Ran ClamWin and desktop won't boot

tvme
Joined: 2010-02-22 09:31
Ran ClamWin and desktop won't boot

I used ClamWin to scan a computer (Dell w/ XP SP3) I was given. At the end of the scan I was prompted to insert my SP3 disk (ya, right) to replace deleted files. I clicked what options I could find that seemed to "undo" what ClamWin did, but...

Anyway, it won't boot. I now have a SP3 disc. The computer has the full MS Office suite installed. Is there an easy way to save the installation?

Here is the report of the ClamWin session:

\CardSpace.db: Permission denied
C:\Documents and Settings\Don & Betty\Local Settings\Temp\nst6F.tmp: Permission denied
C:\Documents and Settings\Don & Betty\Local Settings\Temp\WERdaf3.dir00\iexplore.exe.hdmp: Trojan.Bat.FormatC-6 FOUND
C:\Documents and Settings\Don & Betty\Local Settings\Temp\WERdaf3.dir00\iexplore.exe.hdmp: Removed
C:\pagefile.sys: Permission denied
C:\WINDOWS\ServicePackFiles\i386\userinit.exe: W32.Virut-82 FOUND
C:\WINDOWS\ServicePackFiles\i386\userinit.exe: Removed
C:\WINDOWS\system32\CatRoot2\tmp.edb: Permission denied
C:\WINDOWS\system32\config\default: Permission denied
C:\WINDOWS\system32\config\SAM: Permission denied
C:\WINDOWS\system32\config\SECURITY: Permission denied
C:\WINDOWS\system32\config\software: Permission denied
C:\WINDOWS\system32\config\system: Permission denied
C:\WINDOWS\system32\userinit.exe: W32.Virut-82 FOUND
C:\WINDOWS\system32\userinit.exe: Removed

----------- SCAN SUMMARY -----------
Known viruses: 712568
Engine version: 0.94.1
Scanned directories: 4254
Scanned files: 36743
Infected files: 3
Data scanned: 7964.82 MB
Time: 6589.547 sec (109 m 49 s)

Also, is this normal behavior? I wouldn't want to use ClamWin on a computer I really NEED.

Thank you for any suggestions.

Bob

ON EDIT: I do not have an installation disk. I have the SP3 upgrade downloaded from Microsoft. I'm not being prompted to do anything now, it just doesn't boot.

Darkbee
Joined: 2008-04-14 09:41
Uh oh

If you search Google, Trojan.Bat.FormatC-6 is considered a highly generic detection and consequently may be a false positive. In addition, W32.Virut-82 found in userinit.exe on XP SP3 by ClamWin appears to be a false positive according to a thread on the ClamWin forums.

So it looks like ClamWin may have inadvertently deleted some files it shouldn't have so your Windows installation is probably missing files it needs. Maybe try copying them off of another working XP SP3 computer?

Mir
Joined: 2007-12-03 16:07
are you using Clamwin or

Are you using ClamWin or ClamWin Portable?

Also sounds like you are not an administrator.

Darkbee
Joined: 2008-04-14 09:41
Normal

I think some of the "permission denied"s are normal if that's what you're referring to. I've run ClamWinPortable before and got results like that (minus the virus warnings/removals).

Mir
Joined: 2007-12-03 16:07
i didnt think ClamWin

I haven't experienced a case where ClamWin Portable would delete without user input.

Tim Clark
Joined: 2006-06-18 13:55
Is there an easy way to save the installation?

Is there an easy way to save the installation?
The answer is I don't know.

The problem is that ClamWin is not a system cleaner, i.e. it can't clean files that it finds to be infected. It can only Report to you what it has found [the recommended option], Remove/delete any files it thinks are infected, or Quarantine them.

It can not clean, fix, or repair them.
It appears that the default setting was changed from Report to Remove/delete.

ClamWin appears to have deleted the files it found to be infected. They may have really been infected or they could have been false positives, but it does not matter; either way the files were important to your operating system.

There is No "undo" function for Remove/delete, that is the purpose of the Quarantine choice.

This appears to be the file that was removed that could be causing your problem:
C:\WINDOWS\system32\userinit.exe:
As you might guess from the name, it sounds important.
I would recommend trying to see if you can boot into Safe Mode or from someone else's WindowsSystem/install CD and see if you can run System Restore.

If not, or you don't know how to do this you might want to get some help from your local geek.

I wish you luck

This is an example of why ClamWin should never be allowed to delete anything except a freshly downloaded or copied file, BEFORE that file is ever run, so if you choose to delete it no harm will be done.

Note to Everyone,
As I have said before, ClamWin is not a Virus Cleaner, you should not allow it to delete any file on your running system unless you know what that file does. Use ClamWin to gather information, then you decide what to do. Even if the file is infected it may be very important and you may need a more advanced cleaning tool.

Tim

[edit: also, so you know, 0.94.1 is an old version of Clam, it is currently at 0.95.3, though I doubt that would have made a difference ]

Things have got to get better, they can't get worse, or can they?
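The "gather information, then you decide" workflow described in the post above, as an added example that is not part of the original thread: a small Python triage over the ClamWin report lines from the first post. The function names and the `PROTECTED_ROOTS` policy are assumptions made for this example.

```python
import re
from pathlib import PureWindowsPath

# Detection lines copied from the ClamWin report in the first post.
REPORT = r"""
C:\Documents and Settings\Don & Betty\Local Settings\Temp\WERdaf3.dir00\iexplore.exe.hdmp: Trojan.Bat.FormatC-6 FOUND
C:\Documents and Settings\Don & Betty\Local Settings\Temp\WERdaf3.dir00\iexplore.exe.hdmp: Removed
C:\pagefile.sys: Permission denied
C:\WINDOWS\ServicePackFiles\i386\userinit.exe: W32.Virut-82 FOUND
C:\WINDOWS\ServicePackFiles\i386\userinit.exe: Removed
C:\WINDOWS\system32\config\SAM: Permission denied
C:\WINDOWS\system32\userinit.exe: W32.Virut-82 FOUND
C:\WINDOWS\system32\userinit.exe: Removed
"""

# Assumption for this example: anything under the Windows directory is
# operating-system critical and must never be deleted automatically.
PROTECTED_ROOTS = (PureWindowsPath(r"C:\WINDOWS"),)

def parse_report(text):
    """Map each detected path to its signature and whether it was removed."""
    hits = {}
    for line in text.splitlines():
        # Paths contain "C:" so split on the LAST ": " in the line.
        path, sep, status = line.strip().rpartition(": ")
        if not sep:
            continue  # blank line or banner without a "path: status" shape
        found = re.fullmatch(r"(\S+) FOUND", status)
        if found:
            hits[path] = {"signature": found.group(1), "removed": False}
        elif status == "Removed" and path in hits:
            hits[path]["removed"] = True
    return hits

def is_protected(path):
    parents = PureWindowsPath(path).parents  # comparison is case-insensitive
    return any(root in parents for root in PROTECTED_ROOTS)

def triage(text):
    """Return (path, signature, action) rows for a human to act on."""
    rows = []
    for path, hit in parse_report(text).items():
        if is_protected(path):
            action = "RESTORE from known-good media" if hit["removed"] else "REVIEW before any removal"
        else:
            action = "already removed" if hit["removed"] else "quarantine"
        rows.append((path, hit["signature"], action))
    return rows

if __name__ == "__main__":
    for row in triage(REPORT): print(*row, sep=" | ")
```

Run against a report produced in Report mode, the same triage flags system files for review before anything is deleted.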

tvme
Joined: 2010-02-22 09:31
Thanks everybody. I must

Thanks everybody. I must have changed the settings on ClamWin. They WERE (I just changed them back) set to "remove" and "unload infected programs".

It doesn't boot at all in any mode. It gets to a point and starts over again. I can get into the "F 8(?) & ? " menus. I've tried every combination from there. I'll try making one of those "bootable" CD's from an XP disc I have. I probably should have one of those anyway.

If I can't repair with the CD using "restore", would it likely be useful to "open" the drive with one of those "thingy's" that allow a disc to be used as an extra drive and try to replace the files piecemeal? I've got one of those. It looks like there are only 2 or 3 files to replace. It looks like one file was removed from 2 places. My XP CD is pre-SP1 so I don't think a "repair installation" would do any good.

I do have an ISO disc I made of SP3 if that would help. I just don't have another copy of the Microsoft office suite and would like to "save" it if it's not a real PITA.

Thanks again. I didn't realize ClamWin wasn't a normal anti virus program. My bad. I really should try reading the instructions FIRST! I have the new version of the suite to install and some extra programs. My ClamWin is the portable version.

Bob

ottosykora
Joined: 2007-10-11 17:48
try as instructed above

what you need is this:

C:\WINDOWS\ServicePackFiles\i386\userinit.exe: Remove
C:\WINDOWS\system32\userinit.exe: Removed

The copy of the file in the i386 folder is the original installation file; here it was a kind of backup copy.

The one directly under system32 was the one actually used. So get it from another computer, or see if it is on the SP3 CD and copy it from there.

OK, your system does not start at all, so you need some boot media. This might be a Linux Ubuntu 9.10 CD as well; it will boot and will allow you to copy a file to some place in the NTFS partition. You can hold the file on a USB stick ready for that.

Another option could be to get one of those BartPE CDs. Here the file will probably be on that CD already, so copying might just be done from the boot CD.
Other things you could look for and use is UltimateBootCD or HirenCD. Both will help you to insert a file into your C: partition.

Well and yes, take the disk and connect it as secondary (usb, external sata, or similar) will help too, simply copy similar file userinit.exe to system32 and see if something spectacular happens.

You need really to replace on the userinit.exe in system32.

Otto Sykora
Basel, Switzerland

Mir
Joined: 2007-12-03 16:07
this is what i thought

The problem is that ClamWin is not a system cleaner, i.e. it can't clean files that it finds to be infected. It can only Report to you what it has found [the recommended option], Remove/delete any files it thinks are infected, or Quarantine them.

It can not clean, fix, or repair them.
It appears that the default setting was changed from Report to Remove/delete.

I thought this is what the program does normally. Hence my confusion on why it removed stuff.
