[clamav-users] How to clean infection by Docx.Exploit.CVE_2015_1770
Al Varnell
alvarnell at mac.com
Thu Jul 23 18:27:11 UTC 2015
I know there are often issues when trying to scan a Windows partition from OS X, so that may be part of your problem.
I always recommend my OS X users who run a Windows partition to scan it with ClamWin, which is a Windows GUI application for ClamAV.
<www.clamwin.com>.
-Al
On Thu, Jul 23, 2015 at 11:15 AM, JD Ackle wrote:
>
> On Wed, 7/22/15, G.W. Haywood <clamav at jubileegroup.co.uk> wrote:
>
> Subject: Re: [clamav-users] How to clean infection by Docx.Exploit.CVE_2015_1770
> To: clamav-users at lists.clamav.net
> Date: Wednesday, July 22, 2015, 5:45 PM
>
> Hi there,
>
> On Wed, 22 Jul 2015, JD Ackle wrote:
>
>> I would like to know how I can remove Docx.Exploit.CVE_2015_1770
>> from Windows/System32/config/SOFTWARE
>
> As others have said, you might have found a false positive. You need to
> find out if that is the case or not before you do anything else.
>
> If it is not a false positive but a real infection, then the ClamAV
> users' mailing list cannot really help you with your question.
>
> ClamAV tells you if it thinks that it has found something. It is up to
> you to decide what to do about it. You *can* choose to delete files if
> they are flagged by ClamAV, but in general that is not recommended; and
> as /Windows/System32/config/SOFTWARE is one of Windows' registry files,
> it will certainly damage your Windows installation if you delete it.
>
> There are many Internet help sites and similar which can help you with
> your question.
>
> Reading the rest of your message tells me that you need something. :)
> For self-help I personally recommend MalwareBytes Anti-Malware (MBAM).
> If you download it, be careful where you get it from. Some Websites
> have been seen to include malicious software with the download.
>
>
> Thank you for your advice, GW.
>
> I tried MBAM and it reported NO infections. However, the first run did crash the program, so I then used another tool provided by MBAM that stated that sometimes the main program may be prevented from running by viruses and that's what the other tool was meant to solve - it did run alright and reported no threats but...
>
> I then had Norton doing a scan and it found some tracking cookies in Firefox which is a tad odd on two accounts: 1) Norton had never complained about these before (but it might just be a new setting included with later updates...?) and 2) I have Firefox configured to "Keep cookies until I close Firefox" (which doesn't necessarily mean they are removed from the hard disk, maybe they'll just no longer be used again by Firefox after the program quits...?).
>
> Finally, I thought I might as well install the latest security update from Microsoft (which I was postponing for a couple days to have it installed on a clean(er) system).
>
> And then... the latest results from ClamAV run from Linux:
> - "/Windows/System32/config/" (where the previously infected "SOFTWARE" file's located) is now CLEAN!
> - "/pagefile.sys" however is now clean of "Docx.Exploit.CVE_2015_1770" but is reportedly infected by "Exploit.Countdown" on every Remove-said-file-from-within-Linux->Reboot_to_Windows->Reboot-to-Linux-and-run-ClamAV-again. I had actually forgotten about this report when I told the "full story" earlier. This positive was detected at the time I had the Tenga virus and it was after removing the Tenga virus that the Docx.Exploit.CVE_2015_1770 started being detected.
>
> I am currently doing a new full ClamAV scan of my Windows partition to try and check if something new comes up. Thus far only pagefile.sys was reported with said "Exploit.Countdown" and ... a few warning messages that don't reference any particular file have come up as well:
> "LibClamAV Warning: cli_scanicon: found 1 invalid icon entries of 1 total" (eight times thus far on the current scan, all of them before the pagefile.sys detection)
> I have no idea what that means but I've noticed it happens every time I run a scan on a Windows folder (i.e. on more than one file at a time) and never when scanning a Linux folder.
>
> Just telling all this on this list because I'm not that sure these are false positives at the moment - hence no point in submitting anything to that list...
> I will look for help elsewhere, probably will start off at Microsoft Answers. If something comes up which I think might be relevant to ClamAV, I'll reply back on this thread.
>
> Thanks to all that replied.
> J.D. Ackle
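The thread's practical lesson is that a clamscan hit is a prompt to verify, not a command to delete, and that the location of the hit matters: a registry hive under Windows/System32/config must never be removed, and swap or hibernation files like pagefile.sys are rewritten on every boot, so a detection there says little on its own. The following triage helper is an added example, not code from the thread or from the ClamAV project; it parses the standard clamscan report format ("<path>: <signature> FOUND" plus "LibClamAV Warning:" lines) and classifies each hit by location so the operator sees the appropriate next step. The mount point /mnt/win and the sample scan output are constructed for the example.

```python
import re
from pathlib import PurePosixPath

# clamscan prints one line per detection: "<path>: <signature> FOUND"
HIT_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")
# Engine diagnostics look like "LibClamAV Warning: <message>"
WARN_RE = re.compile(r"^LibClamAV Warning: (?P<msg>.*)$")

# Windows registry hive files live under <root>/Windows/System32/config/
REGISTRY_HIVES = {"SOFTWARE", "SYSTEM", "SAM", "SECURITY", "DEFAULT"}
# Swap/hibernation files are rewritten by Windows on each boot and may hold
# fragments of anything that was ever in memory
VOLATILE_FILES = {"pagefile.sys", "hiberfil.sys", "swapfile.sys"}

ADVICE = {
    "registry-hive": ("never delete: removing a registry hive breaks the Windows "
                      "installation; confirm with a second scanner and report a "
                      "possible false positive to the ClamAV team"),
    "volatile": ("not proof of a persistent infection: swap/hibernation content is "
                 "rewritten each boot; rescan after a clean boot and review the "
                 "rest of the system"),
    "file": ("verify with a second opinion before quarantining; keep a copy of "
             "the file for analysis"),
}


def classify(path: str) -> str:
    """Return 'registry-hive', 'volatile' or 'file' for a scanned path."""
    p = PurePosixPath(path)
    parts = [part.lower() for part in p.parts]
    if p.name.lower() in VOLATILE_FILES:
        return "volatile"
    if p.name.upper() in REGISTRY_HIVES and "system32" in parts and "config" in parts:
        return "registry-hive"
    return "file"


def triage(scan_output: str) -> dict:
    """Parse clamscan output into classified hits and engine warnings.

    Nothing is deleted or moved here; the output is a checklist for a human.
    """
    hits, warnings = [], []
    for raw in scan_output.splitlines():
        line = raw.strip()
        hit = HIT_RE.match(line)
        if hit:
            kind = classify(hit["path"])
            hits.append({"path": hit["path"], "signature": hit["sig"],
                         "kind": kind, "advice": ADVICE[kind]})
            continue
        warn = WARN_RE.match(line)
        if warn:
            warnings.append(warn["msg"])
    return {"hits": hits, "warnings": warnings}


# Constructed sample output, modelled on the reports in the thread (the
# partition is assumed to be mounted at /mnt/win on the Linux side).
SAMPLE_OUTPUT = """\
LibClamAV Warning: cli_scanicon: found 1 invalid icon entries of 1 total
/mnt/win/Windows/System32/config/SOFTWARE: Docx.Exploit.CVE_2015_1770 FOUND
/mnt/win/pagefile.sys: Exploit.Countdown FOUND
/mnt/win/Users/jd/report.docx: OK

----------- SCAN SUMMARY -----------
Infected files: 2
"""

if __name__ == "__main__":
    result = triage(SAMPLE_OUTPUT)
    for h in result["hits"]:
        print(f"{h['kind']:14} {h['signature']:28} {h['path']}\n    -> {h['advice']}")
    print(f"{len(result['warnings'])} engine warning(s) (not tied to a file)")
```

Feed it the saved output of a read-only scan (`clamscan -r /mnt/win > scan.log`, without `--remove`) and it separates the hits that need a false-positive check from the ones where the file must stay in place regardless of what the signature says.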