Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: GrahamE on May 16, 2007, 03:08:16 AM

Title: CCleaner Trojans
Post by: GrahamE on May 16, 2007, 03:08:16 AM
Hello all,

Whenever I log off from the internet, I use CCleaner to remove any Temp Internet Files, cookies, etc. Over the past couple of weeks, when I run it, Avast finds a trace of a Trojan when the cleaning is taking place. So far I have in the Chest:
Win32:Agent GYJ[Trj]
Win32:Agent GKD[Trj] (twice)
Win32:Agent GWO[Trj]
Win32:Agent GHL[Trj]
Win32:Nilage-FP[Trj]

I've sent them all to Avast from the Chest with an explanation.

I've run numerous boot-time scans and normal scans which find nothing, and none of my other anti-malware stuff finds anything.

Is anyone else experiencing this? I'm not visiting any iffy sites (honestly!! ;D). One appeared after being on eBay, here and the Dell Forum.

Title: Re: CCleaner Trojans
Post by: Lisandro on May 16, 2007, 04:01:25 AM
Does avast mention the name and the path of the infected file?
Did you disable the System Restore before running avast at boot time?
Title: Re: CCleaner Trojans
Post by: GrahamE on May 16, 2007, 01:26:54 PM
Hi Tech,

This is what I've got in the log viewer:

27/04/2007 21:55:41   GE   3024   Sign of "Win32:Agent-GKD [Trj]" has been found in "C:\WINDOWS\WindowsUpdate.log" file. 
28/04/2007 00:31:12   GE   1372   Sign of "Win32:Agent-GKD [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\WPSHGFSL\JJJJJJJJJJJJJJJJJJJJJJ.JJ" file. 
07/05/2007 00:25:26   GE   1484   Sign of "Win32:Agent-GKD [Trj]" has been found in "C:\WINDOWS\Internet Logs\VVVVVVVVV.VV.VV.VVV" file. 
09/05/2007 11:17:35   GE   1488   Sign of "Win32:Agent-GHL [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\86CTQTEM\YYYYYYYYYYYY.YYY" file. 
14/05/2007 14:37:05   GE   1512   Sign of "Win32:Agent-GYJ [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat" file. 
15/05/2007 12:07:32   GE   1384   Sign of "Win32:Nilage-FP [Trj]" has been found in "C:\WINDOWS\TEMP\{19EC4B5E-F950-4F72-ADB6-DEFB2148866C}\{EFB7D050-CAD2-11D4-B34D-00105A1C23DD}\XXXXXXXX.XXX" file. 
15/05/2007 20:28:29   GE   1412   Sign of "Win32:Agent-GWO [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\NTNMGHTF\LoJack%20ReRevised_400k[1].flv" file. 
16/05/2007 03:14:09   GE   1412   Sign of "Win32:Agent-GWO [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\9RLOOSBW\IIIIIIII.III" file. 
16/05/2007 03:14:26   GE   1412   Sign of "Win32:Agent-GVO [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\HNJH4TJO\IIIIIIIIIIII.III" file. 

I didn't disable System Restore before doing the boot scan. Since it didn't find anything, would disabling it have made any difference? I'll try it anyway, as my logic has let me down too many times before!!
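The Log Viewer lines above all share one record format, and the quickest way to make sense of a list like this is to parse it and group the hits by signature and by where on disk the flagged file lived. The following parser is an added example written for this thread; it is not code from avast! or from anyone in the discussion. It assumes the numeric field before the message is a process id (the page does not say what it is), and the sample input is constructed from the lines quoted in the post plus one non-detection line to show that unrelated entries are skipped.

```python
import re
from collections import Counter
from datetime import datetime

# Record format of the avast! 4 Log Viewer lines quoted in the post:
#   <dd/mm/yyyy> <hh:mm:ss>   <user>   <number>   Sign of "<signature>" has been found in "<path>" file.
# The <number> field is assumed to be the process id of the scanning task (assumption, not documented here).
LINE_RE = re.compile(
    r'^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2})\s+'
    r'(?P<user>\S+)\s+(?P<pid>\d+)\s+'
    r'Sign of "(?P<signature>[^"]+)" has been found in "(?P<path>[^"]+)" file\.'
)

# Constructed sample input: five records copied from the post, followed by one made-up
# non-detection line so the "ignore lines you don't understand" path is exercised.
SAMPLE_LOG = r"""
27/04/2007 21:55:41   GE   3024   Sign of "Win32:Agent-GKD [Trj]" has been found in "C:\WINDOWS\WindowsUpdate.log" file. 
28/04/2007 00:31:12   GE   1372   Sign of "Win32:Agent-GKD [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\WPSHGFSL\JJJJJJJJJJJJJJJJJJJJJJ.JJ" file. 
07/05/2007 00:25:26   GE   1484   Sign of "Win32:Agent-GKD [Trj]" has been found in "C:\WINDOWS\Internet Logs\VVVVVVVVV.VV.VV.VVV" file. 
15/05/2007 12:07:32   GE   1384   Sign of "Win32:Nilage-FP [Trj]" has been found in "C:\WINDOWS\TEMP\{19EC4B5E-F950-4F72-ADB6-DEFB2148866C}\{EFB7D050-CAD2-11D4-B34D-00105A1C23DD}\XXXXXXXX.XXX" file. 
16/05/2007 19:24:32   SYSTEM   1428   Sign of "Win32:Agent-GWO [Trj]" has been found in "C:\WINDOWS\TEMP\DDDDDDD.DDD" file. 
16/05/2007 19:24:40   SYSTEM   1428   Log viewer started.
"""


def classify_location(path):
    """Coarse bucket for where the flagged file lived (Windows XP style paths)."""
    p = path.lower()
    if "\\temporary internet files\\" in p:
        return "browser-cache"   # IE cache: the content was downloaded, not necessarily run
    if p.startswith("c:\\windows\\temp\\"):
        return "windows-temp"    # system temp directory: written by some local process
    if "\\internet logs\\" in p:
        return "firewall-log"    # ZoneAlarm's log folder
    return "other"


def parse_detection(line):
    """Return a dict for one detection record, or None for any other Log Viewer line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    stamp = rec.pop("date") + " " + rec.pop("time")
    rec["when"] = datetime.strptime(stamp, "%d/%m/%Y %H:%M:%S")  # day-first, as in the post
    rec["pid"] = int(rec["pid"])
    rec["location"] = classify_location(rec["path"])
    return rec


def parse_log(text):
    """All detection records in a Log Viewer dump, in file order; other lines are skipped."""
    return [r for r in (parse_detection(l) for l in text.splitlines()) if r]


def summarize(records):
    """Counts by signature, location bucket and scanning user, plus the time span covered."""
    whens = [r["when"] for r in records]
    return {
        "count": len(records),
        "first": min(whens) if whens else None,
        "last": max(whens) if whens else None,
        "by_signature": Counter(r["signature"] for r in records),
        "by_location": Counter(r["location"] for r in records),
        "by_user": Counter(r["user"] for r in records),
    }


def report(text):
    """Human-readable summary of a Log Viewer dump."""
    s = summarize(parse_log(text))
    lines = [f"{s['count']} detections between {s['first']} and {s['last']}"]
    for key in ("by_signature", "by_location", "by_user"):
        lines.append(f"{key}:")
        for name, n in s[key].most_common():
            lines.append(f"  {n:3d}  {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

The location bucket is the first thing worth reading off such a summary: a hit inside the browser cache means a downloaded object was caught where the browser stored it, which is a different situation from a hit on a file written into a system directory by a local process, and the timeline shows whether the hits cluster around particular sessions. Grouping by signature also makes it obvious which detections repeat, which is useful context to include when the samples are submitted for analysis, as was done in this thread.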
Title: Re: CCleaner Trojans
Post by: Lisandro on May 16, 2007, 01:43:45 PM
Since it didn't find anything, would disabling it have made any difference?
No. Disabling is a way to avoid reinfection by replication of the virus. If you don't have any, don't worry.

Can you submit the files to virus@avast.com and include a link to this thread in the email body? Thanks.
Title: Re: CCleaner Trojans
Post by: GrahamE on May 16, 2007, 03:17:29 PM
I did it anyway and it found nothing again.

I've sent them all off, linking to this thread, as you said. One of them (#7 in the list) was a biggy (3588096KB).

Just wait and see, I guess. Thanks Tech.
Title: Re: CCleaner Trojans
Post by: Lisandro on May 16, 2007, 03:54:34 PM
One of them (#7 in the list) was a biggy (3588096KB).
You can use the Alwil FTP server as a second way to transfer just the big files. Upload them to ftp://ftp.avast.com/incoming (please note that you won't have READ access to the ftp server, just write, so you won't even be able to see what you've just uploaded).
Hope they monitor the ftp server and see this thread...
Title: Re: CCleaner Trojans
Post by: GrahamE on May 16, 2007, 03:57:30 PM
The big one was sent from the chest after I increased the 'file size to be sent' thingy.
Title: Re: CCleaner Trojans
Post by: Lisandro on May 16, 2007, 04:45:01 PM
The big one was sent from the chest after I increased the 'file size to be sent' thingy.
Better... 8)
Title: Re: CCleaner Trojans
Post by: GrahamE on May 16, 2007, 08:46:59 PM
Just found another one. That's after being on here and nowhere else.

16/05/2007 19:24:32   SYSTEM   1428   Sign of "Win32:Agent-GWO [Trj]" has been found in "C:\WINDOWS\TEMP\DDDDDDD.DDD" file. 

I've sent it off again.
Title: Re: CCleaner Trojans
Post by: calcu007 on May 17, 2007, 12:35:58 AM
Wow, you have a lot of viruses.. where do you browse?  ;D :P
Title: Re: CCleaner Trojans
Post by: GrahamE on May 17, 2007, 01:14:47 AM
Oh well that's really great! I'm infested with traces of Trojans and I'm a pervert!!  ;D
Title: Re: CCleaner Trojans
Post by: mauserme on May 17, 2007, 02:23:08 AM
Do you have any idea when this started (the malware, not the pervert thing)?  Let's try this:

Download Deckard's System Scanner (DSS) (http://deckard.geekstogo.com/dss.exe) to your Desktop.

Extra Note: When running DSS, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your Antivirus flags DSS as suspicious. Please allow Deckard's System Scanner to run and don't let your Antivirus delete it. (In this case, it may be better to temporarily disable your Antivirus.)

Post the main.txt from the C:\Deckard\System Scanner folder into your next reply.

none of my other anti-malware stuff finds anything.
What other programs have you tried?
Title: Re: CCleaner Trojans
Post by: GrahamE on May 17, 2007, 04:48:00 AM
It started on 27th April (see log viewer in earlier post).

It'll be in the log below I guess, but I use Zone Alarm free, Avast, Counterspy (real-time protection and scanner), Adaware SE (real-time and scanner), WinPatrol, SpywareBlaster, SuperAntispyware (scanner only), Spyware Terminator (real-time and scanner), Spybot (scanner only), AVG antispyware (scanner only). Nothing has been found doing scans with any of them, including Avast.

Here is the main.txt:

Deckard's System Scanner v20070426.43
Run by GE on 2007-05-17 at 03:10:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2007-05-17 02:10:35 UTC - RP1 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-05-17 03:12:13
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.0.5730.11)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Documents and Settings\GE\My Documents\My Utilities\Deckards System Scanner\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TClockEx] C:\Documents and Settings\GE\My Documents\Unzipped\tclockex\TCLOCKEX.EXE
O4 - Startup: Blaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra 'Tools' menuitem: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: AtiExtEvent - C:\WINDOWS\system32\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\system32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"
O23 - Service: avast! Antivirus - ALWIL Software - "C:\Program Files\Alwil Software\Avast4\ashServ.exe"
O23 - Service: avast! Mail Scanner - ALWIL Software - "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service
O23 - Service: avast! Web Scanner - ALWIL Software - "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Microsoft Corp., Veritas Software - C:\WINDOWS\System32\dmadmin.exe /com
O23 - Service: iPod Service - Apple Inc. - "C:\Program Files\iPod\bin\iPodService.exe"
O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - "C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe"
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service


Title: Re: CCleaner Trojans
Post by: GrahamE on May 17, 2007, 04:49:30 AM
2nd bit (too many characters for one post):
-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 AVG Anti-Spyware Driver - c:\program files\grisoft\avg anti-spyware 7.5\guard.sys
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R1 sp_rsdrv2 (Spyware Terminator Driver 2) - c:\windows\system32\drivers\sp_rsdrv2.sys
R2 ElbyCDIO (ElbyCDIO Driver) - c:\windows\system32\drivers\elbycdio.sys <Not Verified; Elaborate Bytes AG; CDRTools>
R3 AnyDVD - c:\windows\system32\drivers\anydvd.sys <Not Verified; SlySoft, Inc.; AnyDVD>
R3 ElbyCDFL - c:\windows\system32\drivers\elbycdfl.sys <Not Verified; SlySoft, Inc.; CloneCD>
R3 ElbyDelay - c:\windows\system32\drivers\elbydelay.sys <Not Verified; Elaborate Bytes AG; CDRTools>

S3 ati2mtaa - c:\windows\system32\drivers\ati2mtaa.sys <Not Verified; ATI Technologies Inc.; ATI Rage 128 Family>
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 sp_rssrv (Spyware Terminator Realtime Shield Service) - c:\program files\spyware terminator\sp_rsser.exe <Not Verified; Crawler.com; Crawler Spyware Terminator>

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Files created between 2007-04-17 and 2007-05-17 -----------------------------

2007-05-17 00:40:06         0 d-------- C:\Documents and Settings\All Users\Application Data\The Learning Company
2007-05-17 00:39:22         0 d-------- C:\Program Files\The Learning Company
2007-05-17 00:35:20         0 dr-h----- C:\Documents and Settings\GE\Recent
2007-05-16 19:16:02         0 d-------- C:\Program Files\Registrar Lite
2007-05-15 12:14:56         0 d-------- C:\NVIDIA
2007-05-08 01:42:38         0 d-------- C:\Documents and Settings\GE\Application Data\Spyware Terminator
2007-05-08 01:42:38         0 d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2007-05-08 01:42:31         0 d-------- C:\Program Files\Spyware Terminator
2007-05-08 01:39:37         0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-05-08 01:39:25         0 d-------- C:\Program Files\SUPERAntiSpyware
2007-05-08 01:38:52         0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-08 01:17:42         0 d-------- C:\WINDOWS\system32\appmgmt
2007-05-03 15:18:45         0 d-------- C:\Documents and Settings\GE\Application Data\ATI
2007-05-03 14:30:55         0 d-------- C:\WINDOWS\SxsCaPendDel
2007-05-02 22:19:54         0 d-------- C:\Program Files\Karen's Computer Profiler
2007-05-02 11:11:13         0 d-------- C:\Documents and Settings\Administrator\Application Data\SiteAdvisor
2007-05-02 11:09:55         0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-05-02 11:09:49         0 d-------- C:\Documents and Settings\Administrator\Application Data\WinPatrol
2007-05-02 11:08:49         0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-05-02 11:07:53         0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-05-02 11:07:53         0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-05-02 11:07:53         0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-05-02 11:07:53         0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-05-02 11:07:53         0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-05-02 11:07:53         0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-05-02 11:07:53         0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-05-02 11:07:53         0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-05-02 11:07:53         0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-05-02 11:07:53         0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-05-02 11:07:53         0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-05-02 11:07:53         0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-05-02 11:07:53         0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-05-02 10:27:56         0 d-------- C:\WINDOWS\system32\URTTemp
2007-04-24 00:09:33         0 d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2007-04-24 00:03:53         0 d-------- C:\WINDOWS\nview
2007-04-23 12:52:05         0 d-------- C:\WINDOWS\Sun
2007-04-23 12:52:05         0 d-------- C:\Documents and Settings\GE\Application Data\Sun
2007-04-23 12:50:39         0 d-------- C:\Documents and Settings\GE\Application Data\AdobeUM
2007-04-23 00:11:24         0 d-------- C:\Documents and Settings\GE\Application Data\OfficeUpdate12
2007-04-23 00:10:49         0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-04-22 14:40:51         0 d-------- C:\Documents and Settings\LocalService\Application Data\Spyware Terminator
2007-04-22 14:16:57         0 d-------- C:\Documents and Settings\GE\Application Data\SUPERAntiSpyware.com
2007-04-22 14:13:15         0 d-------- C:\Documents and Settings\LocalService\Desktop
2007-04-22 14:13:15         0 d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-04-22 14:12:48         0 d-------- C:\Program Files\SiteAdvisor
2007-04-22 14:12:40         0 d-------- C:\Documents and Settings\GE\Application Data\SiteAdvisor
2007-04-22 14:12:40         0 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-04-22 14:12:40         0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-04-22 14:00:55         0 d-------- C:\Program Files\Common Files\xing shared
2007-04-22 13:59:57         0 d-------- C:\Program Files\Common Files\Real
2007-04-22 13:59:55         0 d-------- C:\Program Files\Real
2007-04-22 13:59:37         0 d-------- C:\Documents and Settings\GE\Application Data\Real
2007-04-22 13:56:44         0 d-------- C:\My Downloads
2007-04-22 12:17:07         0 d-------- C:\Documents and Settings\GE\Application Data\Apple Computer
2007-04-22 12:16:38         0 d-------- C:\Program Files\iPod
2007-04-22 12:16:33         0 d-------- C:\Program Files\iTunes
2007-04-22 12:15:15         0 d-------- C:\Program Files\QuickTime
2007-04-22 12:14:38         0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-04-22 12:13:37         0 d-------- C:\Documents and Settings\GE\Application Data\Roxio
2007-04-22 12:09:04         0 d-------- C:\Program Files\Common Files\Napster Shared
2007-04-22 12:08:26         0 d-------- C:\Documents and Settings\All Users\Application Data\Napster
2007-04-22 12:08:14         0 d-------- C:\Program Files\Napster
2007-04-22 03:27:15         0 d-------- C:\Documents and Settings\GE\Application Data\Macromedia
2007-04-22 02:17:56         0 d-------- C:\WINDOWS\system32\ReinstallBackups
2007-04-22 00:42:33         0 d-------- C:\WINDOWS\system32\PreInstall
2007-04-22 00:42:30         0 d--h----- C:\WINDOWS\$hf_mig$
2007-04-22 00:38:12         0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-04-22 00:37:17         0 d--hs---- C:\Documents and Settings\GE\UserData
2007-04-22 00:24:13         0 d-------- C:\Documents and Settings\GE\Application Data\Lavasoft
2007-04-22 00:23:47         0 d-------- C:\Program Files\Lavasoft
2007-04-22 00:23:01         0 d-------- C:\Documents and Settings\GE\Application Data\WinPatrol
2007-04-22 00:22:55         0 d-------- C:\Program Files\BillP Studios
2007-04-22 00:22:41         0 d-------- C:\WINDOWS\Downloaded Installations
2007-04-22 00:20:34         0 d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2007-04-22 00:20:10         0 d-------- C:\Program Files\Sunbelt Software
2007-04-22 00:14:47         0 d-------- C:\Program Files\Alwil Software
2007-04-22 00:09:56         0 d-------- C:\WINDOWS\system32\ZoneLabs
2007-04-22 00:09:12         0 d-------- C:\WINDOWS\Internet Logs
2007-04-21 23:59:19         0 d-------- C:\Program Files\SAGEM
Title: Re: CCleaner Trojans
Post by: GrahamE on May 17, 2007, 04:51:17 AM
3rd bit:

2007-04-21 23:59:19         0 d-------- C:\Program Files\SAGEM
2007-04-21 23:58:36         0 d-------- C:\Program Files\Tiscali Broadband
2007-04-21 23:38:48         0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-04-21 23:36:38         0 d-------- C:\Program Files\SpywareBlaster
2007-04-21 23:34:59         0 d-------- C:\Documents and Settings\GE\Application Data\Google
2007-04-21 23:34:32         0 d-------- C:\Program Files\Google
2007-04-21 23:30:36         0 d-------- C:\Program Files\CCleaner
2007-04-21 23:29:19         0 d-------- C:\Program Files\PrivacyEraser Computing
2007-04-21 23:28:16         0 d-------- C:\Program Files\Java
2007-04-21 23:28:14         0 d-------- C:\Program Files\Common Files\Java
2007-04-21 23:27:03         0 d-------- C:\Documents and Settings\GE\Application Data\Adobe
2007-04-21 23:26:41         0 d-------- C:\Program Files\Common Files\Adobe
2007-04-21 23:26:37         0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-04-21 23:22:51         0 d-------- C:\Program Files\Veoh Networks
2007-04-21 20:45:30         0 d-------- C:\Program Files\Elaborate Bytes
2007-04-21 20:43:12         0 d-------- C:\Program Files\SlySoft
2007-04-21 20:41:03         0 d-------- C:\Program Files\Windows Media Connect 2
2007-04-21 20:39:53         0 d-------- C:\WINDOWS\system32\LogFiles
2007-04-21 20:39:53         0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-04-21 20:39:23         0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2007-04-21 20:38:36         0 d-------- C:\Program Files\Atomic Clock Sync
2007-04-21 20:38:01         0 d-------- C:\Program Files\IrfanView
2007-04-21 20:10:29         0 d-------- C:\Program Files\hp deskjet 3320 series
2007-04-21 20:09:06         0 d-------- C:\Program Files\Hewlett-Packard
2007-04-21 20:02:59         0 d-------- C:\Documents and Settings\GE\Application Data\Ahead
2007-04-21 20:01:37         0 d-------- C:\Program Files\Nero
2007-04-21 20:01:37         0 d-------- C:\Program Files\Common Files\Ahead
2007-04-21 10:20:00         0 d-------- C:\Documents and Settings\GE\Application Data\CyberLink
2007-04-21 10:19:24         0 d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2007-04-21 10:19:20         0 d-------- C:\Program Files\CyberLink
2007-04-21 10:13:13         0 d-------- C:\Program Files\Jasc Software Inc
2007-04-21 10:05:06         0 d-------- C:\Program Files\Common Files\L&H
2007-04-21 10:04:56         0 d-------- C:\Program Files\Microsoft ActiveSync
2007-04-21 10:04:47         0 d-------- C:\WINDOWS\SHELLNEW
2007-04-21 10:04:28         0 d-------- C:\Program Files\Microsoft Works
2007-04-21 10:03:18         0 dr-h----- C:\MSOCache
2007-04-21 10:02:50         0 d-------- C:\IUware Online
2007-04-21 09:56:30         0 d-------- C:\WINDOWS\system32\Defaults
2007-04-21 09:56:09         0 d-------- C:\WINDOWS\system32\Data
2007-04-21 09:54:12         0 d--h----- C:\Program Files\InstallShield Installation Information
2007-04-21 09:54:12         0 d-------- C:\Program Files\Creative
2007-04-21 09:54:09         0 d-------- C:\Program Files\Common Files\InstallShield
2007-04-21 08:56:58         0 d-------- C:\Documents and Settings\GE\Application Data\Identities
2007-04-21 08:56:49         0 d--h----- C:\Documents and Settings\GE\Templates
2007-04-21 08:56:49         0 dr------- C:\Documents and Settings\GE\Start Menu
2007-04-21 08:56:49         0 dr-h----- C:\Documents and Settings\GE\SendTo
2007-04-21 08:56:49         0 d--h----- C:\Documents and Settings\GE\PrintHood
2007-04-21 08:56:49         0 d--h----- C:\Documents and Settings\GE\NetHood
2007-04-21 08:56:49         0 dr------- C:\Documents and Settings\GE\My Documents
2007-04-21 08:56:49         0 d--h----- C:\Documents and Settings\GE\Local Settings
2007-04-21 08:56:49         0 dr------- C:\Documents and Settings\GE\Favorites
2007-04-21 08:56:49         0 d-------- C:\Documents and Settings\GE\Desktop
2007-04-21 08:56:49         0 d--hs---- C:\Documents and Settings\GE\Cookies
2007-04-21 08:56:49         0 dr-h----- C:\Documents and Settings\GE\Application Data
2007-04-21 08:51:40         0 d-------- C:\WINDOWS\SoftwareDistribution
2007-04-21 08:51:38         0 d---s---- C:\WINDOWS\system32\Microsoft
2007-04-21 08:51:38         0 d-------- C:\WINDOWS\Prefetch
2007-04-21 08:51:37         0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2007-04-21 08:51:37         0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2007-04-21 08:51:37         0 d-------- C:\Documents and Settings\LocalService\Application Data
2007-04-21 08:51:37         0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2007-04-21 08:50:47         0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2007-04-21 08:50:47         0 d---s---- C:\Documents and Settings\NetworkService\Cookies
2007-04-21 08:50:47         0 d-------- C:\Documents and Settings\NetworkService\Application Data
2007-04-21 08:50:47         0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2007-04-21 08:46:58         0 d-------- C:\WINDOWS\system32\xircom
2007-04-21 08:46:58         0 d-------- C:\Program Files\microsoft frontpage
2007-04-21 08:46:37         0 d-------- C:\DELL
2007-04-21 08:44:58         0 d--hs---- C:\Documents and Settings\All Users\DRM
2007-04-21 08:44:44         0 dr------- C:\WINDOWS\Offline Web Pages
2007-04-21 08:44:44         0 d---s---- C:\WINDOWS\Downloaded Program Files
2007-04-21 08:44:29         0 d--h----- C:\Program Files\WindowsUpdate
2007-04-21 08:44:06         0 d-------- C:\WINDOWS\system32\DirectX
2007-04-21 08:43:33         0 d---s---- C:\WINDOWS\Tasks
2007-04-21 08:43:32         0 d-------- C:\Program Files\Common Files\MSSoap
2007-04-21 08:43:29         0 d-------- C:\WINDOWS\srchasst
2007-04-21 08:43:28         0 d-------- C:\WINDOWS\system32\Macromed
2007-04-21 08:43:21         0 d-------- C:\Program Files\Movie Maker
2007-04-21 08:43:13         0 d-------- C:\WINDOWS\system32\Restore
2007-04-21 08:42:00         0 d-------- C:\WINDOWS\Registration
2007-04-21 08:41:52         0 d-------- C:\Program Files\Online Services
2007-04-21 08:41:42         0 d-------- C:\Program Files\Messenger
2007-04-21 08:41:39         0 d-------- C:\Program Files\MSN Gaming Zone
2007-04-21 08:41:01         0 d-------- C:\Program Files\Windows NT
2007-04-21 08:40:58         0 d-------- C:\WINDOWS\system32\MsDtc
2007-04-21 08:40:57         0 d-------- C:\WINDOWS\system32\Com
2007-04-21 03:13:48         0 d--hs---- C:\WINDOWS\Installer
2007-04-21 03:13:47         0 d-------- C:\Program Files\Common Files\ODBC
2007-04-21 03:13:44         0 d-------- C:\Program Files\Common Files\SpeechEngines
2007-04-21 03:13:43         0 dr------- C:\Program Files
2007-04-21 03:13:15         0 d--h----- C:\Documents and Settings\Default User\Templates
2007-04-21 03:13:15         0 dr------- C:\Documents and Settings\Default User\Start Menu
2007-04-21 03:13:15         0 dr-h----- C:\Documents and Settings\Default User\SendTo
2007-04-21 03:13:15         0 d--h----- C:\Documents and Settings\Default User\Recent
2007-04-21 03:13:15         0 d--h----- C:\Documents and Settings\Default User\PrintHood
2007-04-21 03:13:15         0 d--h----- C:\Documents and Settings\Default User\NetHood
2007-04-21 03:13:15         0 d-------- C:\Documents and Settings\Default User\My Documents
2007-04-21 03:13:15         0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2007-04-21 03:13:15         0 d-------- C:\Documents and Settings\Default User\Favorites
2007-04-21 03:13:15         0 d-------- C:\Documents and Settings\Default User\Desktop
2007-04-21 03:13:15         0 d---s---- C:\Documents and Settings\Default User\Cookies
2007-04-21 03:13:15         0 d--h----- C:\Documents and Settings\All Users\Templates
2007-04-21 03:13:15         0 dr------- C:\Documents and Settings\All Users\Start Menu
2007-04-21 03:13:15         0 d-------- C:\Documents and Settings\All Users\Favorites
2007-04-21 03:13:15         0 dr------- C:\Documents and Settings\All Users\Documents
2007-04-21 03:13:15         0 d-------- C:\Documents and Settings\All Users\Desktop
2007-04-21 03:13:00         0 d-------- C:\WINDOWS\system32\CatRoot2
2007-04-21 03:13:00         0 d-------- C:\WINDOWS\system32\CatRoot
2007-04-21 03:12:55         0 dr-h----- C:\Documents and Settings\Default User\Application Data
2007-04-21 03:12:55         0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2007-04-21 03:12:54         0 dr-h----- C:\Documents and Settings\All Users\Application Data
2007-04-21 03:12:54         0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
Title: Re: CCleaner Trojans
Post by: GrahamE on May 17, 2007, 04:52:16 AM
Hopefully last bit!

2007-04-21 03:12:54         0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2007-04-21 03:12:34         0 d-------- C:\Documents and Settings
2007-04-21 03:12:33         0 d--hs---- C:\System Volume Information
2007-04-21 03:04:32         0 d-------- C:\WINDOWS
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\WinSxS
2007-04-21 03:04:32         0 dr------- C:\WINDOWS\Web
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\twain_32
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\wins
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\wbem
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\usmt
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\spool
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\ShellExt
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\Setup
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\ras
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\oobe
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\npp
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\mui
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\inetsrv
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\IME
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\icsxml
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\ias
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\export
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\drivers
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\drivers\etc
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\drivers\disdn
2007-04-21 03:04:32         0 dr-hs--c- C:\WINDOWS\system32\dllcache
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\dhcp
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\config
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\3com_dmi
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\3076
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\2052
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\1054
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\1042
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\1041
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\1037
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\1033
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\1031
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\1028
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system32\1025
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\system
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\security
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\Resources
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\repair
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\Provisioning
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\PeerNet
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\pchealth
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\mui
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\msapps
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\msagent
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\Media
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\java
2007-04-21 03:04:32         0 d--h----- C:\WINDOWS\inf
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\ime
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\Help
2007-04-21 03:04:32         0 dr--s---- C:\WINDOWS\Fonts
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\ehome
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\Driver Cache
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\dell
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\Debug
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\Cursors
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\Connection Wizard
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\Config
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\AppPatch
2007-04-21 03:04:32         0 d-------- C:\WINDOWS\addins


-- Find3M Report ---------------------------------------------------------------

2007-04-21 20:44:10        40 ---hs---- C:\Documents and Settings\GE\Application Data\.zreglib
2007-04-21 03:13:15        62 --ahs---- C:\Documents and Settings\GE\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}   C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{089FD14D-132B-48FC-8861-0048AE113215}   C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}   C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"adiras"="adiras.exe"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"SBCSTray"="C:\\Program Files\\Sunbelt Software\\CounterSpy\\SBCSTray.exe"
"WinPatrol"="C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"
"AWMON"="\"C:\\PROGRA~1\\Lavasoft\\AD-AWA~1\\Ad-Watch.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"nwiz"="nwiz.exe /install"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"TClockEx"="C:\\Documents and Settings\\GE\\My Documents\\Unzipped\\tclockex\\TCLOCKEX.EXE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=hex:00,00,00,00
"NoSaveSettings"=hex:00,00,00,00
"ClearRecentDocsOnExit"=hex:00,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
   Authentication Packages   REG_MULTI_SZ      msv1_0\0\0
   Security Packages   REG_MULTI_SZ      kerberos\0msv1_0\0schannel\0wdigest\0\0
   Notification Packages   REG_MULTI_SZ      scecli\0\0


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"CloneCDTray"="\"C:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\"  -osboot"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
 
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter   REG_MULTI_SZ      HTTPFilter\0\0
LocalService   REG_MULTI_SZ      Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService   REG_MULTI_SZ      DnsCache\0\0
DcomLaunch   REG_MULTI_SZ      DcomLaunch\0TermService\0\0
rpcss   REG_MULTI_SZ      RpcSs\0\0
imgsvc   REG_MULTI_SZ      StiSvc\0\0
termsvcs   REG_MULTI_SZ      TermService\0\0
WudfServiceGroup   REG_MULTI_SZ      WUDFSvc\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_SBAPIFS


-- End of Deckard's System Scanner: finished at 2007-05-17 at 03:15:14 ---------
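The Lsa key near the end of the DSS registry dump is worth more than a glance: the DLLs named in Authentication Packages, Security Packages and Notification Packages are loaded into lsass.exe at boot, which makes them a long-lived persistence and credential-capture point. As an added example (my own code, not part of the thread or of Deckard's System Scanner), this parses the three REG_MULTI_SZ lines as DSS prints them (`\0` between entries, `\0\0` at the end) and diffs them against a baseline. The sample lines are copied from the dump above; the baseline is what I remember a clean Windows XP SP2 install carrying and is an assumption to confirm against a known-good machine; the "fakefilt" entry in the tampered copy is a made-up name used only to show a hit.

```python
r"""Diff the LSA package values in a DSS registry dump against a baseline.

Added example, not part of the forum thread or of DSS.  The values under
HKLM\SYSTEM\CurrentControlSet\Control\Lsa name DLLs that lsass.exe loads
at boot, so an entry that is not in the baseline deserves a look.
"""
import re

# Copied from the DSS dump in the post above.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
   Authentication Packages   REG_MULTI_SZ      msv1_0\0\0
   Security Packages   REG_MULTI_SZ      kerberos\0msv1_0\0schannel\0wdigest\0\0
   Notification Packages   REG_MULTI_SZ      scecli\0\0
"""

# Constructed: the same dump with a made-up extra Notification Package
# (a password-filter DLL would be registered exactly like this).
TAMPERED = SAMPLE.replace(r"scecli\0\0", r"scecli\0fakefilt\0\0")

# Assumption: Windows XP SP2 defaults, from memory; verify on a clean box.
XP_SP2_BASELINE = {
    "Authentication Packages": {"msv1_0"},
    "Security Packages": {"kerberos", "msv1_0", "schannel", "wdigest"},
    "Notification Packages": {"scecli"},
}

# DSS indents each value under the key: name, type, then the raw data.
LINE_RE = re.compile(r"^\s+(?P<name>.+?)\s+REG_MULTI_SZ\s+(?P<raw>.*)$")


def parse_multi_sz(raw):
    r"""Split DSS's textual REG_MULTI_SZ: 'a\0b\0\0' -> ['a', 'b'].

    DSS writes the two characters backslash and zero between entries;
    the trailing '\0\0' just terminates the list.
    """
    return [s for s in raw.strip().split("\\0") if s]


def parse_lsa(dump):
    """Return {value name: [package names]} for every REG_MULTI_SZ line."""
    values = {}
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if m:
            values[m.group("name")] = parse_multi_sz(m.group("raw"))
    return values


def unexpected_packages(values, baseline=XP_SP2_BASELINE):
    """Return {value name: [entries absent from the baseline]}; {} if clean."""
    extra = {}
    for name, entries in values.items():
        allowed = baseline.get(name)
        if allowed is None:          # value we have no baseline for: skip
            continue
        surplus = [e for e in entries if e.lower() not in allowed]
        if surplus:
            extra[name] = surplus
    return extra


if __name__ == "__main__":
    for label, dump in (("posted dump", SAMPLE), ("tampered copy", TAMPERED)):
        print(label, "->", unexpected_packages(parse_lsa(dump)) or "matches baseline")
```

The posted values match the baseline, which is the useful negative result here: whatever is tripping the on-access scanner, it is not an extra LSA package.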

Title: Re: CCleaner Trojans
Post by: mauserme on May 17, 2007, 06:02:00 AM
See if you locate these files

C:\WINDOWS\system32\appmgmt.dll

C:\WINDOWS\srchasst.exe

If found, upload them to Virus Total and post the analyses

http://www.virustotal.com/en/indexf.html
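Before uploading anything, it pays to hash the file: VirusTotal can be searched by SHA-256, so a file that is already known needs no upload, and the hash is what you would quote in a reply instead of "scanned virus free". As an added example (my own code, not part of the thread or of any tool named in it), this checks whether each requested path exists and fingerprints it. REQUESTED holds the two paths from the post above; the demo at the bottom builds a throwaway directory holding a 64-byte stub (constructed, not a real DLL) so the script runs anywhere.

```python
"""Locate the files a helper asked about and fingerprint them before upload.

Added example, not part of the forum thread.  For each path: does it exist,
how big is it, and what is its SHA-256 (the value to search for on
VirusTotal before uploading).
"""
import hashlib
import os
import shutil
import tempfile

# The two paths from the post above.
REQUESTED = [
    r"C:\WINDOWS\system32\appmgmt.dll",
    r"C:\WINDOWS\srchasst.exe",
]

# Constructed stand-in content for the demo: an MZ header and padding.
STUB = b"MZ" + b"\x00" * 62


def fingerprint(path, chunk=1 << 20):
    """Return (exists, size_in_bytes, sha256_hex); (False, 0, None) if absent."""
    if not os.path.isfile(path):
        return (False, 0, None)
    digest = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:            # stream, so large files are fine
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
            size += len(block)
    return (True, size, digest.hexdigest())


def report(paths):
    """Map each requested path to its fingerprint tuple."""
    return {p: fingerprint(p) for p in paths}


def demo():
    """Run report() against a throwaway directory: one file present, one absent."""
    d = tempfile.mkdtemp()
    try:
        present = os.path.join(d, "appmgmt.dll")
        with open(present, "wb") as f:
            f.write(STUB)
        absent = os.path.join(d, "srchasst.exe")   # never created
        return report([present, absent])
    finally:
        shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    # On the real machine you would call report(REQUESTED) instead.
    for path, (exists, size, digest) in demo().items():
        status = f"{size} bytes sha256={digest}" if exists else "not found"
        print(f"{path}: {status}")
```

Run it as-is for the demo; on the machine in question replace `demo()` with `report(REQUESTED)` and paste the hashes into the thread, which says more than a "virus free" verdict from one scanner.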
Title: Re: CCleaner Trojans
Post by: GrahamE on May 17, 2007, 01:42:48 PM
I can't report complete success I'm afraid.

I don't seem to have C:\WINDOWS\System32\appmgmt.dll. In System32 there is a folder named appmgmt. It contains folders called MACHINE and S-1-5-21-11.. Both are empty, so couldn't be submitted, obviously.
I did find appmgmts.dll and appmgr.dll, both of which scanned as virus free.

I don't have C:\WINDOWS\srchasst.exe. There is a folder called srchasst. It contains subfolders called 'char' and 'mui'. Also contains msgr3en.dll, nls302en.lex, srchtls.dll and srchui.dll, all of which scanned virus free. I thought I'd scan them anyway even though I didn't think it was what you were after.

I haven't posted the analyses since they all came back with no virus detected. Sorry if I haven't been able to do exactly what you asked for.

Interesting that they're using Avast 4.7.997.
Title: Re: CCleaner Trojans
Post by: GrahamE on May 17, 2007, 01:58:01 PM
As a slight side issue, I noticed when I was looking around, that some of the folders are a paler yellow colour than the others. Is this normal? Perhaps it's always been like that and I've never noticed.  :-[ Sorry, I know this isn't a general information forum!
Title: Re: CCleaner Trojans
Post by: mauserme on May 17, 2007, 02:13:49 PM
Other than those 2 possibilities DSS didn't really shed any light on this, but there is another scan I would like you to run.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply, but this time rename hijackthis.exe to hijackthat.exe before running it.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.


Quote from: GrahamE on May 17, 2007, 01:58:01 PM
As a slight side issue, I noticed when I was looking around, that some of the folders are a paler yellow colour than the others. Is this normal? Perhaps it's always been like that and I've never noticed.  :-[ Sorry, I know this isn't a general information forum!
I'm not sure about that.  Being color blind if I've ever seen that on a computer I probably wouldn't be able to discern the difference.
Title: Re: CCleaner Trojans
Post by: calcu007 on May 17, 2007, 06:28:55 PM
Quote from: GrahamE on May 17, 2007, 01:58:01 PM
As a slight side issue, I noticed when I was looking around, that some of the folders are a paler yellow colour than the others. Is this normal? Perhaps it's always been like that and I've never noticed.  :-[ Sorry, I know this isn't a general information forum!

Hidden folders look a paler yellow than regular folders.
Title: Re: CCleaner Trojans
Post by: GrahamE on May 17, 2007, 06:38:24 PM
 ??? I've looked at the files/folders settings, and 'show hidden ...' was ticked. I did not do that, I'd have absolutely no reason to. I've now ticked to hide them, which is how it should be, I believe. Could the Deckard scanner have done it, because I'm sure I've not noticed those paler files before. Thanks for the info.  :)

I've done the other two scans, I'll post the logs now. The ComboFix one is pretty long so it'll probably be split up.
Title: Re: CCleaner Trojans
Post by: GrahamE on May 17, 2007, 06:39:51 PM
Hijackthis (or rather 'that' in this instance):

Logfile of HijackThis v1.99.1
Scan saved at 17:03:41, on 17/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\PROGRAM FILES\SITEADVISOR\6066\SITEADV.EXE
C:\PROGRAM FILES\CREATIVE\SB LIVE! 24-BIT\SURROUND MIXER\CTSYSVOL.EXE
C:\Documents and Settings\GE\Desktop\HijackThat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TClockEx] C:\Documents and Settings\GE\My Documents\Unzipped\tclockex\TCLOCKEX.EXE
O4 - Startup: Blaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
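A HijackThis log is a fixed line format, so the first pass over it can be automated. As an added example (my own code, not part of the thread or of HijackThis), this parses the O4 Run-key and O23 service lines and flags the three things a reviewer checks by hand: a Run value that is a bare file name (Windows resolves it through the PATH search order, so a writable directory early in PATH can hijack it; `adiras.exe` above is one), a program started from a user-writable location such as a profile directory (TClockEx above runs from My Documents\Unzipped), and a service HijackThis printed as "(file missing)". On that last one, note the stray closing quote left in the printed path of the two avast scanner services: a quoted ImagePath carrying `/service` was split badly, so the verdict should be checked on disk rather than believed. The sample lines are copied from the log above; the flags are prompts for manual review, not verdicts.

```python
"""Triage the O4 (Run-key) and O23 (service) lines of a HijackThis 1.99.1 log.

Added example, not part of the forum thread or of HijackThis.  Flags:
  unqualified-path        Run value is a bare file name, resolved via PATH
  user-writable-location  program lives under a profile, temp or recycler dir
  service-file-missing    HijackThis printed "(file missing)" for a service
"""
import re

# Copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TClockEx] C:\Documents and Settings\GE\My Documents\Unzipped\tclockex\TCLOCKEX.EXE
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
# First token that ends in a program-ish extension, stopping at space/comma/end.
PATH_RE = re.compile(r"^(?P<p>.*?\.(?:exe|dll|scr|cpl|com|bat))(?=\s|,|$)", re.I)
# Lower-cased path fragments that mean "an ordinary user can write here".
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\recycler\\")


def exe_path(cmd):
    """Pull the program path out of a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                       # quoted path, args after it
        end = cmd.find('"', 1)
        first = cmd[1:end] if end > 0 else cmd[1:]
        rest = cmd[end + 1:] if end > 0 else ""
    else:                                         # unquoted, maybe with spaces
        m = PATH_RE.match(cmd)
        toks = cmd.split()
        first = m.group("p") if m else (toks[0] if toks else "")
        rest = cmd[len(first):]
    # rundll32 is only a host process: the DLL it loads is what to inspect.
    if first.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
        m = PATH_RE.match(rest.strip())
        if m:
            return m.group("p")
    return first


def triage(log_text):
    """Return [(line_no, flag, entry_name, target)] for lines worth a look."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = O4_RE.match(line)
        if m:
            exe = exe_path(m.group("cmd"))
            if "\\" not in exe:
                findings.append((n, "unqualified-path", m.group("name"), exe))
            elif any(frag in exe.lower() for frag in USER_WRITABLE):
                findings.append((n, "user-writable-location", m.group("name"), exe))
            continue
        m = O23_RE.match(line)
        if m and m.group("path").rstrip().endswith("(file missing)"):
            findings.append((n, "service-file-missing", m.group("name"), m.group("path")))
    return findings


if __name__ == "__main__":
    for n, flag, name, target in triage(SAMPLE_LOG):
        print(f"line {n}: {flag:24} [{name}] {target}")
```

Feed it a whole saved log instead of SAMPLE_LOG to get the same three flags over every O4 and O23 line; the "Unknown owner" vendor on the mis-parsed avast services is a side effect of the same bad split, since HijackThis reads the company name from the file it failed to find.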

Title: Re: CCleaner Trojans
Post by: GrahamE on May 17, 2007, 06:42:59 PM
Combo fix #1

"GE" - 2007-05-17 17:07:19    Service Pack 2 
ComboFix 07-05.17.6.V - Running from: "C:\Documents and Settings\GE\Desktop\"


(((((((((((((((((((((((((((((((   Files Created from 2007-04-05 to 2007-05-17  ))))))))))))))))))))))))))))))))))


2007-05-17 03:09   <DIR>   d--------   C:\Deckard
2007-05-17 00:40   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\The Learning Company
2007-05-17 00:39   274,432   --a------   C:\WINDOWS\TLCUninstall.exe
2007-05-17 00:39   <DIR>   d--------   C:\Program Files\The Learning Company
2007-05-17 00:38   306,688   --a------   C:\WINDOWS\IsUninst.exe
2007-05-16 19:16   <DIR>   d--------   C:\Program Files\Registrar Lite
2007-05-15 12:15   208,896   --a------   C:\WINDOWS\system32\NVUNINST.EXE
2007-05-15 12:15   208,896   --a------   C:\WINDOWS\system32\nvudisp.exe
2007-05-15 12:14   <DIR>   d--------   C:\NVIDIA
2007-05-08 01:44   135,936   --a------   C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-05-08 01:42   <DIR>   d--------   C:\Program Files\Spyware Terminator
2007-05-08 01:42   <DIR>   d--------   C:\DOCUME~1\GE\APPLIC~1\Spyware Terminator
2007-05-08 01:42   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spyware Terminator
2007-05-08 01:39   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
2007-05-08 01:39   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-08 01:38   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2007-05-08 01:17   <DIR>   d--------   C:\WINDOWS\system32\appmgmt
2007-05-03 15:18   <DIR>   d--------   C:\DOCUME~1\GE\APPLIC~1\ATI
2007-05-03 14:30   <DIR>   d--------   C:\WINDOWS\SxsCaPendDel
2007-05-02 22:19   73,216   --a------   C:\WINDOWS\ST6UNST.EXE
2007-05-02 22:19   249,856   ---------   C:\WINDOWS\Setup1.exe
2007-05-02 22:19   <DIR>   d--------   C:\Program Files\Karen's Computer Profiler
2007-05-02 11:11   <DIR>   d--------   C:\DOCUME~1\ADMINI~1\APPLIC~1\SiteAdvisor
2007-05-02 11:09   <DIR>   d--------   C:\DOCUME~1\ADMINI~1\APPLIC~1\WinPatrol
2007-05-02 11:09   <DIR>   d--------   C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-05-02 11:07   1,048,576   --ah-----   C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-02 10:27   <DIR>   d--------   C:\WINDOWS\system32\URTTemp
2007-05-01 19:24   266,360   --a------   C:\WINDOWS\system32\TweakUI.exe
2007-04-24 00:09   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\NVIDIA
2007-04-24 00:03   <DIR>   d--------   C:\WINDOWS\nview
2007-04-23 12:50   <DIR>   d--------   C:\DOCUME~1\GE\APPLIC~1\AdobeUM
2007-04-23 00:11   <DIR>   d--------   C:\DOCUME~1\GE\APPLIC~1\OfficeUpdate12
2007-04-23 00:10   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2007-04-22 14:40   <DIR>   d--------   C:\DOCUME~1\LOCALS~1\APPLIC~1\Spyware Terminator
2007-04-22 14:22   3,968   --a------   C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-22 14:16   <DIR>   d--------   C:\DOCUME~1\GE\APPLIC~1\SUPERAntiSpyware.com
2007-04-22 14:13   <DIR>   d--------   C:\DOCUME~1\LOCALS~1\APPLIC~1\SiteAdvisor
2007-04-22 14:12   <DIR>   d--------   C:\Program Files\SiteAdvisor
2007-04-22 14:12   <DIR>   d--------   C:\DOCUME~1\GE\APPLIC~1\SiteAdvisor
2007-04-22 14:12   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\SiteAdvisor
2007-04-22 14:12   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-04-22 14:00   <DIR>   d--------   C:\Program Files\Common Files\xing shared
2007-04-22 13:59   <DIR>   d--------   C:\Program Files\Real
2007-04-22 13:59   <DIR>   d--------   C:\Program Files\Common Files\Real
2007-04-22 13:59   <DIR>   d--------   C:\DOCUME~1\GE\APPLIC~1\Real
2007-04-22 13:56   <DIR>   d--------   C:\My Downloads
2007-04-22 12:17   <DIR>   d--------   C:\DOCUME~1\GE\APPLIC~1\Apple Computer
2007-04-22 12:16   <DIR>   d--------   C:\Program Files\iTunes
2007-04-22 12:16   <DIR>   d--------   C:\Program Files\iPod
2007-04-22 12:15   <DIR>   d--------   C:\Program Files\QuickTime
2007-04-22 12:14   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-04-22 12:13   <DIR>   d--------   C:\DOCUME~1\GE\APPLIC~1\Roxio
2007-04-22 12:09   <DIR>   d--------   C:\Program Files\Common Files\Napster Shared
2007-04-22 12:08   <DIR>   d--------   C:\Program Files\Napster
2007-04-22 12:08   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Napster
2007-04-22 02:24   0   --a------   C:\WINDOWS\system32\SBRC.dat
2007-04-22 02:24   0   --a------   C:\WINDOWS\system32\SBFC.dat
2007-04-22 02:17   <DIR>   d--------   C:\WINDOWS\system32\ReinstallBackups
2007-04-22 01:57   262,144   --a------   C:\DOCUME~1\ALLUSE~1\ntuser.dat
2007-04-22 01:41   221,184   --a------   C:\WINDOWS\system32\wmpns.dll
2007-04-22 00:42   <DIR>   d--h-----   C:\WINDOWS\$hf_mig$
2007-04-22 00:42   <DIR>   d--------   C:\WINDOWS\system32\PreInstall
2007-04-22 00:38   18,200   --a------   C:\WINDOWS\system32\wups2.dll
2007-04-22 00:38   <DIR>   d--------   C:\WINDOWS\system32\SoftwareDistribution
Title: Re: CCleaner Trojans
Post by: GrahamE on May 17, 2007, 06:43:59 PM
Combofix #2
2007-04-22 00:37   <DIR>   d--hs----   C:\DOCUME~1\GE\UserData
2007-04-22 00:24   <DIR>   d--------   C:\DOCUME~1\GE\APPLIC~1\Lavasoft
2007-04-22 00:23   <DIR>   d--------   C:\Program Files\Lavasoft
2007-04-22 00:23   <DIR>   d--------   C:\DOCUME~1\GE\APPLIC~1\WinPatrol
2007-04-22 00:22   <DIR>   d--------   C:\WINDOWS\Downloaded Installations
2007-04-22 00:22   <DIR>   d--------   C:\Program Files\BillP Studios
2007-04-22 00:20   15,544   --a------   C:\WINDOWS\system32\drivers\sbhr.sys
2007-04-22 00:20   <DIR>   d--------   C:\Program Files\Sunbelt Software
2007-04-22 00:20   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sunbelt Software
2007-04-22 00:15   95,872   --a------   C:\WINDOWS\system32\AvastSS.scr
2007-04-22 00:15   94,552   --a------   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-22 00:15   85,952   --a------   C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-22 00:15   43,176   --a------   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-22 00:15   26,888   --a------   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-22 00:15   23,416   --a------   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-22 00:14   745,600   --a------   C:\WINDOWS\system32\aswBoot.exe
2007-04-22 00:14   1,060,864   --a------   C:\WINDOWS\system32\MFC71.dll
2007-04-22 00:14   <DIR>   d--------   C:\Program Files\Alwil Software
2007-04-22 00:10   75,512   --a------   C:\WINDOWS\zllsputility.exe
2007-04-22 00:10   4,212   ---h-----   C:\WINDOWS\system32\zllictbl.dat
2007-04-22 00:10   11,264   --a------   C:\WINDOWS\system32\SpOrder.dll
2007-04-22 00:09   1,087,216   --a------   C:\WINDOWS\system32\zpeng24.dll
2007-04-22 00:09   <DIR>   d--------   C:\WINDOWS\system32\ZoneLabs
2007-04-22 00:09   <DIR>   d--------   C:\WINDOWS\Internet Logs
2007-04-22 00:00   53,248   --a------   C:\WINDOWS\setFireWall.exe
2007-04-21 23:59   50,007   --a------   C:\WINDOWS\system32\drivers\adildr.sys
2007-04-21 23:59   46,892   --a------   C:\WINDOWS\system32\adadix16.dll
2007-04-21 23:59   4,981   --a------   C:\WINDOWS\system32\adadix2k.dll
2007-04-21 23:59   22,395   --a------   C:\WINDOWS\system32\drivers\fpga.bin
2007-04-21 23:59   184   --a------   C:\setuplog.exe
2007-04-21 23:59   155,648   --a------   C:\WINDOWS\system32\adadix32.dll
2007-04-21 23:59   127,456   --a------   C:\WINDOWS\system32\ipdetect.exe
2007-04-21 23:59   127,065   --a------   C:\WINDOWS\system32\drivers\adiusbaw.sys
2007-04-21 23:59   114,688   --a------   C:\WINDOWS\system32\unaddrv.exe
2007-04-21 23:59   106,496   --a------   C:\WINDOWS\system32\coclassfast.dll
2007-04-21 23:59   <DIR>   d--------   C:\Program Files\SAGEM
2007-04-21 23:58   <DIR>   d--------   C:\Program Files\Tiscali Broadband
2007-04-21 23:38   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-21 23:36   <DIR>   d--------   C:\Program Files\SpywareBlaster
2007-04-21 23:34   <DIR>   d--------   C:\Program Files\Google
2007-04-21 23:34   <DIR>   d--------   C:\DOCUME~1\GE\APPLIC~1\Google
2007-04-21 23:30   <DIR>   d--------   C:\Program Files\CCleaner
2007-04-21 23:29   <DIR>   d--------   C:\Program Files\PrivacyEraser Computing
2007-04-21 23:22   <DIR>   d--------   C:\Program Files\Veoh Networks
2007-04-21 20:45   <DIR>   d--------   C:\Program Files\Elaborate Bytes
2007-04-21 20:43   <DIR>   d--------   C:\Program Files\SlySoft
2007-04-21 20:41   <DIR>   d--------   C:\Program Files\Windows Media Connect 2
2007-04-21 20:39   23,856   --a------   C:\WINDOWS\system32\spupdsvc.exe
2007-04-21 20:39   <DIR>   d--------   C:\WINDOWS\system32\LogFiles
2007-04-21 20:39   <DIR>   d--------   C:\WINDOWS\system32\drivers\UMDF
2007-04-21 20:39   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-04-21 20:38   <DIR>   d--------   C:\Program Files\IrfanView
2007-04-21 20:38   <DIR>   d--------   C:\Program Files\Atomic Clock Sync
2007-04-21 20:10   25,856   --a------   C:\WINDOWS\system32\drivers\usbprint.sys
2007-04-21 20:10   <DIR>   d--------   C:\Program Files\hp deskjet 3320 series
2007-04-21 20:09   <DIR>   d--------   C:\Program Files\Hewlett-Packard
2007-04-21 20:02   <DIR>   d--------   C:\DOCUME~1\GE\APPLIC~1\Ahead
2007-04-21 20:01   <DIR>   d--------   C:\Program Files\Nero
2007-04-21 20:01   <DIR>   d--------   C:\Program Files\Common Files\Ahead
2007-04-21 10:20   <DIR>   d--------   C:\DOCUME~1\GE\APPLIC~1\CyberLink
2007-04-21 10:19   <DIR>   d--------   C:\Program Files\CyberLink
2007-04-21 10:19   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink
2007-04-21 10:13   <DIR>   d--------   C:\Program Files\Jasc Software Inc
2007-04-21 10:05   24,816   --a------   C:\WINDOWS\system32\mdimon.dll
2007-04-21 10:05   <DIR>   d--------   C:\Program Files\Common Files\L&H
2007-04-21 10:04   <DIR>   d--------   C:\WINDOWS\SHELLNEW
2007-04-21 10:04   <DIR>   d--------   C:\Program Files\Microsoft Works
2007-04-21 10:04   <DIR>   d--------   C:\Program Files\Microsoft ActiveSync
2007-04-21 10:03   <DIR>   dr-h-----   C:\MSOCache
2007-04-21 10:02   <DIR>   d--------   C:\IUware Online
2007-04-21 09:56   90,112   ---------   C:\WINDOWS\Updreg.EXE
2007-04-21 09:56   840,960   --a------   C:\WINDOWS\system32\drivers\P17.sys
2007-04-21 09:56   84,992   ---------   C:\WINDOWS\system32\SFCVRT32.DLL
2007-04-21 09:56   82,432   ---------   C:\WINDOWS\system32\CTWFLT32.DLL
2007-04-21 09:56   65,536   --a------   C:\WINDOWS\system32\A3d.dll
2007-04-21 09:56   60,928   --a------   C:\WINDOWS\system32\P17.dll
2007-04-21 09:56   54,784   ---------   C:\WINDOWS\system32\INETWH32.DLL
2007-04-21 09:56   53,552   ---------   C:\WINDOWS\CTCCW.DLL
2007-04-21 09:56   53,248   --a------   C:\WINDOWS\system32\P17CPI.dll
2007-04-21 09:56   49,152   --a------   C:\WINDOWS\MIDIDEF.EXE
2007-04-21 09:56   41,984   ---------   C:\WINDOWS\Ctregrun.exe
2007-04-21 09:56   40,960   ---------   C:\WINDOWS\system32\AC3API.DLL
2007-04-21 09:56   36,864   --a------   C:\WINDOWS\system32\sfman32.dll
2007-04-21 09:56   26,768   ---------   C:\WINDOWS\system32\CTL3D.DLL
Title: Re: CCleaner Trojans
Post by: GrahamE on May 17, 2007, 06:45:06 PM
Combofix #3

2007-04-21 09:56   24,976   ---------   C:\WINDOWS\CTRES.DLL
2007-04-21 09:56   24,576   --a------   C:\WINDOWS\INRES.DLL
2007-04-21 09:56   20,480   --a------   C:\WINDOWS\P17DEF.EXE
2007-04-21 09:56   178,672   --a------   C:\WINDOWS\system32\drivers\ctoss2k.sys
2007-04-21 09:56   177,488   --a------   C:\WINDOWS\system32\drivers\CTOSS9X.SYS
2007-04-21 09:56   172,032   --a------   C:\WINDOWS\system32\sfms32.dll
2007-04-21 09:56   159,744   --a------   C:\WINDOWS\system32\OPENAL32.DLL
2007-04-21 09:56   149,504   ---------   C:\WINDOWS\system32\MFCANS32.DLL
2007-04-21 09:56   139,264   --a------   C:\WINDOWS\system32\EAX.DLL
2007-04-21 09:56   136,704   --a------   C:\WINDOWS\system32\P17res.dll
2007-04-21 09:56   131,072   --a------   C:\WINDOWS\system32\CtDvInst.dll
2007-04-21 09:56   130,192   --a------   C:\WINDOWS\system32\drivers\ctsfm2k.sys
2007-04-21 09:56   108,032   ---------   C:\WINDOWS\system32\MFCUIA32.DLL
2007-04-21 09:56   1,048,576   ---------   C:\WINDOWS\system32\SFMAN.DAT
2007-04-21 09:56   <DIR>   d--------   C:\WINDOWS\system32\Defaults
2007-04-21 09:56   <DIR>   d--------   C:\WINDOWS\system32\Data
2007-04-21 09:55   62,976   --a------   C:\WINDOWS\system32\CTDetres.dll
2007-04-21 09:55   44,032   ---------   C:\WINDOWS\system32\CTSVCCDA.EXE
2007-04-21 09:55   331,776   ---------   C:\WINDOWS\system32\CTMEDENG.DLL
2007-04-21 09:55   25,088   ---------   C:\WINDOWS\system32\CTSVCCTL.EXE
2007-04-21 09:55   24,576   --a------   C:\WINDOWS\system32\CTMERes.DLL
2007-04-21 09:54   15,840   --a------   C:\WINDOWS\system32\drivers\Pfmodnt.sys
2007-04-21 09:54   <DIR>   d--h-----   C:\Program Files\InstallShield Installation Information
2007-04-21 09:54   <DIR>   d--------   C:\Program Files\Creative
2007-04-21 09:54   <DIR>   d--------   C:\Program Files\Common Files\InstallShield
2007-04-21 09:18   <DIR>   d--hs----   C:\RECYCLER
2007-04-21 09:04   377,984   --a------   C:\WINDOWS\system32\ati2dvaa.dll
2007-04-21 09:04   295,168   --a------   C:\WINDOWS\system32\drivers\ati2mtaa.sys
2007-04-21 08:56   4,718,592   --ah-----   C:\DOCUME~1\GE\NTUSER.DAT
2007-04-21 08:51   262,144   --ah-----   C:\DOCUME~1\LOCALS~1\NTUSER.DAT
2007-04-21 08:51   <DIR>   d--------   C:\WINDOWS\SoftwareDistribution
2007-04-21 08:51   <DIR>   d--------   C:\WINDOWS\Prefetch
2007-04-21 08:50   262,144   --ah-----   C:\DOCUME~1\NETWOR~1\NTUSER.DAT
2007-04-21 08:46   262,144   --ah-----   C:\DOCUME~1\DEFAUL~1\NTUSER.DAT
2007-04-21 08:46   112,128   --a------   C:\WINDOWS\system32\mapi32.dll
2007-04-21 08:46   0   -rahs----   C:\MSDOS.SYS
2007-04-21 08:46   0   -rahs----   C:\IO.SYS
2007-04-21 08:46   0   --a------   C:\CONFIG.SYS
2007-04-21 08:46   0   --a------   C:\AUTOEXEC.BAT
2007-04-21 08:46   <DIR>   d--------   C:\WINDOWS\system32\xircom
2007-04-21 08:46   <DIR>   d--------   C:\Program Files\microsoft frontpage
2007-04-21 08:46   <DIR>   d--------   C:\DELL
2007-04-21 08:44   <DIR>   dr-------   C:\WINDOWS\Offline Web Pages
2007-04-21 08:44   <DIR>   d--hs----   C:\DOCUME~1\ALLUSE~1\DRM
2007-04-21 08:44   <DIR>   d--h-----   C:\Program Files\WindowsUpdate
2007-04-21 08:44   <DIR>   d---s----   C:\WINDOWS\Downloaded Program Files
2007-04-21 08:44   <DIR>   d--------   C:\WINDOWS\system32\DirectX
2007-04-21 08:43   81,920   --a------   C:\WINDOWS\system32\isign32.dll
2007-04-21 08:43   81,920   --a------   C:\WINDOWS\system32\ils.dll
2007-04-21 08:43   8,192   --a------   C:\WINDOWS\system32\bitsprx2.dll
2007-04-21 08:43   73,728   --a------   C:\WINDOWS\system32\icwdial.dll
2007-04-21 08:43   73,472   --a------   C:\WINDOWS\system32\drivers\sr.sys
2007-04-21 08:43   7,168   --a------   C:\WINDOWS\system32\bitsprx3.dll
2007-04-21 08:43   69,632   --a------   C:\WINDOWS\system32\msconf.dll
2007-04-21 08:43   679,424   --a------   C:\WINDOWS\system32\inetcomm.dll
2007-04-21 08:43   67,584   --a------   C:\WINDOWS\system32\srclient.dll
2007-04-21 08:43   65,536   --a------   C:\WINDOWS\system32\icwphbk.dll
2007-04-21 08:43   64,512   --a------   C:\WINDOWS\system32\acctres.dll
2007-04-21 08:43   6,656   --a------   C:\WINDOWS\system32\wuauserv.dll
2007-04-21 08:43   48,128   --a------   C:\WINDOWS\system32\inetres.dll
2007-04-21 08:43   465,176   --a------   C:\WINDOWS\system32\wuapi.dll
2007-04-21 08:43   45,568   --a------   C:\WINDOWS\system32\safrslv.dll
2007-04-21 08:43   43,520   --a------   C:\WINDOWS\system32\safrcdlg.dll
2007-04-21 08:43   43,520   --a------   C:\WINDOWS\system32\racpldlg.dll
2007-04-21 08:43   41,240   --a------   C:\WINDOWS\system32\wups.dll
2007-04-21 08:43   382,464   --a------   C:\WINDOWS\system32\qmgr.dll
2007-04-21 08:43   34,560   --a------   C:\WINDOWS\system32\mnmdd.dll
2007-04-21 08:43   32,768   --a------   C:\WINDOWS\system32\mnmsrvc.exe
2007-04-21 08:43   32,768   --a------   C:\WINDOWS\system32\isrdbg32.dll
2007-04-21 08:43   29,696   --a------   C:\WINDOWS\system32\safrdm.dll
2007-04-21 08:43   28,672   --a------   C:\WINDOWS\system32\nmmkcert.dll
2007-04-21 08:43   274,944   --a------   C:\WINDOWS\system32\mstask.dll
2007-04-21 08:43   274,432   --a------   C:\WINDOWS\system32\inetcfg.dll
2007-04-21 08:43   252,928   --a------   C:\WINDOWS\system32\msoeacct.dll
2007-04-21 08:43   239,104   --a------   C:\WINDOWS\system32\srrstr.dll
2007-04-21 08:43   23,040   --a------   C:\WINDOWS\system32\fltmc.exe
2007-04-21 08:43   194,328   --a------   C:\WINDOWS\system32\wuaueng1.dll
2007-04-21 08:43   190,976   --a------   C:\WINDOWS\system32\schedsvc.dll
2007-04-21 08:43   18,944   --a------   C:\WINDOWS\system32\qmgrprxy.dll
2007-04-21 08:43   173,536   --a------   C:\WINDOWS\system32\wuweb.dll
2007-04-21 08:43   172,312   --a------   C:\WINDOWS\system32\wuauclt1.exe
2007-04-21 08:43   170,496   --a------   C:\WINDOWS\system32\srsvc.dll
2007-04-21 08:43   16,896   --a------   C:\WINDOWS\system32\fltlib.dll
2007-04-21 08:43   16,384   --a------   C:\WINDOWS\system32\icfgnt5.dll
2007-04-21 08:43   128,896   --a------   C:\WINDOWS\system32\drivers\fltmgr.sys
2007-04-21 08:43   127,256   --a------   C:\WINDOWS\system32\wucltui.dll
2007-04-21 08:43   124,184   --a------   C:\WINDOWS\system32\wuauclt.exe
2007-04-21 08:43   12,288   --a------   C:\WINDOWS\system32\nmevtmsg.dll
2007-04-21 08:43   12,288   --a------   C:\WINDOWS\system32\mstinit.exe
2007-04-21 08:43   11,264   --a------   C:\WINDOWS\system32\atrace.dll
2007-04-21 08:43   105,984   --a------   C:\WINDOWS\system32\msoert2.dll
2007-04-21 08:43   1,343,768   --a------   C:\WINDOWS\system32\wuaueng.dll
2007-04-21 08:43   <DIR>   d---s----   C:\WINDOWS\Tasks
2007-04-21 08:43   <DIR>   d--------   C:\WINDOWS\system32\Restore
2007-04-21 08:43   <DIR>   d--------   C:\WINDOWS\system32\Macromed
2007-04-21 08:43   <DIR>   d--------   C:\WINDOWS\srchasst
2007-04-21 08:43   <DIR>   d--------   C:\Program Files\Movie Maker
2007-04-21 08:43   <DIR>   d--------   C:\Program Files\Common Files\MSSoap
2007-04-21 08:42   21,640   --a------   C:\WINDOWS\system32\emptyregdb.dat
2007-04-21 08:42   <DIR>   d--------   C:\WINDOWS\Registration
2007-04-21 08:41   97,792   --a------   C:\WINDOWS\system32\comrepl.dll
2007-04-21 08:41   93,696   --a------   C:\WINDOWS\system32\tscfgwmi.dll
2007-04-21 08:41   9,728   --a------   C:\WINDOWS\system32\reset.exe
2007-04-21 08:41   80,384   --a------   C:\WINDOWS\system32\charmap.exe
2007-04-21 08:41   73,216   --a------   C:\WINDOWS\system32\avwav.dll
2007-04-21 08:41   655,360   --a------   C:\WINDOWS\system32\mstscax.dll
2007-04-21 08:41   605,696   --a------   C:\WINDOWS\system32\getuname.dll
2007-04-21 08:41   60,416   --a------   C:\WINDOWS\system32\remotepg.dll
2007-04-21 08:41   56,832   --a------   C:\WINDOWS\system32\sol.exe
2007-04-21 08:41   55,296   --a------   C:\WINDOWS\system32\freecell.exe
2007-04-21 08:41   54,272   --a------   C:\WINDOWS\system32\stclient.dll
2007-04-21 08:41   538,624   --a------   C:\WINDOWS\system32\spider.exe
2007-04-21 08:41   5,632   --a------   C:\WINDOWS\system32\write.exe
2007-04-21 08:41   5,120   --a------   C:\WINDOWS\system32\dcomcnfg.exe
2007-04-21 08:41   44,544   --a------   C:\WINDOWS\system32\hticons.dll
2007-04-21 08:41   407,552   --a------   C:\WINDOWS\system32\mstsc.exe
2007-04-21 08:41   4,096   --a------   C:\WINDOWS\system32\rdpcfgex.dll
2007-04-21 08:41   4,096   --a------   C:\WINDOWS\system32\mtxex.dll
2007-04-21 08:41   35,328   --a------   C:\WINDOWS\system32\winchat.exe
2007-04-21 08:41   347,136   --a------   C:\WINDOWS\system32\hypertrm.dll
2007-04-21 08:41   343,040   --a------   C:\WINDOWS\system32\mspaint.exe
2007-04-21 08:41   33,792   --a------   C:\WINDOWS\system32\regini.exe
2007-04-21 08:41   25,600   --a------   C:\WINDOWS\system32\comaddin.dll
2007-04-21 08:41   25,088   --a------   C:\WINDOWS\system32\mtxlegih.dll
2007-04-21 08:41   227,840   --a------   C:\WINDOWS\system32\avtapi.dll
2007-04-21 08:41   22,016   --a------   C:\WINDOWS\system32\qwinsta.exe
2007-04-21 08:41   21,896   --a------   C:\WINDOWS\system32\drivers\tdtcp.sys
2007-04-21 08:41   20,992   --a------   C:\WINDOWS\system32\msg.exe
2007-04-21 08:41   20,480   --a------   C:\WINDOWS\system32\mtxdm.dll
2007-04-21 08:41   183,808   --a------   C:\WINDOWS\system32\accwiz.exe
2007-04-21 08:41   16,896   --a------   C:\WINDOWS\system32\tsshutdn.exe
2007-04-21 08:41   16,896   --a------   C:\WINDOWS\system32\qappsrv.exe
Title: Re: CCleaner Trojans
Post by: GrahamE on May 17, 2007, 06:47:08 PM
Combofix #4

2007-04-21 08:41   16,384   --a------   C:\WINDOWS\system32\tskill.exe
2007-04-21 08:41   16,384   --a------   C:\WINDOWS\system32\avmeter.dll
2007-04-21 08:41   15,872   --a------   C:\WINDOWS\system32\rwinsta.exe
2007-04-21 08:41   15,872   --a------   C:\WINDOWS\system32\cdmodem.dll
2007-04-21 08:41   15,360   --a------   C:\WINDOWS\system32\logoff.exe
2007-04-21 08:41   147,456   --a------   C:\WINDOWS\system32\comsnap.dll
2007-04-21 08:41   14,848   --a------   C:\WINDOWS\system32\tsdiscon.exe
2007-04-21 08:41   14,848   --a------   C:\WINDOWS\system32\tscon.exe
2007-04-21 08:41   14,848   --a------   C:\WINDOWS\system32\shadow.exe
2007-04-21 08:41   139,528   --a------   C:\WINDOWS\system32\drivers\rdpwd.sys
2007-04-21 08:41   138,752   --a------   C:\WINDOWS\system32\sndvol32.exe
2007-04-21 08:41   131,584   --a------   C:\WINDOWS\system32\sndrec32.exe
2007-04-21 08:41   126,976   --a------   C:\WINDOWS\system32\mshearts.exe
2007-04-21 08:41   123,392   --a------   C:\WINDOWS\system32\mplay32.exe
2007-04-21 08:41   12,040   --a------   C:\WINDOWS\system32\drivers\tdpipe.sys
2007-04-21 08:41   119,808   --a------   C:\WINDOWS\system32\winmine.exe
2007-04-21 08:41   114,688   --a------   C:\WINDOWS\system32\calc.exe
2007-04-21 08:41   102,912   --a------   C:\WINDOWS\system32\clipbrd.exe
2007-04-21 08:41   1,161   --a------   C:\WINDOWS\system32\usrlogon.cmd
2007-04-21 08:41   <DIR>   d--------   C:\Program Files\Windows NT
2007-04-21 08:41   <DIR>   d--------   C:\Program Files\Online Services
2007-04-21 08:41   <DIR>   d--------   C:\Program Files\MSN Gaming Zone
2007-04-21 08:41   <DIR>   d--------   C:\Program Files\Messenger
2007-04-21 08:40   956,416   --a------   C:\WINDOWS\system32\msdtctm.dll
2007-04-21 08:40   91,136   --a------   C:\WINDOWS\system32\mtxoci.dll
2007-04-21 08:40   87,176   --a------   C:\WINDOWS\system32\rdpwsx.dll
2007-04-21 08:40   85,504   --a------   C:\WINDOWS\system32\catsrvps.dll
2007-04-21 08:40   67,072   --a------   C:\WINDOWS\system32\rdshost.exe
2007-04-21 08:40   625,152   --a------   C:\WINDOWS\system32\catsrvut.dll
2007-04-21 08:40   62,464   --a------   C:\WINDOWS\system32\rdpclip.exe
2007-04-21 08:40   60,416   --a------   C:\WINDOWS\system32\colbact.dll
2007-04-21 08:40   6,144   --a------   C:\WINDOWS\system32\msdtc.exe
2007-04-21 08:40   58,880   --a------   C:\WINDOWS\system32\msdtclog.dll
2007-04-21 08:40   58,880   --a------   C:\WINDOWS\system32\licwmi.dll
2007-04-21 08:40   56,320   --a------   C:\WINDOWS\system32\servdeps.dll
2007-04-21 08:40   540,160   --a------   C:\WINDOWS\system32\comuid.dll
2007-04-21 08:40   498,688   --a------   C:\WINDOWS\system32\clbcatq.dll
2007-04-21 08:40   44,544   --a------   C:\WINDOWS\system32\tscupgrd.exe
2007-04-21 08:40   426,496   --a------   C:\WINDOWS\system32\msdtcprx.dll
2007-04-21 08:40   40,840   --a------   C:\WINDOWS\system32\drivers\termdd.sys
2007-04-21 08:40   38,912   --a------   C:\WINDOWS\system32\cfgbkend.dll
2007-04-21 08:40   295,424   --a------   C:\WINDOWS\system32\termsrv.dll
2007-04-21 08:40   225,792   --a------   C:\WINDOWS\system32\catsrv.dll
2007-04-21 08:40   20,480   --a------   C:\WINDOWS\system32\qprocess.exe
2007-04-21 08:40   196,864   --a------   C:\WINDOWS\system32\drivers\rdpdr.sys
2007-04-21 08:40   19,968   --a------   C:\WINDOWS\system32\rdpsnd.dll
2007-04-21 08:40   185,344   --a------   C:\WINDOWS\system32\cmprops.dll
2007-04-21 08:40   17,408   --a------   C:\WINDOWS\system32\mmfutil.dll
2007-04-21 08:40   161,280   --a------   C:\WINDOWS\system32\msdtcuiu.dll
2007-04-21 08:40   147,968   --a------   C:\WINDOWS\system32\rdchost.dll
2007-04-21 08:40   140,800   --a------   C:\WINDOWS\system32\sessmgr.exe
2007-04-21 08:40   13,824   --a------   C:\WINDOWS\system32\rdsaddin.exe
2007-04-21 08:40   110,080   --a------   C:\WINDOWS\system32\clbcatex.dll
2007-04-21 08:40   11,776   --a------   C:\WINDOWS\system32\xolehlp.dll
2007-04-21 08:40   11,264   --a------   C:\WINDOWS\system32\icaapi.dll
2007-04-21 08:40   1,267,200   --a------   C:\WINDOWS\system32\comsvcs.dll
2007-04-21 08:40   <DIR>   d--------   C:\WINDOWS\system32\MsDtc
2007-04-21 08:40   <DIR>   d--------   C:\WINDOWS\system32\Com
2007-04-21 03:17   6,400   --a------   C:\WINDOWS\system32\drivers\splitter.sys
2007-04-21 03:17   54,272   --a------   C:\WINDOWS\system32\drivers\swmidi.sys
2007-04-21 03:17   142,464   --a------   C:\WINDOWS\system32\drivers\aec.sys
2007-04-21 03:16   82,944   --a------   C:\WINDOWS\system32\drivers\wdmaud.sys
2007-04-21 03:16   7,552   --a------   C:\WINDOWS\system32\drivers\MSKSSRV.sys
2007-04-21 03:16   60,800   --a------   C:\WINDOWS\system32\drivers\sysaudio.sys
2007-04-21 03:16   57,472   --a------   C:\WINDOWS\system32\drivers\redbook.sys
2007-04-21 03:16   52,864   --a------   C:\WINDOWS\system32\drivers\DMusic.sys
2007-04-21 03:16   5,376   --a------   C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2007-04-21 03:16   4,992   --a------   C:\WINDOWS\system32\drivers\MSPQM.sys
2007-04-21 03:16   3,072   --a------   C:\WINDOWS\system32\drivers\audstub.sys
2007-04-21 03:16   2,944   --a------   C:\WINDOWS\system32\drivers\drmkaud.sys
2007-04-21 03:16   172,416   --a------   C:\WINDOWS\system32\drivers\kmixer.sys
2007-04-21 03:15   96,256   --a------   C:\WINDOWS\system32\drivers\ac97intc.sys
2007-04-21 03:15   74,240   --a------   C:\WINDOWS\system32\usbui.dll
2007-04-21 03:15   66,591   --a------   C:\WINDOWS\system32\drivers\el90xbc5.sys
2007-04-21 03:15   60,288   --a------   C:\WINDOWS\system32\drivers\drmk.sys
2007-04-21 03:15   42,368   --a------   C:\WINDOWS\system32\drivers\AGP440.SYS
2007-04-21 03:15   4,096   --a------   C:\WINDOWS\system32\ksuser.dll
2007-04-21 03:15   145,792   --a------   C:\WINDOWS\system32\drivers\portcls.sys
2007-04-21 03:13   9,936   --a------   C:\WINDOWS\system\LZEXPAND.DLL
2007-04-21 03:13   9,008   --a------   C:\WINDOWS\system\VER.DLL
2007-04-21 03:13   85,020   --a------   C:\WINDOWS\system32\dgsetup.dll
2007-04-21 03:13   82,944   --a------   C:\WINDOWS\system\OLECLI.DLL
2007-04-21 03:13   8,704   --a------   C:\WINDOWS\system32\batt.dll
2007-04-21 03:13   8,192   -ra------   C:\WINDOWS\system32\kbdhept.dll
2007-04-21 03:13   74,752   --a------   C:\WINDOWS\system32\storprop.dll
2007-04-21 03:13   7,168   -ra------   C:\WINDOWS\system32\kbdcz.dll
2007-04-21 03:13   69,584   --a------   C:\WINDOWS\system\AVICAP.DLL
2007-04-21 03:13   69,120   --a------   C:\WINDOWS\NOTEPAD.EXE
2007-04-21 03:13   68,768   --a------   C:\WINDOWS\system\MMSYSTEM.DLL
2007-04-21 03:13   6,656   -ra------   C:\WINDOWS\system32\kbdycl.dll
2007-04-21 03:13   6,656   -ra------   C:\WINDOWS\system32\kbdsl1.dll
2007-04-21 03:13   6,656   -ra------   C:\WINDOWS\system32\kbdsl.dll
2007-04-21 03:13   6,656   -ra------   C:\WINDOWS\system32\kbdpl.dll
2007-04-21 03:13   6,656   -ra------   C:\WINDOWS\system32\kbdhu.dll
2007-04-21 03:13   6,656   -ra------   C:\WINDOWS\system32\kbdhela3.dll
2007-04-21 03:13   6,656   -ra------   C:\WINDOWS\system32\kbdcz2.dll
2007-04-21 03:13   6,656   -ra------   C:\WINDOWS\system32\kbdcz1.dll
2007-04-21 03:13   6,656   -ra------   C:\WINDOWS\system32\kbdcr.dll
2007-04-21 03:13   6,656   -ra------   C:\WINDOWS\system32\KBDAL.DLL
2007-04-21 03:13   6,144   -ra------   C:\WINDOWS\system32\kbdtuq.dll
2007-04-21 03:13   6,144   -ra------   C:\WINDOWS\system32\kbdtuf.dll
2007-04-21 03:13   6,144   -ra------   C:\WINDOWS\system32\kbdlv1.dll
Title: Re: CCleaner Trojans
Post by: GrahamE on May 17, 2007, 06:48:09 PM
Combofix #5

2007-04-21 03:13   6,144   -ra------   C:\WINDOWS\system32\kbdlv.dll
2007-04-21 03:13   6,144   -ra------   C:\WINDOWS\system32\kbdhela2.dll
2007-04-21 03:13   6,144   -ra------   C:\WINDOWS\system32\kbdgkl.dll
2007-04-21 03:13   6,144   -ra------   C:\WINDOWS\system32\kbdest.dll
2007-04-21 03:13   5,632   -ra------   C:\WINDOWS\system32\kbdro.dll
2007-04-21 03:13   5,632   -ra------   C:\WINDOWS\system32\kbdpl1.dll
2007-04-21 03:13   5,632   -ra------   C:\WINDOWS\system32\kbdmon.dll
2007-04-21 03:13   5,632   -ra------   C:\WINDOWS\system32\kbdlt1.dll
2007-04-21 03:13   5,632   -ra------   C:\WINDOWS\system32\kbdlt.dll
2007-04-21 03:13   5,632   -ra------   C:\WINDOWS\system32\kbdkyr.dll
2007-04-21 03:13   5,632   -ra------   C:\WINDOWS\system32\kbdhu1.dll
2007-04-21 03:13   5,632   -ra------   C:\WINDOWS\system32\kbdhe319.dll
2007-04-21 03:13   5,632   -ra------   C:\WINDOWS\system32\kbdhe220.dll
2007-04-21 03:13   5,632   -ra------   C:\WINDOWS\system32\kbdhe.dll
2007-04-21 03:13   5,632   -ra------   C:\WINDOWS\system32\kbdazel.dll
2007-04-21 03:13   5,120   --a------   C:\WINDOWS\system\SHELL.DLL
2007-04-21 03:13   32,816   --a------   C:\WINDOWS\system\COMMDLG.DLL
2007-04-21 03:13   24,661   --a------   C:\WINDOWS\system32\spxcoins.dll
2007-04-21 03:13   24,064   --a------   C:\WINDOWS\system\OLESVR.DLL
2007-04-21 03:13   19,200   --a------   C:\WINDOWS\system\TAPI.DLL
2007-04-21 03:13   176,157   --a------   C:\WINDOWS\system32\dgrpsetu.dll
2007-04-21 03:13   15,360   --a------   C:\WINDOWS\TASKMAN.EXE
2007-04-21 03:13   13,312   --a------   C:\WINDOWS\system32\irclass.dll
2007-04-21 03:13   126,912   --a------   C:\WINDOWS\system\MSVIDEO.DLL
2007-04-21 03:13   11,264   --a------   C:\WINDOWS\system32\drivers\irenum.sys
2007-04-21 03:13   109,456   --a------   C:\WINDOWS\system\AVIFILE.DLL
2007-04-21 03:13   103,424   --a------   C:\WINDOWS\system32\EqnClass.Dll
2007-04-21 03:13   <DIR>   dr-------   C:\Program Files
2007-04-21 03:13   <DIR>   dr-------   C:\DOCUME~1\ALLUSE~1\Documents
2007-04-21 03:13   <DIR>   d--hs----   C:\WINDOWS\Installer
2007-04-21 03:13   <DIR>   d--------   C:\WINDOWS\system32\CatRoot2
2007-04-21 03:13   <DIR>   d--------   C:\WINDOWS\system32\CatRoot
2007-04-21 03:13   <DIR>   d--------   C:\Program Files\Common Files\SpeechEngines
2007-04-21 03:13   <DIR>   d--------   C:\Program Files\Common Files\ODBC
2007-04-21 03:12   <DIR>   d--hs----   C:\System Volume Information
2007-04-21 03:12   <DIR>   d--------   C:\Documents and Settings
2007-04-21 03:04   <DIR>   dr-hsc---   C:\WINDOWS\system32\dllcache
2007-04-21 03:04   <DIR>   dr--s----   C:\WINDOWS\Fonts
2007-04-21 03:04   <DIR>   dr-------   C:\WINDOWS\Web
2007-04-21 03:04   <DIR>   d--h-----   C:\WINDOWS\inf
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\WinSxS
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\twain_32
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\wins
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\wbem
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\usmt
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\spool
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\ShellExt
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\Setup
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\ras
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\oobe
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\npp
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\mui
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\inetsrv
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\IME
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\icsxml
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\ias
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\export
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\drivers\etc
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\drivers\disdn
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\drivers
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\dhcp
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\config
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\3com_dmi
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\3076
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\2052
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\1054
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\1042
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\1041
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\1037
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\1033
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\1031
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\1028
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32\1025
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system32
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\system
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\security
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\Resources
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\repair
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\Provisioning
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\PeerNet
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\pchealth
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\mui
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\msapps
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\msagent
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\Media
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\ime
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\Help
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\ehome
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\Driver Cache
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\dell
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\Debug
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\Cursors
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\Connection Wizard
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\Config
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\AppPatch
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS\addins
2007-04-21 03:04   <DIR>   d--------   C:\WINDOWS

Title: Re: CCleaner Trojans
Post by: GrahamE on May 17, 2007, 06:49:04 PM
Combofix #6

((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-17 13:43:01   292,864   ----a-w   C:\WINDOWS\system32\winsrv.dll
2007-03-15 01:57:34   267,776   ----a-w   C:\WINDOWS\system32\ati2dvag.dll
2007-03-15 01:57:15   1,986,560   ----a-w   C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-03-15 01:40:10   2,820,544   ----a-w   C:\WINDOWS\system32\ati3duag.dll
2007-03-15 01:29:47   1,315,712   ----a-w   C:\WINDOWS\system32\ativvaxx.dll
2007-03-15 01:10:28   356,352   ----a-w   C:\WINDOWS\system32\ati2cqag.dll
2007-03-14 18:38:24   524,288   ----a-w   C:\WINDOWS\opuc.dll
2007-03-09 08:57:40   27,376   ----a-w   C:\WINDOWS\system32\SBBD.exe
2007-03-08 15:36:28   577,536   ----a-w   C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28   40,960   ----a-w   C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28   281,600   ----a-w   C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48   1,843,584   ----a-w   C:\WINDOWS\system32\win32k.sys
2007-03-05 12:34:28   676,224   ----a-w   C:\WINDOWS\system32\OGACheckControl.DLL
2007-02-05 20:17:02   185,344   ----a-w   C:\WINDOWS\system32\upnphost.dll


((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2005-09-23 20:12]
{089FD14D-132B-48FC-8861-0048AE113215}=C:\Program Files\SiteAdvisor\6066\SiteAdv.dll [2007-03-30 16:41]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"adiras"="adiras.exe" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 16:42]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-03-09 10:31]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-04-19 18:33]
"AWMON"="C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe" [2004-10-12 11:14]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 14:18]
"TClockEx"="C:\Documents and Settings\GE\My Documents\Unzipped\tclockex\TCLOCKEX.EXE" [2000-03-09 01:15]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=hex:00,00,00,00
"ClearRecentDocsOnExit"=hex:00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 15:13]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages   msv1_0 
Security Packages   kerberos msv1_0 schannel wdigest 
Notification Packages   scecli 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\SBCSSvc]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"CloneCDTray"="\"C:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\"  -osboot"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HTTPFilter   HTTPFilter 
LocalService   Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV 
NetworkService   DnsCache 
DcomLaunch   DcomLaunch TermService 
rpcss   RpcSs 
imgsvc   StiSvc 
termsvcs   TermService 
WudfServiceGroup   WUDFSvc 

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
   
*newlycreated* -PROCEXP90
*newlycreated* -SBAPIFS

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-17 17:12:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-17 17:16:16
C:\ComboFix-quarantined-files.txt ... 2007-05-17 17:16


   --- E O F ---
Title: Re: CCleaner Trojans
Post by: GrahamE on May 17, 2007, 06:50:21 PM
That's the lot  :P
Title: Re: CCleaner Trojans
Post by: GrahamE on May 17, 2007, 07:32:07 PM
Hi Tech,

This is what I've got in the log viewer:

27/04/2007 21:55:41   GE   3024   Sign of "Win32:Agent-GKD [Trj]" has been found in "C:\WINDOWS\WindowsUpdate.log" file. 
28/04/2007 00:31:12   GE   1372   Sign of "Win32:Agent-GKD [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\WPSHGFSL\JJJJJJJJJJJJJJJJJJJJJJ.JJ" file. 
07/05/2007 00:25:26   GE   1484   Sign of "Win32:Agent-GKD [Trj]" has been found in "C:\WINDOWS\Internet Logs\VVVVVVVVV.VV.VV.VVV" file. 
09/05/2007 11:17:35   GE   1488   Sign of "Win32:Agent-GHL [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\86CTQTEM\YYYYYYYYYYYY.YYY" file. 
14/05/2007 14:37:05   GE   1512   Sign of "Win32:Agent-GYJ [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat" file. 
15/05/2007 12:07:32   GE   1384   Sign of "Win32:Nilage-FP [Trj]" has been found in "C:\WINDOWS\TEMP\{19EC4B5E-F950-4F72-ADB6-DEFB2148866C}\{EFB7D050-CAD2-11D4-B34D-00105A1C23DD}\XXXXXXXX.XXX" file. 
15/05/2007 20:28:29   GE   1412   Sign of "Win32:Agent-GWO [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\NTNMGHTF\LoJack%20ReRevised_400k[1].flv" file. 
16/05/2007 03:14:09   GE   1412   Sign of "Win32:Agent-GWO [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\9RLOOSBW\IIIIIIII.III" file. 
16/05/2007 03:14:26   GE   1412   Sign of "Win32:Agent-GVO [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\HNJH4TJO\IIIIIIIIIIII.III" file. 

I've just scanned everything in the Chest, and entry #2 for 28/04/2007 and entry #3 for 07/05/2007 are now showing 'no virus'. There isn't an entry in the Chest for entry #1 in the log file. This means that it's no longer finding the Win32:Agent-GKD [Trj]. Does this mean they, and possibly all of them are false-positives??
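The log-viewer lines above have a regular shape, and the question the thread keeps circling (are these hits in the browser cache and temp folders false positives, or is something persistent?) is easier to answer once the detections are grouped by signature and by where on disk they landed. The following is an added example written for this thread, not code from avast! or from any poster; it assumes the line format exactly as shown in the post (day/month/year, user, PID, signature, path), and the sample lines are constructed copies of a few of the entries above. Hits in plain-text log files and in browser cache or temp directories are the ones most often cleared by the next signature update (a pattern matching inside non-executable data), while hits in system locations are the ones worth hashing and submitting for a second opinion, as mauserme suggests later in the thread.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: a few lines copied in the shape of the avast! log viewer
# output quoted in the post (raw string so the backslashes survive).
SAMPLE_LOG = r"""
27/04/2007 21:55:41   GE   3024   Sign of "Win32:Agent-GKD [Trj]" has been found in "C:\WINDOWS\WindowsUpdate.log" file. 
28/04/2007 00:31:12   GE   1372   Sign of "Win32:Agent-GKD [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\WPSHGFSL\JJJJJJJJJJJJJJJJJJJJJJ.JJ" file. 
07/05/2007 00:25:26   GE   1484   Sign of "Win32:Agent-GKD [Trj]" has been found in "C:\WINDOWS\Internet Logs\VVVVVVVVV.VV.VV.VVV" file. 
15/05/2007 12:07:32   GE   1384   Sign of "Win32:Nilage-FP [Trj]" has been found in "C:\WINDOWS\TEMP\{19EC4B5E-F950-4F72-ADB6-DEFB2148866C}\{EFB7D050-CAD2-11D4-B34D-00105A1C23DD}\XXXXXXXX.XXX" file. 
15/05/2007 20:28:29   GE   1412   Sign of "Win32:Agent-GWO [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\NTNMGHTF\LoJack%20ReRevised_400k[1].flv" file. 
"""

# One log-viewer line: date, time, user, PID, then the fixed English sentence.
LINE_RE = re.compile(
    r'^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2})\s+'
    r'(?P<user>\S+)\s+(?P<pid>\d+)\s+'
    r'Sign of "(?P<signature>[^"]+)" has been found in "(?P<path>[^"]+)" file\.'
)


@dataclass
class Detection:
    when: datetime
    user: str
    pid: int
    signature: str
    path: str


def parse_avast_log(text: str) -> list:
    """Parse log-viewer lines into Detection records, oldest first; non-matching lines are skipped."""
    found = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        # The poster's dates are day/month/year (27/04/2007), so parse day-first.
        when = datetime.strptime(f"{m['date']} {m['time']}", "%d/%m/%Y %H:%M:%S")
        found.append(Detection(when, m["user"], int(m["pid"]), m["signature"], m["path"]))
    return sorted(found, key=lambda d: d.when)


def classify_path(path: str) -> str:
    """Coarse location class used for triage; order matters (a .log under C:\\WINDOWS is 'text-log', not 'system')."""
    p = path.lower()
    if "\\temporary internet files\\" in p:
        return "browser-cache"
    if "\\temp\\" in p or p.endswith(".tmp"):
        return "temp"
    if p.endswith(".log") or p.endswith(".txt"):
        return "text-log"
    if p.startswith("c:\\windows\\"):
        return "system"
    return "other"


def summarize(detections: list) -> dict:
    """Map each signature name to the sorted set of location classes it was seen in."""
    by_sig = defaultdict(set)
    for d in detections:
        by_sig[d.signature].add(classify_path(d.path))
    return {sig: sorted(locs) for sig, locs in by_sig.items()}


def persistent_hits(detections: list) -> list:
    """Detections outside volatile locations: the ones to hash and submit for a second opinion rather than assume are false positives."""
    return [d for d in detections if classify_path(d.path) in ("system", "other")]


if __name__ == "__main__":
    dets = parse_avast_log(SAMPLE_LOG)
    for sig, locs in summarize(dets).items():
        print(f"{sig}: {', '.join(locs)}")
    for d in persistent_hits(dets):
        print(f"check further: {d.when:%Y-%m-%d %H:%M} {d.signature} -> {d.path}")
```

Run on the constructed sample, the summary shows Win32:Agent-GKD appearing in a plain-text log, the browser cache and a system directory, while the Nilage and Agent-GWO hits are confined to temp and cache locations; only the Internet Logs entry is flagged for follow-up.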
Title: Re: CCleaner Trojans
Post by: Lisandro on May 17, 2007, 07:35:36 PM
Are now showing 'no virus'. Does this mean they, and possibly all of them are false-positives??
Most probably...
Title: Re: CCleaner Trojans
Post by: GrahamE on May 17, 2007, 07:39:00 PM
Does that mean that my name, dragged through the mud as a filthy pervert, will finally be cleared?  :D
Title: Re: CCleaner Trojans
Post by: Lisandro on May 17, 2007, 07:41:50 PM
Does that mean that my name, dragged through the mud as a filthy pervert, will finally be cleared?  :D
Not yet... you must prove your innocence ;D
Title: Re: CCleaner Trojans
Post by: GrahamE on May 17, 2007, 07:47:53 PM
Damn!  :'(
Title: Re: CCleaner Trojans
Post by: mauserme on May 17, 2007, 08:11:58 PM
I'm still sifting through the combofix log (my goodness you've installed a lot of software lately).  So far it looks clean, so I'm tentatively guessing false positives too.


Does that mean that my name, dragged through the mud as a filthy pervert, will finally be cleared?  :D
No, we'll keep the rumors going for a while ....



EDIT:  Did you reinstall the OS on April 21?
Title: Re: CCleaner Trojans
Post by: GrahamE on May 17, 2007, 08:22:06 PM
I'm still sifting through the combofix log (my goodness you've installed a lot of software lately).

I reformatted not too long ago, that's probably what it is.

I think you're all being very unfair on the pervy business.  ::)

EDIT: Not sure of exact date of reinstall, but 21st sounds about right.
Title: Re: CCleaner Trojans
Post by: mauserme on May 17, 2007, 08:25:47 PM
Careful - I might have to post what I really saw in those logs of yours.

Actually, you look clean but post again if you get any more alerts. :)
Title: Re: CCleaner Trojans
Post by: GrahamE on May 17, 2007, 08:36:03 PM
 :o Damn! I was sure I'd checked through them!  ;D

I've had no alerts today, so I'm hopeful.

Many thanks to Tech, mauserme and calcu007 for all the help. VERY much appreciated.

I'll try to stay away for a while, and perhaps you'll have forgotten my name.  ;D
Title: Re: CCleaner Trojans
Post by: Lisandro on May 17, 2007, 09:19:52 PM
I'll try to stay away for a while, and perhaps you'll have forgotten my name.  ;D
I usually forget names, if so, forgive me ;D
Title: Re: CCleaner Trojans
Post by: GrahamE on May 23, 2007, 07:24:53 PM
I've left a post in Gabriele 08's thread http://forum.avast.com/index.php?topic=28039.0

It's probably best if I continue here though. I'll copy what was said in the other thread and then continue. I don't know if this is how you're supposed to do it, but I can't work out how to quote from that thread in here...

I wrote:

Sadly, my problem hasn't been resolved, since I've had 2 more occurrences since my last post. The second of these came when (having used CCleaner when I came offline previously), I opened Internet Explorer, my homepage (Google) came up, and I was called away and so logged off. On using CCleaner, Avast found (traces of) a virus in the temp internet files!

Since I, and other members of this Forum with far greater knowledge than mine, had pretty well decided that these were false-positives, and since it seemed to be using CCleaner that was causing the problem to some extent, I've set Internet Explorer to empty the temp internet files when the browser is closed. I'm still using CCleaner as well, but nothing has come up so far, after 2 days of doing this.

I'm assuming that if there really was a virus/Trojan, Avast would still detect it when Windows cleared the files (?)


Tech replied:

Quote from: GrahamE on Today at 12:04:56 AM
"Sadly, my problem hasn't been resolved, since I've had 2 more occurrences since my last post".

If you're still detecting any strange behavior, or even if you're sure you're not clean, maybe it will be good to test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest AVG, Panda and/or F-Secure BlackLight.


Quote from: GrahamE on Today at 12:04:56 AM
"Since I, and other members of this Forum with far greater knowledge than mine, had pretty well decided that these were false-positives".

Did any of us say so?
Title: Re: CCleaner Trojans
Post by: GrahamE on May 23, 2007, 07:31:49 PM
Hi Tech,

Sorry, but I was assuming that there was a high probability of false positives because of:

Are now showing 'no virus'. Does this mean they, and possibly all of them are false-positives??
Most probably...

Quote

Actually, you look clean but post again if you get any more alerts. :)

I've run the AVG and Panda Anti-Rootkits, and they've both come up clean. I didn't fancy the F-Secure one as it was a beta...

What do you think?
Title: Re: CCleaner Trojans
Post by: Lisandro on May 24, 2007, 01:30:07 AM
GrahamE, I'll need time to see this deeply... maybe tomorrow.
Maybe some other malware expert could help you before. Sorry.
Title: Re: CCleaner Trojans
Post by: GrahamE on May 24, 2007, 01:37:13 AM
Okay, thank you.  :)
Title: Re: CCleaner Trojans
Post by: Lisandro on May 24, 2007, 02:53:56 AM
I've run the AVG and Panda Anti-Rootkits, and they've both come up clean.
Good.

Sadly, my problem hasn't been resolved, since I've had 2 more occurrences since my last post.
What about now? Any other occurrence or you're clean?
Title: Re: CCleaner Trojans
Post by: mauserme on May 24, 2007, 04:16:09 AM
It's perplexing.  On the one hand we have avast! alerting on some very suspicious looking file names in suspicious locations, but then those detections disappear days later.

Then we also have

... I use Zone Alarm free, Avast, Counterspy (real-time protection and scanner), Adaware SE (real-time and scanner), WinPatrol, SpywareBlaster, SuperAntispyware (scanner only), Spyware Terminator (real-time and scanner), Spybot (scanner only), AVG antispyware (scanner only). Nothing has been found doing scans with any of them, including Avast.

and

I've run the AVG and Panda Anti-Rootkits, and they've both come up clean.

plus ComboFix found nothing to delete or quarantine and no hidden processes.


Graham, what was the reason you reformatted in April?  Was it malware or something else?

The next time you get an alert see if you can upload the file(s) to Virus Total for analysis and post the results

http://www.virustotal.com/en/indexf.html


Also, in the other thread related to this, you said you've experienced these alerts with both the current and prior version of CCleaner.   Are you sure?  I mean, I'm not doubting you but I would like to eliminate the CCleaner update as the cause.

I'm a pervert!!  ;D

Hmmmm

Still not sure we can help with that  :P
Title: Re: CCleaner Trojans
Post by: GrahamE on May 24, 2007, 10:17:16 AM
I reformat on quite a regular basis. On this occasion, I'd been having probs with a graphics card/drivers. I installed a new PSU as part of the process of upgrading and decided to start afresh.

Definitely happened with both versions of CCleaner. I actually thought, when the new version came out, that it might solve the problem, if there was a bug in the old one.

However, since I've set Internet Explorer to empty the Temporary Internet Files when I log off, the problem has stopped (no alerts since Sunday, anyway). I still use CCleaner, but it's removing virtually nothing, and there's obviously nothing in the TIF's for it to deal with.

I don't know whether this is a good way to deal with it, or why Avast would detect something when CCleaner cleans, but not when Windows does it.

I'm not sure how I'll be able to send the files to Virus Total. Actually that might not be true. Am I right in thinking that (assuming that I go back to using CCleaner), when Avast finds something, I move it to the Chest (if I 'ignore', CCleaner will remove it) and then restore it? It should then still be in the TIFs and I'll be able to upload it.

I think I'm finally coming to terms with the pervert thing. Talking about it has obviously helped me a lot. The Avast Forum has been a lot cheaper than a psychiatrist as well, so I have a lot to thank this Forum for.  ;D
Title: Re: CCleaner Trojans
Post by: Lisandro on May 24, 2007, 11:36:38 AM
Definitely happened with both versions of CCleaner. I actually thought, when the new version came out, that it might solve the problem, if there was a bug in the old one.
The problem is that no one is reporting a bug in CCleaner... I don't think there is this kind of trouble with it...

why Avast would detect something when CCleaner cleans, but not when Windows does it.
Because CCleaner cleans deeper and 'touches' many more files and folders than just closing IE and letting Windows clean. The mystery is which file(s) is (are) bringing trouble...

when Avast find something, move it to Chest (if I 'ignore', CCleaner will remove it) and then restore it.
Did you set avast to work on Silent Mode?
If not, avast won't move files automatically to Chest.
Definitely, avast does not 'restore' anything automatically. There isn't such an option.
Title: Re: CCleaner Trojans
Post by: mauserme on May 24, 2007, 01:32:11 PM
If you don't mind experimenting a little, go back to deleting temporary internet files with CCleaner and then do as you suggested about restoring from the chest in order to scan at Virus Total.  I would especially be interested in non-temporary internet files.  I think you had some in c:\windows\temp in earlier posts.
Title: Multiple "real-time" antiSPYWARE programs
Post by: Spiritsongs on May 24, 2007, 07:33:43 PM
 :)  Hi All :

      As far as I know, having multiple antiSPYWARE programs providing
      "real-time" protection is undesirable, providing "conflicts" as when
      2 or more antiVIRUS programs "real-time" components run .
      So it seems wise to "disable" or "turn OFF" the "real-time" protection
      of either Counterspy, Spyware Terminator, or Ad-Aware, leaving ONLY
      1 "running" . Are any of these on "Trial" "status" ? Counterspy appears
      to be the Best of these 3 !?

      And for a Temporary Internet Files cleaner, along with other Items,
      it would be wise to consider "replacing" CCleaner with ATF Cleaner,
      developed by antiSPYWARE Expert "ATribune" and available at
      www.atribune.org/content/view/19/2/  .
Title: Re: CCleaner Trojans
Post by: Gabriele 08 on May 24, 2007, 07:42:00 PM
Because CCleaner cleans deeper and 'touch' much more files and folders than when just closing IE and cleaning by Windows. The mystery is which file(s) is(are) bringing trouble...
I think this is the central point!!
But I'm not so optimistic about how to discover this... ???
Title: Re: CCleaner Trojans
Post by: GrahamE on May 24, 2007, 07:42:51 PM
when Avast find something, move it to Chest (if I 'ignore', CCleaner will remove it) and then restore it.
Did you set avast to work on Silent Mode?
If not, avast won't move files automatically to Chest.
Definitively, avast does not 'restore' anything automatically. There isn't such an option.

No, sorry, I don't think I expressed what I meant very well. I meant that when I run CCleaner, if Avast finds something, I would send it to the Chest. I would then restore it from the Chest, and then send it to Virus Total. If, when Avast found something during the CCleaner process, I chose to 'ignore' it, then CCleaner would remove it, and I wouldn't have the option of sending it to VirusTotal.

If you don't mind experimenting a little, go back to deleting temporary internet files with CCleaner and then do as you suggested about restoring from the chest in order to scan at Virus Total.  I would especially be interested in non-temporary internet files.  I think you had some in c:\windows\temp in earlier posts.

Yeah, I'll do that.

Thanks to both.

:)  Hi All :

      As far as I know, having multiple antiSPYWARE programs providing
      "real-time" protection is undesirable, providing "conflicts" as when
      2 or more antiVIRUS programs "real-time" components run .
      So it seems wise to "disable" or "turn OFF" the "real-time" protection
      of either Counterspy, Spyware Terminator, or Ad-Aware, leaving ONLY
      1 "running" . Are any of these on "Trial" "status" ? Counterspy appears
      to be the Best of these 3 !?

I can't say that I've heard that there can be a problem with running more than one anti-spyware program with real-time protection. Obviously I knew this is true for firewalls and anti-virus. I thought that unless there was a definite conflict between different programs, that it was a case of 'the more the merrier', within reason obviously. Also I've been running the same anti-spyware for quite a while now without problem (before 27th April, that is!).


      And for a Temporary Internet Files cleaner, along with other Items,
      it would be wise to consider "replacing" CCleaner with ATF Cleaner,
      developed by antiSPYWARE Expert "ATribune" and available at
      www.atribune.org/content/view/19/2/  .

I'm a bit loath to do that, since a lot of people use CCleaner without problem, as I have for a long time up until this problem. Also, it has been inferred that the problem isn't actually with CCleaner.
Title: Re: CCleaner Trojans
Post by: GrahamE on May 25, 2007, 01:49:06 AM
Okay, I'm now really confused!

I rescanned one of the most recent 'finds' in the Chest, and it's still being reported as infected. The particular Trojan is:

21/05/2007 20:52:55   SYSTEM   1456   Sign of "Win32:Agent-GTZ [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\NR1NG8KM\SSSSSSSSSSSSSSSSSSSSSSSS.SS" file.

I restored it from the Chest.

I changed the settings to 'show hidden files and folders' and went to C:\D&S\GE\Local Settings. There is no file called Temporary Internet Files.

In C:\D&S there are 3 folders - All Users, Default User and GE. I found the TIF's in Default User. Perhaps this is normal, I don't know. Inside the TIF folder there is a folder called Content.IE5. I scanned the contents of this folder individually with Avast, and found nothing. I scanned Content.IE5 as a whole and found nothing. I scanned C:\D&S\Default\Local Settings (ie. 'scan Local Settings') and found nothing.

I turned my attention to C:\D&S\GE\Local Settings. In here there are 2 folders - Application Data and Temp. I scanned both - nothing. I scanned the contents of Temp (_Avast4_, ~DFCOA8.tmp, ~DFCO7C.tmp, ~8A56EAB7.TMP) individually and found nothing. I did the same with the Application Data folder and its contents - nothing.

However, if I scan the folder C:\D&S\GE\Local Settings (ie. scan 'Local Settings') as a whole, Avast finds Win32:Agent-GTZ[Trj].  Having done the scan a couple of times (and pressed 'continue'), I have been able to make out that it is being found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\NR1NG8KM\SSSSSSSSSSSSSSSSSSSSSSSS.SS", which is the file I originally restored. However, as I said before, C:\D&S\GE\Local Settings\Temporary Internet Files doesn't exist, or at least it can't be seen, even with 'show hidden files etc' ticked. How can it be found there if the file isn't there?? Also, I can't send the file to VirusTotal, because it isn't there!!

I hope I've been able to explain this ok  ???

The other thing is that C:\D&S\GE\Local Settings is 18.5MB. Of the two folders inside, Application Data is 17.7MB and Temp is 16.6KB. Again, I don't know if this is normal, but my maths says it isn't!
Title: Re: CCleaner Trojans
Post by: mauserme on May 25, 2007, 02:17:40 AM
I hope I've been able to explain this ok  ???
Yeah, I think I've got it.  Is GE a user you expect to find on your computer?  (I suppose I know the answer but I don't want to make assumptions).

Do you see any symptoms of infection other than the avast! alerts?  System slow downs, unusual firewall activity, etc?

Leaving that file where it is, do the rootkit detectors find anything?

EDIT:  Try F-Secure Blacklight this time

http://www.f-secure.com/blacklight/



Assuming there is no rootkit detection, if you clean with CCleaner does avast! alert on the same file again?


      As far as I know, having multiple antiSPYWARE programs providing
      "real-time" protection is undesirable, providing "conflicts"  ...
I think there's some truth in that, not to mention the extra overhead on your system.  But I don't think it's related to the current situation.
Title: Re: CCleaner Trojans
Post by: Lisandro on May 25, 2007, 04:46:35 AM
There is no file called Temporary Internet Files.
It's not a file but a folder.

Perhaps this is normal, I don't know.
No, it's not normal. Default user is used to 'create' new users into XP. It's an 'empty' account.

I turned my attention to C:\D&S\GE\Local Settings. In here there are 2 folders - Application Data and Temp. I scanned both - nothing. I scanned the contents of Temp (_Avast4_, ~DFCOA8.tmp, ~DFCO7C.tmp, ~8A56EAB7.TMP) individually and found nothing. I did the same with the Application Data folder and its contents - nothing.
How did you scan? Right clicking the files and folders?

I can't send the file to VirusTotal, because it isn't there!!
Do not restore the file but 'extract' it to a known folder. Submit to VirusTotal from that known folder.
Title: Re: CCleaner Trojans
Post by: GrahamE on May 25, 2007, 10:07:19 PM
Is GE a user you expect to find on your computer?

Yes, that's me. I'm the only user.

Do you see any symptoms of infection other than the avast! alerts?  System slow downs, unusual firewall activity, etc?

No.

It's not a file but a folder.

 :-[ Sorry, I meant folder.

No, it's not normal. Default user is used to 'create' new users into XP. It's an 'empty' account.

Why the hell has that happened then?

How did you scan? Right clicking the files and folders?

Yes.

Do not restore the file but 'extract' it to a known folder. Submit to VirusTotal from that known folder.

Thanks.


Right, this is what I've now done:

1) Restored files from Chest:

22/05/2007 08:12:19   GE   1492   Sign of "Win32:Agent-GWD [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat" file.

24/05/2007 23:58:50   GE   2928   Sign of "Win32:Agent-GTZ [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\NR1NG8KM\SSSSSSSSSSSSSSSSSSSSSSSS.SS" file.

I'll refer to the first as GWD, the second as GTZ.

2) Scanned with Panda, AVG and F-Secure Anti-Rootkits - found nothing.

3) Scanned with CCleaner. Avast found GWD, but is now calling it GXN. (GTZ not found)

4) Scanned (right-click) all the files/folders detailed in my last post with Avast, found nothing.

5) Extracted files from Chest, and uploaded to VirusTotal.
    GWD - no virus found except Avast (4.7.997) found Win32:Agent-GWD
    GTZ - no virus found except Avast found Win32:Agent-GTZ.

6) Logged off from internet, ran CCleaner. Avast found GWD, but this time called it GVO.


Don't know where GTZ went to. I've done a full scan with Avast and found nothing, but then full scans have never found anything.

Title: Re: CCleaner Trojans
Post by: Lisandro on May 25, 2007, 10:43:52 PM
Why the hell has that happened then?
A new infection method (?), who knows... every new account created will be infected, as far as I can understand.

How did you scan? Right clicking the files and folders?
Good. That's the deepest scanning, using ashQuick.exe.

3) Scanned with CCleaner. Avast found GWD, but is now calling it GXN. (GTZ not found)
4) Scanned (right-click) all the files/folders detailed in my last post with Avast, found nothing.
I can't explain this behavior, detecting in one case and not in the other.

5) Extracted files from Chest, and uploaded to VirusTotal.
    GWD - no virus found except Avast (4.7.997) found Win32:Agent-GWD
    GTZ - no virus found except Avast found Win32:Agent-GTZ.
Seems a false positive but, you may think, what a strange file name...
SSSSSSSSSSSSSSSSSSSSSSSS.SS
Isn't it suspicious?
Title: Re: CCleaner Trojans
Post by: thomas01155 on May 25, 2007, 11:14:29 PM
I dunno if this helps. I'm experiencing the same problem; it only picks it up when I use CCleaner, all different variants of the Win32:Agent-GVO virus/trojan. Avast only added it to the defs yesterday. If I just scan the Firefox cache nothing is picked up, only when I use CCleaner.
Title: Re: CCleaner Trojans
Post by: GrahamE on May 25, 2007, 11:21:52 PM
I dunno if this helps

It certainly helps to be not the only one!!  :D

Title: Re: CCleaner Trojans
Post by: GrahamE on May 25, 2007, 11:33:25 PM
Isn't it suspicious?

That's one word for it....

A new infection method (?), who knows... every new account created will be infected as far I can understand.

The only advantage I have there is that I'm not going to create any, not that it's much of a consolation!


I've just been roaming around, right-clicking and scanning various things.
When I scan C:\D&S\GE\Local Settings, and I watch the Avast window that comes up as it scans, I can see (some of) the things it scans as it goes along. It is scanning Temporary Internet Files\Content.IE5, even though it can't be seen in there (even when 'show hidden files...' is ticked).

Things are getting weirder by the minute!
Title: Re: CCleaner Trojans
Post by: thomas01155 on May 25, 2007, 11:47:25 PM
I might eat my computer. I found another trojan; it didn't tell me the name. This was yesterday. Can't type much on PSP :P
Title: Re: CCleaner Trojans
Post by: mauserme on May 26, 2007, 12:08:00 AM
2GrahamE - If you turn off CounterSpy's automatic updates does it help?

2thomas01155 - Do you also use CounterSpy?
Title: Re: CCleaner Trojans
Post by: thomas01155 on May 26, 2007, 12:10:38 AM
nope never used it
Title: Re: CCleaner Trojans
Post by: GrahamE on May 26, 2007, 12:18:09 AM
If you turn off CounterSpy's automatic updates does it help?

I don't have it set to update automatically. Zone Alarm and Avast are the only things I have set to auto. Everything else is done manually.
Title: Re: CCleaner Trojans
Post by: mauserme on May 26, 2007, 01:33:06 AM
So much for that theory ...

This is either the worst polymorphic root kit trojan sob ever conceived by the mind of man, or a bunch of false positives.  I think I'll stick with the latter.

Most of the detections seem to center around the 25 April and 13 May updates, both of which were quite large.  I think with that many definitions released there will be some FP's, so maybe uploading samples to avast! as false positives will be the solution to this dilemma.


2thomas01155

Don't turn your back on Graham.  I've heard he's kind of a perv.
Title: Re: CCleaner Trojans
Post by: GrahamE on May 26, 2007, 02:05:25 AM
so maybe uploading samples to avast! as false positives will be the solution to this dilemma.

I've sent everything I've detected off to them, with a link to this thread, at Tech's suggestion.

Don't turn your back on Graham.  I've heard he's kind of a perv.

I never said I was that kind of perv!  ;D
Title: Re: CCleaner Trojans
Post by: Gabriele 08 on May 26, 2007, 05:28:31 AM
I dunno if this helps. I'm experiencing the same problem; it only picks it up when I use CCleaner, all different variants of the Win32:Agent-GVO virus/trojan. Avast only added it to the defs yesterday. If I just scan the Firefox cache nothing is picked up, only when I use CCleaner.
Thomas, welcome to "CCleaner-Avast troubles CLUB"  :(

Quote from: GrahamE
It certainly helps to be not the only one  :D
You were just not alone...
Title: Re: CCleaner Trojans
Post by: thomas01155 on May 26, 2007, 09:56:36 AM
I just sent them some peanut butter in thomas. I don't have the latest CCleaner, I have .502
Title: Re: CCleaner Trojans
Post by: GrahamE on May 26, 2007, 11:30:58 AM
I don't have the latest CCleaner, I have .502

The problem started at the end of April (27th seems about right) with version 1.39.502, and is still going strong with 1.40.520, the new version. The problem though seems to be with Avast detecting traces of viruses as CCleaner deletes things, rather than with CCleaner itself.

peanut butter in thomas

 :o I don't think I want to be in this Club!
Title: Re: CCleaner Trojans
Post by: GrahamE on May 26, 2007, 01:21:03 PM
Just been scanning with Adaware SE (Def. File SE1R172 22.05.07) and found another. I sent it to Chest but it just kept warning over and over. Sent 5 to Chest, then gave up and ignored it. I've sent them to Avast again, with link to this.

Log:

26/05/2007 11:07:30   GE   1480   Sign of "Win32:Agent-GHL [Trj]" has been found in "C:\DOCUME~1\GE\LOCALS~1\Temp\AAWTMP\C2922546\3932046" file. 
26/05/2007 11:12:01   GE   1480   Sign of "Win32:Agent-GHL [Trj]" has been found in "C:\DOCUME~1\GE\LOCALS~1\Temp\AAWTMP\C2922546\4202562" file. 
26/05/2007 11:12:21   GE   1480   Sign of "Win32:Agent-GHL [Trj]" has been found in "C:\DOCUME~1\GE\LOCALS~1\Temp\AAWTMP\C2922546\4223343" file. 
26/05/2007 11:12:34   GE   1480   Sign of "Win32:Agent-GHL [Trj]" has been found in "C:\DOCUME~1\GE\LOCALS~1\Temp\AAWTMP\C2922546\4236281" file. 
26/05/2007 11:13:06   GE   1480   Sign of "Win32:Agent-GHL [Trj]" has been found in "C:\DOCUME~1\GE\LOCALS~1\Temp\AAWTMP\C2922546\4268406" file. 
26/05/2007 11:13:32   GE   1480   Sign of "Win32:Agent-GHL [Trj]" has been found in "C:\DOCUME~1\GE\LOCALS~1\Temp\AAWTMP\C2922546\4293937" file. 

If these are false-positives, I wish someone up high would sort them out. It's been going on for a month now. I know they've got more to do than this, and they're very busy, but.....

On the other hand, if they're not FP's, it would be nice to be told, because my system is riddled with the things!
Title: Re: CCleaner Trojans
Post by: GrahamE on May 26, 2007, 01:36:04 PM
 :'(

26/05/2007 12:28:54   GE   1480   Sign of "Win32:Agent-GXN [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat" file. 

CCleaner.
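The avast log-viewer lines posted throughout this thread all share one fixed layout (timestamp, user, process id, detection name, path). The script below is an added example, not an avast tool: it parses those lines and groups the hits per file, which makes the pattern discussed above visible at a glance, namely the same AntiPhishing .dat being named GWD one day and GXN a few days later, and every hit sitting in a temp or browser-cache location. The sample lines are copied from posts in this thread; the function names and the one deliberately unparseable line are my own.

```python
"""Parse avast log-viewer detection lines and summarise them per file.

Added example for this thread, not avast's own tooling.  SAMPLE_LOG holds
lines quoted in the thread plus one junk line to show that non-matching
input is skipped rather than mis-parsed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from pathlib import PureWindowsPath

# One detection line: "DD/MM/YYYY HH:MM:SS   user   pid   Sign of "name" has been found in "path" file."
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+'
    r'(?P<user>\S+)\s+(?P<pid>\d+)\s+'
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.\s*$'
)

SAMPLE_LOG = [
    r'22/05/2007 08:12:19   GE   1492   Sign of "Win32:Agent-GWD [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat" file.',
    r'26/05/2007 12:28:54   GE   1480   Sign of "Win32:Agent-GXN [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat" file.',
    r'21/05/2007 20:52:55   SYSTEM   1456   Sign of "Win32:Agent-GTZ [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\NR1NG8KM\SSSSSSSSSSSSSSSSSSSSSSSS.SS" file.',
    r'24/05/2007 23:58:50   GE   2928   Sign of "Win32:Agent-GTZ [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\NR1NG8KM\SSSSSSSSSSSSSSSSSSSSSSSS.SS" file.',
    r'26/05/2007 11:07:30   GE   1480   Sign of "Win32:Agent-GHL [Trj]" has been found in "C:\DOCUME~1\GE\LOCALS~1\Temp\AAWTMP\C2922546\3932046" file.',
    r'26/05/2007 11:12:01   GE   1480   Sign of "Win32:Agent-GHL [Trj]" has been found in "C:\DOCUME~1\GE\LOCALS~1\Temp\AAWTMP\C2922546\4202562" file.',
    "this line is not a detection record and must be ignored",  # constructed
]

# Folder names that mark scratch space: browser cache, Windows temp, Ad-Aware's unpack dir.
SCRATCH_SEGMENTS = {"temp", "temporary internet files", "aawtmp"}


def parse_line(line):
    """Return a dict for one detection line, or None if the line is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%m/%Y %H:%M:%S")
    rec["pid"] = int(rec["pid"])
    rec["sig"] = rec["sig"].split(" [")[0]  # drop the "[Trj]" category suffix
    return rec


def parse_log(lines):
    """All parseable detection records, in input order."""
    return [rec for rec in map(parse_line, lines) if rec is not None]


def names_per_path(records):
    """{path (lower-cased): sorted distinct detection names}."""
    seen = defaultdict(set)
    for rec in records:
        seen[rec["path"].lower()].add(rec["sig"])
    return {path: sorted(names) for path, names in seen.items()}


def renamed_paths(records):
    """Files that avast has flagged under more than one detection name."""
    return {p: n for p, n in names_per_path(records).items() if len(n) > 1}


def hits_per_signature(records):
    """How many log lines each detection name produced."""
    return dict(Counter(rec["sig"] for rec in records))


def in_scratch_location(path):
    """True if any folder on the path is a known temp/cache location."""
    return any(part.lower() in SCRATCH_SEGMENTS for part in PureWindowsPath(path).parts)


def all_hits_in_scratch(records):
    """True when every detection sits in a temp or cache folder."""
    return all(in_scratch_location(rec["path"]) for rec in records)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} detections parsed")
    for path, names in renamed_paths(recs).items():
        print("same file, several names:", path, names)
    print("hits per signature:", hits_per_signature(recs))
    print("all hits in scratch folders:", all_hits_in_scratch(recs))
```

Run it on a saved copy of the log-viewer export and `renamed_paths` lists the files whose detection name changed between definition updates, while `all_hits_in_scratch` tells you whether anything was ever flagged outside cleaner and browser scratch space; both are the questions the thread spends several pages answering by hand.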
Title: Re: CCleaner Trojans
Post by: Lisandro on May 26, 2007, 01:46:32 PM
I'm with CCleaner 1.40.520 and had never a problem.
It's strange that other antispywares are detecting infections, now Ad-aware  ::)
I was thinking of false positives; now I'm not so sure.

Why don't you test with a full-computer on-line scan:
Kaspersky (http://www.kaspersky.com/virusscannerl) (very good detection rates)
Trendmicro housecall (http://www.trendmicro.com/hc_intro/default.asp)
AVGas (http://www.ewido.net/en/onlinescan/) (not necessary if you have AVG antispyware installed)
F-Secure (http://support.f-secure.com/enu/home/ols.shtml)
Panda ActiveScan (http://www.pandasoftware.com/products/ActiveScan.htm)
BitDefender (http://www.bitdefender.com/scan8/ie.html) (free removal of the malware)
HitmanPro (http://oms.hitmanpro.nl/) (new online scanner with multiple scanners)
Title: Re: CCleaner Trojans
Post by: thomas01155 on May 26, 2007, 03:27:18 PM
Kaspersky online found Trojan-Dropper.Win32.Mudrop.z

C:\Program Files\InstallShield Installation Information\{35CB6715-41F8-4F99-8881-6FC75BF054B0}\setup.exe   Infected: Trojan-Dropper.Win32.Mudrop.z   skipped
C:\Program Files\InstallShield Installation Information\{E0DB6D6E-2317-4EAF-9896-E2DE6559EF82}\setup.exe   Infected: Trojan-Dropper.Win32.Mudrop.z   skipped
C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe   Infected: Trojan-Dropper.Win32.Mudrop.z   skipped
C:\Program Files\PeerGuardian2\history.db   Object is locked   skipped
C:\System Volume Information\MountPointManagerRemoteDatabase   Object is locked   skipped
C:\System Volume Information\_restore{80F09174-9BC6-4D4E-89E5-C2C0C0CCD4B7}\RP63\A0029831.exe   Infected: Trojan-Dropper.Win32.Mudrop.z   skipped
C:\System Volume Information\_restore{80F09174-9BC6-4D4E-89E5-C2C0C0CCD4B7}\RP82\A0059947.exe   Infected: Trojan-Dropper.Win32.Mudrop.z   skipped
C:\System Volume Information\_restore{80F09174-9BC6-4D4E-89E5-C2C0C0CCD4B7}\RP98\change.log   Object is locked   skipped
Title: Re: CCleaner Trojans
Post by: thomas01155 on May 26, 2007, 03:39:13 PM
 Scan taken on 26 May 2007 13:28:28 (GMT)
A-Squared    
Found nothing
AntiVir    
Found nothing
ArcaVir    
Found nothing
Avast    
Found nothing
AVG Antivirus    
Found nothing
BitDefender    
Found nothing
ClamAV    
Found nothing
Dr.Web    
Found nothing
F-Prot Antivirus    
Found nothing
F-Secure Anti-Virus    
Found nothing
Fortinet    
Found nothing
Kaspersky Anti-Virus    
Found Trojan-Dropper.Win32.Mudrop.z
NOD32    
Found nothing
Norman Virus Control    
Found nothing
Panda Antivirus    
Found nothing
Rising Antivirus    
Found nothing
VirusBuster    
Found nothing
VBA32    
Found nothing
Title: Re: CCleaner Trojans
Post by: mauserme on May 26, 2007, 03:45:11 PM
Are those the results of a Virus Total or Jotti scan of one of the setup.exe's?
Title: Re: CCleaner Trojans
Post by: thomas01155 on May 26, 2007, 03:46:59 PM
Are those the results of a Virus Total or Jotti scan of one of the setup.exe's?

yes
Title: Re: CCleaner Trojans
Post by: mauserme on May 26, 2007, 03:54:10 PM
I still feel 98% certain these are false positives (by Kaspersky too, in this case).  At least in Graham's case.  But it's troubling that we can't find an explanation for this odd behaviour.

Please post a log from Deckard's System Scanner, but start a new thread of your own as it will be too confusing to work on two in the same thread

Download Deckard's System Scanner (DSS) (http://deckard.geekstogo.com/dss.exe) to your Desktop.

Extra Note: When running DSS, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your Antivirus flags DSS as suspicious. Please allow Deckard's System Scanner to run and don't let your Antivirus delete it. (In this case, it may be better to temporarily disable your Antivirus.)

Post the main.txt from the C:\Deckard\System Scanner folder into your next replies (the log will be long and will require multiple posts).

Title: Re: CCleaner Trojans
Post by: mauserme on May 26, 2007, 05:46:55 PM
Just been scanning with Adaware SE (Def. File SE1R172 22.05.07) and found another. I sent it to Chest but it just kept warning over and over. Sent 5 to Chest, then gave up and ignored it.
Just to confirm, do you mean AdAware threw alerts or avast! alerted when AdAware touched the files.
Title: Re: CCleaner Trojans
Post by: DavidR on May 26, 2007, 05:58:54 PM
My guess would be avast detecting files that adaware unpacks in the temp folder. I have previously recommended that the standard shield should be paused when running other security scans as any file opened by adaware, etc. will also be scanned by avast and alert making it look like an alert on adaware temp.

I tried this, running adaware whilst the standard shield was still running, and I got an alert from avast on one of the archive files in my exclusions folder as it was unpacked in the adaware temp folder. Whilst avast is able to exclude these files in my folder, when they are unpacked in a different location there will obviously be an alert.
Title: Re: CCleaner Trojans
Post by: Gabriele 08 on May 26, 2007, 08:31:49 PM
I'm thinking that I, like GrahamE and now Thomas, have performed various scans with several programs, and online scans too. All seem to indicate an FP in avast's detection when running CCleaner. It's not "totally" sure, but this is what it appears to be.
So I'm considering that (as Tech said, I think) the cause of this situation has to be a "strange combination" of "?????????" when CCleaner cleans, triggering the avast detection!
We are supposing an avast problem during CCleaner's clean, but equally about this we have no "absolute" certainty. (Other users don't experience the same.)
Not easy to understand this situation, which, as GrahamE says, has been happening for just 1 month  :(

@GrahamE, @Thomas:
did you try uninstalling/reinstalling CCleaner? I did it, but without results
did you try flagging CCleaner's voices separately? Always no results in my case
do you use the Firefox browser like me? Or IE, Opera,...? If you use Firefox, which extensions do you have on it?


Title: Re: CCleaner Trojans
Post by: GrahamE on May 27, 2007, 12:16:14 AM
Just to confirm, do you mean AdAware threw alerts or avast! alerted when AdAware touched the files.

Avast alerted when Adaware was scanning, as DavidR suggested. Sorry, I must be more specific.

It's strange that other antispywares are detecting infections, now Ad-aware

Again, sorry for not being specific!

Why don't you test full computer on-line scanning

Thanks for the links. I've run Kaspersky and BitDefender so far, both clean. I have AVGas, and I'll run a couple more tomorrow, but I think everyone is starting to think that this is an Avast problem, so I'm hopeful that nothing will be found.


1) did you try uninstalling/reinstalling CCleaner? I did it, but without results
2) did you try flagging CCleaner's voices separately? Always no results in my case
3) do you use Firefox browser like me? Or IE, Opera,...? If you use Firefox, which extensions do you have on it?

1) uninstalled 1.39.502 and installed 1.40.520, so yes I did.
2) sorry, I don't understand.
3) IE7

Title: Re: CCleaner Trojans
Post by: GrahamE on May 27, 2007, 04:22:14 PM
The F-Secure online scanner came up with:

Result: 2 malware found
NetworkWorm.UZ (virus)
  C:\DOCUMENTS AND SETTINGS\GE\MY DOCUMENTS\MY UTILITIES\VIRUS\AVAST.EXE
 
  C:\DOCUMENTS AND SETTINGS\GE\DESKTOP\AVAST.EXE

Since these were found in the Avast Virus/Worm Cleaner (the actual program in My Documents, and another on the Desktop), I'm guessing that it's just detected some sort of definition in the Avast program (?)

Should I remove them from the PC and scan again?
Title: Re: CCleaner Trojans
Post by: GrahamE on May 27, 2007, 04:34:27 PM
Just tried to install the Panda Online Scanner and Avast warned on:
27/05/2007 15:29:37   SYSTEM   1468   Sign of "Win32:CTX" has been found in "http://acs.pandasoftware.com/activescan/as5free/motor.cab\pskavs.DLL" file. 

so I decided against using it and aborted.  :P
Title: Re: CCleaner Trojans
Post by: Lisandro on May 27, 2007, 04:44:45 PM
Just tried to install the Panda Online Scanner and Avast warned on:
27/05/2007 15:29:37   SYSTEM   1468   Sign of "Win32:CTX" has been found in "http://acs.pandasoftware.com/activescan/as5free/motor.cab\pskavs.DLL" file. 
so I decided against using it and aborted.  :P
These are false detections due to Panda active scan.
Unfortunately, a well-known problem of Panda not encrypting its signatures  :P
Quote
Every virus can be identified because it contains some unique signatures. Antiviral programs have their own database of those signatures. We call this database the "virus definition file". When an antiviral program scans a file for viruses, it compares all the signatures (of all viruses) in the database with the signatures in that file. If the signatures match (they are the same), the file is marked as infected. For an antivirus program, it is important to hide this database of signatures somehow - e.g. by encrypting it. Panda Antivirus does not encrypt its virus database - the signatures inside are clearly "visible" to other antiviral programs, so they detect this file as infected (but there is actually no virus inside - only the signatures are the same).
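Two mechanisms in this thread deserve a concrete illustration: DavidR's point that a file excluded in one folder still triggers the on-access shield when Ad-Aware unpacks a copy into its own temp folder, and the quoted explanation of why a scanner that stores its signature database as raw patterns gets flagged by every other scanner. The toy scanner below is an added example written for this thread; it is not avast, Ad-Aware or Panda code, and the detection names, byte patterns, folder names and exclusion list are all constructed. Signature matching is reduced to a plain substring search, which is enough to show both effects.

```python
"""Toy byte-signature scanner illustrating two effects discussed in this thread:

1. A path-based exclusion does not follow a file that another tool copies into
   its own temp folder, so the on-access shield alerts on the copy.
2. A signature database stored as raw patterns matches every pattern it holds,
   while one storing only digests of the patterns matches nothing.

Added example, not avast, Ad-Aware or Panda code.  Signatures, file contents
and paths are constructed for illustration.
"""
import hashlib
from pathlib import PureWindowsPath

# Constructed signatures: detection name -> raw byte pattern.
SIGNATURES = {
    "Toy:Agent-A": b"\x90\x90\xeb\xfeTOY-MARKER-A",
    "Toy:Agent-B": b"\x4d\x5a\x00\x00TOY-MARKER-B",
}


def scan_bytes(data: bytes):
    """Names of all signatures whose raw pattern occurs anywhere in data."""
    return sorted(name for name, pattern in SIGNATURES.items() if pattern in data)


def is_excluded(path: str, exclusions) -> bool:
    """True if path lies under one of the excluded folders (Windows paths compare case-insensitively)."""
    p = PureWindowsPath(path)
    return any(PureWindowsPath(folder) in p.parents for folder in exclusions)


def on_access_scan(files, exclusions=()):
    """Simulate an on-access shield that sees every file as it is written.

    files: {path: bytes}.  Returns {path: [detection names]} for the hits only.
    """
    alerts = {}
    for path, data in files.items():
        if is_excluded(path, exclusions):
            continue  # the exclusion is keyed on location, not on content
        names = scan_bytes(data)
        if names:
            alerts[path] = names
    return alerts


def unpack_to_temp(files, src, temp_dir, member="0001"):
    """Model a second scanner copying an archive member into its temp folder
    before inspecting it.  The copy inherits the content but not the exclusion."""
    copy = str(PureWindowsPath(temp_dir) / member)
    files[copy] = files[src]
    return copy


def demo_exclusion():
    """A sample kept in an excluded folder alerts only once copied elsewhere."""
    files = {r"C:\Samples\archive.bin": b"header" + SIGNATURES["Toy:Agent-A"] + b"tail"}
    exclusions = [r"C:\Samples"]
    before = on_access_scan(files, exclusions)  # nothing: the only copy is excluded
    temp_copy = unpack_to_temp(files, r"C:\Samples\archive.bin",
                               r"C:\DOCUME~1\USER\LOCALS~1\Temp\AAWTMP\C0000000")  # constructed path
    after = on_access_scan(files, exclusions)   # the temp copy is flagged
    return before, after, temp_copy


def plaintext_database() -> bytes:
    """A definition file that stores the raw patterns: it contains every signature."""
    return b"\n".join(SIGNATURES.values())


def hashed_database() -> bytes:
    """A definition file that stores only SHA-256 digests of the patterns, so the
    raw byte sequences never appear on disk and a scan of the file finds nothing."""
    return b"\n".join(hashlib.sha256(p).hexdigest().encode() for p in SIGNATURES.values())


def demo_database():
    """Scan both database layouts with the toy scanner."""
    return scan_bytes(plaintext_database()), scan_bytes(hashed_database())


if __name__ == "__main__":
    before, after, copy = demo_exclusion()
    print("before unpack:", before)
    print("after unpack:", after)
    print("plaintext db / hashed db:", demo_database())
```

The first demo is the reason the usual advice is to pause the on-access shield while another scanner runs, or to exclude that scanner's temp folder rather than only the folder where the samples live. The second demo is the whole of the Panda explanation in miniature: an engine that stores digests (or otherwise obscures its patterns) can still match files it scans, but its own definition file no longer looks like a collection of malware to everyone else.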
Title: Re: CCleaner Trojans
Post by: GrahamE on May 27, 2007, 04:53:35 PM
I see, thanks. What do you think about the F-Secure findings?
Title: Re: CCleaner Trojans
Post by: hlecter on May 27, 2007, 04:56:19 PM
The F-Secure online scanner came up with:

Result: 2 malware found
NetworkWorm.UZ (virus)
  C:\DOCUMENTS AND SETTINGS\GE\MY DOCUMENTS\MY UTILITIES\VIRUS\AVAST.EXE
 
  C:\DOCUMENTS AND SETTINGS\GE\DESKTOP\AVAST.EXE

Since these were found in the Avast Virus/Worm Cleaner (the actual program in My Documents, and another on the Desktop), I'm guessing that it's just detected some sort of definition in the Avast program (?)

Should I remove them from the PC and scan again?

Just for your information:

F-secure, eSafe, Norman and Panda don't like aswclear, see attached screenshot:

EDIT: No Avast.exe here either, this is aswclnr just downloaded.

Title: Re: CCleaner Trojans
Post by: mauserme on May 27, 2007, 05:00:40 PM
The F-Secure online scanner came up with:

Result: 2 malware found
NetworkWorm.UZ (virus)
  C:\DOCUMENTS AND SETTINGS\GE\MY DOCUMENTS\MY UTILITIES\VIRUS\AVAST.EXE
 
  C:\DOCUMENTS AND SETTINGS\GE\DESKTOP\AVAST.EXE

Since these were found in the Avast Virus/Worm Cleaner (the actual program in My Documents, and another on the Desktop), I'm guessing that it's just detected some sort of definition in the Avast program (?)

Should I remove them from the PC and scan again?
Are you sure of the file name (avast.exe)?  I just installed the avast! virus cleaner and do not have that on my computer.
Title: Re: CCleaner Trojans
Post by: GrahamE on May 27, 2007, 05:07:38 PM
F-secure, eSafe, Norman and Panda don't like aswclear, see attached screenshot:

Thank you.

Are you sure of the file name (avast.exe)?  I just installed the avast! virus cleaner and do not have that on my computer.

I can't honestly remember, because I downloaded it a while ago, but I suspect I changed the name to 'avast' when I saved it, which I think would account for that.
Title: Re: CCleaner Trojans
Post by: Lisandro on May 27, 2007, 05:32:06 PM
I can't honestly remember, because I downloaded it a while ago, but I suspect I changed the name to 'avast' when I saved it, which I think would account for that.
If you change the name of the downloaded file, it will be ok.
Title: Re: CCleaner Trojans
Post by: GrahamE on May 27, 2007, 08:48:56 PM
If you change the name of the downloaded file, it will be ok.

I deleted it and redownloaded it, not changing the name this time, just to be sure, and F-Secure still finds the same things:

Result: 2 malware found
NetworkWorm.ACJ (virus)
  C:\DOCUMENTS AND SETTINGS\GE\MY DOCUMENTS\MY UTILITIES\VIRUS\ASWCLNR.EXE
  C:\DOCUMENTS AND SETTINGS\GE\DESKTOP\ASWCLNR.EXE

Apart from that then, all online scans have come up clean. Surely this must mean that the findings to do with CCleaner are false-positives. I just wish Alwil would do something. You'd think it'd be worth their while, if only to stop me sending stuff to them!  ;D
Title: Re: CCleaner Trojans
Post by: DavidR on May 27, 2007, 09:37:43 PM
As was explained by hlecter in reply # 85 above http://forum.avast.com/index.php?topic=28377.msg233536#msg233536, this is simply a bad detection by f-secure.
Title: Re: CCleaner Trojans
Post by: GrahamE on May 27, 2007, 09:48:05 PM
Yes I know. I wasn't suggesting that the explanation wasn't correct. I was just checking that the reason for 'avast.exe' was because I'd changed the name, and was confirming my earlier response to mauserme's query.  :)
Title: Re: CCleaner Trojans
Post by: mauserme on May 27, 2007, 10:21:52 PM
Apart from that then, all online scans have come up clean. Surely this must mean that the findings to do with CCleaner are false-positives. I just wish Alwil would do something. You'd think it'd be worth their while, if only to stop me sending stuff to them!  ;D
Usually they're pretty quick to correct false positives. These may be a bit more involved than normal, however.  What with detection names changing, etc it may take a little more time.

Still, a word from "the team" would be nice ...
Title: Re: CCleaner Trojans
Post by: GrahamE on May 28, 2007, 02:22:25 AM
Usually they're pretty quick to correct false positives. These may be a bit more involved than normal, however.  What with detection names changing, etc it may take a little more time.

Yeah, I'm sure you're right.

While this thread is still near the top of the list, I really would like to thank Tech and mauserme especially, but also everyone else who's helped me with this. Not only am I feeling far more confident that I'm not infected, I've also learnt a few things, and have had my arsenal of protection increased by a number of recommendations. I'm always amazed when I come on here by the amount of effort that is put in to give help and support. Even DavidR's 'can you really be that stupid, the question's already been answered' approach has a certain warmth to it!  ;D Really - thank you.  :)
Title: Re: CCleaner Trojans
Post by: mauserme on May 28, 2007, 03:04:11 AM
Glad to help, Graham.

But lets not completely walk away from this.  Rather, give it a couple more days and we'll see if false positives are fixed.  If not, I'm certainly willing to give this more thought (actually I have been even though I haven't been posting much today).  I'm just not comfortable with assumptions and leaving things unexplained.

Let us know, OK?
Title: Re: CCleaner Trojans
Post by: Lisandro on May 28, 2007, 03:14:00 AM
I really would like to thank Tech and mauserme especially
I did nothing... all deep info here belongs to mauserme 8)

I'm always amazed when I come on here by the amount of effort that is put in to give help and support.
That is what makes us almost a 'real' family 8)
Title: Re: CCleaner Trojans
Post by: GrahamE on May 28, 2007, 03:36:53 AM
I'm just not comfortable with assumptions and leaving things unexplained.

Well, no, I can't say I'm completely comfortable with it. I dislike it when things happen that can't be explained by either my actions or my incompetence! While I feel far more assured, I'll only be fully convinced when I can scan the items in the Chest and 'no virus' is reported, and when cleaning with CCleaner stops provoking Avast alerts.

It goes without saying that if that happens, I'll let you know. And if it doesn't, this thread will be back at the top of the list again!  ;D

I did nothing...

I don't think so...

That is what makes us almost a 'real' family 8)

I can feel myself going into a Gwyneth Paltrow-type speech here ( :'(), but yeah, you're right. Thank you.
Title: Re: CCleaner Trojans
Post by: mauserme on May 28, 2007, 02:26:00 PM
I really would like to thank Tech and mauserme especially
Each piece of the puzzle is as important as the next ...  8)


I can feel myself going into a Gwyneth Paltrow-type speech here ...
Part of that "other problem"? ;D
Title: Re: CCleaner Trojans
Post by: GrahamE on May 28, 2007, 02:38:55 PM
Part of that "other problem"? ;D

That keeps coming back to haunt me!  ;D

They're still coming:

28/05/2007 03:18:52   GE   1456   Sign of "Win32:Agent-GXN [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\JB3KZWS5\RRRRRRRRRRRR.RRR" file. 
Title: Re: CCleaner Trojans
Post by: mauserme on May 28, 2007, 02:59:43 PM
Just been scanning with Adaware SE (Def. File SE1R172 22.05.07) and found another. I sent it to Chest but it just kept warning over and over. Sent 5 to Chest, then gave up and ignored it. I've sent them to Avast again, with link to this.

Log:

26/05/2007 11:07:30   GE   1480   Sign of "Win32:Agent-GHL [Trj]" has been found in "C:\DOCUME~1\GE\LOCALS~1\Temp\AAWTMP\C2922546\3932046" file. 
26/05/2007 11:12:01   GE   1480   Sign of "Win32:Agent-GHL [Trj]" has been found in "C:\DOCUME~1\GE\LOCALS~1\Temp\AAWTMP\C2922546\4202562" file. 
26/05/2007 11:12:21   GE   1480   Sign of "Win32:Agent-GHL [Trj]" has been found in "C:\DOCUME~1\GE\LOCALS~1\Temp\AAWTMP\C2922546\4223343" file. 
26/05/2007 11:12:34   GE   1480   Sign of "Win32:Agent-GHL [Trj]" has been found in "C:\DOCUME~1\GE\LOCALS~1\Temp\AAWTMP\C2922546\4236281" file. 
26/05/2007 11:13:06   GE   1480   Sign of "Win32:Agent-GHL [Trj]" has been found in "C:\DOCUME~1\GE\LOCALS~1\Temp\AAWTMP\C2922546\4268406" file. 
26/05/2007 11:13:32   GE   1480   Sign of "Win32:Agent-GHL [Trj]" has been found in "C:\DOCUME~1\GE\LOCALS~1\Temp\AAWTMP\C2922546\4293937" file. 

If these are false-positives, I wish someone up high would sort them out. It's been going on for a month now. I know they've got more to do than this, and they're very busy, but.....

On the other hand, if they're not FP's, it would be nice to be told, because my system is riddled with the things!
I've been looking through the entire thread and found that AAWTMP is the temporary folder created by AdAware during a scan.  So this part of the mystery is solved.  Those detections were not files lurking on your computer - they were created by AdAware and immediately detected by avast!

DavidR (and others) always recommend stopping the avast! standard shield while scanning with something else, and this is why.
Title: Re: CCleaner Trojans
Post by: mauserme on May 28, 2007, 03:17:34 PM
:'(

26/05/2007 12:28:54   GE   1480   Sign of "Win32:Agent-GXN [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat" file. 

CCleaner.
Part of IE7's antiphishing feature.  No worries here.
Title: Re: CCleaner Trojans
Post by: GrahamE on May 28, 2007, 03:35:04 PM
DavidR (and others) always recommend stopping the avast! standard shield while scanning with something else, and this is why.

Yeah, I can understand that. I suppose that if I turned it off before using CCleaner, I wouldn't have the problems with that either. The only problem I see with that is - how far do you take it? If I turn Avast off completely, I'd never detect a virus, but...

I've been using Adaware since 2005, and it's never had this problem with Avast before. Similarly, I've had CCleaner on my system for ages. I've never turned Avast off before doing a scan with any other program, and there's never been a problem before now. If I go down the road of turning it off before doing certain things that have run simultaneously up until now, I'd just feel that I was hiding the problem, which should be fixed by updates to Avast. 

Part of IE7's antiphishing feature.  No worries here.

Basically, we're back to the same thing I guess - if Avast gets updated to stop these FP's... 8)
Title: Re: CCleaner Trojans
Post by: mauserme on May 28, 2007, 03:40:21 PM
This is what I've got in the log viewer:
....
....

07/05/2007 00:25:26   GE   1484   Sign of "Win32:Agent-GKD [Trj]" has been found in "C:\WINDOWS\Internet Logs\VVVVVVVVV.VV.VV.VVV" file. 

This is the path for the Zone Alarm log files but the structure of the file name is incorrect.

Take a look in the ZA logs and see if there is anything unusual.  The extension should be .tmp
Title: Re: CCleaner Trojans
Post by: mauserme on May 28, 2007, 03:45:21 PM
Yeah, I can understand that. I suppose that if I turned it off before using CCleaner, I wouldn't have the problems with that either. The only problem I see with that is - how far do you take it? If I turn Avast off completely, I'd never detect a virus, but...
I know what you're saying.  And honestly I never turn off avast! before doing other scans either.

Right now I'm just trying to eliminate some of these detections as actual malware so we can concentrate on things that may have real significance.  Once we either find malware or eliminate all detections from consideration we'll try to figure out why the FPs started so suddenly.
Title: Re: CCleaner Trojans
Post by: GrahamE on May 28, 2007, 03:57:55 PM
Take a look in the ZA logs and see if there is anything unusual.  The extension should be .tmp

Well, I've had a look, and I wouldn't know if there was anything unusual unless it was labelled 'HELLO! I'm a VIRUS!!'  ;D

I'll post it if you want, but there's quite a lot of it. (If I do post it, I assume I won't be 'publishing' anything that could be used by iffy people? - and I really don't need comments about my surfing habits please  ;D -that isn't what I'm talking about!)
Title: Re: CCleaner Trojans
Post by: mauserme on May 28, 2007, 03:59:50 PM
Instead of posting the logs navigate to that folder and let me know what files are present.
Title: Re: CCleaner Trojans
Post by: GrahamE on May 28, 2007, 04:13:30 PM
Instead of posting the logs navigate to that folder and let me know what files are present.

Hopefully if I've done it right, there'll be a jpg attached.
Title: Re: CCleaner Trojans
Post by: mauserme on May 28, 2007, 04:21:41 PM
Click on Tools > Folder Options at the top of the window and make sure "Show Hidden Files and Folders" is checked.  Then change to a Details view and post a screen shot again.   I would like to see full file names.


I would also like you to try this (more because of the rising prevalence of a certain root kit than anything I've seen in your logs):

Download - rustbfix.exe   (http://www.uploads.ejvindh.net/rustbfix.exe) ...and save it to your desktop.

Double click on rustbfix.exe to run the tool.
If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically.
After the reboot 2 logfiles will open (c:\avenger.txt & c:\rustbfix\pelog.txt). Post the content of these logfiles.

If rustbfix.exe finds nothing, manually check for c:\windows\system\xpdt.sys



EDIT:  I'll be back in a while ...
Title: Re: CCleaner Trojans
Post by: GrahamE on May 28, 2007, 04:28:08 PM
Click on Tools > Folder Options at the top of the window and make sure "Show Hidden Files and Folders" is checked.  Then change to a Details view and post a screen shot again.   I would like to see full file names.

JPG attached. I'll try the rustbfix thing and get back to you.
Title: Re: CCleaner Trojans
Post by: DavidR on May 28, 2007, 04:28:53 PM
Yeah, I can understand that. I suppose that if I turned it off before using CCleaner, I wouldn't have the problems with that either. The only problem I see with that is - how far do you take it? If I turn Avast off completely, I'd never detect a virus, but...
I know what you're saying.  And honestly I never turn off avast! before doing other scans either.

In the past it may not have been a problem as avast specialised in virus detections with limited adware/spyware detections. However now avast is adding adware and spyware signatures like there is no tomorrow, so I think we are seeing some crossover in detections. That is why I always pause standard shield whilst running another third party security scan.
Title: Re: CCleaner Trojans
Post by: mauserme on May 28, 2007, 04:35:26 PM
If rustbfix.exe finds nothing, manually check for c:\windows\system\xpdt.sys
This should read c:\windows\system32\xpdt.sys

Sorry about the typo.
Title: Re: CCleaner Trojans
Post by: GrahamE on May 28, 2007, 04:38:41 PM
In the past it may not have been a problem as avast specialised in virus detections with limited adware/spyware detections. However now avast is adding adware and spyware signatures like there is no tomorrow, so I think we are seeing some crossover in detections. That is why I always pause standard shield whilst running another third party security scan.

I understand that could be the problem. It would be nice though to get some sort of official confirmation that the reason for all these false-positives since April 27th is because of that (assuming they are all FP's).

This should read c:\windows\system32\xpdt.sys

ok.  :)
Title: Re: CCleaner Trojans
Post by: GrahamE on May 28, 2007, 04:46:21 PM
If rustbfix.exe finds nothing, manually check for c:\windows\system\xpdt.sys

Nothing found by rustbfix.exe.

No entry for C:\Windows\System32\xpdt.sys
Title: Re: CCleaner Trojans
Post by: mauserme on May 29, 2007, 08:24:02 PM
I see the VPS history shows a second update yesterday fixing definitions and false positives.

Has there been any change on your computer?

Title: Re: CCleaner Trojans
Post by: GrahamE on May 30, 2007, 12:21:39 AM
Has there been any change on your computer?

To be honest, I'm not sure. This is the last avast alert I've had when using CCleaner:

 28/05/2007 17:06:34   SYSTEM   1480   Sign of "Win32:Agent-GWD [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat" file. 

I can't be certain whether this was before or after the update. I haven't been online much today, but I've had nothing so far (come off and used CCleaner 3 times). Everything in the Chest is still alerting as viruses. I don't know whether it's possible for the problem with CCleaner to have been sorted and for the stuff in the Chest to be still recognised and alerted upon.

Is it possible that the stuff that is in the Chest is part of the code for these viruses (coincidentally, perhaps), and because it's in the Chest, it's still recognised as such, while at the same time, when CCleaner cleans and these codes are found, the updates cause Avast to realise that they aren't part of a virus or Trojan, but just a small piece of their codes? Or should the update, if it is to do with this problem, stop the items in the Chest being recognised as well?

I guess we're back on the 'time will tell' road... :-\
Title: Re: CCleaner Trojans
Post by: GrahamE on May 30, 2007, 01:29:22 AM
Doh!!!

I've just found out that my ISP, Tiscali, is having problems with any emails sent from Tiscali accounts. This has apparently been going on since the 25th May for definite, and possibly for some time before that. I wondered why people weren't replying to me. Thank God for that - I was starting to think everyone hated me! (No thanks, I don't need a reply to that bit!  8)).

From what I gather, even though I'm sending stuff through the Avast Chest, it will still go through the Tiscali server. This means that anything I've sent to Avast from that date has not got through to them, and possibly none of it. Is it permitted to use unpleasant language on this Forum? It's hardly surprising they haven't sorted it - they probably don't know about it!!!!!!!!!!!!!!!!!  >:( >:( >:(
Title: Re: CCleaner Trojans
Post by: DavidR on May 30, 2007, 01:39:40 AM
You could use one of the file hosting sites to upload a couple of samples, I will download and forward them to avast.

Rapidshare file upload -  Host your files with RapidShare FOR FREE! http://rapidshare.com useful if you haven't got an email client (or in your case a problem with your ISP email).

Once uploaded, post the URL link and any password here so they can be downloaded and forwarded.
Title: Re: CCleaner Trojans
Post by: GrahamE on May 30, 2007, 01:45:34 AM
Hey, thanks for the offer, that's really nice of you!  :)

Will I be able to upload them straight from the Chest, or do I need to do something first?
Title: Re: CCleaner Trojans
Post by: DavidR on May 30, 2007, 02:07:47 AM
No, the chest is a protected area; no application other than avast can do anything in there. You can certainly point the upload location there but when done, you will find a 0KB file size.

Right click on the files you want to upload and select extract, select a temporary location, create one, call it SuspectFiles (or use an existing one), you could add that to the exclusions when you extract the file standard shield will alert.
That is why I suggest creating the suspect folder and adding that to the exclusions or you will have to pause standard shield for the extraction and possibly the upload, having an exclusions suspect folder is probably the easiest option.
Title: Re: CCleaner Trojans
Post by: GrahamE on May 30, 2007, 02:25:34 AM
Sorry, I sort of figured it out while I was waiting, although I didn't add them to the exclusion list, and there was no alert. Odd? They are still being alerted on in the Chest if I scan them.

I uploaded them as single files, so there are a few URLs. Easier if you log in as me I suppose. User name is *******, password is ******** (original to the end!)


EDIT: Thanks again.  :)
Title: Re: CCleaner Trojans
Post by: DavidR on May 30, 2007, 03:32:33 AM
It would probably be better to upload them together in a zip file, which will make it easier to download the collection.

I have just downloaded 1 and it is 2:32 a.m. here so I'm calling it a night. If you upload them together in a zip I can collect them later today and submit to avast.
Title: Re: CCleaner Trojans
Post by: GrahamE on May 30, 2007, 12:22:18 PM
It would probably be better to upload them together in a zip file

Yeah, sorry, I should have done that. It's done now. Could you let me know when you've done it please, so I can change the password.
Title: Re: CCleaner Trojans
Post by: DavidR on May 30, 2007, 02:54:14 PM
OK, done now, probably best if you remove the user name and password from the previous post, so it isn't hanging in the wind.

I will upload them shortly.
Title: Re: CCleaner Trojans
Post by: GrahamE on May 30, 2007, 03:03:23 PM
OK, done now, probably best if you remove the user name and password from the previous post, so it isn't hanging in the wind.
I will upload them shortly.

I've done that. Thanks very much again for your trouble.
Title: Re: CCleaner Trojans
Post by: DavidR on May 30, 2007, 03:08:23 PM
You're welcome, let's hope there is a quick correction.
Title: Re: CCleaner Trojans
Post by: Dangerman on May 31, 2007, 03:27:36 PM
I had the same problem with these trojans using the latest version of CCleaner.  I found that reverting back to an older version, CCleaner 1.31, Avast no longer picked them up while cleaning.  You may want to try an older version and see if they are still picked up on your system.  False positives?

You can download older versions here.

http://www.filehippo.com/download_ccleaner/

Title: Re: CCleaner Trojans
Post by: Lisandro on May 31, 2007, 08:22:26 PM
False positives?
Indeed it seems so.
What is strange is that the old versions of CCleaner seem to have the same procedure, cleaning temporary files the same way, but do not affect avast ???
It's not a solution, going to old versions, but a workaround. I hope Alwil team could reproduce this in their lab... Maybe it will be good to ask CCleaner team to know if they have something to explain/correct.
Title: Re: CCleaner Trojans
Post by: Dangerman on May 31, 2007, 09:07:06 PM
My problems with these trojans began when I installed CCleaner V1.39.502.  Below are the "Whats new" in that version.

v1.39.502 - [17th April 2007]
- Rewritten secure deletion code, now over 2x faster.
- Performance improvements deleting Internet Cache.
- Fixed bug in Recycle Bin cleaning.
- Fixed overflow error with a large number of temp files.
- Added AntiVir PE Classic and Premium cleaning.
- Removed PerfectDisk 8.0 cleaning.
- Optimized file size for language DLLs.
- Added Bosnian translation.
- Added Macedonian translation.
- Updated several translations.
- Minor bug fixes.

http://ccleaner.com/

Note - Added AntiVir PE Classic and Premium cleaning.

So, does CCleaner now run an Anti Virus built in when cleaning? If so, I suspect it conflicts with Avast running and throws up the false positives?

This is the Avira AntiVir website (I assume this is the AntiVir PE Classic mentioned).

http://www.free-av.com/

Title: Re: CCleaner Trojans
Post by: GrahamE on May 31, 2007, 09:24:06 PM
You may want to try an older version

The only problem I have with that is that 1.39.502 was fine until the end of April. Updating to 1.40.520 made no difference, Avast still detected stuff. The fact that 1.39.502 was ok for quite a while tends to suggest that the problem is with Avast detecting things that CCleaner is disturbing, rather than a problem with the newer versions of CCleaner. Possibly, the older versions weren't cleaning as deeply as the newer versions, I don't know.

It's not a solution, going to old versions, but a workaround.

Yeah, it's a bit like stopping using CCleaner, and using something else instead.

What is strange is that the old versions of CCleaner seem to have the same procedure, cleaning temporary files the same way, but do not affect avast ???

It's also strange that not everyone (you included) is experiencing this problem when using the latest CCleaner  ???

On a brighter note, I've had no alerts from Avast when using CCleaner since the one on 28th at 5.06pm which I detailed in an earlier post. Fingers crossed, I guess! Avast still sees Trojans in the stuff in the Chest though.

So, does CCleaner now run an Anti Virus built in when cleaning? If so, I suspect it conflicts with Avast running and throws up the false positives?

Unfortunately, this doesn't explain why it ran successfully for a while. Coming out on 17th April, I installed it on 21st (I'd already downloaded it before reformatting on 21st, which is how I'm pretty sure of the date), and so it therefore ran for a week before problems arose.
Title: Re: CCleaner Trojans
Post by: mauserme on May 31, 2007, 09:34:05 PM
It's also strange that not everyone (you included) is experiencing this problem when using the latest CCleaner  ???
That's confusing to me too, though not everyone has the same software, drivers, etc installed beyond the avast!/CCleaner combination.  Sometimes it's the not-so-obvious things that cause the conflict.

On a brighter note, I've had no alerts from Avast when using CCleaner since the one on 28th at 5.06pm which I detailed in an earlier post.
Well that's a good sign ...

Avast still sees Trojans in the stuff in the Chest though.
though I don't get that at all.



Still, 3 days with no further alerts does indicate false positives.
Title: Re: CCleaner Trojans
Post by: Lisandro on May 31, 2007, 09:41:42 PM
Rewritten secure deletion code, now over 2x faster.
Performance improvements deleting Internet Cache.
Fixed overflow error with a large number of temp files.
Maybe something here...

Note - Added AntiVir PE Classic and Premium cleaning.
So, does CCleaner now run an Anti Virus built in when cleaning? If so, I suspect it conflicts with Avast running and throws up the false positives?
I don't think so... cleaning of their files I suppose (logs, temp files, etc.).
Title: Re: CCleaner Trojans
Post by: Dangerman on May 31, 2007, 11:13:41 PM
You may want to try an older version

The only problem I have with that is that 1.39.502 was fine until the end of April. Updating to 1.40.520 made no difference, Avast still detected stuff. The fact that 1.39.502 was ok for quite a while tends to suggest that the problem is with Avast detecting things that CCleaner is disturbing, rather than a problem with the newer versions of CCleaner. Possibly, the older versions weren't cleaning as deeply as the newer versions, I don't know.

I did not update to 1.39.502 until the end of April so do not know what happened before then.  First trojan picked up on 28th, Win32:agent-GKD.  From then on they were not picked up every day, until I did several scans on the 19th May, when 5 trojans were picked up.  Avast picked up nothing in the browser cache prior to each clean either.  Then I reverted back to the older version of CCleaner and nothing was picked up.

I've also used other cleaners and Avast picked up nothing when they were cleaning (perhaps they don't clean as deeply as CCleaner?). 

I've just re-installed CCleaner 1.40.520, ran it twice and all clear so far, so we will see what happens.
Title: Re: CCleaner Trojans
Post by: GrahamE on June 01, 2007, 01:15:44 AM
First trojan picked up on 28th

Ties in with my first find (and Gabriele08's) on the 27th.

Maybe it will be good to ask CCleaner team to know if they have something to explain/correct.

And Lavasoft. In reply #69 I posted details of Avast alerting during an Adaware scan. This has never happened again, but must surely prove that the problem doesn't originate from CCleaner.


Avast still sees Trojans in the stuff in the Chest though.
though I don't get that at all.


The whole thing is weird though. The other day, when I found that Tiscali were having problems, and DavidR kindly offered to upload some of my Chest contents to Avast, he said that I should add the files to the exclusion list before extracting them from the Chest, so that Avast wouldn't alert on them when I was preparing to upload them to Rapidshare.com (which obviously, makes complete sense).
I didn't do this, and yet Avast didn't alert. I extracted 8 files from the Chest to a folder, zipped the folder and uploaded it. No alerts at all. I then dragged the zip file to the recycle bin, still nothing. Only when I emptied the recycle bin did Avast alert. Surely DavidR was right, and Avast should have alerted as soon as I started 'playing' with the files, especially when I zipped them, and if not then, when I uploaded them? Could zipping them have masked them? Well, I'd already uploaded them individually, unzipped, before DavidR suggested zipping the whole lot together.
Why has Avast suddenly stopped alerting? I'm going to exactly the same sites, doing the same things, and yet it's suddenly stopped (I hope I'm not tempting fate here!). If it's an Avast update, why are the files in the Chest still being alerted on?

Title: Re: CCleaner Trojans
Post by: DavidR on June 01, 2007, 01:56:28 AM
It may be that because some of the files were from the firefox cache, they are extensionless file types and depending on your standard shield sensitivity it may not scan those files. Though the web shield should have scanned them on initial download as it doesn't care about file type or extensions.

Though by CCleaner moving or opening them would cause avast to scan them, but it is certainly weird. They would be alerted on outside the chest if you used the ashQuick.exe scan as that is the most sensitive of scans.
Title: Re: CCleaner Trojans
Post by: GrahamE on June 01, 2007, 02:14:31 AM
It may be that because some of the files were from the firefox cache, they are extensionless file types and depending on your standard shield sensitivity it may not scan those files. Though the web shield should have scanned them on initial download as it doesn't care about file type or extensions.

Sorry, was that reply to my last post? If it was, sorry, I don't use Firefox. Standard Shield is set to 'High', incidentally.

but it is certainly weird.

Yep!  ;D
Title: Re: CCleaner Trojans
Post by: DavidR on June 01, 2007, 02:23:57 AM
Yes it was, it was an assumption that the numeric file names without a file type was from the firefox browser cache as that is how they are stored. Even though the assumption about firefox was wrong, the bit about extensionless files may have been correct.

Though with the standard shield on high that really shouldn't have been the case; I would have thought virtually everything would be scanned on activity, created, modified, etc.
Title: Re: CCleaner Trojans
Post by: GrahamE on June 01, 2007, 02:28:34 AM
So we're back on:
but it is certainly weird.

Yep!  ;D

 ;D
Title: Re: CCleaner Trojans
Post by: Dangerman on June 01, 2007, 08:01:57 AM
It may be that because some of the files were from the firefox cache, they are extensionless file types and depending on your standard shield sensitivity it may not scan those files. Though the web shield should have scanned them on initial download as it doesn't care about file type or extensions.


I am using Firefox, and that is where the trojans were found when running CCleaner, Firefox cache, documents and settings.
Title: Re: CCleaner Trojans
Post by: Dangerman on June 01, 2007, 10:12:47 AM
Ran CCleaner this morning and Avast picked up Win32:agent-GVO, which is a new one.  I visited 2 sites while on the internet, this one and a streaming radio site (have used it for a couple of years) which I would consider to be safe and is a green site according to McAfee SiteAdvisor.  I cleaned just 0.9mb from the cache and Avast picked this one up as soon as the cleaning started.
Title: Re: CCleaner Trojans
Post by: GrahamE on June 01, 2007, 12:32:31 PM
I am using Firefox, and that is where the trojans were found when running CCleaner, Firefox cache, documents and settings.

Yeah, you're finding stuff in the same place as Gabriele08 I think.

Ran CCleaner this morning and Avast picked up Win32:agent-GVO, which is a new one.  I visited 2 sites while on the internet, this one and a streaming radio site (have used it for a couple of years) which I would consider to be safe and is a green site according to McAfee SiteAdvisor.  I cleaned just 0.9mb from the cache and Avast picked this one up as soon as the cleaning started.

It doesn't seem to matter where you go. On one occasion, detailed in an earlier post, I connected to the internet and my homepage (Google) loaded. I then logged off again without doing any searches or going anywhere else. Avast then alerted when I ran CCleaner.
Title: Re: CCleaner Trojans
Post by: Gabriele 08 on June 02, 2007, 12:07:24 AM
I am using Firefox, and that is where the trojans were found when running CCleaner, Firefox cache, documents and settings.

Yeah, you're finding stuff in the same place as Gabriele08 I think.
Yes GrahamE, absolutely the same situation!

Quote from: GrahamE
It doesn't seem to matter where you go.
I think after one month we can say that "for sure it's not"! I've tried (as in your example) running CCleaner after many different surfing sessions!!! And always with the same "random" results.
So, "what" triggers Avast detection during CCleaner cleaning? A $1 million question at the moment!  :(
Title: Re: CCleaner Trojans
Post by: GrahamE on June 03, 2007, 02:02:23 AM
Damn it! Five days with nothing, and I thought it was over! However:

02/06/2007 20:02:15   GE   1484   Sign of "Win32:Agent-HAI [Trj]" has been found in "C:\Recycler\S-1-5-21-790525478-688789844-725345543-1003\Dc16.jpg" file.

This one is a bit unusual in that the place where the 'Trojan' was found was easy (for me) to identify.

Basically it's a wallpaper which I saved for my son from the internet (Google Images). I didn't download it, just right clicked and saved the picture. I copied it to a usb pen and put it on his PC. I then deleted the picture from my PC. Nothing so far. With the picture in the Recycle bin, I ran CCleaner and Avast found the above, which I placed in the Chest.

I've since gone back to my son's PC, copied the wallpaper back to the USB pen and put it back on my PC. Scanning it with the right click gives no alert. I then deleted it, ran CCleaner, no alert this time.

Surely, if the picture actually did contain a Trojan, it would still have been there on the second occasion, since it was copied, wouldn't it?  ???

Also, if I restore the file from the Chest, Avast now alerts as soon as it's deleted to the Recycle bin, which it didn't do before.  ???
Title: Re: CCleaner Trojans
Post by: Lisandro on June 03, 2007, 04:07:54 PM
GrahamE, how many users do you have configured on your computer?
Can you check if there is more than one account with Administrator rights?

Surely, if the picture actually did contain a Trojan, it would still have been there on the second occasion, since it was copied, wouldn't it?  ???
Which is your Standard Shield sensitivity? High? Normal?

Also, if I restore the file from the Chest, Avast now alerts as soon as it's deleted to the Recycle bin, which it didn't do before.  ???
CCleaner is *changing* the file somehow while deleting it... and avast is only detecting it after CCleaner puts its hands on it... Did you try a CCleaner installation from scratch?
Title: Re: CCleaner Trojans
Post by: GrahamE on June 03, 2007, 04:19:31 PM
GrahamE, how many users do you have configured on your computer?
Can you check if there is more than one account with Administrator rights?

I'm the only user/Administrator

Which is your Standard Shield sensitivity? High? Normal?

High

Did you try a CCleaner installation from scratch?

Yes, I explained before that I'd uninstalled 1.39.502 (which also gave the same problems), cleaned the registry and then installed 1.40.520.
Title: Re: CCleaner Trojans
Post by: Lisandro on June 03, 2007, 04:26:57 PM
I'm the only user/Administrator
Good.

High
That is what makes me think the 'problem' is in CCleaner... it seems to be corrupting the files...

Yes, I explained before...
Sorry... too long a thread to follow.
I'll take a look into the CCleaner settings to see if I can get anything.

By the way, did you already test antirootkits?
Title: Re: CCleaner Trojans
Post by: GrahamE on June 03, 2007, 04:40:05 PM
Sorry... too long a thread to follow.
I'll take a look into the CCleaner settings to see if I can get anything.

By the way, did you already test antirootkits?

Sorry, Tech, it wasn't a 'why don't you read the thread' comment!  ;D

I've run AVG and Panda Antirootkits, and done online scans with F-Secure, Kaspersky and BitDefender (your recommendations). All ok.
Title: Re: CCleaner Trojans
Post by: Lisandro on June 03, 2007, 04:55:06 PM
Maybe you can drop a question for them here: http://www.ccleaner.com/contact.aspx
Maybe you can find something searching their forum (http://forum.piriform.com/index.php?act=idx) for avast. The number of hits is high, so we must dig a little bit more to find anything related to our problem.
I was browsing their forum but I found nothing related to this...
Title: Re: CCleaner Trojans
Post by: GrahamE on June 03, 2007, 05:07:58 PM
Maybe you can drop a question for them here: http://www.ccleaner.com/contact.aspx
Maybe you can find something searching their forum (http://forum.piriform.com/index.php?act=idx) for avast. The number of hits is high, so we must dig a little bit more to find anything related to our problem.
I was browsing their forum but I found nothing related to this...

I don't believe that - I've just been doing the same thing! Great minds... ;D I've sent a message to them, with a link to this thread.

The only thing on their forum that I could find relating to Avast was someone suggesting that it is included in Windows as a firewall. Hmm, ok.  ??? ;D
Title: Re: CCleaner Trojans
Post by: Gabriele 08 on June 03, 2007, 09:11:05 PM
GrahamE, which type of deletion do you use with CCleaner?
normal (quick - 1 pass)?
secure (slow - 3 passes)?
NSA (7 passes)?
Title: Re: CCleaner Trojans
Post by: GrahamE on June 03, 2007, 09:26:59 PM
Usually secure (3 passes).
Title: Re: CCleaner Trojans
Post by: Gabriele 08 on June 03, 2007, 09:41:53 PM
Mmh...me too!
So I think this hypothesis may be interesting..
CCleaner is *changing* the file somehow while deleting it... and avast is only detecting it after CCleaner puts its hands on it...
Title: Re: CCleaner Trojans
Post by: GrahamE on June 03, 2007, 09:50:37 PM
Mmh...me too!
So I think this hypothesis may be interesting..
CCleaner is *changing* the file somehow while deleting it... and avast is only detecting it after CCleaner puts its hands on it...

I don't know what effect using the secure delete has. Obviously I know that it over-writes 3 times, but what it's doing to the actual file that's being deleted to cause Avast a problem, I don't know. Still can't explain my one Avast alert while using Adaware either. Also can't explain how I was able to use 1.39.502 for a week with no problem. Also can't explain ( :P) why, if you go to exactly the same websites again that you visited when CCleaner caused an alert, Avast doesn't alert second time.
Title: Re: CCleaner Trojans
Post by: Gabriele 08 on June 03, 2007, 11:03:38 PM
Mmh...me too!
So I think this hypothesis may be interesting..
CCleaner is *changing* the file somehow while deleting it... and avast is only detecting it after CCleaner puts its hands on it...

I don't know what effect using the secure delete has. Obviously I know that it over-writes 3 times, but what it's doing to the actual file that's being deleted to cause Avast a problem, I don't know...
I don't know either!
But it is during this action that something not good happens!
So I was considering Tech's hypothesis, because I'm thinking we need hypotheses...
We should discover the "culprit" before transforming this topic into an "ever ending history"
Title: Re: CCleaner Trojans
Post by: Lisandro on June 03, 2007, 11:17:55 PM
Still can't explain my one Avast alert while using Adaware either.
This is a little bit different and easier: while Ad-Aware is working with a file (scanning), avast could 'detect' the file in memory and warn about a virus. Some users suggest that when you scan with an application, you should disable the other residents (especially the antivirus in this case).

why, if you go to exactly the same websites again that you visited when CCleaner caused an alert, Avast doesn't alert second time.
Can you explain a little more? What do you mean with "you visited when CCleaner caused an alert"?
Title: Re: CCleaner Trojans
Post by: GrahamE on June 04, 2007, 01:13:38 AM
This is a little bit different and easier: while Ad-Aware is working with a file (scanning), avast could 'detect' the file in memory and warn about a virus. Some users suggest that when you scan with an application, you should disable the other residents (especially the antivirus in this case).

Yeah, DavidR said about that earlier. I just find it odd that Avast alerted while I was doing an Adaware scan at this time - i.e. while there is the same problem with CCleaner. It has never happened before with Adaware, even though I've never disabled Avast before doing any scan. Because I've never done it before, it does seem a bit like masking the problem, like using something else instead of CCleaner - it would stop the problem, but wouldn't explain the 'why?' bit.

Can you explain a little more? What do you mean with "you visited when CCleaner caused an alert"?

I'll give a hypothetical example. I log on to the internet. My homepage, Google, loads. I go to the Download.com home page. I then log off and run CCleaner. Avast pops up with an alert, which I send to the Chest. I then reconnect to the internet, Google, Download.com, log off. I use CCleaner and this time there is no alert. Why an alert the first time and not the second? One would imagine that the files being deleted would be identical, the way CCleaner deals with them would be identical, so why not an identical alert?

We should discover the "culprit" before transforming this topic into an "ever ending history"

Since this is reply #154 in this thread, it might be a little late for that!  ;D

They're still coming, by the way:

03/06/2007 20:51:25   GE   1488   Sign of "Win32:Agent-GWD [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat" file.

@ Gabriele 08:
Are you still getting alerts?

Title: Re: CCleaner Trojans
Post by: GrahamE on June 04, 2007, 01:31:57 AM
Sorry, been thinking,

This is a little bit different and easier: while Ad-Aware is working with a file (scanning), avast could 'detect' the file in memory and warn about a virus.

How does this differ from what happens when CCleaner is working with a file and Avast 'detects' something? Doesn't that point towards Avast being at fault? We (you) felt in earlier posts that it wasn't CCleaner that was at fault:

Definitely happened with both versions of CCleaner. I actually thought, when the new version came out, that it might solve the problem, if there was a bug in the old one.
The problem is that no one is relating a bug in CCleaner... I don't think there is this kind of trouble with it...

why Avast would detect something when CCleaner cleans, but not when Windows does it.
Because CCleaner cleans deeper and 'touches' many more files and folders than just closing IE and letting Windows clean. The mystery is which file(s) is (are) bringing trouble...
Title: Re: CCleaner Trojans
Post by: Lisandro on June 04, 2007, 02:47:06 AM
I'll take your words... Sorry, been thinking... and then guessing, not in a linear way but in circles...
Did you run HijackThis? Can you post it here after all you've scanned and cleaned?
Title: Re: CCleaner Trojans
Post by: Gabriele 08 on June 04, 2007, 06:15:36 AM
@ Gabriele 08:
Are you still getting alerts?
Yes! (don't worry, I won't leave you alone  ;D )
As usual, in "random mode". I mean, one time yes, 2-3 times no, and so on...
Title: Re: CCleaner Trojans
Post by: Dangerman on June 04, 2007, 10:48:07 AM
@ Gabriele 08:
Are you still getting alerts?
Yes! (don't worry, I won't leave you alone  ;D )
As usual, in "random mode". I mean, one time yes, 2-3 times no, and so on...

I have also had several more alerts this weekend of the Win32:Agent"G" series variety, but like GrahamE, not on every scan even after visiting the same site.

Also to note, I have run Ad-Aware with Avast running at the same time and nothing has been picked up.  However, I have not run Ad-Aware every day or before each CCleaner scan. I also use the secure option (3 passes) for cleaning.

The trojans are only ever picked up in Firefox, documents and settings.  On the rare occasion that I use IE, and clean afterwards nothing has been found.

It has also been mentioned before that no other anti-virus/spyware/malware, etc, picks these up and I can confirm that as I've tried many of them and everything comes up clean.

I am also the only Administrator on my pc.

Title: Re: CCleaner Trojans
Post by: GrahamE on June 04, 2007, 12:55:30 PM
I'll take your words... Sorry, been thinking... and then guessing, not in a linear way but in circles...

I think that's what we're all doing, as there doesn't seem to be a simple answer to this. Perhaps if the people at CCleaner respond, or someone at Alwil......
HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 11:44:26, on 04/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\PROGRAM FILES\CREATIVE\SB LIVE! 24-BIT\SURROUND MIXER\CTSYSVOL.EXE
C:\Documents and Settings\GE\My Documents\My Utilities\Virus\Virus Scanners\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O4 - HKCU\..\Run: [TClockEx] C:\Documents and Settings\GE\My Documents\Unzipped\tclockex\TCLOCKEX.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Blaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

Title: Re: CCleaner Trojans
Post by: GrahamE on June 04, 2007, 01:02:31 PM
@ Gabriele 08:
Are you still getting alerts?
Yes! (don't worry, I won't leave you alone  ;D )

Yeah, don't leave me alone with this!  ;D

I have also had several more alerts this weekend of the Win32:Agent"G" series variety, but like GrahamE, not on every scan even after visiting the same site.

It's the random nature of this that's making it difficult for anyone to pinpoint the problem, I guess. Perhaps if the people at CCleaner respond, or someone at Alwil... ;D
Title: Re: CCleaner Trojans
Post by: Lisandro on June 04, 2007, 07:38:40 PM
Check the automatic analysis of your HijackThis log here:
http://www.4shared.com/file/17245185/6e105f2c/GrahamE.html

You can find more info in the links of the last column of this table.
That info could guide you on the cleaning process.
Anyway, if you have doubts, just post here.
Also, take a careful look at the first column of the table:

1. If you don't recognize a legit program in one of the items marked as FIX IF UNKNOWN, please post it back here and maybe we can help you. Or, if you're sure it's a malware item, you can remove it as posted below.

2. If you agree with the automatic classification of the infected items marked as FIX (CHECK NOTES!), you can turn back to HijackThis program, check the box of this item and then remove it using the button 'Fix checked'.

Other automatic analysis - which is never as good as having an experienced human operator around - could be done by the following sites: http://hijackthis.de/index.php, http://www.tomcoyote.org/hjt/ and http://hjt.networktechs.com/.
Title: Re: CCleaner Trojans
Post by: Gabriele 08 on June 04, 2007, 10:14:51 PM
Well, there is a little threat on GrahamE's PC, but I think there is no relation with the CCleaner-Avast troubles.
In any case, after removing it, we'll see.
But... I'm really surprised that avast doesn't recognize this not-new "little trojan", although it is described as a very low risk trojan.
Title: Re: CCleaner Trojans
Post by: GrahamE on June 05, 2007, 12:55:48 AM
Check the automatic analysis of your HijackThis log here:
http://www.4shared.com/file/17245185/6e105f2c/GrahamE.html

Ok, I'm not sure what to do here (just for a change!)

I'm pretty sure that the 'FIX IF UNKNOWN' items are okay.

The red FIX one - O11 Options group [INTERNATIONAL] International*. Hmmmm......

According to this, "currently only the 'CommonName' Hijacker uses this"

But, using the other analyser (http://hijackthis.de/Index.php), this entry is listed as 'safe'

A Google search reveals it to be the "Internationalized Domain Name Support in Internet Explorer 7" and is therefore legitimate.

On the other hand, hijackthis.de/... lists
"R0 HKCU\Software\Microsoft\Internet Explorer\Main, Local Page =" as "Nasty"
and yet this is ok on the other one. I'm pretty sure that this was changed to 'blank' when IE7 was installed, so again, I'm pretty sure it's ok (though not certain, I must admit).

I think I'm ok on the 'undetermined' bits except for the large window with Spywareblaster.exe. Are the entries here to do with entries in the SpywareBlaster definitions? I hope so. If not, what is yahoo_toolbar.exe, or surfer.exe? What the hell is penis32.exe?


Well, there is a little threat on GrahamE's PC, but I think there is no relation with the CCleaner-Avast troubles.
In any case, after removing it, we'll see.
But... I'm really surprised that avast doesn't recognize this not-new "little trojan", although it is described as a very low risk trojan.

Which 'threat' are you referring to?
Title: Re: CCleaner Trojans
Post by: Lisandro on June 05, 2007, 03:24:22 AM
I'm pretty sure that the 'FIX IF UNKNOWN' items are okay.
The red FIX one - O11 Options group [INTERNATIONAL] International*. Hmmmm......
But, using the other analyser (http://hijackthis.de/Index.php), this entry is listed as 'safe'
I'm pretty sure it's ok (though not certain, I must admit
Indeed... that does not seem to be the problem with CCleaner & avast. Never mind, was just a precaution to know if any other thing could be interfering with avast.

If not, what is yahoo_toolbar.exe, or surfer.exe? What the hell is penis32.exe?
POSSIBLE THREATS as stated.
Why do you have C:\Program Files\SpywareBlaster\spywareblaster.exe in the startup items? For what?
Title: Re: CCleaner Trojans
Post by: Gabriele 08 on June 05, 2007, 08:59:19 AM
Which 'threat' are you referring to?
Ehm... Sorry GrahamE, terrible mistake!
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe I confused this good entry related to OfficeXP alternative languages with a trojan  :-X 
Log seems ok, IMHO. Just to get rid of the thought, you could fix entry R0.

Title: Re: CCleaner Trojans
Post by: GrahamE on June 05, 2007, 08:37:17 PM
If not, what is yahoo_toolbar.exe, or surfer.exe? What the hell is penis32.exe?
POSSIBLE THREATS as stated.

Sorry, I don't understand. Does that mean I have those items on my PC? If so, where have they come from? Or are they in the SpywareBlaster defs? Or are they just a random list of possible threats?

Why do you have C:\Program Files\SpywareBlaster\spywareblaster.exe in the startup items? For what?

When I first got SpywareBlaster, I was told that it didn't load automatically at startup, and that you had to double-click the desktop icon each time, to load it. I got round this by sticking it in my startup folder, so the program loads at startup. Is this not right?

Ehm... Sorry GrahamE, terrible mistake!

PLEEASE!!!! don't do that to me!!!!  ;D
Title: Re: CCleaner Trojans
Post by: DavidR on June 06, 2007, 12:06:37 AM
SpywareBlaster is a passive device: you download it, run it once and apply the protection. Periodically you run it and check for updates, download them if present, and then apply any new protection.

So it doesn't need to start on boot.
Title: Re: CCleaner Trojans
Post by: GrahamE on June 06, 2007, 12:54:57 AM
SpywareBlaster is a passive device. So it doesn't need to start on boot.

Oh, right, thank you. I'll take it out of the startup folder then!

Do you know anything about the 'things' (surfer.exe, yahoo_toolbar.exe, etc) I mentioned in reply #163?
Title: Re: CCleaner Trojans
Post by: DavidR on June 06, 2007, 02:27:26 AM
I have heard of the yahoo toolbar, in the same way as there is a google toolbar, though I have never used either of them, so I wouldn't know if yahoo_toolbar.exe was legit or in the correct location, so I would suggest a google search for that and surfer.exe.

However, that said, CCleaner installs the Yahoo toolbar if you don't uncheck it as an install option; that may be how you got it.

You should be able to see it in your browser as a selectable toolbar option. If you don't want it, try ToolbarCop: http://www.snapfiles.com/get/toolbarcop.html
Title: Re: CCleaner Trojans
Post by: Lisandro on June 06, 2007, 02:50:18 AM
Sorry, I don't understand. Does that mean I have those items on my PC? If so, where have they come from? Or are they in the SpywareBlaster defs? Or are they just a random list of possible threats?
Not a random list, but a possible list, not an actual list, but only possibilities. Most probably you're not infected as the other antivirus and antispyware did not detect any infection.

When I first got SpywareBlaster, I was told that it didn't load automatically at startup, and that you had to double-click the desktop icon each time, to load it. I got round this by sticking it in my startup folder, so the program loads at startup. Is this not right?
I think they already answered it... SpywareBlaster is for immunization; it doesn't need to be started.
Title: Re: CCleaner Trojans
Post by: GrahamE on June 06, 2007, 08:27:25 AM
I have heard of the yahoo toolbar, in the same way as there is a google toolbar, though I have never used either of them, so I wouldn't know if yahoo_toolbar.exe was legit or in the correct location, so I would suggest a google search for that and surfer.exe.

However, that said, CCleaner installs the Yahoo toolbar if you don't uncheck it as an install option; that may be how you got it.

You should be able to see it in your browser as a selectable toolbar option.

No, I don't have any additional toolbars except McAfee SiteAdvisor, that's why I was bothered. I always untick the option to have CCleaner install it. From what Tech has now said though, the list given wasn't necessarily stuff that was found on my PC anyway.  :P Thanks.

Not a random list, but a possible list, not an actual list, but only possibilities. Most probably you're not infected as the other antivirus and antispyware did not detect any infection.

This automated analysis can be frightening!  ;D Thanks.


I think they already answered it... SpywareBlaster is for immunization; it doesn't need to be started.

Thanks again.
Title: Re: CCleaner Trojans
Post by: Dangerman on June 07, 2007, 11:43:50 PM
Anyone still getting these trojans?  I haven't had any for a couple of days now, although in the past there have been gaps of 4 days. 

Scanning inside the virus chest still warns all of these Win32:Agent-"G" series as virus detected, only a couple now being classed as no virus.
Title: Re: CCleaner Trojans
Post by: GrahamE on June 08, 2007, 12:19:05 AM
Found one on the 5th and one on the 6th. Haven't had one today. Everything in the Chest is still alerted on when scanned.
Title: Re: CCleaner Trojans
Post by: Gabriele 08 on June 08, 2007, 05:36:09 AM
Anyone still getting these trojans?.....
Here no news. Usual trend, sometimes yes, sometimes no...
During the last few days I didn't scan inside the chest, but I suppose I know the results. Although in the past, 4 of them changed status to 'no virus'.
Title: Re: CCleaner Trojans
Post by: philly12 on June 13, 2007, 05:31:44 PM
I've been getting on-access reports of trojans too while running CCleaner.  Both of my computers are reporting Win32:Agent-"G" series trojans while cleaning with CCleaner, and one of my computers is brand new with great protection* and I have only been to legit sites with it.  I have a good feeling that these are all false positives.  I hope something gets fixed soon though.  All the files that get detected are either temp or cache files.  On my new comp, I moved the temp files that were detected while cleaning with CCleaner (over the course of a few days) to the virus chest, and the strange thing is, right after I moved each one into the chest, I scanned each one in the chest and it reported "no virus".  That's very strange considering that avast! JUST said less than a minute ago with its on-access scanner that these files were infected.

I guess these are false positives.  It sure seems like it anyway.

*for protection I use: SUPERAntiSpyware Professional or Spyware Terminator (depending on what I'm doing, because ST gives a lot of warnings when trying to set up software), PC Tools Firewall, Avast! free, Spybot, Ad-Aware 2007, a-squared free, SpywareBlaster, AdvancedWindows Care, CCleaner, and ClamWin (only for scanning), so you can see that my computer is pretty well protected.  I also haven't been to any bad sites on my new comp and always use McAfee SiteAdvisor to make sure a site is safe.
Title: Re: CCleaner Trojans
Post by: GrahamE on June 13, 2007, 08:42:53 PM
I also haven't been to any bad sites on my new comp and always use McAfee SiteAdvisor to make sure a site is safe.

That doesn't seem to matter (although no one has admitted going to anywhere iffy to completely test the theory!  ;D) which is another reason to support the idea of false results.

and the strange thing is, right after I moved each one into the chest, I scanned each one in the chest and it reported "no virus".  That's very strange considering that avast! JUST said less than a minute ago with its on-access scanner that these files were infected.

That's certainly different to what anyone else who's posted on here has been reporting. As you say, how it can detect something and literally a minute later not detect it is very strange. If it happened once with an update in-between, you could understand it, but if it's happening every time...


On the subject of Avast updating, I've just rescanned everything in the Chest, and have 'no virus' on 41 out of 44 of the items in there, including a couple it found last night. I'm guessing this is update 748-5 from earlier today. The only things I'm left with at the moment are a few of:

13/06/2007 00:56:17   SYSTEM   1492   Sign of "Win32:Agent-HAI [Trj]" has been found in "C:\Documents and Settings\GE\Application Data\Sun\Java\Deployment\cache\6.0\19\1246cf13-76fb977b" file.

which I've 'found' a few times. Hopefully, if Avast are now on to this, they'll soon be gone as well, and this matter will finally be sorted out.

EDIT:
And they keep coming...
13/06/2007 19:58:24   GE   1464   Sign of "Win32:Agent-HAI [Trj]" has been found in "C:\Recycler\S-1-5-21-790525478-688789844-725345543-1003\Dc2.jpg" file.

First 'G' and then 'H', I just hope we're not going to go all the way through the alphabet!
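The log viewer lines quoted above all share one format, and the pattern the thread keeps circling (the same signature family, always in temp, cache or Recycler locations, never reproduced by a second scanner) is exactly what a false-positive cluster looks like. The following is an added example, not code from the thread or from Alwil/avast!: it parses lines in that format, tallies them by signature and family, and flags a run of hits as a false-positive candidate when every hit sits in a transient location. Two sample lines are the ones quoted in this post; the third detection line and the non-detection line are constructed for illustration, and the list of "transient" folder markers is an assumption of the example.

```python
"""Triage avast! 4.x on-access log lines for a false-positive cluster (added example)."""
import re
from collections import Counter
from datetime import datetime

# Line format as quoted in the thread:
#   DD/MM/YYYY HH:MM:SS   <user>   <pid>   Sign of "<signature>" has been found in "<path>" file.
LOG_RE = re.compile(
    r'^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+'
    r'(?P<user>\S+)\s+(?P<pid>\d+)\s+'
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.?\s*$'
)

# Folders whose contents are transient (assumed list for this example). A hit that
# only ever appears here, and that nothing else reproduces, is a false-positive
# candidate rather than evidence of a persistent infection.
TRANSIENT_MARKERS = (
    "\\temporary internet files\\",
    "\\local settings\\temp\\",
    "\\deployment\\cache\\",
    "\\recycler\\",
)

SAMPLE_LINES = [
    # two lines as quoted in the thread
    r'13/06/2007 00:56:17   SYSTEM   1492   Sign of "Win32:Agent-HAI [Trj]" has been found in "C:\Documents and Settings\GE\Application Data\Sun\Java\Deployment\cache\6.0\19\1246cf13-76fb977b" file.',
    r'13/06/2007 19:58:24   GE   1464   Sign of "Win32:Agent-HAI [Trj]" has been found in "C:\Recycler\S-1-5-21-790525478-688789844-725345543-1003\Dc2.jpg" file.',
    # constructed detection line in the same format (hypothetical cache file name)
    r'14/06/2007 09:12:00   GE   1500   Sign of "Win32:Agent-GKD [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\example[1].htm" file.',
    # constructed line that is not a detection record and must be skipped
    "14/06/2007 09:12:05   GE   1500   VPS update completed.",
]


def is_transient(path):
    """True when the path lies inside one of the transient folders above."""
    lowered = path.lower()
    return any(marker in lowered for marker in TRANSIENT_MARKERS)


def parse_line(line):
    """Return a dict for a detection line, or None for any other line."""
    match = LOG_RE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%m/%Y %H:%M:%S")  # day-first, as in the log
    rec["pid"] = int(rec["pid"])
    rec["transient"] = is_transient(rec["path"])
    return rec


def summarize(lines):
    """Tally detections by signature and family and decide if they form one FP cluster."""
    records = [r for r in map(parse_line, lines) if r is not None]
    by_signature = Counter(r["sig"] for r in records)
    # "Win32:Agent-HAI [Trj]" -> family "Win32:Agent"
    by_family = Counter(r["sig"].split("-")[0] for r in records)
    transient_hits = sum(1 for r in records if r["transient"])
    return {
        "parsed": len(records),
        "unparsed": len(lines) - len(records),
        "by_signature": by_signature,
        "by_family": by_family,
        "transient_hits": transient_hits,
        "first_seen": min((r["ts"] for r in records), default=None),
        "last_seen": max((r["ts"] for r in records), default=None),
        # one family, every hit in a transient location: treat as an FP candidate
        "fp_cluster": bool(records) and transient_hits == len(records) and len(by_family) == 1,
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LINES)
    for sig, count in summary["by_signature"].most_common():
        print(f"{count:3d}  {sig}")
    print(f"{summary['transient_hits']}/{summary['parsed']} hits in transient locations, "
          f"{summary['unparsed']} non-detection line(s) skipped")
    print("looks like one false-positive cluster: submit samples to the vendor and rescan after the next VPS update"
          if summary["fp_cluster"] else "mixed hits: investigate each path individually")
```

The "fp_cluster" verdict is deliberately conservative: a single hit outside a transient folder, or a second signature family, drops it back to "investigate individually", which is the right default when an on-access scanner and a chest rescan disagree.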
Title: Re: CCleaner Trojans
Post by: Dangerman on June 14, 2007, 01:23:18 AM
Hopefully good news.  I've just scanned all the Trojans in the chest and all of the "G" series now come up as "no virus".  Only one, Win32:Agent-HAI [Trj] is still showing as a virus.  False positives it would seem.  Still, thanks to Avast for sorting them out.  I expect HAI will come up as false soon enough.

Title: Re: CCleaner Trojans
Post by: philly12 on June 14, 2007, 04:42:07 AM
I'm having the same experience as Dangerman now.  I scanned every trojan in the chest that was detected during CCleaner cleaning and they all now come up as "no virus" except the Win32:Agent-HAI [Trj] trojans (three in my chest).  And GrahamE mentioned earlier that avast might have updated in the ~30 seconds that it took me to move the suspicious on-access trojan to the chest and scan it in the chest (where it turned up no virus), but avast! did not update in that time, so it is very strange indeed.
Title: Re: CCleaner Trojans
Post by: Dangerman on June 14, 2007, 07:45:34 AM
I only have one instance of finding Win32:Agent-HAI [Trj] on 1st June, so hopefully we are not going to go through the alphabet on this!
Title: Re: CCleaner Trojans
Post by: GrahamE on June 14, 2007, 10:17:21 AM
Still, thanks to Avast for sorting them out.  I expect HAI will come up as false soon enough.

Yes, many thanks to Avast for getting on to this. It's taken a while, but then they do have one or two other things to do as well, I suppose... ;D

Hopefully, if we all continue to email every instance of these FP's to them, they will soon be able to sort this out completely.
Title: Re: CCleaner Trojans
Post by: Dangerman on June 14, 2007, 11:58:41 AM
On my new comp, I moved the temp files that were detected while cleaning with CCleaner (over the course of a few days) to the virus chest, and the strange thing is, right after I moved each one into the chest, I scanned each one in the chest and it reported "no virus".  That's very strange considering that avast! JUST said less than a minute ago with its on-access scanner that these files were infected.

I guess these are false positives.  It sure seems like it anyway.


Yes, it has been very strange even if they are false positives.  On my pc these have only ever been found when cleaning Firefox/documents and settings.  If I use Opera or the dreaded IE, nothing was ever picked up.  GrahamE seems to have found them in different places.  It's a strange false positive alright.
Title: Re: CCleaner Trojans
Post by: Lisandro on June 14, 2007, 02:37:15 PM
It's becoming an endless story  :-[
Right now, if you (all users with CCleaner problems) submit the suspect files to Virustotal (http://www.virustotal.com/en/indexf.html) will any of them appear to be infected?

If you run full computer on-line scanning:

Kaspersky (http://www.kaspersky.com/virusscannerl)
Trendmicro housecall (http://www.trendmicro.com/hc_intro/default.asp)
Ewido (http://www.ewido.net/en/onlinescan/)
F-Secure (http://support.f-secure.com/enu/home/ols.shtml)
Panda ActiveScan (http://www.pandasoftware.com/products/ActiveScan.htm)
BitDefender (http://www.bitdefender.com/scan8/ie.html) (free removal of the malware)

will anything be detected?
Title: Re: CCleaner Trojans
Post by: Dangerman on June 14, 2007, 04:19:38 PM
It's becoming an endless story  :-[

Actually, I hope we are getting close to the end.  I now only have one trojan as previously mentioned and that has only been picked up once since this all began.  We will have to see how we go from here, but all the "no virus" responses to the "G" series of trojans was good to see yesterday.
Title: Re: CCleaner Trojans
Post by: GrahamE on June 14, 2007, 08:05:21 PM

Right now, if you (all users with CCleaner problems) submit the suspect files to Virustotal (http://www.virustotal.com/en/indexf.html) will any of them appear to be infected?

If you run full computer on-line scanning will anything be detected?


I, as you know, have already done that, and the answer is 'no', nothing else comes up with a detection.

What we all want now is for Avast to recognise these as false positives and update the definitions accordingly. Thankfully, they have made a major attempt to do this now, with all of the 'G' series now showing 'no virus', as Dangerman pointed out. Hopefully they'll soon deal with the 'H' series, and the endless story, again misquoting Dangerman, will be at an end.  :D
Title: Re: CCleaner Trojans
Post by: Gabriele 08 on June 14, 2007, 11:16:08 PM
Hi,
I've just scanned all files in my chest and now there is only one recognized as a virus, while none of the '-G' series are any more.
Thanks to Alwil's team

What we all want now is for Avast to recognise these as false positives and update the definitions accordingly. Thankfully, they have made a major attempt to do this now, with all of the 'G' series now showing 'no virus', as Dangerman pointed out. Hopefully they'll soon deal with the 'H' series, and the endless story, again misquoting Dangerman, will be at an end.  :D
I agree of course, but I want to add that I hope the heart of the matter regarding avast's alerts during CCleaner's job will be found in the future. And now I'm optimistic that this day will not be so far off  :)
Title: Re: CCleaner Trojans
Post by: Lisandro on June 14, 2007, 11:39:06 PM
What we all want now is for Avast to recognise these as false positives and update the definitions accordingly.
Me too...

while none of the '-G' series are any more.
Seems they're answering silently...
Title: Re: CCleaner Trojans
Post by: GrahamE on June 15, 2007, 12:45:25 AM
I agree of course, but I want to add that I hope the heart of the matter regarding avast's alerts during CCleaner's job will be found in the future. And now I'm optimistic that this day will not be so far off  :)

While it's hopeful that, for the time being at least, the problem seems to be calming down, it's difficult to see the definitions updates as an explanation of why this has been happening. The fact that the new definitions stop the alerts points towards a problem with the definitions in the first place, but if that's the case, why haven't there been more people than us few having a problem with it? Surely you would expect everyone who uses CCleaner and Avast to have experienced the same thing, and as we know from Tech, that isn't the case.  ???

This has certainly been a weird one!


Title: Re: CCleaner Trojans
Post by: Lisandro on June 15, 2007, 01:01:15 AM
Why haven't there been more people than us few having a problem with it? Surely you would expect everyone who uses CCleaner and Avast to have experienced the same thing, and as we know from Tech, that isn't the case.  ???
I won't expect that... each computer, one behavior...
By the way, which is your file system, NTFS or FAT32?
Title: Re: CCleaner Trojans
Post by: GrahamE on June 15, 2007, 01:07:04 AM
By the way, which is your file system, NTFS or FAT32?

NTFS
Title: Re: CCleaner Trojans
Post by: Lisandro on June 15, 2007, 01:21:33 AM
NTFS
Same here... It was just a guess...
I'm still jumping in the dark with your problem. It would be good if at any time the Alwil team jumped in here, read at least the last posts and helped us...
Title: Re: CCleaner Trojans
Post by: jet-doc on June 15, 2007, 02:21:48 AM
I need a little help here. From reading this forum it looks like people who have installed avast are getting hit hard with these viruses. Does anyone know what is going on? What was described here is exactly what just started happening on my niece's computer shortly after the avast install. She got her home page changed and tons of porn on the screen, and she is only 10, so I am not a happy camper about all of this. I need some help. I have avast, SUPERAntiSpyware, Spybot and Ad-Aware on the computer; with this combination she should be on easy street, however it appears she is on 42nd Street instead.

Thank You
Jet

Oh well that's really great! I'm infested with traces of Trojans and I'm a pervert!!  ;D
Title: Re: CCleaner Trojans
Post by: Lisandro on June 15, 2007, 02:57:33 AM
jet-doc, it would be good if you start a new thread and not use the CCleaner one, as your (her) problem does not seem related to this one. Anyway, please post more info about the problem and her computer, helping us to help you:

We will need more information to be able to help you:
- Which OS are you using? Is it up to date?
- What avast! version and VPS file (virus database) number?
- What was the filename and path where the virus was found?
- Which actions have you taken to try solving the problem?
- Do you use a firewall? Which one?

Oh, don't forget to start a new thread.
Title: Re: CCleaner Trojans
Post by: Gabriele 08 on June 15, 2007, 05:40:36 AM
Why haven't there been more people than us few having a problem with it? Surely you would expect everyone who uses CCleaner and Avast to have experienced the same thing, and as we know from Tech, that isn't the case.  ???
I won't expect that... each computer, one behavior...
Like humans...there are not two absolutely alike  :P

I think (or I suppose) that other people may also have experienced the same situation, but without coming here and participating. After you and me, for instance, we have seen Dangerman, Thomas (then disappeared) and Philly.
Well, not enormous numbers...but there are some! And I suppose that "in the background" there are more.
By the way, if now things are changing about the files in our chests, I believe that avast is working on this (otherwise...? ? ?), and if the matter was not to be ascribed in some way or other to avast OR to CCleaner OR to a combination of the two, I think we would never have seen these changes!

Aah GrahamE, another thing I'm thinking is that you and I have the habit of cleaning temp, cache, etc. daily. How many people do you know doing the same?
Example: if I run CCleaner only once a month (and I know people...) and avast gives me a warning for trojans, I may see the situation from a different perspective, thinking that avast works well, and nothing more. So I view the situation as an absolutely normal one. (Just an idea, a hypothesis, of course)

NTFS me too.

P.S. Tomorrow I have to go away from my city, for some days. So please, no bad news on my return  ;D
Greetings
Title: Re: CCleaner Trojans
Post by: GrahamE on June 15, 2007, 09:57:19 AM
It will be good if at anytime Alwil team jump here, and read at least the last posts and help us...

Well I'll certainly second that!

Example: if I run CCleaner only once a month (and I know people...) and avast gives me a warning for trojans, I may see the situation from a different perspective, thinking that avast works well, and nothing more. So I view the situation as an absolutely normal one. (Just an idea, a hypothesis, of course)

Yeah, you could well be right. And as you also say, others have appeared with the same problem, so there will probably be others as well.

Tomorrow I have to go away from my city, for some days. So please, no bad news on my return  ;D

We'll have it all sorted out by the time you get back!  ;D Have a good trip.
Title: Re: CCleaner Trojans
Post by: Dangerman on June 15, 2007, 10:25:07 AM
Aah GrahamE, another thing I'm thinking is that you and I have the habit of cleaning temp, cache, etc. daily. How many people do you know doing the same?
Example: if I run CCleaner only once a month (and I know people...) and avast gives me a warning for trojans, I may see the situation from a different perspective, thinking that avast works well, and nothing more. So I view the situation as an absolutely normal one. (Just an idea, a hypothesis, of course)

NTFS me too.

P.S. Tomorrow I have to go away from my city, for some days. So please, no bad news on my return  ;D
Greetings
And remember, if you are using the older version of CCleaner prior to around 28/04, Avast won't pick them up.  I reverted to an older version at one stage and everything came up clean after each scan.  I'm sure there are many users of CCleaner who probably haven't upgraded, or who may be using another anti-virus application as on access which wouldn't pick them up (as experience has shown that nothing else detects these trojans).
Title: Re: CCleaner Trojans
Post by: Lisandro on June 15, 2007, 01:45:21 PM
And remember, if you are using the older version of CCleaner prior to around 28/04, Avast won't pick them up.  I reverted to an older version at one stage and everything came up clean after each scan.  I'm sure there are many users of CCleaner who probably haven't upgraded, or who may be using another anti-virus application as on access which wouldn't pick them up (as experience has shown that nothing else detects these trojans).
Another reason to correct the false positive detection.
Title: Re: CCleaner Trojans
Post by: mauserme on June 15, 2007, 02:00:23 PM
GrahamE and Gabriel08 mentioned that they use the secure deletion option, but what about the others?  And if you turn this option off does the problem persist?
Title: Re: CCleaner Trojans
Post by: GrahamE on June 15, 2007, 05:44:44 PM
GrahamE and Gabriel08 mentioned that they use the secure deletion option, but what about the others?  And if you turn this option off does the problem persist?

Very difficult to tell, since there is no pattern to the alerts anyway. I haven't had anything for 2 days now, deleting in secure mode. If I turn it off, I may still not get alerts, but I won't know if that's because I've gone to single-overwrite, or whether there's been nothing to alert on (or, Avast have finally sorted this!  ;D), and I wouldn't have got alerts with 3-overwrite as well (if you see what I mean!). The only way I'd know is if I revert to single-write deletion and I get an alert.
Title: Re: CCleaner Trojans
Post by: Rick F on June 15, 2007, 06:35:38 PM
Quote from: Gabriele 08
Aah GrahamE, another thing I'm thinking is that you and I have the habit of cleaning temp, cache, etc. daily. How many people do you know doing the same?

I use CCleaner almost every day to clean out temp files, typed URLs, & cookies (don't trust reg cleaner), and I've not had this trouble with avast detecting any trojans.

BUT, I'm still on an older version of avast! (4.7.942). It's because of this thread and the one with 'reboot @ every update' that's kept me from updating the program.

Quote from: Dangerman
I'm sure there are many users of CCleaner who probably haven't upgraded,


Yep, that's me as well.  I haven't upgraded CCleaner either.

Hope this helps.
Title: Re: CCleaner Trojans
Post by: Lisandro on June 15, 2007, 07:39:49 PM
or, Avast have finally sorted this!  ;D
For this reason an official word would be good... we're losing time trying to help and not a word from them... I don't like these Alwil silences...
Title: Re: CCleaner Trojans
Post by: GrahamE on June 15, 2007, 08:27:59 PM
I'm still on an older version of avast! (4.7.942). It's because of this thread and the one with 'reboot @ every update' that's kept me from updating the program.

I suppose the only problem with that is that you could be leaving yourself open to whatever the update protects you from. Also, as Tech and Gabriele 08 pointed out, each PC is different, and there's no reason why you should suffer the same problems as others. While I hate to tempt fate, I have had no problems with having to reboot after updates after upgrading to 4.7.1001, yet I have suffered the problems with CCleaner, while others haven't.

For this reason an official word would be good... we're losing time trying to help and not a word from them... I don't like these Alwil silences...

But then to be fair, this thread's only been going for a month, and with only 200 posts, perhaps it hasn't been noticed yet... 8)
Title: Re: CCleaner Trojans
Post by: Lisandro on June 15, 2007, 09:13:09 PM
But then to be fair, this thread's only been going for a month, and with only 200 posts, perhaps it hasn't been noticed yet... 8)
Maybe a grin would be better than a cool smile ;D
Title: Re: CCleaner Trojans
Post by: GrahamE on June 15, 2007, 09:20:08 PM
Maybe a grin would be better than a cool smile ;D

I was using the shades to hide the tears welling up in the eyes!  ;D
Title: Re: CCleaner Trojans
Post by: Lisandro on June 15, 2007, 10:45:39 PM
I was using the shades to hide the tears welling up in the eyes!  ;D
There is not a reason to be ashamed of the tears  :'( :'( :'(
Title: Re: CCleaner Trojans
Post by: philly12 on June 16, 2007, 12:47:39 AM
I have been using the very latest versions of avast (fully updated every day) and the latest version of CCleaner.  I have a feeling that many people do not upgrade CCleaner very often because the update feature isn't that noticeable and there really isn't an auto-update feature (that I notice).  Maybe this has something to do with the fact that not many people are complaining.
Title: Re: CCleaner Trojans
Post by: Dangerman on June 16, 2007, 09:22:49 PM
GrahamE and Gabriel08 mentioned that they use the secure deletion option, but what about the others?  And if you turn this option off does the problem persist?
I use the secure deletion option, 3 passes. 

Nothing detected since 11th June, so it's looking good so far, but the HAI [Trj] still comes up as a virus when scanned in the chest.
Title: Re: CCleaner Trojans
Post by: Dangerman on June 28, 2007, 10:18:56 AM
Very strange.  16 days totally clean, nothing picked up having used CCleaner deleting the Firefox cache many times, and then last night Win32:Agent-HAI [Trj] turns up again.  Only had this one once before, on 1st June, when it was picked up with a "G" [Trj].

As others on this thread have also had Win32:Agent-HAI [Trj] turn up alongside the "G" series trojans, I'm still convinced that this is another false positive and Avast haven't got around to it yet, but really strange the time period lag of this being picked up.

Anyone else still having this problem?
Title: Re: CCleaner Trojans
Post by: GrahamE on June 28, 2007, 11:19:11 PM
Yeah, it's certainly strange that it's suddenly appeared after all this time. I've also been clean for 16 days. The HAI 'Trojans' in the Chest are still being alerted on.

In the absence of any response from 'the team' or updates to sort this out, I think I've stumbled across what I hope is a solution, for me at any rate. Both Tech and Gabriele 08 pointed out that every PC is unique, and what happens to one may well not happen to another with the same software installed. My solution (ok, I was going to buy one anyway!) arrived by courier today, in the shape of a swishy new(ish) PC!! It's lovely!  ;D ;D

If I come back to this thread because I've had alerts, there'll be tears!
Title: Re: CCleaner Trojans
Post by: Lisandro on June 29, 2007, 02:51:16 PM
Very strange.  16 days totally clean, nothing picked up having used CCleaner deleting the Firefox cache many times, and then last night Win32:Agent-HAI [Trj] turns up again.  Only had this one once before, on 1st June, when it was picked up with a "G" [Trj].
Did you try to remove CCleaner completely, removing its folder, rebooting and installing CCleaner again (latest version)?
If this does not work, can you uninstall Firefox and start its installation all over again?
Title: Re: CCleaner Trojans
Post by: GrahamE on June 29, 2007, 03:03:44 PM
Did you try to remove CCleaner completely, removing its folder, rebooting and installing CCleaner again (latest version)?
If this does not work, can you uninstall Firefox and start its installation all over again?

Sorry Tech, but how will this help with Avast false positives? Surely we've all been waiting for Avast to update its definitions to stop these 'alerts', haven't we??
Title: Re: CCleaner Trojans
Post by: Lisandro on June 29, 2007, 03:16:13 PM
Sorry Tech, but how will this help with Avast false-positives?
I was absolutely sure you'll ask this question... Like playing Chess.
My thinking is: if we have a 15-page issue not solved, not reproducible on all computers, and avast isn't being corrected... I'm just guessing the problem could be in the CCleaner/Firefox files. I know uninstalling Firefox is a pain (install all extensions again, etc.) but, after all, it's a test. I suggest an installation from scratch in a folder that didn't exist before.

Surely we've all been waiting for Avast to update its definitions to stop these 'alerts', haven't we??
Sure... but why aren't we seeing that... Maybe Alwil team is not working hard, maybe they can't manage this (as it is not reproducible...).
Title: Re: CCleaner Trojans
Post by: GrahamE on June 29, 2007, 05:03:06 PM
I'm just guessing the problem could be in the CCleaner/Firefox files. I know uninstalling Firefox is a pain (install all extensions again, etc.) but, after all, it's a test. I suggest an installation from scratch in a folder that didn't exist before.

Except my 'Trojans' weren't found in the Firefox files (I don't, and never have had Firefox).

Maybe Alwil team is not working hard, maybe they can't manage this (as it is not reproducible...).

They did manage to deal with the 'G' series of alerts though, and they certainly took their time doing that!! Maybe Alwil team is not working hard.......

Like playing Chess.

I was always better at draughts myself.  ;D
Title: Re: CCleaner Trojans
Post by: Lisandro on June 29, 2007, 08:36:49 PM
Maybe Alwil team is not working hard...
I don't even want to think about this... :'(
Title: Re: CCleaner Trojans
Post by: GrahamE on June 29, 2007, 09:07:56 PM
I don't even want to think about this... :'(

It's a little difficult to think anything else really. If only there was some sort of response from them, these doubts wouldn't arise. After this amount of time, this amount of pages and posts,.......
Title: Re: CCleaner Trojans
Post by: Lisandro on June 29, 2007, 09:54:33 PM
If only there was some sort of response from them
I won't expect this in a 15-page thread... maybe we need to start a new one, with the problems that we have right now, forgetting the past...
Title: Re: CCleaner Trojans
Post by: GrahamE on June 29, 2007, 10:47:24 PM
Trouble is, that while I'm continuing to post in this thread, I don't have the problem anymore. As detailed above, I inadvertently found a solution by buying a different PC. So unless it starts with this one as well, I'm now in the same boat as you - I'm using CCleaner with no problems (Tempting fate?  ;D).

Obviously you know far more about the inner workings of Alwil than I do (it wouldn't be difficult to know more than me, I must admit!  ;D), but if they've failed to take notice of a thread that's been going this long, what chance does a new thread have? This thread has been hovering near the top of the forum list for well over a month now, and yet there's been no input at all. >:(
Title: Re: CCleaner Trojans
Post by: Lisandro on June 30, 2007, 01:20:22 AM
But if they've failed to take notice of a thread that's been going this long, what chance does a new thread have?
Well, it's hard to follow such a long thread... I think IF we have a problem, posting in a new thread would help.
Maybe we should stop posting in a solved thread ;D

This thread has been hovering near the top of the forum list for well over a month now, and yet there's been no input at all. >:(
Now it's more difficult than ever...
Title: Re: CCleaner Trojans
Post by: GrahamE on June 30, 2007, 02:04:30 PM
Well, it's hard to follow such a long thread... I think IF we have a problem, posting in a new thread would help.
Maybe we should stop posting in a solved thread ;D

Well, yes, I agree that it would be a bit mind-numbing to read through the whole thing. It's a pity that they haven't responded to the files that I (and I assume others) have sent to them from the Chest, and resolved it long ago. We wouldn't really need a comment from them if they'd done that, since this thread would have stopped weeks ago. If it is assumed (and I think it now is) that these are false results, then in a way there isn't a problem, it's more an irritation. Like most people, I'd prefer that irritation to be stopped, because it's.....irritating.

I don't feel that I can really start the new thread, since my problem/irritation has been (hopefully) solved. There is also no guarantee that they'll respond to the new thread anyway - they certainly didn't bother when this thread began, all those years ago.  ;D Perhaps I should start a thread entitled "ALWIL - LOOK AT THREAD http://forum.avast.com/index.php?topic=28377.0 OR DIE THE DEATH OF A THOUSAND CUTS"  8)

Title: Re: CCleaner Trojans
Post by: Lisandro on June 30, 2007, 02:35:33 PM
Well, yes, I agree that it would be a bit mind-numbing to read through the whole thing. It's a pity that they haven't responded to the files that I (and I assume others) have sent to them from the Chest, and resolved it long ago. We wouldn't really need a comment from them if they'd done that, since this thread would have stopped weeks ago.
Yeah. Their fault on not correcting the false positives... Shame...

If it is assumed (and I think it now is) that these are false results, then in a way there isn't a problem, it's more an irritation. Like most people, I'd prefer that irritation to be stopped, because it's.....irritating.
Nobody likes a false positive...
Title: Re: CCleaner Trojans
Post by: Dangerman on July 02, 2007, 10:40:55 AM
Very strange.  16 days totally clean, nothing picked up having used CCleaner deleting the Firefox cache many times, and then last night Win32:Agent-HAI [Trj] turns up again.  Only had this one once before, on 1st June, when it was picked up with a "G" [Trj].
Did you try to remove CCleaner completely, removing its folder, rebooting and installing CCleaner again (latest version)?
If this does not work, can you uninstall Firefox and start its installation all over again?
While I agree with GrahamE that this is not about Firefox, I had been having a problem for a while with a Java Null Pointer exception, so I completely uninstalled FF last night as I needed to see if I could resolve that.  Well, the good thing is that the null pointer exception problem seems to have been resolved by doing this.  I ran CCleaner afterwards and nothing showed up.  However, as we know, these trojans are not picked up every time.  I had the HAI [Trj] 3 times on Saturday, which was most unusual as I have only had it twice before since this began.  I may well do a complete uninstall of CCleaner later today just to see what happens.  I still think however that this is something that rests with Avast to sort out.

Well done to GrahamE for solving his problem by getting a "relatively" new PC. That's a novel way to sort it out.  ;)

Title: Re: CCleaner Trojans
Post by: Dangerman on August 03, 2007, 12:19:37 AM
For everyone who was following this thread, Win32:Agent-HAI [Trj] is now showing as no virus in the virus chest.  I think this one can finally be put to rest.
Title: Re: CCleaner Trojans
Post by: GrahamE on August 03, 2007, 01:03:58 AM
And after less than 3 months as well! I'm just glad they were false positives......... ;D
Title: Re: CCleaner Trojans
Post by: Lisandro on August 03, 2007, 04:13:19 PM
Uff... finally the false positives were corrected.
Title: Re: CCleaner Trojans
Post by: GrahamE on August 30, 2007, 09:11:22 PM
While I'm waiting for the completed version of CCleaner 2.0 to come out before using it, it's interesting that the Beta version has "new installer routines to prevent false positives by anti-virus programs".

Perhaps they did listen!! :D
Title: Re: CCleaner Trojans
Post by: Lisandro on August 30, 2007, 09:22:26 PM
While I'm waiting for the completed version of CCleaner 2.0 to come out before using it, it's interesting that the Beta version has "new installer routines to prevent false positives by anti-virus programs".
Did you install the beta? Test it?
Is it stable? Can we 'upgrade' from version 1 to 2 Beta?
Title: Re: CCleaner Trojans
Post by: GrahamE on August 30, 2007, 09:50:32 PM
No, I haven't, I'm waiting for the completed version. With all my past problems with CCleaner, I thought this was wise!!  ;D
Title: Re: CCleaner Trojans
Post by: GrahamE on September 01, 2007, 01:51:33 AM
Changed my mind and installed it anyway, Christ, you only live once...

Seems ok. I use ZA Free firewall, and the old CCleaner couldn't remove the ZA log files except after a restart for some reason, and so I always had a certain number of bytes 'to be removed', but the 'bytes removed' would be '0' after a couple of runs, which told me that the only things not removed were the ZA logs.

With version 2.0 however, I can never get to '0 bytes removed'. No matter how many times I run the cleaner, it shows '201 bytes removed' (made up of 134 bytes from 'IE Temporary Internet Files', and 67 bytes from 'Doc & Settings\.......\History.IE5\desktop.ini').

Whether this is a fault with the Beta, or something that the earlier versions should have been doing, I have no idea, although I'm sure people on here with more computer knowledge than myself will know!   
Title: Re: CCleaner Trojans
Post by: Lisandro on September 01, 2007, 03:32:06 AM
Changed my mind and installed it anyway, Christ, you only live once...
I'm testing it too. Today we have an update of it.
CCleaner (Crap Cleaner) (Beta) 2.00.495 RC: http://fileforum.betanews.com/detail/CCleaner_Crap_Cleaner_Beta/1100194579/2
Title: Re: CCleaner Trojans
Post by: GrahamE on September 01, 2007, 11:16:45 AM
I'm testing it too. Today we have an update of it.

This latest update has removed the problem I described in my last post. I'm now just left with the ZA log files 'to be removed', with '0 bytes removed' after a couple of runs.

From the 'change log' (http://www.filehippo.com/download_ccleaner/changelog/) details ('scan now filters out desktop.ini files'), it's almost as if they're reading my posts and acting on them! Just in case they are, I really do feel that a cash reward should be given to everyone who uses CCleaner.....