Infected cache files

[GrahamE]

Yeah, same with me. The problem has shown with both versions.

[Lisandro]

Hi Tech, I've gone back to my own thread (http://forum.avast.com/index.php?topic=28377.30) to reply to you, as it didn't seem fair to take over Gabriele 08's thread. I'd be grateful if you'd go there and have a look. Thank you.

I've gone there but I can't find what is your actual problem... I thought it was solved...

[GrahamE]

Well, I thought it was as well, that between you and mauserme it had been pretty well decided that I was okay, and that they were just FP's, but...

Sadly, my problem hasn't been resolved, since I've had 2 more occurrences since my last post.

If you still detecting any strange behavior or even you're sure you're not clean, maybe it will be good to test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest AVG, Panda and/or F-Secure BlackLight.

Since I, and other members of this Forum with far greater knowledge than mine, had pretty well decided that these were false-positives

Do any of us said so?

From this I took it that you didn't think that the problem was resolved.

Sorry if you think I've been wasting people's time on this - I get confused quite easily nowadays.

[Lisandro]

From this I took it that you didn't think that the problem was resolved.

Indeed... to be *sure* you're clean, you need to run more than just one anti-malware tool. Not one software is perfect, neither because the false positives nor the miss-detection. So, that was my advice.

Sorry if you think I've been wasting people's time on this - I get confused quite easily nowadays.

I never think you're wasting our (or anybody else) time. Maybe just misunderstandings from my side.
It's all right, if we rise the doubt we must solve them.

So, after all, why don't you run other security scanning and post the results? 

[mauserme]

2Gabriele

Just for the heck of it why don't you post a HijackThis log.  I'm not really expecting to find anything but it can't hurt to check:

Click here to download HJTsetup.exe

• Save HJTsetup.exe to your desktop.
• Doubleclick on the HJTsetup.exe icon on your desktop.
• By default it will install to C:\Program Files\Hijack This.
• Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
  
• Put a check by Create a desktop icon then click Next again.
  
• Continue to follow the rest of the prompts from there.
• At the final dialogue box click Finish and it will launch Hijack This.
  
• Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  
• Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
• Come back here to this thread and Paste the log in your next reply.
• DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
  

[Gabriele 08]

Hi mauserme,
Thanks for your interest, that I assure you is apreciated!

I know HijackT and his use, sorry for not have included it in the list of things that I tried!!
In everycase Hijacklog can't help us, because it seems "pure like a new-born"!
None of the other scans I performed (mentioned in my previous posts), have detected something. I tried too anti-rootkit scan with F-Secure BlackLight and with Gmer.

So, before many tries, (not last analysis of cached files with avast after running CCleaner) thinking that my system is clean, I posted another time, to see if there is a possibility that the question depending to avast.
If no the case, the other option may be a threat very very capable to hide in my system. Or what else...?

Concluding with a "smile", I'm not much worry at the moment, because I'm not a pervert like GrahamE says of himself  [Of course I'm joking GrahamE ].
So I consider that my surfing habitudes are almost secure, but sure, all is possible in Web-Jungle.

[Gabriele 08]

Update:

This evening I rescanned all files in my chest, and 4 of them changed status in "no virus". All these 4 files were recognized by avast like Win32:Nilage-FP.
Always today I used two times CCleaner, one time all ok, another "usual" avast's alert.

I imagine that change status of these 4 cached files in my chest, take relation with avast's updates.
I'm too optimist thinking this...??

[Lisandro]

I imagine that change status of these 4 cached files in my chest, take relation with avast's updates.
I'm too optimist thinking this...??

You're right.
Most probably that files are safe to be restored, although I don't think they need to be restored.
Can you post the original file name and path?

[Gabriele 08]

Most probably that files are safe to be restored, although I don't think they need to be restored.
Can you post the original file name and path?

Oh yes, for sure I'll not restore them, there is no reason for this. I'm expecting for the end of "the mistery" and then I'll get out them!

Name cached file: C5099E6Dd01    20may=Win32:Nilage-FP - today= no virus
                         D7A152ABd01    21may=        "                      "
                         7BBD4A69d01    22may=        "                      "
                         _CACHE_001_   27april=Win32:Agent-GKD - then transformed in Win32:Nilage-FP -                                   
                                               today= no virus

Location is always the same: C:\Documents and Settings\Gabri\Impostazioni locali (local settings in English?)\Dati Applicazioni\Mozilla\Firefox\profiles\random name.default\cache

[Gabriele 08]

Hi,
I've attached image of my avast chest. What you can see is situation at today, to be absolutely exact, there are more 4. I Think is not so important to join another attachement for them, considering that 3 of them are "the same familiy", and the lastone is related to an old avast's FP with Windows notepad.

Well, finally I've extracted all Firefox cached files from avast chest, and I've submited all them to multi-engine scanners, like VirusTotal and Jotti (the greater part on Jotti).
A part avast, NOTHING!

[Lisandro]

A part avast, NOTHING!

Well... you're trying to prove ad nauseam a false positive episode...
I think we can conclude this way...

[Gabriele 08]

Well... you're trying to prove ad nauseam a false positive episode...

absolutely correct Tech! I tried this last one, just because I'm a sort of "maniac"

Now seriously, nothing more than wait to see if Alwil team will find the solution. Always if, what is happening to me, GrahamE and Thomas depends to avast.
In every contrary case, I'll take in consideration differents methods for cleaning my browser's cache.
In the meantime, thanks to you and other users, for your replies in this topic.

[Lisandro]

if Alwil team will find the solution.

The most difficult thing for me right now is to reproduce any kind of similar behavior.
I have browsers, CCleaner and avast. Never have a false positive using CCleaner.
So, it's weird. Or CCleaner or avast or browsers installation aren't good...