May I come in to this topic.
I run win7 64 ultimate and I got the following message from ESET Internet Security a little while ago (see attachment).
Any ideas ?
9 hours ago, sotiris said:
> I run win7 64 ultimate and I got the following message from ESET Internet Security a little while ago (see attachment).
@sotiris: AV engines often copy each other's homework so it is quite possible that is related. Looks like that was from the original release though (judging by the age 1 week part). What happens when you try the new repack build https://download.ccleaner.com/ccsetup569.exe ?
Just tested it. It is still rejecting it as PUA.
32 minutes ago, sotiris said:
> Just tested it. It is still rejecting it as PUA.
Windows Defender has some false positive issues lately, for instance it will detect a custom HOSTS file that's clean as a hijack.
Not talking about Windows Defender. Using ESET.
This was originally posted in a thread about Windows Defender - I've split it, and the relevant replies out into its own ESET thread.
I'd tell ESET to 'Ignore' it for now, and be careful with ESET settings: Untick 'Copy to Quarantine' and tick both 'Exclude from detections'.
Another user reports that ESET removed all his Piriform apps:
21 hours ago, sotiris said:
> I run win7 64 ultimate and I got the following message from ESET Internet Security a little while ago (see attachment)....Any ideas ?
Hi sotiris:
See the FileInfo description of .PART files at https://fileinfo.com/extension/part, which states "A PART file is a partially downloaded file from the Internet used for downloads that are in progress or have been stopped. Some PART files can be resumed at a later time using the same program that started the download. PART files are typically used by Mozilla Firefox...".
Just a guess, but that .exe.part file extension could indicate that Firefox was interrupted while downloading the CCleaner installer, and now ESET doesn't recognize the partial file that was saved in AppData\Local\Temp (i.e., the SHA-256 hash of the partial file doesn't match the expected SHA-256 hash of the full installer). If you use CCleaner or Windows Disk Cleanup to clear the temporary system files on your hard drive that partial file (and the ESET detection) might simply disappear. If not, click the blue CLEAN button shown <here> in your image of the ESET detection (or try clearing your Firefox Browsing & Download history - press Ctrl-Shift-Delete while Firefox is open) and that should remove that partial file from your hard drive.
-------------
64-bit Win 10 Pro v1909 build 18363.900 * Windows Defender v4.18.2006.10 * Firefox ESR v68.11.0 * CCleaner Free Portable v5.69.7865
Hi lmacri,
This time I downloaded the ccleaner exe file using Chrome (which doesn't use .part files) and ESET did not react at all when I checked it.
Not sure if the ccleaner authors have taken any action on their exe file, or it was a .part issue.
Thanks anyway,
Sotiris.
Good spot on the filename @lmacri.
That also seems an odd location to be downloading .exe files to. (But I guess some browsers may put '.part' files there?)
Just what 'WQchxgI+.exe' is I don't know, and can't find anything on Google.
So why ESET thinks that file is CCleaner is also an odd one?
An in-progress CCleaner installer download would be called 'ccsetup569.exe.part'.
File Explorer shows it like this while it is downloading to your Downloads folder (this is a download from Firefox):
Once the download is completed the '.part' file disappears and 'ccsetup.exe' will show the full filesize. (26,320 KB for ccsetup569.exe).
PS. I'd still be careful at the moment with ESET and CCleaner or other already installed Piriform apps, as seen from my link above ESET may remove them unless you have made them exceptions.
2 hours ago, nukecad said:
> ...That also seems an odd location to be downloading .exe files to. (But I guess some browsers may put '.part' files there?) Just what 'WQchxgI+.exe' is I don't know, and can't find anything on google. So why ESET thinks that file is CCleaner is also an odd one?
>
> An in-progress CCleaner installer download would be called 'ccsetup569.exe.part'...
Hi nukecad:
I have no idea, but the File.org article at https://file.org/extension/part states:
> ...Certain download managers will break large downloads up into smaller downloads, giving each portion of the download the .part extension. The download manager will then combine all of the .part files into the complete file after the download has finished. At this time, the combined .part files will be renamed with the proper file extension...
Perhaps the CCleaner installer OP sotiris downloaded was bundled with bloatware (e.g., Avast Free Antivirus, Chrome browser, etc) that triggered Firefox to break the download into multiple .part files with seemingly random filenames before the partial downloads were recombined. Perhaps ESET threw a false positive detection because the ESET virus definition set was out of date and hadn't whitelisted the CCleaner installer yet (OP sotiris notes they saw that detection "a while ago" and the image <here> shows the Reputation was "Discovered 1 week ago").
It's even possible OP sotiris downloaded the CCleaner installer from a third-party download site (e.g., CNET's download.com) that bundled the installer with suspicious software. See bjm_'s example in the Norton thread False Norton "Threat" PUA.Drivereasy Uninstalls Legitimate Windows Program !! where a DriverEasy installer downloaded directly from the DriverEasy site was not flagged as a PUA. However, the DriverEasy installer downloaded from a third-party download site (the download link in that thread was removed by a Norton Forum Mod as being potentially dangerous) had one of these odd file names (qfflb92n.exe.part) and SHA-2 hash that did not match the "safe" installer and was flagged as a PUA.
This is all speculation on my part, and why Firefox would begin the download of a CCleaner installer into a folder called C:\Users\User\AppData\Local\Temp (I also thought that path looked odd - I don't have a C:\Users\User folder on my own machine, hidden or otherwise) and assign that odd WQchxgI name to the partial .exe.part file will probably remain a mystery unless the OP sotiris can recreate that PUA detection with a fresh download.
-------------
64-bit Win 10 Pro v1909 build 18363.900 * Windows Defender v4.18.2006.10 * Firefox ESR v68.11.0 * CCleaner Free Portable v5.69.7865
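The check that the posts above point toward, as an added example that is not part of the original thread: a Python sketch that tests whether a leftover `.part` file is simply a truncated copy of a complete installer, by hashing the same number of leading bytes from both files. The function names and sample bytes are constructed for illustration; only the file names come from the thread.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_prefix(path, length):
    """SHA-256 of the first `length` bytes of `path`."""
    digest, remaining = hashlib.sha256(), length
    with open(path, "rb") as fh:
        while remaining > 0:
            block = fh.read(min(65536, remaining))
            if not block:
                break
            digest.update(block)
            remaining -= len(block)
    return digest.hexdigest()

def classify_part_file(part_path, reference_path):
    """Compare a leftover .part file with a complete reference installer."""
    part_size = Path(part_path).stat().st_size
    ref_size = Path(reference_path).stat().st_size
    with open(part_path, "rb") as fh:
        looks_like_pe = fh.read(2) == b"MZ"  # Windows executables start with "MZ"
    part_hash = sha256_prefix(part_path, part_size)
    if part_size == 0:
        verdict = "empty"
    elif part_size > ref_size or part_hash != sha256_prefix(reference_path, part_size):
        verdict = "different-file"  # not a prefix of the reference installer
    elif part_size == ref_size:
        verdict = "complete-copy"
    else:
        verdict = "truncated-copy"  # interrupted download of the same file
    return {"verdict": verdict, "size": part_size,
            "looks_like_pe": looks_like_pe, "sha256": part_hash}

def triage_directory(directory, reference_path):
    """Classify every *.part file found directly inside `directory`."""
    return {p.name: classify_part_file(p, reference_path)
            for p in sorted(Path(directory).glob("*.part"))}

def demo():
    # Constructed stand-in bytes, not a real installer; file names are from the thread.
    installer = b"MZ" + bytes(range(256)) * 400
    with tempfile.TemporaryDirectory() as tmp:
        ref = Path(tmp) / "ccsetup569.exe"
        ref.write_bytes(installer)
        (Path(tmp) / "WQchxgI+.exe.part").write_bytes(installer[:30000])
        (Path(tmp) / "unrelated.exe.part").write_bytes(b"MZ" + b"\x00" * 5000)
        return {n: r["verdict"] for n, r in triage_directory(tmp, ref).items()}

if __name__ == "__main__":
    print(demo())
```

A `truncated-copy` verdict only shows that the flagged file is an unfinished download of the reference installer; the reference itself still has to be checked against the vendor's published hash or signature.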
Yes it's all a bit odd.
PS. I've just been fixing up a laptop for a friend and after reinstalling Windows set the user account name to 'User' so they could change it to what they want later.
So for now that one does have "C:\Users\User\....." as a valid pathname.