| All Programs Detected as Infected |
|
BBALL
|
I attempted to access my computer today only to discover that ClamWin had detected >5000 program files as infected (including ClamWin). The only program I can get to run now is Internet Explorer. I find it hard to believe that every program file on my computer was infected last night (as I run nightly scans). I have removed ClamWin and reinstalled it, but I cannot get it to run to restore the quarantined files and there is no .log file.
|
||||||||||||
|
|
|||||||||||||
|
Deb
|
Ok so for server, you'll find the temp log file under "administrator" "local settings" "Temp". just sort by newest date first and you'll see a very large file. Open it with notepad to confirm. This file could have any name so please check it.
Downloaded and ran the restore as stated above, 4 out of 5 servers came back up fine. One got toasted which I'll have to reimage from last night's backup. It just blue screens now and reboots when attempting to load windows files. |
||||||||||||
|
|
|||||||||||||
|
levelbest
|
Any suggestions on where to look for the file on server 2003... I've searched the locations mentioned and nothing. To make matters worse, even though I got basic stuff back and running, I can't reinstall the programs that don't work because they are looking for files to uninstall what it thinks it already has installed.
Total nightmare. I've checked c:\documents and settings\administrator\local settings\temp - nothing. |
||||||||||||
|
|
|||||||||||||
|
Deb
|
That's odd, mine were all server 2003 and I found an oddly named file in the location above on all of them. Do you have any large single files when you sort by date at the top of the list?
Maybe double check under folder options in control panel that it's set to show all files including system files |
||||||||||||
|
|
|||||||||||||
|
drfrankc
|
Thank you alch. I am 99% back in business and happy. No hard feelings, sh*t happens,
Levelbest, I was running 2003 server and, like Deb, found them in c:\documents and settings\administrator\local settings\temp. My file named "tmppgkmtj" was 8,000 kb. Silly question: were you logged in as "administrator" when the scan occurred? Sincerely, -no longer screwed |
||||||||||||
|
|
|||||||||||||
|
tallaferro
|
Same problem here.
|
||||||||||||
|
Last edited by tallaferro on Fri Nov 19, 2010 7:39 pm; edited 1 time in total |
|||||||||||||
|
levelbest
|
May have been logged in as admin - as I am - and nothing was in the admin directory. Where else should I look? Checking there, I only see files from today - the 19th and nothing from yesterday. My clam av log (which does not contain the moving of files) is from the 18th. |
||||||||||||||
|
|
|||||||||||||||
|
levelbest
|
Yeah, I'm seeing all the hidden/system stuff including other temp files. Wondering if I screwed myself this morning installing the latest clam - thinking there would be a restore files option. Unfortunately, clam quarantined itself and wouldn't run after one of multiple reboots this morning. |
||||||||||||||
|
|
|||||||||||||||
| Ugh |
|
philipacentaur
|
I don't think you screwed yourself. I didn't install the update after this catastrophe happened and my logs had nothing useful -- no usable log in the temp directories either.
Here's to a working weekend to clean up this freakin' disaster! I really feel bad for anyone with more than one affected machine. |
||||||||||||
|
|
|||||||||||||
| Re: Ugh |
|
levelbest
|
Well, it hit me here at home too - I had it installed on my home automation server. It will now blue screen every time on start up. Fun. At least there, it's only one program and windows to install. Had the same thing happened on my other server, I'd have been MAJORLY screwed. I'm done with free software and open source crap. NO accountability when something affects you. |
||||||||||||||
|
|
|||||||||||||||
| Still working on it. |
|
grahamcropley
|
The quarantine fix that Alch released worked for me... Well.. sort of..
I finally got a new server online.. attached the harddisk.. Searched and Replaced C: for D: in the report.txt.. and recovered things to where they were supposed to be on the original disk.. (Still wouldn't boot tho'). Then had to copy the data to the new server's hard disk.. And now I'm about to start the configuration needed to get all my SQL Databases, Email Accounts, and Websites online again.... so far 15 hours in. There's no better way to learn, and to fix a f*ck1ng mess. Like the previous poster said... No hard feelings.. Sh*t happens... I mean.. AS IF I'm going to swap to a paid-for AV?? Don't think so. Might set to report only.. and not quarantine... But what will that achieve, viruses get longer to upset windows. Maybe better disaster recovery plan.. Co-Loc servers.... running different AV... Good luck everyone else.. Keep on.. keeping on. |
||||||||||||
|
|
|||||||||||||
|
alch
Site Admin
|
It might sound of little comfort now but we will improve the quarantine function in the next release so that it does not need a log file to restore to the original location. In the meantime, report only is recommended for those who still have the courage to keep ClamWin on their machines.
|
||||||||||||
|
|
|||||||||||||
| Re: Still working on it. |
|
456654
|
Hi Graham, do you think it's possible to send me your log file? It could help me. I have set up an apache server in the meantime but want to return to my old settings... My mail address is info -at- pc-huber.de Thank you (and be happy withOUT your kvm...) |
||||||||||||||
|
|
|||||||||||||||
| Fixed with log file in temp directory |
|
bill_chatfield
|
I was able to find the log file in a temporary file in my temp directory: c:\Documents and Settings\userid\local settings\temp. Make sure you look under the userid which runs ClamWin.
And I wrote the following script which copied everything back into place. I couldn't use Java or Perl because their executables and dlls were quarantined by ClamWin. So JavaScript seemed like the next easiest thing to use. Copy and paste the script into a file named RestoreClamWinFalsePositives.js and then run it like this: cscript RestoreClamWinFalsePositives.js logfilename.txt
|
||||||||||||||
|
|
|||||||||||||||
| quarantine folder filled with 25,000 files |
|
||
|
Powered by phpBB © phpBB Group
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.


