15 replies to this topic

[imnogoodwithcomputers]

I have 2 brand new HP Pavillion notebooks, running Vista 64 with Webroot Antivirus with Spy Sweeper the latest build as of 2-21-09. Both notebooks were setup at the store where thay were purchased, and all updates to windows and Spy Sweeper were done there without visiting any web sites. The only sites visited on either computer is MajorGeeks, then here, then File Hippo, to download the latest version of CCleaner. As soon as I began to run the CCleaner cleaning cycle, SpySweeper popped up with a message showing that Virtumonde had been quarantined. The files it showed were ircb-adk.ide.zip fakea-ju.ide.zip bho.jz.ide.zip adcli.fi.ide.zip . I can go ahead and tell you the SpySweeper log is no use to you, it just shows several places that Virtumonde version 1 was quarantined, it does not show the specific files it quarantined like the actual quarantine window shows. This problem actually started a couple of weeks ago on another machine of mine runnig Vista 32 with both CCleaner, and Spy Sweeper with Antivirus. I thought it was a genuine infection at the time but now I have no reason to believe it is anything more than either CCLeaner loading files that SpySweeper finds as Virtumonde, (hopefully not real) or as it deletes some files it exposes them to SpySweeper which in turn sees them (I guess falsely) as Virtumonde. i have had no Spyware symptoms, such as pop ups. I also have a brand new Router and Modem. Thanks!

[hazelnut]

Please report this false positive about Ccleaner to Spysweeper if you would and then they will fix it.

Also to make double sure about things, you could post here on the forum, should you need to, after following the guide

http://forum.pirifor...showtopic=20120

[imnogoodwithcomputers]

hazelnut, on Feb 22 2009, 02:39 PM, said:

Please report this false positive about Ccleaner to Spysweeper if you would and then they will fix it.

Also to make double sure about things, you could post here on the forum, should you need to, after following the guide

http://forum.pirifor...showtopic=20120

Im not sure they are false positives. Who is to say. I have already reported the issues to Webroot, and i cant be the only person this is happening to. You guys should be testing this out as well, should you not? Thanks!

[Rorschach112]

Like Hazel said, its a FP

[imnogoodwithcomputers]

I really appreciate the quick responses. Thank you. Malwarebytes also found some more things as well. Should I post the log?

[Andavari]

imnogoodwithcomputers, on Feb 22 2009, 09:52 PM, said:

Should I post the log?

Please refer to this thread about malware removal, and the possible posting of logs:
http://forum.pirifor...showtopic=20120

[ccnewbie]

I have this exact same problem using ccleaner and spy sweeper together. When I run the ccleaner, spy sweeper pops up that it has quarantined as virtumonde some of the temp files that ccleaner has just been removing. I use four computers, one a brand new laptop like the poster above, and this has happened on EVERY ONE OF THEM. They cannot all have virtumonde. I'm sure this is a false positive, but it is very frustrating nonetheless. Full scans by malwarebytes, superantispyware, and, yes, spy sweeper, are all clean. And there's no way all these computers could have virtumonde; they are showing no popups or other symptoms of virtumonde, the quarantining action only occurs during ccleaner scans, and none of the other security programs pick up a problem (malwarebytes, superantispyware, pest patrol, windows defender, spybot and Trend Micro Officescan corporate.

The files being flagged are three temp files in documents and settings -- application data for Mozilla firefox and for Sun Java. The temp files flagged vary from computer to computer though.

When I used Google Chrome on the older computers, this would constantly happen with Google Chrome files, and so I deleted it thinking it was an incompatibility with Chrome. But I've found it happens with Firefox as well.

I noticed someone posted on here in another thread about a month ago with the Google Chrome problem, but no one at ccleaner or spy sweeper seems to want to test it out.

[CHESTON]

It is most certainly NOT a false positive. I have tracked it to files that are installed when CCleaner is run. They come downloaded with the Piriform products and they are on active monitoring once online.

Piriform needs to address this. Your software is being downloaded with a trojan.

Don't believe me? Those of you with Spysweeper or AdAware- when you go to the quarantine when Virtumonde pops up, click on the box below and locate the files. Turn off system restore, delete the files, run the scan again. Shut down, reboot in safe mode WITHOUT networking so no new files can show up. Run your scans again and again. Delete CCleaner or other Piriform products. Run it again if you'd like.

Then boot up normally. You will see no alerts. Download and run CCleaner. BOOM. There it is again.

Now, how do I know it's not a false positive? It's in .jpg files. CCleaner's .jpg files aren't names of models, or so on. Further, the files and associated processes are attempting to use ports to get outbound and even inbound access.

It is real. And Piriform has ignored my email.

This is all just my humble, uneducated opinion.

[CHESTON]

PS- This will ruin Piriform's great reputation. It's a shame, because it may not be coming from them, but from their download partners.

Just my humble opinion again.

[brian2009]

CHESTON, on Feb 27 2009, 10:54 PM, said:

It is most certainly NOT a false positive. I have tracked it to files that are installed when CCleaner is run. They come downloaded with the Piriform products and they are on active monitoring once online.

Piriform needs to address this. Your software is being downloaded with a trojan.

Don't believe me? Those of you with Spysweeper or AdAware- when you go to the quarantine when Virtumonde pops up, click on the box below and locate the files. Turn off system restore, delete the files, run the scan again. Shut down, reboot in safe mode WITHOUT networking so no new files can show up. Run your scans again and again. Delete CCleaner or other Piriform products. Run it again if you'd like.

Then boot up normally. You will see no alerts. Download and run CCleaner. BOOM. There it is again.

Now, how do I know it's not a false positive? It's in .jpg files. CCleaner's .jpg files aren't names of models, or so on. Further, the files and associated processes are attempting to use ports to get outbound and even inbound access.

It is real. And Piriform has ignored my email.

This is all just my humble, uneducated opinion.

I am unable to re-produce this, CCleaner doesn't even install any jpgs. I'm pretty sure this is a failed troll or you're infected with something else.

[CHESTON]

brian2009, on Feb 28 2009, 12:10 AM, said:

I am unable to re-produce this, CCleaner doesn't even install any jpgs. I'm pretty sure this is a failed troll or you're infected with something else.

Not a troll, you dolt. This is real, and it's happening on every 64 and 32 bit system we have, all on different ISPs, users and so forth. You obviously work for piriform since your very first post is not one seeking help but one defending the company and attacking an honest poster seeking assistance and being ignored by the company.

I guess everyone else on here is trolling, as well, if they post about an issue this serious.

[CHESTON]

My IT guys just locked it down to the point of install.

When you do a registry analysis using even the latest version of CCleaner it installs Virtumonde of 2 different types. It is not a false positive. It is installing, as the trojan does, infected files under random file types and names under the AppData, Temp Internet Files, Low folders.

There you have it Piriform. Whether it's you or your uploading sites that are sticking the malicious code in there, it needs to be fixed. You have a better reputation than this.

[DennisD]

CHESTON, on Feb 28 2009, 07:27 PM, said:

Not a troll, you dolt.

I've no intention of repeating the previous comments made on this subject, but I will say to you that none of the members on this forum work for Piriform. We are all volunteer helpers, and if you make another comment like this one, I'll suspend your account without hesitation.

Edit: On second thoughts, I am suspending your account. That remark was unjustified and totally unacceptable.

[ccnewbie]

Hi Dennis: Do you have any idea what the problem is? I've downloaded the newest update of ccleaner and it hasn't happened since, and I sent logs to spy sweeper but never got a response. Nothing gets flagged with malwarebytes or superantispyware -- only spy sweeper.

[hazelnut]

Hello ccnewbie,

The problem is for spysweeper to solve, it is a false positive on their part and I am afraid all you can do is keep emailing them about it.

[Rorschach112]

This has gone on too far

IT IS a false positive. CHESTON please don't PM staff as well. This is clearly a problem on Webroots part, you can get in touch with them about it.


I have run the CCleaner installer through VirScan.org/Jotti/Virustotal, which scans it with around 40 anti-virus scanners. None of them detect any problems. It is completely clean.


Closing this topic since its clearly wrong and getting nowhere