#1
I downloaded SpywareGuard yesterday onto 2 different computers. The first was a Win/XP machine and I chose the minimal install. Everything went swimmingly and I was able to run the live update. The second was a Win/98 SE machine and I chose the full install (first from the topmost link, but when that page was unavailable, I downloaded from the second link (BTN mirror)). I was redirected to majorgeeks.com and then to the BTN download link. Everything installed as expected, and I ran the live update. Just after that I scanned the 98 machine with my anti-virus software and turned up a trojan, identified as TROJ_SCTHOUGHT.C by the anti-virus software. It was embedded into install23.exe, located in my temporary internet files. Since I flush the temporary internet files with every use, I am fairly certain that this trojan came down with your install package.
Ironic, dontja think? There I was downloading a tool to prevent spyware and trojans from gaining a foot-hold on my computer, and in so doing, downloaded a trojan. Kind of like getting beat up by your body guard. No harm done. What the anti-virus did not destroy, I sought out and destroyed myself (a file named 'stcloader.exe' in \windows\system). Just thought you should know, and lest you lose credibility, something you should take care of. Who's going to take you seriously, talking about spyware and security issues, when your own utility comes with malicious code embedded in the install?
#2
Split this from "Spywareguard 2.2 released" and renamed appropriately - Detox
__________________
"The price of freedom is eternal vigilance." - Thomas Jefferson
#3
Hello Detox! Does this mean I should move SpywareGuard down the list of installs for a few days or just be cautious where I dwld from?
__________________
...Contempt prior to investigation will keep mankind always in ignorance...
#4
Valkyri - I find that highly doubtful, myself.
Anyway, the SpywareGuard install file is called "SpywareGuardsetup.exe"
__________________
"The price of freedom is eternal vigilance." - Thomas Jefferson
#5
Quote:
"fairly certain"? And yet you go to make a remark like this?
Quote:
Question: What A/V program gave you the alert? Was it fully updated when it did so? Did you submit the files in question to that A/V vendor to see if they were false positives?
I totally un-installed/re-installed SG using the same process you did just now - it's clean.
From NOD32 (totally updated and all scanning options checked):
__________________
"When fascism comes to America it will come wrapped in the flag and carrying a cross." Sinclair Lewis
#6
From TDS-3 (likewise up-to-date and all scan options chosen):
__________________
"When fascism comes to America it will come wrapped in the flag and carrying a cross." Sinclair Lewis
#7
This is ridiculous. I've been running SG almost as long as I've been using a computer, and recommending it to everyone I know. Never had problems of any kind or heard anyone complain about it.
The alleged "trojan" was most probably a F/P from the antivirus (even they may err sometimes).
Just my 2c worth,
BS
EDIT - Just did some brief research and found that install23.exe is related to I-Worm/Swen.A, which spreads via e-mail. Malicious e-mail attachments are known to drop infected files in the Temp folder, even if you just preview the e-mail without physically opening the attachment. kcsmike, how can you be so sure the "trojan" didn't come from a similar source?
__________________
I am the iron anchor.
#8
From The Cleaner (updated and full scan, all options checked):
__________________
"When fascism comes to America it will come wrapped in the flag and carrying a cross." Sinclair Lewis
#9
TrojanHunter (ditto, ditto, ditto):
(I could go on, but I really do think it's clean).
Pete
__________________
"When fascism comes to America it will come wrapped in the flag and carrying a cross." Sinclair Lewis
#10
Sorry if my comments were a little over the top. Here's what I did last night....

I burned a CD. I visited this website. I downloaded Spyware Guard 2.2 as explained earlier. After installation, Spyware Guard seemed to be working just fine. I did not check email. I then went out to the TrendMicro site and downloaded their latest virus pattern and scanned my C: drive. PC-cillin 2003 quarantined the trojan, and I deleted it.

At this point, I re-booted. On the way back up, Spyware Guard encountered an error and gave me a choice to CLOSE or IGNORE. I chose CLOSE. I clicked on the Spyware Guard icon, and got the same error. I then visited the TrendMicro site to read up on TROJ_SCTHOUGHT.C. I checked for what was suggested, and found a file in \windows\system named 'stcloader.exe'. I had to re-boot into safe mode to delete it. I then uninstalled Spyware Guard 2.2.

I have IE set to clear the temporary internet files at the end of each session, so I don't see how install23.exe could be lingering there from a prior session. Sorry if I offended anyone's sensibilities, but I am glad someone took the time to check it out. If I didn't pick up the trojan from the Spyware Guard installation, my apologies and I stand chastised.

Today, I checked out the Win/XP computer, ran the TrendMicro virus scan (although it's a more current product than PC-cillin 2003), and came up with nothing. I searched for the same files I searched for on the Win/98 machine, and also came up with nothing. So I kept Spyware Guard 2.2 on that computer.
#11
Here's some more info on stcloader.exe:
1) http://www.liutilities.com/products/...ary/stcloader/
2) http://www.viruslist.com/eng/viruslist.html?id=815149
3) http://www.pestpatrol.com/PestInfo/s/secondthought.asp
4) http://www.spywareguide.com/product_show.php?id=611

Just to back up my arguments with tangible proof as well, I too uninstalled SG, downloaded it again (the minimal setup) from here: http://www.wilderssecurity.net/spywareguard.html (you were right that the full install cannot download from the first location due to SpywareInfo being down at the moment) and re-installed it, monitoring it via Total Uninstall. Nothing out of the ordinary. Then scanned the PC with AVG, Ad-Aware, Spybot Search & Destroy, Bazooka, and online at both Symantec & Trend Micro, and all scans were squeaky clean.

Are you sure there was nothing malicious already installed on your PC without your knowing, which probably corrupted SG's core files/database?
__________________
I am the iron anchor.
#12
Thanks for the links, Black Swan. Am I sure....? Well, I didn't actually see the trojan get planted on my computer. I just put 1 and 2 together. I downloaded something, virus-scanned, and turned up a trojan related to some sort of install, and concluded it must have been the thing I installed. Maybe I jumped the gun. Maybe the virus pattern was improved and just now picked up what had been sitting out there for a while.

I am a little confused about something else. When IE is set to clear out all of the temporary internet files after each session, and I end IE, how can anything be left over in the internet temporary files? It's bad enough that I can't see them via DOS, or via Explorer. Once a week I run this DOS command from the C:\WINDOWS prompt: DELTREE /Y TEMPOR~1\*.* I never see anything get deleted, and it never complains.

Anyway, this weekend I'll try again. I'll virus-scan the disk, download SpywareGuard again; and virus-scan again. That's about 4 hours right there. I'll see if it turns up again.

I guess I pushed everybody's buttons with this. I am not too proud to say 'whoops'. Javacool, your integrity is officially restored. Keep up the good work. On the other hand, if I hadn't, everyone would have brushed me off, and no one would have bothered to check it out.
#13
If the file is in use, it cannot be deleted. So if a file remains in your temp file, it is either active or in use by some other program....
HTH.... Regards, Kent
__________________
Best regards, Kent AX64 Time Machine - Travel in Time Current Version 1.1.0.996
#14
Quote:
BS
__________________
I am the iron anchor.
#15
Hi all,
sorry to pop in here but... if there's some doubt or no surety over the evil, why doesn't kcsmike have his HijackThis log posted so that experts can have a look at it and say if there's anything still residing... thx
__________________
http://blog.emsisoft.com www.Emsisoft.com
#16
The file as available from the BTN mirror is perfectly safe.
Any positive flagging from a security software scanning points to a false positive from the software in question as for SG. There's no need to publish HJT logs as for SpywareGuard.
regards.
paul
__________________
01110010 01100101 01100111 01100001 01110010 01100100 01110011 00100000 01110000 01100001 01110101 01101100
#17
Quote:
Paul, sorry but I told kcsmike to post HJT coz he said he doubts if he has any trojans.... anyways if you feel it's not needed then there must be reasons. thx
__________________
http://blog.emsisoft.com www.Emsisoft.com
#18
sub,
Quote:
...and you were right in doing so. I merely pointed out there's no relationship with this SG download and the need for a HJT log in this context.
regards.
paul
__________________
01110010 01100101 01100111 01100001 01110010 01100100 01110011 00100000 01110000 01100001 01110101 01101100