ClamWin cannot delete Copy of Desktop.ini
alch
Site Admin
From the report, I guess ClamWin is configured to report only; you need to set it to quarantine.
omarshehab
My ClamWin is configured to Remove. Still it can't clean/delete the file. Thanks anyway for your reply.
GuitarBob
You might consider upgrading to the latest ClamWin version--0.91.2.
The desktop.ini file is used primarily to tell Windows how to display the contents of a folder (thumbnail view, etc.). I suggest you upload a copy of the file to Virustotal at https://www.virustotal.com/ so they can scan it for you with multiple AV programs there. If a couple of other AVs also spot malware in it, then it is probably a real infection. If Clam/ClamWin is the only AV that spots it, then it is probably a false positive, and you should upload a copy to Clam at https://cgi.clamav.net/sendvirus.cgi and tell them all about it, so they can update the signature database to eliminate the false positive. Regardless, you can probably safely delete the file if it is not in the Windows directory or a subdirectory. Regards,
omarshehab
Thanks Bob for your informative reply.
omarshehab
I have upgraded my ClamWin with the latest version and checked to delete a file if a virus is found. Still it detects but can't delete the file. Here is the test report:
Scan Started Mon Sep 10 16:20:08 2007
-------------------------------------------------------------------------------
WARNING: \\?\F:\Copy of Desktop.ini: Can't remove
F:\Copy of Desktop.ini: Worm.VB-354 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 151998
Engine version: 0.91.2
Scanned directories: 286
Scanned files: 2911
Skipped non-executable files: 1
Infected files: 1
Not removed: 1
Data scanned: 1486.80 MB
Time: 720.078 sec (12 m 0 s)
--------------------------------------
Completed
--------------------------------------

I have tested the Copy of Desktop.ini file in VirusTotal. Here is the report:

| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2007.9.8.0 | 2007.09.10 | Win-Trojan/Xema.variant |
| AntiVir | 7.6.0.5 | 2007.09.10 | TR/Agent.FVL |
| Authentium | 4.93.8 | 2007.09.09 | W32/Downldr2.MNN |
| Avast | 4.7.1043.0 | 2007.09.10 | Win32:VB-JTP |
| AVG | 7.5.0.485 | 2007.09.10 | Generic5.IDH |
| BitDefender | 7.2 | 2007.09.10 | Trojan.Downloader.Vb.AZA |
| CAT-QuickHeal | 9.00 | 2007.09.08 | - |
| ClamAV | 0.91.2 | 2007.09.10 | Worm.VB-354 |
| DrWeb | 4.33 | 2007.09.10 | - |
| eSafe | 7.0.15.0 | 2007.09.04 | - |
| eTrust-Vet | 31.1.5119 | 2007.09.08 | - |
| Ewido | 4.0 | 2007.09.09 | Downloader.VB.aza |
| FileAdvisor | 1 | 2007.09.10 | - |
| Fortinet | 3.11.0.0 | 2007.09.10 | VB.F |
| F-Prot | 4.3.2.48 | 2007.09.09 | W32/Downldr2.MNN |
| F-Secure | 6.70.13030.0 | 2007.09.10 | Trojan-Downloader.Win32.VB.aza |
| Ikarus | T3.1.1.12 | 2007.09.10 | Trojan-Downloader.Win32.VB.aza |
| Kaspersky | 4.0.2.24 | 2007.09.10 | Trojan-Downloader.Win32.VB.aza |
| McAfee | 5115 | 2007.09.07 | Generic VB.b |
| Microsoft | 1.2803 | 2007.09.10 | - |
| NOD32v2 | 2518 | 2007.09.10 | probably unknown NewHeur_PE virus |
| Norman | 5.80.02 | 2007.09.07 | W32/AutoRun.AD |
| Panda | 9.0.0.4 | 2007.09.09 | Trj/Agent.FVL |
| Prevx1 | V2 | 2007.09.10 | - |
| Rising | 19.40.02.00 | 2007.09.10 | Trojan.DL.Win32.VB.aza |
| Sophos | 4.21.0 | 2007.09.10 | Mal/VB-F |
| Sunbelt | 2.2.907.0 | 2007.09.07 | - |
| Symantec | 10 | 2007.09.10 | W32.Mysamurai |
| TheHacker | 6.1.10.183 | 2007.09.10 | Trojan/Downloader.VB.aza |
| VBA32 | 3.12.2.4 | 2007.09.09 | Trojan-Downloader.Win32.VB.aza |
| VirusBuster | 4.3.26:9 | 2007.09.09 | - |
| Webwasher-Gateway | 6.0.1 | 2007.09.10 | Trojan.Agent.FVL |

I have already tried to upload the virus affected file on ClamWin's database. But they say it is already recognized. Hope there will be a solution soon. Thanks
alch
Site Admin
Do you have "unload infected programs from computer memory" selected as well?
omarshehab
Yes.
Shehab
budtse
Have you tried to move or delete this file manually? It could be locked for some reason (although I think ClamWin would say "cannot remove...").
GuitarBob
So it's a real virus then on your F drive which ClamWin is unable to remove. Do a search on the Web for the name of the virus and see what you can learn about it--that might help with removal. Can you manually delete it from your F drive? Does it come back after deletion?
If so, you might get into Windows Safe Mode (type F8 once a second or so when your computer boots up until it enters Safe Mode--let the junk scroll by on your screen until it says Safe Mode) and then run ClamWin. The scan will probably take longer than usual in Safe Mode, but see if that enables removal. If it doesn't, you might try a scan with a good antispyware program--some of them are pretty good at removing trojans. If that doesn't work, try an online scan with Trend Micro, NOD32, or Bitdefender. I would try them in that order. If all that fails and you still have the virus critter, go to CastleCops at https://wiki.castlecops.com/Main_Page which has malware self-removal advice for you to try first. After that, you can also ask for help from one of their HiJack This experts if you still need it. It might take a day or so, but they are pretty good. Regards,
omarshehab
Yes, I can delete the Copy of Desktop.ini file manually. I am now trying a disk scan with ClamWin. It can remove some other files infected by this virus. It seems it cannot delete only Copy of Desktop.ini.
Here is the present report:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AdobeGama.pif: Worm.VB-354 FOUND
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AdobeGama.pif: Removed
C:\Documents and Settings\Shehab\Local Settings\Temp\Ngsys.exe: Worm.VB-354 FOUND
C:\Documents and Settings\Shehab\Local Settings\Temp\Ngsys.exe: Removed
C:\Documents and Settings\Shehab\Local Settings\Temp\runer.exe: Worm.VB-354 FOUND
C:\Documents and Settings\Shehab\Local Settings\Temp\runer.exe: Removed
C:\Documents and Settings\Shehab\Local Settings\Temp\rvshost.exe: Worm.VB-354 FOUND
C:\Documents and Settings\Shehab\Local Settings\Temp\rvshost.exe: Removed
C:\Documents and Settings\Shehab\Local Settings\Temp\system31.exe: Worm.VB-354 FOUND
C:\Documents and Settings\Shehab\Local Settings\Temp\system31.exe: Removed
C:\Documents and Settings\Shehab\Local Settings\Temp\userint.exe: Worm.VB-354 FOUND
C:\Documents and Settings\Shehab\Local Settings\Temp\userint.exe: Removed
C:\Documents and Settings\Shehab\Local Settings\Temp\Vel.exe: Worm.VB-354 FOUND
C:\Documents and Settings\Shehab\Local Settings\Temp\Vel.exe: Removed
C:\Documents and Settings\Shehab\Local Settings\Temp\winzipt.exe: Worm.VB-354 FOUND
C:\Documents and Settings\Shehab\Local Settings\Temp\winzipt.exe: Removed
WARNING: Can't open file \\?\C:\Documents and Settings\Shehab\Local Settings\Temp\~DF3080.tmp, Permission denied
C:\Documents and Settings\Shehab\My Documents\My Completed Downloads\vmspec.2nded.html.zip: [|]
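
Added example, not part of any post in this thread: a small Python parser for the scan-report format quoted in the two reports above. It pairs each `FOUND` line with its `Removed` or `Can't remove` outcome and strips the `\\?\` prefix that the WARNING lines carry so both spellings of a path match. The function names and the embedded sample (lines copied from the reports in this thread) are choices made for this example.

```python
import re

# Sample lines copied from the two scan reports quoted in this thread.
SAMPLE_REPORT = r"""
WARNING: \\?\F:\Copy of Desktop.ini: Can't remove
F:\Copy of Desktop.ini: Worm.VB-354 FOUND
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AdobeGama.pif: Worm.VB-354 FOUND
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AdobeGama.pif: Removed
C:\Documents and Settings\Shehab\Local Settings\Temp\Ngsys.exe: Worm.VB-354 FOUND
C:\Documents and Settings\Shehab\Local Settings\Temp\Ngsys.exe: Removed
WARNING: Can't open file \\?\C:\Documents and Settings\Shehab\Local Settings\Temp\~DF3080.tmp, Permission denied
"""

FOUND = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")
REMOVED = re.compile(r"^(?P<path>.+): Removed$")
CANT_REMOVE = re.compile(r"^WARNING: (?P<path>.+): Can't remove$")
CANT_OPEN = re.compile(r"^WARNING: Can't open file (?P<path>.+), Permission denied$")


def norm(path):
    # WARNING lines use the extended-length prefix, FOUND lines do not;
    # drop it and fold case (Windows paths are case-insensitive) to correlate them.
    if path.startswith("\\\\?\\"):
        path = path[4:]
    return path.lower()


def triage(report):
    """Return (still_present, removed, unreadable) for one scan report."""
    found, removed, failed, unreadable = {}, set(), set(), []
    for line in report.splitlines():
        line = line.strip()
        if m := CANT_REMOVE.match(line):
            failed.add(norm(m["path"]))
        elif m := CANT_OPEN.match(line):
            unreadable.append(m["path"])
        elif m := FOUND.match(line):
            found[norm(m["path"])] = (m["path"], m["sig"])
        elif m := REMOVED.match(line):
            removed.add(norm(m["path"]))
    # A detection counts as cleaned only when a matching "Removed" line exists.
    # The third field records whether the scanner reported an explicit failure.
    still = [(*found[k], k in failed) for k in found if k not in removed]
    gone = [found[k][0] for k in found if k in removed]
    return still, gone, unreadable
```

Files listed in `unreadable` were never scanned, so they need a second pass (for example from Safe Mode, as suggested earlier in the thread) before the machine is treated as clean.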
travma
Try the Windows scandisk and check the first option. Maybe the file system is corrupt. I had something similar one day.
GuitarBob
It appears that Worm.VB-354 might be a variant of Warezov malware. Go to https://www.misec.net/forum/board/RulesetUpdates/1173067909 for information. Some of the other AV programs may have additional information/help.
Regards,
sherpya
Try Unlocker:
https://ccollomb.free.fr/unlocker/
It's able to delete in-use files.
Powered by phpBB © phpBB Group
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.