CCleaner Community Forums
Experimentalist

Apparent virus in version 2.32.1165


Sorry to make a virus report as my first post, but that is what I believe has happened.

 

Every time I run CCleaner version 2.32.1165, my antivirus software catches "trojan-relayer-jolleee". This is a very repeatable observation. Every time I run CCleaner, my antivirus software pops up with the Trojan in quarantine.

 

Trojan-Relayer-Jolleee is ranked as a high-risk virus. My antivirus software offers the following description: "Trojan-Relayer-Jolleee is a remote access Trojan that may allow a hacker to gain unrestricted access to your computer when you are online".

 

I believe I downloaded my version of CCleaner from File Hippo, though I am not certain.

 

Can anyone verify similar experience? Is Piriform aware of the issue, and is a clean copy of CCleaner available?

 

Thanks.

 

<<Updated>>

 

I uninstalled CCleaner, and downloaded directly from Piriform. This version appears to be free of the above mentioned Trojan.


I understand panic when an A.V. reports a virus.

 

I do NOT understand why a virus reappears after it has been quarantined.

 

Did you let it out of quarantine yourself to see what it would do ?

Is your A.V. spectacularly useless at keeping the quarantine doors locked ?

 

Alan


And of course (so long as you did download it from File Hippo) please report the false positive to the company that makes your antivirus (of which you've yet to reply with the name).


I understand panic when an A.V. reports a virus.

 

I do NOT understand why a virus reappears after it has been quarantined.

 

Did you let it out of quarantine yourself to see what it would do ?

Is your A.V. spectacularly useless at keeping the quarantine doors locked ?

 

Alan

 

I am using Webroot antivirus with spy sweeper.

 

And no.... I did not let the virus out after it went into quarantine. :rolleyes: I destroyed it every time it was captured.

 

I'll say up front that I do not know for certain what was happening. However, I have some good ideas.

 

What I do know is that the virus appeared consistently every time CCleaner was run.

 

I also know that after uninstalling CCleaner, and then reinstalling from the Piriform web site, the problem went away.

 

My supposition is that the version available on File Hippo was compromised. The compromised CCleaner tried to install the virus every time it was run, which is why Webroot flagged it even though it was previously destroyed.

 

Perhaps I should let the good folks over at File Hippo know? Or maybe the people from Piriform would carry more authority?


And of course (so long as you did download it from File Hippo) please report the false positive to the company that makes your antivirus (of which you've yet to reply with the name).

 

Interesting. It was repeatably demonstrated that the virus appeared whenever CCleaner was run, and the problem went away when CCleaner was reinstalled from an alternative source.

 

And yet you think this was a false positive on the part of the antivirus program? Your confidence in File Hippo appears unshakable.


And yet you think this was a false positive on the part of the antivirus program? Your confidence in File Hippo appears unshakable.

 

It's probably because the FileHippo.com download also included the toolbar, whereas on the Piriform.com site you can get a slim or portable build without the toolbar. FileHippo.com is, however, an official download site for the software, along with Piriform.com.


I also am getting the same result and am using "webroot AntiVirus" program. If you go to their website at http://research.webr...an%20Horse&rc=1

there is a full report on this issue.

In the CCleaner settings, I am using 'secure delete with 3 passes.' I wonder if this has anything to do with this issue.

 

Larry

 

 

It's a vanishingly small probability that this problem is caused by software settings in CCleaner.

 

Your (and my) Webroot AntiVirus software recognized a serious threat. This is not some software incompatibility, nor is it something the users have done wrong.

 

It's a malicious piece of software someone deliberately installed into the CCleaner download from File Hippo. While I am not a hacker myself, I understand it's not terribly difficult to hack a web site. It's in the news often enough. I would guess someone hacked File Hippo and replaced the legitimate version of CCleaner with the hacked version.

 

Either that, or someone on the inside did it. Disgruntled worker, etc.

 

Do the Piriform people read this forum? As far as I know the compromised version remains available on File Hippo. This is a serious situation.


Do you believe in Webroot more than in 41 other AVs ? I don't. http://www.virustota...7ded-1276292217 ;)

 

Exactly. It's just another false positive detection that any antivirus is capable of, and it isn't the first time and not the last by far.

 

Webroot just needs to update their signature files to remove the false positive, although I understand the concern of the OP not wanting to use something the antivirus states is infected - which is why there's VirusTotal, Jotti's Malware Scan, and virSCAN.org to verify if it's a false positive or not.


Exactly. It's just another false positive detection that any antivirus is capable of, and it isn't the first time and not the last by far.

 

Webroot just needs to update their signature files to remove the false positive, although I understand the concern of the OP not wanting to use something the antivirus states is infected - which is why there's VirusTotal, Jotti's Malware Scan, and virSCAN.org to verify if it's a false positive or not.

 

How then do you explain that the problem went away after I uninstalled the software, then reinstalled from a different source?

 

I did not make any changes to what I do or do not want installed.

 

You really think the signatures can be that easily confused? I'm surprised, but then I'm far from an expert on the subject.


Actually, here's a question: When you check the antivirus libraries of these different programs, is that particular virus listed?

 

There's a lot of them out there, and tests have shown a lot of divergence in antivirus software coverage.


How then do you explain that the problem went away after I uninstalled the software, then reinstalled from a different source?

Most likely you also got updated virus definitions from your AV provider at the same time, with the false positive removed.


As far as I know the compromised version remains available on File Hippo. This is a serious situation.

 

A compromised version is NOT available on filehippo.

 

I have unshakeable faith in FileHippo - but have just tested for your benefit.

 

I have downloaded CCleaner version 2.32.1165, both from Filehippo and from Piriform.

Both downloads had identical sizes of 3,387,040 bytes,

BUT, FAR MORE CONVINCING, a binary comparison tool found a perfect match in the contents, byte for byte.

 

The only potential compromise I have ignored is that of an Alternate Data Stream.

I know such things can exist, but have neither tools nor experience to detect any such infection.

Hopefully someone with more knowledge than I can comment on this.

 

I believe an A.D.S. infection at Filehippo is most unlikely.

It is far more probable that they had an infection when you downloaded, and they cured it by the time I downloaded.

It is far far far more likely that, as suggested by pwillener,

your A.V. gave a false positive which was fixed with a signature update between use of Filehippo and use of identical Piriform.

 

It would be nice if a hash checksum was quoted for every binary file - even MD5 is better than nowt!

 

Alan
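The size check, byte-for-byte comparison and published-hash check that Alan describes above, as an added example (not code from this thread, from Piriform or from FileHippo). It assumes two local copies of the download (path_a, path_b) and, for the last function, a vendor-published SHA-256 string; it reads only a file's main data stream, so it says nothing about an Alternate Data Stream.

```python
import hashlib
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads, so a large installer is never fully in memory


def sha256_of(path):
    """Hex SHA-256 of a file's main data stream (ADS are not read)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def compare_downloads(path_a, path_b):
    """Compare two downloads: sizes, SHA-256 digests, byte-for-byte verdict,
    and the offset of the first differing byte (None when identical).
    Equal size alone proves nothing; the digests and the byte walk decide."""
    a, b = Path(path_a), Path(path_b)
    result = {
        "size_a": a.stat().st_size, "size_b": b.stat().st_size,
        "sha256_a": sha256_of(a), "sha256_b": sha256_of(b),
        "identical": False, "first_diff_offset": None,
    }
    if result["size_a"] == result["size_b"] and result["sha256_a"] == result["sha256_b"]:
        result["identical"] = True
        return result
    # Walk both files to locate the divergence. Bytes appended to one copy
    # (a common tamper pattern) show up as an offset equal to the shorter size.
    offset = 0
    with open(a, "rb") as fa, open(b, "rb") as fb:
        while True:
            ca, cb = fa.read(CHUNK), fb.read(CHUNK)
            if ca == cb:
                if not ca:
                    return result  # both exhausted; digests said otherwise
                offset += len(ca)
                continue
            for i, (x, y) in enumerate(zip(ca, cb)):
                if x != y:
                    result["first_diff_offset"] = offset + i
                    return result
            result["first_diff_offset"] = offset + min(len(ca), len(cb))
            return result


def verify_published_hash(path, expected_sha256):
    """Check a download against a vendor-published SHA-256 (what Alan asks
    for); case-insensitive so a copied uppercase digest still matches."""
    return sha256_of(path) == expected_sha256.strip().lower()
```

On NTFS, alternate streams can be listed separately with `dir /r` or PowerShell's `Get-Item -Stream *`.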


Get rid of a crappy AV for a start.


Get rid of a crappy AV for a start.

 

 

Now now ident, I'm sure you can be a bit more diplomatic than that, in fact I expect you to be :)


I uninstalled CCleaner version 2.32.1165 using Revo Uninstaller, then installed a newly downloaded version from Piriform and still had the same problem. Would anybody know if it's just Webroot that is finding this virus?

 

Larry

 

 

A compromised version is NOT available on filehippo.

 

I have unshakeable faith in FileHippo - but have just tested for your benefit.

 

I have downloaded CCleaner version 2.32.1165, both from Filehippo and from Piriform.

Both downloads had identical sizes of 3,387,040 bytes,

BUT, FAR MORE CONVINCING, a binary comparison tool found a perfect match in the contents, byte for byte.

 

The only potential compromise I have ignored is that of an Alternate Data Stream.

I know such things can exist, but have neither tools nor experience to detect any such infection.

Hopefully someone with more knowledge than I can comment on this.

 

I believe an A.D.S. infection at Filehippo is most unlikely.

It is far more probable that they had an infection when you downloaded, and they cured it by the time I downloaded.

It is far far far more likely that, as suggested by pwillener,

your A.V. gave a false positive which was fixed with a signature update between use of Filehippo and use of identical Piriform.

 

It would be nice if a hash checksum was quoted for every binary file - even MD5 is better than nowt!

 

Alan


I am having the same problem. About 3 months ago, CCleaner was setting off a false positive (in Webroot Internet Security) as it was cleaning the cache files of Firefox. It was resolved after about 2 updates in CCleaner and Webroot. I use Malwarebytes' Anti-Malware for the double check. It showed no infection then and no infection for this latest false positive. I'll start a ticket at the Webroot site.


Just me guessing:

Maybe it's not the toolbar after all, but instead the update checker that now runs during setup to make sure people aren't installing an old version. Now that I could see as possibly setting off an AV looking for any behaviour that may seem out of the ordinary.


Wow! 3 Cases. Webroot really needs to check their signature now, and yeah, I have to agree with ident, get Avira Free Edition if you must! :)


^ 4th Case! :mellow:

 

EDIT: Webroot Spysweeper ranks pretty low in the AV list, get a better AV! :)


Shouldn't need a ticket, most AVs have false positive reporting sections (or features in the actual software).
