ClamWin Free Antivirus
Support and Discussion Forums
how to remove
zamise


Joined: 15 Aug 2008
Posts: 0
I keep getting the following results in scan:

C:\Documents and Settings\All Users\.clamwin\quarantine\infected.wrlzma.dll: Trojan.Clicker-1344 FOUND
C:\Documents and Settings\All Users\.clamwin\quarantine\infected.wrlzma.dll not moved/copied since already in quarantine.

Is this a true virus? Where does this virus come from? Can I prevent it from infecting my computer again?
Antonio S.


Joined: 20 Apr 2008
Posts: 0
Location: Italy
Hello,
Before removing it, verify whether the file is a real threat by uploading it to http://www.virustotal.com/ to get your file scanned by multiple AV engines.
If several AVs detect the file as malware, it is better to get rid of the file by deleting it from the quarantine folder.
If only Clam (or a few AVs) report it as malware, it is likely to be a false positive. In that case, notify the Clam team by using the form at http://cgi.clamav.net/sendvirus.cgi. Generally the issue is fixed in a short time and the file should not be detected as a threat in further scans (this way you will also help Clam to improve its efficiency).

As per what I could find on the web by its name, the file should be a part of the Spy Sweeper package, which is commonly located in %PROGRAMFILES%\WEBROOT\SPY SWEEPER\
If you have installed Spy Sweeper on your machine, it is likely the file detected by Clamwin is a false positive. If the check with Virustotal confirms it is a false positive, you will have to restore the file manually to the original location (copy+paste; attention: you will have to rename the file, deleting the 'infected.').

I would also recommend setting Clamwin General Preferences to the 'Report Only' option instead of Quarantine. Clamwin will tell where the suspect file is located without moving it. It would then be easier to do further checks via Virustotal before moving/deleting the file.

Hope this helps,
Antonio
LeslieP


Joined: 26 Aug 2008
Posts: 0
Antonio,

I have been reading this thread because I have a similar problem, but I wanted to ask you about my specific situation.

Just over the last two days I've been getting a lot of pop-ups about various things. I will confess that I hadn't downloaded updates to ClamWin like I should. When I realized I had a problem, I downloaded the updates and ran a scan. It found three Trojan viruses. There's really no question in my mind that they are what the scan says they are because of the performance of my computer in the last couple of days. I am unable to figure out which files or folders or where they are located in order to remove them. This is what the scan says and it repeats this three times with minor variations:

C:\System Volume Information1\_restoreB6387AD4-48E1-4511-AA40-A245D4C401AE\RP250\A0020880.EXE: Trojan.Agent-17899 FOUND

Can you help me try to figure out where this is on my computer and what I can do to get rid of this? I am very nervous that this is going to cause a big problem for me and I don't know anything about what to do in this situation. I really appreciate your help with this. Thanks!

LeslieP
Antonio S.


Joined: 20 Apr 2008
Posts: 0
Location: Italy
Hello LeslieP,

If you're having strange/unexpected behaviours on your machine, it is likely that the detections found by Clamwin are correct. About a week ago my resident AV found a couple of files whose names were quite similar to the one quoted below and which were located on the same path listed below.
However, I am quite cautious about deleting files, so I would go through the following steps:
1- Make a copy of your personal/important files on a CD or USB drive to avoid data loss (in case system files are deleted the computer might not work properly, so it's better to have important files saved before taking any action).
2- Make a scan of your hard drive using an online scanner (some of them are listed on Clamwin's Anti Malware Resources page, just choose one of them) at least to have a counterproof that another antivirus is marking the same files as suspect.
3- If the online scan finds some positives, you can set Clamwin preferences to the 'Move to quarantine' option and run a scan. Clamwin should move the files to a protected area where the files cannot interact with the system. Restart the computer and check if it works properly. Then, if you wish to remove the quarantined files, just navigate with Windows Explorer until you reach the Clamwin Quarantine folder and delete the files manually.
Coming back to my case, I deleted the quarantined files and restarted the machine. Luckily, the machine is still working properly.

Some more hints I think are useful:
1- Update the Clamwin Virus DB regularly (you can set Preferences for automatic updates) and run periodic scans of your hard drive.
2- Install a resident Antivirus (Clamwin is only on demand, so it will activate only when you instruct it to do so; the good thing is that it won't conflict with other AV tools) and update it regularly. This is mandatory, especially if you regularly surf the web. There are several free options available for personal use (Avira Antivir, AVG Free, Avast, amongst others).
3- Option: timely you can choose to make checks with online scanners.
4- Mandatory (wink): spread ClamWin to people who keep paying for commercial AVs.

Hope this helps,
Antonio




jimmy03


Joined: 18 Oct 2008
Posts: 0
Last night I updated my antivirus and then scanned my whole system.
I was shocked: I had a list of hundreds of infected files in my system.
And then I clicked clean infected file.
After that my system keeps restarting again and again.
It's very irritating.
Can you tell me what type of virus this is?
And where does it come from?
And how can I cure it?

http://www.geocities.com/jimmy.pharma/ Jimmy
Antonio S.


Joined: 20 Apr 2008
Posts: 0
Location: Italy
Hello,
From your post I cannot tell if you have made a full scan with Clamwin. Usually Clamwin scan preferences are set to 'Report only', which means that after the scan the programme will only notify you about which files have been found as infected and where they are located in the system. If preferences were set to 'Remove' or 'Move to Quarantine folder', infected files are completely removed or put in the Quarantine folder. There is no 'clean infected file' button in Clamwin.

My suggestion would be to repeat the scan with Clamwin (be careful that Preferences are set to the 'Report only' option) and post the result of the scan here. Online scanners may help you to have a double check on your machine (some of them are listed on the Anti Malware Links page on Clamwin's website).
If the system keeps restarting, it could be that some system files have been corrupted or are missing, or that some malware is making trouble for your machine, so the best option in my opinion would be installing the system once again (before doing that, make sure you make a backup of your personal/important files on a CD or USB drive).

Anyway, before going to extremes you may think of trying a free tool to fix this kind of issue, which can be downloaded at http://www.freedrweb.com/cureit/. You just have to put it on your desktop, run it (no installation) and follow the instructions.

For best protection keep in mind to make regular virus DB updates and regular scans on your machine (both tasks can be managed automatically by ClamWin when properly configured).

Hope this helps,
Antonio
funklet


Joined: 15 Oct 2008
Posts: 0
All,

If you suspect or find you have viruses or adware malware on your computer then I recommend that you use a free tool 'Hijack This'
http://www.trendsecure.com/portal/en-US/_download/HiJackThis.exe
This was developed by someone else then bought by Trend. It is free at the moment, I wonder when they'll start charging for it...

You will need to read the documentation, but basically what it allows you to do is to look at all the processes currently running and kill off those that you suspect. It will also stop them running again the next time you boot. It identifies all those processes / services whether run from the registry, startup etc. and also plugins / add-ons to programs like Internet Explorer.

I'm sure we've all tried to delete suspect programs only to find that it is "in use" then have to boot in safe mode etc. etc.

This program means you can just kill / delete / clean in seconds.

I have found it to be an invaluable tool, I hope it is of help to others.
kbec980915


Joined: 26 Nov 2008
Posts: 0
I have scanned my computer for viruses and I can't get to the window behind it to proceed to remove the infected files. Can someone please let me know what to do to get past this? Thanks.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Hi. I'm not sure what you mean by "can't get to the window behind it to proceed to remove the infected files." ClamWin comes configured with the Infected Files option of Report Only (in General Preferences). This is the safest option, but you can also set the scan option to either Remove or Move To Quarantine Folder. In either case, you should know how to use Windows Explorer to access the files on your hard drive.

You should probably not use Remove--in case ClamWin registers a "false positive" on an important system file during a scan. A false positive occurs when ClamWin detects a virus in a file but it is not really a virus--the file just shares some common code with a certain virus. If ClamWin removes an important system file, you could lose access to Windows--and to your computer.

If you set the Infected Files option to Move To Quarantine Folder, you will not have to delete infected files yourself because ClamWin will remove the file to the Quarantine folder. The location of that folder on your computer is shown right below the Move To Quarantine Folder option for infected files. This option is usually pretty safe (but you have been warned above about the small danger of removing an important system file). If you select the Quarantine option, every month or two you should manually remove the files in quarantine via Windows Explorer.

If you set the Infected Files option to Report Only, you should first verify that any Windows system file is really infected when ClamWin says it is. You can do this by uploading the file to either Jotti at http://virusscan.jotti.org/ on the Web or to VirusTotal at http://www.virustotal.com/ on the Web. Either service will scan your files (one at a time) with multiple antivirus scanners. If three or more other antiviruses besides Clam find a file is infected, it is probably not a false positive, and you can safely delete/remove it from your computer--either manually or temporarily set the Quarantine option and run another scan to have ClamWin put the file in Quarantine. However, if the file is a Windows file and doesn't have a .tmp extension, you should just replace it with an uninfected copy (via System File Checker/SFC, but that's another story).

Regards,
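An added example (not part of any post in this thread, and not ClamWin's own code): a small parser for the "FOUND" report lines quoted above that notes where each detection sits and applies the second-opinion rule of thumb given in the replies. The function names, the location categories and the wording of the outcomes are assumptions made for this example.

```python
import re
from typing import Optional

# Report lines as quoted in the posts above, used here as sample input.
SAMPLE = r"""
C:\Documents and Settings\All Users\.clamwin\quarantine\infected.wrlzma.dll: Trojan.Clicker-1344 FOUND
C:\Documents and Settings\All Users\.clamwin\quarantine\infected.wrlzma.dll not moved/copied since already in quarantine.
C:\System Volume Information1\_restoreB6387AD4-48E1-4511-AA40-A245D4C401AE\RP250\A0020880.EXE: Trojan.Agent-17899 FOUND
"""

# "<path>: <signature> FOUND". The path itself contains "C:\", so the greedy
# path group makes the match split at the last ": " before the signature.
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")

def classify_location(path: str) -> str:
    """Say what kind of place a detected file sits in (assumed categories)."""
    p = path.lower()
    if "\\.clamwin\\quarantine\\" in p:
        return "quarantine"      # already-isolated copy being rescanned
    if "\\system volume information" in p:
        return "restore-point"   # System Restore snapshot, not a live file
    return "live"

def parse_report(text: str) -> list:
    """Return one dict per detection line; other report lines are ignored."""
    hits = []
    for line in text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.append({"path": m["path"], "signature": m["sig"],
                         "location": classify_location(m["path"])})
    return hits

def triage(location: str, other_engines: Optional[int]) -> str:
    """other_engines: scanners besides Clam that flagged the file (None = unchecked)."""
    if other_engines is None:
        return "verify with a multi-engine scanner before acting"
    if other_engines >= 3:       # threshold taken from the reply above
        return ("delete from quarantine" if location == "quarantine"
                else "probably malicious: quarantine or remove")
    return "likely false positive: report it and keep or restore the file"

if __name__ == "__main__":
    for hit in parse_report(SAMPLE):
        print(hit["location"], hit["signature"], "->", triage(hit["location"], None))
```

The "not moved/copied since already in quarantine" line is skipped on purpose: it reports a rescan of a file ClamWin had already isolated, not a new detection.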