ClamWin Free Antivirus Forum Index
Virii found
LordBurig


Joined: 31 Oct 2008
Posts: 0
Location: London
Hi,
I'm new to the site, and new to ClamWin. I was having trouble yesterday with a worm on my computer as well as another bad virus. A friend of mine remotely accessed my computer and helped me out, also installing ClamWin.

He advised me to do a scan tomorrow (which is today).

I wasn't sure if I had to do anything, so I just ran it on the D and C drives, and it came up with:
Scan Started Fri Oct 31 08:15:09 2008

-------------------------------------------------------------------------------
C:\Boot\BCD: Permission denied
C:\hiberfil.sys: Permission denied
C:\pagefile.sys: Permission denied
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb: Permission denied
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb: Permission denied
C:\Users\Alex\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1: Permission denied
C:\Users\Alex\ntuser.dat.LOG1: Permission denied
C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\tmp.edb: Permission denied
C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb: Permission denied
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1: Permission denied
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1: Permission denied
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0: Permission denied
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0: Permission denied
C:\Windows\System32\catroot2\127D0A1D-4EF2-11D1-8608-00C04FC295EE\catdb: Permission denied
C:\Windows\System32\catroot2\F750E6C3-38EE-11D1-85E5-00C04FC295EE\catdb: Permission denied
C:\Windows\System32\config\COMPONENTS: Permission denied
C:\Windows\System32\config\COMPONENTS.LOG1: Permission denied
C:\Windows\System32\config\DEFAULT: Permission denied
C:\Windows\System32\config\DEFAULT.LOG1: Permission denied
C:\Windows\System32\config\RegBack\COMPONENTS: Permission denied
C:\Windows\System32\config\RegBack\DEFAULT: Permission denied
C:\Windows\System32\config\RegBack\SAM: Permission denied
C:\Windows\System32\config\RegBack\SECURITY: Permission denied
C:\Windows\System32\config\RegBack\SOFTWARE: Permission denied
C:\Windows\System32\config\RegBack\SYSTEM: Permission denied
C:\Windows\System32\config\SAM: Permission denied
C:\Windows\System32\config\SAM.LOG1: Permission denied
C:\Windows\System32\config\SECURITY: Permission denied
C:\Windows\System32\config\SECURITY.LOG1: Permission denied
C:\Windows\System32\config\SOFTWARE: Permission denied
C:\Windows\System32\config\SOFTWARE.LOG1: Permission denied
C:\Windows\System32\config\SOFTWARE.LOG2: Permission denied
C:\Windows\System32\config\SYSTEM: Permission denied
C:\Windows\System32\config\SYSTEM.LOG1: Permission denied
C:\Windows\System32\drivers\sptd.sys: Permission denied
C:\Windows\Temp\TMP00000040A8265902CD7DB29B: Permission denied
C:\$RECYCLE.BIN\S-1-5-21-725849995-107745728-2306587698-1000\$R2YQF4X\daemon403-x86.exe: Adware.WhenU-6 FOUND
C:\Program Files\Airport Mania - First Flight\bbsftgw.exe: Trojan.Mybot-10203 FOUND
C:\Users\Alex\AppData\Local\VirtualStore\Windows\System32\epzbm6r346.ini: Trojan.Ciadoor.13.A FOUND
C:\Users\Alex\Desktop\Adobe\Photoshop CS3\Adobe PhotoShop CS3 Extended Patch By P!mPdOG.ExE: Trojan.Agent-29999 FOUND
C:\Users\Alex\Desktop\Adobe\Photoshop CS3\KG + Patch\Extended Version\Option 3\Adobe_PhotoShop_CS3_Extended_Patch_By_P!mPdOG.zip: Trojan.Agent-29999 FOUND
C:\Users\Alex\Desktop\daemon 403-x86.rar: Trojan.Ciadoor.13.A FOUND
C:\Users\Alex\Desktop\Sketchup\Google.SketchUp.Pro.v6.4.112.-DobbInBR\Keymaker.exe: Trojan.LdPinch-3524 FOUND
C:\Windows\System32\epzbm6r346.ini: Trojan.Ciadoor.13.A FOUND
C:\Windows\System32\wsock32.sys: Trojan.Ciadoor.13.C FOUND

----------- SCAN SUMMARY -----------
Known viruses: 452828
Engine version: 0.94
Scanned directories: 19306
Scanned files: 142080
Infected files: 9
Data scanned: 36543.45 MB
Time: 11956.332 sec (199 m 16 s)
--------------------------------------
Completed
--------------------------------------

Having not used ClamWin myself, I wasn't sure if this did anything but tell me what virii I have on my laptop, or if it quarantined them, or deleted them.

Could anyone help?

Much obliged,
Alex.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
ClamWin has Preferences that you can configure for various scanning options. The General Preferences are probably the most important for you. One of them is the Infected Files preference which tells ClamWin what to do when it finds an infection. The default is Report Only, although you can select Remove or Move to quarantine. ClamWin comes configured to Report Only, which I like to keep. If you Remove or Move/Quarantine, you could lose Really Important Files if ClamWin has a "false positive" detection--when it detects a virus when there really isn't one (it happens once in a while because viruses can use similar code to "good" software). A Really Important File would be a Windows system file or one for which you don't have a backup.

If you aren't very computer literate, in most cases, the Move/Quarantine option is okay, but you've been warned about false positives. Right beside the Move/Quarantine option, you will see the location of ClamWin's quarantine folder on your computer--if you do decide to use it.

What a lot of people do when ClamWin finds an infected file is to upload it to Jotti at https://virusscan.jotti.org/ on the Web or VirusTotal at https://www.virustotal.com/ on the Web. Either service will scan your infected files for free (one at a time) with multiple antivirus programs. If more than a couple of antivirus programs besides Clam say a nonsystem file is infected, it probably is, and if you use Report Only, you should manually remove it from your computer (go to the directory on your computer where the file is, right click on the file, and delete it).

It looks like you have several viruses--probably mainly password stealers. ClamWin can only Report, Remove or Move. In this particular case, I think you could set your preferences to Quarantine to move the infected files to the quarantine folder. They will stay there until you manually delete them.

Regards,
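As an added example (not code from the thread or from the ClamWin project), here is a small parser for the report format pasted above. It separates the FOUND lines from the "Permission denied" lines (those files were locked and were not scanned at all, so the report says nothing about them), groups detections by signature, and flags the hits under the Windows directory, which is where the false-positive warning in the reply above matters most: those are the files you want a second opinion on before removing. Assumptions: the report format is exactly the one pasted in this thread, and "Windows system file" is taken to mean anything under `<drive>:\Windows\`. The sample embedded in the script is an excerpt of the posted report.

```python
import re
from dataclasses import dataclass, field

# One result per line: "<path>: <signature> FOUND" for a detection, or
# "<path>: Permission denied" for a file that was locked and NOT scanned,
# followed by a SCAN SUMMARY of "Key: value" lines.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
DENIED_RE = re.compile(r"^(?P<path>.+?): Permission denied$")
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")
# Assumption: a "Windows system file" is anything under <drive>:\Windows\.
# UAC VirtualStore copies sit under the user profile and are not counted.
SYSTEM_DIR_RE = re.compile(r"^[A-Za-z]:\\Windows\\", re.IGNORECASE)

@dataclass
class Finding:
    path: str
    signature: str

    @property
    def is_system(self) -> bool:
        return bool(SYSTEM_DIR_RE.match(self.path))

@dataclass
class Report:
    found: list = field(default_factory=list)    # Finding objects
    denied: list = field(default_factory=list)   # paths that were not scanned
    summary: dict = field(default_factory=dict)  # SCAN SUMMARY key -> value

def parse_report(text: str) -> Report:
    rep = Report()
    in_summary = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("----------- SCAN SUMMARY"):
            in_summary = True
            continue
        if in_summary:
            m = SUMMARY_RE.match(line)
            if m:
                rep.summary[m.group("key")] = m.group("value")
            continue
        m = FOUND_RE.match(line)
        if m:
            rep.found.append(Finding(m.group("path"), m.group("sig")))
            continue
        m = DENIED_RE.match(line)
        if m:
            rep.denied.append(m.group("path"))
    return rep

def triage(rep: Report):
    """Detections under the Windows directory (get a second opinion before
    removing) versus everything else (deletable by hand)."""
    system = [f for f in rep.found if f.is_system]
    other = [f for f in rep.found if not f.is_system]
    return system, other

def by_signature(rep: Report) -> dict:
    """Detected paths grouped by signature: one family in several places
    (Trojan.Ciadoor.13.A below) is usually one infection, not several."""
    groups = {}
    for f in rep.found:
        groups.setdefault(f.signature, []).append(f.path)
    return groups

# Excerpt of the report posted in this thread: three "Permission denied"
# lines, all nine detections and part of the summary.
SAMPLE_REPORT = r"""
C:\Boot\BCD: Permission denied
C:\Users\Alex\ntuser.dat.LOG1: Permission denied
C:\Windows\System32\drivers\sptd.sys: Permission denied
C:\$RECYCLE.BIN\S-1-5-21-725849995-107745728-2306587698-1000\$R2YQF4X\daemon403-x86.exe: Adware.WhenU-6 FOUND
C:\Program Files\Airport Mania - First Flight\bbsftgw.exe: Trojan.Mybot-10203 FOUND
C:\Users\Alex\AppData\Local\VirtualStore\Windows\System32\epzbm6r346.ini: Trojan.Ciadoor.13.A FOUND
C:\Users\Alex\Desktop\Adobe\Photoshop CS3\Adobe PhotoShop CS3 Extended Patch By P!mPdOG.ExE: Trojan.Agent-29999 FOUND
C:\Users\Alex\Desktop\Adobe\Photoshop CS3\KG + Patch\Extended Version\Option 3\Adobe_PhotoShop_CS3_Extended_Patch_By_P!mPdOG.zip: Trojan.Agent-29999 FOUND
C:\Users\Alex\Desktop\daemon 403-x86.rar: Trojan.Ciadoor.13.A FOUND
C:\Users\Alex\Desktop\Sketchup\Google.SketchUp.Pro.v6.4.112.-DobbInBR\Keymaker.exe: Trojan.LdPinch-3524 FOUND
C:\Windows\System32\epzbm6r346.ini: Trojan.Ciadoor.13.A FOUND
C:\Windows\System32\wsock32.sys: Trojan.Ciadoor.13.C FOUND
----------- SCAN SUMMARY -----------
Engine version: 0.94
Scanned files: 142080
Infected files: 9
"""

if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    system, other = triage(rep)
    print(f"{len(rep.found)} detections; {len(rep.denied)} files not scanned")
    for label, group in (("System files:", system), ("Other files:", other)):
        print(label)
        for f in group:
            print(f"  {f.path}  [{f.signature}]")
```

Run it on a saved ClamWin log (`parse_report(open(path).read())`). The two files it puts in the system bucket here are the ones to hash and look up on VirusTotal or Jotti first; the rest of the list is downloads and cracks that can simply be deleted.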
LordBurig


Joined: 31 Oct 2008
Posts: 0
Location: London
Thank you!
They're all deleted now, but there is still one problem:

Whenever I turn on the computer, a box pops up saying:

"Could not load or run 'C:\windows\system32\scvhost.exe' specified in the registry. Make sure that the file exists on your computer or remove the reference to it in your registry"

I've checked in the System32 folder, and, as I thought, I didn't find it.

I thought I might be able to find it using HijackThis, or remove the traces of it that are causing the computer to say that. Opening HijackThis, I ran it with a logfile, but it said that it couldn't scan all areas unless I was administrator. Closing it, I tried to open it again with 'Run as administrator', but it said HJT was already running.
Pressing Ctrl+Alt+Del, there was no Task Manager option, so I can't close it. D:
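The dialog quoted in the post above appears when an autostart entry still names a file that is no longer on disk, which is exactly what deleting a detected file by hand leaves behind. The script below is an added example, not code from the thread or from any of the tools mentioned in it: it walks the common autostart locations, resolves each command line to the program it would launch the way CreateProcess does (quoted path, or successive space-delimited prefixes with and without `.exe`, or a bare name looked up in the system directories), and reports every entry whose program is missing. Assumptions, all mine: that the Run/RunOnce keys and the Winlogon `Shell`/`Userinit` values are the locations involved (Sysinternals Autoruns covers many more); that it runs under a 64-bit Python on Windows so the HKLM view is not redirected; the `winreg` module is the standard library one; and every path in the test is constructed.

```python
import ntpath
import os

# Autostart locations this check reads. The third field restricts the Winlogon
# key to its two command-carrying values; every value of a Run/RunOnce key is
# a command. Assumption: these are the keys behind the "Could not load or run
# ... specified in the registry" dialog. Autoruns covers far more locations.
AUTOSTART_KEYS = [
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run", None),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce", None),
    ("HKLM", r"Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run", None),  # 64-bit only
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run", None),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce", None),
    ("HKLM", r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon", ("Shell", "Userinit")),
]

def split_commands(value, comma_list=False):
    """Winlogon values hold a comma-separated list (Userinit normally ends in
    a trailing comma); a Run value holds exactly one command line."""
    if not comma_list:
        return [value]
    return [c.strip() for c in value.split(",") if c.strip()]

def resolve_command(cmd, exists=os.path.exists, search_dirs=()):
    """Return (target, found) for one autostart command line, locating the
    program the way CreateProcess does: a leading quote delimits it; otherwise
    successive space-delimited prefixes are tried, with and without .exe;
    a bare name is looked up in search_dirs."""
    cmd = ntpath.expandvars(cmd.strip())
    if not cmd:
        return "", False
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        candidates = [cmd[1:end] if end > 0 else cmd[1:]]
    else:
        parts = cmd.split(" ")
        candidates = [" ".join(parts[:i]) for i in range(1, len(parts) + 1)]
    for cand in candidates:
        for name in (cand, cand + ".exe"):
            if ntpath.dirname(name):          # a path was given
                if exists(name):
                    return name, True
            else:                             # bare name: search the usual dirs
                for d in search_dirs:
                    full = ntpath.join(d, name)
                    if exists(full):
                        return full, True
    return candidates[0], False

def find_dangling(entries, exists=os.path.exists, search_dirs=None):
    """entries: iterable of (location, value_name, command). Returns those
    whose program cannot be found, i.e. the ones that raise the dialog."""
    if search_dirs is None:
        sysroot = os.environ.get("SystemRoot", r"C:\Windows")
        search_dirs = [ntpath.join(sysroot, "System32"), sysroot]
        search_dirs += os.environ.get("PATH", "").split(os.pathsep)
    dangling = []
    for location, name, cmd in entries:
        target, found = resolve_command(cmd, exists, search_dirs)
        if not found:
            dangling.append((location, name, cmd, target))
    return dangling

def read_autostart_entries():
    """Enumerate the keys above. Windows only: winreg is not importable
    elsewhere. Use a 64-bit Python so the HKLM view is not redirected."""
    import winreg
    roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    entries = []
    for hive, subkey, only_values in AUTOSTART_KEYS:
        try:
            key = winreg.OpenKey(roots[hive], subkey)
        except OSError:
            continue  # key absent, e.g. Wow6432Node on 32-bit Windows
        with key:
            index = 0
            while True:
                try:
                    name, value, vtype = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values
                index += 1
                if vtype not in (winreg.REG_SZ, winreg.REG_EXPAND_SZ):
                    continue
                if only_values and name not in only_values:
                    continue
                for cmd in split_commands(value, comma_list=only_values is not None):
                    entries.append((hive + "\\" + subkey, name, cmd))
    return entries

if __name__ == "__main__":
    for location, name, cmd, target in find_dangling(read_autostart_entries()):
        print(f"{location}\n  value {name!r} = {cmd!r}\n  not found: {target}")
```

Run it in the account that sees the dialog. Before deleting a reported value, export its key (`reg export <key> backup.reg`) so the change can be reverted, then remove just that value (`reg delete <key> /v <name>`), not the whole key, since the legitimate entries beside it are still needed. An entry the script does not flag is not necessarily clean; it only answers the narrower question of which reference points at nothing.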
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
If you get that message and everything is running okay, you may still have a trace of one of those malwares in your system registry. Go to Microsoft's Clean Up Center at https://onecare.live.com/site/en-us/center/cleanup.htm on the Web and run all three of their free scans--safety, cleanup and tuneup. This may help. If it doesn't, you might get a trial version of one of the commercial registry cleaners--try the one from PC Tools at their website. Some registry cleaners are scams, but theirs is a safe/reliable one. If these two approaches don't help, I guess Plan C would be to get professional help.

Malware frequently gets lots of hooks into your system, and ClamWin may not be able to clean up everything if you are already infected. That's why you need to scan regularly--before any infections. You should also use ClamWin as a backup scanner until the developers release a real-time/on-access version (no release date yet). There are some good free ones available from Avira and Alwil, but if you use ThreatFire (free from PC Tools), you are already covered.

Regards,