ClamWin Free Antivirus
Support and Discussion Forums
Found infected file, but it wasn't moved to quarantine
erscampbell


Joined: 06 Sep 2006
Posts: 0
Hello,

I ran a virus scan overnight and an infected file was found. The file was not moved to the quarantine folder (I checked the folder and it was empty). Here's the scan report:
------------------------------------------------

Scan started: Tue Sep 05 16:07:23 2006

C:/Documents and Settings/All Users.WINDOWS/.clamwin/quarantine/hiberfil.sys: Exploit.HTML.MHTRedir-8 FOUND
File excluded 'C:/Documents and Settings/All Users.WINDOWS/.clamwin/quarantine/hiberfil.sys'
ERROR: Can't open file C:/Documents and Settings/Cornelia Carey/Local Settings/Application Data/Microsoft/Windows Defender/FileTracker/{81579199-7CDB-46E3-8A70-0F5016235871}
ERROR: Can't open file C:/pagefile.sys
ERROR: Can't open file C:/RECYCLER/NPROTECT/00005446.exe
ERROR: Can't open file C:/RECYCLER/NPROTECT/00005447.exe
ERROR: Can't open file C:/WINDOWS/system32/CatRoot2/tmp.edb

-- summary --
Known viruses: 67730
Engine version: 0.88.4
Scanned directories: 5503
Scanned files: 60845
Infected files: 1
Not moved: 1
Data scanned: 20460.26 MB
Time: 25842.230 sec (430 m 42 s)


Do you have any recommendations for me? Just to warn you, I'm not the most computer-savvy person, so be gentle.

Thanks,
Elissa
sherpya


Joined: 22 Mar 2006
Posts: 0
Location: Italy
Look in file exclusions, normally this file is on the drive root and it's used for software suspend, so the virus is using the same name
erscampbell


Joined: 06 Sep 2006
Posts: 0
sherpya wrote:
Look in file exclusions, normally this file is on the drive root and it's used for software suspend, so the virus is using the same name


Thanks so much for your help. I'll probably sound stupid for asking, but how do I look in file exclusions? I don't know where to begin.

Thanks,
Elissa
alch
Site Admin

Joined: 27 Nov 2005
Posts: 0
Most likely you can ignore this message. Hiberfil.sys is the file used to save your computer's memory for hibernation and may contain something that ClamWin identifies as a virus.

The virus name implies that it is a webpage that has some code deemed potentially harmful, which can happen when you do your normal browsing. This does not mean that your computer is infected.

To be absolutely sure, please open Windows Explorer and make sure you have the "Show Hidden Files" option turned on in the "Tools->Folder Options->View" menu, then navigate to the "C:/Documents and Settings/All Users.WINDOWS/.clamwin/quarantine/" folder and check the size of the hiberfil.sys file. If it is large and corresponds to the amount of memory your computer has, then don't worry and simply delete it.
alch
Site Admin

Joined: 27 Nov 2005
Posts: 0
P.S. The scan report says that the file is already in quarantine:
C:/Documents and Settings/All Users.WINDOWS/.clamwin/quarantine/hiberfil.sys

That is why it says Excluded next to the file, as it cannot move the file to itself. The reason why you don't see it in Windows Explorer is most likely because the file has the "Hidden" attribute. In order to display hidden files, open Windows Explorer and go to "Tools->Folder Options->View" in the menu, then locate and tick the "Show Hidden Files" option.
erscampbell


Joined: 06 Sep 2006
Posts: 0
alch wrote:
P.S. The scan report says that the file is already in quarantine:
C:/Documents and Settings/All Users.WINDOWS/.clamwin/quarantine/hiberfil.sys

That is why it says Excluded next to the file, as it cannot move the file to itself. The reason why you don't see it in Windows Explorer is most likely because the file has the "Hidden" attribute. In order to display hidden files, open Windows Explorer and go to "Tools->Folder Options->View" in the menu, then locate and tick the "Show Hidden Files" option.


I went into the folder options and discovered that "Show hidden files & folders" is already checked - any other ideas?

Thanks,
Elissa
alch
Site Admin

Joined: 27 Nov 2005
Posts: 0
Go to Start->Run, then type cmd.exe and open the command prompt.

In the command prompt type:
cd "C:/Documents and Settings/All Users.WINDOWS/.clamwin/quarantine/"
then DIR

It should list all files.

If the file is not there, run the full scan again.
Not moved virus
boonyam


Joined: 14 Sep 2006
Posts: 0
Hi

I got the below

C:/Documents and Settings/All Users/.clamwin/quarantine/912mm[1].htm: Trojan.Downloader.Istbar-207 FOUND
File excluded 'C:/Documents and Settings/All Users/.clamwin/quarantine/912mm[1].htm'

C:/WINDOWS/system32/o: Trojan.Downloader.Bat.Ftp.gen-1 FOUND
C:/WINDOWS/system32/o: moved to 'C:/Documents and Settings/All Users/.clamwin/quarantine/o'

-- summary --
Known viruses: 69032
Engine version: 0.88.4
Scanned directories: 5275
Scanned files: 73736
Infected files: 2
Not moved: 1
Data scanned: 17418.82 MB
Time: 13019.625 sec (216 m 59 s)

My questions are:

i) Those viruses moved to quarantine, does it mean "safe" and I do not need to physically delete them from the above quarantine folder?

ii) Those viruses moved to quarantine, does it mean "heal"?

iii) Why does the summary show "Not moved: 1"?

iv) Is there any virus removal tool I can download from ClamWin?

v) Where does Trojan.Downloader.Bat.Ftp.gen-1 normally come from? BitComet?

Please advise.
alch
Site Admin

Joined: 27 Nov 2005
Posts: 0
Please find answers below:
i) Usually yes; however, it is recommended to remove viruses from quarantine once you are sure that it was not an important system file and everything works as expected.
ii) No, moving to quarantine means simply moving the file to another folder. By moving it elsewhere the file will not be loaded at start time etc., because it is not in the expected location.
iii) Because that file was already in quarantine.
iv) Unfortunately no.
v) Not sure.
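How the "Not moved" counter in the reports above lines up with the per-file lines, as an added example that is not part of the original thread and not ClamWin code: a detection followed by "File excluded" under the quarantine folder was already quarantined, which is the case alch describes. The function name, the status labels and the quarantine path marker are assumptions made for illustration; the sample lines are copied from the second report quoted in the thread.

```python
import re

# Constructed sample: lines copied from the second scan report quoted in this thread.
SAMPLE_REPORT = """\
C:/Documents and Settings/All Users/.clamwin/quarantine/912mm[1].htm: Trojan.Downloader.Istbar-207 FOUND
File excluded 'C:/Documents and Settings/All Users/.clamwin/quarantine/912mm[1].htm'
C:/WINDOWS/system32/o: Trojan.Downloader.Bat.Ftp.gen-1 FOUND
C:/WINDOWS/system32/o: moved to 'C:/Documents and Settings/All Users/.clamwin/quarantine/o'
-- summary --
Infected files: 2
Not moved: 1
"""

QUARANTINE_MARKER = "/.clamwin/quarantine/"  # assumption: taken from the paths in the thread
FOUND = re.compile(r"^(.+): (\S+) FOUND$")
MOVED = re.compile(r"^(.+): moved to '(.+)'$")
EXCLUDED = re.compile(r"^File excluded '(.+)'$")
COUNTER = re.compile(r"^([A-Za-z ]+): (\d+)$")


def triage(report):
    """Classify each detection and check it against the summary counters."""
    found, moved, excluded, summary = {}, set(), set(), {}
    in_summary = False
    for line in (raw.strip() for raw in report.splitlines()):
        if line == "-- summary --":
            in_summary = True
        elif in_summary:
            if m := COUNTER.match(line):
                summary[m.group(1)] = int(m.group(2))
        elif m := FOUND.match(line):
            found[m.group(1)] = m.group(2)
        elif m := MOVED.match(line):
            moved.add(m.group(1))
        elif m := EXCLUDED.match(line):
            excluded.add(m.group(1))
    status = {}
    for path in found:
        if path in moved:
            status[path] = "moved to quarantine"
        elif path in excluded and QUARANTINE_MARKER in path.lower():
            status[path] = "already in quarantine"  # cannot be moved onto itself
        else:
            status[path] = "still in place"  # the only case that needs follow-up
    not_moved = sum(1 for s in status.values() if s != "moved to quarantine")
    consistent = (summary.get("Infected files") == len(found)
                  and summary.get("Not moved") == not_moved)
    return {"status": status, "consistent": consistent}
```

A "still in place" result is the one to act on; "already in quarantine" only means an earlier scan had moved the file and the scanner is re-reading its own quarantine folder.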