win32.trojandownloader.Zlob

To try and sort this out I have e-mailed f-secure.

It may be of interest for people to read this thread particularly the Sept 13 entries near the bottom

http://portableapps.com/node/2939

Thank you for your response. It is interesting to me that several days ago I loaded AVG. It started to corrupt my OS. Once stopped it was easy to remove. I do not believe that this is coincidence. I have seen the same thing happen with freeware downloads spyware and hijacking claims. For some reason I always end up with spyware or hijacks after I uninstall these programs.

f secure positively identified the malware immediately after the keystroke to run ccleaner install from the ccleaner menu.

yelloweye

20oct06

error using reply.

It occurs to me to ask if the OP knows that the distribution file ccsetup133.exe is the one that contains Yahoo toolbar. He could check by downloading ccsetup133_slim.exe and trying that instead. It would be quaint if the issue were actually in that toolbar!

Yelloweye.

I have just had an email from the f-secure virus people. They have fully examined the setup.exe and opened the files and can find NO trace of any trojan or virus, and are using all the latest definitions.

They have asked if I would pass on their advice which is to make sure you have all the latest f-secure virus definitions installed. Also if you try again and anything happened to send them a screenshot of the alert or a scanning report file FSAV_REP.HTM.

I think yelloweye we have done all we can to try and assure you that this problem is not one caused by ccleaner. I honestly think you would benefit from posting a Hijackthis Log on the relevant part of this forum as some of the problems you seem to have encountered (such as AVG causing corruptions) can be caused by malware.

Instructions can be found here.

http://forum.ccleaner.com/index.php?showtopic=1720

Greetings

I don't know what the hostility was about BUT, I have the same problem. I rcvd my notification from ccleaner regarding the update. Downloaded it as I have previous updates, and I received the same warning and that the Zlob is now quarantined. HOWEVER IT CAME DURING THE DOWNLOAD PROCEDURE. F-Secure jumped all over it. But to tell someone it didn't happen is no help at all.

So now that I got this crap, do I go back and download my upgrade again etc. This is not giving me a whole lot of confidence at this time.

Iamjumpinjeff

yelloweye,

If you don't want to accept the advice that this is a false positive, you can:

Contact F-Secure yourself and get their advice.

- or -

Wait and try to install CCleaner next week. In the meantime F-Secure will probably fix their problem.

- or -

Go away.

You should be able to contact F-Secure through this link:

http://www.f-secure.com/f-secure/contact_information.html

I have been a user of ccleaner for many years, and now use it in a secure work environment where everything has to pass through many scanners, and an install watcher to check for any back doors.

I am happy to say that the slim package we use is 100% free of vermin, back doors, and animals that pose as horses.

Sample of the Scanner list

Nod32

F-secure

NAV (2000/2006)

AVG

Spybot


Hi All

Well... I don't like "flames" when it's about false/positives :o

Users in Sweden reported exactly the same.

The file involved is InstallOptions.dll, this file is created during setup in a temporary folder.

From F-Secures logfile:

Win32.Trojandownloader.Zlob (Malware)

FILE:C:\DOCUME~1\GRAN~1\LOKALA~1\Temp\nsh216.tmp\InstallOptions.dll

I have scanned this file yesterday evening with Virustotal and also today with F-Secures scanner without any alarm.

This must be a challenge for F-Secure to solve.

regards

plun

Complete scanning result of "InstallOptions.dll", received in VirusTotal at 10.19.2006, 23:01:47 (CET).

| Antivirus | Version | Update | Result |
|---|---|---|---|
| AntiVir | 7.2.0.31 | 10.19.2006 | no virus found |
| Authentium | 4.93.8 | 10.19.2006 | no virus found |
| Avast | 4.7.892.0 | 10.19.2006 | no virus found |
| AVG | 386 | 10.19.2006 | no virus found |
| BitDefender | 7.2 | 10.19.2006 | no virus found |
| CAT-QuickHeal | 8.00 | 10.19.2006 | no virus found |
| ClamAV | devel-20060426 | 10.19.2006 | no virus found |
| eTrust-InoculateIT | 23.73.29 | 10.19.2006 | no virus found |
| eTrust-Vet | 30.3.3143 | 10.19.2006 | no virus found |
| DrWeb | 4.33 | 10.19.2006 | no virus found |
| Ewido | 4.0 | 10.19.2006 | no virus found |
| Fortinet | 2.82.0.0 | 10.19.2006 | no virus found |
| F-Prot | 3.16f | 10.19.2006 | no virus found |
| F-Prot4 | 4.2.1.29 | 10.19.2006 | no virus found |
| Ikarus | 0.2.65.0 | 10.19.2006 | no virus found |
| Kaspersky | 4.0.2.24 | 10.19.2006 | no virus found |
| McAfee | 4877 | 10.19.2006 | no virus found |
| Microsoft | 1.1603 | 10.19.2006 | no virus found |
| NOD32v2 | 1.1817 | 10.19.2006 | no virus found |
| Norman | 5.80.02 | 10.19.2006 | no virus found |
| Panda | 9.0.0.4 | 10.19.2006 | no virus found |
| Sophos | 4.10.0 | 10.15.2006 | no virus found |
| TheHacker | 6.0.1.101 | 10.19.2006 | no virus found |
| UNA | 1.83 | 10.19.2006 | no virus found |
| VBA32 | 3.11.1 | 10.19.2006 | no virus found |
| VirusBuster | 4.3.7:9 | 10.19.2006 | no virus found |

Aditional Information

File size: 12800 bytes

MD5: 444e1109d960c307df0ca2b33a24731b

SHA1: 55e3b57d06128911ed4af44858d199d9b1945edc

http://support.f-secure.com/enu/home/ols.shtml

Quote:

Scanning Report

Friday, October 20, 2006 12:01:44 - 12:02:22

Computer name:

Scanning type: Scan target for viruses

Target: C:\Documents and Settings\MrX\Lokala inställningar\Temp\nsb95.tmp

--------------------------------------------------------------------------------

Result: 0 malware found

--------------------------------------------------------------------------------

Statistics

Scanned:

Files: 6

System: 0

Not scanned: 0

Actions:

Disinfected: 0

Renamed: 0

Deleted: 0

None: 0

Submitted: 0

Files not scanned:

--------------------------------------------------------------------------------

Options

Scanning engines:

F-Secure AVP: 6.0.171, 2006-10-20

F-Secure Libra: 2.4.1, 2006-10-20

F-Secure Orion: 1.2.37, 2006-10-20

F-Secure Blacklight: 1.0.31, 0000-00-00

F-Secure Pegasus: 1.19.0, 2006-08-29

F-Secure Draco: 1.0.35, 2006-10-18

Scanning options:

Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX

Use Advanced heuristics

F-Secure behaviour confirmed; when I tried to install the latest CCleaner I got that warning. After a little wondering I disabled the anti-virus software first after having checked the installer package with no reaction. Then after CCleaner install I checked the system with no reaction, so it's the first time I got a false positive with F-Secure. But what have you changed to mislead F-Secure - or perhaps F-Secure definitions have changed to give that false positive. I have had CCleaner installed perhaps 2 years as well as F-Secure but it's the first time I got that warning. And I regard both softwares as highly recommended!

I have sent another email to f-secure with a link to this thread.


Hi hazelnut

This is probably a better entrance for a f/P trouble and also for all F-Secure users with this "challenge".

http://support.f-secure.com/enu/home/virusproblem/sample/

Undetected viruses

If you have a virus sample that is not detected or it causes a false alarm with F-Secure Virus Protection, please submit a sample of such file to F-Secure.

Direct:

http://support.f-secure.com/enu/home/virus...ex_sample.shtml

F-Secure operates one office in Helsinki and also one in Malaysia, Kuala Lumpur so someone is for sure awake... :)

regards

plun

This has gotten out of hand. The level of respect that is usually kept on this forum is nowhere to be found in this topic. <_<

The bottom line is that the only problem is a false positive detection from fsecure. All that will have to be done is MrG will have to contact F-Secure and have them correct their detections.

This topic will be locked and an update will be posted in the future when this issue has been resolved.

F-Secure have responded with the following email:

We have verified the claim and isolated the cause of the false alarm.

We are already fixing the problem and will release an update as soon as possible.

Thank you for bringing this to our attention.