restoring quarantined files

GuitarBob
Whew! Two thousand files is quite a few! ClamWin doesn't do any cleaning (just Notify/Remove/Quarantine), and it doesn't have a Restore function. When you have an infection, it's usually just a few files that are affected, and, if needed, you can restore them manually if you have placed them in quarantine with just a little work.
The scan logs will tell you the source of an infection, and you can use Windows Explorer to move the file back to where it was. You will have to remove the "infectedDOT" and "DOTren" from the name that ClamWin inserts in the filename when it is quarantined before you can use it again. The Windows directory files are the most important, of course, but many infections just put a file in the Windows directory and the system32 subdirectory. I used to Quarantine, but I once had a false positive in the Windows logon file, and I lost my system. Since then, I set ClamWin to Notify me of infections. I hope this helps. I think you need some heavy duty help. Regards,

breeness
eek! so I have to move all 2000 files back whence they came manually?
oh boy...

GuitarBob
I'm afraid that's correct--unless there is a guru (Alch/Sherpya/Budtse) that says otherwise. I would concentrate upon the C:\Windows stuff first.
This could alert the ClamWin programmers to implement some Restore function in a later updated version. Some/many/all of the infections, however, are bound to be real, so they will still be around if restored. You might run an antivirus cleaner--like Dr. Web's Cureit or Norman's tool once restoration is done. Can you post a page or two of your scan log here? Let's see what sort of files it found. Regards,

breeness
Yikes, that's gonna be a nightmare! Hahaha...
I don't have my computer with me (at work on the East Coast) so I won't be able to paste the log here... but I am fairly certain it was 32.lud the wormy that's been propagating itself throughout my system. I never really wised up to the whole virus thing. I still run my computer like I always have and keep forgetting that I've had the internet for the past ten years hahaha. That would be a good feature to add to the program, seeing as intuitively, I think most people click Quarantine at the get-go and can easily lose things in there, just as you had mentioned. I downloaded AVAST. I don't know if this is the correct cleaning type thing, because all it seemed to want to do was also quarantine my files. I said a prayer to the computer gods and restarted before I headed out to work, and the system booted alright, so at least that's a relief. I should be able to post a log in 6 hrs or so... I hope you're around then~ Thanks a billion for your help. This will be quite a project

GuitarBob
Well, if the PC works, that doesn't sound too bad. I'm no expert--just wanted to see what sort of infection/files were involved. If there's only one malware involved, 2000 infections is quite a bit. Perhaps you could restore from quarantine what is really important and just delete the rest and then run one of the "cleaner" tools. There may be a specific tool for it.
Avast is pretty good--they've really improved it lately with rootkit protection and some other stuff. I should be around in six hours--for whatever help I can provide. Regards,

breeness
You are a great great man, Guitar Bob--- Thanks!

GuitarBob
Here's my (nonexpert) suggestion:
First, see if you can find out something about the virus/worm/malware-- you might find something that will help. If you have to go the manual route, see if Windows is working okay as it is-- make sure you can get around in Windows Explorer and copy/move/delete (use dummy files, of course) and access all programs from the desktop--make sure all programs that are important to you are working. Then see what types of files have been quarantined. If everything works okay, those files probably aren't important to you--delete them from quarantine, but first set a System Restore Point just in case. If everything works as it should after some further testing, run Disk Cleanup and then run another virus scan. If all is okay, disable System Restore to prevent later restoring any infection, and then Enable it again and set a new System Restore point. If something important to you is "broken" and won't work (especially Windows), try a System Restore back to some point in time--see if that helps. If that doesn't help, see if you can Restore further (back a couple of times if needed). If that still doesn't help, I guess you'll have to reinstall Windows. Run another scan afterwards. Until version 1.0 is released (when ???), ClamWin works best as a backup scanner to a real-time, on-access scanner. AntiVir, AVG, and Avast are all free, and they are pretty good. Regards,

Nathaniel Stargazer
Hi, If you would like to know the details of the 32.lud worm, then I highly recommend navigating to www.threatexpert.com and searching for the 32.lud worm. ThreatExpert is an advanced automated threat analysis system that trawls the Internet for all sorts of threats. Then, it grabs a copy of the threat and executes it in a virtual environment, before generating an automatic report based on the results of the threat. Using this information, you can then see whether any of the registry keys (or anything else) in your system match that of 32.lud worm, and if so you can take the necessary steps to remove it. Sincerely, Nathaniel.

breeness
here's a bit of the log:

joy

GuitarBob
All I see is two malwares--Trojan 4439 and the Ludder thingie. The infected files all seemed to be found in the Windows\System32 subdirectory. Most of the files look like "manufactured" names, and I don't think they are real system files. A few could be genuine system files: MRT is the Microsoft Malicious Software Removal Tool (which you can download from MS), MSIE is Microsoft Internet Explorer, and there is MSPAINT (Paint Program) and NETSH (network shares).
If Windows (including Internet Explorer and other important functions) still operates okay (check it out good), I would delete everything in quarantine, disable System Restore (so you don't restore any of the infections in the future), and then run Disk Cleanup (Start, All Programs, Accessories, System Tools), and then run System File Checker (Start, Run, type: sfc /scannow, OK). Note there is a space between sfc and the slash. The system check will take a long time--maybe 45 minutes or so. If something needs restoring, you will need your Windows installation CD. When done, re-enable System Restore and set a new restore point. Finally, set ClamWin General Infected File preferences to Report Only. You can check the scan log after a scan to locate any infections. If you want, you can select Pop Up Notifications in Reports Preferences. All this assumes you have a Windows XP machine. Good luck! Regards,
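The triage described in the post above (count the signatures, then separate detections on real Windows binaries from made-up file names) can be automated over a scan log; this is an added example, not part of the original thread or of ClamWin. The `KNOWN_SYSTEM` list, the `WINDOWS_DIR` value and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Scan-log detection entry: "<path>: <signature> FOUND". The path is matched
# from the drive letter up to the next ": ", so entries that were run together
# on one line (as in a pasted log) are still separated correctly.
DETECTION = re.compile(r"(?P<path>[A-Za-z]:\\[^:\r\n]+?): (?P<sig>\S+) FOUND")

# Assumptions for this example: the Windows directory and a short list of
# binaries known to ship with Windows. Build the real list from a clean install.
WINDOWS_DIR = "c:\\windows\\"
KNOWN_SYSTEM = {"mspaint.exe", "netsh.exe", "msiexec.exe", "ipconfig.exe", "mrt.exe"}


def triage(log_text, known=KNOWN_SYSTEM, windows_dir=WINDOWS_DIR):
    """Count detections per signature and split system files from the rest."""
    by_signature = Counter()
    repair, other = [], []
    for match in DETECTION.finditer(log_text):
        path = PureWindowsPath(match.group("path"))
        by_signature[match.group("sig")] += 1
        # Windows paths are case-insensitive; a system name outside the
        # Windows directory is not treated as a system file.
        is_system = (path.name.lower() in known
                     and str(path).lower().startswith(windows_dir))
        (repair if is_system else other).append(str(path))
    return {"by_signature": dict(by_signature), "repair": repair, "other": other}


# Constructed sample in the thread's log format (not the poster's actual log).
SAMPLE_LOG = (
    "C:\\WINDOWS\\system32\\abcde.exe: Trojan.Agent-4439 FOUND\n"
    "C:\\WINDOWS\\system32\\MSPAINT.EXE: W32.Luder-1 FOUND "
    "C:\\WINDOWS\\system32\\IME\\fghij.exe: Trojan.Agent-4439 FOUND\n"
    "C:\\WINDOWS\\system32\\notepad.exe: OK\n"
    "C:\\Program Files\\Some App\\netsh.exe: W32.Luder FOUND\n"
)

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for sig, count in sorted(result["by_signature"].items()):
        print(f"{count:4d}  {sig}")
    print("Replace from clean media (sfc /scannow):", *result["repair"], sep="\n  ")
    print("No known system name:", *result["other"], sep="\n  ")
```

A file in the `repair` list is matched by name and location only, which identifies its role but says nothing about whether the copy on disk is clean.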
breeness
Great! thanks for the tips!
I will try that when I get home! And yes, XP is my OS. My brain is still hanging out with 98 though.