Author Topic: CCleaner Trojans  (Read 162079 times)


GrahamE

  • Guest
Re: CCleaner Trojans
« Reply #30 on: May 17, 2007, 07:32:07 PM »
Hi Tech,

This is what I've got in the log viewer:

27/04/2007 21:55:41   GE   3024   Sign of "Win32:Agent-GKD [Trj]" has been found in "C:\WINDOWS\WindowsUpdate.log" file. 
28/04/2007 00:31:12   GE   1372   Sign of "Win32:Agent-GKD [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\WPSHGFSL\JJJJJJJJJJJJJJJJJJJJJJ.JJ" file. 
07/05/2007 00:25:26   GE   1484   Sign of "Win32:Agent-GKD [Trj]" has been found in "C:\WINDOWS\Internet Logs\VVVVVVVVV.VV.VV.VVV" file. 
09/05/2007 11:17:35   GE   1488   Sign of "Win32:Agent-GHL [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\86CTQTEM\YYYYYYYYYYYY.YYY" file. 
14/05/2007 14:37:05   GE   1512   Sign of "Win32:Agent-GYJ [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat" file. 
15/05/2007 12:07:32   GE   1384   Sign of "Win32:Nilage-FP [Trj]" has been found in "C:\WINDOWS\TEMP\{19EC4B5E-F950-4F72-ADB6-DEFB2148866C}\{EFB7D050-CAD2-11D4-B34D-00105A1C23DD}\XXXXXXXX.XXX" file. 
15/05/2007 20:28:29   GE   1412   Sign of "Win32:Agent-GWO [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\NTNMGHTF\LoJack%20ReRevised_400k[1].flv" file. 
16/05/2007 03:14:09   GE   1412   Sign of "Win32:Agent-GWO [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\9RLOOSBW\IIIIIIII.III" file. 
16/05/2007 03:14:26   GE   1412   Sign of "Win32:Agent-GVO [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\HNJH4TJO\IIIIIIIIIIII.III" file. 

I've just scanned everything in the Chest, and entry #2 for 28/04/2007 and entry #3 for 07/05/2007 are now showing 'no virus'. There isn't an entry in the Chest for entry #1 in the log file. This means that it's no longer finding the Win32:Agent-GKD [Trj]. Does this mean they, and possibly all of them are false-positives??

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67195
Re: CCleaner Trojans
« Reply #31 on: May 17, 2007, 07:35:36 PM »
Quote from: GrahamE
"Are now showing 'no virus'. Does this mean they, and possibly all of them are false-positives??"
Most probably...
The best things in life are free.

GrahamE

  • Guest
Re: CCleaner Trojans
« Reply #32 on: May 17, 2007, 07:39:00 PM »
Does that mean that my name, dragged through the mud as a filthy pervert, will finally be cleared?  :D

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67195
Re: CCleaner Trojans
« Reply #33 on: May 17, 2007, 07:41:50 PM »
Quote from: GrahamE
"Does that mean that my name, dragged through the mud as a filthy pervert, will finally be cleared?  :D"
Not yet... you must prove your innocence ;D

GrahamE

  • Guest
Re: CCleaner Trojans
« Reply #34 on: May 17, 2007, 07:47:53 PM »
Damn!  :'(

mauserme

  • Guest
Re: CCleaner Trojans
« Reply #35 on: May 17, 2007, 08:11:58 PM »
I'm still sifting through the combofix log (my goodness you've installed a lot of software lately).  So far it looks clean, so I'm tentatively guessing false positives too.


Quote from: GrahamE
"Does that mean that my name, dragged through the mud as a filthy pervert, will finally be cleared?  :D"
No, we'll keep the rumors going for a while ....



EDIT:  Did you reinstall the OS on April 21?
« Last Edit: May 17, 2007, 08:21:35 PM by mauserme »

GrahamE

  • Guest
Re: CCleaner Trojans
« Reply #36 on: May 17, 2007, 08:22:06 PM »
Quote from: mauserme
"I'm still sifting through the combofix log (my goodness you've installed a lot of software lately)."

I reformatted not too long ago, that's probably what it is.

I think you're all being very unfair on the pervy business.  ::)

EDIT: Not sure of exact date of reinstall, but 21st sounds about right.
« Last Edit: May 17, 2007, 08:40:30 PM by GrahamE »

mauserme

  • Guest
Re: CCleaner Trojans
« Reply #37 on: May 17, 2007, 08:25:47 PM »
Careful - I might have to post what I really saw in those logs of yours.

Actually, you look clean but post again if you get any more alerts. :)

GrahamE

  • Guest
Re: CCleaner Trojans
« Reply #38 on: May 17, 2007, 08:36:03 PM »
 :o Damn! I was sure I'd checked through them!  ;D

I've had no alerts today, so I'm hopeful.

Many thanks to Tech, mauserme and calcu007 for all the help. VERY much appreciated.

I'll try to stay away for a while, and perhaps you'll have forgotten my name.  ;D

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67195
Re: CCleaner Trojans
« Reply #39 on: May 17, 2007, 09:19:52 PM »
Quote from: GrahamE
"I'll try to stay away for a while, and perhaps you'll have forgotten my name.  ;D"
I usually forget names, if so, forgive me ;D

GrahamE

  • Guest
Re: CCleaner Trojans
« Reply #40 on: May 23, 2007, 07:24:53 PM »
I've left a post in Gabriele 08's thread http://forum.avast.com/index.php?topic=28039.0

It's probably best if I continue here though. I'll copy what was said in the other thread and then continue. I don't know if this is how you're supposed to do it, but I can't work out how to quote from that thread in here...

I wrote:

Sadly, my problem hasn't been resolved, since I've had 2 more occurrences since my last post. The second of these came when (having used CCleaner when I came offline previously), I opened Internet Explorer, my homepage (Google) came up, and I was called away and so logged off. On using CCleaner, Avast found (traces of) a virus in the temp internet files!

Since I, and other members of this Forum with far greater knowledge than mine, had pretty well decided that these were false-positives, and since it seemed to be using CCleaner that was causing the problem to some extent, I've set Internet Explorer to empty the temp internet files when the browser is closed. I'm still using CCleaner as well, but nothing has come up so far, after 2 days of doing this.

I'm assuming that if there really was a virus/Trojan, Avast would still detect it when Windows cleared the files (?)


Tech replied:

Quote from: GrahamE on Today at 12:04:56 AM
"Sadly, my problem hasn't been resolved, since I've had 2 more occurrences since my last post".

If you're still detecting any strange behavior, or even if you're sure you're not clean, maybe it will be good to test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest AVG, Panda and/or F-Secure BlackLight.


Quote from: GrahamE on Today at 12:04:56 AM
"Since I, and other members of this Forum with far greater knowledge than mine, had pretty well decided that these were false-positives".

Did any of us say so?
« Last Edit: May 23, 2007, 07:36:24 PM by GrahamE »

GrahamE

  • Guest
Re: CCleaner Trojans
« Reply #41 on: May 23, 2007, 07:31:49 PM »
Hi Tech,

Sorry, but I was assuming that there was a high probability of false positives because of:



Are now showing 'no virus'. Does this mean they, and possibly all of them are false-positives??
Most probably...

Quote

Actually, you look clean but post again if you get any more alerts. :)

I've run the AVG and Panda Anti-Rootkits, and they've both come up clean. I didn't fancy the F-Secure one as it was a beta...

What do you think?
« Last Edit: May 23, 2007, 07:37:34 PM by GrahamE »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67195
Re: CCleaner Trojans
« Reply #42 on: May 24, 2007, 01:30:07 AM »
GrahamE, I'll need time to see this deeply... maybe tomorrow.
Maybe some other malware expert could help you before. Sorry.

GrahamE

  • Guest
Re: CCleaner Trojans
« Reply #43 on: May 24, 2007, 01:37:13 AM »
Okay, thank you.  :)

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: CCleaner Trojans
« Reply #44 on: May 24, 2007, 02:53:56 AM »
Quote from: GrahamE
"I've run the AVG and Panda Anti-Rootkits, and they've both come up clean."
Good.

Quote from: GrahamE
"Sadly, my problem hasn't been resolved, since I've had 2 more occurrences since my last post."
What about now? Any other occurrence, or are you clean?