owy
Joined: 13 May 2008
Posts: 0
Location: Australia
Posted: Wed Aug 06, 2008 11:30 pm

Hi.
This morning, ClamWin tells me there is a virus (Trojan.Startpage-746) in C:\i386\KB913433.exe.
I find tonnes of similar emails on the web telling me that C:\i386 holds important stuff, and none of the files should be deleted.
How, then, should I treat this occurrence, and optionally, how might the virus have gotten there in the first place?
Thanks,
Owen.

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Thu Aug 07, 2008 1:26 am

Evidently Microsoft thinks the i386 directory is important, but all I see in there are files dated 2004, 2005, 2006. I haven't seen any viruses that take advantage of the directory, so you might have a false positive there--it looks like you might have a Microsoft Knowledge Base update in that file. They sometimes show a false positive as they can use code similar to trojan downloaders.
You should upload the file to Jotti at https://virusscan.jotti.org/ on the Web and have them scan it for you with 20 or so antiviruses, including Clam. If several other AVs find an infection, it is probably for real. If only one or two other AVs find an infection, it's probably a false positive. For false positives, go to the Clam submission page at https://cgi.clamav.net/sendvirus.cgi on the web and fill out the form--be sure to indicate it is a false positive and put the name of the false positive virus detected in the virus name block. You can request to be notified by email when Clam finds out something.
Regards,

owy
Joined: 13 May 2008
Posts: 0
Location: Australia
Posted: Thu Aug 07, 2008 3:03 am

Hi GuitarBob.
Thanks for the advice and prompt reply. I'll get back to you on my travels.
Owen.

owy
Joined: 13 May 2008
Posts: 0
Location: Australia
Posted: Sun Aug 10, 2008 3:14 pm

Hmmm... was going to have a go at addressing the issue now, but it isn't showing up any more.
Must have been a false positive(?)...

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Sun Aug 10, 2008 7:31 pm

Clam is a user-driven antivirus. Of course, all false positives are addressed, but if several users report the same false positive, they will have an extra incentive to address it--especially if it is an important system file.
Regards,