Author Topic: CCleaner Trojans  (Read 140856 times)

Offline thomas01155

  • Newbie
  • *
  • Posts: 7
Re: CCleaner Trojans
« Reply #60 on: May 25, 2007, 11:47:25 PM »
I might eat my computer. I found another trojan; it didn't tell me the name. This was yesterday. Can't type much on PSP :P

Offline mauserme

  • Massive Poster
  • ****
  • Posts: 2475
Re: CCleaner Trojans
« Reply #61 on: May 26, 2007, 12:08:00 AM »
2GrahamE - If you turn off CounterSpy's automatic updates does it help?

2thomas01155 - Do you also use CounterSpy?
"If at first you don't succeed keep on sucking 'till you do succeed" - Curley Howard in Movie Maniacs (1935)

Offline thomas01155

  • Newbie
  • *
  • Posts: 7
Re: CCleaner Trojans
« Reply #62 on: May 26, 2007, 12:10:38 AM »
Nope, never used it.

Offline GrahamE

  • Sr. Member
  • ****
  • Posts: 232
Re: CCleaner Trojans
« Reply #63 on: May 26, 2007, 12:18:09 AM »
Quote from: mauserme
If you turn off CounterSpy's automatic updates does it help?

I don't have it set to update automatically. Zone Alarm and Avast are the only things I have set to auto. Everything else is done manually.

Offline mauserme

  • Massive Poster
  • ****
  • Posts: 2475
Re: CCleaner Trojans
« Reply #64 on: May 26, 2007, 01:33:06 AM »
So much for that theory ...

This is either the worst polymorphic root kit trojan sob ever conceived by the mind of man, or a bunch of false positives.  I think I'll stick with the latter.

Most of the detections seem to center around the 25 April and 13 May updates, both of which were quite large.  I think with that many definitions released there will be some FP's, so maybe uploading samples to avast! as false positives will be the solution to this dilemma.


2thomas01155

Don't turn your back on Graham.  I've heard he's kind of a perv.

Offline GrahamE

  • Sr. Member
  • ****
  • Posts: 232
Re: CCleaner Trojans
« Reply #65 on: May 26, 2007, 02:05:25 AM »
Quote from: mauserme
so maybe uploading samples to avast! as false positives will be the solution to this dilemma.

I've sent everything I've detected off to them, with a link to this thread, at Tech's suggestion.

Quote from: mauserme
Don't turn your back on Graham.  I've heard he's kind of a perv.

I never said I was that kind of perv!  ;D

Offline Gabriele 08

  • Jr. Member
  • **
  • Posts: 39
Re: CCleaner Trojans
« Reply #66 on: May 26, 2007, 05:28:31 AM »
I dunno if this helps. I'm experiencing the same problem: it only picks it up when I use CCleaner, all different variants of the win32:agent-GVO virus/trojan. Avast only added it to the defs yesterday. If I just scan the Firefox cache nothing is picked up, only when I use CCleaner.
Thomas, welcome to "CCleaner-Avast troubles CLUB"  :(

Quote from: GrahamE
It certainly helps to be not the only one  :D
You were just not alone...

Offline thomas01155

  • Newbie
  • *
  • Posts: 7
Re: CCleaner Trojans
« Reply #67 on: May 26, 2007, 09:56:36 AM »
I just sent them some peanut butter in thomas. I don't have the latest CCleaner, I have .502

Offline GrahamE

  • Sr. Member
  • ****
  • Posts: 232
Re: CCleaner Trojans
« Reply #68 on: May 26, 2007, 11:30:58 AM »
Quote from: thomas01155
I don't have the latest CCleaner, I have .502

The problem started at the end of April (27th seems about right) with version 1.39.502, and is still going strong with 1.40.520, the new version. The problem though seems to be with Avast detecting traces of viruses as CCleaner deletes things, rather than with CCleaner itself.

Quote from: thomas01155
peanut butter in thomas

 :o I don't think I want to be in this Club!

Offline GrahamE

  • Sr. Member
  • ****
  • Posts: 232
Re: CCleaner Trojans
« Reply #69 on: May 26, 2007, 01:21:03 PM »
Just been scanning with Adaware SE (Def. File SE1R172 22.05.07) and found another. I sent it to Chest but it just kept warning over and over. Sent 5 to Chest, then gave up and ignored it. I've sent them to Avast again, with link to this.

Log:

26/05/2007 11:07:30   GE   1480   Sign of "Win32:Agent-GHL [Trj]" has been found in "C:\DOCUME~1\GE\LOCALS~1\Temp\AAWTMP\C2922546\3932046" file. 
26/05/2007 11:12:01   GE   1480   Sign of "Win32:Agent-GHL [Trj]" has been found in "C:\DOCUME~1\GE\LOCALS~1\Temp\AAWTMP\C2922546\4202562" file. 
26/05/2007 11:12:21   GE   1480   Sign of "Win32:Agent-GHL [Trj]" has been found in "C:\DOCUME~1\GE\LOCALS~1\Temp\AAWTMP\C2922546\4223343" file. 
26/05/2007 11:12:34   GE   1480   Sign of "Win32:Agent-GHL [Trj]" has been found in "C:\DOCUME~1\GE\LOCALS~1\Temp\AAWTMP\C2922546\4236281" file. 
26/05/2007 11:13:06   GE   1480   Sign of "Win32:Agent-GHL [Trj]" has been found in "C:\DOCUME~1\GE\LOCALS~1\Temp\AAWTMP\C2922546\4268406" file. 
26/05/2007 11:13:32   GE   1480   Sign of "Win32:Agent-GHL [Trj]" has been found in "C:\DOCUME~1\GE\LOCALS~1\Temp\AAWTMP\C2922546\4293937" file. 

If these are false-positives, I wish someone up high would sort them out. It's been going on for a month now. I know they've got more to do than this, and they're very busy, but.....

On the other hand, if they're not FP's, it would be nice to be told, because my system is riddled with the things!

Offline GrahamE

  • Sr. Member
  • ****
  • Posts: 232
Re: CCleaner Trojans
« Reply #70 on: May 26, 2007, 01:36:04 PM »
 :'(

26/05/2007 12:28:54   GE   1480   Sign of "Win32:Agent-GXN [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat" file. 

CCleaner.
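An added example (not part of any post in this thread, and not Avast's or CCleaner's code): a Python triage of warning-log lines in the format GrahamE posted, grouping hits by signature and folder so that repeated alerts on short-lived files in another tool's working folder stand out. The `TRANSIENT_MARKERS` list and the field name `num` are assumptions made for this example.

```python
import re
from collections import defaultdict
from ntpath import dirname  # splits Windows paths on any OS

# Three of the GHL lines and the GXN line, copied from the posts above.
SAMPLE_LOG = r'''
26/05/2007 11:07:30   GE   1480   Sign of "Win32:Agent-GHL [Trj]" has been found in "C:\DOCUME~1\GE\LOCALS~1\Temp\AAWTMP\C2922546\3932046" file.
26/05/2007 11:12:01   GE   1480   Sign of "Win32:Agent-GHL [Trj]" has been found in "C:\DOCUME~1\GE\LOCALS~1\Temp\AAWTMP\C2922546\4202562" file.
26/05/2007 11:12:21   GE   1480   Sign of "Win32:Agent-GHL [Trj]" has been found in "C:\DOCUME~1\GE\LOCALS~1\Temp\AAWTMP\C2922546\4223343" file.
26/05/2007 12:28:54   GE   1480   Sign of "Win32:Agent-GXN [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat" file.
'''

# The number after the user name is unlabelled on the page; kept as "num".
LINE_RE = re.compile(
    r'(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2})\s+'
    r'(?P<user>\S+)\s+(?P<num>\d+)\s+'
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.')

# Assumption: folders where another tool keeps short-lived working copies.
TRANSIENT_MARKERS = ("\\temp\\aawtmp\\", "\\temporary internet files\\")

def parse(log):
    """Return one dict per detection line; anything else is skipped."""
    matches = (LINE_RE.match(line.strip()) for line in log.splitlines())
    return [m.groupdict() for m in matches if m]

def summarise(hits):
    """Group hits by (signature, folder), largest group first."""
    groups = defaultdict(list)
    for hit in hits:
        groups[(hit["sig"], dirname(hit["path"]))].append(hit)
    rows = []
    for (sig, folder), items in groups.items():
        lowered = folder.lower() + "\\"
        rows.append({
            "signature": sig, "folder": folder, "count": len(items),
            "first": items[0]["time"], "last": items[-1]["time"],
            "transient": any(m in lowered for m in TRANSIENT_MARKERS),
        })
    return sorted(rows, key=lambda r: r["count"], reverse=True)

if __name__ == "__main__":
    for row in summarise(parse(SAMPLE_LOG)):
        print(row)
```

Rows flagged `transient` in a folder that another scanner or cleaner is working in are the ones to submit as suspected false positives; hits outside such folders need a closer look.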

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67247
Re: CCleaner Trojans
« Reply #71 on: May 26, 2007, 01:46:32 PM »
I'm with CCleaner 1.40.520 and have never had a problem.
It's strange that other antispywares are detecting infections, now Ad-aware  ::)
I was thinking of false positives, now I'm not so sure.

Why don't you try a full computer online scan:
Kaspersky (very good detection rates)
Trendmicro housecall
AVGas (not necessary if you have AVG antispyware installed)
F-Secure
Panda ActiveScan
BitDefender (free removal of the malware)
HitmanPro (new online scanner with multiple scanners)
The best things in life are free.

Offline thomas01155

  • Newbie
  • *
  • Posts: 7
Re: CCleaner Trojans
« Reply #72 on: May 26, 2007, 03:27:18 PM »
Kaspersky online found Trojan-Dropper.Win32.Mudrop.z

C:\Program Files\InstallShield Installation Information\{35CB6715-41F8-4F99-8881-6FC75BF054B0}\setup.exe   Infected: Trojan-Dropper.Win32.Mudrop.z   skipped
C:\Program Files\InstallShield Installation Information\{E0DB6D6E-2317-4EAF-9896-E2DE6559EF82}\setup.exe   Infected: Trojan-Dropper.Win32.Mudrop.z   skipped
C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe   Infected: Trojan-Dropper.Win32.Mudrop.z   skipped
C:\Program Files\PeerGuardian2\history.db   Object is locked   skipped
C:\System Volume Information\MountPointManagerRemoteDatabase   Object is locked   skipped
C:\System Volume Information\_restore{80F09174-9BC6-4D4E-89E5-C2C0C0CCD4B7}\RP63\A0029831.exe   Infected: Trojan-Dropper.Win32.Mudrop.z   skipped
C:\System Volume Information\_restore{80F09174-9BC6-4D4E-89E5-C2C0C0CCD4B7}\RP82\A0059947.exe   Infected: Trojan-Dropper.Win32.Mudrop.z   skipped
C:\System Volume Information\_restore{80F09174-9BC6-4D4E-89E5-C2C0C0CCD4B7}\RP98\change.log   Object is locked   skipped

Offline thomas01155

  • Newbie
  • *
  • Posts: 7
Re: CCleaner Trojans
« Reply #73 on: May 26, 2007, 03:39:13 PM »
Scan taken on 26 May 2007 13:28:28 (GMT)
A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Kaspersky Anti-Virus: Found Trojan-Dropper.Win32.Mudrop.z
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Rising Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing

Offline mauserme

  • Massive Poster
  • ****
  • Posts: 2475
Re: CCleaner Trojans
« Reply #74 on: May 26, 2007, 03:45:11 PM »
Are those the results of a Virus Total or Jotti scan of one of the setup.exe's?