Piriform Community Forums
Just ME Onlyme

I suggest an explanation of why I see trojan/virus's in current builds when scanning ccsetup 553


I am seeing UI changes when opening CCleaner to use. I opened CCleaner to use and there was a Quick Scan icon on top of the normal scan button (never seen that before). What was weird is it went away all on its own, back to normal. I did not uninstall that version and install another; it changed on the same version.

This is why I decided to remove all piriform related software from my PC now.

I see pop-ups appearing. I am reading that the pop-up is only supposed to happen once and go away. There is discussion of blocking the cookie, but there is no cookie to block or accept in the list of cookies in CCleaner.

When I scan ccsetup553 it shows either a trojan or a virus. Even on the 'slim' version, if I scan it and expand it, it shows a positive.

There are files related to rus. The countries vary in the expansion of each of the 3 files that the file is 'related' to, sending information to or talking to.

 

Basically, it is about time this gets answered.

 

W** is going on?

 

EDIT: to add... I have been in contact with email support. "We need to make money somehow" is the basic end of the discussion regarding the pop-up.

553.JPG

553 zip.JPG


All you can really go by is what antivirus tells you, but some of those scanners produce a lot of false positives.

I've just scanned the Slim version installer; the results are listed below.

-----------------

CCleaner Free v5.53.7034 Slim installer from:
https://www.ccleaner.com/ccleaner/builds

Jotti has one detection for it (VBA scanner):
https://virusscan.jotti.org/en-US/filescanjob/g4dm4xunw1

VirusTotal finds nothing wrong:
https://www.virustotal.com/en/file/8911097985f2e42aa4436f2eb66aa1a03092c17e74a5effb5df7cb6a55562283/analysis/1551395497/

Verification:
File: ccsetup553_slim.exe
Size: 14.7 MB (15,469,064 bytes)
MD5 Hash: 570504d1a4ea62c42372555abb82dfc1
SHA-1 Hash: 298a3c5473179060bed2069e10bb9938d29fa6da
SHA-256 Hash: 8911097985f2e42aa4436f2eb66aa1a03092c17e74a5effb5df7cb6a55562283


I don't have a VirusTotal account to log into, and I'm not creating one just for this.

What ESET finds, and will likely always find, is the 3rd-party Google software packaged inside the Standard Installer; use the Slim Installer or the Portable ZIP instead.


Hi Andavari,

Thank you for your reply

I am, however, concerned about your replies to this thread.

YOU are the one that posted YOUR findings of the VirusTotal scan (which I NOW find out you don't have a simple login set up for on VirusTotal).

First, you said there were no findings on the slim version of ccsetup 553.

I then expanded the ccsetup553_slim.exe for YOU and even edited the screenshot to show you where to look.

Now you reply by saying:

9 hours ago, Andavari said:

I don't have a Virus Total account to log into, and I'm not creating one just for this.

Then why are you using that scan result to answer a thread here on the forums?

Now, I have another concern with your reply.

9 hours ago, Andavari said:

What ESET finds and will likely always find is the 3rd party Google software packaged inside the Standard Installer, use the Slim Installer or the Portable ZIP instead.

 

I don't believe this has anything to do with Google. (photo below)

	http://softok.servtodown.ru/CCleaner_Rus_Setup.exe
	

This photo is about the Slim Installer.

 

Please, if you are going to refuse to back up your claim, I suggest you don't answer the thread.

 

slim rus..JPG

mar1.JPG

Edited by Nergal
coded worrying link

39 minutes ago, Just ME Onlyme said:

http://softok.servtodown.ru/CCleaner_Rus_Setup.exe

What is this?

8 hours ago, Nergal said:

What is this?

 

I ask the same.

If this is where Just ME Onlyme got his download of CCleaner from, then there is little point in continuing this thread; it looks like a repack.


Seems there's no need to sign in; this is what he's on about (near the bottom of the Comments page, which also shows various renamed CCleaner setup files):
https://www.virustotal.com/en/file/8911097985f2e42aa4436f2eb66aa1a03092c17e74a5effb5df7cb6a55562283/analysis/1551395497/

To reiterate, VirusTotal finds nothing wrong with the official file downloaded from CCleaner.com, as it clearly states: Detection ratio: 0 / 67.

That other data on the Comments page is something a user posted on their own; it is not from VirusTotal, it's from a scan done by Hybrid Analysis. You cannot compare scan results from VirusTotal with those from Hybrid Analysis - it will only cause confusion.

If you download from the official Piriform CCleaner website, then according to VirusTotal the file is clean. If you do not trust the file, the solution is very simple for you: don't use it.

I'm done with this.


You guys are probably way ahead of me, but just for my satisfaction I checked this out.

I just downloaded the 553 slim version from MajorGeeks (no longer available at the builds link) and sent it to VT. It has the same hashes as the 553 version mentioned here.
The 553 slim version analyzes clean.
Some of the detections here and at VT are for the zip file and the installer exe, not the slim.

FWIW, the user named billy AKA billy bob made those comments, and also included the incorrect download link that Nergal noticed. There are links to download a file called CCleaner_Rus_Setup from 2 different sites.
See here. Didn't need to sign in.

https://www.virustotal.com/en/user/billy/

 


That "Rus" setup is just in a list of renamed setup files, who knows if the hashes match or if it's a repack (which would be illegal). In any event it's now obsolete, since there's a new version 5.54 to scrutinize.

5 hours ago, Andavari said:

That "Rus" setup is just in a list of renamed setup files, who knows if the hashes match or if it's a repack (which would be illegal). In any event it's now obsolete, since there's a new version 5.54 to scrutinize.

Ahhhh, yes.  Never a dull moment, eh?  :) 

7 hours ago, Just ME Onlyme said:

**** positives in the 554 versions too.

Almost every version will trigger at least one antivirus scanner. You can either trust whatever virus scanner listed on VirusTotal has found something, or you can trust your installed antivirus and antimalware software, the choice is yours.


Hello, I have just registered on the forum because of your concern. While I know it can be frustrating and confusing sometimes on the big world wide web, I think it should also be noted that it can sometimes be down to one's own lack of education. So please don't panic at VirusTotal's findings. VirusTotal is a very powerful tool. It is also a very confusing tool if you do not understand the basic mechanics of security software and other tools such as VirusTotal. Moving on...

I will focus on one example to keep it simple. Take Endgame, for example, as the flagged AV vendor. The engine on VT is a static ML (machine learning) module that does not use a database or heuristic scanning. The ML engine processes files on a point system. To make it simple, let's say the engine scores a file 1 out of 10. This is called confidence scoring (I believe that is the correct term). Here is the big catch: VirusTotal does not support confidence scores, so even a very low score will flag up as malware.

For programmers out there, a difference in score could be affected by the project being compiled in debug or release. Test it for yourself.

17 hours ago, Just ME Onlyme said:

The thread started out by including screenshots.

The screenshot has a web address from

Virustotal.com

No, specifically the .ru-based CCleaner installer you mentioned. That is not an official download site and could well be full of malware. The ONLY places to download CCleaner are ccleaner.com and FileHippo. Else, yes, it may have dangerous intent.


The *Rus* setup file is probably just a renamed setup file, though; otherwise it wouldn't be showing up on the same scan page/session on VirusTotal, and some online scanners show all the renamed setup files they have scanned even though they have the same hash (MD5, SHA-1, SHA-256, etc.).


I don't know, are you guys not reading my posts or something? I don't get it.

On 3/10/2019 at 21:32, Just ME Onlyme said:

I did not download Ccleaner from a 3rd party site.

On 3/11/2019 at 14:50, Nergal said:

No specifically the .ru based ccleaner installer you mentioned. That is not an official download site and well could be full of malware.  The ONLY places to download ccleaner are ccleaner.com and file hippo.  Else yes it may have dangerous intent.

The .ru is what I found IN that download. 

 

I am saying, I downloaded Ccleaner from that https://www.ccleaner.com/ccleaner/builds website, and the .ru was IN IT.

 

Do we understand each other now? :D

I dare to check again.. shall I? LOL

Let's do the portable version. : )

Just looking at the findings on that is scary to me.

I know it doesn't show .ru; things seem to change every time I re-download and check. It is as if the file is being changed in the download but is still the same version.

I don't know, but every time I check there is SOMETHING.. like below... have fun reading what you find when you click one. 

(providing you even try) Don't forget, you must sign into virustotal to see the 'expanded view' of the files you scan.

 

If you don't bother to look, don't reply.

What I am saying is, every time I scan a download from their website (https://www.ccleaner.com/ccleaner/builds), there is something found. Every time.

 

 

Scan it.JPG


Good evening. In my previous post, I stated it was down to one's own lack of education. I guess I should have expanded more.

You are not qualified to understand the VirusTotal report, hence this outburst. And I mean that in a nice way. Being a community member does not make you a malware expert. The graphs you are looking at are only there to help identify the relationship between files, URLs, domains and IPs. The file here, which is called the root node, has not been flagged, but its relationship with one of the above has been addressed. Any community investigation will be made public by the user unless set to private. It is nothing more than an attempt to generate a relationship between files and addresses. It is designed for investigators to share results with one another.


This is the whole contents of portable.dat from CCleaner Portable and has been for years, it's not infected in any way shape or form:
 

#PORTABLE#

 


I have downloaded Ccleaner in the past, scanned it and there was nothing found....NOTHING found.

Now that Avast is in control, there is crap found in almost EVERY version.

For those that ridicule me for pointing that out .....

In your neck.

 

 

...and yet, every time I show (NO, I HOLD YOUR HAND) how I found something, you guys have some excuse for it.

"#portable#"

'Oh it's this'... 'oh it's that'...

There should not be anything in this (like it used to be).

 

Every

Freakn (Yes, I did change this)

Time.

 

NOW there are reports of the pop-up; people who upgraded are still getting the pop-up.

 

 

 

ccsetup555.exe today. 

 

 

Quote

You are not qualified to understand

 

I'm qualified to understand it never had ANY positives before.....

ccleaner downloaded mar 17 2019.JPG


Good evening. This is going around in circles because you are not listening. How could 58 other engines be so wrong? Stop focusing on basic false positives. The engines on VT have minimal disassembling power, and VT does not execute the files for more comprehensive analysis. I have already covered Endgame's false positive, so no need to go over old ground. ESET is clearly flagging the packed toolbar and states "potentially". Antiy Labs is/was a bit of a joke.

It is because of such limitations that VT engines have regarding disassembling that the files are extremely hard to read. Compressed and packed files, in particular, are often flagged as suspicious by VT. Considering heuristic analysis, AV engines have no way to determine the good or bad in a program based on certain methods, which is why they may alert you to a dangerous nature.

If a person has a firearm on them, who can accurately distinguish between good and bad intentions? So we simply flag the firearm.


No infection in any of the portable versions listed in this topic so far.  I downloaded & checked them all.  The 555 zip file does show a false positive, but none of the files extracted from it do.

I suggest that the OP begin posting the hash values in code tags instead of pictures, so it is easier to be sure we are all talking about the same file.
No way am I going to try to manually type all those hashes and verify them; I don't have time. :(
But it would be simple to copy and search for the text string.

For example, VT shows the hash for the portable CCleaner 64 exe extracted from ver. 555 as this: 

SHA-256	e482637cbad141b517ac6f27ceff8cf04e36a92c51c00ea29c1d2c0119a74782

It's easy to copy and check that hash in several ways, both here and at VT.

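The last two posters are making the same point: compare the digests of the file you actually downloaded against the ones published as text (the "MD5 Hash: / SHA-1 Hash: / SHA-256 Hash:" block earlier in the thread), rather than arguing over screenshots. The script below is an added example, not code from the thread or from Piriform; it assumes a pasted block in that same layout and a local installer path, and the "abc" sample bytes used in its check are constructed test data.

```python
import hashlib
import re
import sys

# Lines like "SHA-256 Hash: <hex>" as pasted in the post; names mapped to hashlib.
_LINE = re.compile(r"^\s*(MD5|SHA-1|SHA-256)\s+Hash:\s*([0-9a-f]+)\s*$", re.I | re.M)
_ALGO = {"md5": "md5", "sha-1": "sha1", "sha-256": "sha256"}
_HEXLEN = {"md5": 32, "sha1": 40, "sha256": 64}


def parse_published(text: str) -> dict:
    """Extract published hashes from a verification block -> {hashlib_name: hex}."""
    found = {}
    for name, hexdigest in _LINE.findall(text):
        algo = _ALGO[name.lower()]
        if len(hexdigest) != _HEXLEN[algo]:  # a truncated/mistyped hash is rejected early
            raise ValueError(f"{name} value has wrong length: {len(hexdigest)}")
        found[algo] = hexdigest.lower()
    if not found:
        raise ValueError("no recognised 'MD5/SHA-1/SHA-256 Hash:' lines found")
    return found


def digest_stream(chunks, algos=("md5", "sha1", "sha256")) -> dict:
    """Hash an iterable of byte chunks once for every requested algorithm."""
    hashers = {a: hashlib.new(a) for a in algos}
    for block in chunks:
        for h in hashers.values():
            h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def digest_file(path, algos=("md5", "sha1", "sha256"), chunk=1 << 20) -> dict:
    """Stream a file from disk in 1 MiB chunks (installers are large)."""
    with open(path, "rb") as fh:
        return digest_stream(iter(lambda: fh.read(chunk), b""), algos)


def verify(local: dict, published: dict) -> dict:
    """Per-algorithm result: {algo: (matches, local_hex, published_hex)}."""
    return {a: (local.get(a) == published[a], local.get(a), published[a])
            for a in published}


if __name__ == "__main__":
    # usage: python verify_download.py <installer.exe> < pasted_hash_block.txt
    expected = parse_published(sys.stdin.read())
    for algo, (ok, got, want) in verify(digest_file(sys.argv[1]), expected).items():
        print(f"{algo:7} {'OK      ' if ok else 'MISMATCH'} local={got} published={want}")
```

A mismatch on any algorithm means the bytes on disk are not the file the poster scanned, which is the first thing to settle before comparing anyone's VirusTotal results.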
This topic is now closed to further replies.
