
another trojan detection in ccleaner


cooker


have latest version of ccleaner installed and kaspersky found lately:

- trojan.win32.vilsel.btlm -

in ccleaner, in the installed prog and in the ccleaner setup-file as well. system was then disinfected, but doubt about as still so many times (9x) svchost.exe is loaded at system-startup.


system was then disinfected, but doubt about as still so many times(9x) svchost.exe is loaded at system-startup.

Kaspersky is to blame for EVERYTHING that is wrong, including excessive loading of svchost.exe.

When it "disinfected" your system it deleted or by other means obstructed the operation of CCleaner.

 

If I was in your situation I would ensure that Kaspersky had got its act together and fixed its false detection issue,

and then totally un-install CCleaner and get a fresh download of the setup-file and then re-install CCleaner,

and repeat until Kaspersky stops Crying Wolf and crippling CCleaner.


  • Moderators

Alan no need to go over the top, all av's have False Positives at some time.

 

This has been fixed so poster just needs to make sure his definitions are up to date.

 

Anyone interested can read here

 

https://www.zonealarm.com/forums/showthread.php/79863-Ccĺeaner-4-03-identified-as-Trojan-by-ZA-11-0-768-000-lt-False-Positive/page2

 

Support contact

https://support.ccleaner.com/s/contact-form?language=en_US&form=general

or

support@ccleaner.com

 


all av's have False Positives at some time.

Agreed.

 

BUT

 

Not only was the detection false,

but in addition the A.V. was invited to "disinfect" the system which suggests that the "virus" named CCleaner has been crippled and is no longer working as designed,

and I would ONLY depend upon CCleaner after a fresh download and installation that is free from A.V. aggravation.

 

I admit that I have no knowledge of exactly what "disinfection" does when performed by Kaspersky or any other tool,

but I always assume that what I do not know can hurt me, so I take preventative action.

 

Furthermore, if the poster has observed a significant increase in svchost instances following this incident, this might indicate that damage remains.

But 9 instances could be normal - I have never looked at this at startup but I have 12 instances of svchost running at the moment.


  • Moderators

psst alan Hazelnut's got a point and the moderator was asking you to moderate your extreme statement, might be advisable not to argue with her/me

 

the false positives in these cases are caused by the installer containing a very powerful data eraser (and now one that contains a skip uac routine).

 

Kaspersky and MOST other Malware scanners look for code signatures and not what program is contained in the zip/exe/MSI/etc. They then contain (likely something like) a sha or md5 based white list, thus when the installer changes, let's say with a version, or the signatures detected change ("oh look we found this new way Malware X acts, let's look for that in files now"), good programs have a chance of being caught up in the wake, until a user like the OP reports the false positive.

We can't expect AV companies to be able to test all existing software before releasing something that comes out AT LEAST once-a-day.

 

ADVICE FOR USING CCleaner'S REGISTRY INTEGRITY SECTION

DON'T JUST CLEAN EVERYTHING THAT'S CHECKED OFF.

Do your Registry Cleaning in small bits (at the very least Check-mark by Check-mark)

ALWAYS BACKUP THE ENTRY, YOU NEVER KNOW WHAT YOU'LL BREAK IF YOU DON'T.

Support at https://support.ccleaner.com/s/?language=en_US

Pro users file a PRIORITY SUPPORT via email support@ccleaner.com
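
A simplified model of the mechanism described in the post above, added here as an example; it is not part of the original thread and not any vendor's actual engine. It puts a byte-pattern signature check behind a SHA-256 allowlist; the pattern, detection name and file contents are all constructed for illustration.

```python
import hashlib
from typing import Dict, Optional, Set, Tuple

DETECTION = "Generic.Wiper (constructed)"      # hypothetical detection name
ERASER = b"<secure-erase-routine>"             # constructed stand-in for eraser code

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def scan(data: bytes, signatures: Dict[str, bytes],
         allowlist: Set[str]) -> Optional[str]:
    """Return a detection name, or None when the file is allowlisted or clean."""
    if sha256(data) in allowlist:              # exact-hash allowlist wins
        return None
    for name, pattern in signatures.items():   # otherwise match code patterns
        if pattern in data:
            return name
    return None

# Constructed installers: same eraser code, different build, so different hash.
OLD_INSTALLER = b"installer build A " + ERASER
NEW_INSTALLER = b"installer build B " + ERASER

def new_release_case() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """A new version ships before its hash reaches the allowlist."""
    sigs = {DETECTION: ERASER}
    allow = {sha256(OLD_INSTALLER)}
    old = scan(OLD_INSTALLER, sigs, allow)     # allowlisted: clean
    new = scan(NEW_INSTALLER, sigs, allow)     # unknown hash: false positive
    allow.add(sha256(NEW_INSTALLER))           # false positive reported, hash added
    fixed = scan(NEW_INSTALLER, sigs, allow)   # clean after definitions update
    return old, new, fixed

def new_definitions_case() -> Tuple[Optional[str], Optional[str]]:
    """A definitions update adds a pattern that an unlisted good tool contains."""
    tool = b"unlisted utility " + ERASER
    yesterday: Dict[str, bytes] = {}
    today = {DETECTION: ERASER}
    return scan(tool, yesterday, set()), scan(tool, today, set())

if __name__ == "__main__":
    print(new_release_case())
    print(new_definitions_case())
```
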


Please allow me to explain my point of view.

 

Throughout this topic my position has been, and remains, that ANY anti-malware product,

(including but not restricted to Kaspersky,)

may suffer with a False Positive and wrongly finger an innocent item as "malware",

and if this same "protective" product is then invited to delete or "disinfect" the so called "malware" then some truly beneficial feature will have been destroyed.

 

The consequence of that destruction could range from the loss of some cleaning capability or the removal of some needed protection,

specifically it could remove :-

the contents of CCleaner / Options / Include, thus reducing the cleansing capabilities;

the contents of CCleaner / Options / Exclude, thus endangering the protection required for continued correct operation of some installed software;

OR removal of Piriform defined capabilities that are built into CCleaner.EXE regardless of any WinApp2.ini or User GUI customisation.

 

I am quite certain that any reputable "protective product" has the ability to put out of action some feature of CCleaner,

and in so doing will blunt its surgical precision in "Junk removal".

 

In view of Nergal's post I would suggest that amongst thousands of other possibilities,

perhaps the "protective product" has damaged the capability of "Complex overwrite (7 pass)" deletion or one or all of the other options.

 

Rather than take pot-shots at many possibilities,

I advocate a fresh install of CCleaner whilst the "protective product" is free from False Positives,

and I never consider any product installation to be clean and free from the effects of previous False Positive actions,

unless the previous damaged installation is totally un-installed.

 

N.B. I cannot remember the name of the AntiVirus product,

but there was one in the last few years which had a bad signature update,

and many people lost total functionality until they re-installed and re-registered applications or system files.


  • Moderators

This thread will be closed now. Alan you must really stop going into so much detail and stick to the thread subject.

 

Thread starter's issue was fixed by new av definitions.

 

Any questions regarding how Kaspersky deals with quarantined items etc can be asked about on their forum.

 

This topic is now closed to further replies.