ClamWin cannot delete Copy of Desktop.ini
omarshehab


Joined: 08 Sep 2007
Posts: 6
Location: Dhaka
Here is the scan report:



Scan Started Fri Sep 07 19:46:54 2007
-------------------------------------------------------------------------------

G:\Copy of Desktop.ini: Worm.VB-354 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 149167
Engine version: 0.91.1
Scanned directories: 286
Scanned files: 2910
Skipped non-executable files: 1
Infected files: 1

Data scanned: 1486.76 MB
Time: 430.125 sec (7 m 10 s)
--------------------------------------
Completed
--------------------------------------
alch
Site Admin

Joined: 27 Nov 2005
Posts: 1751
From the report I guess ClamWin is configured to report only; you need to set it to quarantine.
omarshehab


Joined: 08 Sep 2007
Posts: 6
Location: Dhaka
My ClamWin is configured to Remove. Still it can't clean/delete the file. Thanks anyway for your reply.
GuitarBob


Joined: 09 Jul 2006
Posts: 4359
Location: USA
You might consider upgrading to the latest ClamWin version--0.91.2.

The desktop.ini file is used primarily to tell Windows how to display the contents of a folder (thumbnail view, etc.). I suggest you upload a copy of the file to Virustotal at http://www.virustotal.com/ so they can scan it for you with multiple AV programs there. If a couple of other AVs also spot malware in it, then it is probably a real infection. If Clam/ClamWin is the only AV that spots it, then it is probably a false positive, and you should upload a copy to Clam at http://cgi.clamav.net/sendvirus.cgi and tell them all about it, so they can update the signature database to eliminate the false positive.

Regardless, you can probably safely delete the file if it is not in the Windows directory or a subdirectory.

Regards,
Thanks
omarshehab


Joined: 08 Sep 2007
Posts: 6
Location: Dhaka
Thanks Bob for your informative reply.
omarshehab


Joined: 08 Sep 2007
Posts: 6
Location: Dhaka
I have upgraded my ClamWin with the latest version and checked to delete a file if a virus is found. Still it detects but can't delete the file. Here is the test report:



Scan Started Mon Sep 10 16:20:08 2007
-------------------------------------------------------------------------------

WARNING: \\?\F:\Copy of Desktop.ini: Can't remove

F:\Copy of Desktop.ini: Worm.VB-354 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 151998
Engine version: 0.91.2
Scanned directories: 286
Scanned files: 2911
Skipped non-executable files: 1
Infected files: 1

Not removed: 1
Data scanned: 1486.80 MB
Time: 720.078 sec (12 m 0 s)
--------------------------------------
Completed
--------------------------------------



I have tested the Copy of Desktop.ini file in VirusTotal. Here is the report:

Antivirus Version Last Update Result
AhnLab-V3 2007.9.8.0 2007.09.10 Win-Trojan/Xema.variant
AntiVir 7.6.0.5 2007.09.10 TR/Agent.FVL
Authentium 4.93.8 2007.09.09 W32/Downldr2.MNN
Avast 4.7.1043.0 2007.09.10 Win32:VB-JTP
AVG 7.5.0.485 2007.09.10 Generic5.IDH
BitDefender 7.2 2007.09.10 Trojan.Downloader.Vb.AZA
CAT-QuickHeal 9.00 2007.09.08 -
ClamAV 0.91.2 2007.09.10 Worm.VB-354
DrWeb 4.33 2007.09.10 -
eSafe 7.0.15.0 2007.09.04 -
eTrust-Vet 31.1.5119 2007.09.08 -
Ewido 4.0 2007.09.09 Downloader.VB.aza
FileAdvisor 1 2007.09.10 -
Fortinet 3.11.0.0 2007.09.10 VB.F
F-Prot 4.3.2.48 2007.09.09 W32/Downldr2.MNN
F-Secure 6.70.13030.0 2007.09.10 Trojan-Downloader.Win32.VB.aza
Ikarus T3.1.1.12 2007.09.10 Trojan-Downloader.Win32.VB.aza
Kaspersky 4.0.2.24 2007.09.10 Trojan-Downloader.Win32.VB.aza
McAfee 5115 2007.09.07 Generic VB.b
Microsoft 1.2803 2007.09.10 -
NOD32v2 2518 2007.09.10 probably unknown NewHeur_PE virus
Norman 5.80.02 2007.09.07 W32/AutoRun.AD
Panda 9.0.0.4 2007.09.09 Trj/Agent.FVL
Prevx1 V2 2007.09.10 -
Rising 19.40.02.00 2007.09.10 Trojan.DL.Win32.VB.aza
Sophos 4.21.0 2007.09.10 Mal/VB-F
Sunbelt 2.2.907.0 2007.09.07 -
Symantec 10 2007.09.10 W32.Mysamurai
TheHacker 6.1.10.183 2007.09.10 Trojan/Downloader.VB.aza
VBA32 3.12.2.4 2007.09.09 Trojan-Downloader.Win32.VB.aza
VirusBuster 4.3.26:9 2007.09.09 -
Webwasher-Gateway 6.0.1 2007.09.10 Trojan.Agent.FVL

I have already tried to upload the virus affected file on ClamWin's database. But they say it is already recognized.

Hope there will be a solution soon.

Thanks :(
alch
Site Admin

Joined: 27 Nov 2005
Posts: 1751
Do you have "unload infected programs from computer memory" selected as well?
omarshehab


Joined: 08 Sep 2007
Posts: 6
Location: Dhaka
Yes. :(

Shehab
budtse


Joined: 14 Jan 2006
Posts: 372
Location: Belgium
Have you tried to move or delete this file manually? It could be locked for some reason (although I think ClamWin would say "cannot remove...").
GuitarBob


Joined: 09 Jul 2006
Posts: 4359
Location: USA
So it's a real virus then on your F drive, which ClamWin is unable to remove. Do a search on the Web for the name of the virus and see what you can learn about it--that might help with removal. Can you manually delete it from your F drive? Does it come back after deletion?

If so, you might get into Windows Safe Mode (type F8 once a second or so when your computer boots up until it enters Safe Mode--let the junk scroll by on your screen until it says Safe Mode) and then run ClamWin. The scan will probably take longer than usual in Safe Mode, but see if that enables removal. If it doesn't, you might try a scan with a good antispyware program--some of them are pretty good at removing trojans. If that doesn't work, try an online scan with Trend Micro, NOD32, or Bitdefender. I would try them in that order.

If all that fails and you still have the virus critter, go to CastleCops at http://wiki.castlecops.com/Main_Page which has malware self-removal advice for you to try first. After that, you can also ask for help from one of their HiJack This experts if you still need it. It might take a day or so, but they are pretty good.

Regards,
omarshehab


Joined: 08 Sep 2007
Posts: 6
Location: Dhaka
Yes, I can delete the Copy of Desktop.ini file manually. I am now trying a disk scan with ClamWin. It can remove some other files infected by this virus. It seems it cannot delete only Copy of Desktop.ini.

Here is the present report:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AdobeGama.pif: Worm.VB-354 FOUND
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AdobeGama.pif: Removed
C:\Documents and Settings\Shehab\Local Settings\Temp\Ngsys.exe: Worm.VB-354 FOUND
C:\Documents and Settings\Shehab\Local Settings\Temp\Ngsys.exe: Removed
C:\Documents and Settings\Shehab\Local Settings\Temp\runer.exe: Worm.VB-354 FOUND
C:\Documents and Settings\Shehab\Local Settings\Temp\runer.exe: Removed
C:\Documents and Settings\Shehab\Local Settings\Temp\rvshost.exe: Worm.VB-354 FOUND
C:\Documents and Settings\Shehab\Local Settings\Temp\rvshost.exe: Removed
C:\Documents and Settings\Shehab\Local Settings\Temp\system31.exe: Worm.VB-354 FOUND
C:\Documents and Settings\Shehab\Local Settings\Temp\system31.exe: Removed
C:\Documents and Settings\Shehab\Local Settings\Temp\userint.exe: Worm.VB-354 FOUND
C:\Documents and Settings\Shehab\Local Settings\Temp\userint.exe: Removed
C:\Documents and Settings\Shehab\Local Settings\Temp\Vel.exe: Worm.VB-354 FOUND
C:\Documents and Settings\Shehab\Local Settings\Temp\Vel.exe: Removed
C:\Documents and Settings\Shehab\Local Settings\Temp\winzipt.exe: Worm.VB-354 FOUND
C:\Documents and Settings\Shehab\Local Settings\Temp\winzipt.exe: Removed
WARNING: Can't open file \\?\C:\Documents and Settings\Shehab\Local Settings\Temp\~DF3080.tmp, Permission denied
C:\Documents and Settings\Shehab\My Documents\My Completed Downloads\vmspec.2nded.html.zip: [|]
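Added example (not part of the original thread and not ClamWin code): a small parser that reconciles the report lines quoted in the posts above, so that detections left on disk ("Can't remove", or FOUND with no matching "Removed") and files the scanner could not open stand out from the ones that were cleaned. The line formats are taken from the reports in this thread; the sample paths and the function names `triage` and `needs_follow_up` are constructed for illustration.

```python
import re

# Constructed sample in the report format quoted in this thread (paths are illustrative).
SAMPLE_REPORT = r"""
WARNING: \\?\F:\Copy of Desktop.ini: Can't remove
F:\Copy of Desktop.ini: Worm.VB-354 FOUND
C:\Temp\runer.exe: Worm.VB-354 FOUND
C:\Temp\runer.exe: Removed
WARNING: Can't open file \\?\C:\Temp\~DF3080.tmp, Permission denied
Infected files: 2
Not removed: 1
"""

FOUND = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")
REMOVED = re.compile(r"^(?P<path>.+): Removed$")
CANT_REMOVE = re.compile(r"^WARNING: (?P<path>.+): Can't remove$")
CANT_OPEN = re.compile(r"^WARNING: Can't open file (?P<path>.+), (?P<why>.+)$")

def norm(path):
    """Drop the Win32 long-path prefix so warning and detection lines match."""
    path = path.strip()
    return path[4:] if path.startswith("\\\\?\\") else path

def triage(report):
    """Return (detections, unscanned): per-file status, and files that could not be opened."""
    detections, unscanned = {}, []
    for line in report.splitlines():
        line = line.strip()
        if m := CANT_REMOVE.match(line):
            detections.setdefault(norm(m["path"]), {})["status"] = "not removed"
        elif m := CANT_OPEN.match(line):
            unscanned.append((norm(m["path"]), m["why"]))
        elif m := FOUND.match(line):
            entry = detections.setdefault(norm(m["path"]), {})
            entry["signature"] = m["sig"]
            # A warning may precede the FOUND line, so keep any status already set.
            entry.setdefault("status", "reported only")
        elif m := REMOVED.match(line):
            detections.setdefault(norm(m["path"]), {})["status"] = "removed"
    return detections, unscanned

def needs_follow_up(report):
    """Paths still on disk after the scan, plus paths the scanner never read."""
    detections, unscanned = triage(report)
    left = [p for p, d in detections.items() if d.get("status") != "removed"]
    return left, [p for p, _ in unscanned]

if __name__ == "__main__":
    print(needs_follow_up(SAMPLE_REPORT))
```

A path that ends up as "reported only" matches the report-only configuration raised earlier in the thread, while "not removed" means deletion was attempted and failed.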
travma


Joined: 27 Oct 2007
Posts: 2
Try the Windows scandisk and check the first option. Maybe the file system is corrupt. I had something similar one day.
GuitarBob


Joined: 09 Jul 2006
Posts: 4359
Location: USA
It appears that Worm.VB-354 might be a variant of Warezov malware. Go to http://www.misec.net/forum/board/RulesetUpdates/1173067909 for information. Some of the other AV programs may have additional information/help.

Regards,
sherpya


Joined: 22 Mar 2006
Posts: 898
Location: Italy
try unlocker
http://ccollomb.free.fr/unlocker/
it's able to delete in-use files