
Warning re Virus in CCleaner download



#1 64bit Grunge (Newbie, Members, 2 posts)

Posted 18 June 2010 - 08:13 AM

Hi,

(Apologies if this has arisen before or is in the wrong forum, please move it appropriately to the appropriate forum.)


I downloaded CCleaner on the 16th June 2010 from Filehippo. (ccsetup232.exe)

Because I strive to run a clean system, my anti-virus program picked up Mal/Generic-L when installing CCleaner. The virus is in s415log.exe, which is produced by CCleaner in the temp folder.

I thought it was my mistake, and I thought this was a case of a false positive warning, but just to check I sent the file to Sophos for analysis and they confirmed that it does indeed contain a virus.

Although there is the possibility that the FileHippo Server may have introduced the virus, the fact that it did not appear until after unzipping makes me think that the virus was present at the time of creation.

I thought it sensible to contact you and advise you, as it may affect everyone who has downloaded this file.

Grunge


------------
CONFIRMATION CORRESPONDENCE WITH SOPHOS
------------

To Sophos:


Here's an extract from my Sophos log file..

...
20100611 130244 File "C:\Documents and Settings\Surfer\Local Settings\Temp\s415log.exe" belongs to virus/spyware 'Mal/Generic-L'.
20100611 130244 On-access scanner has denied access to location "C:\Documents and Settings\Surfer\Local Settings\Temp\s415log.exe" for user THINGT-XP\Surfer
..... 20100611 132004 Using detection data version 4.54G (detection engine 3.7.1). This version can detect 1711507 items. ....

I also include the actual file I downloaded - ccsetup232.exe - (incl. some screen dumps of what I clicked on), and which was the executable run. I have zipped this, password = *** .....

Hope this is of help. Your advice is appreciated.

Regards

Grunge

-----------


On 18 Jun 2010, at 08:57, <support@sophos.com> wrote:

Hi Grunge,

Our labs have just finished going through the samples you provided - please see the results below:

- ccsetup232.exe is only detected under Application Control as Yahoo! Messenger
- s415log.exe is detected as Mal/Generic-L - the file copies itself into C:\Documents and Settings\support\Local Settings\Temp\s209log.exe and has been identified as a Trojan downloader

Hope it helps - please let me know if you have any questions.

Regards,

Jacek Majewski
Sophos Technical Support
http://www.sophos.co.../technical.html

Support knowledgebase: http://www.sophos.com/support
Subscribe to email notifications: http://www.sophos.co...y/notifications
New! SophosTalk community (discussion forums): http://community.sophos.com

SOPHOS - simply secure


-----Original Message-----
From: support@sophos.com
Sent: 2010-06-17 12:01 PM
To: grunge
Cc:

Hi Grunge,

Can you please send the file to the labs following the information below:

http://www.sophos.co...icle/11490.html

Suspicious files sent to support are simply removed.
Please let me know when you have had a chance to go through this.


Regards,

Jacek Majewski
Sophos Technical Support
http://www.sophos.co.../technical.html

Support knowledgebase: http://www.sophos.com/support
Subscribe to email notifications: http://www.sophos.co...y/notifications
New! SophosTalk community (discussion forums): http://community.sophos.com

SOPHOS - simply secure


-----Original Message-----
From: grunge
Sent: 2010-06-17 11:44 AM
To: supportuk@Sophos.com,
Cc:
________________________________

WARNING: One or more of the attachments (s415log.zip, ccsetup232.zip) in this e-mail have been removed because they might exhibit potentially malicious behaviour.

The original attachments have been automatically sent to Sophos Labs for analysis. If the attachments are clean, you should receive them within 30 minutes of this e-mail.
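The log extract quoted above is the only hard evidence in this thread, so it is worth being able to read it mechanically. The following is an added example, not code from the original post or from Piriform or Sophos: a small parser for the three Sophos on-access log line shapes shown above (detection, access denied, engine version), which pairs each detection with its access-denied line and flags detections that land in a Temp folder. The line formats are assumed from the quoted sample alone, and the sample input is those same lines, embedded inline.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Constructed sample input: the three Sophos on-access log lines quoted in the
# post above, with the "..." elision markers around them dropped.
SAMPLE_LOG = r"""
20100611 130244 File "C:\Documents and Settings\Surfer\Local Settings\Temp\s415log.exe" belongs to virus/spyware 'Mal/Generic-L'.
20100611 130244 On-access scanner has denied access to location "C:\Documents and Settings\Surfer\Local Settings\Temp\s415log.exe" for user THINGT-XP\Surfer
20100611 132004 Using detection data version 4.54G (detection engine 3.7.1). This version can detect 1711507 items.
"""

# Line shapes are assumed from the quoted sample only; real Sophos logs have more kinds.
_TS = r"(?P<date>\d{8}) (?P<time>\d{6}) "
_PATTERNS = {
    "detection": re.compile(
        _TS + r'File "(?P<path>[^"]+)" belongs to virus/spyware \'(?P<name>[^\']+)\'\.?'),
    "denied": re.compile(
        _TS + r'On-access scanner has denied access to location "(?P<path>[^"]+)" for user (?P<user>\S+)'),
    "engine": re.compile(
        _TS + r'Using detection data version (?P<data>\S+) \(detection engine (?P<engine>[^)]+)\)\.'
        r' This version can detect (?P<count>\d+) items\.'),
}


@dataclass
class LogEvent:
    timestamp: datetime
    kind: str                       # "detection", "denied", "engine" or "unparsed"
    path: Optional[str] = None      # file the scanner acted on, if any
    fields: Dict[str, str] = field(default_factory=dict)
    raw: str = ""


def parse_line(line: str) -> LogEvent:
    """Classify one log line; unknown lines are kept as 'unparsed' rather than dropped."""
    for kind, pattern in _PATTERNS.items():
        m = pattern.match(line)
        if m:
            g = m.groupdict()
            ts = datetime.strptime(g.pop("date") + g.pop("time"), "%Y%m%d%H%M%S")
            return LogEvent(ts, kind, g.pop("path", None), g, line)
    return LogEvent(datetime.min, "unparsed", None, {}, line)


def parse_sophos_log(text: str) -> List[LogEvent]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def in_temp_dir(path: str) -> bool:
    """True when any directory component (not the file name) is a Temp folder."""
    return any(part.lower() == "temp" for part in PureWindowsPath(path).parts[:-1])


def temp_detections(events: List[LogEvent]) -> Dict[str, dict]:
    """Correlate each Temp-folder detection with the matching access-denied line.

    A detection with no denied line at the same timestamp means the file was
    flagged but not blocked, which is the case a responder wants to see first.
    """
    denied = {(e.timestamp, e.path): e.fields.get("user")
              for e in events if e.kind == "denied"}
    result: Dict[str, dict] = {}
    for e in events:
        if e.kind == "detection" and e.path and in_temp_dir(e.path):
            user = denied.get((e.timestamp, e.path))
            result[e.path] = {"name": e.fields["name"], "blocked": user is not None, "user": user}
    return result


def engine_version(events: List[LogEvent]) -> Optional[str]:
    """Detection engine version in force at scan time, from the 'Using detection data' line."""
    for e in events:
        if e.kind == "engine":
            return e.fields["engine"]
    return None


if __name__ == "__main__":
    evs = parse_sophos_log(SAMPLE_LOG)
    for p, info in temp_detections(evs).items():
        print(f"{info['name']} in {p} blocked={info['blocked']} user={info['user']}")
    print("engine:", engine_version(evs))
```

Run against the quoted extract, it reports one blocked detection of Mal/Generic-L in the user's Temp folder, and records the engine version (3.7.1) so the result can be tied to the signature set in use on that day, which matters when deciding whether a detection was a false positive that later data corrected.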


#2 MrG (Administrator, Admin, 1,187 posts, Gender: Male, Location: London, UK)

Posted 18 June 2010 - 08:52 AM

We've rechecked all our installers, and they're all fine and virus free.
My guess is that the s415log.exe file came from another installer.

#3 64bit Grunge (Newbie, Members, 2 posts)

Posted 18 June 2010 - 10:46 AM

> We've rechecked all our installers, and they're all fine and virus free.
> My guess is that the s415log.exe file came from another installer.


Hmmm... Mysterious and mysterious...

I'll recheck my system tonight just in case another virus has got through.. :-(


Sorry in advance if I've made a mistake... I'll get back to you guys


Thanks Mr G