Find Malicious Versions of CCleaner

In light of the recent discovery of malicious versions of CCleaner and the millions of users affected, it felt like a great time to write some PowerShell scripts that identify whether the malicious versions of CCleaner are on a system and, if so, provide a way to delete the software.

The script below checks the local machine for the malicious versions of CCleaner, looking in both the native and the 32-bit (Wow6432Node) uninstall registry keys.

# Native uninstall key. The version test is grouped in parentheses so the name check applies to both versions.
Get-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* |
Where-Object {$_.DisplayName -like "CCleaner*" -and ($_.DisplayVersion -eq "5.33.6162" -or $_.DisplayVersion -eq "1.07.3191")}

# 32-bit uninstall key on 64-bit Windows
Get-ItemProperty -Path HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* |
Where-Object {$_.DisplayName -like "CCleaner*" -and ($_.DisplayVersion -eq "5.33.6162" -or $_.DisplayVersion -eq "1.07.3191")}
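
The version test in these filters has to be grouped: PowerShell gives -and and -or the same precedence and evaluates them left to right, so an ungrouped "name -and v1 -or v2" test also matches any product whose version is 1.07.3191, whatever its name. The following is an added example, not the original author's code; the function names and the sample entries (including the 5.00.0000 build and "Example Tool") are constructed for illustration.

```powershell
# Added example: function names are illustrative, sample entries are constructed.
$affected = '5.33.6162', '1.07.3191'   # versions named on this page

# Constructed stand-ins for the objects Get-ItemProperty returns from the Uninstall keys.
$entries = @(
    [pscustomobject]@{ DisplayName = 'CCleaner';       DisplayVersion = '5.33.6162' }
    [pscustomobject]@{ DisplayName = 'CCleaner';       DisplayVersion = '5.00.0000' }
    [pscustomobject]@{ DisplayName = 'CCleaner Cloud'; DisplayVersion = '1.07.3191' }
    [pscustomobject]@{ DisplayName = 'Example Tool';   DisplayVersion = '1.07.3191' }
)

function Select-Ungrouped {
    # Evaluated left to right as: (name AND version 1) OR version 2
    param([Parameter(ValueFromPipeline = $true)] $Entry)
    process {
        if ($Entry.DisplayName -like 'CCleaner*' -and $Entry.DisplayVersion -eq '5.33.6162' -or
            $Entry.DisplayVersion -eq '1.07.3191') { $Entry }
    }
}

function Select-AffectedCCleaner {
    # name AND (version is one of the affected builds)
    param([Parameter(ValueFromPipeline = $true)] $Entry)
    process {
        if ($Entry.DisplayName -like 'CCleaner*' -and
            $affected -contains $Entry.DisplayVersion) { $Entry }
    }
}

$loose  = @($entries | Select-Ungrouped)
$strict = @($entries | Select-AffectedCCleaner)

# Entries only the ungrouped filter reports: products that are not CCleaner at all.
$falsePositives = @($loose | Where-Object { $strict -notcontains $_ })

'Ungrouped filter matched : ' + ($loose.DisplayName -join ', ')
'Grouped filter matched   : ' + ($strict.DisplayName -join ', ')
'False positives          : ' + ($falsePositives.DisplayName -join ', ')
```

The difference matters most in the removal scripts, where every matched entry's InstallLocation is used to launch an uninstaller.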

Using PowerShell Remoting, the script below returns a list of the systems that have the infected versions installed.

$cpu = Get-Content c:\list\of\computers.txt

# The script block must start on the same line as -ScriptBlock.
# Each returned object carries a PSComputerName property naming the machine it came from.
Invoke-Command -ComputerName $cpu -ScriptBlock {
    Get-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* |
    Where-Object {$_.DisplayName -like "CCleaner*" -and ($_.DisplayVersion -eq "5.33.6162" -or $_.DisplayVersion -eq "1.07.3191")}

    Get-ItemProperty -Path HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* |
    Where-Object {$_.DisplayName -like "CCleaner*" -and ($_.DisplayVersion -eq "5.33.6162" -or $_.DisplayVersion -eq "1.07.3191")}
    }

Using PowerShell Remoting, the script below removes CCleaner from systems that have the infected versions installed.

$cpu = Get-Content c:\list\of\computers.txt

Invoke-Command -ComputerName $cpu -ScriptBlock {
    # Make errors terminating so that try/catch handles them
    $ErrorActionPreference = 'Stop'
    try
        {
        # Native uninstall key
        $x64 = (Get-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* |
        Where-Object {$_.DisplayName -like "CCleaner*" -and ($_.DisplayVersion -eq "5.33.6162" -or $_.DisplayVersion -eq "1.07.3191")}).InstallLocation

        # Run the silent uninstaller only when an affected install was found
        if ($x64) { & "$x64\uninst.exe" /S }
        }
    catch {}

    # Separate try block so the 32-bit key is still checked if the first lookup fails
    try
        {
        $x86 = (Get-ItemProperty -Path HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* |
        Where-Object {$_.DisplayName -like "CCleaner*" -and ($_.DisplayVersion -eq "5.33.6162" -or $_.DisplayVersion -eq "1.07.3191")}).InstallLocation

        if ($x86) { & "$x86\uninst.exe" /S }
        }
    catch {}
    }

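Using WMI, the script below looks for the infected versions. It also writes a log of infected and not infected machines and deletes the software from the infected machines. Note that Win32_Product only lists software installed through Windows Installer (MSI), so an install made any other way will not be found by this query.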

$cpu = Get-Content c:\list\of\computers.txt

foreach($sys in $cpu)
    {
    # Win32_Product exposes Name and Version (it has no DisplayName / DisplayVersion properties)
    $app = Get-WmiObject -Class Win32_Product -ComputerName $sys |
        Where-Object {$_.Name -like "CCleaner*" -and ($_.Version -eq "5.33.6162" -or $_.Version -eq "1.07.3191")}

    if ($null -eq $app)
        {
        # Also reached when the WMI query fails, so an unreachable machine is logged here too
        $sys | Out-File c:\CCleaner_Not_Infected.txt -Append
        }
    else
        {
        $sys | Out-File c:\CCleaner_Infected.txt -Append
        $app.Uninstall()
        }
    }