W32.Sality.Q-1 FOUND
kamudhar (Joined: 19 Jul 2008, Posts: 0, Location: India)
Hi,

I am on Win XP with ClamWin 0.93.1. I left the system unscanned for 2 weeks and now ClamWin tells me that I'm infected. I think the virus is bois32.exe. ClamWin shows W32.Sality_Q-1 FOUND or W32.Sality.Q-1 FOUND against every .exe file scanned so far.

I searched all ClamWin forums for this issue and found none.

Please tell me how to cleanup my hard-disk.

Thank you,
Murali
GuitarBob (Joined: 09 Jul 2006, Posts: 9, Location: USA)
Hoo Boy! This sounds like a good commercial for regular scans!

It may not be possible to entirely clean your computer, but you can try before you "reformat and reinstall." First, make sure that a couple of those infected files are really infected. Upload a couple of them (one at a time) to Jotti at https://virusscan.jotti.org/ on the Web. Jotti will do a free scan for you against 20 antivirus programs, including Clam. If more than three of them besides Clam find a file is infected, it is probably a real infection and not a false positive. If you have a false positive, tell Clam about it at https://cgi.clamav.net/sendvirus.cgi on the Web.

Assuming you have a real infection, my first suggestion is to run a memory scan with Threat Expert's free memory scanner. Download it at https://www.threatexpert.com/memoryscanner.aspx on the Web and install it. Delete anything it finds.

Next, I would download Dr. Web's free Cure It cleaning program at https://www.freedrweb.com/cureit/ on the Web. Download it on your Desktop--it doesn't really install anywhere as a program. It's an on-demand application. Run it, and the first scan will be fairly quick. Let it clean what it finds. Then do not quit the program. Click on the little green arrow and let it do a complete scan. Let it clean what it finds.

Then run Microsoft's free Malicious Software Removal Tool. It's probably already installed on your computer. On my XP machine, it's at C:\WINDOWS\system32\MRT.exe. The first run will be fairly quick. Afterwards, it will tell you if it has found and cleaned anything. If it has found something, do not quit the program. Tell it to run a complete scan--there may be more infections buried somewhere.

Then download and run F-Secure's Blacklight antirootkit program. It's a free download at https://www.antirootkit.com/software/F-Secure-BlackLight-Beta.htm on the Web. Download it on your Desktop--it doesn't really install anywhere as a program. It's an on-demand application. It says it is a beta program, but it's been around a couple of years now and is updated as needed. It doesn't actually remove rootkits it finds. It will ask you if it can rename the rootkit file(s). Tell it okay. It will give you a report (fsbl) on the desktop listing any rootkits it finds. Once the rootkit is renamed, you can then go to where it is on your computer and delete the renamed file.

Next, run another memory scan again with the Threat Expert tool.

Finally, run another scan with ClamWin. Be sure to update the database first. If it finds an infection(s), delete/quarantine it and start this whole process over again--ending with another ClamWin scan. If it still finds an infection, you will need some professional help. The ClamWin Antimalware Page may be of some assistance.

Once everything is cleared up, I suggest you run either the WinPatrol or Threatfire behavior blockers alongside ClamWin in the future. Both are free. WinPatrol can be found at https://www.winpatrol.com/ on the Web, and Threatfire is at https://www.threatfire.com/ on the Web. Both are low on resource requirements and are not too intrusive. My favorite is WinPatrol. It is not as comprehensive as Threatfire, but it will notify you of any major infections, and it is very informative. Set each monitoring clock for 1 minute, and you have nearly real-time monitoring. Threatfire does monitor in real-time.

Good luck!

Regards,
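The first step in the procedure above is to make sure the detections are real before spending hours cleaning. When ClamWin reports hundreds of hits, it helps to work from its scan log rather than from memory: count how many files each signature flagged and pick a couple of samples to upload to a multi-engine scanner such as Jotti. The script below is an added example, not code from the post or from the ClamWin project. It assumes the log is in clamscan's "path: SIGNATURE FOUND" / "path: OK" line format (ClamWin runs clamscan underneath), and the sample lines, file paths and the choice of Skype and Notepad++ as hit examples are constructed for illustration.

```python
# Added example (not from the ClamWin post or project): triage a clamscan-style
# log such as the one ClamWin writes, so you can see how many files were hit,
# by which signature, and pick a couple of samples to double-check at Jotti
# before trusting or dismissing the detection.
import hashlib
import re
from collections import Counter

# Constructed sample lines in clamscan's "<path>: <signature> FOUND" / "<path>: OK"
# format. The paths and the Skype/Notepad++ hits are made up for illustration.
SAMPLE_LOG = """\
C:\\WINDOWS\\system32\\bois32.exe: W32.Sality.Q-1 FOUND
C:\\Program Files\\Skype\\Phone\\Skype.exe: W32.Sality_Q-1 FOUND
C:\\Program Files\\Notepad++\\notepad++.exe: W32.Sality.Q-1 FOUND
C:\\WINDOWS\\notepad.exe: OK
C:\\Documents and Settings\\murali\\My Documents\\report.doc: OK
C:\\pagefile.sys: Empty file
"""

# The path is everything before the last ": <sig> FOUND"; signature names
# contain no spaces, so the greedy path group backtracks to the right spot.
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")


def parse_detections(log_text):
    """Return [(path, signature), ...] for every FOUND line, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = FOUND_RE.match(line.rstrip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def normalize_sig(sig):
    """The post shows both 'W32.Sality_Q-1' and 'W32.Sality.Q-1'; fold the
    separator so both spellings count as one family."""
    return sig.replace("_", ".")


def summarize(detections):
    """Counter of normalized signature -> number of flagged files."""
    return Counter(normalize_sig(sig) for _, sig in detections)


def pick_samples(detections, n=2):
    """Choose up to n flagged files to upload (one at a time) to a multi-engine
    scanner. Third-party .exe files are listed before anything under the
    Windows directory: a file-infector hit on an application binary is easier
    to confirm than one on a system file that other engines may whitelist."""
    ranked = sorted(detections,
                    key=lambda d: d[0].lower().startswith("c:\\windows"))
    return [path for path, _ in ranked[:n]]


def sha256_bytes(data):
    """SHA-256 hex digest; record it before uploading or deleting a sample so
    the scanner's verdict can be matched back to the exact file."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    """Hash a file on disk (not called on the constructed sample paths)."""
    with open(path, "rb") as f:
        return sha256_bytes(f.read())


if __name__ == "__main__":
    hits = parse_detections(SAMPLE_LOG)
    for sig, count in summarize(hits).most_common():
        print(f"{count:4d}  {sig}")
    print("upload first:", pick_samples(hits))
```

Feed the real ClamWin log to `parse_detections` instead of `SAMPLE_LOG`. If every signature in the summary is one Sality name and the flagged files are almost all `.exe`, that pattern (a file infector touching every executable) is consistent with a real infection rather than a one-off false positive; a single odd signature on a handful of files is the case worth sending to Jotti and, if clean, reporting to ClamAV.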
kamudhar (Joined: 19 Jul 2008, Posts: 0, Location: India)
Hi Bob,

Thanks for the reply. I'll try it next week, and update here once I have the results.

Thanks again,
Murali
GuitarBob (Joined: 09 Jul 2006, Posts: 9, Location: USA)
Good luck! Dr. Web claims they can cure infections or quarantine them if not. Also, here's a link to McAfee's workup on a recent version of Sality. Your version is probably similar. It's a bad one! https://vil.nai.com/vil/content/v_147094.htm

Regards,
kamudhar (Joined: 19 Jul 2008, Posts: 0, Location: India)
Hi Bob,

Here's a summary of what I did, and what happened as a result:

I didn't try jotti because I was 100% sure it's not a false positive. There were strange apps showing up in the task manager, and msconfig started showing unknown apps in the startup progs list even after I disabled them a couple of times.

ThreatExpert gave a clean chit to my memory; and I badly want to believe that's true. Other partitions on my hard disk run Ubuntu and Debian. I don't want them affected. The only reason I use XP is for compatibility with other people, and for Skype. Whatever I did, I just couldn't get Skype to work on any Debian based distro.

It was Cure It that found 700+ infections and cured most of them; others it quarantined. But I'm doing a second scan while I'm writing this; it has scanned 38k odd files (of the 406k files) and cured 67 more infections.

MRT found nothing wrong with the system. A true blue MS tool.

fsbl reported no rootkits.

I'll install WinPatrol once I am through with the second scan.

Thank you,
Murali
GuitarBob (Joined: 09 Jul 2006, Posts: 9, Location: USA)
Sounds like CureIt is doing a good job. Be sure you let it run a full scan. MSRT has signatures for prevalent stuff and is a month or two behind, but I suggested it because it's free, and it can find some new variants of the old stuff if it hasn't been changed too much. After you're through with CureIt, keep it around and run it occasionally--it will tell you when you need to update it.

The free version of WinPatrol will alert you to a lot of bad stuff just after it's placed on your computer, and you can kill it. About the only thing you'll have to configure is to set each function's monitoring clock to 1 minute to approximate real-time monitoring.

Regards,