for Clamwin to respond to your topic over there or do as I suggested here in post #4 above.

"Please see the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) sticky, which includes guidelines and instructions in post #2 on how to provide the logs from Farbar Recovery Scan Tool and aswMBR, which are the logs used in the preliminary analysis.

http://forums.spybot.info/showthread.php?t=288

Then start a new topic in that forum providing the logs so a volunteer analyst can guide you, also provide a link back to this thread please."

Best regards.

tashi
2014-10-07, 17:31
Hello matthewjumpsoffbuilding,

I see you posted in your topic (http://forums.clamwin.com/search.php?search_author=matthewjumpsoffbuildings) at the Clamwin forums.

"Farbar was recommended to me by "tashi", an employee on the spybot S&D forums."

To clarify, what I actually did say was,

"Please see the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) sticky, which includes guidelines and instructions in post #2 on how to provide the logs from Farbar Recovery Scan Tool and aswMBR, which are the logs used in the preliminary analysis.

http://forums.spybot.info/showthread.php?t=288

Then start a new topic in that forum providing the logs so a volunteer analyst can guide you, also provide a link back to this thread please."

That information was given so a volunteer analyst could provide their advice if you started a topic in the malware forum; not to use the tools without supervision or invite negativity. :eek:

Hopefully you resolve your issue with the detections made by Clamwin.

Best regards. :greeting:

matthewjumpsoffbuilding
2014-10-07, 18:46
I appreciate that Farbar was recommended as part of your process, but the Clamwin support asked me who told me to install Farbar, and it made sense to mention this conversation.

As I mentioned, I hesitate to install Farbar since Clamwin is reporting a virus in the Farbar install file.