Likely false positive - F-Secure AV 2007 and CCleaner

Discussion in 'other anti-virus software' started by optigrab, Oct 25, 2006.

Thread Status:
Not open for further replies.
  1. optigrab

    optigrab Registered Member

    Joined:
    Nov 6, 2002
    Posts:
    624
    Location:
    Brooklyn/NYC USA
    Installing the latest version of CCleaner (v1.34.407), F-Secure warned of Win32.Trojandownloader.Zlob in a Temp folder.

    After aborting the install, F-Secure cannot clean or quarantine the file, because it's no longer there. I'm pretty certain this is a false positive.

    I've managed to grab and zip the file, and have submitted the sample to F-Secure.

    Just wanted to give a heads-up to my Wilders peers.
     


  2. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    it won't be a temp from your cc... but it will be just in your temp.

    the temp file containing the virus is definitely NOT from ccleaner.

    you're lucky f-secure has found it, so no need to send it to them for analysis.
     
  3. optigrab

    optigrab Registered Member

    Joined:
    Nov 6, 2002
    Posts:
    624
    Location:
    Brooklyn/NYC USA
    Please convince me this file (actually, it's a folder called nsk2d82.tmp) is NOT related to the CCleaner install, because I'm still pretty confident it is.

    (1) I can make the shown F-Secure warning pop up by double-clicking the CCleaner install executable. I've done it half a dozen times now.

    (2) nsk2d82.tmp only appears when I run the CCleaner install, and disappears when I abort the install.

    (3) F-Secure was unable to quarantine the file, yet after the install, a full F-Secure scan shows my machine is clean.
     
  4. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Hi,

    I don't have F-Secure, but I know that it's a known issue.
    See for example the main site of CCleaner:
    http://www.ccleaner.com/

    There was also a discussion about it at CCleaner-forum.

    And going off-topic now:
    Recently TrojanHunter gave a FP about CCleaner-slim.
    But that one was very quickly fixed.
    See the TH-forum:
    http://www.misec.net/forum/board/TrojanHunter/1161628828
     
  5. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    my f-secure didn't detect it... so i figured it was something else in the temp. :eek:

    if it is a false positive and ccleaner already knows about it, feel free to send to f-secure for testing. :D
     
  6. optigrab

    optigrab Registered Member

    Joined:
    Nov 6, 2002
    Posts:
    624
    Location:
    Brooklyn/NYC USA
    Thanks to both of you for the information. It is puzzling that C.S.J's F-Secure didn't detect it.

    I've already submitted the FP report, but I see now I didn't need to go through the trouble.
     
  7. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Hi,

    Something similar (well, more or less...) happened with TH.
    Some folks got it detected in normal mode; others in safe mode.
    It was indeed also about a Zlob detection.
    But it's clean. If you want second opinions, have it checked, for example, at the KAV and DR.WEB online file-scanners.
    And my BOClean and NOD32 didn't give a warning about it.
     
  8. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006

    i don't know why i missed this post, but when i install avg antispyware something happens direct from grisoft.com, so there's just quite a few fp's atm. same trojan fp as well.
     
  9. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    I am using CCleaner and F-Secure AV. There have been no problems, but I seem to recall that CCleaner and some AVs do conflict. I think there was a conflict in the past with KAV, but I also have that combination on a computer with no problems.

    Jerry
     