I installed clamwin version 0.92 yesterday on an NT4 SP6a box yesterday. I manually ran file scans on C: and D: with no issues. Today I had the following error on the screen

The Application or DLL
C:\Program Files\ClamWin\lib\BalloonTip.pyd is not a valid windows NT image. Please check this against your installation diskette.

I went to that location and inspected the file and it has a size of (zero) 0KB. The date of the file is 1/24/08 10:37AM.

Ran a manual download of the virus database and the log did not have any errors but the same error message popped up on a window. I tried the download again and it indicated I was up to date and the error window did not pop up again.

The only changes I made were on my Preferences to schedule two scans (C: and D:) for Saturdays and Sundays and to send me emails upon virus detections. I did not make any other changes.

I searched the forums and from Google and found no information on this specific issue. Any suggestions or work arounds would be appreciated.

NT4 is not supported in full clamwin and it should not have installed. You may try to copy Balloontip.pyd to C:\Program Files\ClamWin\lib\ from here:
https://files.clamwin.com/BalloonTip.pyd

Also there is a small GUI that works with NT:
https://oss.netfarm.it/clamav/

I found the NT4 specific kit ( clamwin-legacy-nt4-0.92.exe ) that I installed at

https://sourceforge.net/project/showfiles.php?group_id=105508&package_id=113616 https://sourceforge.net/project/showfiles.php?group_id=105508&package_id=113616

This kit installed just fine and its simple gui seems to work fine. The scans on my NT4 box ran fine. No viruses were found on either C: or D:. Tonight I will know if the automatic scheduler works since the weekly scan for C: runs close to midnight. The email notification works fine since I tested it. So far I have had no other problems with this kits except the BolloonTip.pyd showing up as zero-KB size (empty).

One question... is the kit at sourceforge.net not recommended ? Please advise.

Thanks for the pointers to the BalloonTip.pyd file. I have released it to the \lib subdirectory and will wait for the automatic update today past noon to see if fixes the error I am reporting.

I have also downloaded the gui wrapper you pointed me to and will explore its use once I hopefully fix the BalloonTip.pyd issue.

Will follow up with any updates on my situation.

The automatic database update fired up fine but this time I got a different error message window:

The procedure entry point GetMonitorInfoA could not be located in dynamic link library USER32.dll

This is a Windows OS DLL so the code calling that function was built under a later version of Windows. Thats my best guess. When I forced a virus database update, it displayed the following log contents

ClamAV update process started at Sat Mar 22 14:44:13 2008
Reading CVD header (main.cvd): OK (IMS)
main.cvd is up to date (version: 45, sigs: 169676, f-level: 21, builder: sven)
Reading CVD header (daily.cvd): OK
daily.inc is up to date (version: 6329, sigs: 64031, f-level: 26, builder: ccordes)
Please check if ClamAV tools are linked against the proper version of libclamav

The last line might be describing the issue. It appears downloading the virus database and running scans manually work. But using the tools like the scheduler does not. I tested a C: scheduled scan and got the same error message for USER32.dll.

So my guess is that I have to manually use clamwin on NT4 making sure I update the virus library before I do a manual scan of C: and D:. I'll live with that unless anyone has any other suggestions or work around techniques.

GetMonitorInfo is called by ballontip but the nt4 build should not have it, can you try to manually remove BalloonTip.pyd
from Clamwin\lib directory?

I removed the bolloontip file and the error message windows stopped. The automatic daily updates of the virus database do not run and the scheduled scans for C: and D: do not run either. There are no signs of executions for any of these in the logs. I was close to the box and am sure the virus scans did not execute either Saturday or Sunday nights. I am assuming the internal scheduler might be the culprit. The manually forced virus database updates and forced scans do execute. Like I said, I can live with that level of manual functionality. NT4 might not be worth the effort of fixing the clamwin tools under that ancient environment. Thanks for all the help and suggestions.

Did you manually de-select the show popup notifications in the Reports tab of ClamWin's Configurations?

Regards,

I followed your advise on de-selecting popups and in addition added the BalloonTip.pyd file back to \lib. From the Administrator account I was able to schedule a virus database load and a scan of C:\.

I updated a scheduled scan to run in the immediate future and logged out from Administrator. The time elapsed and nothing triggered. So I am assuming the code will attempt executing in the context of the account logged into the box. During the investigation of my issues I saw some topic header titles related to running clamwin as a service. I'll try to research this next since I need to force the scheduled executions to run under Administrator and I do not see any obvious way to do this but being logged into the Administrator account when the scheduled runs are to execute. Please advise if what I am trying to accomplish is doable. Like I said, I am perfectly content with manually forcing a virus db download before manually running a scan for C: and D: once a week. I do not want to waste anyones time or effort in this ancient OS environment.

it's clamtray that schedules scans, if no one is logged on, clamtray is not started, this is a known limitation

you may schedule an unattended scan using Windows Task Scheduler. Use this command line:

"C:\Program Files\ClamWin\bin\clamscan.exe" --keep-mbox --stdout --database="C:\Documents and Settings\All Users\.clamwin\db" --log="c:\clamscan.log" --no-phishing-sigs --no-phishing-scan-urls --no-mail --infected --recursive --exclude="[^\]*\.dbx$" --exclude="[^\]*\.tbb$" --exclude="[^\]*\.pst$" --exclude="[^\]*\.dat$" --exclude="[^\]*\.log$" --exclude="[^\]*\.evt$" --exclude="[^\]*\.nsf$" --exclude="[^\]*\.ntf$" --exclude="[^\]*\.chm$" --kill "C:\"

you may also schedule database updates:
save this text as "C:\Program Files\ClamWin\bin\freshclam.conf":

and run this command:
"C:\Program Files\ClamWin\bin\freshclam.exe" --stdout --datadir="C:\Documents and Settings\All Users\.clamwin\db" --config-file="C:\Program Files\ClamWin\bin\freshclam.conf" --quiet --log="c:\freshclam.log"

I followed your advise, and after tailoring the commands to my specific case and a bit of hassles with the WinNT4 scheduler, I was able to get three different events implemented and debugged to run under Administrator. One for the virus db download, one for the C: scan, and another one for the D: scan. They all seemed to execute fine and I found out that if nobody is logged in, the event runs fine. But if anyone logs in and then logs out (any account) while the event is executing, the event gets canceled by the WinNT4 scheduler. I don't want to take any chances. Even running the events during really odd hours. I left all three events disabled and will go with the weekly manual download followed by a scan of C: and D:. I don't want to waste any more time from anyone else on this.

Thanks for all your help and support. This is a great forum !

Hi all

I tried this on a Win Server and it works. But in the LogFile there isn't a date of the scan.
How can i see, when the scan was?

Thanks for answer
Daniel

use system commands:
date /t >>c:\clamscan.log
time /t >>c:\clamscan.log

thanks for the tip.