Topic: False Positive? Win32:Winspy-CK

Ionna

  • Guest
False Positive? Win32:Winspy-CK
« on: April 29, 2008, 05:28:23 AM »
Hi all

With regard to the above, I used avast to scan Windows yesterday after installing and running Ubuntu Hardy Heron (I switched back to Windows before I slept) and I was informed by avast that I had a malware running, Win32:Winspy-CK [trj], which is attached to Ubuntu's swap disk. Tried looking for relevant files and scanned my comp with Spybot, Ad Aware, AVG and Avast, and only avast picked up the malware at that location. I've been informed by the Ubuntu forumers that it's probably a false positive as Windows can't read Linux files, but I'd still like confirmation if possible.

What can I do to make sure that it's NOT malware hiding on my system?

Offline DavidR

Re: False Positive? Win32:Winspy-CK
« Reply #1 on: April 29, 2008, 02:41:33 PM »
What is the infected file name, and where was it found, e.g. (C:\windows\system32\infected-file-name.xxx, etc.)?

Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections.

Normally I would say to use VirusTotal or Jotti to scan the suspect file, but being a swap disk it is likely to exceed the max upload file size of 10MB. Also that would preclude sending the sample to avast as it would probably exceed the email attachment size of some ISPs, etc.

You could, however, send an email to virus@avast.com, giving a brief outline of the problem; a link to this topic might help, and put false positive/undetected malware in the subject. They may be unable to do anything about it without a sample but may be able to advise a course of action.

The Windows swapfile.sys is normally excluded from scans because a) it is very large and b) it is constantly changing, so it is possible that this volatility could replicate a signature contained in the avast VPS.

You could then possibly exclude this file from scans, giving the full path and file name; add it to the exclusions lists:
Standard Shield, Customize, Advanced, Add and
Program Settings, Exclusions.

This may possibly be the only advice they might be able to give, being without a sample.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security