Jump to content
Sign in to follow this  
aqtech

CCLEANER.EXE false positive?

Recommended Posts

After installing the new CCleaner 3.0 from Piriform's site today, MBAM picked up the following entry as: security.hijack HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Image File Execution Options\CCLEANER.EXE

I have Windows 7 Home Premium x64 and the x64 version of the new CCleaner is the one installed, specifically 3.00.1303. For the time being, I'm ignoring the detected threat, as I don't want anything to happen to CCleaner.

Thanks in advance

Share this post


Link to post
Share on other sites
After installing the new CCleaner 3.0 from Piriform's site today, MBAM picked up the following entry as: security.hijack HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Image File Execution Options\CCLEANER.EXE

I have Windows 7 Home Premium x64 and the x64 version of the new CCleaner is the one installed, specifically 3.00.1303. For the time being, I'm ignoring the detected threat, as I don't want anything to happen to CCleaner.

Thanks in advance

Oops, meant to include this

mbam_log_2010_10_28__20_37_03_.txt

Share this post


Link to post
Share on other sites

That key is designed to run other executables instead of the one listed in the key. Normally this would block CCleaner and we would be unblocking it.

I use CCleaner and have never seen this. If your version modified or something?

Share this post


Link to post
Share on other sites

I just confirmed that this is not part of their install. I am not sure where it came from but it is not part of CCleaner. If anything this would be designed to hijack CCleaner and run something else instead.

Share this post


Link to post
Share on other sites
That key is designed to run other executables instead of the one listed in the key. Normally this would block CCleaner and we would be unblocking it.

I use CCleaner and have never seen this. If your version modified or something?

No, it's not modified to my knowledge. I've used CCleaner for years with MBAM and this is the first I've seen. I figured either I got an infected version or the new 64-bit version of CCleaner is giving a false positive.

Share this post


Link to post
Share on other sites

Okay, so I also scanned with SAS Pro, which also identified it as the same threat. I went ahead and deleted the file after both what I've seen here and from the second program. Also, I checked the original installer and, as it did before, it prompted me to install the Yahoo toolbar. I deleted that one and re-downloaded the same installer from Piriform. This time, it did not come bundled with the toolbar functions...? I'm not sure what happened or how it happened, to be honest. I re-scanned everything with MBAM, SAS, and Norton, none of which found any threats this time around after re-installing CCleaner with the newly downloaded installer. Weird?

Share this post


Link to post
Share on other sites

Nothing on 64 bit either.

Did you happen to set CCleaner to run instead of windows cleanup or something? That is about the only legit reason I can come up with for this key being there.

I would just let Malwarebytes remove it, it wont affect CCleaner or windows in any way.

Share this post


Link to post
Share on other sites
Nothing on 64 bit either.

Did you happen to set CCleaner to run instead of windows cleanup or something? That is about the only legit reason I can come up with for this key being there.

I would just let Malwarebytes remove it, it wont affect CCleaner or windows in any way.

I do have CCleaner set to the /AUTO function via the task scheduler. Would that do it?

Share this post


Link to post
Share on other sites

East to test. Remove the key and see if that stops working. If it does its easy to restore and you can set it to ignore.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.