I suggest an explanation of why I see trojans/viruses in current builds when scanning ccsetup 553


I am seeing UI changes when opening CCleaner to use. I opened CCleaner to use and there was a Quick Scan icon on top of the normal scan button (never seen that before). What was weird is it went away all on its own back to normal. I did not uninstall that version and install another, it changed on the same version.

This is why I decided to remove all Piriform related software from my PC now.

I see pop ups appearing. I am reading the pop up is only supposed to happen once and go away. There is discussion to block the cookie, there is no cookie to block or accept in the list of Cookies in Ccleaner.

When I scan the ccsetup553 it either shows a trojan or virus. Even on the 'slim' version, if I scan it and expand it, it shows a positive.

There are files related to rus. The countries vary in the expansion of each of the 3 files that the file is 'related' to... sending information or talking to.

Basically, it is about time this gets answered.

W** is going on?

EDIT: to add... I have been in contact with Email support... "we need to make money somehow" is the basic end of the discussion regarding the pop up.

553.JPG

553 zip.JPG

All you can really go by is what antivirus tells you really, but some of those scanners produce a lot of false positives.

I've just scanned the Slim version installer; the results are listed below.

-----------------

CCleaner Free v5.53.7034 Slim installer from:

https://www.ccleaner.com/ccleaner/builds

Jotti has one detection for it (VBA scanner):

https://virusscan.jotti.org/en-US/filescanjob/g4dm4xunw1

VirusTotal finds nothing wrong:

https://www.virustotal.com/en/file/8911097985f2e42aa4436f2eb66aa1a03092c17e74a5effb5df7cb6a55562283/analysis/1551395497/

Verification:

File: ccsetup553_slim.exe
Size: 14.7 MB (15,469,064 bytes)
MD5 Hash: 570504d1a4ea62c42372555abb82dfc1
SHA-1 Hash: 298a3c5473179060bed2069e10bb9938d29fa6da
SHA-256 Hash: 8911097985f2e42aa4436f2eb66aa1a03092c17e74a5effb5df7cb6a55562283

Quote
<div class="ipsQuote_contents">
	<p>
		<strong>VirusTotal finds nothing wrong:</strong>
	</p>
</div>

Log into VirusTotal, expand it.

slim today.JPG

slim today Relations.JPG

slim today expanded 1 pink icon click it.JPG

slim today 1 malware found by ESET.jpg

I don't have a VirusTotal account to log into, and I'm not creating one just for this.

What ESET finds and will likely always find is the 3rd party Google software packaged inside the Standard Installer; use the Slim Installer or the Portable ZIP instead.

Hi Andavari,

Thank you for your reply.

I am however concerned about your replies to this thread.

YOU are the one that posted YOUR findings of VirusTotal scan (Which I NOW find out you don't have a simple log in set up to VirusTotal).

First, you said there are no findings on the slim version of ccsetup 553.

I then expanded the ccsetup553_slim.exe for YOU and even edited the screenshot to show you where to look.

Now you reply by saying

9 hours ago, Andavari said:
<div class="ipsQuote_contents">
	<p>
		<strong>I don't have a Virus Total account to log into, and I'm not creating one just for this</strong>.
	</p>
</div>

Then why are you using that scan result to answer a thread here on the forums?

Now, I have another concern with your reply.

9 hours ago, Andavari said:
<div class="ipsQuote_contents">
	<p>
		What ESET finds and will likely always find is the <strong>3rd party Google software packaged</strong> inside the Standard Installer, <strong>use the Slim Installer</strong> or the Portable ZIP instead.
	</p>
</div>

I don't believe this has anything to do with Google. (photo below)

http://softok.servtodown.ru/CCleaner_Rus_Setup.exe

This photo is about the Slim Installer.

Please, if you are going to refuse to back up your claim, I suggest you don't answer the thread.

slim rus..JPG

mar1.JPG

39 minutes ago, Just ME Onlyme said:
<div class="ipsQuote_contents">
	<p>
		http://softok.servtodown.ru/CCleaner_Rus_Setup.exe
	</p>
</div>

What is this?

8 hours ago, Nergal said:
<div class="ipsQuote_contents">
	<p>
		What is this?
	</p>
</div>

I ask the same.

If this is where Just ME Onlyme got his download for CCleaner from, then there is little point in continuing this thread; it looks like a repack.

Seems there's no need to sign in, this is what he's on about (near the bottom on the Comments page which also shows various renamed CCleaner setup files):

https://www.virustotal.com/en/file/8911097985f2e42aa4436f2eb66aa1a03092c17e74a5effb5df7cb6a55562283/analysis/1551395497/

To reiterate VirusTotal finds nothing wrong with the official file downloaded from CCleaner.com, as it clearly states: Detection ratio: 0 / 67.

That other data on the Comments page is what someone has posted on their own and it is not from VirusTotal, and it's from a scan done by Hybrid Analysis. You can not compare resulting scans done by VirusTotal vs Hybrid Analysis - it will only cause confusion.

If you download from the official Piriform CCleaner website, according to VirusTotal the file is clean. If you do not trust the file then the solution is very simple for you and that is: Don't use it.

I'm done with this.

You guys are probably way ahead of me, but just for my satisfaction I checked this out.

I just downloaded the 553 slim version from MajorGeeks (no longer available at the builds link) and sent it to VT. It has the same hashes as the 553 version mentioned here.

553 slim version analyzes clean.

Some of the detections here and at VT are for the zip file & the installer exe, not the slim.

Fwiw, the user named billy AKA billy bob made those comments, and also included the incorrect download link that Nergal noticed. There are links to download a file called CCleaner_Rus_Setup from 2 different sites.

See here. Didn't need to sign in.

https://www.virustotal.com/en/user/billy/

That "Rus" setup is just in a list of renamed setup files, who knows if the hashes match or if it's a repack (which would be illegal). In any event it's now obsolete, since there's a new version 5.54 to scrutinize.

5 hours ago, Andavari said:
<div class="ipsQuote_contents">
	<p>
		That "Rus" setup is just in a list of renamed setup files, who knows if the hashes match or if it's a repack (which would be illegal). In any event it's now obsolete, since there's a new version 5.54 to scrutinize.
	</p>
</div>

Ahhhh, yes. Never a dull moment, eh? :)

**** positives in the 554 versions too.

What a joke.

I downloaded my versions from a link from a CCleaner email from a support ticket I put in.

https://www.ccleaner.com/ccleaner/builds

On 3/1/2019 at 21:10, hazelnut said:
<div class="ipsQuote_contents">
	<p>
		I ask the same.
	</p>

	<p>
		If this is where Just ME Onlyme got his download for CCleaner from, then there is little point in continuing this thread; it looks like a repack.
	</p>
</div>

https://www.ccleaner.com/ccleaner/builds

On 3/1/2019 at 12:57, Nergal said:
<div class="ipsQuote_contents">
	<p>
		What is this?
	</p>
</div>

The thread started out by including screenshots.

The screenshot has a web address from

Virustotal.com

7 hours ago, Just ME Onlyme said:
<div class="ipsQuote_contents">
	<p>
		**** positives in the 554 versions too.
	</p>
</div>

Almost every version will trigger at least one antivirus scanner. You can either trust whatever virus scanner listed on VirusTotal has found something, or you can trust your installed antivirus and antimalware software, the choice is yours.

Hello, I have just registered on the forum because of your concern. While I know it can be frustrating and confusing sometimes on the big world wide web, I think that it should also be noted it can sometimes be down to one's own lack of education. So please don't panic with VirusTotal's findings. VirusTotal is a very powerful tool. It is also a very confusing tool if you do not understand the basic mechanics of security software and other tools such as VirusTotal. Moving on...

I will focus on one example to keep it simple. If we take Endgame for example as the flagged AV vendor. The engine on VT is a static ML (machine learning) module that does not use a database or heuristic scanning. The ML engine processes files on a point system. To make it simple let's say the engine scores a file 1 out of 10. This is called confidence scoring (I believe that is the correct term). Here is the big catch. VirusTotal does not support confidence scores, so even a very low score will flag up as Malware.

For programmers out there a difference in score could be affected by the project being compiled in debug or release. Test it for yourself.

17 hours ago, Just ME Onlyme said:
<div class="ipsQuote_contents">
	<p>
		The thread started out by including screenshots.
	</p>

	<p>
		The screenshot has a web address from
	</p>

	<p>
		Virustotal.com
	</p>
</div>

No, specifically the .ru based CCleaner installer you mentioned. That is not an official download site and could well be full of malware. The ONLY places to download CCleaner are ccleaner.com and FileHippo. Else, yes, it may have dangerous intent.

The *Rus* setup file is probably just a renamed setup file though, otherwise it wouldn't be showing up on the same scan page/session on VirusTotal, and some online scanners show what all the renamed setup files are that it has scanned even though they have the same hash (MD5, SHA-1, SHA-256, etc.).
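Added example, not written by any poster in this thread: a Python check that compares a downloaded installer against the size and hashes posted above for ccsetup553_slim.exe, and shows on constructed stand-in files that a renamed copy keeps the same hashes while a modified repack does not. The helper names and the stand-in file names are assumptions made for the illustration.

```python
import hashlib
import os
import shutil
import tempfile

# Values posted earlier in this thread for ccsetup553_slim.exe
PUBLISHED = {
    "size": 15469064,
    "md5": "570504d1a4ea62c42372555abb82dfc1",
    "sha1": "298a3c5473179060bed2069e10bb9938d29fa6da",
    "sha256": "8911097985f2e42aa4436f2eb66aa1a03092c17e74a5effb5df7cb6a55562283",
}

def fingerprint(path, chunk=1 << 20):
    """Return size plus MD5/SHA-1/SHA-256 of a file, reading it in chunks."""
    hashes = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    size = 0
    with open(path, "rb") as f:
        while block := f.read(chunk):
            size += len(block)
            for h in hashes.values():
                h.update(block)
    return {"size": size, **{n: h.hexdigest() for n, h in hashes.items()}}

def mismatches(path, expected):
    """List the fields where the file differs from the expected values."""
    actual = fingerprint(path)
    return [k for k, v in expected.items()
            if str(actual[k]).lower() != str(v).lower()]

def demo():
    """Constructed stand-in files; no real installer is needed to run this."""
    d = tempfile.mkdtemp()
    try:
        official = os.path.join(d, "setup_official.exe")
        renamed = os.path.join(d, "setup_renamed.exe")   # same bytes, new name
        repack = os.path.join(d, "setup_repack.exe")     # bytes were altered
        payload = b"MZ" + b"constructed sample bytes" * 1000
        with open(official, "wb") as f:
            f.write(payload)
        shutil.copyfile(official, renamed)
        with open(repack, "wb") as f:
            f.write(payload + b"extra")
        ref = fingerprint(official)
        return mismatches(renamed, ref), mismatches(repack, ref)
    finally:
        shutil.rmtree(d)

if __name__ == "__main__":
    print(demo())
    # For a real download: mismatches("ccsetup553_slim.exe", PUBLISHED)
```

An empty list from `mismatches` means the file is byte-for-byte the one that was scanned, whatever it is named; rely on the SHA-256 value, since MD5 and SHA-1 are not collision-resistant.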

I don't know, are you guys not reading my posts or something? I don't get it.

On 3/10/2019 at 21:32, Just ME Onlyme said:
<div class="ipsQuote_contents">
	<p>
		<a href="https://www.ccleaner.com/ccleaner/builds" rel="external nofollow">https://www.ccleaner.com/ccleaner/builds</a>
	</p>
</div>

I did not download CCleaner from a 3rd party site.

On 3/11/2019 at 14:50, Nergal said:
<div class="ipsQuote_contents">
	<p>
		No, specifically the .ru based CCleaner installer you mentioned. That is not an official download site and could well be full of malware. The ONLY places to download CCleaner are ccleaner.com and FileHippo. Else, yes, it may have dangerous intent.
	</p>
</div>

The .ru is what I found IN that download.

I am saying, I downloaded CCleaner from that https://www.ccleaner.com/ccleaner/builds website, and the .ru was IN IT.

Do we understand each other now? :D

I dare to check again... shall I? LOL

Let's do the portable version. :)

Just looking at the findings on that is scary to me.

I know it doesn't show .ru, things seem to change every time I re-download and check. It is as if the file is being changed in the download but still the same version.

I don't know, but every time I check there is SOMETHING.. like below... have fun reading what you find when you click one.

(providing you even try) Don't forget, you must sign into virustotal to see the 'expanded view' of the files you scan.

If you don't bother to look, don't reply.

What I am saying is, every time I scan a download from their website (https://www.ccleaner.com/ccleaner/builds),

there is something found. Every time.

Scan it.JPG