 |
 | Virus found... Should I try to remove it or just reformat? |  |
|
Shmithers
|
|
Hey everyone, I've been using clamwin for the past year and a bit. I just registered here because My usual method for dealing with viruses (reformat) takes a while and I am hoping some people can help me actually remove the virus this time. I don't know if I should be asking for Virus help here, correct me if I made a mistake.
I made a mistake and installed a Trojan into my system. My Clamwin hasn't competed it's scan of my computer yet, but it shows the original file, C:\WINDOWS\system\Reg.exe and SysWOW64\service.exe as being infected. I'd hate to have to reformat again, but if I have to I will. A bit more info: Virus name:Trojan.Mybot-10213 My OS: Version 5.2 (XP Professional x64 Edition) Service Pack 2) So far there has been no symptoms, so I have been wondering if this is a false positive or not... Thank you very much, Nathan |
|||||||||||
|
|||||||||||||
 |
| |
|
Theoracle117
|
|
why reformat when you an just repair your system? first quarantine the virus, then upload the file to virustotal.com to verify if it is a virus. If it is, just delete it. if your system is damaged, hit run and type in
sfc /scannow that will initiate windows to repair itself. people don't know about this much surprisingly. *there is a space between sfc and /scannow |
|||||||||||
|
|||||||||||||
|
| |
|
Shmithers
|
|
Sorry for being amateur, but how would you recommend quarantining the virus?
EDIT: I think I must have mis-understood you, by quarantine the virus do you mean to find the source file? EDIT2: I have ran the file through VirusTotal and here is what it comes up with: http://www.virustotal.com/analisis/d91392e9073749094d9257bb746fa8e7 Here is the virus report out of clamwin: Scan Started Sun Oct 05 10:22:02 2008 ------------------------------------------------------------------------------- WARNING: Can't access file A:\ C:\Documents and Settings\nspratt-dsa.DSPRATT-ASSOCIA\Application Data\Mozilla\Firefox\Profiles\t3klwa6z.default\places.sqlite-journal: Permission denied C:\WINDOWS\SoftwareDistribution\EventCache\52C4E885-185A-47D0-A94E-0944A0C007CC.bin: Permission denied C:\WINDOWS\system32\config\default: Permission denied C:\WINDOWS\system32\config\SAM: Permission denied C:\WINDOWS\system32\config\SECURITY: Permission denied C:\WINDOWS\system32\config\software: Permission denied C:\WINDOWS\system32\config\system: Permission denied WARNING: Can't access file E:\ Scanning aborted... C:\Documents and Settings\nspratt-dsa.DSPRATT-ASSOCIA\Desktop\KeyGen.exe: Trojan.Mybot-10213 FOUND C:\WINDOWS\system\Reg.exe: Trojan.Mybot-10213 FOUND C:\WINDOWS\SysWOW64\service.exe: Trojan.Mybot-10213 FOUND ----------- SCAN SUMMARY ----------- Known viruses: 434265 Engine version: 0.94 Scanned directories: 12558 Scanned files: 117297 Infected files: 3 Data scanned: 191492.70 MB -------------------------------------- Cancelled -------------------------------------- |
|||||||||||
|
|||||||||||||
|
| u | |
|
GuitarBob
|
|
You don't need to reformat your computer every time you find a virus. Some viruses are worse than others. Also, the virus might not have been activated yet. Your antivirus scanner just looks for signature patterns that indicate a virus, and sometimes it can be wrong--they call that a false positive. Sometimes when you see the same virus in several different files, it can be an indication of a false positive.
First, you should verify that you really have a virus. To do that, upload a copy of the file containing the virus to either Jotti at http://virusscan.jotti.org/ on the web or to VirusTotal at http://www.virustotal.com/ on the web. Either service will scan files for free for you, using multiple antivirus programs, including Clam. If five or more antivirus programs find a file is infected, it probably is a real infection and not a false positive. In that case, you need to delete the infected file from your system and restore a backup if it was an important file to you. ClamWin's scan report will tell you the location of the infected file on your comptuer. With ClamWin's General preferences, you can configure ClamWin to Report Only, Quarantine, or Remove any infected file it finds. If you select Quarantine, ClamWin will move the infected file to its quarantine folder (see the location listed on the General preferences page). For most cases, the Quarantine option is ok, but I use Report only--because if it turns out to be a false positive, I won't have to worry about restoring it, and if you quarantine an important Windows file that is a false positive, you can lose access to your system--permanently. If the file is a false positive, tell Clam about it at http://cgi.clamav.net/sendvirus.cgi on the web. You will have to upload the file, indicate it is a false positive, give the name, and provide an explanation. Clam will change the signature to prevent any more false positives within a day or so. Go to the ClamWin Antimalware page for more help with malware. Regards, |
|||||||||||
|
|||||||||||||
|
| ! | |
|
Shmithers
|
|
This is why I always reformat when I get a virus: I looked up the file on VirusTotal. Confirm it is a virus 27/36 virus scanners say that it is a virus. I Follow Theoracle117's suggestion. Nothing changes. Still have virus. I try to do a repair on my computer. After doing a Re-install of windows the virus is still there! (Yes, I delited the original virus file) Unless I get a reply soon I'll be reformatting. It doesn't bother me to reformat though... I have all my data on the server, and only a few apps and drivers to re-install.
|
|||||||||||
|
|||||||||||||
|
| |
|
Theoracle117
|
|
Reinstall of windows and the virus is still there? THAT IS ONE SERIOUS VIRUS. If all else fails, use combofix.
EDIT: oh i know what you mean. repairing the system won't take care of the virus, just repairs the system files but the virus will reinfect them so you need to delete the virus first Combofix is sort of a last resort kind of thing. Don't mistake it. It IS an Antivirus. follow these instuctions carefully http://www.bleepingcomputer.com/combofix/how-to-use-combofix download link is somewhere on that page, but read everything. That is last resort. But first, you sound like you don't really know how to use clamwin's quarantine feature. Go to the preference tab, and click the checkbox that is next to move to quarantine folder. what will happen is, if it detects a virus, it will rename it and move it to the clamwin/data/quarantine. Renaming it prevents other viruses from activating it. Viruses cant trigger on their own. They need something to activate them. So after that, you can verify which files are the culprits and which ones are innocent. keep the logfile so you will know where to put each file back into its original folder. While it is in the quarantine folder, (in most antiviruses, I dont know about clam win) It is completely harmless. But since they are viruses, and i don't think you are going to analyze them, you should just delete them. hope this helps! unless you already formatted your computer. |
|||||||||||
|
|||||||||||||
|
 | Virus found... Should I try to remove it or just reformat? | |
|
||
|
|
|
Powered by phpBB © phpBB Group
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.