
Trojan-Downloader.W32.ZLob.apw Virus Found on Recent Update


ItsMe


Protector Plus 2008 Anti-Virus

Kaspersky Anti-Virus 7.0

GRISoft AVG Anti-Virus 7.5

ESET NOD32 3.0 Anti Virus Pro

Panda Internet Security 2008

Norton AntiVirus 2008

Frisk Software FPCMC Anti-Virus

 

All found Trojan-Downloader.W32.Zlob.apw VIRUS at filehippo.com (ccsetup207.exe) 5-17-2008 for CCleaner 207.exe recent update download.

 

Generic.Zlob.39FF91C0

 

Aliases: Downloader.Zlob.GOE (GRISoft AVG 7.5.516/1280 15-Feb-2008)

Trojan-Downloader.Win32.Zlob.apw (Kaspersky Lab KavCon 1.0.0.48 15-Feb-2008)

W32/Zlob.EBV (Frisk Software FPCMD 4.4.3 14-Feb-2008)

 

Detected by: SOFTWIN BitDefender BDSCAN 1.01 15-Feb-2008

 

Consider uninstalling CCleaner completely and registry keys related to program. DO NOT USE THIS PROGRAM! UNINSTALL IMMEDIATELY!

3 systems running ESET NOD 32 will not let the latest UPDATE from filehippo.com (http://fs8.filehippo.com) from touching my machine, instantly stops the .exe file from being downloaded. ZLOB VIRUS DETECTED with CCleaner RECENT DOWNLOAD AT FILEHIPPO.COM

 

What's going on with all the freeware out there? This is the 4th freeware my security software (and I have the best) that has found embedded viruses and trojans trying to compromise my machines. This is crazy!


  • Moderators

This will be yet another false positive. There is no need to uninstall CCleaner.

 

Please report this false positive to the relevant software vendors so they can update their definitions.

 

More and more false positives are being found in software setups and uninstallers because of the way they are 'packed'.

 

Support contact

https://support.ccleaner.com/s/contact-form?language=en_US&form=general

or

support@ccleaner.com

 


I have CCleaner on 26 systems all running various AV software at 6 different sites around the country since it was first made available as freeware. ALL found the ZLOB virus in the recent download at hippo.com. This to me does not seem to be a false positive with all these top virus vendors you want me to report this to them on your behalf? I'd rather just uninstall the software altogether. To continue using CCleaner I would have to shut down all the virus programs just to get the recent download at filehippo.com and allow it to be downloaded to my machines. I mean I'm not even executing the file yet and my AV software on all 26 machines is preventing the download off the hippo.com server altogether. I don't understand how this download can be a false positive, this has never happened in many downloads of CCleaner. It's freeware so what can I say, and like I said you are just the 4th freeware company where my virus and anti-malware programs found viable threats, not just false positives.

 

Goodbye CCleaner. I'll stay with Webroot's Window Washer, a program I can trust and the investment is worth it.

:(


ALL found the ZLOB virus in the recent download at hippo.com. This to me does not seem to be a false positive with all these top virus vendors you want me to report this to them on your behalf?

There is nothing wrong with CCleaner 2.06.567 from FileHippo, I always get mine from there.

To continue using CCleaner I would have to shut down all the virus programs

You don't need more than one virus checker running, just select a good one and ditch the rest. ;)

Keith

 

Windows XP 2002 SP3

IE 7.0

 

Martin2k

 

Rorshach112 is the best


Protector Plus 2008 Anti-Virus

Kaspersky Anti-Virus 7.0

GRISoft AVG Anti-Virus 7.5

ESET NOD32 3.0 Anti Virus Pro

Panda Internet Security 2008

Norton AntiVirus 2008

Frisk Software FPCMC Anti-Virus

 

All found Trojan-Downloader.W32.Zlob.apw VIRUS at filehippo.com (ccsetup207.exe) 5-17-2008 for CCleaner 207.exe recent update download.

Hello ItsMe,

Exactly where was this test done!!! Everything else in your post was about other things and over months old.

You come in here in a panic and start making foolish accusations instead of asking for the help you need.

 

There is an alternative download site. I downloaded from there a little while ago. 07:16 pm and successfully installed. I am running AVG 7.5 with updates from moments prior to the download.

No problems were found.

 

I successfully downloaded and installed from http://www.filehippo.com/download_ccleaner/

I ran another scan using AVG 7.5 and no problems were found.

 

Now, you need to get yourself calm and collected and together we can help you in your time of crisis.

 

Best wishes,

:) davey

P.S. I have some current thoughts about your problem. I won't go there right now.

I am currently testing and downloading on another computer without any AVG updates since yesterday, May 16, 2008.

P.S. Forgot to return but testing on another machine without AVG updates since May 16, 2008

still resulted in no problems found.

This is either a "hoax" or the problem is not being caused in any way by CCleaner.

Edited by davey

  • 2 weeks later...

Sorry to say this, but I am with this poster here.

 

Recently serviced 6 machines using the aforementioned version of CCleaner from the File Hippo link this past two weeks and have had to revisit every one of these machines after their respective a/v's reported problems with the zlob trojan.

 

Now fortunately I have been able to remove the issues with Spybot S&D, and resorted to using an earlier version of CCleaner I had on a memory stick.

 

Suggest users take a look at the following if they get hit with zlob (Warning, the following link assumes you have good working computer know-how. If you do not feel comfortable, I suggest you use Spybot S&D, and follow its instructions when scanning):

 


Sorry to say this, but I am with this poster here.

 

Recently serviced 6 machines using the aforementioned version of CCleaner from the File Hippo link this past two weeks and have had to revisit every one of these machines after their respective a/v's reported problems with the zlob trojan.

I just downloaded and ran the latest CCleaner 2.08.588 update from FileHippo and avast! never complained about it being infected.

 

I have never had any CCleaner download infected by Zlob.

 

Now fortunately I have been able to remove the issues with Spybot S&D, and resorted to using an earlier version of CCleaner I had on a memory stick.

 

Suggest users take a look at the following if they get hit with zlob (Warning, the following link assumes you have good working computer know-how. If you do not feel comfortable, I suggest you use Spybot S&D, and follow its instructions when scanning):

The user's systems were not infected via CCleaner but as Zlob is mutating so fast there are many ways that a system can become infected, especially if they are not protected by MBAM Resident, SpywareBlaster, Windows Defender or WinPatrol.

"Education is what remains after one has forgotten everything he learned in school." - Albert Einstein

IE7Pro user


Hello stanmarsh14,

You sound like you are in better condition to reasonably discuss this situation than the original poster.

 

The original poster was obviously out of control. I offered to discuss this with him as I am with you.

I agree with the fact that A/V programs can report the "apparent" presence of a malware.

Do you agree with his actions? He went around this forum telling people to remove CCleaner etc.

He did this without reasonably discussing his situation. He obviously has a problem with his systems and that is what he needed to resolve. He had already had these reports with other software.

 

Now, to your situation.

You had reports from one A/V or several also?

 

What was the name of the package, program etc. that was identified?

 

Did you have any problems removing the suspected software?

 

Did you experience all the other associated problems that come with the actual presence of a virus?

 

What method do you use to download?

 

What method is used to install the software?

 

Do you possibly know the exact date the software was downloaded?

 

Best wishes,

:) davey


OK, first I need to apologise in that the version concerned was v2.07, and NOT the current v2.08 what I have just spotted.

 

Most of the machines I have serviced are using Norton IS / Symantec Corp AV, though there are two that are running a different a/v (Steganos and Zone Alarm Security Suite), all the machines are reporting issues with v2.07 CCleaner resulting from the file hippo link.

 

Yes, mistakes can and do happen in this world, and yes the original poster was getting a bit out of control, but on the flipside the OP was basically getting an unhelpful response from staff / trusted members here, saying basically "nothing to do with us, our product is clean" without any apparent double checking till later in this thread.

 

I think what has happened is that folks have gotten confused with what versions of CCleaner was affected here. From what I can see, it is v2.07 from File Hippo and NOT the current v2.08, though I have yet to check this myself, though I am sure it will be fine, and it was just one of those mistakes that can and do happen in computer programming (Big clue here is to read the DISCLAIMER of ANY software you choose to install).

 

EG: "This software is provided 'as-is', without any express or implied warranties whatsoever. In no event will the authors, partners or contributors be held liable for any damages, claims or other liabilities direct or indirect, arising from the use of this software."

 

Removal of the issues with Zlob appear to be easy if you use Spybot S&D (http://www.safer-networking.org/en/index.html), or if you are more of a comp techie like myself you could follow the information here:

(Warning, this info is for advanced users ONLY!)

 

Bottom line is..... if after all of this, will I stop using CCleaner?...... NO. Piriform have a fantastic product, and better yet IT'S FREEWARE unlike Norton Utilities (Which is the nearest product that comes to mind that comes close to what CCleaner can do). People have to realise that ANYTHING they download always carries some risk, and most will check the item downloaded with a good anti-virus BEFORE installing (If need be, you can check any files by checking out http://www.virustotal.com/ which uses 30 a/v scanners, free of charge).

 

(If Piriform are reading this, seriously guys, for a product like this, you need to start charging for it, even if it's just like say $10 US).

 


Right, just downloaded v2.08, using the alt location NOT the File Hippo link.

 

Just sent the file to Virus Total, and these are the results....

 

File ccsetup208.exe received on 05.31.2008 11:24:51 (CET)


Result: 1/30 (3.34%)


Antivirus          Version        Last Update  Result
AhnLab-V3          2008.5.30.1    2008.05.30   -
AntiVir            7.8.0.25       2008.05.30   -
Authentium         5.1.0.4        2008.05.31   -
Avast              4.8.1195.0     2008.05.31   -
AVG                7.5.0.516      2008.05.30   -
BitDefender        7.2            2008.05.31   -
CAT-QuickHeal      9.50           2008.05.30   -
ClamAV             0.92.1         2008.05.31   -
DrWeb              4.44.0.09170   2008.05.31   -
eSafe              7.0.15.0       2008.05.29   -
eTrust-Vet         31.4.5837      2008.05.30   -
Ewido              4.0            2008.05.31   -
F-Prot             4.4.4.56       2008.05.31   -
F-Secure           6.70.13260.0   2008.05.31   -
Fortinet           3.14.0.0       2008.05.30   -
GData              2.0.7306.1023  2008.05.31   -
Ikarus             T3.1.1.26.0    2008.05.31   -
Kaspersky          7.0.0.125      2008.05.31   -
McAfee             5307           2008.05.30   -
Microsoft          None           2008.05.31   -
NOD32v2            3148           2008.05.30   -
Norman             5.80.02        2008.05.30   -
Panda              9.0.0.4        2008.05.31   Suspicious file
Prevx1             V2             2008.05.31   -
Rising             20.46.50.00    2008.05.31   -
Sophos             4.29.0         2008.05.31   -
Sunbelt            3.0.1139.1     2008.05.29   -
Symantec           10             2008.05.31   -
VirusBuster        4.3.26:9       2008.05.30   -
Webwasher-Gateway  6.6.2          2008.05.30   -

Additional information

File size: 2914296 bytes

MD5...: 615b5b05eb90ddb4a071ddfb3514a9e1

SHA1..: 788b87df7efcf14d26de5a4abc793fd547c173e2

SHA256: 3ce60972e4ede061b3306aebc435fd4ae7d0179fbfc02e2827b32c2b200b0518

SHA512: 7ab255d955e17cb9d351540edd8cb6d1e7cf685c64b0cadeb9dac3ec6815f774e69e759d15a2e478db172552f55b088ba6611dfb746e6ea72367aebc8b28ced0

PEiD..: -

PEInfo: PE Structure information

 

( base data )

entrypointaddress.: 0x403225

timedatestamp.....: 0x47eebf2f (Sat Mar 29 22:14:07 2008)

machinetype.......: 0x14c (I386)

 

( 5 sections )

name    viradd   virsiz   rawdsiz  ntrpy  md5
.text   0x1000   0x5934   0x5a00   6.46   663546ac41801daf2dc51f560ec05a56
.rdata  0x7000   0x1190   0x1200   5.18   db16645055619c0cc73276ff5c3adb75
.data   0x9000   0x1af98  0x400    4.70   f0511f18783910813a0de0de02bc1206
.ndata  0x24000  0xb000   0x0      0.00   d41d8cd98f00b204e9800998ecf8427e
.rsrc   0x2f000  0x8668   0x8800   4.83   2f872074846dfae7e1a9228f0ebe6c70

 

( 0 exports )

packers (Kaspersky): WiseSFXDropper, WiseSFXDropper, WiseSFXDropper

 

As you can see, I have received only ONE HIT, and that is from Panda, which is most likely a FALSE-POSITIVE. If this file was infected with something, I would expect to see a lot more hits than this (I would normally consider that anything which results in hits totalling more than 33% to be enough to warrant further checking / not installing the app).
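
The rule of thumb used in the post above (count the engines that flag the file and look closer once more than 33% do) can be applied mechanically to a pasted report of this shape. The following Python is an added example, not part of the original thread: `parse_report`, `triage` and the one-day signature-age cut-off are assumptions made for illustration, and the sample rows are a subset copied from the report above.

```python
import re
from datetime import date

# Subset of the rows from the VirusTotal paste above (8 of the 30 engines).
REPORT = """\
Antivirus Version Last Update Result
AVG 7.5.0.516 2008.05.30 -
BitDefender 7.2 2008.05.31 -
eSafe 7.0.15.0 2008.05.29 -
Kaspersky 7.0.0.125 2008.05.31 -
Microsoft None 2008.05.31 -
NOD32v2 3148 2008.05.30 -
Panda 9.0.0.4 2008.05.31 Suspicious file
Symantec 10 2008.05.31 -
"""

# engine, version, YYYY.MM.DD, then the verdict ("-" means nothing detected;
# a verdict may contain spaces, e.g. "Suspicious file").
ROW = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+"
    r"(?P<y>\d{4})\.(?P<m>\d{2})\.(?P<d>\d{2})\s+(?P<result>.+?)\s*$"
)

def parse_report(text):
    """Return one dict per engine row; header and page residue are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        rows.append({
            "engine": m["engine"],
            "version": m["version"],
            "updated": date(int(m["y"]), int(m["m"]), int(m["d"])),
            "result": None if m["result"] == "-" else m["result"],
        })
    return rows

def triage(rows, scan_date, threshold=0.33, max_sig_age_days=1):
    """Apply the poster's 33% rule and list engines whose signatures lag.

    threshold is the poster's own figure; max_sig_age_days is an assumption.
    """
    hits = {r["engine"]: r["result"] for r in rows if r["result"]}
    stale = [r["engine"] for r in rows
             if (scan_date - r["updated"]).days > max_sig_age_days]
    ratio = len(hits) / len(rows) if rows else 0.0
    return {"total": len(rows), "hits": hits, "ratio": ratio,
            "stale": stale, "needs_review": ratio > threshold}

if __name__ == "__main__":
    summary = triage(parse_report(REPORT), scan_date=date(2008, 5, 31))
    print(summary)
```

The ratio describes only the one file that was uploaded; comparing the SHA256 in the report with the hash of the installer on another machine is what shows whether two people scanned the same binary.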


Yes, mistakes can and do happen in this world, and yes the original poster was getting a bit out of control, but on the flipside the OP was basically getting an unhelpful response from staff / trusted members here, saying basically "nothing to do with us, our product is clean" without any apparent double checking till later in this thread.

Hi Stan,

Glad you responded

Also a very sensible response too.

The statement above is not true though.

The OP's first post told people to uninstall and not use CCleaner right off the bat.

Then he went to another thread and posted a reply to the same effect only minutes later.

The first reply he got was from hazelnut, a very respected member and Global Moderator of this forum.

Her reply was very reasonable and not uncaring. She had already done her checking and knew what she was talking about. She has a very gentle way of suggesting that you may be confused, not have your facts straight or be absolutely wrong.

He did not accept her reply and went right on with his unreasonable attacks.

Again thanks for your reply and your valued membership,

:) davey


The first reply he got was from hazelnut, a very respected member and Global Moderator of this forum.

Her reply was very reasonable and not uncaring. She had already done her checking and knew what she was talking about. She has a very gentle way of suggesting that you may be confused, not have your facts straight or be absolutely wrong.

Sorry to go off topic guys and gals but is hazelnut a female? You can't always go by their avatar. ;)

 

Ok I've just read her profile. :huh:

Keith

 

Windows XP 2002 SP3

IE 7.0

 

Martin2k

 

Rorshach112 is the best
