Potential Virus in CCleaner Updater

According to Glasswire (I am not really familiar with this yet), it says there is potentially a virus in the updater. Here is a bit of a cut and paste from their page.

SHA256: 1d488908989290c7ce58ccae36ed4a2c4ed06489b8c2248fb178327af4bcdbe8
File name: 1d488908989290c7ce58ccae36ed4a2c4ed06489b8c2248fb178327af4bcdbe8
Detection ratio: 1 / 67
Analysis date: 2017-12-20 23:00:31 UTC ( 3 days, 19 hours ago )
Source: https://www.virustotal.com/en/file/1d488908989290c7ce58ccae36ed4a2c4ed06489b8c2248fb178327af4bcdbe8/analysis/1513810831/

Analysis: The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.

Authenticode signature block and FileVersionInfo properties
Copyright: Copyright (c) 2017 AVAST Software
Product: CCleaner
Original name: CCUpdate.exe
Internal name: CCUpdate.exe
File version: 1, 0, 999, 0
Description: CCleaner updater
Signature verification: Signed file, verified signature
Signing date: 12:53 PM 9/22/2017
Signers: AVAST Software s.r.o.; DigiCert High Assurance Code Signing CA-1; DigiCert
Counter signers: DigiCert Timestamp Responder; DigiCert Assured ID CA-1; DigiCert

PE header basic information
Target machine: Intel 386 or later processors and compatible processors
Compilation timestamp: 2017-09-14 11:07:04
Entry Point: 0x00023C30
Number of sections: 7

It has one detection on VirusTotal, as seen here.

Is this something to be concerned with? It was picked up by VirusTotal in the Updater. I guess I am asking what the next step should be, as Glasswire/VirusTotal indicates there is an issue? Thank you.

With one detection I'd personally say it's a false positive, after the efforts Avast/Piriform have put into securing the Piriform software such as CCleaner - that is, if it were me attempting to update it -- but I won't ever again say with 100% confidence that it's alright after the September actual infection. With that in mind you can make up your mind on what you wish to do. I don't know if you're aware of this; however, you can also get the Portable ZIP Version, which does not contain CCUpdate.exe, and you can use the Portable version to update your already installed version.

To update an already installed version using the Portable version you only need to unzip the following files:

1. The two *.EXE files (<strong>CCleaner.exe</strong> and <strong>CCleaner64.exe</strong>) over the already installed ones on an English installation, and you're done updating. Tip: If your system is not 64-bit you won't need CCleaner64.exe.

2. Optional: If your language is English you do NOT need to follow this step! If your language is not English, to have CCleaner display in your language you'll also need to unzip the <strong>lang</strong> folder over the already installed one, and you're done updating.

Also, a member stated a while back that CCUpdate.exe was a filename detected by an anti-virus or anti-malware (I'm thinking Malwarebytes, but could be completely wrong), and even when something isn't actually infected it can be generically detected by filename only - Piriform were already made aware of that issue, however they haven't yet renamed the .EXE.
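The two things the thread actually relies on are that the file on disk is the same one VirusTotal analysed (the SHA256 quoted above) and that its Authenticode signature is valid and from AVAST Software s.r.o. The PowerShell below is an added example, not something posted in the thread or shipped by Piriform; it checks both and prints the FileVersionInfo fields for comparison with the VirusTotal properties block. The install path is an assumption (the default CCleaner location); the expected hash and signer name are the values quoted in the thread.

```powershell
# Added example (not from the forum post): compare the local CCUpdate.exe with the
# VirusTotal report quoted in the thread and inspect its Authenticode signature.
$UpdaterPath    = 'C:\Program Files\CCleaner\CCUpdate.exe'   # assumed default install path
$ExpectedHash   = '1d488908989290c7ce58ccae36ed4a2c4ed06489b8c2248fb178327af4bcdbe8'  # from the thread
$ExpectedSigner = 'AVAST Software s.r.o.'                     # signer named in the report

if (-not (Test-Path -LiteralPath $UpdaterPath)) {
    Write-Warning "Updater not found at $UpdaterPath"
    return
}

# 1. SHA-256 of the local file versus the hash VirusTotal reported
#    (Get-FileHash returns upper-case hex, the report uses lower-case).
$localHash   = (Get-FileHash -LiteralPath $UpdaterPath -Algorithm SHA256).Hash.ToLower()
$hashMatches = ($localHash -eq $ExpectedHash)
"SHA256 on disk   : $localHash"
"Matches report   : $hashMatches"

# 2. Authenticode signature: status, signer chain and timestamp counter-signer.
$sig = Get-AuthenticodeSignature -LiteralPath $UpdaterPath
"Signature status : $($sig.Status)"
"Signer subject   : $($sig.SignerCertificate.Subject)"
"Signer issuer    : $($sig.SignerCertificate.Issuer)"
"Timestamper      : $($sig.TimeStamperCertificate.Subject)"

$signerOk = ($sig.Status -eq 'Valid') -and
            ($sig.SignerCertificate.Subject -match [regex]::Escape($ExpectedSigner))

# 3. FileVersionInfo, to compare with the "Authenticode signature block and
#    FileVersionInfo properties" section of the report.
$fvi = (Get-Item -LiteralPath $UpdaterPath).VersionInfo
"Product / version: $($fvi.ProductName) / $($fvi.FileVersion)"
"Original filename: $($fvi.OriginalFilename)"
"Description      : $($fvi.FileDescription)"

if ($hashMatches -and $signerOk) {
    "Same file as the VirusTotal report, valid signature from $ExpectedSigner."
} elseif (-not $hashMatches) {
    "Different file from the one in the report; the 1/67 result does not apply to this copy, submit it separately."
} else {
    "Signature problem: $($sig.Status) - $($sig.StatusMessage)"
}
```

A matching hash tells you the VirusTotal verdict applies to your copy; a different hash means you are looking at a different build and the report says nothing about it. A valid signature only shows the file was signed with Avast's certificate, which, as the reply above notes about the September incident, is not by itself proof that the file is clean.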

Thanks for your assistance with this. I was relatively lucky: my AV caught the September issue on a scan. However, as you say, one can never say never in this day and age, but I kind of agree that it is a false positive. (Nothing like the numbers I saw on the YTD Video Downloader program; I got rid of that real quick.) Thanks for the info on the Portable ZIP Version, I didn't know about that option. Thanks again for your help and knowledge.

I work with many people each week who over-panic regarding VirusTotal. It's a tool, yes, but one you need to understand. When dealing with malware we may sometimes instruct the user asking for help to upload a fresh copy of the exe. This one instance has panicked you, not because the file may or may not be an infection, but simply because you are not trained in using VirusTotal.

We work with a number of files that have previously had around 15 or more flags and the file was safe. Malware identification takes practice; researching files takes even more training.

http://www.pacs-portal.co.uk/startup_content.php

Pacs Portal was created by myself and a guy called Paul. We sold it to Malwarebytes. Here are a few more links.

http://www.systemlookup.com

https://web.archive.org/web/20060106081601/http://www.doxdesk.com/parasite/database.html

You can include BleepingComputer's database also.

YTD is not an infection and is clean. It's flagged as a PUP, a possibly unwanted program. That's it, nothing more.

We use FRST <a href="https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/" rel="external nofollow">https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/</a> to analyze computers before writing custom scripts and instructing OPs on the next steps forward. FRST is often flagged as malware, well, one instance.

Just bear in mind, gavsta, that we do not give malware advice on this forum. Instead we point members to dedicated malware removal forums. See item 10 here:

https://forum.piriform.com/announcement/15-forum-rules/

So please, no more mentions of your site in your posts.

Thanks.

Yes, I know you do not allow malware advice. I did not offer any. I trained under one of your old malware mods at GeeksToGo and have been qualified for 6 years. I'm a United Against Malware member and work as a malware mod for both Avast and Emsisoft.

I did not offer any malware assistance, let alone ask for a FRST log. I simply pointed out a few facts.

So I do not get it wrong again, which part of what I offered would you class as malware removal advice? Then I won't post said part again.

Don't provide ANY links regarding malware.

Don't advertise the fact you claim to be a malware removal expert.

Don't self-promote your web site.