Author Topic: CCleaner Trojans

GrahamE

  • Guest
CCleaner Trojans
« on: May 16, 2007, 03:08:16 AM »
Hello all,

Whenever I log off from the internet, I use CCleaner to remove any Temp Internet Files, cookies, etc. Over the past couple of weeks, when I run it, Avast finds a trace of a Trojan when the cleaning is taking place. So far I have in the Chest:
Win32:Agent GYJ[Trj]
Win32:Agent GKD[Trj] (twice)
Win32:Agent GWO[Trj]
Win32:Agent GHL[Trj]
Win32:Nilage-FP[Trj]

I've sent them all to Avast from the Chest with an explanation.

I've run numerous boot-time scans and normal scans which find nothing, and none of my other anti-malware stuff finds anything.

Is anyone else experiencing this? I'm not visiting any iffy sites (honestly!! ;D). One appeared after being on eBay, here and the Dell Forum.


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: CCleaner Trojans
« Reply #1 on: May 16, 2007, 04:01:25 AM »
Does avast mention the name and the path of the infected file?
Did you disable the System Restore before running avast at boot time?
The best things in life are free.

GrahamE

Re: CCleaner Trojans
« Reply #2 on: May 16, 2007, 01:26:54 PM »
Hi Tech,

This is what I've got in the log viewer:

27/04/2007 21:55:41   GE   3024   Sign of "Win32:Agent-GKD [Trj]" has been found in "C:\WINDOWS\WindowsUpdate.log" file. 
28/04/2007 00:31:12   GE   1372   Sign of "Win32:Agent-GKD [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\WPSHGFSL\JJJJJJJJJJJJJJJJJJJJJJ.JJ" file. 
07/05/2007 00:25:26   GE   1484   Sign of "Win32:Agent-GKD [Trj]" has been found in "C:\WINDOWS\Internet Logs\VVVVVVVVV.VV.VV.VVV" file. 
09/05/2007 11:17:35   GE   1488   Sign of "Win32:Agent-GHL [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\86CTQTEM\YYYYYYYYYYYY.YYY" file. 
14/05/2007 14:37:05   GE   1512   Sign of "Win32:Agent-GYJ [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat" file. 
15/05/2007 12:07:32   GE   1384   Sign of "Win32:Nilage-FP [Trj]" has been found in "C:\WINDOWS\TEMP\{19EC4B5E-F950-4F72-ADB6-DEFB2148866C}\{EFB7D050-CAD2-11D4-B34D-00105A1C23DD}\XXXXXXXX.XXX" file. 
15/05/2007 20:28:29   GE   1412   Sign of "Win32:Agent-GWO [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\NTNMGHTF\LoJack%20ReRevised_400k[1].flv" file. 
16/05/2007 03:14:09   GE   1412   Sign of "Win32:Agent-GWO [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\9RLOOSBW\IIIIIIII.III" file. 
16/05/2007 03:14:26   GE   1412   Sign of "Win32:Agent-GVO [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\HNJH4TJO\IIIIIIIIIIII.III" file. 

I didn't disable System Restore before doing the boot scan. Since it didn't find anything, would disabling it have made any difference? I'll try it anyway, as my logic has let me down too many times before!!
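
Triage of the log-viewer lines above, as an added example that is not code from the thread or from Alwil: a small parser for the `Sign of "…" has been found in "…" file.` line format that buckets each hit by where on disk it landed, so a reader can see at a glance whether anything sits outside the browser cache, Windows temp and plain log files. The line format comes from the posted log; the bucket names and the closing non-detection line are my own assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Sample input: the avast! 4 log-viewer lines quoted in this thread (Reply #2 and
# Reply #8), plus one constructed non-detection line to show that it is skipped.
SAMPLE_LOG = r'''
27/04/2007 21:55:41   GE   3024   Sign of "Win32:Agent-GKD [Trj]" has been found in "C:\WINDOWS\WindowsUpdate.log" file.
28/04/2007 00:31:12   GE   1372   Sign of "Win32:Agent-GKD [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\WPSHGFSL\JJJJJJJJJJJJJJJJJJJJJJ.JJ" file.
07/05/2007 00:25:26   GE   1484   Sign of "Win32:Agent-GKD [Trj]" has been found in "C:\WINDOWS\Internet Logs\VVVVVVVVV.VV.VV.VVV" file.
09/05/2007 11:17:35   GE   1488   Sign of "Win32:Agent-GHL [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\86CTQTEM\YYYYYYYYYYYY.YYY" file.
14/05/2007 14:37:05   GE   1512   Sign of "Win32:Agent-GYJ [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat" file.
15/05/2007 12:07:32   GE   1384   Sign of "Win32:Nilage-FP [Trj]" has been found in "C:\WINDOWS\TEMP\{19EC4B5E-F950-4F72-ADB6-DEFB2148866C}\{EFB7D050-CAD2-11D4-B34D-00105A1C23DD}\XXXXXXXX.XXX" file.
15/05/2007 20:28:29   GE   1412   Sign of "Win32:Agent-GWO [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\NTNMGHTF\LoJack%20ReRevised_400k[1].flv" file.
16/05/2007 03:14:09   GE   1412   Sign of "Win32:Agent-GWO [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\9RLOOSBW\IIIIIIII.III" file.
16/05/2007 03:14:26   GE   1412   Sign of "Win32:Agent-GVO [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\HNJH4TJO\IIIIIIIIIIII.III" file.
16/05/2007 19:24:32   SYSTEM   1428   Sign of "Win32:Agent-GWO [Trj]" has been found in "C:\WINDOWS\TEMP\DDDDDDD.DDD" file.
16/05/2007 19:30:00   GE   1428   Update of the virus database finished.
'''

# One detection line: date, time, account, PID, signature name, path.
LINE_RE = re.compile(
    r'^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+'
    r'(?P<user>\S+)\s+(?P<pid>\d+)\s+'
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.$'
)


@dataclass
class Detection:
    when: datetime
    user: str        # account the scanned process ran as (GE vs SYSTEM in the thread)
    pid: int
    signature: str
    path: str
    location: str    # bucket assigned by classify_path()


def classify_path(path: str) -> str:
    """Bucket a detection path by how transient the location is (bucket names are my own)."""
    p = path.lower()
    if "\\temporary internet files\\" in p:
        return "ie_cache"       # browser cache: the area CCleaner is wiping when the alert fires
    if p.startswith("c:\\windows\\temp\\"):
        return "windows_temp"   # system-wide temp; note which account wrote there
    if p.endswith(".log") or "\\internet logs\\" in p:
        return "log_file"       # plain-text log: a string match in logged data, confirm by hand
    return "other"              # program dirs, system32, profiles: look at these first


def parse_line(line: str) -> Optional[Detection]:
    """Return a Detection for an avast! 'Sign of ... has been found' line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(f"{m['date']} {m['time']}", "%d/%m/%Y %H:%M:%S")
    path = m["path"]
    return Detection(when, m["user"], int(m["pid"]), m["sig"], path, classify_path(path))


def parse_log(text: str) -> List[Detection]:
    """Parse every line, silently skipping blank and non-detection lines."""
    return [d for d in (parse_line(ln) for ln in text.splitlines()) if d is not None]


def summarize(dets: List[Detection]) -> Dict[str, object]:
    """Group hits so the reader can see whether any sit outside caches, temp and logs."""
    return {
        "total": len(dets),
        "by_signature": dict(Counter(d.signature for d in dets)),
        "by_location": dict(Counter(d.location for d in dets)),
        "by_user": dict(Counter(d.user for d in dets)),
        "first_seen": min(d.when for d in dets) if dets else None,
        "last_seen": max(d.when for d in dets) if dets else None,
        # paths outside the transient buckets: the ones worth a sample upload and a closer look
        "needs_review": [d.path for d in dets if d.location == "other"],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

For the thread's ten hits every path falls into the cache, temp or log bucket and `needs_review` comes back empty, which matches the poster's experience that full scans find nothing resident.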

Offline Lisandro

Re: CCleaner Trojans
« Reply #3 on: May 16, 2007, 01:43:45 PM »
Since it didn't find anything, would disabling it have made any difference?
No. Disabling is a way to avoid reinfection by replication of the virus. If you don't have any, don't worry.

Can you submit the files to virus@avast.com and include a link to this thread in the email body? Thanks.

GrahamE

Re: CCleaner Trojans
« Reply #4 on: May 16, 2007, 03:17:29 PM »
I did it anyway and it found nothing again.

I've sent them all off, linking to this thread, as you said. One of them (#7 in the list) was a biggy (3588096KB).

Just wait and see, I guess. Thanks Tech.

Offline Lisandro

Re: CCleaner Trojans
« Reply #5 on: May 16, 2007, 03:54:34 PM »
One of them (#7 in the list) was a biggy (3588096KB).
You can use the Alwil FTP server as a second way to transfer only big files. Upload them to ftp://ftp.avast.com/incoming (please note that you won't have READ access to the FTP server, just write - so you won't even be able to see what you've just uploaded).
Hope they monitor the FTP server and see this thread...

GrahamE

Re: CCleaner Trojans
« Reply #6 on: May 16, 2007, 03:57:30 PM »
The big one was sent from the chest after I increased the 'file size to be sent' thingy.

Offline Lisandro

Re: CCleaner Trojans
« Reply #7 on: May 16, 2007, 04:45:01 PM »
The big one was sent from the chest after I increased the 'file size to be sent' thingy.
Better... 8)

GrahamE

Re: CCleaner Trojans
« Reply #8 on: May 16, 2007, 08:46:59 PM »
Just found another one. That's after being on here and nowhere else.

16/05/2007 19:24:32   SYSTEM   1428   Sign of "Win32:Agent-GWO [Trj]" has been found in "C:\WINDOWS\TEMP\DDDDDDD.DDD" file. 

I've sent it off again.

Offline calcu007

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 482
  • I'm lamma!
Re: CCleaner Trojans
« Reply #9 on: May 17, 2007, 12:35:58 AM »
Wow, you have a lot of viruses.. where do you browse?  ;D :P
Asus Intel i7 8GB RAM , Win 8.1 64 bit, Avast IS

GrahamE

Re: CCleaner Trojans
« Reply #10 on: May 17, 2007, 01:14:47 AM »
Oh well that's really great! I'm infested with traces of Trojans and I'm a pervert!!  ;D

mauserme

  • Guest
Re: CCleaner Trojans
« Reply #11 on: May 17, 2007, 02:23:08 AM »
Do you have any idea when this started (the malware, not the pervert thing)?  Let's try this:

Download Deckard's System Scanner (DSS) to your Desktop.
  • Close all applications and windows.
  • Double-click on DSS.exe to run it, and follow the prompts.
  • The scan may take a minute. When the scan is complete, a text file will open - Main.txt
Extra Note: When running DSS, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your Antivirus flags DSS as suspicious. Please allow Deckard's System Scanner to run and don't let your Antivirus delete it. (In this case, it may be better to temporarily disable your Antivirus.)

Post the main.txt from the C:\Deckard\System Scanner folder into your next reply.



none of my other anti-malware stuff finds anything.
What other programs have you tried?

GrahamE

Re: CCleaner Trojans
« Reply #12 on: May 17, 2007, 04:48:00 AM »
It started on 27th April (see log viewer in earlier post).

It'll be in the log below I guess, but I use Zone Alarm free, Avast, Counterspy (real-time protection and scanner), Adaware SE (real-time and scanner), WinPatrol, SpywareBlaster, SuperAntispyware (scanner only), Spyware Terminator (real-time and scanner), Spybot (scanner only), AVG antispyware (scanner only). Nothing has been found doing scans with any of them, including Avast.

Here is the main.txt:

Deckard's System Scanner v20070426.43
Run by GE on 2007-05-17 at 03:10:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2007-05-17 02:10:35 UTC - RP1 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-05-17 03:12:13
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.0.5730.11)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Documents and Settings\GE\My Documents\My Utilities\Deckards System Scanner\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TClockEx] C:\Documents and Settings\GE\My Documents\Unzipped\tclockex\TCLOCKEX.EXE
O4 - Startup: Blaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra 'Tools' menuitem: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: AtiExtEvent - C:\WINDOWS\system32\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\system32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"
O23 - Service: avast! Antivirus - ALWIL Software - "C:\Program Files\Alwil Software\Avast4\ashServ.exe"
O23 - Service: avast! Mail Scanner - ALWIL Software - "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service
O23 - Service: avast! Web Scanner - ALWIL Software - "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Microsoft Corp., Veritas Software - C:\WINDOWS\System32\dmadmin.exe /com
O23 - Service: iPod Service - Apple Inc. - "C:\Program Files\iPod\bin\iPodService.exe"
O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - "C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe"
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service



GrahamE

Re: CCleaner Trojans
« Reply #13 on: May 17, 2007, 04:49:30 AM »
2nd bit (too many characters for one post):
-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 AVG Anti-Spyware Driver - c:\program files\grisoft\avg anti-spyware 7.5\guard.sys
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R1 sp_rsdrv2 (Spyware Terminator Driver 2) - c:\windows\system32\drivers\sp_rsdrv2.sys
R2 ElbyCDIO (ElbyCDIO Driver) - c:\windows\system32\drivers\elbycdio.sys <Not Verified; Elaborate Bytes AG; CDRTools>
R3 AnyDVD - c:\windows\system32\drivers\anydvd.sys <Not Verified; SlySoft, Inc.; AnyDVD>
R3 ElbyCDFL - c:\windows\system32\drivers\elbycdfl.sys <Not Verified; SlySoft, Inc.; CloneCD>
R3 ElbyDelay - c:\windows\system32\drivers\elbydelay.sys <Not Verified; Elaborate Bytes AG; CDRTools>

S3 ati2mtaa - c:\windows\system32\drivers\ati2mtaa.sys <Not Verified; ATI Technologies Inc.; ATI Rage 128 Family>
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 sp_rssrv (Spyware Terminator Realtime Shield Service) - c:\program files\spyware terminator\sp_rsser.exe <Not Verified; Crawler.com; Crawler Spyware Terminator>

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Files created between 2007-04-17 and 2007-05-17 -----------------------------

2007-05-17 00:40:06         0 d-------- C:\Documents and Settings\All Users\Application Data\The Learning Company
2007-05-17 00:39:22         0 d-------- C:\Program Files\The Learning Company
2007-05-17 00:35:20         0 dr-h----- C:\Documents and Settings\GE\Recent
2007-05-16 19:16:02         0 d-------- C:\Program Files\Registrar Lite
2007-05-15 12:14:56         0 d-------- C:\NVIDIA
2007-05-08 01:42:38         0 d-------- C:\Documents and Settings\GE\Application Data\Spyware Terminator
2007-05-08 01:42:38         0 d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2007-05-08 01:42:31         0 d-------- C:\Program Files\Spyware Terminator
2007-05-08 01:39:37         0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-05-08 01:39:25         0 d-------- C:\Program Files\SUPERAntiSpyware
2007-05-08 01:38:52         0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-08 01:17:42         0 d-------- C:\WINDOWS\system32\appmgmt
2007-05-03 15:18:45         0 d-------- C:\Documents and Settings\GE\Application Data\ATI
2007-05-03 14:30:55         0 d-------- C:\WINDOWS\SxsCaPendDel
2007-05-02 22:19:54         0 d-------- C:\Program Files\Karen's Computer Profiler
2007-05-02 11:11:13         0 d-------- C:\Documents and Settings\Administrator\Application Data\SiteAdvisor
2007-05-02 11:09:55         0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-05-02 11:09:49         0 d-------- C:\Documents and Settings\Administrator\Application Data\WinPatrol
2007-05-02 11:08:49         0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-05-02 11:07:53         0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-05-02 11:07:53         0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-05-02 11:07:53         0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-05-02 11:07:53         0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-05-02 11:07:53         0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-05-02 11:07:53         0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-05-02 11:07:53         0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-05-02 11:07:53         0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-05-02 11:07:53         0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-05-02 11:07:53         0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-05-02 11:07:53         0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-05-02 11:07:53         0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-05-02 11:07:53         0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-05-02 10:27:56         0 d-------- C:\WINDOWS\system32\URTTemp
2007-04-24 00:09:33         0 d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2007-04-24 00:03:53         0 d-------- C:\WINDOWS\nview
2007-04-23 12:52:05         0 d-------- C:\WINDOWS\Sun
2007-04-23 12:52:05         0 d-------- C:\Documents and Settings\GE\Application Data\Sun
2007-04-23 12:50:39         0 d-------- C:\Documents and Settings\GE\Application Data\AdobeUM
2007-04-23 00:11:24         0 d-------- C:\Documents and Settings\GE\Application Data\OfficeUpdate12
2007-04-23 00:10:49         0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-04-22 14:40:51         0 d-------- C:\Documents and Settings\LocalService\Application Data\Spyware Terminator
2007-04-22 14:16:57         0 d-------- C:\Documents and Settings\GE\Application Data\SUPERAntiSpyware.com
2007-04-22 14:13:15         0 d-------- C:\Documents and Settings\LocalService\Desktop
2007-04-22 14:13:15         0 d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-04-22 14:12:48         0 d-------- C:\Program Files\SiteAdvisor
2007-04-22 14:12:40         0 d-------- C:\Documents and Settings\GE\Application Data\SiteAdvisor
2007-04-22 14:12:40         0 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-04-22 14:12:40         0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-04-22 14:00:55         0 d-------- C:\Program Files\Common Files\xing shared
2007-04-22 13:59:57         0 d-------- C:\Program Files\Common Files\Real
2007-04-22 13:59:55         0 d-------- C:\Program Files\Real
2007-04-22 13:59:37         0 d-------- C:\Documents and Settings\GE\Application Data\Real
2007-04-22 13:56:44         0 d-------- C:\My Downloads
2007-04-22 12:17:07         0 d-------- C:\Documents and Settings\GE\Application Data\Apple Computer
2007-04-22 12:16:38         0 d-------- C:\Program Files\iPod
2007-04-22 12:16:33         0 d-------- C:\Program Files\iTunes
2007-04-22 12:15:15         0 d-------- C:\Program Files\QuickTime
2007-04-22 12:14:38         0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-04-22 12:13:37         0 d-------- C:\Documents and Settings\GE\Application Data\Roxio
2007-04-22 12:09:04         0 d-------- C:\Program Files\Common Files\Napster Shared
2007-04-22 12:08:26         0 d-------- C:\Documents and Settings\All Users\Application Data\Napster
2007-04-22 12:08:14         0 d-------- C:\Program Files\Napster
2007-04-22 03:27:15         0 d-------- C:\Documents and Settings\GE\Application Data\Macromedia
2007-04-22 02:17:56         0 d-------- C:\WINDOWS\system32\ReinstallBackups
2007-04-22 00:42:33         0 d-------- C:\WINDOWS\system32\PreInstall
2007-04-22 00:42:30         0 d--h----- C:\WINDOWS\$hf_mig$
2007-04-22 00:38:12         0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-04-22 00:37:17         0 d--hs---- C:\Documents and Settings\GE\UserData
2007-04-22 00:24:13         0 d-------- C:\Documents and Settings\GE\Application Data\Lavasoft
2007-04-22 00:23:47         0 d-------- C:\Program Files\Lavasoft
2007-04-22 00:23:01         0 d-------- C:\Documents and Settings\GE\Application Data\WinPatrol
2007-04-22 00:22:55         0 d-------- C:\Program Files\BillP Studios
2007-04-22 00:22:41         0 d-------- C:\WINDOWS\Downloaded Installations
2007-04-22 00:20:34         0 d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2007-04-22 00:20:10         0 d-------- C:\Program Files\Sunbelt Software
2007-04-22 00:14:47         0 d-------- C:\Program Files\Alwil Software
2007-04-22 00:09:56         0 d-------- C:\WINDOWS\system32\ZoneLabs
2007-04-22 00:09:12         0 d-------- C:\WINDOWS\Internet Logs
2007-04-21 23:59:19         0 d-------- C:\Program Files\SAGEM

GrahamE

Re: CCleaner Trojans
« Reply #14 on: May 17, 2007, 04:51:17 AM »
3rd bit:

2007-04-21 23:58:36         0 d-------- C:\Program Files\Tiscali Broadband
2007-04-21 23:38:48         0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-04-21 23:36:38         0 d-------- C:\Program Files\SpywareBlaster
2007-04-21 23:34:59         0 d-------- C:\Documents and Settings\GE\Application Data\Google
2007-04-21 23:34:32         0 d-------- C:\Program Files\Google
2007-04-21 23:30:36         0 d-------- C:\Program Files\CCleaner
2007-04-21 23:29:19         0 d-------- C:\Program Files\PrivacyEraser Computing
2007-04-21 23:28:16         0 d-------- C:\Program Files\Java
2007-04-21 23:28:14         0 d-------- C:\Program Files\Common Files\Java
2007-04-21 23:27:03         0 d-------- C:\Documents and Settings\GE\Application Data\Adobe
2007-04-21 23:26:41         0 d-------- C:\Program Files\Common Files\Adobe
2007-04-21 23:26:37         0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-04-21 23:22:51         0 d-------- C:\Program Files\Veoh Networks
2007-04-21 20:45:30         0 d-------- C:\Program Files\Elaborate Bytes
2007-04-21 20:43:12         0 d-------- C:\Program Files\SlySoft
2007-04-21 20:41:03         0 d-------- C:\Program Files\Windows Media Connect 2
2007-04-21 20:39:53         0 d-------- C:\WINDOWS\system32\LogFiles
2007-04-21 20:39:53         0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-04-21 20:39:23         0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2007-04-21 20:38:36         0 d-------- C:\Program Files\Atomic Clock Sync
2007-04-21 20:38:01         0 d-------- C:\Program Files\IrfanView
2007-04-21 20:10:29         0 d-------- C:\Program Files\hp deskjet 3320 series
2007-04-21 20:09:06         0 d-------- C:\Program Files\Hewlett-Packard
2007-04-21 20:02:59         0 d-------- C:\Documents and Settings\GE\Application Data\Ahead
2007-04-21 20:01:37         0 d-------- C:\Program Files\Nero
2007-04-21 20:01:37         0 d-------- C:\Program Files\Common Files\Ahead
2007-04-21 10:20:00         0 d-------- C:\Documents and Settings\GE\Application Data\CyberLink
2007-04-21 10:19:24         0 d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2007-04-21 10:19:20         0 d-------- C:\Program Files\CyberLink
2007-04-21 10:13:13         0 d-------- C:\Program Files\Jasc Software Inc
2007-04-21 10:05:06         0 d-------- C:\Program Files\Common Files\L&H
2007-04-21 10:04:56         0 d-------- C:\Program Files\Microsoft ActiveSync
2007-04-21 10:04:47         0 d-------- C:\WINDOWS\SHELLNEW
2007-04-21 10:04:28         0 d-------- C:\Program Files\Microsoft Works
2007-04-21 10:03:18         0 dr-h----- C:\MSOCache
2007-04-21 10:02:50         0 d-------- C:\IUware Online
2007-04-21 09:56:30         0 d-------- C:\WINDOWS\system32\Defaults
2007-04-21 09:56:09         0 d-------- C:\WINDOWS\system32\Data
2007-04-21 09:54:12         0 d--h----- C:\Program Files\InstallShield Installation Information
2007-04-21 09:54:12         0 d-------- C:\Program Files\Creative
2007-04-21 09:54:09         0 d-------- C:\Program Files\Common Files\InstallShield
2007-04-21 08:56:58         0 d-------- C:\Documents and Settings\GE\Application Data\Identities
2007-04-21 08:56:49         0 d--h----- C:\Documents and Settings\GE\Templates
2007-04-21 08:56:49         0 dr------- C:\Documents and Settings\GE\Start Menu
2007-04-21 08:56:49         0 dr-h----- C:\Documents and Settings\GE\SendTo
2007-04-21 08:56:49         0 d--h----- C:\Documents and Settings\GE\PrintHood
2007-04-21 08:56:49         0 d--h----- C:\Documents and Settings\GE\NetHood
2007-04-21 08:56:49         0 dr------- C:\Documents and Settings\GE\My Documents
2007-04-21 08:56:49         0 d--h----- C:\Documents and Settings\GE\Local Settings
2007-04-21 08:56:49         0 dr------- C:\Documents and Settings\GE\Favorites
2007-04-21 08:56:49         0 d-------- C:\Documents and Settings\GE\Desktop
2007-04-21 08:56:49         0 d--hs---- C:\Documents and Settings\GE\Cookies
2007-04-21 08:56:49         0 dr-h----- C:\Documents and Settings\GE\Application Data
2007-04-21 08:51:40         0 d-------- C:\WINDOWS\SoftwareDistribution
2007-04-21 08:51:38         0 d---s---- C:\WINDOWS\system32\Microsoft
2007-04-21 08:51:38         0 d-------- C:\WINDOWS\Prefetch
2007-04-21 08:51:37         0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2007-04-21 08:51:37         0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2007-04-21 08:51:37         0 d-------- C:\Documents and Settings\LocalService\Application Data
2007-04-21 08:51:37         0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2007-04-21 08:50:47         0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2007-04-21 08:50:47         0 d---s---- C:\Documents and Settings\NetworkService\Cookies
2007-04-21 08:50:47         0 d-------- C:\Documents and Settings\NetworkService\Application Data
2007-04-21 08:50:47         0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2007-04-21 08:46:58         0 d-------- C:\WINDOWS\system32\xircom
2007-04-21 08:46:58         0 d-------- C:\Program Files\microsoft frontpage
2007-04-21 08:46:37         0 d-------- C:\DELL
2007-04-21 08:44:58         0 d--hs---- C:\Documents and Settings\All Users\DRM
2007-04-21 08:44:44         0 dr------- C:\WINDOWS\Offline Web Pages
2007-04-21 08:44:44         0 d---s---- C:\WINDOWS\Downloaded Program Files
2007-04-21 08:44:29         0 d--h----- C:\Program Files\WindowsUpdate
2007-04-21 08:44:06         0 d-------- C:\WINDOWS\system32\DirectX
2007-04-21 08:43:33         0 d---s---- C:\WINDOWS\Tasks
2007-04-21 08:43:32         0 d-------- C:\Program Files\Common Files\MSSoap
2007-04-21 08:43:29         0 d-------- C:\WINDOWS\srchasst
2007-04-21 08:43:28         0 d-------- C:\WINDOWS\system32\Macromed
2007-04-21 08:43:21         0 d-------- C:\Program Files\Movie Maker
2007-04-21 08:43:13         0 d-------- C:\WINDOWS\system32\Restore
2007-04-21 08:42:00         0 d-------- C:\WINDOWS\Registration
2007-04-21 08:41:52         0 d-------- C:\Program Files\Online Services
2007-04-21 08:41:42         0 d-------- C:\Program Files\Messenger
2007-04-21 08:41:39         0 d-------- C:\Program Files\MSN Gaming Zone
2007-04-21 08:41:01         0 d-------- C:\Program Files\Windows NT
2007-04-21 08:40:58         0 d-------- C:\WINDOWS\system32\MsDtc
2007-04-21 08:40:57         0 d-------- C:\WINDOWS\system32\Com
2007-04-21 03:13:48         0 d--hs---- C:\WINDOWS\Installer
2007-04-21 03:13:47         0 d-------- C:\Program Files\Common Files\ODBC
2007-04-21 03:13:44         0 d-------- C:\Program Files\Common Files\SpeechEngines
2007-04-21 03:13:43         0 dr------- C:\Program Files
2007-04-21 03:13:15         0 d--h----- C:\Documents and Settings\Default User\Templates
2007-04-21 03:13:15         0 dr------- C:\Documents and Settings\Default User\Start Menu
2007-04-21 03:13:15         0 dr-h----- C:\Documents and Settings\Default User\SendTo
2007-04-21 03:13:15         0 d--h----- C:\Documents and Settings\Default User\Recent
2007-04-21 03:13:15         0 d--h----- C:\Documents and Settings\Default User\PrintHood
2007-04-21 03:13:15         0 d--h----- C:\Documents and Settings\Default User\NetHood
2007-04-21 03:13:15         0 d-------- C:\Documents and Settings\Default User\My Documents
2007-04-21 03:13:15         0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2007-04-21 03:13:15         0 d-------- C:\Documents and Settings\Default User\Favorites
2007-04-21 03:13:15         0 d-------- C:\Documents and Settings\Default User\Desktop
2007-04-21 03:13:15         0 d---s---- C:\Documents and Settings\Default User\Cookies
2007-04-21 03:13:15         0 d--h----- C:\Documents and Settings\All Users\Templates
2007-04-21 03:13:15         0 dr------- C:\Documents and Settings\All Users\Start Menu
2007-04-21 03:13:15         0 d-------- C:\Documents and Settings\All Users\Favorites
2007-04-21 03:13:15         0 dr------- C:\Documents and Settings\All Users\Documents
2007-04-21 03:13:15         0 d-------- C:\Documents and Settings\All Users\Desktop
2007-04-21 03:13:00         0 d-------- C:\WINDOWS\system32\CatRoot2
2007-04-21 03:13:00         0 d-------- C:\WINDOWS\system32\CatRoot
2007-04-21 03:12:55         0 dr-h----- C:\Documents and Settings\Default User\Application Data
2007-04-21 03:12:55         0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2007-04-21 03:12:54         0 dr-h----- C:\Documents and Settings\All Users\Application Data
2007-04-21 03:12:54         0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft