Virus scanner reports false positive for CCleaner


12 replies to this topic

#1 OFFLINE   Kenward

    Newbie

  • Members
  • Pip
  • 4 posts

Posted 12 November 2006 - 10:39 AM

Earlier today, my Sophos anti-virus software warned me that it had detected a virus in the "uninstall" bit of CCleaner.

I suspect a false positive, so I came here to see what is happening. I see a new version and try to download it, but Sophos tells me that it is infected.

Checking the archives here, I find an earlier hot-tempered report of this behaviour that went round in circles and did not end up in a satisfactory resolution.

As I say, I suspect a false positive. These things happen, but not usually with Sophos, which is better than the usual cowboy stuff from Norton/Symantec. But I am not inclined to install something that is going to deliver these messages.

In this case, maybe a "bought in" component, the uninstaller, is responsible.

Here is the bit of the AV log that matters:

20061112 093251 Virus 'Troj/Zlob-VU' has been detected in "C:\Program Files\CCleaner\uninst.exe"

20061112 093251 Infected file "C:\Program Files\CCleaner\uninst.exe" has been moved to "C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\uninst.exe.000".

20061112 101711 Virus 'Troj/Zlob-VU' has been detected in "C:\Documents and Settings\{username}\Local Settings\Temp\vq4xpv7i.exe"

20061112 101711 Infected file "C:\Documents and Settings\{username}\Local Settings\Temp\vq4xpv7i.exe" has been moved to "C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\vq4xpv7i.exe.000".

The second half is the result of trying to download the latest version of CCleaner.

You might like to tell Sophos that you are good guys.
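A triage sketch for the log excerpt in the post above, added here as an example and not part of any post: it pairs each detection with its quarantine move and reports signature names that matched more than one distinct file, which is the pattern this thread describes. The sample lines are constructed from the format shown above, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the log excerpt above.
SAMPLE_LOG = r'''
20061112 093251 Virus 'Troj/Zlob-VU' has been detected in "C:\Program Files\CCleaner\uninst.exe"
20061112 093251 Infected file "C:\Program Files\CCleaner\uninst.exe" has been moved to "C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\uninst.exe.000".
20061112 101711 Virus 'Troj/Zlob-VU' has been detected in "C:\Documents and Settings\{username}\Local Settings\Temp\vq4xpv7i.exe"
20061112 101711 Infected file "C:\Documents and Settings\{username}\Local Settings\Temp\vq4xpv7i.exe" has been moved to "C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\vq4xpv7i.exe.000".
'''

DETECT = re.compile(r'^(\d{8} \d{6}) Virus \'([^\']+)\' has been detected in "([^"]+)"')
MOVED = re.compile(r'^(\d{8} \d{6}) Infected file "([^"]+)" has been moved to "([^"]+)"')

def parse(log_text):
    """Return one record per detection, with its quarantine path if a move line follows."""
    records, by_path = [], {}
    for line in log_text.splitlines():
        line = line.strip()
        m = DETECT.match(line)
        if m:
            rec = {"time": datetime.strptime(m.group(1), "%Y%m%d %H%M%S"),
                   "signature": m.group(2), "path": m.group(3), "quarantine": None}
            records.append(rec)
            by_path[rec["path"].lower()] = rec  # Windows paths are case-insensitive
            continue
        m = MOVED.match(line)
        if m and m.group(2).lower() in by_path:
            by_path[m.group(2).lower()]["quarantine"] = m.group(3)
    return records

def signatures_hitting_multiple_files(records):
    """Map signature -> sorted distinct paths, only where one name matched several files."""
    hits = defaultdict(set)
    for rec in records:
        hits[rec["signature"]].add(rec["path"])
    return {sig: sorted(paths) for sig, paths in hits.items() if len(paths) > 1}

if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for sig, paths in signatures_hitting_multiple_files(recs).items():
        print(f"{sig}: matched {len(paths)} distinct files")
    for rec in recs:
        print(rec["time"], rec["path"], "->", rec["quarantine"])
```

The quarantine path in each record is where the original file can be recovered from once the vendor has confirmed or corrected the detection.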

#2 OFFLINE   jgjgjg

    Newbie

  • Members
  • Pip
  • 1 posts

Posted 12 November 2006 - 12:42 PM

Similar thing happened to me this morning - but not during a download.

Sophos just reported this virus in c:\programfiles\ccleaner\uninst.exe troj/zlob-VU

I am running ccleaner 1.34.407 (downloaded a while back)
Sophos 6.0.5 last updated this morning.

I've never had A/V problems with the ccleaner before so I assume it is the latest Sophos update that has triggered a false positive.

#3 OFFLINE   rridgely

    I hate computers

  • Moderators
  • 8,858 posts
  • Gender:Male

Posted 12 November 2006 - 05:48 PM

Yes, it's just a false positive. MrG will have to contact Sophos and have the issue fixed. Thanks for the information. :)

#4 OFFLINE   Kenward

    Newbie

  • Members
  • Pip
  • 4 posts

Posted 12 November 2006 - 06:48 PM

rridgely, on Nov 12 2006, 05:48 PM, said:

Yes, it's just a false positive. MrG will have to contact Sophos and have the issue fixed. Thanks for the information. :)

While it isn't good for you folks, for me at least it is a relief to know that I am not the only one in the same boat!

It is, of course, typical that this happened at the weekend!

#5 OFFLINE   Kenward

    Newbie

  • Members
  • Pip
  • 4 posts

Posted 13 November 2006 - 02:18 PM

Kenward, on Nov 12 2006, 06:48 PM, said:

While it isn't good for you folks, for me at least it is a relief to know that I am not the only one in the same boat!

It is, of course, typical that this happened at the weekend!

May have been fixed in a new Sophos update. It did not object to today's download.

#6 OFFLINE   TheOdds

    Advanced Member

  • Members
  • PipPipPip
  • 74 posts
  • Gender:Male

Posted 13 November 2006 - 06:03 PM

http://forum.ccleane...?showtopic=7521

#7 OFFLINE   TonyKlein

    Power Member

  • Spyware Moderators
  • 606 posts
  • Gender:Male
  • Location:Netherlands

Posted 13 November 2006 - 06:18 PM

I'll report this to Sophos for you.

#8 OFFLINE   hazelnut

    try to stay calm

  • Moderators
  • 9,458 posts
  • Gender:Female
  • Location:Huddersfield uk

Posted 13 November 2006 - 06:22 PM

Already done, Tony, and sorted by Sophos with an update.

Sophos also flagged AVG antispyware's installer as having the same trojan this morning.

CCLEANER, RECUVA, DEFRAGGLER AND SPECCY DOCUMENTATION CAN BE FOUND HERE

http://www.piriform.com/docs

#9 OFFLINE   TonyKlein

    Power Member

  • Spyware Moderators
  • 606 posts
  • Gender:Male
  • Location:Netherlands

Posted 13 November 2006 - 06:25 PM

Ah, thank you - I was just about to report it... ;)

#10 OFFLINE   MrG

    Administrator

  • Admin
  • 1,105 posts
  • Gender:Male
  • Location:London, UK

Posted 14 November 2006 - 03:35 AM

Great work reporting this to Sophos! :)

#11 OFFLINE   KBG

    Newbie

  • Members
  • Pip
  • 1 posts

Posted 30 June 2007 - 04:54 AM

MrG, on Nov 13 2006, 08:35 PM, said:

Great work reporting this to Sophos! :)

Hi, I've had the same experience twice now and am using Cox Security Suite, which I think uses Authentium for antivirus.
Hopefully you can e-mail them as well. Thank you for your time.

#12 OFFLINE   ampex

    Newbie

  • Members
  • Pip
  • 4 posts

Posted 30 June 2007 - 10:49 AM

Saturday - 30 June. Attempted to check for CCleaner update and Eset NOD32 virus scanner reported the following:

ARCHIVE http://ds.serving-sys.com/BurstingCachedSc...erMain_62_36.js
THREAT us/Tivso.14a.gen Trojan

I've never had a problem with CCleaner before and wonder if this is what is already being discussed/reported here.

#13 OFFLINE   fireryone

    Lets Get Dangerous

  • Members
  • PipPipPipPip
  • 1,626 posts
  • Gender:Male
  • Location:QLD,Australia
  • Interests:PC, LOTRO

Posted 30 June 2007 - 10:58 AM

I have the latest NOD32 & CCleaner and have not had that problem.
You may want to submit a HijackThis log in that section of the forum to be sure it wasn't some other hidden malware, not just a false positive!
fireryone



There are 10 types of people in this world.
Those who understand binary, and those who don't.