Startup Inspector (for Windows) Trojan T/F?
Poll:
True: 0% [ 0 ]
False: 0% [ 0 ]
Who Can Tell?: 0% [ 0 ]
Total Votes: 0

RatBag


Joined: 10 Nov 2009
Posts: 0
ClamWin reports finding Trojan.Buzus-4860 (yes, I saw that thread) in all copies of the two most recent versions of a program called "StartUp Inspector" (https://www.windowsstartup.com/startupinspector.php) that it could locate on my system or in archives. SI is a program which I have used for years and rely upon to try to keep some control of Windoz startups.

I did submit the file to VirusTotal where 6/41 reported finding 'something' (persistent link: https://www.virustotal.com/analisis/fbede8ecda93a864b28657da5fb4b1e16dadd81938c4d9538f3fd7e516dd35f9-1255460247).

Am just trying out ClamWin as it was the only program I could find for a Win-98 machine I was resurrecting and it seemed a solid piece of work and so am trialing it on an XPP system.

At this point, am left wondering if SI is infected or not. The SI forum has been down for a long while (may be defunct?) so cannot see if anyone else there might have had the same issue.

Running ClamWin with default settings - which must be to either delete or quarantine a positive, as have not been asked to confirm/deny/report any of the positives (I am a backup believer, so far ClamWin has found 6 instances of the relevant files & is only about 1/2 way through the live hard-drives on the system). The only notification I have had is that periodically Avast pops up a warning about what seem to be ClamWin temp files.

Thoughts?
sherpya


Joined: 22 Mar 2006
Posts: 0
Location: Italy
This job is not for ClamWin; you should upload it to the ClamAV team as a false positive, specifying the VirusTotal result link, but the decision is up to the ClamAV team.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
When I can't really tell if something is malicious or not (even by executing it), I upload Windows binaries to Anubis at https://anubis.iseclab.org/ or Threat Expert at https://www.threatexpert.com/submit.aspx on the web. If the file is a PDF, JS, Flash or an HTML page, I upload it to Wepawet at https://wepawet.iseclab.org/ on the web. These sites will try to execute a file and give you a report. You might try this before uploading to Clam.

Regards,
Valuable Links
RatBag


Joined: 10 Nov 2009
Posts: 0
Thanks,

Will try sending it on to the suggested sites, as it does make me uneasy BUT I want to keep using the program.

Of note, ClamWin is still churning along on my system (will be starting on the last 3 hard-drives soon - one with a 1.5 TB compressed partition and so that might be both interesting and slow) anyhow - so far the only other positives have been for Trojan.Zlob-11817 in Imagenomic's RealGrainPluginSetup1010.exe (a Photoshop filter) which got "0/40" on VirusTotal.

Perhaps when ClamWin gets done it will ask what I want to do. If not, can rescan the individual files and send them to ClamWin at that point.

On other threads mention has been made of a ClamWin log file being under %allusersprofile%. The only log file I can find under any account is ClamUpdateLog.txt (%allusersprofile%/.clamwin/log) and so am wondering if ClamWin keeps all in memory until completion (which seems contrary to the spirit of a log file) and then writes out what was found and done?

Once again - thank you for the help.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
The Reports tab (under Tools, Preferences) will tell you where the normal reports/logs are. At the end of a scan, you can choose to save a detailed report, so my guess is, you won't get a report until a scan is finished, although you can see what's going on as the scan progresses. The default infected file option (General tab) is to Report Only, but you can choose to Remove or Quarantine; however, I would only Remove/Quarantine after you have verified an infection as real and not a false positive--you don't want to lose access to your system because it removes/quarantines an important Windows file that is a false positive. You can speed up scans if you configure ClamWin (Filters tab) to only scan for the extensions that are most likely to hide viruses. Everyone has their own list--google for "dangerous file extensions," and be sure to include Office extensions (.doc, .xls, .ppt), .zip, .pdf, .rtf, and .swf. I scan for about 35 extensions, and it does speed things up.

Regards,
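
Added example, not part of any post in this thread and not ClamWin's own code: a way to triage a saved Report Only scan report before removing or quarantining anything, by grouping hits per signature and hashing each flagged file so identical copies show up as one binary to verify. It assumes the report uses clamscan-style `path: Signature FOUND` lines; the sample report and its paths are constructed.

```python
import hashlib
import os
import re
from collections import defaultdict

# Constructed sample report (not taken from the thread); the paths are made up.
SAMPLE_REPORT = r"""
C:\Tools\SI\StartupInspector.exe: Trojan.Buzus-4860 FOUND
D:\Backup\2008\SI\StartupInspector.exe: Trojan.Buzus-4860 FOUND
D:\Downloads\RealGrainPluginSetup1010.exe: Trojan.Zlob-11817 FOUND
C:\WINDOWS\notepad.exe: OK

----------- SCAN SUMMARY -----------
Infected files: 3
"""

# Greedy ".*" splits at the LAST ": ", so the drive-letter colon stays in the path.
FOUND_LINE = re.compile(r"^(?P<path>.*): (?P<sig>\S+) FOUND\s*$")

def parse_report(text):
    """Return {signature: [paths]} for every FOUND line in the report."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = FOUND_LINE.match(line)
        if m:
            hits[m.group("sig")].append(m.group("path"))
    return dict(hits)

def sha256_of(path, chunk=1 << 20):
    """SHA-256 of a file read in chunks, or None if it is no longer on disk."""
    if not os.path.isfile(path):
        return None
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def triage(text):
    """One row per signature: hash per flagged path and count of distinct binaries."""
    rows = []
    for sig, paths in sorted(parse_report(text).items()):
        digests = {p: sha256_of(p) for p in paths}
        distinct = {d for d in digests.values() if d}
        rows.append({"signature": sig, "files": digests,
                     "distinct_binaries": len(distinct)})
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE_REPORT):
        print(row["signature"], "distinct binaries:", row["distinct_binaries"])
        for path, digest in row["files"].items():
            print("   ", digest or "(file not present)", path)
```

Copies that share a hash only need to be checked once before deciding whether the detection is a false positive.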