Clamwin Antivirus run and report submission and help
MADS13


Joined: 22 Sep 2009
Posts: 0
Location: India
Hi All

First timer to ClamWin, and first time ever seeking online help. Total noob. Ran ClamWin and got the following report. It may be of use to ClamWin. Need help here:

1. How to send this report to clamwin team. My small effort to announce if there are new bugs.
2. How to clean my system.

I have asked questions side by side along the error report. Most of the questions would have been answered already. Please guide me to the thread at least.

Thanks in advance

----------------------------------------------
Scan Started Mon Sep 21 14:52:09 2009
-------------------------------------------------------------------------------

C:\WINDOWS\system32\config\SECURITY: Permission denied - WHY THIS???????
C:\WINDOWS\system32\config\SAM: Permission denied - WHY THIS???????
C:\WINDOWS\system32\config\SYSTEM: Permission denied - WHY THIS???????
C:\WINDOWS\system32\config\SOFTWARE: Permission denied - WHY THIS???????
C:\WINDOWS\system32\config\DEFAULT: Permission denied - WHY THIS???????
C:\WINDOWS\system32\drivers\sptd.sys: Permission denied - WHY THIS???????
C:\WINDOWS\system32\rvliv.dll: Permission denied - WHY THIS???????
C:\Documents and Settings\house\Application Data\Mozilla\Firefox\Profiles\lgoy0wi1.default\cookies.sqlite-journal: Permission denied - WHY THIS???????
C:\pagefile.sys: Permission denied - WHY THIS???????
D:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Data\master.mdf: Permission denied - WHY THIS???????
D:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Data\mastlog.ldf: Permission denied - WHY THIS???????
D:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Data\model.mdf: Permission denied - WHY THIS???????
D:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Data\modellog.ldf: Permission denied - WHY THIS???????
D:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Data\tempdb.mdf: Permission denied - WHY THIS???????
D:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Data\templog.ldf: Permission denied - WHY THIS???????

There are Trojan, worm and other malware infections. How to remove them?

C:\WINDOWS\system32\firefox.exe: Trojan.Mybot-8436 FOUND - WHY THIS AND HOW TO REMOVE ???????
C:\WINDOWS\system32\01.tmp: Trojan.Rootkit-1503 FOUND - WHY THIS AND HOW TO REMOVE ???????
C:\WINDOWS\system32\02.tmp: Trojan.Rootkit-1503 FOUND - WHY THIS AND HOW TO REMOVE ???????
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OL6NOPEZ\rjfibdmu[1].jpg: Worm.Agent-200 FOUND - WHY THIS AND HOW TO REMOVE ???????
C:\Program Files\VVSN\VVSN.exe: Adware.WhenU-6 FOUND - WHY THIS AND HOW TO REMOVE ???????
C:\System Volume Information\_restore3F4523DC-71E4-41AF-8245-0D11E977E179\RP111\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-1757981266-602609370-839522115-1003: Worm.Autorun-1838 FOUND - WHY THIS AND HOW TO REMOVE ???????
C:\System Volume Information\_restore3F4523DC-71E4-41AF-8245-0D11E977E179\RP113\snapshot\_REGISTRY_USER_NTUSER_S1-5-21-1757981266-602609370-839522115-1003: Worm.Autorun-1838 FOUND - WHY THIS AND HOW TO REMOVE ???????
C:\System Volume Information\_restore3F4523DC-71E4-41AF-8245-0D11E977E179\RP114\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-1757981266-602609370-839522115-1003: Worm.Autorun-1838 FOUND - WHY THIS AND HOW TO REMOVE ???????
C:\System Volume Information\_restore3F4523DC-71E4-41AF-8245-0D11E977E179\RP116\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-1757981266-602609370-839522115-1003: Worm.Autorun-1838 FOUND - WHY THIS AND HOW TO REMOVE ???????
C:\System Volume Information\_restore3F4523DC-71E4-41AF-8245-0D11E977E179\RP117\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-1757981266-602609370-839522115-1003: Worm.Autorun-1838 FOUND - WHY THIS AND HOW TO REMOVE ???????
C:\System Volume Information\_restore3F4523DC-71E4-41AF-8245-0D11E977E179\RP119\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-1757981266-602609370-839522115-1003: Worm.Autorun-1838 FOUND
C:\System Volume Information\_restore3F4523DC-71E4-41AF-8245-0D11E977E179\RP120\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-1757981266-602609370-839522115-1003: Worm.Autorun-1838 FOUND
C:\System Volume Information\_restore3F4523DC-71E4-41AF-8245-0D11E977E179\RP121\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-1757981266-602609370-839522115-1003: Worm.Autorun-1838 FOUND
C:\System Volume Information\_restore3F4523DC-71E4-41AF-8245-0D11E977E179\RP122\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-1757981266-602609370-839522115-1003: Worm.Autorun-1838 FOUND
C:\System Volume Information\_restore3F4523DC-71E4-41AF-8245-0D11E977E179\RP123\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-1757981266-602609370-839522115-1003: Worm.Autorun-1838 FOUND
C:\System Volume Information\_restore3F4523DC-71E4-41AF-8245-0D11E977E179\RP124\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-1757981266-602609370-839522115-1003: Worm.Autorun-1838 FOUND
C:\System Volume Information\_restore3F4523DC-71E4-41AF-8245-0D11E977E179\RP125\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-1757981266-602609370-839522115-1003: Worm.Autorun-1838 FOUND
C:\System Volume Information\_restore3F4523DC-71E4-41AF-8245-0D11E977E179\RP126\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-1757981266-602609370-839522115-1003: Worm.Autorun-1838 FOUND
F:\MEDAL OF HONOUR\DAEMON Tools\SetupDTSB.exe: Adware.WhenU-6 FOUND
F:\MEDAL OF HONOUR\SPEARHEAD\DAEMON Tools\SetupDTSB.exe: Adware.WhenU-6 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 572138
Engine version: 0.95.2
Scanned directories: 10840
Scanned files: 136114
Infected files: 20
Data scanned: 51153.75 MB
Data read: 104357.68 MB (ratio 0.49:1)
Time: 7991.609 sec (133 m 11 s)
--------------------------------------
Completed
--------------------------------------
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Welcome to ClamWin! Permission to scan certain files is normal during a scan--due to files/programs already in use during a scan, Windows system files denied, or applications that restrict access. Once in a while, a virus/malware can also deny access but that's not very often. I wouldn't worry about it if you scan regularly.

All AVs are subject to false positives. That's why you should leave ClamWin's infected files option to Report Only and don't use Quarantine or Remove. If you remove a system file that has a false positive detection, you could lose access to your operating system. You should verify all ClamWin detections (to Windows and Office files at least) with Jotti or VirusTotal, two scanning services on the web. If several other AVs (I like to see at least 5) on one of them (besides Clam) say a file is infected, it probably is and then you can remove/clean it. If you are sure a file is malware, you can set ClamWin's infected files option to Quarantine or Remove and scan that file or its directory, and ClamWin will quarantine/remove it. You can also go to the directory and manually delete it. Be sure to revert to Report Only when you are finished. You may also be able to remove/clean a file by running the Windows Malicious Removal Tool (already installed in the Windows\System32 directory) or these free tools: Dr. Web's Cureit or Malwarebytes' free Antimalware.


Temporarily disable Windows System Restore to remove a virus there. Start it again after 10 seconds or so. You might want to run Windows Diskcleaner (Start, All Programs, Accessories) before doing a scan or at least once a day or so.

You can post scan reports here on the ClamWin Forum just like you did--not too big though. Keep in mind that development and support for ClamWin is provided by volunteers.

ClamWin is only an on-demand scanner (manual or scheduled scans). It is not a real-time scanner. It should be used as a backup to a real-time scanner. Here are some good free scanners: AntiVir from Avira, Avast from Alwil, or Threatfire from PC Tools. If you know what you are doing, you could probably use ClamWin and maybe Malwarebytes or Cureit occasionally, but don't take a chance. Thanks for using ClamWin!

Regards,
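The report in the opening post and the triage advice in the reply above (Report Only by default, verify Windows-file hits with a multi-engine service before removing anything, disable System Restore to clear restore-point copies) can be turned into a small triage script. The following is an added example, not ClamWin's or ClamAV's own code; the report excerpt it parses is constructed in the same "path: status" format as the report in the thread, and the hash helper is there so a flagged file can be looked up by digest on a service such as VirusTotal or Jotti without uploading it.

```python
import hashlib
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed excerpt in the format of the ClamWin 0.95.2 report pasted in the opening post.
SAMPLE_REPORT = r"""
Scan Started Mon Sep 21 14:52:09 2009
C:\WINDOWS\system32\config\SAM: Permission denied
C:\pagefile.sys: Permission denied
C:\WINDOWS\system32\firefox.exe: Trojan.Mybot-8436 FOUND
C:\WINDOWS\system32\01.tmp: Trojan.Rootkit-1503 FOUND
C:\Program Files\VVSN\VVSN.exe: Adware.WhenU-6 FOUND
C:\System Volume Information\_restore3F4523DC-71E4-41AF-8245-0D11E977E179\RP111\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-1757981266-602609370-839522115-1003: Worm.Autorun-1838 FOUND
----------- SCAN SUMMARY -----------
Infected files: 4
"""

# One result line: "<drive>:\<path>: <status>", status being "OK",
# "Permission denied" or "<signature> FOUND".
LINE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\[^\n]*?): (?P<status>.+)$")
FOUND_RE = re.compile(r"^(?P<sig>\S+) FOUND$")


def classify_detection(path: str) -> str:
    """Decide how a FOUND entry should be handled before anyone uses Remove."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    top = parts[1] if len(parts) > 1 else ""
    if top == "windows":
        # OS files are where a false positive does the most damage: get a
        # second opinion from a multi-engine scan before removing anything.
        return "verify-first"
    if top == "system volume information":
        # Restore-point copies cannot be cleaned in place; System Restore has
        # to be switched off briefly so the snapshots are discarded.
        return "restore-point"
    return "confirm-then-remove"


def parse_report(text: str) -> dict:
    """Split a report into unreadable paths and triaged detections."""
    denied, detections = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banner, summary and blank lines
        path, status = m.group("path"), m.group("status")
        if status == "Permission denied":
            denied.append(path)  # locked hives, pagefile, live databases: normal
            continue
        f = FOUND_RE.match(status)
        if f:
            detections.append({"path": path, "signature": f.group("sig"),
                               "action": classify_detection(path)})
    return {
        "denied": denied,
        "detections": detections,
        "by_signature": Counter(d["signature"] for d in detections),
    }


def file_sha256(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a flagged file in chunks so its digest can be looked up on a
    multi-engine service instead of uploading the file itself."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print(f"{len(report['denied'])} unreadable, {len(report['detections'])} detections")
    for d in report["detections"]:
        print(f"{d['action']:20} {d['signature']:22} {d['path']}")
```

Run against the full report in the thread, the "Permission denied" lines all fall into the unreadable bucket (registry hives, the pagefile and the SQL Server data files are held open by Windows), while the two `system32` hits come out as verify-first and the restore-point hits as restore-point, which matches the order of operations recommended above.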
MADS13


Joined: 22 Sep 2009
Posts: 0
Location: India
Thanks a lot for the immediate reply.

I very much appreciate the volunteer work. I am giving a detailed report only to give a bigger picture and maybe to resolve similar issues which may crop up in future. Please take your time in answering. Just reply "shall come back to you shortly" or not even that. Shall wait. In my part of the world I can't even imagine this kind of volunteer service!!!

OK. I went through several websites like Dr. Web, and even one of your posts while I googled for solutions, to remove malware. (As a strong supporter of open source I use only Firefox, and just for your "cursory glance" I tried opening all the sites given below through Firefox -

-----

" Free Rescue Scanners (For Use When Malware Has Disabled A Computer)

Get one of these and learn to use it before you need it!

• Avira's bootable CD scanner program (daily manual signature updates) is at https://www.brothersoft.com/avira-antivir-rescue-system-197951.html
• Dr. Web's capable bootable CD scanner program (do a manual signature update before scanning) is at https://www.freedrweb.com/livecd
• F-Secure's bootable CD scanner program (updates when run) is at https://www.brothersoft.com/f-secure-rescue-cd-198321.html
• Kaspersky's bootable CD scanner program (occasional manual updates) is at https://www.brothersoft.com/kaspersky-rescue-disk-197959.html
• Sunbelt's Vipre rescue program (download and put on computer or USB drive--a bootable CD is in the works) is at https://live.sunbeltsoftware.com/

----------

I pasted the URLs in Firefox but none of these sites opened through Firefox. Think the malware is preventing it. Is there a way I can access these sites?

2. I tried to update ClamWin. It didn't update and I have given the error report.


ClamAV update process started at Wed Sep 23 09:55:10 2009
main.cvd is up to date (version: 51, sigs: 545035, f-level: 42, builder: sven)
WARNING: Can't get information about database.clamav.net: No IP address
WARNING: getpatch: Can't download daily-9463.cdiff from database.clamav.net
WARNING: Can't get information about database.clamav.net: No IP address
WARNING: getpatch: Can't download daily-9463.cdiff from database.clamav.net
WARNING: Can't get information about database.clamav.net: No IP address
WARNING: getpatch: Can't download daily-9463.cdiff from database.clamav.net
WARNING: Can't get information about database.clamav.net: No IP address
WARNING: Can't download daily.cvd from database.clamav.net
Trying again in 5 secs...
ERROR: Can't get information about database.clamav.net: No IP address
ERROR: Can't get information about database.clamav.net: No IP address
ERROR: Can't download daily.cvd from database.clamav.net
Giving up on database.clamav.net...
Update failed. Your network may be down or none of the mirrors listed in c:\docume~1\house\locals~1\temp\tmplf8tbs is working. Check https://www.clamav.net/support/mirror-problem for possible reasons.

--------------------------------------
Completed
--------------------------------------

When I "clicked" on the "support" link given in the report, Firefox was not able to access it.

3. I am getting this report when I start my computer, for the first time in the day:

"Your SQL system is either corrupt or has been tampered with 9unable load (SQLBOOT.DLL). Please uninstall and then re-run set up to correct the problem"

Please advise.

Thanks in advance
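The freshclam output in the post above fails with "No IP address" for database.clamav.net before any download is attempted, and the same machine cannot open the vendor sites listed, so the failure is at name resolution rather than at the mirror. The thread does not identify the cause. The following is an added example, not part of the thread and not ClamAV's or ClamWin's code: it classifies a freshclam run as a resolution failure or a download failure from the log text, and checks a hosts file for entries that pin security-vendor names, one local thing a defender rules out first because a genuine hosts file has no entries for such domains. Both the log excerpt and the hosts file are constructed; the redirect line in the hosts sample is a made-up example of a tampered entry.

```python
import re

# Constructed excerpt in the format of the freshclam output pasted above.
SAMPLE_UPDATE_LOG = """\
ClamAV update process started at Wed Sep 23 09:55:10 2009
main.cvd is up to date (version: 51, sigs: 545035, f-level: 42, builder: sven)
WARNING: Can't get information about database.clamav.net: No IP address
WARNING: getpatch: Can't download daily-9463.cdiff from database.clamav.net
ERROR: Can't get information about database.clamav.net: No IP address
ERROR: Can't download daily.cvd from database.clamav.net
Giving up on database.clamav.net...
Update failed. Your network may be down or none of the mirrors listed in c:\\docume~1\\house\\locals~1\\temp\\tmplf8tbs is working.
"""

# Constructed hosts file; the two vendor-domain lines are a made-up example of tampering.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       database.clamav.net   # constructed tampered entry
127.0.0.1       www.freedrweb.com     # constructed tampered entry
192.168.1.20    fileserver
"""

# freshclam's own wording for "the name never resolved" and "the fetch failed".
NO_IP_RE = re.compile(r"Can't get information about (?P<host>[\w.-]+): No IP address")
DOWNLOAD_RE = re.compile(r"Can't download (?P<file>\S+) from (?P<host>[\w.-]+)")


def classify_update_failure(log: str) -> dict:
    """Summarise a failed freshclam run.

    'No IP address' means the mirror name never resolved, so nothing was ever
    sent to the mirror; a download error without it points at the mirror or
    the path instead. The two call for different troubleshooting.
    """
    unresolved, missing = set(), set()
    for line in log.splitlines():
        m = NO_IP_RE.search(line)
        if m:
            unresolved.add(m.group("host"))
            continue
        m = DOWNLOAD_RE.search(line)
        if m:
            missing.add(m.group("file"))
    if unresolved:
        kind = "name-resolution"
    elif missing:
        kind = "download"
    else:
        kind = "none"
    return {"kind": kind,
            "unresolved_hosts": sorted(unresolved),
            "missing_files": sorted(missing)}


def hosts_overrides(hosts_text: str, hostnames) -> dict:
    """Return {hostname: ip} for every name in `hostnames` that the hosts
    file pins to an address. Security-vendor and update domains should never
    appear here; any hit is a reason to treat the machine as tampered with."""
    wanted = {h.lower() for h in hostnames}
    found = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            if name.lower() in wanted:
                found[name.lower()] = ip
    return found


if __name__ == "__main__":
    result = classify_update_failure(SAMPLE_UPDATE_LOG)
    print(f"failure type: {result['kind']}; unresolved: {result['unresolved_hosts']}")
    # Names taken from the update log plus the rescue-CD sites listed in the post.
    suspects = result["unresolved_hosts"] + ["www.freedrweb.com", "www.brothersoft.com"]
    for name, ip in hosts_overrides(SAMPLE_HOSTS, suspects).items():
        print(f"hosts file pins {name} -> {ip}")
```

On a Windows XP machine like the one in the thread the live file is `C:\WINDOWS\system32\drivers\etc\hosts`; reading it with `hosts_overrides(open(path).read(), suspects)` from Safe Mode, as suggested in the next reply, avoids whatever is interfering with the normal session. An empty result does not prove resolution is healthy (a resolver or network setting can also be at fault), but a non-empty one is conclusive.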
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Okay. Let's see what we can do. Get into Windows Safe Mode (hit F8 every second or so until things slow down). Choose Safe Mode With Networking. I don't know if Firefox works in Safe Mode, but Internet Explorer will, although you lose your Favorites. Anyway, see if you can update ClamWin and other security software and if you can visit Malwarebytes and Dr. Web to get their security software I mentioned. Do a complete scan with ClamWin and then Malwarebytes and Dr. Web (one of them at least). If something can't be removed, you can sometimes navigate to it in Windows Explorer, rename it, and then remove it. Don't remove Windows files, unless they are temporary stuff--you don't want to lose the OS. If this doesn't work, try to download Microsoft's Security Essentials Antimalware available at https://www.mydigitallife.info/2009/06/18/microsoft-security-essentials-1-0-morro-mse-free-anti-virus-leaked-download/ on the web. Reboot and install/configure/update Security Essentials and run a scan.

See if you can visit the NOD32 or Trend Micro web site and run a scan with their online scanner.

If you can, get a rescue CD from either Kaspersky or Dr. Web. You download it and then burn it to CD--as an ISO file. Run it, but be careful when faced with choices--think them through. You want to update the program first of all. If you can't do this, get a friend to get a rescue CD for you.

Last resort: see if you can get information from one of the help places mentioned on the ClamWin Antimalware Page.

Good luck and let us know how it comes out.

Regards,
MADS13


Joined: 22 Sep 2009
Posts: 0
Location: India
Thanks once again for the immediate reply.

It never ceases to amaze me how you guys (I mean from developed countries in general) manage to respond so fast and are so diligent. Anyway. Keep it up guys. Guess that's why you are "developed".

I am a total noob (that's the word, right!!) and plus I have taken to tinkering with computers only a week back. It will take some time. Please bear with me. I shall send my reports when I run the checks as advised by you.

Thanks a lot once again.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Okay. In that case, things might not be so bad--perhaps part of the problem is due to your inexperience. First make sure that ClamWin's Internet Update preference is set to Enable Automatic Updates at least daily (I set it for hourly, but I'm paranoid!). The default General preference for Infected Files is Report Only--that's probably why nothing can be removed. Perhaps these two steps will solve everything. You can access the configuration options by right clicking on the ClamWin icon in the system tray (bottom right of screen).

I think some creative programming is coming from the undeveloped world now.

Regards,