trojan in Spywareguard install?

Discussion in 'SpywareBlaster & Other Forum' started by kcsmike, Feb 20, 2004.

Thread Status:
Not open for further replies.
  1. kcsmike

    kcsmike Guest

    I downloaded SpywareGuard yesterday onto 2 different computers. The first was a Win/XP machine and I chose the minimal install. Everything went swimmingly and I was able to run the live update. The second was a Win/98 SE machine and I chose the full install (first from the topmost link, but when that page was unavailable, I downloaded from the second link (BTN mirror)). I was redirected to majorgeeks.com and then to the BTN download link. Everything installed as expected, and I ran the live update. Just after that I scanned the 98 machine with my anti-virus software and turned up a trojan, identified as TROJ_SCTHOUGHT.C by the anti-virus software. It was embedded in install23.exe, located in my temporary internet files. Since I flush the temporary internet files with every use, I am fairly certain that this trojan came down with your install package.
    Ironic, dontja think? There I was downloading a tool to prevent spyware and trojans from gaining a foothold on my computer, and in so doing, downloaded a trojan. Kind of like getting beat up by your bodyguard. No harm done. What the anti-virus did not destroy, I sought out and destroyed myself (a file named 'stcloader.exe' in \windows\system). Just thought you should know, and lest you lose credibility, something you should take care of. Who's going to take you seriously, talking about spyware and security issues, when your own utility comes with malicious code embedded in the install?
     
  2. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Split this from "Spywareguard 2.2 released" and renamed appropriately - Detox
     
  3. Valkyri001

    Valkyri001 Registered Member

    Joined:
    Feb 15, 2004
    Posts:
    300
    Location:
    Friendswood Tx. 77546
    :) Hello Detox!
    o_O Does this mean I should move SpywareGuard down the list of installs for a few days, or just be cautious where I download from? o_O
     
  4. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Valkyri - I find that highly doubtful, myself.

    Anyway, the SpywareGuard install file is called "SpywareGuardsetup.exe"
     
  5. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    "fairly certain"? And yet you go to make a remark like this?


    Question:

    What A/V program gave you the alert?

    Was it fully updated when it did so?

    Did you submit the files in question to that A/V vendor to see if they were false positives?

    I totally un-installed/re-installed SG using the same process you did just now - it's clean. From NOD32 (totally updated and all scanning options checked):
     

    Attached Files:

  6. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    From TDS-3 (likewise up-to-date and all scan options chosen):
     

    Attached Files:

  7. BlackSwan

    BlackSwan Registered Member

    Joined:
    Jul 13, 2003
    Posts:
    104
    This is ridiculous. I've been running SG almost as long as I've been using a computer, and recommending it to everyone I know. Never had problems of any kind or heard anyone complain about it.

    The alleged "trojan" was most probably a F/P from the antivirus (even they may err sometimes).

    Just my 2c worth,
    BS

    EDIT - Just did a brief research and found that install23.exe is related to I-Worm/Swen.A, which spreads via e-mail. Malicious e-mail attachments are known to drop infected files in the Temp folder, even if you just preview the e-mail without physically opening the attachment. kcsmike, how can you be so sure the "trojan" didn't come from a similar source?
     
  8. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    From The Cleaner (updated and full scan, all options checked):
     

    Attached Files:

  9. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    TrojanHunter (ditto, ditto, ditto):

    (I could go on, but I really do think it's clean). Pete
     

    Attached Files:

  10. kcsmike

    kcsmike Guest

    Sorry if my comments were a little over the top. Here's what I did last night.... I burned a CD. I visited this website. I downloaded Spyware Guard 2.2 as explained earlier. After installation, Spyware Guard seemed to be working just fine. I did not check email. I then went out to the TrendMicro site and downloaded their latest virus pattern and scanned my C: drive. PC-cillin 2003 quarantined the trojan, and I deleted it. At this point, I re-booted. On the way back up, Spyware Guard encountered an error and gave me a choice to CLOSE or IGNORE. I chose CLOSE. I clicked on the Spyware Guard icon, and got the same error. I then visited the TrendMicro site to read up on TROJ_SCTHOUGHT.C. I checked for what was suggested, and found a file in \windows\system named 'stcloader.exe'. I had to re-boot into safe mode to delete it. I then uninstalled Spyware Guard 2.2.
    I have IE set to clear the temporary internet files at the end of each session, so I don't see how install23.exe could be lingering there from a prior session. Sorry if I offended anyone's sensibilities, but I am glad someone took the time to check it out. If I didn't pick up the trojan from the Spyware Guard installation, my apologies and I stand chastised. Today, I checked out the Win/XP computer, ran the TrendMicro virus scan (although it's a more current product than PC-cillin 2003), and came up with nothing. I searched for the same files I searched for on the Win/98 machine, and also came up with nothing. So I kept Spyware Guard 2.2 on that computer.
     
  11. BlackSwan

    BlackSwan Registered Member

    Joined:
    Jul 13, 2003
    Posts:
    104
    Here's some more info on stcloader.exe:

    1) http://www.liutilities.com/products/wintaskspro/processlibrary/stcloader/
    2) http://www.viruslist.com/eng/viruslist.html?id=815149
    3) http://www.pestpatrol.com/PestInfo/s/secondthought.asp
    4) http://www.spywareguide.com/product_show.php?id=611

    Just to back up my arguments with tangible proof as well, I too uninstalled SG, downloaded it again (the minimal setup) from here: http://www.wilderssecurity.net/spywareguard.html (you were right that the full install cannot download from the first location due to SpywareInfo being down at the moment) and re-installed it, monitoring it via Total Uninstall. Nothing out of the ordinary. Then scanned the PC with AVG, Ad-Aware, Spybot Search & Destroy, Bazooka, and online at both Symantec & Trend Micro, and all scans were squeaky clean.

    Are you sure there was nothing malicious already installed on your PC without your knowing, which probably corrupted SG's core files/database?
     
  12. kcsmike

    kcsmike Guest

    Thanks for the links, Black Swan. Am I sure.... ? Well, I didn't actually see the trojan get planted on my computer. I just put 1 and 2 together. I downloaded something, virus-scanned, and turned up a trojan related to some sort of install, and concluded it must have been the thing I installed. Maybe I jumped the gun. Maybe the virus pattern was improved and just now picked up what had been sitting out there for a while.

    I am a little confused about something else. When IE is set to clear out all of the temporary internet files after each session, and I end IE, how can anything be left over in the temporary internet files? It's bad enough that I can't see them via DOS, or via Explorer. Once a week I run this DOS command from the C:\WINDOWS prompt: DELTREE /Y TEMPOR~1\*.* I never see anything get deleted, and it never complains.

    Anyway, this weekend I'll try again. I'll virus-scan the disk, download SpywareGuard again; and virus-scan again. That's about 4 hours right there. I'll see if it turns up again.

    I guess I pushed everybody's buttons with this. I am not too proud to say 'whoops'. Javacool, your integrity is officially restored. Keep up the good work. On the other hand, if I hadn't, everyone would have brushed me off, and no one would have bothered to check it out.
     
  13. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,452
    Location:
    North Carolina, USA
    If the file is in use, it cannot be deleted. So if a file remains in your temp file, it is either active or in use by some other program....

    HTH....

    Regards,
    Kent
     
  14. BlackSwan

    BlackSwan Registered Member

    Joined:
    Jul 13, 2003
    Posts:
    104
    Exactly. Or maybe even regenerated each time you reboot, even if you've actually deleted it (if the programme that dumps it there is still resident somewhere in your system).

    BS
     
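    A defender's triage check for the situation puff-m-d and BlackSwan describe, added here as an example (it is not code from this thread or from SpywareGuard): hash the suspect file so it can be submitted to the A/V vendor, try to delete it, and classify whether it was in use or gets put back by something still resident. The file name and the background "dropper" thread are constructed stand-ins for the demonstration.

```python
import hashlib
import tempfile
import threading
import time
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash the artifact before removing it, for a vendor false-positive submission."""
    return hashlib.sha256(path.read_bytes()).hexdigest()

def triage_artifact(path: Path, wait_seconds: float = 1.0, poll: float = 0.1) -> dict:
    """Delete a suspect file and watch whether it comes back.

    'outcome' is one of: absent, in_use, regenerated, deleted.
    """
    result = {"present": path.exists(), "sha256": None, "outcome": "absent"}
    if not result["present"]:
        return result
    result["sha256"] = sha256_of(path)
    try:
        path.unlink()
    except PermissionError:
        # On Windows an open or executing file cannot be deleted: it is in use.
        result["outcome"] = "in_use"
        return result
    deadline = time.monotonic() + wait_seconds
    while time.monotonic() < deadline:
        if path.exists():          # something resident put it back
            result["outcome"] = "regenerated"
            return result
        time.sleep(poll)
    result["outcome"] = "deleted"
    return result

def demo(simulate_dropper: bool) -> str:
    """Constructed scenario: a placeholder file named like the one in the thread is
    placed in a scratch folder; optionally a thread plays the resident dropper."""
    suspect = Path(tempfile.mkdtemp()) / "install23.exe"
    payload = b"constructed placeholder, not a real sample"
    suspect.write_bytes(payload)
    stop = threading.Event()
    def dropper():
        while not stop.is_set():
            if not suspect.exists():
                suspect.write_bytes(payload)
            time.sleep(0.05)
    worker = threading.Thread(target=dropper, daemon=True) if simulate_dropper else None
    if worker:
        worker.start()
    outcome = triage_artifact(suspect, wait_seconds=0.5)["outcome"]
    stop.set()
    if worker:
        worker.join()
    return outcome
```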
  15. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    hi all,

    sorry to pop in here but... if there are some doubts or no surety over the evil, why doesn't kcsmike have his HijackThis log posted so that experts can have a look at it and say if there's anything still residing...

    thx
     
  16. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    The file as available from the BTN mirror is perfectly safe.

    Any positive flagging from a security software scanning points to a false positive from the software in question as for SG.

    There's no need to publish HJT logs as for SpywareGuard.

    regards.

    paul
     
  17. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    Paul,

    sorry but I told kcsmike to post HJT because he said he doubts if he has any trojans.... anyway, if you feel it's not needed then there must be reasons.

    thx
     
  18. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    sub,

    ...and you were right in doing so ;). I merely pointed out there's no relationship with this SG download and the need for a HJT log in this context.

    regards.

    paul
     