In light of the recent discovery of malicious versions of CCleaner and the millions of users affected, it felt like a great time to write some PowerShell scripts that let you identify whether the malicious versions of CCleaner are on a system and, if so, provide a way to delete the software.
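The script below checks a local machine for the malicious versions of CCleaner.

```powershell
# -and and -or have equal precedence in PowerShell, so the two version tests
# are grouped in parentheses; otherwise any product at version 1.07.3191 matches.

# Native uninstall key
Get-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* |
    Where-Object { $_.DisplayName -like "CCleaner*" -and ($_.DisplayVersion -eq "5.33.6162" -or $_.DisplayVersion -eq "1.07.3191") }

# 32-bit uninstall key on 64-bit Windows
Get-ItemProperty -Path HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* |
    Where-Object { $_.DisplayName -like "CCleaner*" -and ($_.DisplayVersion -eq "5.33.6162" -or $_.DisplayVersion -eq "1.07.3191") }
```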
Using PS Remoting, the script below gets a list of systems with the infected versions.

```powershell
$cpu = Get-Content c:\list\of\computers.txt

Invoke-Command -ComputerName $cpu -ScriptBlock {
    # Native uninstall key
    Get-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* |
        Where-Object { $_.DisplayName -like "CCleaner*" -and ($_.DisplayVersion -eq "5.33.6162" -or $_.DisplayVersion -eq "1.07.3191") }

    # 32-bit uninstall key on 64-bit Windows
    Get-ItemProperty -Path HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* |
        Where-Object { $_.DisplayName -like "CCleaner*" -and ($_.DisplayVersion -eq "5.33.6162" -or $_.DisplayVersion -eq "1.07.3191") }
}
```
Using PS Remoting, the script below removes the infected versions of CCleaner.

```powershell
$cpu = Get-Content c:\list\of\computers.txt

Invoke-Command -ComputerName $cpu -ScriptBlock {
    # Turn non-terminating errors into exceptions so the try/catch sees them
    $ErrorActionPreference = 'Stop'
    try {
        # Native uninstall key
        $x64 = (Get-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* |
            Where-Object { $_.DisplayName -like "CCleaner*" -and ($_.DisplayVersion -eq "5.33.6162" -or $_.DisplayVersion -eq "1.07.3191") }).InstallLocation
        # Only run the silent uninstaller when an affected install was found
        if ($x64) { & "$x64\uninst.exe" /S }

        # 32-bit uninstall key on 64-bit Windows
        $x86 = (Get-ItemProperty -Path HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* |
            Where-Object { $_.DisplayName -like "CCleaner*" -and ($_.DisplayVersion -eq "5.33.6162" -or $_.DisplayVersion -eq "1.07.3191") }).InstallLocation
        if ($x86) { & "$x86\uninst.exe" /S }
    }
    catch {}   # errors are silently ignored
}
```
Using WMI, the script below looks for the infected versions. It also writes a log of infected and non-infected machines and deletes the software from the infected machines.

```powershell
$cpu = Get-Content c:\list\of\computers.txt

foreach ($sys in $cpu) {
    # Win32_Product exposes Name and Version (not DisplayName/DisplayVersion)
    # and only lists products installed through Windows Installer (MSI).
    $app = Get-WmiObject -Class Win32_Product -ComputerName $sys |
        Where-Object { $_.Name -like "CCleaner*" -and ($_.Version -eq "5.33.6162" -or $_.Version -eq "1.07.3191") }

    if ($null -eq $app) {
        $sys | Out-File c:\CCleaner_Not_Infected.txt -Append
    }
    else {
        $sys | Out-File c:\CCleaner_Infected.txt -Append
        $app.Uninstall()
    }
}
```
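The detection and logging steps above can be combined into one report that keeps hosts which never answered separate from hosts that answered clean. This is an added example, not one of the original scripts; it assumes PowerShell 3.0 or later with WinRM enabled on the targets, and the output path `C:\CCleaner_Triage.csv` is a hypothetical name.

```powershell
# Added example: triage report with Affected / Clean / Unreachable per host.
$affectedVersions = '5.33.6162', '1.07.3191'          # versions named in this post
$computers = Get-Content 'C:\list\of\computers.txt'

$check = {
    param($Versions)
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $found = @(Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'CCleaner*' -and $_.DisplayVersion -in $Versions })

    # Always return one record, so a clean host is distinguishable from a silent one
    [pscustomobject]@{
        Affected = $found.Count -gt 0
        Products = ($found | ForEach-Object { "$($_.DisplayName) $($_.DisplayVersion)" }) -join '; '
    }
}

# (,$affectedVersions) passes the version list as a single array argument
$results = Invoke-Command -ComputerName $computers -ScriptBlock $check `
    -ArgumentList (,$affectedVersions) -ErrorAction SilentlyContinue

$report = foreach ($name in $computers) {
    $r = $results | Where-Object { $_.PSComputerName -eq $name }
    [pscustomobject]@{
        Computer = $name
        Status   = if (-not $r) { 'Unreachable' } elseif ($r.Affected) { 'Affected' } else { 'Clean' }
        Products = $r.Products
    }
}

$report | Export-Csv -Path 'C:\CCleaner_Triage.csv' -NoTypeInformation   # hypothetical path
$report | Group-Object Status | Select-Object Name, Count
```

Hosts marked Unreachable need a second pass before they can be counted as not infected.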