  #42  
November 20th 19, 06:47 PM posted to alt.comp.os.windows-10,uk.comp.sys.mac
Paul[_32_]
Default Malware! (Was - Apple SuperDrive (Was - Win10 boot problems swappingHDDs))

David wrote:
On 20/11/2019 15:49, Paul wrote:
David wrote:


I used the Clamav facility within Knoppix on my laptop to scan my 'My
Book' - here's a photo I took nearing the end of the scan (it took
many hours!)
https://i.postimg.cc/sxQ4Ms2v/B5-C2-...95292-EFCA.jpg


Sadly, I could find no easy way to 'copy' the results of that scan. :-(


You can use the command line. The stdout option sends output to
the screen, and the tee command keeps a copy in result.txt .
The detect-pua, I added that so you could reproduce your
table of detections (as they're likely pua and not virii).
PUA is Potentially Unwanted Application.

https://i.postimg.cc/nrbxmTgS/clam.gif

cd /media/somewhere
clamscan --detect-pua --stdout -r . | tee result.txt

The program runs on one core, and is relatively slow.

And something like "sudo freshclam" will update the
database before you do a run.

I put a copy of EICAR in the test folder, and it found it.

./eicar: Eicar-Test-Signature FOUND

To give you some idea how stupid ClamAV is, I wrote a program
in C for my own usage, and it "found a virus in it". Ha! I
didn't know I was talented enough for that. It slices, it
dices, and makes Julienne fries.

But, it's a hobby, right ?

In the Terminal, you can type

apropos clam

and some of the clam executables will be listed.



Ah! Thank you for the explanation, Paul.

Would there be any benefit to others if I could show you more accurate
results of my scan? I suspect not, but I'll do it if it would assist in
any way. Please advise. TIA.

David


OK, I re-ran it, with detect-PUA turned on, and it found this.
When I run it on Virustotal ? Nothing. Clean. So this
is a false positive.

../audacity-win-2.1.0.exe: PUA.Win.Malware.Speedingupmypc-6718419-0 FOUND

*******

A program from Microsoft ? Actually... clean.

../Autoruns.zip: PUA.Win.Downloader.Aiis-6803892-0 FOUND
../Autoruns64.exe: PUA.Win.Downloader.Aiis-6803892-0 FOUND

Autoruns works to change registry entries, as one of its jobs.

*******

A program downloaded from the driver page at AMD ?

radeon-crimson-16.3.2-minimalsetup_web.exe: PUA.Win.Trojan.Generic-6629273-0 FOUND

Virustotal has two of its lesser lights report a problem,
while all the others say it is clean. Riskware isn't exactly
a strong signal either. It's the equivalent of "...be careful".

K7AntiVirus Riskware ( 0040eff71 )
K7GW Riskware ( 0040eff71 )

*******

qphotorec_win.exe: PUA.Win.Packer.Upx-49 FOUND === a packer (compresses the executable)
is not malware. Some AV products don't have the UPX unpacker for this.
A "weak as ****" kind of warning. Even I have a UPX unpacker :-)
*******

My homegrown program, compiled with MinGW ? Ha!
There's no network code in here. There are fopen()
calls and a few fwrite() calls, then fclose().

makefiles3.exe: PUA.Win.Downloader.Driverpack-6717506-0 FOUND

*******

The scan was small. The reason there are so many detections
is because the PUA detection was turned on. This drops to
1 detected, when just virus signatures are checked, and that's
because I put the EICAR test file into the directory on purpose,
so I would have at least one detection.

Scanned files: 704
Infected files: 84 === Big big Ha! (Drops to 1 with PUA detection switched off)

You should use some other materials for doing scans,
beside Clam. Clam is doing its best impression of
"scareware". The only thing missing, is the background
on my screen didn't turn red in embarrassment.

Paul
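The procedure Paul describes (scan with --detect-pua, keep a copy with tee, plant an EICAR file so there is at least one real hit, then check the hits against VirusTotal) as a small shell script. This is an added example, not code from the post: it assumes clamscan and freshclam as shipped with Knoppix, skips the scan step when clamscan is absent, and instead triages a constructed sample log modelled on the output quoted above (the file names are hypothetical). It separates the PUA.* hits, which only appear because --detect-pua is on, from the plain signature hits, and computes a SHA-256 to paste into VirusTotal's search box rather than uploading the file.

```shell
#!/bin/sh
# Added example (not from the original post): run clamscan the way Paul does,
# keep the log, and triage it so the "Infected files" figure can be split into
# PUA noise and real signature hits. Assumes clamscan/freshclam are installed
# as on Knoppix; when they are not, the triage functions are exercised on a
# constructed sample log instead.

# Run the scan exactly as in the post, keeping a copy of the output.
# Usage: run_scan /media/somewhere result.txt
# (update the database first with "sudo freshclam", as the post says)
run_scan() {
    command -v clamscan >/dev/null 2>&1 || { echo "clamscan not installed" >&2; return 1; }
    (cd "$1" && clamscan --detect-pua --stdout -r . | tee "$2")
}

# Count detections in a saved log: all of them, only PUA.* ones, or only
# non-PUA ones. clamscan prints one "<path>: <signature> FOUND" line per hit.
# Usage: count_found result.txt [all|pua|nonpua]
count_found() {
    all=$(grep -c ' FOUND$' "$1" || true)           # grep -c exits 1 on zero matches
    pua=$(grep -c ': PUA\..* FOUND$' "$1" || true)
    case "${2:-all}" in
        all)    echo "$all" ;;
        pua)    echo "$pua" ;;
        nonpua) echo $((all - pua)) ;;
        *)      echo "usage: count_found FILE [all|pua|nonpua]" >&2; return 1 ;;
    esac
}

# Print only the detections that are NOT PUA: the ones worth a second look.
list_nonpua() {
    grep ' FOUND$' "$1" | grep -v ': PUA\.' || true
}

# Write the 68-byte EICAR test file so a scan has at least one real hit.
# printf '%s' writes the string verbatim, with no trailing newline.
write_eicar() {
    printf '%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > "$1"
}

# SHA-256 of a flagged file, to look up on VirusTotal without uploading it.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Constructed sample log modelled on the output quoted in the post
# (hypothetical file names), used when clamscan is unavailable.
write_sample_log() {
    cat > "$1" <<'EOF'
./eicar: Eicar-Test-Signature FOUND
./Autoruns64.exe: PUA.Win.Downloader.Aiis-6803892-0 FOUND
./qphotorec_win.exe: PUA.Win.Packer.Upx-49 FOUND
./makefiles3.exe: PUA.Win.Downloader.Driverpack-6717506-0 FOUND
./notes.txt: OK

----------- SCAN SUMMARY -----------
Scanned files: 5
Infected files: 4
EOF
}

# Triage a log: show how much of the "Infected files" figure is PUA noise.
summarize() {
    printf 'total FOUND: %s  PUA: %s  non-PUA: %s\n' \
        "$(count_found "$1" all)" "$(count_found "$1" pua)" "$(count_found "$1" nonpua)"
    echo "non-PUA detections:"
    list_nonpua "$1"
}

# Usage: sh clamtriage.sh /media/somewhere   -> scans that tree and summarizes.
# With no argument, summarizes the constructed sample log instead.
if [ "$#" -ge 1 ]; then
    run_scan "$1" result.txt && summarize result.txt
else
    samplelog=$(mktemp)
    write_sample_log "$samplelog"
    summarize "$samplelog"
    rm -f "$samplelog"
fi
```

On the sample log the script reports four hits, three of which are PUA.* and one of which is the planted EICAR file, which is the same 84-versus-1 effect Paul saw: a PUA.Win.Packer.* hit only says the binary is packed, so the non-PUA list (or a VirusTotal majority) is what deserves a reaction.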