  Goodbye CCleaner
@cox.net | CCleaner now installs with adware?
D/Led the new version 2.02.257 - and when I ran my AV overnight I found that Adware.SystemProcess was also now installed. AV removed it, but I was wondering if anyone else saw this too? The new CC version was all I d/led yesterday.
Thanks |
|
  Cudni La Merma - Vigilado Premium,MVM join:2003-12-20 Someshire | I just updated my version and nothing untoward found. What is the location of the suspected adware process, and what AV reported it?
Cudni |
|
  Doctor Olds I Need A Remedy For What's Ailing Me. Premium,VIP join:2001-04-19 1970 442 W30 clubs:
1 edit | reply to Goodbye CCleaner An infector that was first found in 2005? Not likely that it came with CC. Your system let this BHO get installed from elsewhere.
»www.rickmaybury.com/fffpages/fff···v05.html
quote:
26-27/11/05 MALWARE INFESTATION WON'T GO AWAY
Hi Rick, I use Ad-Aware SE Personnel and Firefox. However, I keep getting a malware called "Adware.SystemProcess". Do you know where it originates and whether it is a cause for concern? Nigel Deller
A. No problem, Adware SystemProcess is a persistent piece of malware that hides inside the Registry and latches on to Internet Explorer (yet another good reason to switch to Firefox), it then makes use of your internet connection and fiddles with your Firewall settings to allow it to connect with an outside company (usually ValueClick or one of its affiliates) to display ads in pop-up windows. AdAware should have removed it, however, the specific malware definition was included in update SE1R72, released on the 26th of October, so I suggest you download the latest updates and run it again. Otherwise there are manual removal procedures, (which involve editing the Registry) on the Symantec web site.
-- Whats the point of owning a supercar if you cant scare yourself stupid from time to time? |
|
  MagMan Life is simpler when you tell the truth. Premium join:2003-10-01 Westlake, OH
·AT&T Midwest
| reply to Goodbye CCleaner said by Goodbye CCleaner :
D/Led the new version 2.02.257 - and when I ran my AV overnight I found that Adware.SystemProcess was also now installed. AV removed it, but I was wondering if anyone else saw this too? The new CC version was all I d/led yesterday.
Thanks
Out of curiosity, what AV are you using? Because my NIS 2007 zapped that the other day after an update. I thought it was a FP!! It could be if you're using NAV too.
Just curious, are you?? -- "The truth is incontrovertible, malice may attack it, ignorance may deride it, but in the end; there it is." |
|
  sashwa Pixie Cat Crunchin' n Foldin' Premium,Mod join:2001-01-29 Alcatraz clubs:  | I'm using NAV 2006 and have CC 2.02.257. I ran an AV scan yesterday and I just noticed that it tagged the same thing - Adware.SystemProcess |
|
  amysheehan Premium,VIP,MVM join:1999-12-21 Huntington Beach, CA
·RoadRunner Cable
1 edit | reply to Goodbye CCleaner Just for everyone's info - I have sent the link to this topic to my contact at Symantec so it can be reviewed.
-amy-
 -- DSLR Phishtracker |
|
  MagMan Life is simpler when you tell the truth. Premium join:2003-10-01 Westlake, OH | Thanks Amy. 
Was trying to find some info on this, but did not come up with much. |
|
  amysheehan Premium,VIP,MVM join:1999-12-21 Huntington Beach, CA
·RoadRunner Cable
| What would really help is for everyone to post the name of the file that was flagged during the scan - go to the Log Viewer / Security Risks for the source and name of the file found.
Thanks !!!
-amy-
 -- DSLR Phishtracker |
|
  Doctor Olds I Need A Remedy For What's Ailing Me. Premium,VIP join:2001-04-19 1970 442 W30 clubs:
| reply to sashwa »www.symantec.com/security_respon···&tabid=2
quote:
Updated: February 13, 2007 11:46:22 AM
Type: Adware
Version: 1.0.0.1
Risk Impact: High
File Names: ccapp.exe, navshext.dll
Systems Affected: Windows 2000, Windows 98, Windows CE, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.SystemProcess is executed, it performs the following actions:

1. Creates the following files:
* %System%\ccapp.exe
* %System%\navshext.dll
* %System%\p.dat
* %System%\system.dat
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

2. Downloads the following file:
%System%\ustart.exe (This is detected as Adware.WintaskAd.)

3. Creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Startup
HKEY_LOCAL_MACHINE\SOFTWARE\System Process
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB}
HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\anrdoezrs.net
HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\bfast.com
HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\cc-dt.com
HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\commission-junction.com
HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\dpbolvw.net
HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\fastclick.com
HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\fastclick.net
HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\jdoqocy.com
HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\kqzyfj.com
HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\linksynergy.com
HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\qksrv.net
HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\tkqlhce.com

4. Adds the value:
"*.system-processes.com" = ""
to the registry subkey:
HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Internet Explorer\New Windows\Allow

5. Adds the value:
"%Windir%\system32\ccapp.exe" = "%Windir%\system32\ccapp.exe:*:Enabled:System Process"
to the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

6. Adds the value:
"System Process Uninstall" = "%Windir%\system32\ccapp.exe UAF"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
-- Whats the point of owning a supercar if you cant scare yourself stupid from time to time? |
|
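An added example, not part of the thread or of Symantec's write-up: a read-only PowerShell check for the files and registry entries listed in the quoted description, reporting whether any listed files exist in System32 or only registry entries do. The helper name `Get-RegValueNames` and the output labels are hypothetical; since the SID in the write-up is specific to one account, the per-user check walks every hive loaded under HKEY_USERS instead.

```powershell
# Added example: read-only check for the indicators in the quoted write-up.
# Get-RegValueNames and the output labels are hypothetical names.
$sys   = Join-Path $env:windir 'System32'
$clsid = '{C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB}'
$cv    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'

# Steps 1-2: files created or downloaded in %System%.
$files = 'ccapp.exe', 'navshext.dll', 'p.dat', 'system.dat', 'ustart.exe' |
    ForEach-Object { Join-Path $sys $_ }

# Step 3: machine-wide subkeys (the per-user P3P history keys are not checked).
$keys = "$cv\Uninstall\Startup", 'HKLM:\SOFTWARE\System Process',
        "HKLM:\SOFTWARE\Classes\CLSID\$clsid",
        "$cv\Explorer\Browser Helper Objects\$clsid"

# Step 5: firewall exception list.
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters' +
      '\FirewallPolicy\StandardProfile\AuthorizedApplications\List'

function Get-RegValueNames([string]$Key) {
    # Value names under a key, or nothing if the key is absent.
    if (Test-Path -LiteralPath $Key) { (Get-Item -LiteralPath $Key).GetValueNames() }
}

$found = @(
    $files | Where-Object { Test-Path -LiteralPath $_ } | ForEach-Object { "file  $_" }
    $keys  | Where-Object { Test-Path -LiteralPath $_ } | ForEach-Object { "key   $_" }
    Get-RegValueNames $fw | Where-Object { $_ -match '\\system32\\ccapp\.exe$' } |
        ForEach-Object { "value $fw -> $_" }
    # Step 6: RunOnce entry.
    Get-RegValueNames "$cv\RunOnce" | Where-Object { $_ -eq 'System Process Uninstall' } |
        ForEach-Object { "value $cv\RunOnce -> $_" }
    # Step 4: pop-up allow list, checked in every loaded user hive.
    Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $allow = "Registry::$($_.Name)\Software\Microsoft\Internet Explorer\New Windows\Allow"
            if ((Get-RegValueNames $allow) -contains '*.system-processes.com') {
                "value $allow -> *.system-processes.com"
            }
        }
)

$found
if ($found.Count -eq 0) { 'none of the listed indicators are present' }
elseif ($found -like 'file*') { 'listed files exist in System32' }
else { 'registry entries only; none of the listed files exist' }
```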
  MagMan Life is simpler when you tell the truth. Premium join:2003-10-01 Westlake, OH
·AT&T Midwest
| reply to amysheehan said by amysheehan :
What would really help is for everyone to post the name of the file that was flagged during the scan - go to the Log Viewer / Security Risks for the source and name of the file found. Thanks !!! -amy-
This is what I have, Amy; it is not showing a source. -- "The truth is incontrovertible, malice may attack it, ignorance may deride it, but in the end; there it is." |
|
  dadkins Can you do Blu? Premium,MVM join:2003-09-26 Hercules, CA
·Comcast
| reply to Goodbye CCleaner Newest(shocker?) CrapCleaner here, went through the manual removal steps at the Symantec site - nada.
avast never made a peep when I installed CCleaner - ever. Just finished a system scan with avast - nada.
Me thinks, like Doctor Olds, it came from somewhere else. If, in fact, you did get this old critter, you should be more concerned on how or why it got past your current AV. -- Think outside the Fox... Opera |
|
  hayc59 VoodooChild Premium join:2001-02-26 David R.I.P. | reply to Goodbye CCleaner Ran NOD32/SUPERAntispyware/KAV found no such beast here!! |
|
  dadkins Can you do Blu? Premium,MVM join:2003-09-26 Hercules, CA
·Comcast
| said by hayc59 :
Ran NOD32/SUPERAntispyware/KAV found no such beast here!!
You can add a2 to that list as well... -- Think outside the Fox... Opera |
|
  amysheehan Premium,VIP,MVM join:1999-12-21 Huntington Beach, CA
·RoadRunner Cable
| reply to MagMan
 Detailed Risk Properties Info |
said by MagMan :
said by amysheehan :
What would really help is for everyone to post the name of the file that was flagged during the scan - go to the Log Viewer / Security Risks for the source and name of the file found. Thanks !!! -amy-
This is what I have, Amy; it is not showing a source.
I found more details for a 'tracking cookie' that was found this AM that had no details by going to Quick Tasks / View History / Security History / Advanced Details / Risk Properties / Details.
See screenshot for more info - have a look there if you can. [2007 and 2008 versions]
-amy- -- DSLR Phishtracker |
|
  hayc59 VoodooChild Premium join:2001-02-26 David R.I.P.
| reply to dadkins said by dadkins :
said by hayc59 :
Ran NOD32/SUPERAntispyware/KAV found no such beast here!!
You can add a2 to that list as well...
Yes indeed, just got done running that  |
|
  sashwa Pixie Cat Crunchin' n Foldin' Premium,Mod join:2001-01-29 Alcatraz clubs: 
·Comcast
·Alameda Power & Te..
1 edit | reply to amysheehan Amy, I'm not showing anything in my Log Viewer / Security Risks for yesterday's date.
FWIW, I submitted the file to Symantec for review.
NAV said it was found in 25 registry entries. Also NAV never made a peep when I downloaded and installed the new version of CCleaner which was when it first came out. It squawked during my weekly full scan.


-- TH ~ NE ~ EPN ~ NC ~ TD |
|
  MagMan Life is simpler when you tell the truth. Premium join:2003-10-01 Westlake, OH
·AT&T Midwest
| reply to dadkins Let me clarify my post: I was never infected with this, nor was there any unusual behavior going on within my machine. That is why I am saying it is a false positive for me. Especially after checking the log file and it shows no source.  -- "The truth is incontrovertible, malice may attack it, ignorance may deride it, but in the end; there it is." |
|
  MagMan Life is simpler when you tell the truth. Premium join:2003-10-01 Westlake, OH
·AT&T Midwest
| reply to amysheehan said by amysheehan :
said by MagMan :
said by amysheehan :
What would really help is for everyone to post the name of the file that was flagged during the scan - go to the Log Viewer / Security Risks for the source and name of the file found. Thanks !!! -amy-
This is what I have, Amy; it is not showing a source.
I found more details for a 'tracking cookie' that was found this AM that had no details by going to Quick Tasks / View History / Security History / Advanced Details / Risk Properties / Details. See screenshot for more info - have a look there if you can. [2007 and 2008 versions] -amy-
This is what mine shows. -- "The truth is incontrovertible, malice may attack it, ignorance may deride it, but in the end; there it is." |
|
  amysheehan Premium,VIP,MVM join:1999-12-21 Huntington Beach, CA
·RoadRunner Cable
| reply to sashwa said by sashwa :
Amy, I'm not showing anything in my Log Viewer / Security Risks for yesterday's date. FWIW, I submitted the file to Symantec for review. NAV said it was found in 25 registry entries. Also NAV never made a peep when I downloaded and installed the new version of CCleaner which was when it first came out. It squawked during my weekly full scan.
Thanks for the screenshot and for submitting your item to them. Looks like it may just be registry entries that were found. I'm sure that info will be helpful to Symantec.
-amy-
 -- DSLR Phishtracker |
|
  MagMan Life is simpler when you tell the truth. Premium join:2003-10-01 Westlake, OH 1 edit | Thanks for your input.  |
|