ClamWin Free Antivirus
Support and Discussion Forums
Question...I'm new
chaos31


Joined: 20 Dec 2006
Posts: 0
Location: Minnesota, USA
Well, a family friend told me about ClamWin and how good it is, so I downloaded it and tried it out. It seems to work great, but I had a few questions, listed below.

1 - So I ran a scan and when it finished I had 10 infected files...gah. Well, does it get rid of them, or how do I get rid of these infected files?
2 - Do I set it to Report Only, Remove, or Quarantine... or what's the recommendation?

Thanks very much!
David
budtse


Joined: 14 Jan 2006
Posts: 0
Location: Belgium
We mostly advise setting it to Quarantine. This also answers your first question: infected files are moved to the quarantine folder, where you can delete them if everything is OK or restore them if they appear to be false positives.
chaos31


Joined: 20 Dec 2006
Posts: 0
Location: Minnesota, USA
Wait... so when they get quarantined, what do you mean by restore them if they appear to be false positives?
budtse


Joined: 14 Jan 2006
Posts: 0
Location: Belgium
Well, these are exceptions, but sometimes a file that is indicated as infected is not (this is called a false positive). The log file will tell you which files are moved to quarantine (from folder x to quarantine folder y). In the case of a false positive, you can manually move the file back using Windows Explorer.

As I said, these are exceptions, so normally you shouldn't worry about it. It is just the main difference between "Quarantine" and "Remove". Remove does not give you the possibility to restore the file if needed.
What About False Positives
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
You can upload a quarantined item to https://www.virustotal.com/en/virustotalf.html on the Web to see if other antivirus scanners recognize it as a virus. The service is free, usually fast (depending upon workload), and they check the file with 10 or more antivirus programs.

If a couple of the other scanners also recognize it as a virus, it probably is one, so just delete it from the quarantine file on your hard drive.

Regards,
chaos31


Joined: 20 Dec 2006
Posts: 0
Location: Minnesota, USA
OK, and to remove an infected file in the quarantine folder, do I just right click --> delete --> delete forever?
Delete From Quarantine
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Yes, right click/delete will work. Be certain that it is a virus/malware before you delete. Delete will put the virus in your Recycle Bin, so you will have to also delete it from there at some point (right click on the file in the Recycle Bin folder or use Windows Disk Cleanup to clean up lots of stuff).

Regards,
chaos31


Joined: 20 Dec 2006
Posts: 0
Location: Minnesota, USA
Semi problem... well, I ran a scan first thing when I got it (started last night at 9:00 PM and finished at 10:00 AM), so it took a bit, but anyways I never had it save to a quarantine folder... there were 10 infected files... so do I have to rescan lol?
alch
Site Admin

Joined: 27 Nov 2005
Posts: 0
Just check the infected file locations from the scan report and, if you are in doubt, scan them on https://www.virustotal.com. Then delete the infected files from their original locations.
chaos31


Joined: 20 Dec 2006
Posts: 0
Location: Minnesota, USA
Also, when they get moved to the quarantine folder, if it turns out safe what do I do with it? Put it back where it belongs?

Also, out of the 10 infected files only 2 came up infected, so that site did help, so thanks!
alch
Site Admin

Joined: 27 Nov 2005
Posts: 0
Yes, you should copy them back if these are important files (not your browser cache, for instance).

Can you paste the false positive reports here?
chaos31


Joined: 20 Dec 2006
Posts: 0
Location: Minnesota, USA
Sure, false positive = the safe ones? If so they are below.

This was the whole list.
-----------------------------------
C:\Documents and Settings\Daniel\Local Settings\Application Data\Mozilla\Firefox\Profiles\ebcsvb87.default\Cache\0AFB9CCFd01: HTML.Phishing.Gold FOUND
C:\Documents and Settings\David\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv661.jar-5e55057-7f63cd29.zip: Java.ClassLoader.24564 FOUND
C:\Documents and Settings\David\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv771.jar-7730088f-41bcf564.zip: Java.ClassLoader.24564 FOUND
C:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\t9nbe6nj.default\Cache\0AFB9CCFd01: HTML.Phishing.Gold FOUND
C:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\t9nbe6nj.default\Cache\7325728Ad01: HTML.Phishing.Bank-983 FOUND
C:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\t9nbe6nj.default\Cache\7354741Bd01: HTML.Phishing.Bank-983 FOUND
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\5SLLPPK5\popup[2].htm: Trojan.Clicker.HTML.Agent FOUND
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\F0MDSTEY\popup[1].htm: Trojan.Clicker.HTML.Agent FOUND
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\F0MDSTEY\popup[2].htm: Trojan.Clicker.HTML.Agent FOUND
C:\WINDOWS\SYSTEM32\SVKP.sys: Trojan.PcClient-42 FOUND

I'll try to remember which ones were safe/unsafe that I found out...lemme see if I can find out.
alch
Site Admin

Joined: 27 Nov 2005
Posts: 0
The only one of concern is this:
C:\WINDOWS\SYSTEM32\SVKP.sys

Please scan it on https://virustotal.com
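The triage applied to the posted report in the reply above, as an added example that is not part of the original thread and not ClamWin's own code: it parses `path: signature FOUND` report lines and separates detections inside browser and Java cache folders from files that should be checked before they are deleted. The cache location list, the function names and the two summary lines in the sample are assumptions of this example.

```python
import re

# ClamWin/ClamAV report line format: "<path>: <signature> FOUND"
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND\s*$")

# Assumption of this example: folders that only hold disposable downloaded
# copies. Each entry lists substrings that must all appear in the path.
CACHE_MARKERS = (
    ("\\temporary internet files\\",),
    ("\\firefox\\profiles\\", "\\cache\\"),
    ("\\java\\deployment\\cache\\",),
)

# Sample input: four lines from the report posted in the thread, followed by
# two constructed summary lines that the parser has to skip.
SAMPLE_REPORT = r"""
C:\Documents and Settings\David\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv661.jar-5e55057-7f63cd29.zip: Java.ClassLoader.24564 FOUND
C:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\t9nbe6nj.default\Cache\7325728Ad01: HTML.Phishing.Bank-983 FOUND
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\5SLLPPK5\popup[2].htm: Trojan.Clicker.HTML.Agent FOUND
C:\WINDOWS\SYSTEM32\SVKP.sys: Trojan.PcClient-42 FOUND
----------- SCAN SUMMARY -----------
Infected files: 4
"""

def parse_report(text):
    """Return (path, signature) for every detection line; skip everything else."""
    hits = []
    for line in text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits

def triage(hits):
    """Split detections into disposable cache copies and files to verify first."""
    buckets = {"cache": [], "verify": []}
    for path, sig in hits:
        lowered = path.lower()  # Windows paths are case-insensitive
        is_cache = any(all(p in lowered for p in parts) for parts in CACHE_MARKERS)
        buckets["cache" if is_cache else "verify"].append((path, sig))
    return buckets

if __name__ == "__main__":
    for kind, items in triage(parse_report(SAMPLE_REPORT)).items():
        for path, sig in items:
            print(f"{kind:6} {sig:28} {path}")
```

Entries in the `cache` bucket can be cleared by emptying the browser or Java cache; entries in `verify` are the ones worth a second opinion before deleting or restoring.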
chaos31


Joined: 20 Dec 2006
Posts: 0
Location: Minnesota, USA
OK, thanks.