CCleaner Community Forums
Westkane

Potential Virus in CCleaner Updater

According to Glasswire (I am not real familiar with this yet), it says there is potentially a virus in the updater.  Here is a bit of a cut and paste from their page.

 

SHA256: 1d488908989290c7ce58ccae36ed4a2c4ed06489b8c2248fb178327af4bcdbe8
File name: 1d488908989290c7ce58ccae36ed4a2c4ed06489b8c2248fb178327af4bcdbe8
Detection ratio: 1 / 67
Analysis date: 2017-12-20 23:00:31 UTC ( 3 days, 19 hours ago )
Analysis
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.

Authenticode signature block and FileVersionInfo properties
Copyright: Copyright (c) 2017 AVAST Software
Product: CCleaner
Original name: CCUpdate.exe
Internal name: CCUpdate.exe
File version: 1, 0, 999, 0
Description: CCleaner updater
Signature verification: Signed file, verified signature
Signing date: 12:53 PM 9/22/2017

PE header basic information
Target machine: Intel 386 or later processors and compatible processors
Compilation timestamp: 2017-09-14 11:07:04
Entry Point: 0x00023C30
Number of sections: 7

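A local check that complements the VirusTotal report quoted in the post above, as an added example that is not part of the thread or Piriform's own tooling: it compares a file's SHA-256 with the hash in the report and reads its Authenticode status, signer and version properties. The function name `Test-UpdaterBinary` and the path passed to it are assumptions; point it at wherever CCUpdate.exe sits on your system.

```powershell
# Added example: compare a local file against the hash in the quoted report
# and check its Authenticode signature. Function name and path are assumptions.
function Test-UpdaterBinary {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # SHA-256 from the VirusTotal report quoted in the first post
        [string] $ExpectedSha256 = '1d488908989290c7ce58ccae36ed4a2c4ed06489b8c2248fb178327af4bcdbe8'
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLowerInvariant()
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $ver  = (Get-Item -LiteralPath $Path).VersionInfo

    [pscustomobject]@{
        Path             = $Path
        Sha256           = $hash
        MatchesReport    = ($hash -eq $ExpectedSha256.ToLowerInvariant())
        SignatureStatus  = $sig.Status
        Signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SignerThumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        OriginalName     = $ver.OriginalFilename
        FileVersion      = $ver.FileVersion
    }
}

# Placeholder path: replace with the real location of CCUpdate.exe.
$result = Test-UpdaterBinary -Path 'C:\path\to\CCUpdate.exe'
$result | Format-List

if ($result.SignatureStatus -ne 'Valid') {
    Write-Warning "Signature status is '$($result.SignatureStatus)': treat the file as untrusted."
} elseif (-not $result.MatchesReport) {
    Write-Warning 'Validly signed, but not the build the report describes; submit this hash for its own scan.'
}
```

A valid signature shows who signed the file and that it has not been altered since signing, not that the content is benign, so read it alongside the scan result rather than in place of it.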

Is this something to be concerned with? It was picked up by VirusTotal in the Updater. I guess I am asking what should the next step be, as Glasswire/TotalVirus indicates there is an issue? Thank you.


With one detection I'd personally say it's a false positive after the efforts Avast/Piriform have put into securing the Piriform software such as CCleaner - that is if it were me attempting to update it -- but I won't ever again say with 100% confidence that it's alright after the September actual infection. With that in mind you can make up your mind on what you wish to do. I don't know if you're aware of this however you can also get the Portable ZIP Version which does not contain CCUpdate.exe, and you can use the Portable version to update your already installed version.

To update an already installed version using the Portable version you only need to unzip the following files:
1. The two *.EXE files (CCleaner.exe and CCleaner64.exe) over the already installed ones on an English installation, and you're done updating. Tip: If your system is not 64-bit you won't need CCleaner64.exe.
2. Optional: If your language is English you do NOT need to follow this step!
If your language is not English, and to have CCleaner display in your language, you'll also need to unzip the lang folder over the already installed ones, and you're done updating.

Also a member stated a while back that CCUpdate.exe was a filename detected by an anti-virus or anti-malware (I'm thinking Malwarebytes but could be completely wrong), and even when something isn't actually infected it can be generically detected by filename only - Piriform were already made aware of that issue however haven't yet renamed the .EXE.


Thanks for your assistance with this, I was relatively lucky and my AV caught the September issue on a scan.  However, as you say, one can never say never in this day and age, but I kind of agree that it is a false positive.  (Nothing like the numbers I saw on the YTD Video Downloader program, I got rid of that real quick)   Thanks for the info on the portable ZIP Version, I didn't know about that option.  Thanks again for your help and knowledge.

 




I work with many people each week that over panic when regarding VirusTotal. It's a tool yes, but when you need to understand. When dealing with malware we may sometimes instruct the user asking for help to upload a fresh copy of the exe. This one instance has panicked you. Not because the file may or may not be an infection, it's simply because you are not trained on using VirusTotal.

We work with a number of files that have previously had around 15 or more flags and the file was safe. Malware identification takes practice; researching files takes even more training.
http://www.pacs-portal.co.uk/startup_content.php

Pacs portal was created by myself and a guy called Paul. We sold it to Malwarebytes. Here are a few more links.

http://www.systemlookup.com
https://web.archive.org/web/20060106081601/http://www.doxdesk.com/parasite/database.html

You can include BleepingComputer's database also.

YTD is not an infection and is clean. It's flagged as a PUP. Possible unwanted program. That's it, nothing more.

We use FRST https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ to analyze computers before writing custom scripts and instructing OPs on the next steps forward. FRST is often flagged as malware, well, one instance.


Yes, I know you do not allow malware advice. I did not offer any. Trained under one of your old malware mods at geekstogo and been qualified 6 years. I'm united against malware member and work as a malware mod bot of Avast and Emsisoft.

I did not offer any malware assistance or let alone ask for a FRST log. I simply pointed out a few facts.

So I do not get it wrong again, which part offered would you class as malware removal advice? Then I won't post said part again.


don't provide ANY links regarding malware.
don't advertise the fact you claim to be a malware removal expert.
don't self-promote your web site.
