ClamWin Free Antivirus
Support and Discussion Forums
Virus: Joke.Flipped; Trojan.Clicker.Bomka-13 and other...
Lela68


Joined: 08 Feb 2006
Posts: 9
Help!!! I'm desperate...
Every time I scan, ClamWin finds the following (it has been happening for one month, more or less...):
C:\System Volume Information\_restore4C4F1E11-5726-40D7-A837-1FCFC6669404\RP297\A0051292.exe: Joke.Flipped-2 FOUND
C:\System Volume Information\_restore4C4F1E11-5726-40D7-A837-1FCFC6669404\RP297\A0051293.exe: Dialer-488 FOUND
C:\System Volume Information\_restore4C4F1E11-5726-40D7-A837-1FCFC6669404\RP297\A0051294.exe: Dialer-221 FOUND
C:\System Volume Information\_restore4C4F1E11-5726-40D7-A837-1FCFC6669404\RP297\A0051295.exe: Joke.Flipped-2 FOUND
C:\System Volume Information\_restore4C4F1E11-5726-40D7-A837-1FCFC6669404\RP297\A0051296.exe: Trojan.Clicker.Bomka-13 FOUND
Before today, I always gave instructions to move the files to quarantine folders and then I deleted them. But... every day ClamWin scanned again, it found them again... I suppose these viruses recreated themselves... Today I gave the instruction of "deleting them directly without passing through the quarantine" but... I'm afraid this would not solve the problem. Ah, with the awful Windows XP I'm using on this laptop, I cannot even find the folder "System Volume Information" (I'm missing the old Windows 98 where you can find everything everywhere!!! Even for a person who is not a technician, as unluckily I am) in order to see if I can find out the origin of the virus...
I use this PC for my job and I'm really desperate... On Sunday (I wasn't connected) many mails left my account for some clients' destinations and it also automatically created an Italian text inviting people to open the funny joke!... The zipped file sent was named "passatempo.zip" and it contained the file "darts-freccette.exe".
Pleaseeeeeeeeeee, I have no idea how to escape from this problem without losing days of work...
Thanks to anyone who could help me!!! PS Sorry for my English but I'm really nervous ... now I'm a nervous Italian speaking horrible English...
Emanuela
alch
Site Admin

Joined: 27 Nov 2005
Posts: 1751
Hi,

Don't despair. Firstly, set ClamWin back to quarantine or report, as deleting can leave your PC inoperable.

Get to "System Volume Information" using this article
http://support.microsoft.com/default.aspx/kb/309531?
then grab those 5 exe files and scan them online with different AV products here:
http://www.virustotal.com

If Virustotal confirms they are viruses, then let me know here and we will try to remove them from your computer.


Alch
Lela68


Joined: 08 Feb 2006
Posts: 9
Thank you very very much!!!

I'll try everything and I'll report!
Lela68


Joined: 08 Feb 2006
Posts: 9
Hi, here I am again! First of all, I confirm that I solved the problem!!!! THANKS THANKS THANKS!!!

Secondly, I'm sorry that I couldn't check my 5 viruses on VirusTotal because (as I explained to you before) this time I had already given the instruction to "delete" the infected files (before writing to you; now I have "move to quarantine folder..") and - thanks to a friend of mine who in the meantime suggested it to me - I "switched off" (just for a while) the "restore instructions of Windows XP" so... now nothing more has been created... It's very complicated for me to explain it in English but I hope you understand what I mean...

That's all for now, but THANK YOU AGAIN, you have no idea how much you helped me!!!
Emanuela
alch
Site Admin

Joined: 27 Nov 2005
Posts: 1751
I am afraid it may be too early to celebrate yet. If the same files were quarantined from System Restore a number of times, it means they were copied there from somewhere and ClamWin could not read them to detect.

Can you do a scan of C:\Windows and paste the scan log - I am interested to see what errors ClamWin will report (it will report an error if it can't open a file).

Thanks
Lela68


Joined: 08 Feb 2006
Posts: 9
Hi! This morning I immediately did a scan (but I was almost sure it was OK because, even if I didn't write it, I repeated the procedure many times in order to be surer it was OK). I copy hereinafter the detailed report:

--------------------------------------
Scan started: Thu Feb 9 09:15:15 2006

ERROR: Can't open file C:\WINDOWS\system32\config\system.LOG
ERROR: Can't open file C:\WINDOWS\system32\config\software.LOG
ERROR: Can't open file C:\WINDOWS\system32\config\default.LOG
ERROR: Can't open file C:\WINDOWS\system32\config\SAM.LOG
ERROR: Can't open file C:\WINDOWS\system32\config\SECURITY.LOG
ERROR: Can't open file C:\WINDOWS\SoftwareDistribution\EventCache\F8F2A0D6-77C8-452B-AD2D-1DE4F3DCCF7F.bin
ERROR: Can't open file C:\Documents and Settings\NetworkService\NTUSER.DAT
ERROR: Can't open file C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat
ERROR: Can't open file C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG
ERROR: Can't open file C:\Documents and Settings\NetworkService\ntuser.dat.LOG
ERROR: Can't open file C:\Documents and Settings\LocalService\NTUSER.DAT
ERROR: Can't open file C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat
ERROR: Can't open file C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG
ERROR: Can't open file C:\Documents and Settings\LocalService\ntuser.dat.LOG
ERROR: Can't open file C:\Documents and Settings\Emanuela\NTUSER.DAT
ERROR: Can't open file C:\Documents and Settings\Emanuela\ntuser.dat.LOG
ERROR: Can't open file C:\Documents and Settings\Emanuela\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG
ERROR: Can't open file C:\Documents and Settings\Emanuela\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat

-- summary --
Known viruses: 44053
Engine version: 0.88
Scanned directories: 4091
Scanned files: 43986
Infected files: 0

Data scanned: 9339.57 MB
Time: 4984.162 sec (83 m 4 s)
-------------------
Completed
__________________________________________________________-

Here I am again. It seems perfect, doesn't it?...

I hope so...
alch
Site Admin

Joined: 27 Nov 2005
Posts: 1751
Quote:
Here I am again. It seems perfect, doesn't it?...

It does look good; all those errors are normal and do not come from a virus.
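One way to triage a ClamWin scan log along the lines discussed in this thread (an added example, not code from the forum posts or from the ClamWin project): it separates detections inside System Restore points from detections elsewhere, and open errors on files Windows normally holds locked from any other unreadable file. The sample log is constructed, and the locked-file patterns are an assumption based on the error lines posted above.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the format of the scan reports in this thread.
SAMPLE_LOG = r"""
Scan started: Thu Feb 9 09:15:15 2006

C:\System Volume Information\_restoreEXAMPLE-GUID\RP1\A0000001.exe: Example.Signature-1 FOUND
C:\Documents and Settings\User\Desktop\sample.exe: Example.Signature-2 FOUND
ERROR: Can't open file C:\WINDOWS\system32\config\system.LOG
ERROR: Can't open file C:\Documents and Settings\User\NTUSER.DAT
ERROR: Can't open file C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
ERROR: Can't open file C:\WINDOWS\system32\drivers\unknown.sys

-- summary --
Infected files: 2
"""

FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")
ERROR_RE = re.compile(r"^ERROR: Can't open file (?P<path>.+)$")
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore[^\\]*\\RP\d+\\", re.I)
# Assumption: files Windows keeps exclusively open while running (registry hives
# and their logs, Windows Update event cache), as seen in the thread's log.
LOCKED_RE = re.compile(
    r"\\system32\\config\\[^\\]+$|\\(ntuser|usrclass)\.dat(\.log)?$"
    r"|\\SoftwareDistribution\\EventCache\\[^\\]+\.bin$", re.I)

def triage(log_text):
    """Sort scan-log lines into buckets a responder would act on differently."""
    out = defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        if m := FOUND_RE.match(line):
            bucket = "restore_point_hit" if RESTORE_RE.search(m["path"]) else "live_hit"
            out[bucket].append((m["path"], m["sig"]))
        elif m := ERROR_RE.match(line):
            bucket = "expected_locked" if LOCKED_RE.search(m["path"]) else "unexpected_unreadable"
            out[bucket].append(m["path"])
    return dict(out)

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(f"{bucket}: {len(items)}")
        for item in items:
            print("   ", item)
```

Entries in `unexpected_unreadable` are the ones worth a second look, since a file the scanner could not open was not checked at all.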
Worm found: need help
PeterVan


Joined: 11 Feb 2006
Posts: 0
Hello,
I am asking for help on what to do.
I got a report from ClamWin, in restore etc., that a worm was found: Worm of Mytob of Gen-6
C:\System Volume Information\_restore0CB41C48-B31D-41B1-8349-B293FC560F16\RP265\A0026066.exe: Worm.Mytob.Gen-6 FOUND

What can I do? Please be very precise in your advice.
Thanks.

Oh yes, I tried a login name like "A b?r". It was accepted by the registration, but not by the login.
I had to change my name to "PeterVan".
PeterVan
alch
Site Admin

Joined: 27 Nov 2005
Posts: 1751
Follow the instructions from above
Quote:

Get to "System Volume Information" using this article
http://support.microsoft.com/default.aspx/kb/309531?


to get into "System Volume Information" and remove the reported file.