Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Gabriele 08 on April 27, 2007, 10:52:11 PM

Title: Infected cache files
Post by: Gabriele 08 on April 27, 2007, 10:52:11 PM
For first: Hi all forum!
I'm an avast user (a happy avast user!) of home free Edition. I'm new here and before beginning I want to give my congratulations to avast staff, and to the users that make this forum a very good place for competence and courtesy!!
Please, be patient with my English that's nothing good..or terrible.

During the cleaning of mozilla cache internet with CCleaner, (3,9mb for a session of only 2 hours) avast stopped 2 times the operation and warning for --> Win32:Agent-GHL[tRJ] and then for --> Win32:Agent-GKD[Trj]. So, I moved the 2 cache files to the chest. Just first I thought for a false positive because I received no advice from avast surfing. But after seeing in my temp folder, there was a random.temp and in normal mode I was not able to eliminate it, so I rebooted in safe mode and finally removed random.temp file!
Today I performed: Avast boot scan [nothing]
- SpywareTerminator complete scan, safe mode [nothing]
- SUPERAntiSpyware free, complete scan, safe mode [nothing]
- A-squared, deep scan [nothing]
- Spybot, safe mode, that detected a voice of Carima Enterprises in Firefox(default) bookmarks....
I checked it, perform a new scan of Spybot and nothing result.
What may be happened? What do you think about?
Title: Re: Infected cache files
Post by: Lisandro on April 28, 2007, 03:16:52 AM
So, I moved the 2 cache files to the chest.
You've done the wiser and better thing.

What may be happened? What do you think about?
Which is your Standard Shield sensitivity?
If you right click the files into Chest and scan them again, are they marked as infected?
Title: Re: Infected cache files
Post by: Gabriele 08 on April 28, 2007, 05:19:06 AM
Which is your Standard Shield sensitivity?
If you right click the files into Chest and scan them again, are they marked as infected?
Hi Tech,
Standard Shield sensitivity is high.
I just examine file in the chest, and YES avast says virus found. (I didn't know the option of scan the file in the chest, so thanks for let me learn one thing more. Well I have to say that a part the false positive of avast with notepad some months ago that perhaps you remember, I have not experience of virus  8))
Title: Re: Infected cache files
Post by: Lisandro on April 28, 2007, 05:48:29 PM
Standard Shield sensitivity is high.
Hmmm... Standard Shield at High should be scanned the files first... at least they're into an archive file (.zip, .arj, etc.).
Title: Re: Infected cache files
Post by: Gabriele 08 on April 28, 2007, 10:09:25 PM
Hmmm... Standard Shield at High should be scanned the files first... at least they're into an archive file (.zip, .arj, etc.).
So is also your opinion that is strange what happened?
I changed sensitivity to high I think one month ago, and generally nothing changed, only 2 times, I received advice. One time saying that: in "name site" there are traces of "name malware"; and another when in a page forum, avast recognized a zip infected file that a user have to send to be examined or something similar, I don't remember exactly now.
One question, perhaps stupid...!! Being the Avast chest a protect and lock zone of pc, I suppose is not possible submit the 2 files I have there, for example to VirusTotal, is correct?
Title: Re: Infected cache files
Post by: Lisandro on April 28, 2007, 10:13:20 PM
So is also your opinion that is strange what happened?
Strange? Yes. To be worried that much? Not really.

Being the Avast chest a protect and lock zone of pc, I suppose is not possible submit the 2 files I have there, for example to VirusTotal, is correct?
Yes. You can only submit them to VirusTotal if you right click them, extract to a USB drive for instance and submit to VirusTotal from there. Take care.
Title: Re: Infected cache files
Post by: Gabriele 08 on April 28, 2007, 10:38:11 PM
Well...probably I give a wrong appearance at the matter. As I hear, is not a question to be worry. I'm not so worry Tech  ;), but (if and when possible) I like understand, or try it! :)
 
Title: Re: Infected cache files
Post by: Gabriele 08 on May 22, 2007, 11:10:26 PM
Hi,
I begin again this topic, with some updates.
After more or less one month from my first post (28 April) I think that may be there is a problem...

I saw in forum that there was a "similar" problem posted by the user GrahamE, here --> CCleaner Trojans (http://forum.avast.com/index.php?PHPSESSID=5aadcb787623256080978cf9dd1dcf88&topic=28377.0). There the question was above all about temporary files, while for me is about cache files.
A common circumstance is that for me too, problems began the 27 April like GrahamE.
But while for him problems seem to be solved, for me no  :(

The matter is that from that day, many many times (but not all times) using CCleaner for cache, temporary, etc. avast give me alerts, for Trojans various...
I regularly moved these files in chest, and so now, I have a big chest...!!

System has been checked with many programs, those mentioned in my first post with more F-Secure BlackLight and Gmer. And analyzed by Kaspersky online and Ewido online, so I think that I may believe that system is absolutely clean!!

Yesterday I checked another time with avast all files in chest, but only 3 of them changed status in "no virus".
Some Others changed name (example: Win32:Agent-GYJ --> ......-GXN), and for the others nothing changed (always recognized like trojans).
Well, then I tried a little test.
I navigate a few and then:
a) I checked separately the files of folder cache (20 more or less) with avast control from contextual menu
b) I checked always with ashquick, the entire folder cache
c) I opened avast and I selected a custom scan of folder cache (selecting after "standard" and then "Thorough" sensitivity)
All OK for avast in all 3 controls!
Immediately I opened CCleaner and go for a cleaning cache, and avast noticed for Win32:agent-GYJ; ....-GWD;....-GXN
????? :( :(
So, really a troublesome situation, especially if you clean very often like me!

Does avast may try to solve this situation please?
May I have to send files in my chest to avast? Or I have to wait if they ask me for this?

P.S. Sorry for so long post but I would try explain the situation as much better I can...
Title: Re: Infected cache files
Post by: igor on May 23, 2007, 12:11:08 AM
What were the full filenames of those files detected after opening CCleaner?
Title: Re: Infected cache files
Post by: GrahamE on May 23, 2007, 01:04:56 AM
Well it's nice to know I'm not alone in my surfing habits!  8)

Sadly, my problem hasn't been resolved, since I've had 2 more occurrences since my last post. The second of these came when (having used CCleaner when I came offline previously), I opened Internet Explorer, my homepage (Google) came up, and I was called away and so logged off. On using CCleaner, Avast found (traces of) a virus in the temp internet files!

Since I, and other members of this Forum with far greater knowledge than mine, had pretty well decided that these were false-positives, and since it seemed to be using CCleaner that was causing the problem to some extent, I've set Internet Explorer to empty the temp internet files when the browser is closed. I'm still using CCleaner as well, but nothing has come up so far, after 2 days of doing this.

I'm assuming that if there really was a virus/Trojan, Avast would still detect it when Windows cleared the files (?)
Title: Re: Infected cache files
Post by: Lisandro on May 23, 2007, 03:28:32 AM
Sadly, my problem hasn't been resolved, since I've had 2 more occurrences since my last post.
If you still detecting any strange behavior or even you're sure you're not clean, maybe it will be good to test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest AVG (http://www.grisoft.com/doc/download-free-anti-rootkit/us/crp/0), Panda (http://research.pandasoftware.com/blogs/research/archive/2007/04/27/New-Panda-Anti_2D00_Rootkit-_2D00_-Version-1.07.aspx) and/or F-Secure BlackLight (http://www.f-secure.com/blacklight/try_blacklight.html).

Since I, and other members of this Forum with far greater knowledge than mine, had pretty well decided that these were false-positives
Do any of us said so?
Title: Re: Infected cache files
Post by: Gabriele 08 on May 23, 2007, 04:08:33 AM
What were the full filenames of those files detected after opening CCleaner?

Hi Igor,
Here an example:
Location file = C:\Documents and Settings\Gabri\Impostazioni locali\Dati Applicazioni\Mozilla\Firefox\profiles\xxxxxx.default\cache
Name = _CACHE_003_
All files in chest about I'm speaking have the same "location", change only the "cache file name".

For instance this file just yesterday was named by avast "Win32:Agent-GVO", then after I controlled it in the chest (like I said in the post above), the definition changed for "Win32:Agent-GTZ".
I would also remember, that 3 files after yesterday's check changed in "no virus".

Thanks for your reply. For any question, here I am!

EDIT
Mmh... :-X... sorry Igor, but I realized with delay, that you are asking me for 3 yesterday's files, after "the little test".
_CACHE_003_ --> Win32:Agent-GWD
_CACHE_MAP_ -->        "        -GXN
2C66457Dd01  -->        "        -GYJ
Title: Re: Infected cache files
Post by: GrahamE on May 23, 2007, 07:35:21 PM
Sadly, my problem hasn't been resolved, since I've had 2 more occurrences since my last post.
If you still detecting any strange behavior or even you're sure you're not clean, maybe it will be good to test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest AVG (http://www.grisoft.com/doc/download-free-anti-rootkit/us/crp/0), Panda (http://research.pandasoftware.com/blogs/research/archive/2007/04/27/New-Panda-Anti_2D00_Rootkit-_2D00_-Version-1.07.aspx) and/or F-Secure BlackLight (http://www.f-secure.com/blacklight/try_blacklight.html).

Since I, and other members of this Forum with far greater knowledge than mine, had pretty well decided that these were false-positives
Do any of us said so?

Hi Tech, I've gone back to my own thread (http://forum.avast.com/index.php?topic=28377.30) to reply to you, as it didn't seem fair to take over Gabriele 08's thread. I'd be grateful if you'd go there and have a look. Thank you.
Title: Re: Infected cache files
Post by: mauserme on May 23, 2007, 08:17:37 PM
What version of CCleaner do each of you have?
Title: Re: Infected cache files
Post by: Gabriele 08 on May 23, 2007, 11:37:30 PM
Hi mauserme,
CCleaner's version is 1.40.520 (latest). Last month at begin of the history was 1.39.502
Title: Re: Infected cache files
Post by: GrahamE on May 24, 2007, 12:44:56 AM
Yeah, same with me. The problem has shown with both versions.
Title: Re: Infected cache files
Post by: Lisandro on May 24, 2007, 01:21:05 AM
Hi Tech, I've gone back to my own thread (http://forum.avast.com/index.php?topic=28377.30) to reply to you, as it didn't seem fair to take over Gabriele 08's thread. I'd be grateful if you'd go there and have a look. Thank you.
I've gone there but I can't find what is your actual problem... I thought it was solved...
Title: Re: Infected cache files
Post by: GrahamE on May 24, 2007, 01:36:24 AM
Well, I thought it was as well, that between you and mauserme it had been pretty well decided that I was okay, and that they were just FP's, but...

Sadly, my problem hasn't been resolved, since I've had 2 more occurrences since my last post.
If you still detecting any strange behavior or even you're sure you're not clean, maybe it will be good to test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest AVG (http://www.grisoft.com/doc/download-free-anti-rootkit/us/crp/0), Panda (http://research.pandasoftware.com/blogs/research/archive/2007/04/27/New-Panda-Anti_2D00_Rootkit-_2D00_-Version-1.07.aspx) and/or F-Secure BlackLight (http://www.f-secure.com/blacklight/try_blacklight.html).

Since I, and other members of this Forum with far greater knowledge than mine, had pretty well decided that these were false-positives
Do any of us said so?

From this I took it that you didn't think that the problem was resolved.

Sorry if you think I've been wasting people's time on this - I get confused quite easily nowadays.
Title: Re: Infected cache files
Post by: Lisandro on May 24, 2007, 02:50:38 AM
From this I took it that you didn't think that the problem was resolved.
Indeed... to be *sure* you're clean, you need to run more than just one anti-malware tool. Not one software is perfect, neither because the false positives nor the miss-detection. So, that was my advice.

Sorry if you think I've been wasting people's time on this - I get confused quite easily nowadays.
I never think you're wasting our (or anybody else) time. Maybe just misunderstandings from my side.
It's all right, if we rise the doubt we must solve them.

So, after all, why don't you run other security scanning and post the results?  ;)
Title: Re: Infected cache files
Post by: mauserme on May 24, 2007, 04:44:26 AM
2Gabriele

Just for the heck of it why don't you post a HijackThis log.  I'm not really expecting to find anything but it can't hurt to check:

Click here (http://www.thespykiller.co.uk/files/HJTsetup.exe) to download HJTsetup.exe
Title: Re: Infected cache files
Post by: Gabriele 08 on May 24, 2007, 05:55:35 AM
Hi mauserme,
Thanks for your interest, that I assure you is appreciated!

I know HijackT and his use, sorry for not have included it in the list of things that I tried!!
In every case Hijacklog can't help us, because it seems "pure like a new-born"!
None of the other scans I performed (mentioned in my previous posts), have detected something. I tried too anti-rootkit scan with F-Secure BlackLight and with Gmer.

So, before many tries, (not last analysis of cached files with avast after running CCleaner) thinking that my system is clean, I posted another time, to see if there is a possibility that the question depending to avast.
If no the case, the other option may be a threat very very capable to hide in my system. Or what else...?

Concluding with a "smile", I'm not much worry at the moment, because I'm not a pervert like GrahamE says of himself  ;D [Of course I'm joking GrahamE ;)].
So I consider that my surfing habitudes are almost secure, but sure, all is possible in Web-Jungle.
Title: Re: Infected cache files
Post by: Gabriele 08 on May 25, 2007, 05:13:37 AM
Update:

This evening I rescanned all files in my chest, and 4 of them changed status in "no virus". All these 4 files were recognized by avast like Win32:Nilage-FP.
Always today I used two times CCleaner, one time all ok, another "usual" avast's alert.

I imagine that change status of these 4 cached files in my chest, take relation with avast's updates.
I'm too optimist thinking this...??
Title: Re: Infected cache files
Post by: Lisandro on May 25, 2007, 05:20:20 AM
I imagine that change status of these 4 cached files in my chest, take relation with avast's updates.
I'm too optimist thinking this...??
You're right.
Most probably that files are safe to be restored, although I don't think they need to be restored.
Can you post the original file name and path?
Title: Re: Infected cache files
Post by: Gabriele 08 on May 25, 2007, 05:51:44 AM
Most probably that files are safe to be restored, although I don't think they need to be restored.
Can you post the original file name and path?
Oh yes, for sure I'll not restore them, there is no reason for this. I'm expecting for the end of "the mystery" and then I'll get out them!

Name cached file:
C5099E6Dd01   20may   = Win32:Nilage-FP - today = no virus
D7A152ABd01   21may   =        "                   "
7BBD4A69d01   22may   =        "                   "
_CACHE_001_   27april = Win32:Agent-GKD - then transformed in Win32:Nilage-FP - today = no virus

Location is always the same: C:\Documents and Settings\Gabri\Impostazioni locali (local settings in English?)\Dati Applicazioni\Mozilla\Firefox\profiles\random name.default\cache

Title: Re: Infected cache files
Post by: Gabriele 08 on May 28, 2007, 11:21:21 PM
Hi,
I've attached image of my avast chest. What you can see is situation at today, to be absolutely exact, there are more 4. I think is not so important to join another attachment for them, considering that 3 of them are "the same family", and the last one is related to an old avast's FP with Windows notepad.

Well, finally I've extracted all Firefox cached files from avast chest, and I've submitted all them to multi-engine scanners, like VirusTotal and Jotti (the greater part on Jotti).
A part avast, NOTHING!
Title: Re: Infected cache files
Post by: Lisandro on May 29, 2007, 12:58:15 AM
A part avast, NOTHING!
Well... you're trying to prove ad nauseam a false positive episode...
I think we can conclude this way...
Title: Re: Infected cache files
Post by: Gabriele 08 on May 29, 2007, 05:03:46 AM
Well... you're trying to prove ad nauseam a false positive episode...
:) :) absolutely correct Tech! I tried this last one, just because I'm a sort of "maniac" ;D

Now seriously, nothing more than wait to see if Alwil team will find the solution. Always if, what is happening to me, GrahamE and Thomas depends to avast.
In every contrary case, I'll take in consideration different methods for cleaning my browser's cache.
In the meantime, thanks to you and other users, for your replies in this topic.
Title: Re: Infected cache files
Post by: Lisandro on May 29, 2007, 02:26:56 PM
if Alwil team will find the solution.
The most difficult thing for me right now is to reproduce any kind of similar behavior.
I have browsers, CCleaner and avast. Never have a false positive using CCleaner.
So, it's weird. Or CCleaner or avast or browsers installation aren't good...