CommonUI.dll Trojan.Swizzor.Gen FOUND
surfeagle


Joined: 15 Oct 2009
Posts: 0
Location: colorado
Step 1. I uninstalled Photoimpact x3 and deleted the dir.
Step 1b. I ran an Advanced search for CommonUI.dll on drive C: with "include non-indexed, hidden and system files". The CommonUI.dll file was not found at all.

Step 2. I ran Clamwin and the computer was clean.

Step 3. Then I reinstalled Photoimpact x3 with default settings.

Step 4. Then immediately I ran Clamwin again and it found the Trojan again in the same folder:
C:\Program Files\Corel\Ulead PhotoImpact X3\CommonUI.dll: Trojan.Swizzor.Gen FOUND
Step 4b. I ran an Advanced search for CommonUI.dll on drive C: with "include non-indexed, hidden and system files". The only place there is a CommonUI.dll on the whole of C: is in the Photoimpact X3 dir.

How is it that the only thing I did was install Photoimpact and the trojan shows up? I did not open a browser at all during the process of uninstalling or installing, I did not go to the internet, I did not check email (I don't even have email set up on that computer), I did not run any other programs except the Photoimpact 3x installer from its CD and Clamwin immediately after the install. Where is it coming from if not the install?
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
The generic detections get a certain amount of false positive detections, and that is probably what you have--a false detection. Viruses can use the same code that is used by legitimate programs. After all, a virus is just a program.

Verify the file by submitting it to the free Jotti online scanning service. If fewer than 5 AVs on Jotti spot an infection, submit it to Clam as a false positive. Tell them it is a false positive and give the Jotti results. They will test the file and adjust their signature.

Regards,
SandyLand


Joined: 17 Oct 2009
Posts: 0
I also found TROJAN.SWIZZOR.GEN in one .CAB file --C:\windows\options\cabs\videodriver-810-2\language\plk\diaglang.dll. The Windows .CAB files come loaded on the CD as well.

I don't know how to extract a single file from a .CAB file, and not sure what 'jotti' is, and if it would even run on WinME. Any ideas? Thanks in advance!
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Jotti is a free service on the web for scanning files to verify an infection. They use 21 antivirus programs to scan a file when you upload it to them. Jotti is at https://virusscan.jotti.org/en on the web. The AVs they use are high quality.

You might be interested in the ClamSentinel "front end" for ClamWin at https://sourceforge.net/projects/clamsentinel/ on the web.

Regards,
sushi


Joined: 21 Jan 2010
Posts: 0
I'm having a similar problem. When I run ClamWin it shows a file found with Trojan.Swizzor.Gen, and states that it has been removed (see below). If I run the scan again, however, it says the same thing. I've also tried using Dr Web Live CD and Malwarebytes, which both show nothing. The problem is that the full file path is too long to be fully displayed by the scanner results (it misses a bit out in the middle). I've tried searching for some part of the file name but nothing comes up. So I don't know the file name or exactly where it is to send a copy to Jotti, so I can't be sure if it's a false positive. Any suggestions?

From the scanner log:

C:\Windows\winsxs\x86_microsoft-windows-e..-ehepgres.resources_31bf3856ad364e35_6.1.1000.18273_tk-tm_4c7254e9677fa605\ehepgres.dll.mui: Trojan.Swizzor.Gen FOUND
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Do a search on your computer for ehepgres.dll.mui and copy/paste to your desktop. From there you can go to VirusTotal and upload it for a scan. In fact, VirusTotal has a nice little program you can download that will give you the ability to send a file to them by right clicking on the file in Windows Explorer.

The filename ehepgres.dll.mui has a double extension--always suspicious, but I haven't seen many viruses hiding out in the winsxs directory. The Generic signatures sometimes have a problem with false positives though. Funny the file keeps coming back on you, however.

Shame on you though for setting ClamWin's infected files option to Remove, instead of Report only. You could have a problem if there is a false positive on Winlogon or some other important system file. You certainly want to be conservative when ClamWin version .96 comes out (maybe in February) with PE file heuristics, which can be touchy!

Regards,
sushi


Joined: 21 Jan 2010
Posts: 0
For some reason scanning for ehepgres.dll.mui didn't produce any results, and there were hundreds of folders with very similar lengthy paths. Eventually, after some trial and error, I managed to spot the file, and sent it to VirusTotal. This has been tested before and it seems OK. So thanks for the help. Also thanks for the advice re. not having ClamWin set to remove, although in my defence I didn't install it! Advice taken though.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Both Jotti and VirusTotal are free services on the web for scanning files with multiple antivirus programs, including ClamAV, which furnishes the scan engine and signatures used by ClamWin. Jotti is at https://virusscan.jotti.org/en and VirusTotal is at https://www.virustotal.com/ on the web. You can also upload a file to Threat Expert at https://www.threatexpert.com/submit.aspx on the web, where they will actually run the file on their computer and give you a report of what happened via email. They usually provide a threat rating--if they don't, the file is probably okay.

Regards,
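An added triage helper for the workflow discussed in this thread; it is not code from the forum, from ClamWin or from ClamAV. It parses result lines of the "path: Signature FOUND" form shown above, finds a flagged file by its bare name when the logged path is too awkward to retype, hashes it for a multi-engine lookup or false-positive report, and applies GuitarBob's "fewer than 5 engines" rule of thumb. The sample log lines, the temporary directory tree and the engine count are constructed.

```python
import hashlib
import os
import re
import tempfile

# Constructed sample of ClamWin result lines (not a real scan log).
SAMPLE_LOG = """\
C:\\Program Files\\Corel\\Ulead PhotoImpact X3\\CommonUI.dll: Trojan.Swizzor.Gen FOUND
C:\\Windows\\winsxs\\x86_microsoft-windows-e..-ehepgres.resources_31bf3856ad364e35_6.1.1000.18273_tk-tm_4c7254e9677fa605\\ehepgres.dll.mui: Trojan.Swizzor.Gen FOUND
C:\\Windows\\System32\\kernel32.dll: OK
"""
# A result line is "<path>: <signature> FOUND". The path itself contains "C:\",
# so split on the last ": " before the signature (which has no spaces).
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")

def parse_found(log_text):
    """Return [(path, signature)] for every FOUND line; OK lines are skipped."""
    matches = (FOUND_RE.match(line.strip()) for line in log_text.splitlines())
    return [(m.group("path"), m.group("sig")) for m in matches if m]

def sha256_file(path):
    """Hash the file; the hash identifies it in a multi-engine lookup or FP report."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def locate(filename, root):
    """Case-insensitive walk for a bare file name (the awkward winsxs path case)."""
    want = filename.lower()
    return [os.path.join(d, f) for d, _, files in os.walk(root)
            for f in files if f.lower() == want]

def triage(sig, engines_flagging):
    """Thread's rule: a .Gen hit that fewer than 5 multi-engine scanners confirm is an FP candidate."""
    if sig.lower().endswith(".gen") and engines_flagging < 5:
        return "likely false positive: report to ClamAV with the multi-engine results"
    return "treat as infected: quarantine and investigate"

def demo():
    root = tempfile.mkdtemp()  # constructed tree standing in for C:\Windows
    deep = os.path.join(root, "winsxs", "x86_constructed_component")
    os.makedirs(deep)
    with open(os.path.join(deep, "EHEPGRES.DLL.MUI"), "wb") as f:
        f.write(b"abc")  # constructed content, not a real MUI resource
    out = {}
    for path, sig in parse_found(SAMPLE_LOG):
        name = path.rsplit("\\", 1)[-1]
        found = locate(name, root)
        out[name] = {"sig": sig, "hash": sha256_file(found[0]) if found else None,
                     "verdict": triage(sig, engines_flagging=1)}  # 1 is a constructed count
    return out
```

Run demo() to see the two FOUND entries: the planted ehepgres.dll.mui gets a hash and a false-positive verdict, while CommonUI.dll is reported as not present in the constructed tree.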