Author Topic: CCleaner Trojans  (Read 162094 times)

thomas01155

  • Guest
Re: CCleaner Trojans
« Reply #75 on: May 26, 2007, 03:46:59 PM »
Are those the results of a Virus Total or Jotti scan of one of the setup.exe's?

yes

mauserme

  • Guest
Re: CCleaner Trojans
« Reply #76 on: May 26, 2007, 03:54:10 PM »
I still feel 98% certain these are false positives (by Kaspersky too, in this case). At least in Graham's case. But it's troubling that we can't find an explanation for this odd behaviour.

Please post a log from Deckard's System Scanner, but start a new thread of your own as it will be too confusing to work on two in the same thread.

Download Deckard's System Scanner (DSS) to your Desktop.
  • Close all applications and windows.
  • Double-click on DSS.exe to run it, and follow the prompts.
  • The scan may take a minute. When the scan is complete, a text file will open - Main.txt
Extra Note: When running DSS, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your Antivirus flags DSS as suspicious. Please allow the Deckard's System Scanner to run and don't let your Antivirus delete it. (In this case, it may be better to temporarily disable your Antivirus)

Post the main.txt from the C:\Deckard\System Scanner folder into your next replies (the log will be long and will require multiple posts).

« Last Edit: May 26, 2007, 04:02:20 PM by mauserme »

mauserme

  • Guest
Re: CCleaner Trojans
« Reply #77 on: May 26, 2007, 05:46:55 PM »
Just been scanning with Adaware SE (Def. File SE1R172 22.05.07) and found another. I sent it to Chest but it just kept warning over and over. Sent 5 to Chest, then gave up and ignored it.
Just to confirm, do you mean AdAware threw alerts or avast! alerted when AdAware touched the files?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: CCleaner Trojans
« Reply #78 on: May 26, 2007, 05:58:54 PM »
My guess would be avast detecting files that adaware unpacks in the temp folder. I have previously recommended that the standard shield should be paused when running other security scans, as any file opened by adaware, etc. will also be scanned by avast and trigger an alert, making it look like an alert on adaware temp.

I tried this running adaware whilst standard shield was still running and I got an alert from avast on one of the archive files in my exclusions folder as it was unpacked in the adaware temp folder. avast is able to exclude these files in my folder, but when they are unpacked in a different location, there will obviously be an alert.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Gabriele 08

  • Guest
Re: CCleaner Trojans
« Reply #79 on: May 26, 2007, 08:31:49 PM »
I'm thinking that me, like GrahamE and now Thomas, we performed various scans with several programs, and online scans too. All seems to indicate FP in avast detection running CCleaner. It's not "totally" sure but this is what appears.
So I'm considering that (like just said by Tech I think) the cause of this situation has to be a "strange combination" of "?????????" when CCleaner cleans, unchaining avast detection!
We are supposing an avast problem during CCleaner's clean, but equally about this, we have not "absolute" certainty. (Other users don't experience the same)
Not easy to understand this situation, that is happening as GrahamE says, just from 1 month  :(

@GrahamE, @Thomas:
did you try uninstall/reinstall CCleaner? I did it, but without results
did you try flagging separately CCleaner's voices? Always no results in my case
do you use Firefox browser like me? Or IE, Opera,...? If you use Firefox, which extensions do you have on it?



GrahamE

  • Guest
Re: CCleaner Trojans
« Reply #80 on: May 27, 2007, 12:16:14 AM »
Just to confirm, do you mean AdAware threw alerts or avast! alerted when AdAware touched the files?

Avast alerted when Adaware was scanning, as DavidR suggested. Sorry I must be more specific.

It's strange that other antispywares are detecting infections, now Ad-aware

Again, sorry for not being specific!

Why don't you test full computer on-line scanning

Thanks for the links. I've run Kaspersky and BitDefender so far, both clean. I have AVGas, and I'll run a couple more tomorrow, but I think everyone is starting to think that this is an Avast problem, so I'm hopeful that nothing will be found.


1) did you try uninstall/reinstall CCleaner? I did it, but without results
2) did you try flagging separately CCleaner's voices? Always no results in my case
3) do you use Firefox browser like me? Or IE, Opera,...? If you use Firefox, which extensions do you have on it?

1) uninstalled 1.39.502 and installed 1.40.520, so yes I did.
2) sorry, I don't understand.
3) IE7


GrahamE

  • Guest
Re: CCleaner Trojans
« Reply #81 on: May 27, 2007, 04:22:14 PM »
The F-Secure online scanner came up with:

Result: 2 malware found
NetworkWorm.UZ (virus)
  C:\DOCUMENTS AND SETTINGS\GE\MY DOCUMENTS\MY UTILITIES\VIRUS\AVAST.EXE
 
  C:\DOCUMENTS AND SETTINGS\GE\DESKTOP\AVAST.EXE

Since these were found in the Avast Virus/Worm Cleaner (the actual program in My Documents, and another on the Desktop), I'm guessing that it's just detected some sort of definition in the Avast program (?)

Should I remove them from the PC and scan again?

GrahamE

  • Guest
Re: CCleaner Trojans
« Reply #82 on: May 27, 2007, 04:34:27 PM »
Just tried to install the Panda Online Scanner and Avast warned on:
27/05/2007 15:29:37   SYSTEM   1468   Sign of "Win32:CTX" has been found in "http://acs.pandasoftware.com/activescan/as5free/motor.cab\pskavs.DLL" file. 

so I decided against using it and aborted.  :P

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: CCleaner Trojans
« Reply #83 on: May 27, 2007, 04:44:45 PM »
Just tried to install the Panda Online Scanner and Avast warned on:
27/05/2007 15:29:37   SYSTEM   1468   Sign of "Win32:CTX" has been found in "http://acs.pandasoftware.com/activescan/as5free/motor.cab\pskavs.DLL" file. 
so I decided against using it and aborted.  :P
These are false detections due to Panda active scan.
Unfortunately, a well-known problem of Panda not encrypting its signatures  :P
Quote
Every virus can be identified, because it contains some unique signatures. Antiviral programs have their own database of that signatures. We call this database the "virus definition file". When an antiviral program scans a file for viruses, it compares all the signatures (of all viruses) in the database with the signatures in that file. If the signatures match (they are the same), the file is marked as infected. For an antivirus program, it is important to hide this database of signatures somehow - e.g. by encrypting it. Panda Antivirus does not encrypt its virus database - the signatures inside are clearly "visible" to other antiviral programs, so they detect this file as infected (but there is actually no virus inside - only the signatures are the same).
The best things in life are free.
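
Added example, not part of the original posts and not any vendor's code: a toy signature scanner illustrating the quoted explanation, where a definitions file that stores its signatures in the clear is itself flagged, while the same file with obscured signatures is not. The signature bytes, the file layout and the single-byte XOR (a stand-in for the encryption the quote mentions) are all constructed assumptions.

```python
"""Toy signature scanner: why a plaintext definitions file trips other scanners."""

# Constructed byte patterns standing in for virus signatures (not real ones).
SIGNATURES = {
    "Demo.Alpha": bytes.fromhex("deadbeef10203040"),
    "Demo.Beta": b"\x90\x90CONSTRUCTED-MARKER\xcc",
}
XOR_KEY = 0x5A  # hypothetical key; stands in for real encryption of the database


def scan(data: bytes, signatures: dict[str, bytes]) -> list[str]:
    """Return the names of every signature whose bytes occur anywhere in data."""
    return sorted(name for name, pattern in signatures.items() if pattern in data)


def build_definitions(signatures: dict[str, bytes], obscure: bool) -> bytes:
    """Serialise a definitions file: header, then name, NUL, length byte, pattern."""
    out = bytearray(b"DEFS1")
    for name, pattern in signatures.items():
        stored = bytes(b ^ XOR_KEY for b in pattern) if obscure else pattern
        out += name.encode() + b"\0" + bytes([len(stored)]) + stored
    return bytes(out)


def load_definitions(blob: bytes, obscured: bool) -> dict[str, bytes]:
    """Parse the file back, undoing the XOR if it was applied when writing."""
    sigs, pos = {}, 5  # skip the 5-byte header
    while pos < len(blob):
        end = blob.index(b"\0", pos)
        name = blob[pos:end].decode()
        length = blob[end + 1]
        stored = blob[end + 2:end + 2 + length]
        sigs[name] = bytes(b ^ XOR_KEY for b in stored) if obscured else stored
        pos = end + 2 + length
    return sigs


if __name__ == "__main__":
    plain = build_definitions(SIGNATURES, obscure=False)
    hidden = build_definitions(SIGNATURES, obscure=True)
    # A second scanner with overlapping signatures inspects both files.
    print("plaintext definitions flagged as:", scan(plain, SIGNATURES))
    print("obscured definitions flagged as: ", scan(hidden, SIGNATURES))
    print("obscured file still usable:", load_definitions(hidden, True) == SIGNATURES)
```

The plaintext file contains no executable code at all, yet it matches every signature it carries, which is the kind of detection described for motor.cab\pskavs.DLL above.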

GrahamE

  • Guest
Re: CCleaner Trojans
« Reply #84 on: May 27, 2007, 04:53:35 PM »
I see, thanks. What do you think about the F-Secure findings?

hlecter

  • Guest
Re: CCleaner Trojans
« Reply #85 on: May 27, 2007, 04:56:19 PM »
The F-Secure online scanner came up with:

Result: 2 malware found
NetworkWorm.UZ (virus)
  C:\DOCUMENTS AND SETTINGS\GE\MY DOCUMENTS\MY UTILITIES\VIRUS\AVAST.EXE
 
  C:\DOCUMENTS AND SETTINGS\GE\DESKTOP\AVAST.EXE

Since these were found in the Avast Virus/Worm Cleaner (the actual program in My Documents, and another on the Desktop), I'm guessing that it's just detected some sort of definition in the Avast program (?)

Should I remove them from the PC and scan again?

Just for your information:

F-secure, eSafe, Norman and Panda don't like aswclear, see attached screenshot:

EDIT: No Avast.exe here either, this is aswclnr just downloaded.

« Last Edit: May 27, 2007, 05:08:56 PM by hlecter »

mauserme

  • Guest
Re: CCleaner Trojans
« Reply #86 on: May 27, 2007, 05:00:40 PM »
The F-Secure online scanner came up with:

Result: 2 malware found
NetworkWorm.UZ (virus)
  C:\DOCUMENTS AND SETTINGS\GE\MY DOCUMENTS\MY UTILITIES\VIRUS\AVAST.EXE
 
  C:\DOCUMENTS AND SETTINGS\GE\DESKTOP\AVAST.EXE

Since these were found in the Avast Virus/Worm Cleaner (the actual program in My Documents, and another on the Desktop), I'm guessing that it's just detected some sort of definition in the Avast program (?)

Should I remove them from the PC and scan again?
Are you sure of the file name (avast.exe)?  I just installed the avast! virus cleaner and do not have that on my computer.

GrahamE

  • Guest
Re: CCleaner Trojans
« Reply #87 on: May 27, 2007, 05:07:38 PM »
F-secure, eSafe, Norman and Panda don't like aswclear, see attached screenshot:

Thank you.

Are you sure of the file name (avast.exe)?  I just installed the avast! virus cleaner and do not have that on my computer.

I can't honestly remember, because I downloaded it a while ago, but I suspect I changed the name to 'avast' when I saved it, which I think would account for that.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: CCleaner Trojans
« Reply #88 on: May 27, 2007, 05:32:06 PM »
I can't honestly remember, because I downloaded it a while ago, but I suspect I changed the name to 'avast' when I saved it, which I think would account for that.
If you change the name of the downloaded file, it will be ok.
The best things in life are free.

GrahamE

  • Guest
Re: CCleaner Trojans
« Reply #89 on: May 27, 2007, 08:48:56 PM »
If you change the name of the downloaded file, it will be ok.

I deleted it and redownloaded it, not changing the name this time, just to be sure, and F-Secure still finds the same things:

Result: 2 malware found
NetworkWorm.ACJ (virus)
  C:\DOCUMENTS AND SETTINGS\GE\MY DOCUMENTS\MY UTILITIES\VIRUS\ASWCLNR.EXE
  C:\DOCUMENTS AND SETTINGS\GE\DESKTOP\ASWCLNR.EXE

Apart from that then, all online scans have come up clean. Surely this must mean that the findings to do with CCleaner are false-positives. I just wish Alwil would do something. You'd think it'd be worth their while, if only to stop me sending stuff to them!  ;D