Author Topic: csinject.exe TROJAN Horse Virus found!  (Read 7848 times)

Offline lakrsrool

  • Advanced Poster
  • **
  • Posts: 712
  • Get the Picture !
csinject.exe TROJAN Horse Virus found!
« on: October 08, 2006, 07:51:51 PM »
When I launch Avast I get this message when the MEMORY is scanned:

A Trojan Horse Was Found!!! - Avast Warning message box with the following info:

File name: c:\program files\norton cleansweep\csinject.exe
Malware name: Win34:Small-CAA[Tfj]
Malware Type: Trojan Horse
VPS version: 0640-6, 10/08/06

It is recommended to "Move to chest"

When I do this I get a message box stating:
ACCESS DENIED
"Cannot Access csinject.exe"

So at this point every time I launch Avast I get this same warning which tells me that nothing is done by Avast to resolve this.

I have a question: why didn't Avast STOP this Virus before it found it as a result of the memory scan when launching Avast?

I have all of the protection running on Avast at all times.

Could this be a false alarm (since I do have the most current database) and be a VALID executable that Norton Clean Sweep uses?

Why is Avast unable to do what is recommended and move the file to the chest?

What is my solution at this time?

Thanks in advance.
« Last Edit: October 08, 2006, 07:54:45 PM by lakrsrool »
Processor: i3 2.53 GHz 4 GIG RAM, OS: WIN 7, Connection: High Speed, Virus/Malware Protection: Avast-2015, SpywareBlaster, Windows Firewall & Defender. Email: Outlook 2010 w/ POP Peeper Email Notifiers.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: csinject.exe TROJAN Horse Virus found!
« Reply #1 on: October 08, 2006, 08:02:10 PM »
By its name and location alone this csinject.exe (CleanSweep Inject) I suspect can inject code into processes which in itself could be malicious, but I suspect just a part of Norton (spit) CleanSweep. It may also be protected by Norton/CleanSweep, etc.

avast is monitoring processes and when this injects code it is being detected as a trojan rather than a tool, IMHO.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner
Or Jotti - Multi engine on-line virus scanner. If any other scanners here detect them it is less likely to be a false positive. You can't do this with the file in the chest, you will need to move it out.

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.
Also see (Mini Sticky) False Positives, how to report and what to do to exclude them until the problem is corrected.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline lakrsrool

  • Advanced Poster
  • **
  • Posts: 712
  • Get the Picture !
Re: csinject.exe TROJAN Horse Virus found!
« Reply #2 on: October 08, 2006, 08:53:59 PM »
Thanks David for the help. It certainly does look like a false positive.

I will email Alwil & report as a suspected false positive.

Jotti results:
File: csinject.exe

Status: POSSIBLY INFECTED/MALWARE (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because of this, results of this scan will not be recorded in the database.)

MD5 805e51d699563c5b0229279d0f8dfa3d

Packers detected: -

Scanner results
AntiVir  Found nothing
ArcaVir  Found nothing
Avast Found Win32:Small-CAA
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing

I also scanned locally with my Clamwin scanner with updated Virus database.

Thanks again, I hope your "hang" problem is solved, wish I could help.   :(

I had such a problem a while back with an Avast software upgrade that would just not work with WIN98SE that I have just been sticking with 7.7.827 because I know it works without any problems with my O.S.  ;)

Offline lakrsrool

  • Advanced Poster
  • **
  • Posts: 712
  • Get the Picture !
Re: csinject.exe TROJAN Horse Virus found!
« Reply #3 on: October 08, 2006, 09:28:07 PM »
I have added the following to Avast in the advanced tab of the Standard Shield:

C:\Program Files\Norton CleanSweep\csinject.exe

It doesn't help.

I cannot send emails with even the name "csinject.exe" in the email (file not attached), which I don't understand at all, to send the email to Alwil.

Maybe it is because the file is in memory, I have no idea.

I am thinking that I cannot add a path with spaces in it.

Like "Program Files\Norton Cleansweep..." which has spaces in the name.

But this is the path, this is something I don't understand about more current computers as there was no problem with the old DOS systems that didn't allow spaces.

I am just not up on all of the newer concepts.

How do I add the path properly so Avast will ignore this file that resides in a path as I have described?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: csinject.exe TROJAN Horse Virus found!
« Reply #4 on: October 08, 2006, 09:34:37 PM »
Quote from: lakrsrool
I have added the following to Avast in the advanced tab of the Standard Shield:
C:\Program Files\Norton CleanSweep\csinject.exe
It doesn't help.

Maybe you have to boot before... or disable/enable the Standard Shield...

Quote from: lakrsrool
I cannot send emails with even the name "csinject.exe" in the email (file not attached), which I don't understand at all, to send the email to Alwil.

Which is your email program and your server (I mean, @what?).

Quote from: lakrsrool
I am thinking that I cannot add a path with spaces in it.
Like "Program Files\Norton Cleansweep..." which has spaces in the name.

You can use spaces there, but you can use the short path too, something like: C:\Progra~1\Norton~2\csinject.exe
The best things in life are free.

Offline lakrsrool

  • Advanced Poster
  • **
  • Posts: 712
  • Get the Picture !
Re: csinject.exe TROJAN Horse Virus found!
« Reply #5 on: October 08, 2006, 10:11:08 PM »
So you CAN use spaces, well in that case I should not have a problem.

As far as the email is concerned I am using Outlook Express.  I was unable to send with the file attached because Avast would block it, so I created an email without the attachment & was just trying to send that one email but apparently even though I was only sending the email without the attachment Avast was finding the other file with the attachment in the "outbox" and stopping my email program. I conclude this because as soon as I removed the attachment from the email in the outbox then I was able to send the email.

As far as setting Avast to ignore the file it doesn't seem to work as I placed the path "C:\Program Files\Norton CleanSweep\csinject.exe" in the advance tab area for Avast to ignore the file.

I have tried first turning the Standard Shield OFF & then back ON by "terminating" it & then "activating" it again.

Avast still finds the file in memory as a Virus when I launch Avast to scan my computer.

I then tried rebooting...

Avast still finds the file in memory as a Virus when I launch Avast.

I guess I can ignore Avast and go ahead and scan my computer which is all I want to do before I run my backup to my secondary hard drive.

I guess since I was now able to send the email to Alwil @ virus@avast.com; Alwil will fix the Virus database on the next update and so in the mean time I can just ignore the Avast warning for now.

But I still would like to know why Avast ignores my entry in the Standard Shield to ignore the file.

Maybe this is just for ignoring the file if encountered but not in the case of "MEMORY SCAN" when Avast is launched....

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: csinject.exe TROJAN Horse Virus found!
« Reply #6 on: October 08, 2006, 10:46:09 PM »
Quote from: lakrsrool
As far as the email is concerned I am using Outlook Express.  I was unable to send with the file attached because Avast would block it, so I created an email without the attachment & was just trying to send that one email but apparently even though I was only sending the email without the attachment Avast was finding the other file with the attachment in the "outbox" and stopping my email program. I conclude this because as soon as I removed the attachment from the email in the outbox then I was able to send the email.

I see no trouble in this behavior, I mean, with avast home version, the first email detected as being infected will block all the 'others' that weren't sent yet...

Quote from: lakrsrool
As far as setting Avast to ignore the file it doesn't seem to work as I placed the path "C:\Program Files\Norton CleanSweep\csinject.exe" in the advance tab area for Avast to ignore the file.

But this file, when attached, is not that one... it's the outbox of OE and not the original file...
You need to add the outbook.dbx

Offline lakrsrool

  • Advanced Poster
  • **
  • Posts: 712
  • Get the Picture !
Re: csinject.exe TROJAN Horse Virus found!
« Reply #7 on: October 09, 2006, 03:35:46 AM »
Tech wrote:
Quote from: lakrsrool on October 08, 2006, 08:11:08 PM
As far as setting Avast to ignore the file it doesn't seem to work as I placed the path "C:\Program Files\Norton CleanSweep\csinject.exe" in the advance tab area for Avast to ignore the file.
Quote from: Tech on October 08, 2006, 08:46:09 PM
But this file, when attached, is not that one... it's the outbox of OE and not the original file...
You need to add the outbook.dbx

Thanks Tech but...

What I meant was that when I launch Avast and do a scan the file is still found by Avast as a virus even though I have placed the path & file name in the Standard Shield to ignore.

Refer to my post:
Quote
I have tried first turning the Standard Shield OFF & then back ON by "terminating" it & then "activating" it again.

Avast still finds the file in memory as a Virus when I launch Avast to scan my computer.

I then tried rebooting...

Avast still finds the file in memory as a Virus when I launch Avast.

I guess I can ignore Avast and go ahead and scan my computer which is all I want to do before I run my backup to my secondary hard drive.

As you can see I am speaking about when "launching" Avast not about the email.

I realized that apparently Avast is blocking the email based on what I posted:
Quote
... trying to send that one email but apparently even though I was only sending the email without the attachment Avast was finding the other file with the attachment in the "outbox" and stopping my email program.

As far as starting Avast and running a scan I would expect Avast to ignore the file rather than STILL finding the file as a Virus when I have told Avast to ignore the following:
"C:\Program Files\Norton CleanSweep\csinject.exe"

But instead Avast still finds the file at that location as a Virus both on startup in MEMORY and when scanning the hard drive.

Any reason why Avast would still alert me that my computer is infected if Avast is told to ignore it?

« Last Edit: October 09, 2006, 03:41:07 AM by lakrsrool »

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: csinject.exe TROJAN Horse Virus found!
« Reply #8 on: October 09, 2006, 10:40:52 AM »
It's actually quite simple - the memory scan in avast! splash screen has nothing to do with Standard Shield, it's an ordinary on-demand scan (because you started it).
So, exclusions from program settings should apply here, not the Standard Shield ones.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: csinject.exe TROJAN Horse Virus found!
« Reply #9 on: October 09, 2006, 05:32:46 PM »
Quote from: igor
So, exclusions from program settings should apply here, not the Standard Shield ones.

For the other providers (on-demand scanning):
Right click the 'a' blue icon, click Program Settings.
Go to Exclusions tab and click on Add button...  :)