
Apparent virus in version 2.32.1165



Sorry to make a virus report as my first post, but that is what I believe has happened.

 

Every time I run CCleaner version 2.32.1165, my antivirus software catches "trojan-relayer-jolleee". This is a very repeatable observation. Every time I run CCleaner, my antivirus software pops up with the Trojan in quarantine.

 

Trojan-Relayer-Jolleee is ranked as a high-risk virus. My antivirus software offers the following description: "Trojan-Relayer-Jolleee is a remote access Trojan that may allow a hacker to gain unrestricted access to your computer when you are online".

 

I believe I downloaded my version of CCleaner from File Hippo, though I am not certain.

 

Can anyone verify similar experience? Is Piriform aware of the issue, and is a clean copy of CCleaner available?

 

Thanks.

 

<<Updated>>

 

I uninstalled CCleaner, and downloaded directly from Piriform. This version appears to be free of the above mentioned Trojan.


I understand panic when an A.V. reports a virus.

 

I do NOT understand why a virus reappears after it has been quarantined.

 

Did you let it out of quarantine yourself to see what it would do ?

Is your A.V. spectacularly useless at keeping the quarantine doors locked ?

 

Alan


  • Moderators

and of course (so long as you did download it from File Hippo) please report the false positive to the company that makes your antivirus (which you've yet to name)

 

ADVICE FOR USING CCleaner'S REGISTRY INTEGRITY SECTION

DON'T JUST CLEAN EVERYTHING THAT'S CHECKED OFF.

Do your Registry Cleaning in small bits (at the very least Check-mark by Check-mark)

ALWAYS BACKUP THE ENTRY, YOU NEVER KNOW WHAT YOU'LL BREAK IF YOU DON'T.

Support at https://support.ccleaner.com/s/?language=en_US

Pro users file a PRIORITY SUPPORT via email support@ccleaner.com


I understand panic when an A.V. reports a virus.

 

I do NOT understand why a virus reappears after it has been quarantined.

 

Did you let it out of quarantine yourself to see what it would do ?

Is your A.V. spectacularly useless at keeping the quarantine doors locked ?

 

Alan

 

I am using Webroot antivirus with spy sweeper.

 

And no.... I did not let the virus out after it went into quarantine. :rolleyes: I destroyed it every time it was captured.

 

I'll say up front that I do not know for certain what was happening. However, I have some good ideas.

 

What I do know is that the virus appeared consistently every time CCleaner was run.

 

I also know that after uninstalling CCleaner, and then reinstalling from the Piriform web site, the problem went away.

 

My supposition is that the version available on File Hippo was compromised. The compromised CCleaner tried to install the virus every time it was run, which is why Webroot flagged it even though it was previously destroyed.

 

Perhaps I should let the good folks over at File Hippo know? Or maybe the people from Piriform would carry more authority?


and of course (so long as you did download it from File Hippo) please report the false positive to the company that makes your antivirus (which you've yet to name)

 

Interesting. It was repeatably demonstrated that the virus appeared whenever CCleaner was run, and the problem went away when CCleaner was reinstalled from an alternative source.

 

And yet you think this was a false positive on the part of the antivirus program? Your confidence in File Hippo appears unshakable.


  • Moderators

And yet you think this was a false positive on the part of the antivirus program? Your confidence in File Hippo appears unshakable.

 

It's probably because the FileHippo.com download also included the toolbar, whereas on the Piriform.com site you can get a slim or portable build without the toolbar. FileHippo.com is, however, an official download site for the software, along with Piriform.com.


I also am getting the same result and am using "webroot AntiVirus" program. If you go to their website at http://research.webr...an%20Horse&rc=1

there is a full report on this issue.

In the CCleaner settings I am using 'secure delete with 3 passes.' I wonder if this has anything to do with this issue.

 

Larry

 

 

It's a vanishingly small probability that this problem is caused by software settings in CCleaner.

 

Your (and my) Webroot AntiVirus software recognized a serious threat. This is not some software incompatibility, nor is it something the users have done wrong.

 

It's a malicious piece of software someone deliberately installed into the CCleaner download from File Hippo. While I am not a hacker myself, I understand it's not terribly difficult to hack a web site. It's in the news often enough. I would guess someone hacked File Hippo and replaced the legitimate version of CCleaner with the hacked version.

 

Either that, or someone on the inside did it. Disgruntled worker, etc.

 

Do the Piriform people read this forum? As far as I know the compromised version remains available on File Hippo. This is a serious situation.


  • Moderators

Do you believe in Webroot more than in 41 other AVs ? I don't. http://www.virustota...7ded-1276292217 ;)

 

Exactly. It's just another false positive detection that any antivirus is capable of, and it isn't the first time and not the last by far.

 

Webroot just needs to update their signature files to remove the false positive, although I understand the concern of the op not wanting to use something the antivirus states is infected - which is why there's VirusTotal, Jotti's Malware Scan, and virSCAN.org to verify if it's a false positive or not.


Exactly. It's just another false positive detection that any antivirus is capable of, and it isn't the first time and not the last by far.

 

Webroot just needs to update their signature files to remove the false positive, although I understand the concern of the op not wanting to use something the antivirus states is infected - which is why there's VirusTotal, Jotti's Malware Scan, and virSCAN.org to verify if it's a false positive or not.

 

How then do you explain that the problem went away after I uninstalled the software, then reinstalled from a different source?

 

I did not make any changes to what I do or do not want installed.

 

You really think the signatures can be that easily confused? I'm surprised, but then I'm far from an expert on the subject.


How then do you explain that the problem went away after I uninstalled the software, then reinstalled from a different source?

Most likely you also got updated virus definitions from your AV provider at the same time, with the false positive removed.


As far as I know the compromised version remains available on File Hippo. This is a serious situation.

 

A compromised version is NOT available on filehippo.

 

I have unshakeable faith in FileHippo - but have just tested for your benefit.

 

I have downloaded CCleaner version 2.32.1165, both from Filehippo and from Piriform.

Both downloads had identical sizes of 3,387,040 bytes,

BUT FAR MORE CONVINCING a binary comparison tool found a perfect match in the contents, byte for byte.

 

The only potential compromise I have ignored is that of an Alternate Data Stream.

I know such things can exist, but have neither tools nor experience to detect any such infection.

Hopefully someone with more knowledge than I can comment on this.

 

I believe an A.D.S. infection at Filehippo is most unlikely.

It is far more probable that they had an infection when you downloaded, and they cured it by the time I downloaded.

It is far far far more likely that, as suggested by pwillener,

your A.V. gave a false positive which was fixed with a signature update between use of Filehippo and use of identical Piriform.

 

It would be nice if a hash checksum was quoted for every binary file - even MD5 is better than nowt ! !

 

Alan

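The byte-for-byte comparison and the wish for a published checksum in the post above are exactly what a hash check gives you. The following is an added example, not code from the thread or from Piriform: it hashes two copies of a download with MD5 and SHA-256, reports whether they are identical, and checks one copy against a vendor-published SHA-256. The file paths are placeholders and the sample file contents are constructed for the demo; it does not inspect NTFS Alternate Data Streams, which the post also mentions.

```python
"""Compare two copies of a download byte for byte via cryptographic hashes.

Added example, not code from the forum thread or from Piriform. Paths are
placeholders and the sample file contents are constructed for the demo."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # hash 1 MiB at a time so a large installer is not read into memory


def file_digests(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest, 'size': bytes} for one file."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            size += len(chunk)
            for h in hashers.values():
                h.update(chunk)
    result = {name: h.hexdigest() for name, h in hashers.items()}
    result["size"] = size
    return result


def compare_downloads(path_a, path_b):
    """Compare two copies of the same installer.

    Equal sizes alone prove nothing (a tampered file can be patched in place
    without changing its length); equal SHA-256 digests do establish
    identical content."""
    a, b = file_digests(path_a), file_digests(path_b)
    return {
        "same_size": a["size"] == b["size"],
        "identical": a["sha256"] == b["sha256"],
        "a": a,
        "b": b,
    }


def verify_against_published(path, published_sha256):
    """Check one download against the SHA-256 a vendor publishes beside the file.

    Compare with the hash listed by the vendor, not one taken from the mirror
    that served the file: a compromised mirror can publish a matching hash."""
    return file_digests(path)["sha256"] == published_sha256.strip().lower()


def write_sample(content):
    """Write constructed bytes to a temporary file and return its path."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".exe") as fh:
        fh.write(content)
    return fh.name


def demo():
    """Re-run the thread's experiment offline: two identical mirrors, then a
    copy patched in place so its size does not change. Returns both reports."""
    # Constructed stand-in for installer bytes (not the real CCleaner file).
    original = b"MZ" + bytes(range(256)) * 64
    tampered = original[:1000] + b"\x90" * 16 + original[1016:]  # same length
    paths = [write_sample(original), write_sample(original), write_sample(tampered)]
    try:
        identical = compare_downloads(paths[0], paths[1])
        mismatch = compare_downloads(paths[0], paths[2])
    finally:
        for p in paths:
            os.unlink(p)
    return identical, mismatch


if __name__ == "__main__":
    same, diff = demo()
    print("identical mirrors:", same["identical"], same["a"]["sha256"])
    print("tampered copy    :", diff["identical"], "same size:", diff["same_size"])
```

The size check is kept only as a cheap first pass; the `demo()` tampered copy shows why it is not enough on its own. On Windows the same SHA-256 can be obtained with PowerShell's `Get-FileHash` for a one-off comparison against a vendor's published value.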

I uninstalled CCleaner version 2.32.1165 using Revo Uninstaller, then installed a newly downloaded version from Piriform and still had the same problem. Would anybody know if it's just Webroot that is finding this virus?

 

Larry

 

 

A compromised version is NOT available on filehippo.

 

I have unshakeable faith in FileHippo - but have just tested for your benefit.

 

I have downloaded CCleaner version 2.32.1165, both from Filehippo and from Piriform.

Both downloads had identical sizes of 3,387,040 bytes,

BUT FAR MORE CONVINCING a binary comparison tool found a perfect match in the contents, byte for byte.

 

The only potential compromise I have ignored is that of an Alternate Data Stream.

I know such things can exist, but have neither tools nor experience to detect any such infection.

Hopefully someone with more knowledge than I can comment on this.

 

I believe an A.D.S. infection at Filehippo is most unlikely.

It is far more probable that they had an infection when you downloaded, and they cured it by the time I downloaded.

It is far far far more likely that, as suggested by pwillener,

your A.V. gave a false positive which was fixed with a signature update between use of Filehippo and use of identical Piriform.

 

It would be nice if a hash checksum was quoted for every binary file - even MD5 is better than nowt ! !

 

Alan


I am having the same problem. About 3 months ago, CCleaner was setting off a false positive (in Webroot Internet Security) as it was cleaning the cache files of Firefox. It was resolved after about 2 updates in CCleaner and Webroot. I use Malwarebytes' Anti-Malware for the double check. It showed no infection then and no infection for this latest false positive. I'll start a ticket at the Webroot site.



  • Moderators

Just me guessing:

Maybe it's not the toolbar after all, but instead the update checker that runs now during setup to make sure people aren't installing a old version. Now that I could see as possibly setting off an AV looking for any behaviour that may seem out of the ordinary.


  • Moderators

Shouldn't need a ticket, most AVs have false positive reporting sections (or features in the actual software)

