[solved]BleachBit RANSOMWARE Windows 10


Hello,

I have an issue with a potential virus installed in BleachBit.

First, you have to know I'm working on Windows 10 64 bits (installed today on a new SSD).

So, I wanted to test BleachBit on my new system. I downloaded the software here (on this site).
I installed it without any problem. Then my antivirus detected one file (uninstall.exe) with a virus attached.
Here is the image: https://framapic.org/TNKK1MrHAahU/eeyD9CFqh4pF.png

The infection is "Trojan-Ransom.NSIS.Onion.zti".

My antivirus deleted it immediately, but now I can't uninstall BleachBit. Indeed, the file "uninstall.exe" has been deleted.

So how can I remove BleachBit (temporarily ^^)?

Thank you :)

ROCKNROLLKID:

This is a false positive from ZoneAlarm. I recommend you report this to the company so they can apply a fix. For now, you can make an exclusion for this so it doesn't happen again in the future.

If you download another copy of BleachBit, the installer has a built-in uninstaller for any previously installed BleachBit. Alternatively, you can just go to the directory it was installed in and delete it manually, too.

____________________
Also known as Alex.

Moderator for BleachBit and a maintainer for Winapp2.

Check out my open-source group on Steam: http://steamcommunity.com/groups/opencommunity

Windows 10 x64 (switching to ReactOS in the future).
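The two removal routes in the reply above (re-run the installer so its built-in uninstaller removes the old copy, or delete the directory by hand) can be scripted with a few guards. The following is an added example written for this page; it is not BleachBit project code. It assumes the install directory from the screenshot path in this thread, C:\Program Files (x86)\BleachBit; that the installer registered an Add/Remove Programs entry whose DisplayName starts with "BleachBit" (looked up by name rather than hard-coded, because the exact registry key name is an assumption); and that the directory contains bleachbit.exe (also an assumption, used only as a sanity check before deleting anything). It must be run from an elevated PowerShell; pass -WhatIf on the first run to see what it would touch.

```powershell
# Added example, not BleachBit project code. Removes a BleachBit install whose
# Uninstall.exe was quarantined by antivirus. Assumptions: install directory
# from this thread, an Uninstall registry entry with DisplayName "BleachBit*",
# and bleachbit.exe inside the install directory (used as a safety check).
# Run elevated. Supports -WhatIf / -Confirm via ShouldProcess.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$InstallDir = "C:\Program Files (x86)\BleachBit"
)

# 32-bit apps on 64-bit Windows register under WOW6432Node; check both views.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Find the Add/Remove Programs entry by DisplayName instead of guessing the key name.
$entries = foreach ($root in $uninstallRoots) {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
        Where-Object { (Get-ItemProperty -Path $_.PSPath).DisplayName -like 'BleachBit*' }
}

foreach ($entry in $entries) {
    $props = Get-ItemProperty -Path $entry.PSPath
    # UninstallString is usually a quoted path to uninstall.exe, sometimes with
    # arguments appended; take just the executable so the existence test means something.
    $exe = $null
    if ($props.UninstallString -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    elseif ($props.UninstallString) { $exe = ($props.UninstallString -split '\s+')[0] }

    if ($exe -and (Test-Path -LiteralPath $exe)) {
        # Uninstaller still exists: use it rather than deleting by hand.
        if ($PSCmdlet.ShouldProcess($exe, 'Run uninstaller')) {
            Start-Process -FilePath $exe -Wait
        }
    } elseif ($PSCmdlet.ShouldProcess($entry.PSPath, 'Remove orphaned uninstall entry')) {
        # Uninstaller is gone (quarantined): drop the stale Add/Remove Programs entry.
        Remove-Item -Path $entry.PSPath -Recurse
    }
}

# Delete the directory only if it really looks like a BleachBit install, so a
# mistyped -InstallDir cannot wipe something else.
$marker = Join-Path -Path $InstallDir -ChildPath 'bleachbit.exe'
if ((Test-Path -LiteralPath $InstallDir) -and (Test-Path -LiteralPath $marker)) {
    if ($PSCmdlet.ShouldProcess($InstallDir, 'Remove install directory')) {
        Remove-Item -LiteralPath $InstallDir -Recurse -Force
    }
} else {
    Write-Warning "$InstallDir does not contain bleachbit.exe; leaving it alone."
}
```

Removing the registry entry is what makes the stale item disappear from Apps & features; Start menu shortcuts the installer created are not handled here. Re-running the installer afterwards, as the reply suggests, gives a clean install with a fresh Uninstall.exe, and any antivirus exclusion is best scoped to that one file path rather than to the whole BleachBit directory.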

Thank you for your fast answer.

I reinstalled it like you said, I made an exclusion.
Now all seems to be OK; I'm relieved. :)

Thank you

In the screenshot I can see ZoneAlarm identifies c:\program files (x86)\BleachBit\Uninstall.exe as infected with Trojan-Ransom.NSIS.Onion.zti

Under the hood ZoneAlarm uses Kaspersky anti-virus

When I submit that file to virustotal.com the detection rate is 3/53, with false positives from Panda, Antiy-avl, and Tencent. However, Kaspersky shows the file is clean as of the 20160709 database update.

For good measure I submitted the false positive (uninstaller.exe) to Kaspersky at https://virusdesk.kaspersky.com/

If you continue to see false positives, let me know.

Also in the future make sure you download BleachBit only from this web site and that the Windows installer is digitally signed by Andrew Ziem, which indicates the installer was not tampered with.

---
Andrew, lead developer
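The advice in the post above (download only from this site and check that the Windows installer is digitally signed by Andrew Ziem) can be checked from PowerShell before the file is ever run. The following is an added example written for this page; it is not BleachBit project code. It assumes the installer was saved as .\BleachBit-setup.exe (a hypothetical file name) and that the expected signer name is "Andrew Ziem" as stated in the post. It also prints the file's SHA-256, which is what you would search for on virustotal.com to see the per-engine verdicts (the 3/53 ratio mentioned above) without uploading anything.

```powershell
# Added example, not BleachBit project code. Verifies a downloaded BleachBit
# Windows installer before running it: the Authenticode signature must be Valid
# and the signer must be the expected publisher; the SHA-256 is printed for a
# VirusTotal hash lookup. File name and signer name are assumptions (see text).
param(
    [string]$Path = ".\BleachBit-setup.exe",   # hypothetical file name
    [string]$ExpectedSigner = "Andrew Ziem"    # signer named in the thread
)

$file = Get-Item -LiteralPath $Path -ErrorAction Stop

# 1. Authenticode check. Status is 'Valid' only if the file's hash matches the
#    signed hash and the certificate chains to a trusted root. Anything else
#    ('NotSigned', 'HashMismatch', 'UnknownError', ...) means: do not run it.
$sig = Get-AuthenticodeSignature -FilePath $file.FullName
$signer = $null
if ($sig.SignerCertificate) {
    # SimpleName returns the certificate subject's CN, e.g. "Andrew Ziem"
    $simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $signer = $sig.SignerCertificate.GetNameInfo($simpleName, $false)
}
$signedOk = ($sig.Status -eq 'Valid') -and ($signer -eq $ExpectedSigner)

# 2. SHA-256 of the file, usable as a VirusTotal search term (no upload needed)
#    or for comparison with a hash published alongside the download.
$sha256 = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash

[pscustomobject]@{
    File      = $file.Name
    SigStatus = $sig.Status
    Signer    = $signer
    SignedOK  = $signedOk
    SHA256    = $sha256
}

if (-not $signedOk) {
    Write-Warning "Signature check failed (status: $($sig.Status); signer: '$signer'). Do not run this installer."
    exit 1
}
```

Run it as `.\Verify-Installer.ps1 -Path C:\Downloads\BleachBit-setup.exe` (script name and path are placeholders); Explorer's Properties > Digital Signatures tab shows the same signer. A Valid signature proves only that the bytes are exactly what the signer released, which is the tampering check the post asks for; it is not an antivirus verdict. The hash lookup gives you the detection ratio and the names of the engines that flag the file, which is how a false positive from a single engine stands out.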

Hi Andrew,

Please check this:

http://imgur.com/a/k2RcV

Regards

ROCKNROLLKID:

Maybe you want to explain a little about what you are trying to accomplish and what the error is?

Anyway, from what I can tell, it seems you are trying to load BleachBit via a TrueCrypt container (why exactly?). BleachBit is currently not capable of running on non-C: drives, so you got all those errors.

Also, TrueCrypt is a dead project. Maybe you want to try VeraCrypt instead. It is the successor to TrueCrypt.


That's good news :-)

Thank you for your work. I haven't had any false positives until now, so I think it's solved.

Don't worry, it's been many years now that I download all my programs from official websites to avoid these problems.

Hi Rock,

Thanks for the reply. The instance was running portable applications from an encrypted file; the installer used was BleachBit itself and not the portable version, which is possibly a cause for errors.

I wouldn't rule out errors due to the fact that it's a separate partition/drive, because I had errors in the past from my previous BleachBit usage.

I've formatted my drive and reinstalled an OS, so I can't provide feedback on what the error is.

The reason I'm running BleachBit from a TrueCrypt container isn't specified because, since full encryption can't be done with GPT (I haven't checked further on other methods or installers), I'm running BleachBit on a separate drive, because everything else is on that drive, including a potential second or third OS.

TrueCrypt being used is personal preference, because I'm more inclined to believe that VeraCrypt has some NSA backdoor, and TrueCrypt was tough to break (if it has been broken) and is still used.

The installer is from a valid source, unless you're implying there's also a backdoor on that one, which is plausible (what doesn't have a backdoor nowadays? Even OSes (SSD firmware?) and CPUs have backdoors with Intel ME on Skylake and later).

So it's possible that it's a false positive from a legitimate malware source that was flagged; in any case there's some correlation between a "false positive" and this scenario, where there's an effective CMD override. I'm not a technical expert, but this scenario can be recreated. It's also interesting to note that the "uninstaller.exe" was removed by the antivirus used, and I couldn't uninstall BleachBit unless I deleted the folder. I'm fairly convinced that BleachBit is probably too good of an app for both legitimate and illegitimate users, which enters the frame of security and anonymity, but it's fair. Keep up the good work. Regards

ROCKNROLLKID:

"Truecrypt being used is personal preference because I'm more inclined to believe that Veracrypt has some NSA backdoor and Truecrypt was tough to break (if it has been broken) and is still used."

VeraCrypt can't have a backdoor because it is open-source. You can view the source code yourself if you're paranoid about that. TrueCrypt actually has much weaker encryption than VeraCrypt, too.

"The installer is from a valid source unless you're implying there's also a backdoor on that one which is plausible (what doesn't have a backdoor nowadays, even OS'es (ssd firmware?) and CPUs have backdoors with Intel ME on skylake and further)"

I am not sure what you're trying to say here. I never implied that there was ever a backdoor. BleachBit is also open-source, so it can't have a backdoor; again, view the source code if you are paranoid.

Also, just so you know, using TrueCrypt/VeraCrypt doesn't shield your PC against NSA backdoors. They even state this on their projects. They are only meant for if your hard drive ever gets stolen or something. Actually, there isn't any way to shield your PC from NSA backdoors, unless you stick with open-source software.

As for anything having NSA backdoors, sure, it is possible, but they are much more effective in something that is required on a PC, like operating systems or graphics drivers. Anyway, it's been many years since the first NSA backdoor was discovered. I am sure they have found other ways to tap into systems without needing backdoors anymore, like stealth spyware that loads into your system every time you connect to the internet.
