Removing Trojan Horses...
DebraKline


Joined: 25 Nov 2006
Posts: 5
How is Clamwin with removing trojan horses?

I've been told the only way to get rid of a trojan horse is to delete the partition and reinstall.

So far I believe this may be true since my attempts have been unsuccessful. I've tried re-installing Windows telling it to delete the old copy, etc. But I did not go down to the partition level.

I'm running a Clamwin scan and it found the trojan...now my question is will it be able to clean it? If not, I'd like to know so I can cancel the scan and proceed with the re-partition, etc..

Cleaning With ClamWin
GuitarBob


Joined: 09 Jul 2006
Posts: 3633
Location: USA
ClamWin doesn't perform any cleaning of malware it finds. That capability would add complexity to the program, and right now the developers are primarily concerned with getting out of the current beta version(s) and into version 1.0 which will include real-time scanning capability. Until they do, you should be using ClamWin alongside another antivirus program that scans in real-time if you surf the Web a lot.

The best you can do for now is to configure ClamWin to quarantine any malware it finds. When it does so, you can delete it from the quarantine folder, which in Windows XP is located at C:\Documents and Settings\All Users\.clamwin\quarantine. After you do so, make sure the program where you found the malware still works. If it doesn't, you'll need to restore from a backup if it was an established program.

Regards,
DebraKline


Joined: 25 Nov 2006
Posts: 5
If Clamwin successfully quarantines the trojan-infected files, that'll be great...to me that is cleaning. My question should have been - how well does Clamwin do in quarantining files supposedly infected with trojan horses?

The other scanning programs continually find the same two files supposedly infected with the same trojan horse, yet when I try to delete the files, they aren't there.

I just don't know if I should let Clamwin finish (it takes so long) and hope it can move the files for me...or maybe the files don't even exist, or maybe they do exist and I just can't get to them?? Or maybe I should just stop the scan and proceed with deleting the partition and reinstalling. That would be the best way probably at this point. What do you think?
DebraKline


Joined: 25 Nov 2006
Posts: 5
Oh, and I did have Clamwin set to quarantine files. I checked the quarantine folder and so far the 2 files are not there. It did quarantine another file but not the 2 that keep showing up.
GuitarBob


Joined: 09 Jul 2006
Posts: 3633
Location: USA
If a couple of other antivirus programs find trojans and ClamWin doesn't, then ClamWin doesn't have the signature files in the signature database provided by Clam Antivirus.

Make sure you have downloaded the most recent ClamWin signature database. Then you don't have to do a full scan. If you know the folder/files where the trojans reside, access your hard drive via Windows Explorer, go to the folder/files and right click on the folder or files and select Scan With ClamWin. If ClamWin doesn't find anything and several other antivirus programs have found something, it's not in ClamWin's signature database. I suggest you help update the ClamAV database by uploading the file(s) to ClamAV for analysis at: http://cgi.clamav.net/sendvirus.cgi.

If there are trojans and you can't remove them, they must be embedded pretty deeply on your hard drive/system. You might try the Microsoft Malicious Software Removal Tool (MMSRT) at: http://www.microsoft.com/security/malwareremove/default.mspx. Just skip the details and Download The Tool. You don't actually have to download it--just Run it and it will check your computer, remove anything it can and report back to you. If the MMSRT doesn't help, I suggest you contact one of the other vendors of whatever antivirus software you are running for support.

You really shouldn't have more than one antivirus program scanning in real time on your computer--they can interfere with each other/slow down your scans. Although ClamWin doesn't scan in real time, when it scans, any other antivirus programs you have that do scan in real time also scan each file as ClamWin opens/scans it. So if you are using several real-time scanners, no wonder ClamWin scans slowly. You can reduce ClamWin's scan time by configuring it to scan only for the 35-50 file extensions that are most likely to harbor malware. Google for "dangerous file extensions" to get a list.

Regards,
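The two practical problems in this thread are (a) the reported files "aren't there" when you go looking for them, and (b) a full scan takes too long, so you want to limit it to risky extensions and then hash the suspect files for submission to ClamAV. The script below is an added example written for this thread; it is not part of ClamWin or any other product mentioned. It assumes the AV log printed unprintable or non-ASCII characters in the path as `?` (as in the `?racle` and `?ymbols` directories later in the thread) and resolves such a path with `?` as a single-character wildcard, walks a tree flagging risky extensions and odd directory/file names, and computes SHA-256 for anything it keeps. The extension list and the sample directory tree are constructed for illustration; the sample "executables" are a few bytes of dummy data, not malware.

```python
"""AV triage helper (added example, not ClamWin code).

- triage(root): walk a tree, keep files with a risky extension OR a path
  containing characters a legacy console would render as '?', and hash them.
- locate_reported(root, path): resolve a path copied from an AV log in which
  unprintable characters were shown as '?'.
"""
import fnmatch
import hashlib
import os
import tempfile

# Assumption: a short stand-in for the "35-50 dangerous extensions" list.
RISKY_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat",
                    ".cmd", ".vbs", ".js", ".sys"}


def has_odd_chars(name):
    """True if name has control or non-ASCII chars (e.g. lookalike letters)."""
    return any(ord(c) < 0x20 or ord(c) > 0x7E for c in name)


def sha256_of(path):
    """Stream-hash a file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root, extensions=RISKY_EXTENSIONS):
    """Return a list of findings: risky extension or odd path component."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for name in files:
            full = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            odd = has_odd_chars(rel_dir) or has_odd_chars(name)
            if ext in extensions or odd:
                try:
                    digest = sha256_of(full)
                except OSError:
                    digest = None  # locked or already gone; still report it
                findings.append({"path": full, "ext": ext,
                                 "odd_name": odd, "sha256": digest})
    return findings


def locate_reported(root, reported_relpath):
    """Resolve a log path where '?' stands for one unknown character.

    Matching is per path component and case-insensitive (Windows semantics),
    so 'TEMP\\My documents\\?racle\\notepad.exe' finds a directory whose real
    first letter is a non-ASCII lookalike. Returns all matching full paths.
    """
    parts = [p for p in reported_relpath.replace("\\", "/").split("/") if p]
    candidates = [root]
    for part in parts:
        nxt = []
        for c in candidates:
            try:
                entries = os.listdir(c)
            except OSError:
                continue
            nxt.extend(os.path.join(c, e) for e in entries
                       if fnmatch.fnmatchcase(e.lower(), part.lower()))
        candidates = nxt
    return candidates


def build_sample_tree(base):
    """Constructed fixture mimicking the thread's paths (dummy bytes only)."""
    oracle_dir = os.path.join(base, "TEMP", "My documents", "\u00d3racle")   # 'Ó' looks like 'O'
    symbols_dir = os.path.join(base, "Common Files", "\u015aymbols")          # 'Ś' looks like 'S'
    os.makedirs(oracle_dir)
    os.makedirs(symbols_dir)
    with open(os.path.join(oracle_dir, "notepad.exe"), "wb") as f:
        f.write(b"MZ-not-a-real-binary")
    with open(os.path.join(symbols_dir, "dexplore.exe"), "wb") as f:
        f.write(b"MZ-dummy-too")
    with open(os.path.join(base, "readme.txt"), "w") as f:
        f.write("harmless")  # should be skipped: ASCII name, .txt extension
    return base


def run_demo():
    """Build the fixture in a temp dir and run both helpers over it."""
    base = build_sample_tree(tempfile.mkdtemp(prefix="av_triage_"))
    found = triage(base)
    hits = locate_reported(base, "TEMP\\My documents\\?racle\\notepad.exe")
    return found, hits


if __name__ == "__main__":
    found, hits = run_demo()
    for f in found:
        print(f["sha256"], f["ext"], "odd-name" if f["odd_name"] else "", f["path"])
    print("resolved:", hits)
```

Run it against a real drive by replacing the fixture with `triage("C:\\")` and the reported path from the AV log; the SHA-256 values are what you would quote when submitting a sample, and a file that resolves through `locate_reported` but fails to hash with an `OSError` is one that is locked or being hidden from you, which is the case for a rootkit-style infection rather than a stale detection.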
DebraKline


Joined: 25 Nov 2006
Posts: 5
Clamwin finished and did quarantine a file (different from the 2 that keep showing up with AVG and Spybot). I deleted the file from the quarantine folder.

I then downloaded and ran MMSRT and it found nothing.

So I decided to run AVG again and it found the 2 files again! But this time, it deleted them. Ran AVG again just to be sure and all looks good. Not sure exactly what happened here but I do know AVG updated itself a couple times in the last hour - maybe the trojan just got added to the detection rules or something.

I would upload the files to the Clamwin database but I don't have the files...remember I've never been able to get my hands on them. The scanners find them but I could never get to them.

Well Thank you for your help. I'm going to assume AVG upgraded itself to take care of the problem.

I can tell you the trojan name and the two file names: Trojan horse Downloader.Generic3.HNK. And the two files were c:\documents and settings\TEMP\My documents\?racle\notepad.exe; c:\program files\common files\?ymbols\dexplore.exe.
Trojan
GuitarBob


Joined: 09 Jul 2006
Posts: 3633
Location: USA
Sounds like there might have been a false positive--indicating no malware was actually present. ClamAV doesn't have Trojan Downloader.Generic3.HNK in its database, and a Google search for that name doesn't turn up anything. A Generic name indicates no specific virus/malware was detected--only an indication that there might be malware-like activity. Sometimes this is just a false positive. The Microsoft Malicious Software Removal Tool didn't find anything. It doesn't recognize the real current malware, but it can find the most dangerous malware as of a couple of months ago.

AVG works well with ClamWin. It has a real-time resident scanner, but it is unable to unpack some file types that ClamWin can--such as 7Zip. So when you do an on-demand scan with ClamWin, AVG gets to scan the file when ClamWin opens it up on its on-demand scan. AVG is a couple years ahead of ClamWin, but ClamWin is coming along.

Regards,
DebraKline


Joined: 25 Nov 2006
Posts: 5
I'm real happy with Clamwin...Thanks for all who've donated their time!