Full Version: Mass detection of Trojan.Win32.StartPage.adh
vatson
About two hours ago, a lot of our PCs suddenly started detecting Trojan.Win32.StartPage.adh in System Restore. I'm buried under e-mail notifications such as this:

Event Virus detected has happened on computer COMPUTER in the domain WORKGROUP at Thu Dec 15 17:50:53 2005 Object C:\System Volume Information\_restore{A46BC5D3-CE03-43E6-917B-D9C353550BAD}\RP41\A0128342.exe is infected with the virus Trojan.Win32.StartPage.adh

This is followed by notification that the file cannot be disinfected and has been deleted.

Is anyone else seeing this? My reading on the web shows that this is an IE start page hijack trojan. Since it's now in System Restore (I'm seeing no detections anywhere outside System Restore) it must have been present on the PCs at one time and has been removed by now. However, I find it hard to believe that dozens of PCs in our network had their IE start page hijacked and we at the IT dept didn't hear about this. The users certainly would have complained.

Also, I should clarify that this mass detection started after office hours, so it can't be the case that the users are actively surfing the web right now. Also, there should be no scheduled scan running tonight.

I don't feel like we are in some kind of serious danger, I'm just curious.
Don Pelotas
It was a FP which is fixed already, please update your bases.

http://forum.kaspersky.com/index.php?showtopic=7314.
katarina
QUOTE(Don Pelotas @ Dec 15 2005, 01:27 PM)
It was a FP which is fixed already, please update your bases.

http://forum.kaspersky.com/index.php?showtopic=7314.

My experience with this was that several variations of notepad.exe ended up in the KAV backup. Can I restore these from backup, or do I need to approach this some other way? As it is now, I can't use Notepad.
saso
KL should definitely improve their tests for false positives before releasing new signatures... there have been quite a few false positives lately, and a false positive with a common program like notepad.exe should IMO definitely be detected _before_ the release of the new signature.
Don Pelotas
QUOTE(katarina @ Dec 15 2005, 10:47 PM)
My experience with this was that several variations of notepad.exe ended up in the KAV backup. Can I restore these from backup, or do I need to approach this some other way? As it is now, I can't use Notepad.

Yes, just use "View backup" for the restore.