Author Topic: Infected cache files  (Read 20289 times)

0 Members and 1 Guest are viewing this topic.

Gabriele 08

  • Guest
Infected cache files
« on: April 27, 2007, 10:52:11 PM »
For first: Hi all forum!
I'm an avast user (an happy avast user!) of home free Edition. I'm new here and before beginning i want to give my congratulations to avast staff, and to the users that make this forum a very good place for competence and courtesy!!
Please, be patients with my english that's nothing good..or terrible.

During the cleaning of mozilla cache internet with CCleaner, (3,9mb for a session of only 2 hours) avast stopped 2 times the operation and warning for --> Win32:Agent-GHL[tRJ] and then for -->Win32:Agent-GKD[Trj]. So, i moved the 2 cache files to the chest. Just first i thought for a false positive because I received no advice from avast surfing. But after seeing in my temp folder, there was a random.temp and in normal mode I was not able eliminate it, so I reboot in safe mode and finally removed random.temp file!
Today I performed: Avast boot scan [nothing]
- SpywareTerminator complete scan, safe mode [nothing]
- SUPERantyspyware free, complete scan, safe mode [nothing]
- A-squared, deep scan [nothing]
- Spybot, safe mode, that detected a voice of Carima Enterprises in Firefox(default) bookmarks....
I checked it, perform a new scan of Spybot and nothing result.
What may be happened? What do you think about?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Infected cache files
« Reply #1 on: April 28, 2007, 03:16:52 AM »
So, i moved the 2 cache files to the chest.
You've done the wiser and better thing.

What may be happened? What do you think about?
Which is your Standard Shield sensitivity?
If you right click the files into Chest and scan them again, are they marked as infected?
The best things in life are free.

Gabriele 08

  • Guest
Re: Infected cache files
« Reply #2 on: April 28, 2007, 05:19:06 AM »
Which is your Standard Shield sensitivity?
If you right click the files into Chest and scan them again, are they marked as infected?
Hi Tech,
Standard Shield sensivity is high.
I just examine file in the chest, and YES avast says virus found. (I didn't know the option of scan the file in the chest, so thanks for let me learn one thing more. Well I have to say that a part the false positive of avast with notepad some months ago that perhaps you remember, I have not experience of virus  8))

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Infected cache files
« Reply #3 on: April 28, 2007, 05:48:29 PM »
Standard Shield sensivity is high.
Hmmm... Standard Shield at High should be scanned the files first... at least they're into an archive file (.zip, .arj, etc.).
The best things in life are free.

Gabriele 08

  • Guest
Re: Infected cache files
« Reply #4 on: April 28, 2007, 10:09:25 PM »
Hmmm... Standard Shield at High should be scanned the files first... at least they're into an archive file (.zip, .arj, etc.).
So is also your opinion that is strange what happened?
I changed sensivity to high I think one month ago, and generally nothing changed, only 2 times, I received advice. One time saying that: in "name site" there are traces of "name malware"; and another when in a page forum, avast recognized a zip infected file that an user have to send to be examinated or something similar, I don't remember exactly now.
One question, perhaps stupid...!! Being the Avast chest a protect and lock zone of pc, I suppose is not possible submit the 2 files I have there, for example to VirusTotal, is correct?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Infected cache files
« Reply #5 on: April 28, 2007, 10:13:20 PM »
So is also your opinion that is strange what happened?
Strange? Yes. To be worried that much? Not really.

Being the Avast chest a protect and lock zone of pc, I suppose is not possible submit the 2 files I have there, for example to VirusTotal, is correct?
Yes. You can only submit them to VirusTotal is you right click them, extract to an USB drive for instance and submit to VirusTotal from there. Take care.
« Last Edit: April 28, 2007, 11:16:19 PM by Tech »
The best things in life are free.

Gabriele 08

  • Guest
Re: Infected cache files
« Reply #6 on: April 28, 2007, 10:38:11 PM »
Well...probably I give a wrong appearence at the matter. As I hear, is not a question to be worry. I'm not so worry Tech  ;) ,but (if and when possible) I like understand, or try it! :)
 

Gabriele 08

  • Guest
Re: Infected cache files
« Reply #7 on: May 22, 2007, 11:10:26 PM »
Hi,
I begin again this topic, with some updates.
After more or less one month from my first post (28 April) I think that may be there is a problem...

I saw in forum that there was a "similar" problem posted by the user GrahamE, here --> CCleaner Trojans. There the question was above all about temporary files, while for me is about cache files.
A common circumstance is that for me too, problems begun the 27 April like GrahamE
But while for him problems seem to be solved, for me no  :(

The matter is that from that day, many many times (but not all times) using CCleaner for cache,temporary,etc. avast give me alerts, for Trojans various...
I regulary moved these files in chest, and so now, I have a big chest...!!

System has been checked with many programs, those mentioned in my first post with more F-Secure BlackLight and Gmer. And analized by Kaspersky online and Ewido online, so I think that I may  believe that system is absolutely clean!!

Yesterday I checked another time with avast all files in chest, but only 3 of them changed status in "no virus".
Some Others changed name (example: Win32:Agent-GYJ --> ......-GXN), and for the others nothing changed (always recognized like trojans).
Well, then I tried a little test.
I navigate a few and then:
a)I checked separately the files of folder cache (20 more or less) with avast control from contextual menĂ¹
b)I checked always with ashquick, the entire folder cache
c)I opened avast and I selected a custom scan of folder cache (selecting after "standard" and then "Thorough" sensivity)
All OK for avast in all 3 controls!
Immediatly I opened CCleaner and go for a claening cache, and avast noticed for Win32:agent-GYJ; ....-GWD;....-GXN 
????? :( :(
So, really a troublesome situation, especially if you clean very often like me!

Does avast may try to solve this situation please?
May I have to send files in my chest to avast? Or I have to wait if they ask me for this?

P.S. Sorry for so long post but I would try explain the situation as much better I can...

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Infected cache files
« Reply #8 on: May 23, 2007, 12:11:08 AM »
What were the full filenames of those files detected after opening CCleaner?

GrahamE

  • Guest
Re: Infected cache files
« Reply #9 on: May 23, 2007, 01:04:56 AM »
Well it's nice to know I'm not alone in my surfing habits!  8)

Sadly, my problem hasn't been resolved, since I've had 2 more occurrences since my last post. The second of these came when (having used CCleaner when I came offline previously), I opened Internet Explorer, my homepage (Google) came up, and I was called away and so logged off. On using CCleaner, Avast found (traces of) a virus in the temp internet files!

Since I, and other members of this Forum with far greater knowledge than mine, had pretty well decided that these were false-positives, and since it seemed to be using CCleaner that was causing the problem to some extent, I've set Internet Explorer to empty the temp internet files when the browser is closed. I'm still using CCleaner as well, but nothing has come up so far, after 2 days of doing this.

I'm assuming that if there really was a virus/Trojan, Avast would still detect it when Windows cleared the files (?)

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Infected cache files
« Reply #10 on: May 23, 2007, 03:28:32 AM »
Sadly, my problem hasn't been resolved, since I've had 2 more occurrences since my last post.
If you still detecting any strange behavior or even you're sure you're not clean, maybe it will be good to test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest AVG, Panda and/or F-Secure BlackLight.

Since I, and other members of this Forum with far greater knowledge than mine, had pretty well decided that these were false-positives
Do any of us said so?
The best things in life are free.

Gabriele 08

  • Guest
Re: Infected cache files
« Reply #11 on: May 23, 2007, 04:08:33 AM »
What were the full filenames of those files detected after opening CCleaner?

Hi Igor,
Here an example:
Location file = C:\Documents and Settings\Gabri\Impostazioni locali\Dati Applicazioni\Mozilla\Firefox\profiles\xxxxxx.default\cache
Name = _CACHE_003_
All files in chest about I'm speaking have the same "location", change only the "cache file name".

For instance this file just yesterday was named by avast "Win32:Agent-GVO", then after I controlled it in the chest (like I said in the post above), the definition changed for "Win32:Agent-GTZ".
I would also remember, that 3 files after yesterday's check changed in "no virus".

Thanks for your reply. For any question, here I am!

EDIT
Mmh... :-X... sorry Igor, but I realized with delay, that you are asking me for 3 yesterday's files, after "the little test".
_CACHE_003_ --> Win32:Agent-GWD
_CACHE_MAP_ -->        "        -GXN
2C66457Dd01  -->        "        -GYJ
« Last Edit: May 23, 2007, 04:59:41 AM by Gabriele 08 »

GrahamE

  • Guest
Re: Infected cache files
« Reply #12 on: May 23, 2007, 07:35:21 PM »
Sadly, my problem hasn't been resolved, since I've had 2 more occurrences since my last post.
If you still detecting any strange behavior or even you're sure you're not clean, maybe it will be good to test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest AVG, Panda and/or F-Secure BlackLight.

Since I, and other members of this Forum with far greater knowledge than mine, had pretty well decided that these were false-positives
Do any of us said so?

Hi Tech, I've gone back to my own thread (http://forum.avast.com/index.php?topic=28377.30) to reply to you, as it didn't seem fair to take over Gabriele 08's thread. I'd be grateful if you'd go there and have a look. Thank you.
« Last Edit: May 23, 2007, 07:39:02 PM by GrahamE »

mauserme

  • Guest
Re: Infected cache files
« Reply #13 on: May 23, 2007, 08:17:37 PM »
What version of CCleaner do each of you have?

Gabriele 08

  • Guest
Re: Infected cache files
« Reply #14 on: May 23, 2007, 11:37:30 PM »
Hi mauserme,
CCleaner's version is 1.40.520 (latest). Last month at begin of the history was 1.39.502