Need help restoring deleted files mistakenly dectected as virus by clamwin. It took out my internet access by identifying my TCP/IP driver as the "virtomunde" trojan, along with varoius system32 drivers and i386 drivers. Tried the restore function in Qrecover but it said files could not be found, yet they appear in report. I did have scanner set to remove. ,
I did find one post by guitarbob on subject, where he suggested removing the word "infected" off file then restoring. How is this done and is this still possible with me? I did try this but it will not allow me delete, how do i recover and restore these drivers and files please advise, thx, Ed.
I have been using clamwin up to this pont for the last 2 years without issues.

What is clamwin configured to do - quarantine or delete infected files?
If it is set to delete then the only way to restore them would be through an undelete utility

If Windows system files are involved, see if you can use system restore to revert back to a point in time before the ClamWin scan that deleted them. Please set the infected files option to Quarantine to prevent problems like this in the future. There is a reason why you have the "Use carefully" remark beside the Remove option.

The way that Sourcefire now prepares their automated virus signatures seems to result in more false positives on Windows system files. They have retained the bias of the old ClamWin team toward email attachments on Linux email servers on which false positives do no harm. Unfortunately, we have to use ClamWin (with the Clam AV scan engine) on real, operating Windows machines.

Regards,

. It was set to delete, not anymore. can i find a reliable undelete utility on majorgeeks? my system restore for some reason will not recognize any past restore points?

I did try that quitarbob but system restore is not functioning properly, no restore points saved and it is on, puzzling. you mentioned in a previous post how to remove "infected" from the removed file and then using qrecovery to restore, how is that done please? Ed.

All I was talking about re: removing the "infected" from the name in quarantine was so the user could do a manual transfer of the quarantined file back to where it was originally located before being quarantined. The file has to be in quarantine, of course, and you have to know the folder where it belongs, which you can get from the associated text file in quarantine that tells the original location. I would use copy instead of a drag and drop--I sometimes lose a file when I drag/drop. Once the file is copied back to the original folder, you can delete it from quarantine.

Keep in mind that a false positive will be quarantined again at the next scan until Clam AV corrects their signature, so I suggest you exclude the file from ClamWin's scans (via Configuration, Filters, Exclude Matching Filenames). Give Clam AV several days to correct things after you report the false positive, and then you can remove it from Filters.

Regards,

Strange, but perhaps you need to have administrator authority of the computer in order to do it. Look into Start, Control Panel, User Accounts to see if you are set up as an admin or change it if not.

Regards,