Infected cache files

First of all: hi to the whole forum!
I’m an avast user (a happy avast user!) of the Home free edition. I’m new here, and before beginning I want to give my congratulations to the avast staff, and to the users who make this forum a very good place for competence and courtesy!!
Please be patient with my English, which is not good… or terrible.

During the cleaning of the Mozilla internet cache with CCleaner (3,9 MB for a session of only 2 hours), avast stopped the operation 2 times, warning first for → Win32:Agent-GHL[Trj] and then for → Win32:Agent-GKD[Trj]. So I moved the 2 cache files to the chest. At first I thought it was a false positive, because I received no warning from avast while surfing. But afterwards, looking in my temp folder, there was a random.temp, and in normal mode I was not able to delete it, so I rebooted in safe mode and finally removed the random.temp file!
Today I performed:

  • Avast boot scan [nothing]
  • SpywareTerminator complete scan, safe mode [nothing]
  • SUPERAntiSpyware free, complete scan, safe mode [nothing]
  • A-squared, deep scan [nothing]
  • Spybot, safe mode, which detected an entry for Carima Enterprises in the Firefox (default) bookmarks…

I checked it, performed a new Spybot scan, and nothing resulted.
What may have happened? What do you think about it?

You’ve done the wiser and better thing.

What is your Standard Shield sensitivity?
If you right click the files in the Chest and scan them again, are they marked as infected?

Hi Tech,
Standard Shield sensitivity is high.
I just examined the file in the chest, and YES, avast says virus found. (I didn’t know about the option to scan a file in the chest, so thanks for letting me learn one more thing. Well, I have to say that apart from the avast false positive with notepad some months ago, which perhaps you remember, I have no experience of viruses 8))

Hmmm… Standard Shield at High should have scanned the files first… at least they’re in an archive file (.zip, .arj, etc.).

So is it also your opinion that what happened is strange?
I changed the sensitivity to high, I think, one month ago, and generally nothing changed; only 2 times did I receive a warning. One time it said that in “name site” there are traces of “name malware”; and another time, on a forum page, avast recognized an infected zip file that a user had to send to be examined or something similar, I don’t remember exactly now.
One question, perhaps stupid…!! Since the Avast chest is a protected and locked zone of the PC, I suppose it is not possible to submit the 2 files I have there, for example to VirusTotal, is that correct?

Strange? Yes. To be worried that much? Not really.

Yes. You can only submit them to VirusTotal if you right click them, extract them to a USB drive for instance, and submit to VirusTotal from there. Take care.

Well… I probably gave a wrong impression of the matter. As I hear, it is not a matter to be worried about. I’m not so worried, Tech :wink:, but (if and when possible) I like to understand, or try to! :slight_smile:

Hi,
I’m reopening this topic, with some updates.
More or less one month after my first post (28 April), I think that maybe there is a problem…

I saw in the forum that there was a “similar” problem posted by the user GrahamE, here → CCleaner Trojans. There the question was above all about temporary files, while for me it is about cache files.
One thing in common is that for me too the problems began on 27 April, like GrahamE.
But while for him the problems seem to be solved, for me they are not :frowning:

The matter is that from that day, many, many times (but not every time) when using CCleaner for cache, temporary files, etc., avast gives me alerts for various Trojans…
I regularly moved these files to the chest, and so now I have a big chest…!!

The system has been checked with many programs: those mentioned in my first post, plus F-Secure BlackLight and Gmer. And it was analyzed by Kaspersky online and Ewido online, so I think I may believe that the system is absolutely clean!!

Yesterday I checked all the files in the chest with avast another time, but only 3 of them changed status to “no virus”.
Some others changed name (example: Win32:Agent-GYJ → …-GXN), and for the others nothing changed (still recognized as trojans).
Well, then I tried a little test.
I browsed a little and then:
a) I checked the files in the cache folder separately (20, more or less) with the avast scan from the context menu
b) I checked the entire cache folder, again with ashquick
c) I opened avast and selected a custom scan of the cache folder (selecting “Standard” and after that “Thorough” sensitivity)
All OK for avast in all 3 checks!
Immediately afterwards I opened CCleaner and went for a cache cleaning, and avast warned of Win32:Agent-GYJ; …-GWD; …-GXN
??? :frowning: :frowning:
So, really a troublesome situation, especially if you clean very often like me!

Could avast please try to solve this situation?
Should I send the files in my chest to avast? Or should I wait until they ask me for them?

P.S. Sorry for such a long post, but I wanted to explain the situation as well as I can…

What were the full filenames of those files detected after opening CCleaner?

Well it’s nice to know I’m not alone in my surfing habits! 8)

Sadly, my problem hasn’t been resolved, since I’ve had 2 more occurrences since my last post. The second of these came when (having used CCleaner when I came offline previously), I opened Internet Explorer, my homepage (Google) came up, and I was called away and so logged off. On using CCleaner, Avast found (traces of) a virus in the temp internet files!

Since I, and other members of this Forum with far greater knowledge than mine, had pretty well decided that these were false-positives, and since it seemed to be using CCleaner that was causing the problem to some extent, I’ve set Internet Explorer to empty the temp internet files when the browser is closed. I’m still using CCleaner as well, but nothing has come up so far, after 2 days of doing this.

I’m assuming that if there really was a virus/Trojan, Avast would still detect it when Windows cleared the files (?)

If you are still detecting any strange behavior, or even if you’re sure you’re not clean, maybe it would be good to test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest AVG, Panda and/or F-Secure BlackLight.

Did any of us say so?

Hi Igor,
Here is an example:
Location file = C:\Documents and Settings\Gabri\Impostazioni locali\Dati Applicazioni\Mozilla\Firefox\profiles\xxxxxx.default\cache
Name = CACHE_003
All the files in the chest that I’m speaking about have the same “location”; only the “cache file name” changes.

For instance, just yesterday this file was named “Win32:Agent-GVO” by avast; then, after I checked it in the chest (as I said in the post above), the definition changed to “Win32:Agent-GTZ”.
I would also remind you that 3 files changed to “no virus” after yesterday’s check.

Thanks for your reply. For any question, here I am!

EDIT
Mmh… :-X… sorry Igor, but I realized late that you were asking me about yesterday’s 3 files, after “the little test”.
CACHE_003 → Win32:Agent-GWD
CACHE_MAP → " -GXN
2C66457Dd01 → " -GYJ

Hi Tech, I’ve gone back to my own thread (http://forum.avast.com/index.php?topic=28377.30) to reply to you, as it didn’t seem fair to take over Gabriele 08’s thread. I’d be grateful if you’d go there and have a look. Thank you.

What version of CCleaner do each of you have?

Hi mauserme,
CCleaner’s version is 1.40.520 (latest). Last month, at the beginning of the story, it was 1.39.502

Yeah, same with me. The problem has shown with both versions.

I’ve gone there but I can’t find what your actual problem is… I thought it was solved…

Well, I thought it was as well, that between you and mauserme it had been pretty well decided that I was okay, and that they were just FP’s, but…

From this I took it that you didn’t think that the problem was resolved.

Sorry if you think I’ve been wasting people’s time on this - I get confused quite easily nowadays.

Indeed… to be sure you’re clean, you need to run more than just one anti-malware tool. No software is perfect, neither as regards false positives nor missed detections. So, that was my advice.

I never think you’re wasting our (or anybody else’s) time. Maybe just misunderstandings on my side.
It’s all right; if we raise doubts we must solve them.

So, after all, why don’t you run other security scans and post the results? :wink:

2Gabriele

Just for the heck of it why don’t you post a HijackThis log. I’m not really expecting to find anything but it can’t hurt to check:

Click here to download HJTsetup.exe

  • Save HJTsetup.exe to your desktop.
  • Double-click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.