Author Topic: CCleaner Trojans  (Read 150424 times)

0 Members and 1 Guest are viewing this topic.

Offline DavidR

  • Avast √úberevangelist
  • Certainly Bot
  • *****
  • Posts: 87055
  • No support PMs thanks
Re: CCleaner Trojans
« Reply #90 on: May 27, 2007, 09:37:43 PM »
And was explained by hlecter in reply # 85 above http://forum.avast.com/index.php?topic=28377.msg233536#msg233536, this is simply a bad detection by f-secure.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.10.6038 (build 22.10.7633.734) UI 1.0.733/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

GrahamE

  • Guest
Re: CCleaner Trojans
« Reply #91 on: May 27, 2007, 09:48:05 PM »
Yes I know. I wasn't suggesting that the explanation wasn't correct. I was just checking that the reason for 'avast.exe' was because I'd changed the name, and was confirming my earlier response to mauserme's query.  :)

mauserme

  • Guest
Re: CCleaner Trojans
« Reply #92 on: May 27, 2007, 10:21:52 PM »
Apart from that then, all online scans have come up clean. Surely this must mean that the findings to do with CCleaner are false-positives. I just wish Alwil would do something. You'd think it'd be worth their while, if only to stop me sending stuff to them!  ;D
Usually they're pretty quick to correct false positives. These may be a bit more invlolved that normal, however.  What with detection names changing, etc it may take a little more time.

Still, a word from "the team" would be nice ...

GrahamE

  • Guest
Re: CCleaner Trojans
« Reply #93 on: May 28, 2007, 02:22:25 AM »
Usually they're pretty quick to correct false positives. These may be a bit more invlolved that normal, however.  What with detection names changing, etc it may take a little more time.

Yeah, I'm sure you're right.

While this thread is still near the top of the list, I really would like to thank Tech and mauserme especially, but also everyone else who's helped me with this. Not only am I feeling far more confident that I'm not infected, I've also learnt a few things, and have had my arsenal of protection increased by a number of recommendations. I'm always amazed when I come on here by the amount of effort that is put in to give help and support. Even DavidR's 'can you really be that stupid, the question's already been answered' approach has a certain warmth to it!  ;D Really - thank you.  :)

mauserme

  • Guest
Re: CCleaner Trojans
« Reply #94 on: May 28, 2007, 03:04:11 AM »
Glad to help, Graham.

But lets not completely walk away from this.  Rather, give it a couple more days and we'll see if false positives are fixed.  If not, I'm certainly willing to give this more thought (actually I have been even though I haven't been posting much today).  I'm just not comfortable with assumptions and leaving things unexplained.

Let us know, OK?
« Last Edit: May 28, 2007, 03:06:03 AM by mauserme »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67235
Re: CCleaner Trojans
« Reply #95 on: May 28, 2007, 03:14:00 AM »
I really would like to thank Tech and mauserme especially
I did nothing... all deep info here belongs to mauserme 8)

I'm always amazed when I come on here by the amount of effort that is put in to give help and support.
That is what makes us almost a 'real' family 8)
The best things in life are free.

GrahamE

  • Guest
Re: CCleaner Trojans
« Reply #96 on: May 28, 2007, 03:36:53 AM »
I'm just not comfortable with assumptions and leaving things unexplained.

Well, no, I can't say I'm completely comfortable with it. I dislike it when things happen that can't be explained by either my actions or my incompetence! While I feel far more assured, I'll only be fully convinced when I can scan the items in the Chest and 'no virus' is reported, and when cleaning with CCleaner stops provoking Avast alerts.

It goes without saying that if that happens, I'll let you know. And if it doesn't, this thread will be back at the top of the list again!  ;D

I did nothing...

I don't think so...

That is what makes us almost a 'real' family 8)

I can feel myself going into a Gwynneth Paltrow-type speech here ( :'(), but yeah, you're right. Thank you.

mauserme

  • Guest
Re: CCleaner Trojans
« Reply #97 on: May 28, 2007, 02:26:00 PM »
I really would like to thank Tech and mauserme especially
Each piece of the puzzle is as important as the next ...  8)


[I can feel myself going into a Gwynneth Paltrow-type speech here ...
Part of that "other problem"? ;D

GrahamE

  • Guest
Re: CCleaner Trojans
« Reply #98 on: May 28, 2007, 02:38:55 PM »
Part of that "other problem"? ;D

That keeps coming back to haunt me!  ;D

They're still coming:

28/05/2007 03:18:52   GE   1456   Sign of "Win32:Agent-GXN [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\JB3KZWS5\RRRRRRRRRRRR.RRR" file. 

mauserme

  • Guest
Re: CCleaner Trojans
« Reply #99 on: May 28, 2007, 02:59:43 PM »
Just been scanning with Adaware SE (Def. File SE1R172 22.05.07) and found another. I sent it to Chest but it just kept warning over and over. Sent 5 to Chest, then gave up and ignored it. I've sent them to Avast again, with link to this.

Log:

26/05/2007 11:07:30   GE   1480   Sign of "Win32:Agent-GHL [Trj]" has been found in "C:\DOCUME~1\GE\LOCALS~1\Temp\AAWTMP\C2922546\3932046" file. 
26/05/2007 11:12:01   GE   1480   Sign of "Win32:Agent-GHL [Trj]" has been found in "C:\DOCUME~1\GE\LOCALS~1\Temp\AAWTMP\C2922546\4202562" file. 
26/05/2007 11:12:21   GE   1480   Sign of "Win32:Agent-GHL [Trj]" has been found in "C:\DOCUME~1\GE\LOCALS~1\Temp\AAWTMP\C2922546\4223343" file. 
26/05/2007 11:12:34   GE   1480   Sign of "Win32:Agent-GHL [Trj]" has been found in "C:\DOCUME~1\GE\LOCALS~1\Temp\AAWTMP\C2922546\4236281" file. 
26/05/2007 11:13:06   GE   1480   Sign of "Win32:Agent-GHL [Trj]" has been found in "C:\DOCUME~1\GE\LOCALS~1\Temp\AAWTMP\C2922546\4268406" file. 
26/05/2007 11:13:32   GE   1480   Sign of "Win32:Agent-GHL [Trj]" has been found in "C:\DOCUME~1\GE\LOCALS~1\Temp\AAWTMP\C2922546\4293937" file. 

If these are false-positives, I wish someone up high would sort them out. It's been going on for a month now. I know they've got more to do than this, and they're very busy, but.....

On the other hand, if they're not FP's, it would be nice to be told, because my system is riddled with the things!
I've been looking through the entire thread and found that AAWTMP is the temporary folder created by AdAware during a scan.  So this part of the mystery is solved.  Those detections were not files lurking on your computer - they were created by AdAware and immediately detected by avast!

DavidR (and others) always recommend stopping the avast! standard shield while scanning with somehing else, and this is why.

mauserme

  • Guest
Re: CCleaner Trojans
« Reply #100 on: May 28, 2007, 03:17:34 PM »
:'(

26/05/2007 12:28:54   GE   1480   Sign of "Win32:Agent-GXN [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat" file. 

CCleaner.
Part of IE7's antiphishing feature.  No worries here.

GrahamE

  • Guest
Re: CCleaner Trojans
« Reply #101 on: May 28, 2007, 03:35:04 PM »
DavidR (and others) always recommend stopping the avast! standard shield while scanning with somehing else, and this is why.

Yeah, I can understand that. I suppose that if I turned it off before using CCleaner, I wouldn't have the problems with that either. The only problem I see with that is - how far do you take it? If I turn Avast off completely, I'd never detect a virus, but...

I've been using Adaware since 2005, and it's never had this problem with Avast before. Similarly, I've had CCleaner on my system for ages. I've never turned Avast off before doing a scan with any other program, and there's never been a problem before now. If I go down the road of turning it off before doing certain things that have run simultaneously up until now, I'd just feel that I was hiding the problem, which should be fixed by updates to Avast. 

Part of IE7's antiphishing feature.  No worries here.

Basically, we're back to the same thing I guess - if Avast gets updated to stop these FP's... 8)

mauserme

  • Guest
Re: CCleaner Trojans
« Reply #102 on: May 28, 2007, 03:40:21 PM »
This is what I've got in the log viewer:
....
....

07/05/2007 00:25:26   GE   1484   Sign of "Win32:Agent-GKD [Trj]" has been found in "C:\WINDOWS\Internet Logs\VVVVVVVVV.VV.VV.VVV" file. 

This is the path for the Zone Alarm log files but the stucture of the file name is incorrect.

Take a look in the ZA logs and see if there is anything unusual.  The extension should be .tmp

mauserme

  • Guest
Re: CCleaner Trojans
« Reply #103 on: May 28, 2007, 03:45:21 PM »
Yeah, I can understand that. I suppose that if I turned it off before using CCleaner, I wouldn't have the problems with that either. The only problem I see with that is - how far do you take it? If I turn Avast off completely, I'd never detect a virus, but...
I know what you're saying.  And honestly I never turn off avast! before doing other scans either.

Right now I'm just trying to eliminate some of these detections as actual malware so we can concentrate on things that may have real significance.  Once we either find malware or eliminate all detections from consideration we'll try to figure out why the FPs started so suddenly.

GrahamE

  • Guest
Re: CCleaner Trojans
« Reply #104 on: May 28, 2007, 03:57:55 PM »
Take a look in the ZA logs and see if there is anything unusual.  The extension should be .tmp

Well, I've had a look, and I wouldn't know if there was anything unusual unless it was labled 'HELLO! I'm a VIRUS!!'  ;D

I'll post it if you want, but there's quite a lot of it. (If I do post it, I assume I won't be 'publishing' anything that could be used by iffy people? - and I really don't need comments about my surfing habits please  ;D -that isn't what I'm talking about!)