Author Topic: CCleaner Trojans  (Read 162098 times)


mauserme

  • Guest
Re: CCleaner Trojans
« Reply #45 on: May 24, 2007, 04:16:09 AM »
It's perplexing.  On the one hand we have avast! alerting on some very suspicious looking file names in suspicious locations but then those detections disappear days later.

Then we also have

... I use Zone Alarm free, Avast, Counterspy (real-time protection and scanner), Adaware SE (real-time and scanner), WinPatrol, SpywareBlaster, SuperAntispyware (scanner only), Spyware Terminator (real-time and scanner), Spybot (scanner only), AVG antispyware (scanner only). Nothing has been found doing scans with any of them, including Avast.

and

I've run the AVG and Panda Anti-Rootkits, and they've both come up clean.

plus ComboFix found nothing to delete or quarantine and no hidden processes.


Graham, what was the reason you reformatted in April?  Was it malware or something else?

The next time you get an alert see if you can upload the file(s) to Virus Total for analysis and post the results

http://www.virustotal.com/en/indexf.html


Also, in the other thread related to this, you said you've experienced these alerts with both the current and prior version of CCleaner.   Are you sure?  I mean, I'm not doubting you but I would like to eliminate the CCleaner update as the cause.

I'm a pervert!!  ;D

Hmmmm

Still not sure we can help with that  :P
« Last Edit: May 24, 2007, 04:47:13 AM by mauserme »

GrahamE

  • Guest
Re: CCleaner Trojans
« Reply #46 on: May 24, 2007, 10:17:16 AM »
I reformat on quite a regular basis. On this occasion, I'd been having probs with a graphics card/drivers. I installed a new PSU as part of the process of upgrading and decided to start afresh.

Definitely happened with both versions of CCleaner. I actually thought, when the new version came out, that it might solve the problem, if there was a bug in the old one.

However, since I've set Internet Explorer to empty the Temporary Internet Files when I log off, the problem has stopped (no alerts since Sunday, anyway). I still use CCleaner, but it's removing virtually nothing, and there's obviously nothing in the TIF's for it to deal with.

I don't know whether this is a good way to deal with it, or why Avast would detect something when CCleaner cleans, but not when Windows does it.

I'm not sure how I'll be able to send the files to Virus Total. Actually that might not be true. Am I right in thinking that (assuming that I go back to using CCleaner), when Avast finds something, I move it to the Chest (if I 'ignore', CCleaner will remove it) and then restore it? It should then still be in the TIF's and I'll be able to upload it.

I think I'm finally coming to terms with the pervert thing. Talking about it has obviously helped me a lot. The Avast Forum has been a lot cheaper than a psychiatrist as well, so I have a lot to thank this Forum for.  ;D

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: CCleaner Trojans
« Reply #47 on: May 24, 2007, 11:36:38 AM »
Definitely happened with both versions of CCleaner. I actually thought, when the new version came out, that it might solve the problem, if there was a bug in the old one.
The problem is that no one is relating a bug in CCleaner... I don't think there is this kind of trouble with it...

why Avast would detect something when CCleaner cleans, but not when Windows does it.
Because CCleaner cleans deeper and 'touches' many more files and folders than just closing IE and letting Windows clean. The mystery is which file(s) is (are) bringing trouble...

when Avast finds something, I move it to the Chest (if I 'ignore', CCleaner will remove it) and then restore it.
Did you set avast to work on Silent Mode?
If not, avast won't move files automatically to Chest.
Definitively, avast does not 'restore' anything automatically. There isn't such an option.
The best things in life are free.

mauserme

  • Guest
Re: CCleaner Trojans
« Reply #48 on: May 24, 2007, 01:32:11 PM »
If you don't mind experimenting a little, go back to deleting temporary internet files with CCleaner and then do as you suggested about restoring from the chest in order to scan at Virus Total.  I would especially be interested in non-temporary internet files.  I think you had some in c:\windows\temp in earlier posts.

Spiritsongs

  • Guest
Multiple "real-time" antiSPYWARE programs
« Reply #49 on: May 24, 2007, 07:33:43 PM »
 :)  Hi All:

      As far as I know, having multiple antiSPYWARE programs providing
      "real-time" protection is undesirable, providing "conflicts" as when
      2 or more antiVIRUS programs' "real-time" components run.
      So it seems wise to "disable" or "turn OFF" the "real-time" protection
      of either Counterspy, Spyware Terminator, or Ad-Aware, leaving ONLY
      1 "running". Are any of these on "Trial" "status"? Counterspy appears
      to be the Best of these 3!?

      And for a Temporary Internet Files cleaner, along with other Items,
      it would be wise to consider "replacing" CCleaner with ATF Cleaner,
      developed by antiSPYWARE Expert "ATribune" and available at
      www.atribune.org/content/view/19/2/ .

Gabriele 08

  • Guest
Re: CCleaner Trojans
« Reply #50 on: May 24, 2007, 07:42:00 PM »
Because CCleaner cleans deeper and 'touches' many more files and folders than just closing IE and letting Windows clean. The mystery is which file(s) is (are) bringing trouble...
I think this is the central point!!
But I'm not so optimistic about how to discover this... ???

GrahamE

  • Guest
Re: CCleaner Trojans
« Reply #51 on: May 24, 2007, 07:42:51 PM »
when Avast finds something, I move it to the Chest (if I 'ignore', CCleaner will remove it) and then restore it.
Did you set avast to work on Silent Mode?
If not, avast won't move files automatically to Chest.
Definitively, avast does not 'restore' anything automatically. There isn't such an option.

No, sorry, I don't think I expressed what I meant very well. I meant that when I run CCleaner, if Avast finds something, I would send it to the Chest. I would then restore it from the Chest, and then send it to Virus Total. If, when Avast found something during the CCleaner process, I chose to 'ignore' it, then CCleaner would remove it, and I wouldn't have the option of sending it to VirusTotal.

If you don't mind experimenting a little, go back to deleting temporary internet files with CCleaner and then do as you suggested about restoring from the chest in order to scan at Virus Total.  I would especially be interested in non-temporary internet files.  I think you had some in c:\windows\temp in earlier posts.

Yeah, I'll do that.

Thanks to both.

:)  Hi All:

      As far as I know, having multiple antiSPYWARE programs providing
      "real-time" protection is undesirable, providing "conflicts" as when
      2 or more antiVIRUS programs' "real-time" components run.
      So it seems wise to "disable" or "turn OFF" the "real-time" protection
      of either Counterspy, Spyware Terminator, or Ad-Aware, leaving ONLY
      1 "running". Are any of these on "Trial" "status"? Counterspy appears
      to be the Best of these 3!?

I can't say that I've heard that there can be a problem with running more than one anti-spyware program with real-time protection. Obviously I knew this is true for firewalls and anti-virus. I thought that unless there was a definite conflict between different programs, it was a case of 'the more the merrier', within reason obviously. Also I've been running the same anti-spyware for quite a while now without problem (before 27th April, that is!).


      And for a Temporary Internet Files cleaner, along with other Items,
      it would be wise to consider "replacing" CCleaner with ATF Cleaner,
      developed by antiSPYWARE Expert "ATribune" and available at
      www.atribune.org/content/view/19/2/ .

I'm a bit loath to do that, since a lot of people use CCleaner without problem, as I have for a long time up until this problem. Also, it has been inferred that the problem isn't actually with CCleaner.

GrahamE

  • Guest
Re: CCleaner Trojans
« Reply #52 on: May 25, 2007, 01:49:06 AM »
Okay, I'm now really confused!

I rescanned one of the most recent 'finds' in the Chest, and it's still being reported as infected. The particular Trojan is:

21/05/2007 20:52:55   SYSTEM   1456   Sign of "Win32:Agent-GTZ [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\NR1NG8KM\SSSSSSSSSSSSSSSSSSSSSSSS.SS" file.

I restored it from the Chest.

I changed the settings to 'show hidden files and folders' and went to C:\D&S\GE\Local Settings. There is no file called Temporary Internet Files.

In C:\D&S there are 3 folders - All Users, Default User and GE. I found the TIF's in Default User. Perhaps this is normal, I don't know. Inside the TIF folder there is a folder called Content.IE5. I scanned the contents of this folder individually with Avast, and found nothing. I scanned Content.IE5 as a whole and found nothing. I scanned C:\D&S\Default\Local Settings (i.e. 'scan Local Settings') and found nothing.

I turned my attention to C:\D&S\GE\Local Settings. In here there are 2 folders - Application Data and Temp. I scanned both - nothing. I scanned the contents of Temp (_Avast4_, ~DFCOA8.tmp, ~DFCO7C.tmp, ~8A56EAB7.TMP) individually and found nothing. I did the same with the Application Data folder and its contents - nothing.

However, if I scan the folder C:\D&S\GE\Local Settings (i.e. scan 'Local Settings') as a whole, Avast finds Win32:Agent-GTZ [Trj].  Having done the scan a couple of times (and pressed 'continue'), I have been able to make out that it is being found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\NR1NG8KM\SSSSSSSSSSSSSSSSSSSSSSSS.SS", which is the file I originally restored. However, as I said before, C:\D&S\GE\Local Settings\Temporary Internet Files doesn't exist, or at least it can't be seen, even with 'show hidden files etc' ticked. How can it be found there if the file isn't there?? Also, I can't send the file to VirusTotal, because it isn't there!!

I hope I've been able to explain this ok  ???

The other thing is that C:\D&S\GE\Local Settings is 18.5MB. Of the two folders inside, Application Data is 17.7MB and Temp is 16.6KB. Again, I don't know if this is normal, but my maths says it isn't!
« Last Edit: May 25, 2007, 02:00:53 AM by GrahamE »

mauserme

  • Guest
Re: CCleaner Trojans
« Reply #53 on: May 25, 2007, 02:17:40 AM »
I hope I've been able to explain this ok  ???
Yeah, I think I've got it.  Is GE a user you expect to find on your computer?  (I suppose I know the answer but I don't want to make assumptions).

Do you see any symptoms of infection other than the avast! alerts?  System slow downs, unusual firewall activity, etc?

Leaving that file where it is, do the rootkit detectors find anything?

EDIT:  Try F-Secure Blacklight this time

http://www.f-secure.com/blacklight/



Assuming there is no rootkit detection, if you clean with CCleaner does avast! alert on the same file again?


      As far as I know, having multiple antiSPYWARE programs providing
      "real-time" protection is undesirable, providing "conflicts"  ...
I think there's some truth in that, not to mention the extra overhead on your system.  But I don't think it's related to the current situation.
« Last Edit: May 25, 2007, 03:12:48 AM by mauserme »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: CCleaner Trojans
« Reply #54 on: May 25, 2007, 04:46:35 AM »
There is no file called Temporary Internet Files.
It's not a file but a folder.

Perhaps this is normal, I don't know.
No, it's not normal. Default User is used to 'create' new users in XP. It's an 'empty' account.

I turned my attention to C:\D&S\GE\Local Settings. In here there are 2 folders - Application Data and Temp. I scanned both - nothing. I scanned the contents of Temp (_Avast4_, ~DFCOA8.tmp, ~DFCO7C.tmp, ~8A56EAB7.TMP) individually and found nothing. I did the same with the Application Data folder and its contents - nothing.
How did you scan? Right clicking the files and folders?

I can't send the file to VirusTotal, because it isn't there!!
Do not restore the file but 'extract' it to a known folder. Submit to VirusTotal from that known folder.
The best things in life are free.

GrahamE

  • Guest
Re: CCleaner Trojans
« Reply #55 on: May 25, 2007, 10:07:19 PM »
Is GE a user you expect to find on your computer?

Yes, that's me. I'm the only user.

Do you see any symptoms of infection other than the avast! alerts?  System slow downs, unusual firewall activity, etc?

No.

It's not a file but a folder.

 :-[ Sorry, I meant folder.

No, it's not normal. Default user is used to 'create' new users into XP. It's an 'empty' account.

Why the hell has that happened then?

How did you scan? Right clicking the files and folders?

Yes.

Do not restore the file but 'extract' it to a known folder. Submit to VirusTotal from that known folder.

Thanks.


Right, this is what I've now done:

1) Restored files from Chest:

22/05/2007 08:12:19   GE   1492   Sign of "Win32:Agent-GWD [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat" file.

24/05/2007 23:58:50   GE   2928   Sign of "Win32:Agent-GTZ [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\NR1NG8KM\SSSSSSSSSSSSSSSSSSSSSSSS.SS" file.

I'll refer to the first as GWD, the second as GTZ.

2) Scanned with Panda, AVG and F-Secure Anti-Rootkits - found nothing.

3) Scanned with CCleaner. Avast found GWD, but is now calling it GXN. (GTZ not found)

4) Scanned (right-click) all the files/folders detailed in my last post with Avast, found nothing.

5) Extracted files from Chest, and uploaded to VirusTotal.
    GWD - no virus found except Avast (4.7.997) found Win32:Agent-GWD
    GTZ - no virus found except Avast found Win32:Agent-GTZ.

6) Logged off from internet, ran CCleaner. Avast found GWD, but this time called it GVO.


Don't know where GTZ went to. I've done a full scan with Avast and found nothing, but then full scans have never found anything.
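The alert lines quoted above all share one fixed shape. As an added example (not code from the thread or from avast!), here is a small Python parser for that log format that groups alerts by file and flags any file whose signature name kept changing, which is what the thread reports for the AntiPhishing .dat file (GWD, then GXN, then GVO). The first three sample entries are copied from this thread; the last two are constructed to mirror those later re-detections.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# One avast! 4.7 log entry per line. The first three are the entries quoted in this
# thread; the last two are constructed to mirror the thread's report that the
# AntiPhishing .dat file was later re-detected under the names GXN and then GVO.
AVAST_LOG = r"""
21/05/2007 20:52:55   SYSTEM   1456   Sign of "Win32:Agent-GTZ [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\NR1NG8KM\SSSSSSSSSSSSSSSSSSSSSSSS.SS" file.
22/05/2007 08:12:19   GE   1492   Sign of "Win32:Agent-GWD [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat" file.
24/05/2007 23:58:50   GE   2928   Sign of "Win32:Agent-GTZ [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\Content.IE5\NR1NG8KM\SSSSSSSSSSSSSSSSSSSSSSSS.SS" file.
25/05/2007 21:10:02   GE   3104   Sign of "Win32:Agent-GXN [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat" file.
25/05/2007 21:40:15   GE   3188   Sign of "Win32:Agent-GVO [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat" file.
"""

ALERT_RE = re.compile(
    r'^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2})\s+(?P<user>\S+)\s+(?P<pid>\d+)\s+'
    r'Sign of "(?P<sign>[^"]+)" has been found in "(?P<path>[^"]+)" file\.$'
)

def parse_alert(line):
    """Return the fields of one alert line, or None for a line that is not an alert."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None

def classify_location(path):
    """Label where a detected file lives; the hits in this thread were all in the IE cache."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    if "temporary internet files" in parts:
        return "ie-cache"
    if "temp" in parts:
        return "temp-dir"
    return "other"

def signatures_per_file(log_text):
    """Map each detected path to the distinct signature names it received, in log order."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        alert = parse_alert(line)
        if alert and alert["sign"] not in seen[alert["path"]]:
            seen[alert["path"]].append(alert["sign"])
    return dict(seen)

def unstable_signatures(log_text):
    """Paths whose signature name changed between alerts. A name that keeps changing
    suggests a definition still being revised, so the hit deserves a second opinion."""
    return {p: s for p, s in signatures_per_file(log_text).items() if len(s) > 1}
```

Running `unstable_signatures(AVAST_LOG)` returns only the AntiPhishing .dat path with its three names, while the Content.IE5 file keeps a single stable name across both alerts.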


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: CCleaner Trojans
« Reply #56 on: May 25, 2007, 10:43:52 PM »
Why the hell has that happened then?
A new infection method (?), who knows... every new account created will be infected as far as I can understand.

How did you scan? Right clicking the files and folders?
Good. The deepest scanning using ashQuick.exe.

3) Scanned with CCleaner. Avast found GWD, but is now calling it GXN. (GTZ not found)
4) Scanned (right-click) all the files/folders detailed in my last post with Avast, found nothing.
I can't explain this behavior, detecting in one case and not in the other.

5) Extracted files from Chest, and uploaded to VirusTotal.
    GWD - no virus found except Avast (4.7.997) found Win32:Agent-GWD
    GTZ - no virus found except Avast found Win32:Agent-GTZ.
Seems a false positive but, you may think, what a strange name for a file...
SSSSSSSSSSSSSSSSSSSSSSSS.SS
Isn't it suspicious?
The best things in life are free.

thomas01155

  • Guest
Re: CCleaner Trojans
« Reply #57 on: May 25, 2007, 11:14:29 PM »
I dunno if this helps. I'm experiencing the same problem: it only picks it up when I use CCleaner, all different variants of the Win32:Agent-GVO virus/trojan. Avast only added it to the defs yesterday. If I just scan the Firefox cache nothing is picked up, only when I use CCleaner.

GrahamE

  • Guest
Re: CCleaner Trojans
« Reply #58 on: May 25, 2007, 11:21:52 PM »
I dunno if this helps

It certainly helps to be not the only one!!  :D


GrahamE

  • Guest
Re: CCleaner Trojans
« Reply #59 on: May 25, 2007, 11:33:25 PM »
Isn't it suspicious?

That's one word for it....

A new infection method (?), who knows... every new account created will be infected as far I can understand.

The only advantage I have there is that I'm not going to create any, not that it's much of a consolation!


I've just been roaming around, right-clicking and scanning various things.
When I scan C:\D&S\GE\Local Settings, and I watch the Avast window that comes up as it scans, I can see (some of) the things it scans as it goes along. It is scanning Temporary Internet Files\Content.IE5, even though it can't be seen in there (even when 'show hidden files...' is ticked).

Things are getting weirder by the minute!