Author Topic: CCleaner Trojans  (Read 162732 times)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: CCleaner Trojans
« Reply #90 on: May 27, 2007, 09:37:43 PM »
And as was explained by hlecter in reply #85 above (http://forum.avast.com/index.php?topic=28377.msg233536#msg233536), this is simply a bad detection by F-Secure.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

GrahamE

  • Guest
Re: CCleaner Trojans
« Reply #91 on: May 27, 2007, 09:48:05 PM »
Yes I know. I wasn't suggesting that the explanation wasn't correct. I was just checking that the reason for 'avast.exe' was because I'd changed the name, and was confirming my earlier response to mauserme's query.  :)

mauserme

  • Guest
Re: CCleaner Trojans
« Reply #92 on: May 27, 2007, 10:21:52 PM »
Apart from that then, all online scans have come up clean. Surely this must mean that the findings to do with CCleaner are false-positives. I just wish Alwil would do something. You'd think it'd be worth their while, if only to stop me sending stuff to them!  ;D
Usually they're pretty quick to correct false positives. These may be a bit more involved than normal, however. What with detection names changing, etc., it may take a little more time.

Still, a word from "the team" would be nice ...

GrahamE

  • Guest
Re: CCleaner Trojans
« Reply #93 on: May 28, 2007, 02:22:25 AM »
Usually they're pretty quick to correct false positives. These may be a bit more involved than normal, however. What with detection names changing, etc., it may take a little more time.

Yeah, I'm sure you're right.

While this thread is still near the top of the list, I really would like to thank Tech and mauserme especially, but also everyone else who's helped me with this. Not only am I feeling far more confident that I'm not infected, I've also learnt a few things, and have had my arsenal of protection increased by a number of recommendations. I'm always amazed when I come on here by the amount of effort that is put in to give help and support. Even DavidR's 'can you really be that stupid, the question's already been answered' approach has a certain warmth to it!  ;D Really - thank you.  :)

mauserme

  • Guest
Re: CCleaner Trojans
« Reply #94 on: May 28, 2007, 03:04:11 AM »
Glad to help, Graham.

But let's not completely walk away from this.  Rather, give it a couple more days and we'll see if false positives are fixed.  If not, I'm certainly willing to give this more thought (actually I have been even though I haven't been posting much today).  I'm just not comfortable with assumptions and leaving things unexplained.

Let us know, OK?
« Last Edit: May 28, 2007, 03:06:03 AM by mauserme »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: CCleaner Trojans
« Reply #95 on: May 28, 2007, 03:14:00 AM »
I really would like to thank Tech and mauserme especially
I did nothing... all deep info here belongs to mauserme 8)

I'm always amazed when I come on here by the amount of effort that is put in to give help and support.
That is what makes us almost a 'real' family 8)
The best things in life are free.

GrahamE

  • Guest
Re: CCleaner Trojans
« Reply #96 on: May 28, 2007, 03:36:53 AM »
I'm just not comfortable with assumptions and leaving things unexplained.

Well, no, I can't say I'm completely comfortable with it. I dislike it when things happen that can't be explained by either my actions or my incompetence! While I feel far more assured, I'll only be fully convinced when I can scan the items in the Chest and 'no virus' is reported, and when cleaning with CCleaner stops provoking Avast alerts.

It goes without saying that if that happens, I'll let you know. And if it doesn't, this thread will be back at the top of the list again!  ;D

I did nothing...

I don't think so...

That is what makes us almost a 'real' family 8)

I can feel myself going into a Gwyneth Paltrow-type speech here ( :'(), but yeah, you're right. Thank you.

mauserme

  • Guest
Re: CCleaner Trojans
« Reply #97 on: May 28, 2007, 02:26:00 PM »
I really would like to thank Tech and mauserme especially
Each piece of the puzzle is as important as the next ...  8)


I can feel myself going into a Gwyneth Paltrow-type speech here ...
Part of that "other problem"? ;D

GrahamE

  • Guest
Re: CCleaner Trojans
« Reply #98 on: May 28, 2007, 02:38:55 PM »
Part of that "other problem"? ;D

That keeps coming back to haunt me!  ;D

They're still coming:

28/05/2007 03:18:52   GE   1456   Sign of "Win32:Agent-GXN [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\JB3KZWS5\RRRRRRRRRRRR.RRR" file. 

mauserme

  • Guest
Re: CCleaner Trojans
« Reply #99 on: May 28, 2007, 02:59:43 PM »
Just been scanning with Adaware SE (Def. File SE1R172 22.05.07) and found another. I sent it to Chest but it just kept warning over and over. Sent 5 to Chest, then gave up and ignored it. I've sent them to Avast again, with link to this.

Log:

26/05/2007 11:07:30   GE   1480   Sign of "Win32:Agent-GHL [Trj]" has been found in "C:\DOCUME~1\GE\LOCALS~1\Temp\AAWTMP\C2922546\3932046" file. 
26/05/2007 11:12:01   GE   1480   Sign of "Win32:Agent-GHL [Trj]" has been found in "C:\DOCUME~1\GE\LOCALS~1\Temp\AAWTMP\C2922546\4202562" file. 
26/05/2007 11:12:21   GE   1480   Sign of "Win32:Agent-GHL [Trj]" has been found in "C:\DOCUME~1\GE\LOCALS~1\Temp\AAWTMP\C2922546\4223343" file. 
26/05/2007 11:12:34   GE   1480   Sign of "Win32:Agent-GHL [Trj]" has been found in "C:\DOCUME~1\GE\LOCALS~1\Temp\AAWTMP\C2922546\4236281" file. 
26/05/2007 11:13:06   GE   1480   Sign of "Win32:Agent-GHL [Trj]" has been found in "C:\DOCUME~1\GE\LOCALS~1\Temp\AAWTMP\C2922546\4268406" file. 
26/05/2007 11:13:32   GE   1480   Sign of "Win32:Agent-GHL [Trj]" has been found in "C:\DOCUME~1\GE\LOCALS~1\Temp\AAWTMP\C2922546\4293937" file. 

If these are false-positives, I wish someone up high would sort them out. It's been going on for a month now. I know they've got more to do than this, and they're very busy, but.....

On the other hand, if they're not FP's, it would be nice to be told, because my system is riddled with the things!
I've been looking through the entire thread and found that AAWTMP is the temporary folder created by AdAware during a scan.  So this part of the mystery is solved.  Those detections were not files lurking on your computer - they were created by AdAware and immediately detected by avast!

DavidR (and others) always recommend stopping the avast! standard shield while scanning with something else, and this is why.

mauserme

  • Guest
Re: CCleaner Trojans
« Reply #100 on: May 28, 2007, 03:17:34 PM »
:'(

26/05/2007 12:28:54   GE   1480   Sign of "Win32:Agent-GXN [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat" file. 

CCleaner.
Part of IE7's antiphishing feature.  No worries here.

GrahamE

  • Guest
Re: CCleaner Trojans
« Reply #101 on: May 28, 2007, 03:35:04 PM »
DavidR (and others) always recommend stopping the avast! standard shield while scanning with something else, and this is why.

Yeah, I can understand that. I suppose that if I turned it off before using CCleaner, I wouldn't have the problems with that either. The only problem I see with that is - how far do you take it? If I turn Avast off completely, I'd never detect a virus, but...

I've been using Adaware since 2005, and it's never had this problem with Avast before. Similarly, I've had CCleaner on my system for ages. I've never turned Avast off before doing a scan with any other program, and there's never been a problem before now. If I go down the road of turning it off before doing certain things that have run simultaneously up until now, I'd just feel that I was hiding the problem, which should be fixed by updates to Avast. 

Part of IE7's antiphishing feature.  No worries here.

Basically, we're back to the same thing I guess - if Avast gets updated to stop these FP's... 8)

mauserme

  • Guest
Re: CCleaner Trojans
« Reply #102 on: May 28, 2007, 03:40:21 PM »
This is what I've got in the log viewer:
....
....

07/05/2007 00:25:26   GE   1484   Sign of "Win32:Agent-GKD [Trj]" has been found in "C:\WINDOWS\Internet Logs\VVVVVVVVV.VV.VV.VVV" file. 

This is the path for the Zone Alarm log files but the structure of the file name is incorrect.

Take a look in the ZA logs and see if there is anything unusual.  The extension should be .tmp

mauserme

  • Guest
Re: CCleaner Trojans
« Reply #103 on: May 28, 2007, 03:45:21 PM »
Yeah, I can understand that. I suppose that if I turned it off before using CCleaner, I wouldn't have the problems with that either. The only problem I see with that is - how far do you take it? If I turn Avast off completely, I'd never detect a virus, but...
I know what you're saying.  And honestly I never turn off avast! before doing other scans either.

Right now I'm just trying to eliminate some of these detections as actual malware so we can concentrate on things that may have real significance.  Once we either find malware or eliminate all detections from consideration we'll try to figure out why the FPs started so suddenly.
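
The elimination step described in replies #99 to #103, sketched as an added example (not code from any poster or from avast!): it parses the log lines quoted in this thread and tags each detected path with the program the thread identified as its writer, keeping everything else for review. The path fragments, labels and function names are this example's own assumptions; a tag records who created the file, not that the detection is false.

```python
import re
from collections import defaultdict

# Log lines copied from the posts in this thread (file names masked as posted).
LOG = r'''
26/05/2007 11:07:30   GE   1480   Sign of "Win32:Agent-GHL [Trj]" has been found in "C:\DOCUME~1\GE\LOCALS~1\Temp\AAWTMP\C2922546\3932046" file.
26/05/2007 12:28:54   GE   1480   Sign of "Win32:Agent-GXN [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat" file.
07/05/2007 00:25:26   GE   1484   Sign of "Win32:Agent-GKD [Trj]" has been found in "C:\WINDOWS\Internet Logs\VVVVVVVVV.VV.VV.VVV" file.
28/05/2007 03:18:52   GE   1456   Sign of "Win32:Agent-GXN [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\JB3KZWS5\RRRRRRRRRRRR.RRR" file.
'''

LINE = re.compile(r'^(\S+ \S+)\s+(\S+)\s+(\d+)\s+Sign of "([^"]+)" has been found in "([^"]+)" file\.')

# (lower-cased path fragment, writer named in the thread). Labels are this example's own.
ORIGINS = [
    ("\\temp\\aawtmp\\", "Ad-Aware scan temp folder"),
    ("\\temporary internet files\\antiphishing\\", "IE7 antiphishing data"),
    ("\\windows\\internet logs\\", "ZoneAlarm log folder"),
]

def parse(text):
    """Yield one dict per detection line; non-matching lines are skipped."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            when, user, pid, sig, path = m.groups()
            yield {"when": when, "user": user, "pid": int(pid), "sig": sig, "path": path}

def origin(path):
    """Return (writer, needs_review) for a detected path."""
    p = path.lower()
    for fragment, writer in ORIGINS:
        if fragment in p:
            # Thread: ZoneAlarm log files should end in .tmp; anything else is odd.
            odd = writer.startswith("ZoneAlarm") and not p.endswith(".tmp")
            return writer, odd
    return "unexplained", True

def triage(text):
    """Group detections by writer and collect the ones still needing a look."""
    groups, review = defaultdict(list), []
    for d in parse(text):
        writer, odd = origin(d["path"])
        groups[writer].append(d)
        if odd:
            review.append(d)
    return dict(groups), review
```

`triage(LOG)` returns the detections grouped by writer plus a review list; on the lines above, the review list holds the oddly named file in the ZoneAlarm log folder and the Content.IE5 file, which the thread has not yet explained.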

GrahamE

  • Guest
Re: CCleaner Trojans
« Reply #104 on: May 28, 2007, 03:57:55 PM »
Take a look in the ZA logs and see if there is anything unusual.  The extension should be .tmp

Well, I've had a look, and I wouldn't know if there was anything unusual unless it was labelled 'HELLO! I'm a VIRUS!!'  ;D

I'll post it if you want, but there's quite a lot of it. (If I do post it, I assume I won't be 'publishing' anything that could be used by iffy people? - and I really don't need comments about my surfing habits please  ;D -that isn't what I'm talking about!)