Win32:Agent-HAI[Trj] in “C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\profiles\occw7uxq.default\cache_CACHE_002_” file.
This trojan has been detected on my computer over the last three days.
First, when avast detects it, it should give you options: move to chest, etc.
However it is a little strange as it is pointing to a cache rather than a file. This may be to do with how firefox caches files, it doesn’t use extensions (see image1) and the cache is a weird collection of information (see image2). I believe it could just be a false detection where a virus signature happens to match a string of text/characters in the cache.
It still needs to be dealt with and by far the easiest is to clear the cache in firefox.
Hi David,
When you say “clear the cache in firefox”… do you mean: Firefox, Tools > Options > Privacy tab > under Private Data, click the Clear Now option?
I have gone that way just now. And performed the above actions.
Is there another way to clear the cache in Firefox?
Regards,
Winxp
Hi essexboy,
How do I go about uninstalling all the old versions of Java and updating to the new one?
What is the procedure for doing this?
Could you give directions.
Regards
Winxp
That is correct, the only quicker way is by installing a tool to clear temporary files, browser cache, cookies, etc. or you could just delete them in explorer (assuming you can find where they are stored).
This is one of the trojans found by Avast when CCleaner is running - see the thread below.
Win32:Agent-HAI [Trj] is the last of a number of trojans picked up by Avast when CCleaner is overwriting. The others were false positives, but this is still being detected.
I have just had a brief look into the (long) thread cited above.
I also use Crap Cleaner and Lavasoft Ad-Aware SE Personal.
I think that use of these tools (Crap Cleaner and Lavasoft Ad-Aware SE Personal) in conjunction with Avast may somehow possibly be related to this trojan virus problem.
I am not an expert.
The same virus popped up again yesterday and is recorded on the Avast Log Viewer under Warning tab as:
Win32:Agent-HAI[Trj] in “C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\profiles\occw7uxq.default\cache\25A17607d01” file.
I do run the Crap Cleaner and Lavasoft Ad-Aware regularly.
Whether these systems were running when Avast detected the virus I am not 100% certain. I think it may be probable.
The next time I run Crap Cleaner / Lavasoft Ad-Aware, I will check the Avast Log Viewer for signs of the trojan, to determine a possible link.
This matter is an ongoing issue; however, my computer and operating system appear to be functioning perfectly, and most importantly, Avast is effectively filtering the trojan (if in fact it is a trojan horse virus, and not some other issue?).
If you loaded up the file that is flagged by avast to jotti or virustotal what are the results there.
Curious to know if avast is the only one that flags this file as problematic; in that case an FP is obvious. If more AV products flag it, there is more to it. Could you report here, please?
Can you check to see if CCleaner is set to run on start up? You go to options and settings.
Reading your reply, it seems that you were not using CCleaner when it was detected. All of us who had this trojan on the CCleaner thread were in the process of deleting files using CCleaner when Avast made the detection. I’ve not had an instance of detection under other circumstances. You would be running CCleaner at the time, that is why I am wondering if you have it set to run at start and Avast has detected it that way?
Dangerman,
You are correct.
A check of Crap Cleaner>Options>Settings, indicates that it is set to run at start up.
All the following tasks are ticked to run…
Run CCleaner when the computer starts
Add “Run CCleaner” option to Recycle Bin context menu
Add “Open CCleaner…” option to Recycle Bin context menu
Automatically check for updates to CCleaner
Secure File Deletion
DOD 5220.22-M (3 passes)
Hi polonus,
I located the virustotal tool website on the internet.
The site asks to upload the file.
Using the virustotal browse function I made my way through to the Avast4 folder, where I located a lot of displayed sub-folders.
My question is: which is the correct folder/file to upload?
I require the sub-folder name so that I can upload it for scanning.
Could you point it out.
(I am assuming the ‘flagged’ file is contained somewhere within the Avast4 folder.)
I would suggest that you untick the run CCleaner at start up option (at least for now). This should result in Avast only detecting Win32:Agent-HAI[Trj] when you are deleting the Firefox cache using the manual option. It is important to note that HAI, like the other false positives mentioned in the CCleaner thread above, is not detected every time you run the cleaner.
I would also suggest you email Avast the trojan from the chest. I have done this, as have others, but so far this remains unanswered. If enough users contact them maybe they will be able to confirm it is a false positive?
As this trojan is showing the same behaviour as the “G” series mentioned in the CCleaner thread, I am reasonably certain that this is a false positive that is just waiting to be identified as such.
@ Winxp
If the trojan is in the chest, you can’t upload it to the multi-engine scanners of virustotal or Jotti as the avast chest is a protected area. The file has to be exported (copied) not Restored, to a temporary folder outside the avast chest.
The actual location is at C:\Program Files\Alwil Software\Avast4\DATA\chest assuming you installed avast in the default location, but as I said you can’t do anything with the files inside the chest, that is its whole purpose.
DavidR: The file has to be exported (copied) not Restored, to a temporary folder outside the avast chest.
Opened avast! Log Viewer > Warning section > right click on sign of Win32:Agent-HAI… > File > Export Current List > select File name for exported data (named file “scanwin32”) > saved in My Documents folder > then uploaded file to virustotal for scanning, and received the following result, which I have copied and pasted below:
File scanwin32.txt received on 07.26.2007 01:39:11 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.7.26.0 2007.07.25 no virus found
AntiVir 7.4.0.50 2007.07.25 no virus found
Authentium 4.93.8 2007.07.25 no virus found
Avast 4.7.997.0 2007.07.26 no virus found
AVG 7.5.0.476 2007.07.25 no virus found
BitDefender 7.2 2007.07.25 no virus found
CAT-QuickHeal 9.00 2007.07.25 no virus found
ClamAV 0.91 2007.07.26 no virus found
DrWeb 4.33 2007.07.26 no virus found
eSafe 7.0.15.0 2007.07.24 no virus found
eTrust-Vet 31.1.5004 2007.07.25 no virus found
Ewido 4.0 2007.07.25 no virus found
FileAdvisor 1 2007.07.26 no virus found
Fortinet 2.91.0.0 2007.07.25 no virus found
F-Prot 4.3.2.48 2007.07.25 no virus found
F-Secure 6.70.13030.0 2007.07.25 no virus found
Ikarus T3.1.1.8 2007.07.25 no virus found
Kaspersky 4.0.2.24 2007.07.26 no virus found
McAfee 5082 2007.07.25 no virus found
Microsoft 1.2704 2007.07.25 no virus found
NOD32v2 2421 2007.07.26 no virus found
Norman 5.80.02 2007.07.25 no virus found
Panda 9.0.0.4 2007.07.24 no virus found
Sophos 4.19.0 2007.07.17 no virus found
Sunbelt 2.2.907.0 2007.07.26 no virus found
Symantec 10 2007.07.26 no virus found
TheHacker 6.1.7.153 2007.07.25 no virus found
VBA32 3.12.2.1 2007.07.24 no virus found
VirusBuster 4.3.26:9 2007.07.25 no virus found
Webwasher-Gateway 6.0.1 2007.07.25 no virus found
Additional information
File size: 217 bytes
MD5: bfa0f4311a2640dc5e3c864ba07222e6
SHA1: e451b614390eb03e90fcef3555763dcfbd277906
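Added example (my own code, not Winxp's submission or anything from the thread): a Python script that parses a result list in the same layout as the report pasted above, counts how many engines returned a verdict, and fingerprints the bytes actually submitted so their size and MD5 can be compared with the report's “Additional information” block. The report lines below are constructed, including the one engine shown flagging the file; the function names are my own. The point it illustrates is the one the thread makes: a lone detection across many engines is the false-positive pattern, and a 0-byte or unexpectedly small submission means the wrong file (or a copy taken from the chest) was scanned.

```python
import hashlib
import re

# Constructed sample in the same "Antivirus Version Last-Update Result" layout
# as the multi-engine report pasted in the thread. The single flagging engine
# is made up here to show how a lone detection is counted.
SAMPLE_REPORT = """\
Antivirus Version Last Update Result
AhnLab-V3 2007.7.26.0 2007.07.25 no virus found
Avast 4.7.997.0 2007.07.26 Win32:Agent-HAI
ClamAV 0.91 2007.07.26 no virus found
VirusBuster 4.3.26:9 2007.07.25 no virus found
Webwasher-Gateway 6.0.1 2007.07.25 no virus found
"""

# engine name, engine version, signature date (YYYY.MM.DD), then the verdict text
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+?)\s*$")


def parse_report(text):
    """Return one dict per engine row; the header and unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            engine, version, updated, result = m.groups()
            rows.append({"engine": engine, "version": version,
                         "updated": updated, "result": result})
    return rows


def summarize(rows):
    """Count engines whose verdict is anything other than 'no virus found'."""
    flagged = {r["engine"]: r["result"] for r in rows
               if r["result"].lower() != "no virus found"}
    return {"engines": len(rows),
            "detections": len(flagged),
            "flagged": flagged,
            # one engine out of many is the pattern the thread treats as an obvious FP
            "lone_detection": len(flagged) == 1 and len(rows) > 1}


def fingerprint(data):
    """Size, MD5 and SHA1 of the bytes submitted, for comparison with the report."""
    return {"size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def submission_checks(data, reported_size=None, reported_md5=None):
    """Warnings a submitter should resolve before trusting a scan result."""
    fp = fingerprint(data)
    warnings = []
    if fp["size"] == 0:
        warnings.append("0-byte file: the copy was probably taken from the chest, not exported")
    if reported_size is not None and reported_size != fp["size"]:
        warnings.append(f"size mismatch: local {fp['size']} vs reported {reported_size}")
    if reported_md5 is not None and reported_md5.lower() != fp["md5"]:
        warnings.append("MD5 mismatch: the scanned file is not the one you meant to submit")
    return warnings


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    print(summarize(rows))
    # constructed bytes standing in for the exported file
    sample = b"not a real cache entry, constructed for the example\n"
    print(fingerprint(sample))
    print(submission_checks(b"", reported_size=217))
```

Run the fingerprint on the file before uploading and again on whatever the scanner reports back: if the local size is 0 or the MD5 differs from the one in the result page, the verdict says nothing about the file that was actually flagged.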
Whilst it looks strange (see below) that even avast doesn’t detect it in virustotal, VT is frequently behind in the VPS version they use, but it certainly looks like a false positive. There have also been some VPS updates that might have corrected the FP, so I would suggest you ensure you have the latest VPS and scan the file inside the chest (right click on it and select scan); you should submit to avast after checking if it is still detected as infected.
Since a copy exists in the chest, right click on it and select email to Alwil Software, enter a little information in the text window (at minimum “False Positive” and a link to this topic), and don’t change the default IMAP send method.
I would say you did it right.
If you try to send it from the chest you end up thinking it has been uploaded but you would see a file size of 0 bytes (this is usually an indication of trying to upload from the chest). Since you exported to my documents folder, provided it wasn’t reported as a 0 byte file size it should be OK.
It is also strange that a .txt file would be flagged as infected, especially as something like the Win32:Agent-HAI trojan; this would have made me suspicious of a possible FP in the first place.
Based on experience of these trojans as reported in the CCleaner trojans thread, I don’t find this strange as Avast has never detected any of them other than when running CCleaner, deleting files. This is why I asked Winxp to check that he had CCleaner on at start up, as I think in that case CCleaner was probably running in the background when Avast detected HAI.
As can be seen from Winxp’s return, nothing else detects these trojans, again this was the experience with the “G” series reported on the other thread. This is either one very clever stealth trojan, which basically doesn’t do anything when on your PC, or it is a false positive. Now, I doubt that anyone up to no good would go to all that trouble to produce a trojan that no one can detect other than when a specific application is running and then do nothing with it. ???
The latest Avast updates have not resolved the situation; HAI was detected when I ran CCleaner last night (UK time). The others were eventually declared FPs, and so should this one, but as it is taking some time perhaps Avast just haven’t got around to it? It can be frustrating though.
Everyone keeps saying avast made detections; I only wish they would give the details (file name, location and malware name), then we might see some patterns.
More importantly, submit the file to virustotal and then send to avast if confirmed a false positive, the more people that submit the FP the greater the likelihood of it being resolved.
The VPS Updates won’t be changed unless samples are submitted for analysis. Only yesterday there were two topics about iFrame Exploits in paypal redirects, I confirmed the detections and I believed them to be false positives. I sent an email to virus (at) avast.com giving a brief description, the offending URLs, links to the two forum topics and obviously I couldn’t submit a file.
That email was sent on 25/7/2007 at 20:09 UK local time and I was surprised by a reply to my submission confirming it was an FP on 26/7/2007 at 00:46 (just under 5 hours) stating it would be fixed on VPS 0760-3 which it was.
So there are occasions that the action is extremely quick as in this case, but the more people that submit an FP the more likely that it will be resolved.
Perhaps they only reply when they can confirm the FP? I’ve never got a reply regarding Win32:Agent-HAI [Trj]. I’ll just have to keep on sending it, as should everyone else who is getting it.