worm-koobface alert when running CCleaner


dangerous53

Having a problem with my registered SpySweeper W/Antivirus giving file alerts for worm-koobface whenever I finish a web session and run CCleaner. This does not happen every time, but it happens often. The file it quarantines is always in C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\wgo54x7s.default\cache.

 

This never shows up in a scan, only when CCleaner is run (set at 7 passes). I have run several online scans with OneCare, Housecall, and Eset, and nothing shows up. I have also used RootkitRevealer, Gmer, RootRepeal, and Sophos Anti-Rootkit, and nothing out of the ordinary shows up; there is no infection on my machine.

 

I recently renewed my SS subscription, and just in case, I uninstalled it and redownloaded it again from Webroot's site. I also re-downloaded the most recent version of CC from filehippo.

 

Today I ran a little experiment, surfed a bit (at known and trusted sites), copied the Firefox cache file so I had an uncorrupted copy, scanned the original with no threat found, and then when I ran CCleaner I got a file alert for worm-koobface. I did this to narrow down which particular file was causing the trigger, because once CC runs, the file is overwritten.

 

I then made a copy of the file causing the trigger, scanned it with no result, deleted it with no result, and when I ran CCleaner it triggered on the file in the recycle bin. I uploaded the file to virustotal with no threat found.

 

I have a ticket open with Webroot regarding this problem and will post the results when they come in. The tech said he had another similar ticket, but neglected to mention if they used CCleaner.


So what operating system do you use??? I am assuming you are using Windows XP.

I love computer maintenance tasks.

Some of my favorite programs:

Wordpad -basic word processing

Notepad - temporary clipboard and basic scripting module

Windows Media Player 12- video, music and online radio player

Windows Media Center - live TV, local FM radio

CCleaner- handy computer maintenance tool

 

If something fails to work after using the registry cleaner, use SYSTEM RESTORE.


Win XP Pro.

 

Yesterday I was deleting some old files, which have been on my computer for over a year and scanned hundreds of times in regular sweeps. When I ran CCleaner to clean things up SS triggered on 6 of the files in the recycle bin.

 

I'm positive the files were OK, so I think there is a conflict between CCleaner and Spy Sweeper; unfortunately I updated both right around the same time.

 

Going to try backdating CC and see if that makes a difference.


Just got an answer from Webroot regarding this:

 

Hi,

Since I only help customers clean infections from their systems and yours is clean, I can only give you a suggestion regarding this issue.

Please try shutting down Spy Sweeper and then running CCleaner to avoid what sounds like a conflict between the two applications over which is going to handle a file. You should do the same while logged into any other user accounts that are on your system.

After running CCleaner, go ahead and run a full sweep in Spy Sweeper.

 

As for your file, please submit any suspicious files to our partner Sophos using the following link:

http://www.sophos.com/support/knowledgebas...icle/11490.html

 

If you believe that there is a conflict between CCleaner and Spy Sweeper, please either have someone at CCleaner or yourself use the link on our web site to submit a request to look into it.

http://www.webroot.com/En_US/about-contact...2313b0e85f2d61d

At the very bottom:

Software Vendors

Submit a request to investigate if you believe Spy Sweeper is incorrectly detecting your product.


Hi,

 

CCleaner deletes a file by calling a very standard Windows API called "DeleteFile".

 

If you are using CCleaner's Secure Deletion option, then CCleaner needs to open the file to overwrite and then uses the same Windows API above to delete the file.

 

Try to turn off Secure Deletion if you are using it and run some testing.

 

Otherwise, there is really nothing extraordinary that CCleaner does when deleting a file.

 

Let us know

 

Thanks


Hi,

 

I'm new to the forum. However, I have been having almost exactly the same issues with Webroot and CCleaner. I have CCleaner set to 1 pass, secure deletion, and every once in a while, when running CCleaner, "Webroot Internet Security Essentials" pops up and warns of a "Koobface" Trojan. I have run several "full" scans of my machine and dozens of "quick" scans. None have detected a virus. I submitted a ticket to Webroot. So far I have received the usual broad, sweeping answers. I will continue to follow up with Webroot.

 

I have created a folder for copies of my Firefox cache files, then copied the cache to that folder, then run Webroot on the folder and found no problems, then run CCleaner, and about 1 in 10 times up pops a Koobface warning. I run a folder scan on the files I copied and still no problems are found.

 

This problem is really a challenge because it can go a couple of days without showing up. I don't know if CCleaner is writing files (during the overwrite process) that Webroot is picking up, or if Webroot is looking at odd behavior, or if it's in the Webroot definitions. I assume CCleaner uses totally random data to overwrite the files, which makes the problem even more confusing. I wish that CCleaner included a setting to make it write all zeros. That would eliminate the random data issue. When CCleaner is run it overwrites a lot of files: the recycle bin, the Explorer files, etc. Each time Webroot warns of a Koobface alert, it always comes from the Firefox cache. However, keep in mind I hardly use Internet Explorer at all.

 

Here are some facts:

Machine: HPdv1000

Op Sys: Win XP SP3 (system updates are current within a few days)

Webroot: 6.1.0.145 (engine version: 3.4.1 - Latest data Update 2/27/2010)

Ccleaner: v2.27.1070

First detected: Feb 17, 2010

 

 

Today, my other machine, a Sony desktop, pops up with the same Webroot alert while running CCleaner. I hardly ever even use that machine to go to the internet. It also contains the same version of Webroot, and its virus database is up to date. The only difference is that the version of CCleaner is v2.26.1070.

 

Here are my possible conclusions:

 

1: Webroot is falsely detecting behavior or,

2: Ccleaner has got a problem or,

3: This is one very scary Trojan, because it eludes multiple scans!!!

 

That's all I know for now, any comments are welcome.

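A small Python harness for the experiment described in the posts above (overwrite the file in place for N passes, then the ordinary delete call, with either random data or the all-zeros variant the previous poster wished for), added here as an example and not code from Piriform or Webroot. It works on a constructed sample file and records the hash of what each pass wrote, which is the content a real-time scanner hooking the write would be judging; it assumes nothing beyond the Python standard library.

```python
import hashlib
import os
import secrets
import tempfile

# Constructed stand-in for a browser cache entry; not a real Firefox cache file.
SAMPLE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
          b"<html>constructed sample cache entry</html>")

def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()

def secure_delete(path, passes=1, pattern=None):
    """Overwrite the file in place `passes` times, then unlink it.
    pattern=None writes fresh random bytes each pass (what the thread assumes
    the cleaner does); pattern=b"\\x00" writes zeros, the variant the second
    poster wished for. Returns the SHA-256 of each pass's content, i.e. what a
    real-time scanner hooking the write sees before the DeleteFile-style removal."""
    size = os.path.getsize(path)
    seen = []
    with open(path, "r+b") as f:
        for _ in range(passes):
            data = secrets.token_bytes(size) if pattern is None else pattern * size
            f.seek(0)
            f.write(data)
            f.flush()
            os.fsync(f.fileno())  # make sure the pass really reaches the disk
            seen.append(sha256_bytes(data))
    os.remove(path)  # the ordinary delete call, same as without secure deletion
    return seen

def run_trial(passes=1, pattern=None):
    """One round of the original poster's experiment on a constructed file:
    hash the untouched content, overwrite-and-delete it, report what changed."""
    fd, path = tempfile.mkstemp(suffix=".cache")
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE)
    overwrites = secure_delete(path, passes=passes, pattern=pattern)
    return {"original": sha256_bytes(SAMPLE),
            "overwrites": overwrites,
            "deleted": not os.path.exists(path)}

if __name__ == "__main__":
    for label, pat in (("random", None), ("zeros", b"\x00")):
        r = run_trial(passes=3, pattern=pat)
        print(label, r["deleted"], [h[:12] for h in r["overwrites"]])
```

Comparing which variant (random bytes or zeros) still trips the alert, with the per-pass hashes in hand, separates a content-based detection from one reacting to the overwrite behaviour itself.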

I think at this point I can rule out #3 (on my machine anyways) as I have been through a number of scan procedures with different software with no results found. Including MalwareBytes, SuperAntiSpyware, Eset Online Scanner, Windows Live OneCare safety scanner. For rootkits: Gmer, Rootrepeal, Sophos Antirootkit, and more that I can't remember. There is a thread about it here as well: http://forums.majorgeeks.com/showthread.php?t=210893

 

I don't believe it is #2 either, as I have tried with backdated versions of CCleaner with the same result.

 

My problem started shortly after renewing my subscription to SpySweeper and re-downloading the program, so my vote is for #1. This does not just involve Firefox's cache, see post #4.

 

I tried to report this to Webroot using the supplied link in their reply, but only Piriform can report it and get Webroot to investigate.


You're most likely correct about the warning showing up in more than just the Firefox cache files.

 

I have been trying a different method lately. I use the cleanup function in Webroot first and then use CCleaner to get the rest of my files, such as temp files other graphics programs leave, and so on. Webroot doesn't have a custom file setting like CCleaner. Since I have been erasing files in this manner I haven't seen the warning pop up. But, then again, my machine has been known to go a couple of days without complaining before. I agree this is probably a Webroot problem. And I agree that the folks at Piriform need to call and talk with Webroot about solving it.

 

I hope that when a definitive answer is found, both Webroot and Piriform will let the users know what happened so we can rest assured this is a technical problem, and not a Trojan.... Both Webroot and Piriform are great, but sometimes companies shy away from admitting mistakes, because they fear their clients will lose faith. Personally, I am impressed with anyone who comes forward and is open about their product.


One other note,

 

I have been using the same Webroot engine for a while. I would tend to suspect the problem is in the virus signature definition list, or some other file that is downloaded during routine updates. I did my initial install of Webroot back in May 2009.

 

Like I said Webroot showed the first warning to me on about Feb 17, 2010.


This is exactly what happens to me. If I use other cleaner software (Clean Disk Security, Webroot, or even Firefox's own Clear Recent History > Clear Cache) to clean my cache, there is no problem. I have done multiple security sweeps with multiple applications, which all show no problem. It seems that there is a definitive trigger in CCleaner that starts this behavior.

By the way, did anyone else get a 6 month extension to Webroot? It seems that my subscription to Webroot Internet Security Essentials was extended, for free and without request, from Webroot. This happened near the same time that the koobface warnings started popping up....


2 weeks later...

 

3/16/10 Update: The problem has stopped. My Webroot Internet Security Essentials program had a problem while I was adding a program manually to the firewall. It basically started doing some sort of updating repeatedly, and after 15 or so minutes I had to manually turn off my computer. I restarted and Webroot Internet Security Essentials was downgraded to the standard Webroot AntiVirus with Spy Sweeper. I even re-downloaded the program and re-installed, and it's still the standard Webroot AntiVirus with Spy Sweeper. Ball's now in Webroot's court...
