Author Topic: CCleaner Trojans  (Read 162112 times)


Gabriele 08

  • Guest
Re: CCleaner Trojans
« Reply #150 on: June 03, 2007, 09:41:53 PM »
Mmh... me too!
So I think this hypothesis may be interesting:
CCleaner is somehow *changing* the file while deleting it... and avast only detects it after CCleaner puts its hands on it...

GrahamE

  • Guest
Re: CCleaner Trojans
« Reply #151 on: June 03, 2007, 09:50:37 PM »
Mmh... me too!
So I think this hypothesis may be interesting:
CCleaner is somehow *changing* the file while deleting it... and avast only detects it after CCleaner puts its hands on it...

I don't know what effect using the secure delete has. Obviously I know that it over-writes 3 times, but what it's doing to the actual file that's being deleted to cause Avast a problem, I don't know. Still can't explain my one Avast alert while using Adaware either. Also can't explain how I was able to use 1.39.502 for a week with no problem. Also can't explain ( :P) why, if you go to exactly the same websites again that you visited when CCleaner caused an alert, Avast doesn't alert second time.

Gabriele 08

  • Guest
Re: CCleaner Trojans
« Reply #152 on: June 03, 2007, 11:03:38 PM »
Mmh... me too!
So I think this hypothesis may be interesting:
CCleaner is somehow *changing* the file while deleting it... and avast only detects it after CCleaner puts its hands on it...

I don't know what effect using the secure delete has. Obviously I know that it over-writes 3 times, but what it's doing to the actual file that's being deleted to cause Avast a problem, I don't know...
I don't know either!
But it is during this action that something not good happens!
So I was considering Tech's hypothesis, because I'm thinking we need hypotheses...
We should discover the "culprit" before transforming this topic into a "never-ending story".

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67195
Re: CCleaner Trojans
« Reply #153 on: June 03, 2007, 11:17:55 PM »
Still can't explain my one Avast alert while using Adaware either.
This is a little bit different and easier: while Ad-Aware is working with a file (scanning), avast could 'detect' the file in memory and warn about a virus. Some users suggest that when you scan with an application, you should disable the other residents (especially the antivirus in this case).

why, if you go to exactly the same websites again that you visited when CCleaner caused an alert, Avast doesn't alert second time.
Can you explain a little more? What do you mean by "you visited when CCleaner caused an alert"?
The best things in life are free.

GrahamE

  • Guest
Re: CCleaner Trojans
« Reply #154 on: June 04, 2007, 01:13:38 AM »
This is a little bit different and easier: while Ad-Aware is working with a file (scanning), avast could 'detect' the file in memory and warn about a virus. Some users suggest that when you scan with an application, you should disable the other residents (especially the antivirus in this case).

Yeah, DavidR mentioned that earlier. I just find it odd that Avast alerted while I was doing an Adaware scan at this time - i.e. while there is the same problem with CCleaner. It has never happened before with Adaware, even though I've never disabled Avast before doing any scan. Because I've never done it before, it does seem a bit like masking the problem, like using something else instead of CCleaner - it would stop the problem, but wouldn't explain the 'why?' bit.

Can you explain a little more? What do you mean by "you visited when CCleaner caused an alert"?

I'll give a hypothetical example. I log on to the internet. My homepage, Google, loads. I go to the Download.com home page. I then log off and run CCleaner. Avast pops up with an alert, which I send to the Chest. I then reconnect to the internet, Google, Download.com, log off. I use CCleaner and this time there is no alert. Why an alert the first time and not the second? One would imagine that the files being deleted would be identical, the way CCleaner deals with them would be identical, so why not an identical alert?

We should discover the "culprit" before transforming this topic into a "never-ending story".

Since this is reply #154 in this thread, it might be a little late for that!  ;D

They're still coming, by the way:

03/06/2007 20:51:25   GE   1488   Sign of "Win32:Agent-GWD [Trj]" has been found in "C:\Documents and Settings\GE\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat" file.

@ Gabriele 08:
Are you still getting alerts?


GrahamE

  • Guest
Re: CCleaner Trojans
« Reply #155 on: June 04, 2007, 01:31:57 AM »
Sorry, been thinking,

This is a little bit different and easier: while ad-aware is working with a file (scanning) avast could 'detect' the file on the memory and warns about a virus.

How does this differ from what happens when CCleaner is working with a file and Avast 'detects' something? Doesn't that point towards Avast being at fault? We (you) felt in earlier posts that it wasn't CCleaner that was at fault:

Definitely happened with both versions of CCleaner. I actually thought, when the new version came out, that it might solve the problem, if there was a bug in the old one.
The problem is that no one is reporting a bug in CCleaner... I don't think there is this kind of trouble with it...

why Avast would detect something when CCleaner cleans, but not when Windows does it.
Because CCleaner cleans deeper and 'touches' many more files and folders than just closing IE and letting Windows clean. The mystery is which file(s) is (are) causing the trouble...

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67195
Re: CCleaner Trojans
« Reply #156 on: June 04, 2007, 02:47:06 AM »
I'll take your words... Sorry, been thinking... and then guessing, not in a linear way but in circles...
Did you run HijackThis? Can you post it here after all you've scanned and cleaned?
The best things in life are free.

Gabriele 08

  • Guest
Re: CCleaner Trojans
« Reply #157 on: June 04, 2007, 06:15:36 AM »
@ Gabriele 08:
Are you still getting alerts?
Yes! (don't worry, I won't leave you alone  ;D )
As usual, in "random mode". I mean, one time yes, 2-3 times no, and so on...

Dangerman

  • Guest
Re: CCleaner Trojans
« Reply #158 on: June 04, 2007, 10:48:07 AM »
@ Gabriele 08:
Are you still getting alerts?
Yes! (don't worry, I won't leave you alone  ;D )
As usual, in "random mode". I mean, one time yes, 2-3 times no, and so on...

I have also had several more alerts this weekend of the Win32:Agent"G" series variety, but like GrahamE, not on every scan even after visiting the same site.

Also to note, I have run AdAware and had Avast running at the same time and nothing has been picked up.  However, I have not run AdAware every day or before each CCleaner scan. I also use the secure option (3 passes) for cleaning.

The trojans are only ever picked up in Firefox, under Documents and Settings.  On the rare occasion that I use IE, and clean afterwards, nothing has been found.

It has also been mentioned before that no other anti-virus/spyware/malware, etc, picks these up and I can confirm that as I've tried many of them and everything comes up clean.

I am also the only Administrator on my pc.


GrahamE

  • Guest
Re: CCleaner Trojans
« Reply #159 on: June 04, 2007, 12:55:30 PM »
I'll take your words... Sorry, been thinking... and then guessing, not in a linear way but in circles...

I think that's what we're all doing, as there doesn't seem to be a simple answer to this. Perhaps if the people at CCleaner respond, or someone at Alwil......
HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 11:44:26, on 04/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\PROGRAM FILES\CREATIVE\SB LIVE! 24-BIT\SURROUND MIXER\CTSYSVOL.EXE
C:\Documents and Settings\GE\My Documents\My Utilities\Virus\Virus Scanners\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O4 - HKCU\..\Run: [TClockEx] C:\Documents and Settings\GE\My Documents\Unzipped\tclockex\TCLOCKEX.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Blaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


GrahamE

  • Guest
Re: CCleaner Trojans
« Reply #160 on: June 04, 2007, 01:02:31 PM »
@ Gabriele 08:
Are you still getting alerts?
Yes! (don't worry, I won't leave you alone  ;D )

Yeah, don't leave me alone with this!  ;D

I have also had several more alerts this weekend of the Win32:Agent"G" series variety, but like GrahamE, not on every scan even after visiting the same site.

It's the random nature of this that's making it difficult for anyone to pinpoint the problem, I guess. Perhaps if the people at CCleaner respond, or someone at Alwil... ;D

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67195
Re: CCleaner Trojans
« Reply #161 on: June 04, 2007, 07:38:40 PM »
Check the automatic analysis of your HijackThis log here:
http://www.4shared.com/file/17245185/6e105f2c/GrahamE.html

You can find more info in the links of the last column of this table.
That info could guide you on the cleaning process.
Anyway, if you have doubts, just post here.
Also, take a careful look at the first column of the table:

1. If you don't recognize a legit program in one of the items marked as FIX IF UNKNOWN, please post it back here and maybe we can help you. Or, if you're sure it's a malware item, you can remove it as posted below.

2. If you agree with the automatic classification of the infected items marked as FIX (CHECK NOTES!), you can go back to the HijackThis program, check the box of this item and then remove it using the button 'Fix checked'.

Other automatic analysis - which is never as good as having an experienced human operator around - could be done by the following sites: http://hijackthis.de/index.php, http://www.tomcoyote.org/hjt/ and http://hjt.networktechs.com/.
The best things in life are free.
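As an added example (not code from this thread, HijackThis or avast), here is a small triage script for HijackThis-style log lines that flags the entry kinds the automatic analysers and the posters above check by hand: services with an unknown owner, entries marked "(file missing)", Run items with an unqualified path, and Run items launched from a user profile folder. The sample log is constructed for the example and only mirrors the line format of the log posted earlier.

```python
"""Triage helper for HijackThis-style log lines (added example; not HijackThis or avast code).
Flags what a reviewer checks first: unknown service owners, '(file missing)' entries,
Run items with an unqualified path, and Run items launched from a user profile."""
import re
from collections import namedtuple

# Constructed sample in the HijackThis v1.99 line format (not the thread's own log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe"
O4 - HKLM\..\Run: [modem] modemagent.exe
O4 - HKCU\..\Run: [Clock] C:\Documents and Settings\user\My Documents\tools\clock.exe
O9 - Extra button: (no name) - {00000000-0000-0000-0000-000000000002} - %windir%\scanner.exe (file missing)
O23 - Service: Example AV (exav) - Example Vendor Ltd - C:\Program Files\Example\exav.exe
O23 - Service: Example Mail Scanner - Unknown owner - C:\Program Files\Example\exmail.exe" /service (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
USER_PROFILE_HINTS = ("\\documents and settings\\", "\\users\\")
Finding = namedtuple("Finding", "code reason raw")  # section code, check that fired, log line


def parse_entries(text):
    """Return (code, body, raw) for every 'O23 - ...' style entry line; skip other lines."""
    out = []
    for raw in (ln.strip() for ln in text.splitlines()):
        m = ENTRY_RE.match(raw)
        if m:
            out.append((m.group("code"), m.group("body"), raw))
    return out


def triage(text):
    """Run the review checks over a log and return the entries worth a second look."""
    findings = []
    for code, body, raw in parse_entries(text):
        if body.endswith("(file missing)"):
            # Stale pointer to a removed binary, or (for O23) a quoting artifact: verify by hand.
            findings.append(Finding(code, "file-missing", raw))
        if code == "O23":
            m = SERVICE_RE.match(body)
            if m and m.group("owner") == "Unknown owner":
                # No vendor resolved for the service binary: confirm the publisher yourself.
                findings.append(Finding(code, "unknown-owner", raw))
            if m and '" /service' in m.group("path"):
                # Stray quote before the arguments: a quoted ImagePath was split, so the
                # '(file missing)' on such lines is often an artifact rather than a gone binary.
                findings.append(Finding(code, "quoted-imagepath", raw))
        elif code == "O4":
            m = RUN_RE.match(body)
            if m and not (m.group("cmd").startswith('"') or re.match(r"^[A-Za-z]:\\", m.group("cmd"))):
                # Bare file name: which binary runs depends on the search path, so verify it.
                findings.append(Finding(code, "unqualified-path", raw))
            if m and any(h in m.group("cmd").lower() for h in USER_PROFILE_HINTS):
                # Autostart from a user-writable location: confirm it is an intended tool.
                findings.append(Finding(code, "user-writable-location", raw))
    return findings
```

Running `triage(SAMPLE_LOG)` on the constructed sample returns six findings; the two O23 flags on the mail-scanner line are the same pattern the quoted "/service (file missing)" entries in the posted log show.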

Gabriele 08

  • Guest
Re: CCleaner Trojans
« Reply #162 on: June 04, 2007, 10:14:51 PM »
Well, there is a little threat in GrahamE's PC, but I think there is no relation with the CCleaner-Avast troubles.
In any case, after removing it, we'll see.
But... I'm really surprised that avast doesn't recognize this "little trojan", which is not new, although it is described as a very low-risk trojan.

GrahamE

  • Guest
Re: CCleaner Trojans
« Reply #163 on: June 05, 2007, 12:55:48 AM »
Check the automatic analysis of your HijackThis log here:
http://www.4shared.com/file/17245185/6e105f2c/GrahamE.html

Ok, I'm not sure what to do here (just for a change!)

I'm pretty sure that the 'FIX IF UNKNOWN' items are okay.

The red FIX one - O11 Options group [INTERNATIONAL] International*. Hmmmm......

According to this, "currently only the 'CommonName' Hijacker uses this"

But, using the other analyser (http://hijackthis.de/Index.php), this entry is listed as 'safe'

A Google search reveals it to be the "Internationalized Domain Name Support in Internet Explorer 7" and is therefore legitimate.

On the other hand, hijackthis.de/... lists
"R0 HKCU\Software\Microsoft\Internet Explorer\Main, Local Page =" as "Nasty"
and yet this is ok on the other one. I'm pretty sure that this was changed to 'blank' when IE7 was installed, so again, I'm pretty sure it's ok (though not certain, I must admit).

I think I'm ok on the 'undetermined' bits except for the large window with Spywareblaster.exe. Are the entries here to do with entries in the SpywareBlaster definitions? I hope so. If not, what is yahoo_toolbar.exe, or surfer.exe? What the hell is penis32.exe?


Well, there is a little threat in GrahamE's PC, but I think there is no relation with the CCleaner-Avast troubles.
In any case, after removing it, we'll see.
But... I'm really surprised that avast doesn't recognize this "little trojan", which is not new, although it is described as a very low-risk trojan.

Which 'threat' are you referring to?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67195
Re: CCleaner Trojans
« Reply #164 on: June 05, 2007, 03:24:22 AM »
I'm pretty sure that the 'FIX IF UNKNOWN' items are okay.
The red FIX one - O11 Options group [INTERNATIONAL] International*. Hmmmm......
But, using the other analyser (http://hijackthis.de/Index.php), this entry is listed as 'safe'
I'm pretty sure it's ok (though not certain, I must admit)
Indeed... that does not seem to be the problem with CCleaner & avast. Never mind, was just a precaution to know if any other thing could be interfering with avast.

If not, what is yahoo_toolbar.exe, or surfer.exe? What the hell is penis32.exe?
POSSIBLE THREATS as stated.
Why do you have C:\Program Files\SpywareBlaster\spywareblaster.exe at the startup items? For what?
The best things in life are free.