CCleaner Trojans

[Gabriele 08]

Which 'threat' are you referring to?

Ehm...Sorry GrahamE,terribile mistake!
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe I confused this good voice related to OfficeXP alternative languages with a trojan   
Log seems ok, IMHO. Just to get away the thought, you could fix voice R0.

[GrahamE]

If not, what is yahoo_toolbar.exe, or surfer.exe? What the hell is penis32.exe?

POSSIBLE THREATS as stated.

Sorry, I don't understand. Does that mean I have those items on my PC? If so, where have they come from? Or are they in the SpywareBlaster defs? Or are they just a random list of possible threats?

Why do you have C:\Program Files\SpywareBlaster\spywareblaster.exe at the startup items? For what?

When I first got SpywareBlaster, I was told that it didn't load automatically at startup, and that you had to double-click the desktop icon each time, to load it. I got round this by sticking it in my startup folder, so the program loads at startup. Is this not right?

Ehm...Sorry GrahamE,terribile mistake!

PLEEASE!!!! don't do that to me!!!! 

[DavidR]

SpywareBlaster is a passive device, you download it run it once and apply the protection.. Periodically you run it and check for updates and download them if present, you then apply any new protection.

So it doesn't need to start on boot.

[GrahamE]

SpywareBlaster is a passive device. So it doesn't need to start on boot.

Oh, right, thank you. I'll take it out of the startup folder then!

Do you know anything about the 'things' (surfer.exe, yahoo_toolbar.exe, etc) I mentioned in reply #163?

[DavidR]

I have heard of the yahoo toolbar, in the same way as there is a google toolbar, though I have never used either of them, so I wouldn't know if yahoo_toolbar.exe was legit or in the correct location, so I would suggest a google search for that and surfer.exe.

However, that said, the ccleaner installs the yahoo toolbar if you don't uncheck it as an install option, that may be how you got it.

You should be able to see it in your browser as a selectable toolbar option. If you don't want it try - ToolbarCop http://www.snapfiles.com/get/toolbarcop.html

[Lisandro]

Sorry, I don't understand. Does that mean I have those items on my PC? If so, where have they come from? Or are they in the SpywareBlaster defs? Or are they just a random list of possible threats?

Not a random list, but a possible list, not an actual list, but only possibilities. Most probably you're not infected as the other antivirus and antispyware did not detect any infection.

When I first got SpywareBlaster, I was told that it didn't load automatically at startup, and that you had to double-click the desktop icon each time, to load it. I got round this by sticking it in my startup folder, so the program loads at startup. Is this not right?

I think they already answered it... SpywareBlaster is for immunization, don't need to be started.

[GrahamE]

I have heard of the yahoo toolbar, in the same way as there is a google toolbar, though I have never used either of them, so I wouldn't know if yahoo_toolbar.exe was legit or in the correct location, so I would suggest a google search for that and surfer.exe.

However, that said, the ccleaner installs the yahoo toolbar if you don't uncheck it as an install option, that may be how you got it.

You should be able to see it in your browser as a selectable toolbar option.

No, I don't have any additional tolbars except McAfee SiteAdvisor, that's why I was bothered. I always untick the option to have CCleaner install it. From what Tech has now said though, the list given wasn't necessarily stuff that was found on my PC anyway.  Thanks.

Not a random list, but a possible list, not an actual list, but only possibilities. Most probably you're not infected as the other antivirus and antispyware did not detect any infection.

This automated analysis can be frightening!  Thanks.

I think they already answered it... SpywareBlaster is for immunization, don't need to be started.

Thanks again.

[Dangerman]

Anyone still getting these trojans?  I haven't had any for a couple of days now, although in the past there have been gaps of 4 days. 

Scanning inside the virus chest still warns all of these Win32:Agent-"G" series as virus detected, only a couple now being classed as no virus.

[GrahamE]

Found one on the 5th and one on the 6th. Haven't had one today. Everything in the Chest is still alerted on when scanned.

[Gabriele 08]

Anyone still getting these trojans?.....

Here no news. Usual trend, sometimes yes, sometimes no...
During last days I didn't scan inside the chest, but I suppose to know results. Altough in the past, 4 of them changed status to 'no virus'.

[philly12]

I've been getting on-access reports of trojans too while running ccleaner.  Both of my computers are reporting Win32:Agent-"G" series trojans while cleaning with ccleaner and one of my computers is brand new with great protection* and i have only been to legit sites with it.  I have a good feeling that these are all false positives.  I hope something gets fixed soon though.  All the files that get detected are either temp or cache files.  On my new comp, I moved the temp files that were detected while cleaning with ccleaner (over the course of a few days) to the virus chest, and the strange thing is, right after i moved each one into the chest, I scanned each one in the chest and it reported "no virus".  That's very strange considering that avast! JUST said less than a minute ago with its on-access scanner that these files were infected.

I guess these are false positives.  It sure seems like it anyway.

*for protection I use: SUPERantispyware professional or Spyware Terminator (depending on what i'm doing because ST gives a lot of warnings when trying to setup software), PC tools firewall, Avast! free, Spybot, Adaware 2007, a-squared free, Spyware Blaster, AdvancedWindows Care, Ccleaner, and Clamwin (only for scanning) so you can see that my computer is pretty well protected.  I also haven't been to any bad sites on my new comp and always use Mcafee Siteadvisor to make sure a site is safe.

[GrahamE]

I also haven't been to any bad sites on my new comp and always use Mcafee Siteadvisor to make sure a site is safe.

That doesn't seem to matter (although no one has admitted going to anywhere iffy to completely test the theory!  ) which is another reason to support the idea of false results.

and the strange thing is, right after i moved each one into the chest, I scanned each one in the chest and it reported "no virus".  That's very strange considering that avast! JUST said less than a minute ago with its on-access scanner that these files were infected.

That's certainly different to what anyone else who's posted on here has been reporting. As you say, how it can detect something and literally a minute later not detect it is very strange. If it happened once with an update in-between, you could understand it, but if it's happening every time...


On the subject of Avast updating, I've just rescanned everything in the Chest, and have 'no virus' on 41 out of 44 of the items in there, including a couple it found last night. I'm guessing this is update 748-5 from earlier today. The only things I'm left with at the moment are a few of:

13/06/2007 00:56:17   SYSTEM   1492   Sign of "Win32:Agent-HAI [Trj]" has been found in "C:\Documents and Settings\GE\Application Data\Sun\Java\Deployment\cache\6.0\19\1246cf13-76fb977b" file.

which I've 'found' a few times. Hopefully, if Avast are now on to this, they'll soon be gone as well, and this matter will finally be sorted out.

EDIT:
And they keep coming...
13/06/2007 19:58:24   GE   1464   Sign of "Win32:Agent-HAI [Trj]" has been found in "C:\Recycler\S-1-5-21-790525478-688789844-725345543-1003\Dc2.jpg" file. 

First 'G' and then 'H', I just hope we're not going to go all the way through the alphabet!

[Dangerman]

Hopefully good news.  I've just scanned all the Trojans in the chest and all of the "G" series now come up as "no virus".  Only one, Win32:Agent-HAI [Trj] is still showing as a virus.  False positives it would seem.  Still, thanks to Avast for sorting them out.  I expect HAI will come up as false soon enough.

[philly12]

I'm having the same experience as dangerman now.  I scanned every trojan in the chest that was detected during ccleaner cleaning and they all now come up as "no virus" except the  Win32:Agent-HAI [Trj]  trojans (three in my chest).  And Grahame mentioned earlier that avast might have updated between the ~30 seconds that it took me to move the suspicious on-access trojan to the chest and scan it in the chest (where it turned up no virus) but avast! did not update between that time, so it is very strange indeed. 

[Dangerman]

I only have one instance of finding Win32:Agent-HAI [Trj] on 1st June, so hopefully we are not going to go through the alphabet on this!