Trojan found in avast clnr0.dll

Hi ppl!

I run Avast as my standard virus scanner, but once in a while I do a full scan with Avira:free.
Avira found a trojan “Gorshok.A” in the file “clnr0.dll” in my Avast folder. Avast doesn’t detect it.
I couldn’t find anything about this one either here or on Google.
Can anyone give me any info about this one, whether it’s a legitimate threat or a false positive?
Any help is appreciated, and thanks!
Greetings

Of course avast! doesn’t detect it - it’s one of avast!'s own files.
So, it’s a false positive from Avira.

Why do you say it’s a false positive? Just because avast! doesn’t pick up the trojan doesn’t automatically mean there is no trojan.

I have the same problem as cybersurfer. When I run Avast it says the system is clean but I also did an online scan today using Kaspersky’s online scanner and it detected the following:
C:\Program Files\Alwil Software\Avast4\DATA\clnr0.dll Infected: Trojan.Win32.Gorshok.a

We can’t simply assume it’s a false positive just because Avast doesn’t pick it up. It is after all an Avast file that was infected.

I also Googled that trojan but didn’t have any luck getting sufficient info.
How do I remove the Trojan.Win32.Gorshok.a virus?
Where can I get info on this specific Trojan?
(I obviously don’t want to permanently remove the Avast! software from my computer because it is my primary anti-virus software)

Read again what I wrote, please.
This file is part of avast! - so I know it’s not a trojan.

Sorry, there’s a misunderstanding here. I’m not saying the clnr0.dll file is a trojan. I know clnr0.dll is an avast file because I read your reply. I’m saying the file appears to be infected by a trojan. Can’t a normal .dll file be infected by a trojan? Or is a trojan always a separate file on its own? (I don’t know how Trojans work, that’s why I ask)

all unauthorised modifications of this file are watched by setup afaik…

I’m not sure; if that file were tampered with, it might well report unauthorised modification.

You could also check the suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here.

A trojan generally doesn’t infect other files, that is done by a virus, etc. and a trojan file is usually completely malicious, not a legit file with a small piece of code inserted into it.

Thanks for the link David. I uploaded the avast file clnr0.dll to VirusTotal; see results below. As you can see, 3 detections for Trojan.Win32.Gorshok.a :frowning:
Maybe this is a brand new trojan so the others can’t check for it yet? What do I do?

Can you perhaps upload your own clnr0.dll file to VirusTotal to see if you get the same results? Maybe if you get it too, and you know your system is clean, we can confirm that these are false positives indeed?

File clnr0.dll received on 12.18.2007 15:46:46 (CET)
Current status: Finished
Result: 3/32 (9.38%)

Antivirus Version Last Update Result
AhnLab-V3 2007.12.18.11 2007.12.18 -
AntiVir 7.6.0.45 2007.12.18 TR/Gorshok.A
Authentium 4.93.8 2007.12.18 -
Avast 4.7.1098.0 2007.12.17 -
AVG 7.5.0.503 2007.12.17 -
BitDefender 7.2 2007.12.18 -
CAT-QuickHeal 9.00 2007.12.17 -
ClamAV 0.91.2 2007.12.18 -
DrWeb 4.44.0.09170 2007.12.18 -
eSafe 7.0.15.0 2007.12.17 -
eTrust-Vet 31.3.5385 2007.12.18 -
Ewido 4.0 2007.12.18 -
FileAdvisor 1 2007.12.18 -
Fortinet 3.14.0.0 2007.12.18 -
F-Prot 4.4.2.54 2007.12.18 -
F-Secure 6.70.13030.0 2007.12.18 -
Ikarus T3.1.1.15 2007.12.18 -
Kaspersky 7.0.0.125 2007.12.18 Trojan.Win32.Gorshok.a
McAfee 5187 2007.12.17 -
Microsoft 1.3109 2007.12.18 -
NOD32v2 2730 2007.12.18 -
Norman 5.80.02 2007.12.17 -
Panda 9.0.0.4 2007.12.18 -
Prevx1 V2 2007.12.18 -
Rising 20.23.12.00 2007.12.18 -
Sophos 4.24.0 2007.12.18 -
Sunbelt 2.2.907.0 2007.12.18 -
Symantec 10 2007.12.18 -
TheHacker 6.2.9.162 2007.12.17 -
VBA32 3.12.2.5 2007.12.17 -
VirusBuster 4.3.26:9 2007.12.17 -
Webwasher-Gateway 6.6.2 2007.12.18 Trojan.Gorshok.A

Additional information
File size: 391216 bytes
MD5: 2846c04a98727a06e792fb26abc50916
SHA1: 293483aff50ec74e22450c46c6929b2d0ad2a8b4
PEiD: -

First, thanks to everyone who’s helping out, I know everyone’s busy before Xmas :wink:
I did an online scan on the above-mentioned site, here are the results:
Since there are only 3 programs finding anything in this file, I thought that I would assume it’s safe for now and just continue watching it, but as Globetrotter thinks it might be a new trojan, I am not so sure anymore…
If anyone finds anything else I will be grateful for any info!
Thanks again, greets cybersurfer

File clnr0.dll received on 12.18.2007 15:53:40 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.12.18.11 2007.12.18 -
AntiVir 7.6.0.45 2007.12.18 TR/Gorshok.A
Authentium 4.93.8 2007.12.18 -
Avast 4.7.1098.0 2007.12.17 -
AVG 7.5.0.503 2007.12.17 -
BitDefender 7.2 2007.12.18 -
CAT-QuickHeal 9.00 2007.12.17 -
ClamAV 0.91.2 2007.12.18 -
DrWeb 4.44.0.09170 2007.12.18 -
eSafe 7.0.15.0 2007.12.17 -
eTrust-Vet 31.3.5385 2007.12.18 -
Ewido 4.0 2007.12.18 -
FileAdvisor 1 2007.12.18 -
Fortinet 3.14.0.0 2007.12.18 -
F-Prot 4.4.2.54 2007.12.18 -
F-Secure 6.70.13030.0 2007.12.18 -
Ikarus T3.1.1.15 2007.12.18 -
Kaspersky 7.0.0.125 2007.12.18 Trojan.Win32.Gorshok.a
McAfee 5187 2007.12.17 -
Microsoft 1.3109 2007.12.18 -
NOD32v2 2730 2007.12.18 -
Norman 5.80.02 2007.12.17 -
Panda 9.0.0.4 2007.12.18 -
Prevx1 V2 2007.12.18 -
Rising 20.23.12.00 2007.12.18 -
Sophos 4.24.0 2007.12.18 -
Sunbelt 2.2.907.0 2007.12.18 -
Symantec 10 2007.12.18 -
TheHacker 6.2.9.162 2007.12.17 -
VBA32 3.12.2.5 2007.12.17 -
VirusBuster 4.3.26:9 2007.12.17 -
Webwasher-Gateway 6.6.2 2007.12.18 Trojan.Gorshok.A

Additional information
File size: 391216 bytes
MD5: 2846c04a98727a06e792fb26abc50916
SHA1: 293483aff50ec74e22450c46c6929b2d0ad2a8b4

Well if it is any help the file size, MD5 and SHA1 on my file are identical. So I do think it is an FP by the three as I know for a fact mine isn’t infected, as no globe-trotting or visits to suspect sites.

File Size - 382 KB (391,216 bytes)
MD5 - 2846c04a98727a06e792fb26abc50916
SHA1 - 293483aff50ec74e22450c46c6929b2d0ad2a8b4
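The two checks the posters are doing by hand, as an added Python example that is not part of the original thread: it parses VirusTotal rows copied from the report above to see whether the three hits are really one detection family, and fingerprints a local file for comparison with the size, MD5 and SHA1 quoted in the posts. The function names and the list of generic name tokens in `family()` are assumptions made for illustration.

```python
import hashlib
import re

# Rows copied from the VirusTotal report posted in this thread (subset).
REPORT = """\
AntiVir 7.6.0.45 2007.12.18 TR/Gorshok.A
Avast 4.7.1098.0 2007.12.17 -
ClamAV 0.91.2 2007.12.18 -
Kaspersky 7.0.0.125 2007.12.18 Trojan.Win32.Gorshok.a
Prevx1 V2 2007.12.18 -
Webwasher-Gateway 6.6.2 2007.12.18 Trojan.Gorshok.A
"""
# Size, MD5 and SHA1 that three posters reported for their own copies.
REF = (391216, "2846c04a98727a06e792fb26abc50916",
       "293483aff50ec74e22450c46c6929b2d0ad2a8b4")

def parse_report(text):
    """Map engine -> detection name, or None when the result column is '-'."""
    out = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:  # engine, version, last update, result
            out[fields[0]] = None if fields[-1] == "-" else fields[-1]
    return out

def family(name):
    """Reduce a vendor detection name to its family token (heuristic)."""
    generic = {"tr", "trojan", "win32"}  # assumed type/platform prefixes
    tokens = [t.lower() for t in re.split(r"[./]", name)]
    kept = [t for t in tokens if t not in generic and len(t) > 1]
    return kept[0] if kept else name.lower()

def families(report):
    """Distinct families among the engines that flagged the file."""
    return {family(d) for d in report.values() if d}

def fingerprint(path):
    """Return (size, md5, sha1) of a file, read in chunks."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            size += len(chunk)
            md5.update(chunk)
            sha1.update(chunk)
    return size, md5.hexdigest(), sha1.hexdigest()

def matches_reference(path, ref=REF):
    """True when the local file has the size and hashes quoted in the thread."""
    return fingerprint(path) == ref
```

A single family across all flagging engines plus a fingerprint that matches other users' copies means every machine is holding the same bytes, so the question becomes whether that one file is misdetected rather than whether one PC was modified.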

Kaspersky is picking it up on a few of my PCs as well, but I do think it is a false positive, as a few of my PCs haven’t been used at all since I last scanned them with Kaspersky, so there is no way they could have got infected.


Really, guys, since this dll is part of the cleaner (clnr) don’t you think it is there for detection of such?


Well, I’m 99.9% sure it is an FP now anyway: I just wiped one of my PCs, did a fresh install of XP, installed Avast, and Kaspersky still found it.

EDIT.

Looks like it was an FP; Kaspersky no longer detects it in that file.

If Kaspersky still detects it after a clean install, then it’s clearly a false positive. But if Kaspersky no longer detects it, as you said above, then the infection was simply removed by the clean install? I’m confused. :slight_smile:

Yesterday it still detected it on a clean install; today I have scanned both computers and it doesn’t find it on the new install PC or the old install PC.

So it was clearly an FP, and since yesterday Kaspersky have updated their definitions to sort the problem out.

OK cool, thanks for the feedback.

Is clnr0.dll supposed to recreate itself after deletion?

Same thing happened to me when using Antivir as a second scanner and I deleted it before realising that it was an Avast file. clnr0.dll reappeared again after I rebooted my laptop.

It has the same MD5 number as the original poster.

avast has an integrity checker so I’m not sure if that particular file is included but it would seem so.

If you are still using antivir as a second scanner, there could be conflict as it too is a resident scanner unless you hack it about so it isn’t resident.

Yes, clnr0.dll is extracted from the VPS file on every start (maybe even after every VPS update).