VirSCAN

File information
Safety rating: 80
Behavior list
Basic Information
MD5: bd4122d5b2830c8db3992cb9d2920f0e
File type: Nsis
Production company: Piriform Ltd
Version: 2.0.0.0---2.0.0.0
Shell or compiler information:
Subfile information: CCleaner.exe / big file / EXE
PF-Toolbar-W78.exe / 8f53b1d567c452a9f1d22face7f70308 / Nsis
PF-Chrome-W78.exe / fe4b83764ae1921d1949985b8adee435 / Nsis
syschk.dll / 42fb0c5333071b1f4b04587b4e38353e / DLL
gcapi_dll.dll / d496480a00abde0655c0fdce9530b43e / DLL
CCleaner64.exe / big file / EXE
pfWWW.dll / cb1d8d51abc47fcf036a8aac36c5f4aa / DLL
uninst.exe / 001fa0be9f6690b79cb47a1b169c7825 / Nsis
pfWWW.dll / 1bf8a77ace38e746320dc8d67b2e7236 / DLL
[NSIS].nsi / fcbbf4c0a99e449e6589987866fb1437 / Unknown
gtapi_signed.dll / 61bc40d1fad9e0faa9a07219b90ba0e4 / DLL
lang-1032.dll / 4b796a880ebf4545c842f0b9ce2266a5 / DLL
lang-1027.dll / a1ae041826d40e05b02046490d1435d5 / DLL
lang-1043.dll / a4f6693a47201d529e61eaa7eb43ee1d / DLL
lang-1036.dll / 6589248024dd002da882bb57cce9e52d / DLL
lang-1155.dll / 4fa5bd69945984dc9f85a55c2da0c14b / DLL
lang-2070.dll / 916701ca48e0256ae24ee430f981c1f6 / DLL
lang-1034.dll / d1487ec0aebf8c34c674712424118d0d / DLL
lang-1035.dll / 20eccee5d9cc473ff1c56afc589b2223 / DLL
Key behavior
Behavior description: Hide specified window
details:[Window,Class] = [,Button]
[Window,Class] = [www.piriform.com,Static]
[Window,Class] = [www.piriform.com ,Static]
[Window,Class] = [,Static]
[Window,Class] = [,ComboLBox]
[Window,Class] = [Cancel,Button]
[Window,Class] = [Advanced,Button]
[Window,Class] = [Install Options,Static]
[Window,Class] = [,pfBrowser]
[Window,Class] = [,Shell Embedding]
[Window,Class] = [,Internet Explorer_Server]
[Window,Class] = [Show &details,Button]
[Window,Class] = [,SysListView32]
[Window,Class] = [,msctls_progress32]
[Window,Class] = [Downloading installation files...,Static]
Behavior description: Block window close message
details:hWnd = 0x0006027e, Text = CCleaner v5.10 Setup , ClassName = #32770.
Behavior description: Create desktop shortcut
details:C:\Documents and Settings\All Users\桌面\CCleaner.lnk
Behavior description: Create file mapping with write access
details:CiceroSharedMemDefaultS-*
MSCTF.MarshalInterface.FileMap.MBJ..JGNIH
MSCTF.MarshalInterface.FileMap.MBJ.B.JGNIH
MSCTF.MarshalInterface.FileMap.MBJ.C.JGNIH
MSCTF.MarshalInterface.FileMap.MBJ.D.JGNIH
MSCTF.MarshalInterface.FileMap.MBJ.E.JGNIH
MSCTF.MarshalInterface.FileMap.MBJ.F.JGNIH
MSCTF.MarshalInterface.FileMap.MBJ.G.JGNIH
MSCTF.Shared.SFM.MBJ
\WINDOWS\system32\zh-cn\ieframe.dll.mui
Local\UrlZonesSM_Administrator
Local\!PrivacIE!SharedMem!Counter
Local\C:_Documents and Settings_Administrator_Local Settings_History_History.IE5_MSHist012015092520150926_index.dat_16384
Local\C:_Documents and Settings_Administrator_Local Settings_History_History.IE5_MSHist012015092520150926_index.dat_32768
MSCTF.MarshalInterface.FileMap.MBJ.H.BDDLH
Behavior description: Send DDE execute message to window
details:Process = iexplore.exe, hWnd = 0x0006015a, Window = , Class = DDEMLUnicodeServer.
Behavior description: Set special folder attributes
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012015092520150926
C:\Documents and Settings\Administrator\UserData
Behavior description: Resolve host address by name
details:www.piriform.com
Process behavior
Behavior description: Create process with hidden window
details:ImagePath = , CmdLine = "c:\docume~1\admini~1\locals~1\temp\nsa6.tmp\ns7.tmp" ping -n 1 -w 5000 www.piriform.com
Behavior description: Create process
details:ImagePath = C:\WINDOWS\system32\ping.exe, CmdLine = ping -n 1 -w 5000 www.piriform.com
Behavior description: Create process from newly created file
details:ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsa6.tmp\ns7.tmp, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsa6.tmp\ns7.tmp" ping -n 1 -w 5000 www.piriform.com
ImagePath = C:\Program Files\CCleaner\CCleaner.exe, CmdLine = "C:\Program Files\CCleaner\CCleaner.exe"
ImagePath = C:\Program Files\CCleaner\CCleaner.exe, CmdLine = "C:\Program Files\CCleaner\CCleaner.exe" /monitor
Behavior description: Enumerate processes
details:N/A
File behavior
Behavior description: Drop links or shortcuts in sensitive system locations (such as the Start Menu)
details:C:\Documents and Settings\All Users\「开始」菜单\程序\CCleaner\CCleaner.lnk
C:\Documents and Settings\All Users\「开始」菜单\程序\CCleaner\CCleaner Homepage.url
Behavior description: Create executable file
details:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsa6.tmp\System.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsa6.tmp\UserInfo.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsa6.tmp\g\gtapi_signed.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsa6.tmp\g\gcapi_dll.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsa6.tmp\g\pfWWW.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsa6.tmp\ButtonEvent.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsa6.tmp\nsDialogs.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsa6.tmp\nsProcess.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsa6.tmp\nsExec.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsa6.tmp\ns7.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsa6.tmp\inetc.dll
C:\Program Files\CCleaner\CCleaner.exe
C:\Program Files\CCleaner\Lang\lang-1031.dll
C:\Program Files\CCleaner\Lang\lang-1041.dll
C:\Program Files\CCleaner\Lang\lang-1049.dll
Behavior description: Search for files
details:FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsa6.tmp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsa6.tmp\g
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1
FileName = C:\Documents and Settings\ADMINI~1
FileName = C:\Documents and Settings\Administrator\LOCALS~1
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\nsa6.tmp
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\nsa6.tmp\g
Behavior description: Create desktop shortcut
details:C:\Documents and Settings\All Users\桌面\CCleaner.lnk
Behavior description: Create file mapping with write access
details:CiceroSharedMemDefaultS-*
MSCTF.MarshalInterface.FileMap.MBJ..JGNIH
MSCTF.MarshalInterface.FileMap.MBJ.B.JGNIH
MSCTF.MarshalInterface.FileMap.MBJ.C.JGNIH
MSCTF.MarshalInterface.FileMap.MBJ.D.JGNIH
MSCTF.MarshalInterface.FileMap.MBJ.E.JGNIH
MSCTF.MarshalInterface.FileMap.MBJ.F.JGNIH
MSCTF.MarshalInterface.FileMap.MBJ.G.JGNIH
MSCTF.Shared.SFM.MBJ
\WINDOWS\system32\zh-cn\ieframe.dll.mui
Local\UrlZonesSM_Administrator
Local\!PrivacIE!SharedMem!Counter
Local\C:_Documents and Settings_Administrator_Local Settings_History_History.IE5_MSHist012015092520150926_index.dat_16384
Local\C:_Documents and Settings_Administrator_Local Settings_History_History.IE5_MSHist012015092520150926_index.dat_32768
MSCTF.MarshalInterface.FileMap.MBJ.H.BDDLH
Behavior description: Set special folder attributes
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012015092520150926
C:\Documents and Settings\Administrator\UserData
Behavior description: Modify file contents
details:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsa6.tmp\g\gcombo\ComboOffer.html---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsa6.tmp\g\gcombo\combo-offer.png---> Offset = 16384
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsa6.tmp\modern-header.bmp---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsa6.tmp\modern-wizard.bmp---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsa6.tmp\g\gcombo\ChromeLogo.bmp---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsa6.tmp\g\gcombo\ComboText.bmp---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012015092520150926\index.dat---> Offset = 0
C:\Documents and Settings\All Users\桌面\CCleaner.lnk---> Offset = 0
C:\Documents and Settings\All Users\「开始」菜单\程序\CCleaner\CCleaner.lnk---> Offset = 0
C:\Documents and Settings\All Users\「开始」菜单\程序\CCleaner\CCleaner Homepage.url---> Offset = 0
C:\Documents and Settings\All Users\「开始」菜单\程序\CCleaner\CCleaner Homepage.url---> Offset = 58
C:\Documents and Settings\All Users\「开始」菜单\程序\CCleaner\CCleaner Homepage.url---> Offset = 69
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsf5.tmp---> Offset = 98304
C:\WINDOWS\wininit.ini---> Offset = 0
Network behavior
Behavior description: Open URL over the network
details:InternetOpenUrlA: https://www.piriform.com/go/app_cc_pro_trialkey hInternet = 0x00000304
InternetOpenUrlA: https://license.piriform.com/verify/?p=ccpro&c=cc&cv=5.10.5373&l=1033&lk=MZw [remainder of the lk parameter is unreadable in the sandbox capture]
Behavior description: Download file
details:C:\Program Files\CCleaner\CheckUpdate.log
Behavior description: Connect to specified site
details:InternetConnectA: ServerName = service.piriform.com, PORT = 80
Behavior description: Read network file
details:hFile = 0x00000504, BytesToRead =8192, BytesRead = 8192.
hFile = 0x00000304, BytesToRead =2048, BytesRead = 2048.
hFile = 0x000003ac, BytesToRead =2048, BytesRead = 2048.
Behavior description: Open HTTP request
details:HttpOpenRequestA: service.piriform.com:80/installcheck.aspx?p=1&v=5.10.5373&vx=&l=1033&b=1&o=5.1w3&g=7&i=1&a=0, hConnect = 0x0000054c
Behavior description: Resolve host address by name
details:www.piriform.com
Registry behavior
Behavior description: Modify registry
details:\REGISTRY\MACHINE\SOFTWARE\Google\Google Toolbar\test
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015092520150926\CachePath
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015092520150926\CachePrefix
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015092520150926\CacheLimit
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015092520150926\CacheOptions
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015092520150926\CacheRepair
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Run CCleaner\command\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Open CCleaner...\command\
\REGISTRY\MACHINE\SOFTWARE\Piriform\CCleaner\UpdateCheck
\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\
\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\
\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\
\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\command\
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ccleaner.exe\
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ccleaner.exe\Path
Behavior description: Delete registry value
details:\REGISTRY\MACHINE\SOFTWARE\Google\Google Toolbar\test
\REGISTRY\MACHINE\SOFTWARE\Google\No Toolbar Offer Until\Piriform Ltd
\REGISTRY\MACHINE\SOFTWARE\Google\No Chrome Offer Until\Piriform Ltd
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CCleaner\InstallDate
\REGISTRY\MACHINE\SOFTWARE\Microsoft\ESENT\Process\CCleaner\DEBUG\Trace Level
\REGISTRY\USER\S-*\Software\Piriform\CCleaner\AutoICS
\REGISTRY\USER\S-*\Software\Piriform\CCleaner\AutoUpdateNotificationExpiryTime
Behavior description: Modify registry_URL protocol association
details:\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\URL Protocol
Behavior description: Delete registry key
details:\REGISTRY\MACHINE\SOFTWARE\Google\Google Toolbar
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015082520150826
Other behavior
Behavior description: Create mutex
details:CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.ELH
MSCTF.Shared.MUTEX.MBJ
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Local\!PrivacIE!SharedMemory!Mutex
Local\c:!documents and settings!administrator!local settings!history!history.ie5!mshist012015092520150926!
SHIMLIB_LOG_MUTEX
Behavior description: Hide specified window
details:[Window,Class] = [,Button]
[Window,Class] = [www.piriform.com,Static]
[Window,Class] = [www.piriform.com ,Static]
[Window,Class] = [,Static]
[Window,Class] = [,ComboLBox]
[Window,Class] = [Cancel,Button]
[Window,Class] = [Advanced,Button]
[Window,Class] = [Install Options,Static]
[Window,Class] = [,pfBrowser]
[Window,Class] = [,Shell Embedding]
[Window,Class] = [,Internet Explorer_Server]
[Window,Class] = [Show &details,Button]
[Window,Class] = [,SysListView32]
[Window,Class] = [,msctls_progress32]
[Window,Class] = [Downloading installation files...,Static]
Behavior description: Read/write hard disk using SCSI commands
details:N/A
Behavior description: Acquire system privileges
details:SE_LOAD_DRIVER_PRIVILEGE
SE_RESTORE_PRIVILEGE
Behavior description: Find specified window
details:NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [#32770,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [MS_AutodialMonitor,]
NtUserFindWindowEx: [Class,Window] = [MS_WebCheckMonitor,]
NtUserFindWindowEx: [Class,Window] = [PiriformRegistration,]
NtUserFindWindowEx: [Class,Window] = [#32770,Piriform CCleaner]
NtUserFindWindowEx: [Class,Window] = [ThunderRT6FormDC,CCleaner]
NtUserFindWindowEx: [Class,Window] = [PiriformCCleaner,]
NtUserFindWindowEx: [Class,Window] = [SysListView32,]
Behavior description: Block window close message
details:hWnd = 0x0006027e, Text = CCleaner v5.10 Setup , ClassName = #32770.
Behavior description: Window information
details:Pid = 2336, Hwnd=0x302a2, Text = &Next >, ClassName = Button.
Pid = 2336, Hwnd=0x501f2, Text = Cancel, ClassName = Button.
Pid = 2336, Hwnd=0x202d4, Text = www.piriform.com , ClassName = Static.
Pid = 2336, Hwnd=0x302dc, Text = www.piriform.com, ClassName = Static.
Pid = 2336, Hwnd=0x302b8, Text = Advanced, ClassName = Button.
Pid = 2336, Hwnd=0x502ce, Text = View license agreement, ClassName = Button.
Pid = 2336, Hwnd=0x302b6, Text = View privacy policy, ClassName = Button.
Pid = 2336, Hwnd=0x202d2, Text = English, ClassName = ComboBox.
Pid = 2336, Hwnd=0x202d0, Text = Select your language:, ClassName = Static.
Pid = 2336, Hwnd=0x202ac, Text = Welcome to the CCleaner v5.10 Setup, ClassName = Static.
Pid = 2336, Hwnd=0x402be, Text = Setup will guide you through the installation of CCleaner v5.10. Click Next to continue., ClassName = Static.
Pid = 2336, Hwnd=0x702c0, Text = By installing this product you agree to our license agreement and privacy policy., ClassName = Static.
Pid = 2336, Hwnd=0x6027e, Text = CCleaner v5.10 Setup, ClassName = #32770.
Pid = 2336, Hwnd=0x802c0, Text = Add Desktop Shortcut, ClassName = Button(CheckBox).
Pid = 2336, Hwnd=0x502be, Text = Add Start Menu Shortcuts, ClassName = Button(CheckBox).
Behavior description: Inline hook
details:C:\WINDOWS\system32\USER32.dll--->EnableScrollBar Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->GetScrollInfo Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->GetScrollPos Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->GetScrollRange Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->SetScrollInfo Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->SetScrollPos Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->SetScrollRange Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->ShowScrollBar Offset = 0x0
Behavior description: Get TickCount value
details:TickCount = 506350, SleepMilliseconds = 100.
TickCount = 506381, SleepMilliseconds = 100.
TickCount = 508115, SleepMilliseconds = 100.
TickCount = 508193, SleepMilliseconds = 100.
TickCount = 508240, SleepMilliseconds = 100.
TickCount = 508256, SleepMilliseconds = 100.
TickCount = 508271, SleepMilliseconds = 100.
TickCount = 508287, SleepMilliseconds = 100.
TickCount = 508334, SleepMilliseconds = 100.
TickCount = 508350, SleepMilliseconds = 100.
TickCount = 508396, SleepMilliseconds = 100.
TickCount = 510631, SleepMilliseconds = 100.
TickCount = 510818, SleepMilliseconds = 100.
TickCount = 510834, SleepMilliseconds = 100.
TickCount = 510865, SleepMilliseconds = 100.
Behavior description: Open image file
details:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsa6.tmp\modern-header.bmp
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsa6.tmp\modern-wizard.bmp
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsa6.tmp\g\gcombo\ChromeLogo.bmp
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsa6.tmp\g\gcombo\ComboText.bmp
Behavior description: Send DDE execute message to window
details:Process = iexplore.exe, hWnd = 0x0006015a, Window = , Class = DDEMLUnicodeServer.