ClamWin Free Antivirus
Support and Discussion Forums
Trojan.Startpage-997 FOUND
MilesAhead


Joined: 23 Oct 2012
Posts: 0
I'm running Vista64 SP1. Seems like on the first Memory Scan after a boot I get this Trojan.Startpage-997 FOUND. It shows a long filename made from a GUID in the Local\Temp folder. Thing is, none of my browsers' start pages are being redirected.

Seems like it doesn't come back until reboot.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
If the file comes back in memory each time you boot up (a temp file should not do that), it sounds like a real infection. ClamWin may be detecting the file before any pages are redirected. Upload the file to Jotti or Virus Total when you get it again and verify the infection. If several AVs say it is infected, it probably is a real infection. In that case I suggest you get a copy of Malwarebytes Antimalware free and do a quick scan of your computer with it. ClamWin may be unable to completely remove some malware infections that involve the Windows registry or are called by another piece of undetected malware.

Regards,
MilesAhead


Joined: 23 Oct 2012
Posts: 0
Ok. I have to try to remember to check for the file before I run the scan. Otherwise it deletes it.
MilesAhead


Joined: 23 Oct 2012
Posts: 0
MilesAhead wrote:
Ok. I have to try to remember to check for the file before I run the scan. Otherwise it deletes it.


I'm starting to think it's somehow picking itself up, since 97 is the version of ClamWin and it has "clam" in the name.

clamav-84a3cff40fcc00e5d10bae31bfb0e3aa.00000efc.clamtmp: Trojan.Startpage-997 FOUND

Funny AV. It reports itself as hostile?
MilesAhead


Joined: 23 Oct 2012
Posts: 0
MilesAhead wrote:
Ok. I have to try to remember to check for the file before I run the scan. Otherwise it deletes it.


edit: it shows this filename in the temp directory. Seems strange. MBAM doesn't pick anything up.

clamav-84a3cff40fcc00e5d10bae31bfb0e3aa.00000efc.clamtmp: Trojan.Startpage-997 FOUND
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Okay. That is a temp file from a ClamWin scan. It is not really a virus--just a ClamWin virus signature. They are usually deleted automatically by ClamWin after they are used. If they bother you, exclude "*.clamtmp" files (don't use the quotes though) in ClamWin Preferences: Configure ClamWin, Filters, Exclude Matching Filenames.

Regards,
MilesAhead


Joined: 23 Oct 2012
Posts: 0
Thanks for the info. I checked before running the scan and it wasn't there. So it is generated by the scanner. Nothing else in the temp folder looked hostile.
MilesAhead


Joined: 23 Oct 2012
Posts: 0
Just FYI. Adding *.clamtmp to filters does not prevent the trojan notice during memory scan.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Hmmm, then perhaps ClamWin does not use the filters in the memory scan. I know that the memory scan was added after the program was originally written, and it is a bit different from a normal file scan.

Or, perhaps you need a more descriptive filter--try: clamav*.clamtmp

Also--upload the file from the ClamWin quarantine folder to the Jotti or Virus Total online scanners and see what other AVs say about it.

Regards,
MilesAhead


Joined: 23 Oct 2012
Posts: 0
The file is being created by ClamWin. I checked directly after booting: no file. Run ClamWin memory scan: Trojan alert is shown. No file exists after the scan. It only happens on my 64-bit machine. On my 32-bit system I don't get any Trojan notice. Looks to me like the 64-bit code is broken and it's detecting its own temp file as a trojan.

It's only on the first run after boot that this happens. Pretty strange. But I'll just chalk it up as a quirk. The 64-bit system is too much of a pita to boot to keep kicking it just to experiment. I boot up in the morning and shut down at night unless some driver uninstall forces the issue.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Aha, you found a bug! Thanks for keeping on this.

I will tell the ClamWin developers about it. Evidently no one did a bootup memory scan on X64 during beta testing of the current version. In fact, there are not many beta testers, and X64 ClamWin users may be a small group. You should consider beta testing if you have time, and it really doesn't take much time (maybe 15 minutes per version). If interested, just send email via the Contact Us item on the ClamWin main web page.

You might just add a memory scan to a regular scheduled scan and see what happens.

Regards,
sherpya


Joined: 22 Mar 2006
Posts: 0
Location: Italy
clamav unpacks executables/archives in the temp directory; filenames are in the format of the file you found. The problem is that clamav is unable to remove the temporary file after the scan is done, and this is somehow strange.
The fact that on win64 it is not detected may indeed be a bug. Can you send me the file? You need to compress it with a password because the antivirus on the mail server may block it.
My email is sherpya@netfarm.it, thanks.
FYI there is no relevant 64-bit code in clamwin, only some API calls to enable scanning of the 64-bit system directory.
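The posts above turn on telling a hit against the scanner's own unpacking temp file (the clamav-<hex>.<hex>.clamtmp name) from a hit on a real file on disk, and on whether an exclude glob such as *.clamtmp or clamav*.clamtmp would even match that name. The helper below is an added example, not ClamWin's or ClamAV's code; the filename pattern is inferred only from the one name quoted in this thread, the "path: Signature FOUND" report format is assumed, and the on-disk sample line is constructed.

```python
import fnmatch
import re

# Assumed temp-file naming, inferred from the single name quoted in the thread:
#   clamav-<32 hex chars>.<8 hex chars>.clamtmp
CLAMTMP_RE = re.compile(r"^clamav-[0-9a-f]{32}\.[0-9a-f]{8}\.clamtmp$", re.IGNORECASE)

# Assumed clamscan-style report line: "<path>: <signature> FOUND"
REPORT_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def basename(path):
    """Last path component, accepting both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def is_scanner_tempfile(path):
    """True if the path looks like the scanner's own unpacking artefact."""
    return bool(CLAMTMP_RE.match(basename(path)))


def triage(report_lines):
    """Classify FOUND lines: a .clamtmp hit fired on unpacked content inside
    something else, so it needs the originating file identified and verified
    (e.g. with a second opinion) rather than being treated as an on-disk hit."""
    results = []
    for line in report_lines:
        m = REPORT_RE.match(line.strip())
        if not m:  # "OK" lines and anything else are not detections
            continue
        path, sig = m.group("path"), m.group("sig")
        kind = "scanner-temp" if is_scanner_tempfile(path) else "on-disk"
        results.append((path, sig, kind))
    return results


def filter_matches(path, pattern):
    """Would a ClamWin-style 'exclude matching filenames' glob cover this file?"""
    return fnmatch.fnmatchcase(basename(path).lower(), pattern.lower())


# Constructed sample report: the first line is the one quoted in the thread,
# the second is a made-up on-disk path, the third is a clean file.
SAMPLE_REPORT = [
    "clamav-84a3cff40fcc00e5d10bae31bfb0e3aa.00000efc.clamtmp: Trojan.Startpage-997 FOUND",
    r"C:\Users\someone\AppData\Local\Temp\setup_tool.exe: Trojan.Startpage-997 FOUND",
    r"C:\Users\someone\AppData\Local\Temp\notes.txt: OK",
]

if __name__ == "__main__":
    for path, sig, kind in triage(SAMPLE_REPORT):
        print(f"{kind:13} {sig:25} {path}")
```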
MilesAhead


Joined: 23 Oct 2012
Posts: 0
I think it's a timing issue. There's no file before the run starts or after it completes. Where am I supposed to get this phantom file from? It's ephemeral during the first scan after boot.