• Remember the infected version of CCleaner? 2.27 million downloads, but only 40 got the royal treatment

    #186380

    If you remember the widely-publicized CCleaner attack, you may be surprised to discover that of the 2.27 million infected downloads, the attackers onl
    [See the full post at: Remember the infected version of CCleaner? 2.27 million downloads, but only 40 got the royal treatment]

    6 users thanked author for this post.
    • #186383

      I use Malwarebytes ADW Cleaner, a free download.

    • #186396

      Malwarebytes claimed that the two subsequent Ccleaner releases would fully remove the malware. They did not on any of my Win7 machines. Nor did System Restore fully remove the malware either. GMER kept periodically showing one or two unnamed threads which were running. I can’t remember if it was one or two unnamed threads. I had to restore all of my Win7 computers from backups in order to resolve the issue.

      1 user thanked author for this post.
      • #186444

        “Malwarebytes claimed that the two subsequent Ccleaner releases would fully remove the malware.”

        You mean Avast.

        Anyway, Malwarebytes Antimalware didn’t do anything against floxif for me, as I painfully realized. Only Antirootkit would react to it, but it didn’t fix it from starting after reboot. And this happened towards the end of last year.

        That reminded me of virut, lots of corrupted files. Very aggressive and viral stuff.

        2 users thanked author for this post.
        • #186703

          Aw c***. I meant to say that Piriform claimed that those two subsequent updates would remove the malware.

          Edit for content.

          • #186986

            None of the updates remove the malware. The updated version of ccleaner (of course) replaces the old tampered version of ccleaner, but not the malware it may have downloaded (the malware only decided to attack <100 computers though…)

    • #186403

      Bleachbit is a great alternative according to a famous person who never got the royal treatment..

      If debian is good enough for NASA...
      3 users thanked author for this post.
      • #186406

        Thanks a million for that info about Bleachbit. I downloaded it, but haven’t installed it yet. I will install it and run it through its paces on my Win7 test computer, yet only after I have performed another differential backup of the OS partition.

        • #186422

          Whilst online you may wish to OPEN up even more settings in bleachbit.

          In the preferences section there is a tick option to ‘check periodically for updates’; tick this and also tick the ‘download and update..winapp2’.

          Close and restart the program and a new winapp2.ini should be downloaded (kb’s) that opens up further settings.

          Warning: Be careful and preview before deleting by right clicking each item in the left hand pane.

          Oh and watch you don’t delete any emails lol

          If debian is good enough for NASA...
          3 users thanked author for this post.
      • #186552

        Bleachbit. Nice. Light. Easy.

        On permanent hiatus {with backup and coffee}
        offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
        offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
        online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
    • #186441

      I believe registry cleaners, as a group, are mostly dangerous and best avoided at all times. Even if they have no malware in them, they are infamous for their tendency to brick PCs.

      In general, much software available online that is claimed to fix, clean or otherwise “improve” the functioning of one’s computer is, oft times, bad news. Whatever one would like to install to scratch a particular technological itch, it pays to investigate beforehand which applications meant for that purpose at least have good reviews in the (somewhat) reputable Tech online sites.

      Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

      4 users thanked author for this post.
      • #186476

        CCleaner is not exactly a registry cleaner. The registry cleaner functionality in there is pretty marginal. Plus, it suggests to make a backup before cleaning anything for a reason.

        • #186498

          Actually Ccleaner’s registry cleaning is pretty good — if you know how to use it. It starts by pruning the extremely deepest nodes, like pruning dead leaves on a tree. Then you run it again, and it prunes the dead smaller branches. Run it again and it then prunes the dead larger branches. On a computer in which many programs have been installed and uninstalled, the pruning may have to be rerun four or five times until nothing further is found. Yet on such a computer, I always make a full backup of the OS partition before using Ccleaner to clean a registry which has tons of no longer relevant entries.

          Cleaning the registry should not be done by those who are not familiar with the registry.

          • #186639

            And yes, I agree it does a better job than most wrt the registry cleaning. (At least, it does not make blatantly insane cleanup suggestions — which is otherwise often the norm with competing products…)

    • #186442

      I used CCleaner once – long before the malware episode – and it totally wrecked my PC. I would never recommend it, or any other program like it.

      • #186445

        That’s a very exhaustive, documented and statistically relevant tested process.

        BTW, CCleaner -as do most of the registry cleaning tools- offers a backup of the affected registry keys before deleting anything.

    • #186461

      My PC was infected by CCleaner. As is my habit, I ran the update installer through VirusTotal before installing. Nothing alarming was reported.

      By coincidence, I ran a Malwarebytes scan early on the day the infection started to be detected. Due to Malwarebytes’ report, I again referred the file to VirusTotal. VirusTotal reported three AV companies detected a problem (obviously, one of those was Malwarebytes). One of the detecting AV companies was NOT my regular AV so I kept checking the VirusTotal link and saw the numbers grow. My AV eventually appeared. I kept checking, ostensibly to check how long it took Microsoft to report the problem. The detecting AV companies grew in number. Eventually, “I have better things to do” came to mind. All the popular (in my experience) AV companies EXCEPT Microsoft were listed as detecting the CCleaner infection by the time I gave up. I don’t recall specifically but believe this was days rather than hours.

      My regret is not keeping screen shots of VirusTotal results.

      • #186499

        I downloaded and tried to install the infected version the day that it was released. Initially Panda flagged it as containing malware. I figured that it was a false positive, yet I cancelled the installation and waited until the following day, and Panda gave it the “all clear” since Panda and other AV companies have a habit of immediately white listing known and supposedly trusted utilities such as Ccleaner. It took a while for the AV companies to blacklist this version of Ccleaner, once they realized that it really was infected.

    • #186477

      I was lucky. I tend to download ccleaner updates after they nag me a bit, then set a restore point and install – after I check online for bugs. I am more careful after that mess.

      • #186500

        Me too. Now I wait a few weeks before I install a newer version of CCleaner.

    • #186520

      My version of CCleaner updated itself automatically to v5.41.6446.  It’s never done that before because it was always set to manually check for updates. Is this version ok?

      • #186538

        it’s ok since there is no report of it being not-ok
        you may want to check the update settings
        they have an “emergency” update function now and can force your system to allow whatever they deem ‘important’ to push through since the last horror show

        the latest version just out Monday, April 23, 2018 CCleaner v5.42
        CCleaner 5.42.6495
        since released on Tuesday, March 13, 2018 CCleaner v5.41
        it seems it’s trying hard to push product started with the ugly UI + the forced problem mentioned above
        and now 5.42 they’re giving their friendly help – “Where appropriate, CCleaner Free may recommend improvements to your system’s antivirus protection” AKA AVAST 🙁
        this is what happens when a good product gets bought out by another not-good company
        maybe it’s switching to ‘cloth’ time???
        but the “cloth” scares me somewhat – I often ‘accidentally’ delete the whole system and it’s gone forever… really gone forever
        any other good comparable product out there??? anyone?

        back to fishing for better dreams

        • #186609

          I recall that the latest versions of CCleaner offer Avast, which you have to uncheck in the installer. I do know that even without installing Avast, the latest versions of CCleaner do set a browser cookie for Avast which you must remove from the cookies to keep.

          1 user thanked author for this post.
        • #186692

          any other good comparable product out there???

          I know that MajorGeeks has recommended Wise Disk Cleaner in the past: http://www.wisecleaner.com/wise-disk-cleaner.html.  You might also want to check this: https://www.techradar.com/news/the-best-free-alternatives-to-ccleaner.

          Win 7 SP1 Home Premium 64-bit; Office 2010; Group B (SaS); Former 'Tech Weenie'
          3 users thanked author for this post.
          • #202032

            I installed Wise Disk Cleaner three days ago, and it appears to be working well.

            1 user thanked author for this post.
        • #186868

          Anon #186538 said:
          now 5.42 they’re giving their friendly help – “Where appropriate, CCleaner Free may recommend improvements to your system’s antivirus protection” AKA AVAST

          Anon #186609 said:
          I do know that even without installing Avast, the latest versions of CCleaner do set a browser cookie for Avast which you must remove from the cookies to keep.

          The Avast Free Antivirus (opt-out) offer that appears during CCleaner installation is not tied to CCleaner setting itself to keep the Avast browser cookie.

          You would see the Avast Antivirus offer, if the below registry value does not exist:
          HKCU\Software\AvastAdSDK\LastOffer

          It is possible to avoid the Avast offer (as well as the hassle of having to install CCleaner during every version upgrade) by using the self-contained portable build. Simply extract the downloaded ZIP file, scan it for possible malware, & run either the 32-bit or 64-bit executable inside the folder when you feel ready to do so. (Win x64 users can delete the 32-bit CCleaner executable supplied inside the folder.)

          No multi-page installation required, no third-party offers, no hidden tasks quietly added to Windows Task Scheduler, & no automatic forced version updates.

          1 user thanked author for this post.
    • #186523

      What is ironic for me is that Avast discovered the problem after they had acquired Piriform. I was a long time user of Avast as it was one of the few reliable free antivirus programs. I registered and joined the forums to get some advice, just before the Avast breach occurred. I remember changing passwords and doing security checks after that episode.

      I still use CCleaner but use a different AV supplied by my ISP. For a security company Avast seems to get caught with their pants down too often. We expect more from companies we rely on and if c**p happens it is hard for them to regain our trust.
      -firemind

    • #186571

      “… Of those, about 1.65 million copies of the CCleaner malware phoned home to the attackers, and they only targeted 40 with a second stage of the attack: installing ShadowPad. All of these were technology and IT enterprise targets”.

      That indicates it was an attack sponsored by a state actor. Research and Development secrets and intellectual property were probably the prize they were after. Espionage also likely. Several countries have armies of hackers on full time employment for this very purpose. Using Ccleaner was brilliant and the fact that the second stage was so targeted is a clear indication that it was black ops. When companies serve up these secrets on a silver platter it is hard to empathize with them. Unfortunately, it is the consumer who eventually fits the bill for it.

      1 user thanked author for this post.
    • #186600

      Hi Guys ‘n’ Gals,

      I am not a computer expert, so am not sure if it’s best to register or just post as
      “anonymous.”
      Anyway, I usually check here every day for the latest “stuff-ups” by MS & others.
      After reading this thread, I decided to let you all know about how & why CCleaner, free
      automatically updated itself….in case you didn’t already know.
      AVAST, “In their wisdom” (well, not really, but “they decided it was best”)
      installed > CCleaner.updater.exe in one of their latest updates.
      For more, please check out my thread on the AVAST fora.
      > https://forum.avast.com/index.php?topic=217752.0
      I hope this is O.K.

      Thanks.

      2 users thanked author for this post.
      • #186701

        It would be nice to have you here as a member of the AskWoody forum. I would venture to say that the majority of the forum’s members are far from experts with regards to computers, or with regards to the plethora of Windows Update issues which Microsoft now confronts us with nearly every single month. They, just like you, are here because they are either looking for guidance and assistance, or are willing to take their time to offer guidance and assistance.

        Personally, I enjoy trying to help others here, even though I usually have no idea who they are and even though I know that I most likely will never meet them in person. For me, it is all about trying to do even the smallest thing to make this world a slightly better place for another person. I think that what Woody has created, via this forum, is a remarkable community of people who come from all walks of life and who are here for the same underlying reason — to ask for help and to help one another.

        1 user thanked author for this post.
    • #186615

      To the best of my knowledge, I don’t have any Avast on my PC apart from C.Cleaner so I don’t understand how an Avast anti virus update could affect my version of C.Cleaner. Perhaps they just took it upon themselves to update C.Cleaner on people’s PCs.

      1 user thanked author for this post.
    • #186697

      Bleachbit. Nice. Light. Easy.

      So if you use the Bleachbit solution are you in “Group C?” 😉

      • #186737

        Is that your spouse?

        If debian is good enough for NASA...
    • #186709

      To the best of my knowledge, I don’t have any Avast on my PC apart from C.Cleaner so I don’t understand how an Avast anti virus update could affect my version of C.Cleaner. Perhaps they just took it upon themselves to update C.Cleaner on people’s PCs.

      I have been thinking about your post all morning long since it has been really bugging me. I too do not use Avast. The one thing which I did after installing CCleaner version 5.41 was to delete the Avast cookie which showed up under the cookies to keep. When I installed this version, I do not recall any setting for automatically updating CCleaner, just the setting to check for updates.

      I use the free version of CCleaner. I just ran the installer again, and I don’t see any setting in the installer for automatically downloading updates. This makes me wonder if deleting the Avast.com cookie which magically showed up under the cookies in CCleaner which are not to be deleted, could somehow be involved in making CCleaner automatically update itself.

      The following may be key:

      I should note that I always manually run CCleaner since I killed its ability to actively monitor anything. The settings which I killed are called “Enable System Monitoring” and “Enable Active Monitoring”. I killed these settings as soon as they were introduced by Piriform. Given that I have had these two settings disabled ever since they were introduced by Piriform, perhaps these settings (if enabled) are what allow CCleaner to automatically update itself? This seems like a good question to ask, since the Avast cookie might not be involved at all.

      1 user thanked author for this post.
      • #186861

        GoneToPlaid said:
        I use the free version of CCleaner. I just ran the installer again, and I don’t see any setting in the installer for automatically downloading updates.

        Nope, there is no GUI option offered during the installation process (or afterwards) for the user to disable automatic version upgrade.

        The installer builds of CCleaner since v5.36.6278 (24 Oct 2017) come with their own updater. From the v5.36.6278 changelog:

        – Added new executable: “CCUpdate.exe”
        – Added new Windows Scheduled Task: “CCleaner Update”

        The above is supposed to be an “Emergency Updater” to deal with critical security vulnerabilities, but I suppose CCleaner’s Dev team &/or its parent (Avast) can always trigger it even during non-emergency situations — whether by accident or by intent.

        Note that you need to run Windows Task Scheduler with admin rights (or use SysInternals Autoruns) to see & disable the aforementioned ‘CCleaner Update’ task. Otherwise, the task auto-starts with Windows & proceeds to contact Avast/Piriform around 8 minutes after the OS starts.

        The reason why it’s better to disable rather than delete the ‘CCleaner Update’ task is because CCleaner simply recreates the task again the next time you run the installer (eg. when upgrading to a new version).

        Anon #186615 said:
        I don’t have any Avast on my PC apart from C.Cleaner so I don’t understand how an Avast anti virus update could affect my version of C.Cleaner. Perhaps they just took it upon themselves to update C.Cleaner on people’s PCs.

        Besides the presence of the CCUpdate.exe & associated task in the installer build of CCleaner, there are also user reports that the installer build of CCleaner is able to auto-update itself, if the user is also using either Avast or AVG Antivirus. (AVG was acquired by Avast in Jul 2016.)

        In addition, there is also (unconfirmed) user speculation that Avast/AVG Antivirus users running the portable build of CCleaner may possibly also have their CCleaner automatically updated without any user consent.

        I use CCleaner Free portable, but not Avast or AVG Antivirus. And so far, my CCleaner portable has never auto-updated itself.

        1 user thanked author for this post.
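
The check described in the post above (find the "CCleaner Update" task or anything launching CCUpdate.exe, then disable it rather than delete it), as an added example that is not part of the thread and not Piriform's or Avast's code. It assumes Windows 8 / Server 2012 or later, where the ScheduledTasks cmdlets exist; the function names are hypothetical.

```powershell
#Requires -Version 3.0
# Added example (not from the thread): report, and optionally disable, the
# updater task named in the v5.36.6278 changelog quoted in the post.
param(
    [switch]$Disable    # report only unless this switch is given
)

# Identifiers taken from the post; everything else here is illustrative.
$TaskName   = 'CCleaner Update'
$UpdaterExe = 'CCUpdate.exe'

function Test-Elevated {
    # The post notes the task is only visible with admin rights.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Find-UpdaterTask {
    param([string]$Name, [string]$Executable)
    # Match on the task name OR on any action that launches the updater
    # binary, so a differently named task running the same file is reported.
    Get-ScheduledTask | Where-Object {
        $task = $_
        $launchesUpdater = @($task.Actions | Where-Object {
            $_.Execute -and ($_.Execute -like "*$Executable*")
        }).Count -gt 0
        ($task.TaskName -eq $Name) -or $launchesUpdater
    }
}

if (-not (Test-Elevated)) {
    Write-Warning 'Not elevated: the task may not be listed. Re-run from an admin PowerShell.'
}

$found = @(Find-UpdaterTask -Name $TaskName -Executable $UpdaterExe)
if ($found.Count -eq 0) {
    Write-Host "No task named '$TaskName' or launching $UpdaterExe was found."
    return
}

foreach ($task in $found) {
    $info = $task | Get-ScheduledTaskInfo

    # One record per task: where it lives, what it runs, and when it fires.
    [pscustomobject]@{
        Task     = $task.TaskPath + $task.TaskName
        State    = "$($task.State)"
        Runs     = ($task.Actions  | ForEach-Object { $_.Execute }) -join '; '
        Triggers = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ', '
        LastRun  = $info.LastRunTime
        NextRun  = $info.NextRunTime
    }

    # Disable rather than delete: per the post, a deleted task is recreated
    # the next time the installer runs.
    if ($Disable -and "$($task.State)" -ne 'Disabled') {
        $task | Disable-ScheduledTask | Out-Null
        Write-Host "Disabled: $($task.TaskPath)$($task.TaskName)"
    }
}
```

Run it without arguments to get the report only; add `-Disable` from an elevated prompt to switch the task off.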
        • #186993

          Update to my previous comment #186861:

          A member of the Avast team has admitted that users with old versions of CCleaner (installer build) are forcibly updated to the latest version without user notification or consent.

          Meanwhile, portable builds of CCleaner are not affected by the forced version update.

          1 user thanked author for this post.
    • #186719

      Have you checked the network traffic if using CCleaner whilst online?

      You’ll be surprised what goes on behind the scenes via their IPv4 remote address. A simple firewall rule kills this.

      If debian is good enough for NASA...
      • #187005

        Microfix said:
        Have you checked the network traffic if using CCleaner whilst online? You’ll be surprised what goes on behind the scenes via their IPv4 remote address. A simple firewall rule kills this.

        So far, my portable CCleaner has always remained totally quiet, even when the PC is online. I don’t have any firewall rules pertaining to CCleaner, but as a matter of precaution, I do have the following entries in my HOSTS file:

        • 0.0.0.0 ipm-provider.ff.avast.com  # reference
        • 0.0.0.0 google-analytics.com  # reference

        Does your CCleaner (is it the installer or portable build ?) try to connect to anywhere else ?

        Of course, if one has a trojan-injected version of CCleaner (eg. v5.33.6162), it tries to connect to various IP addresses owned by the threat actors.

    • #186746

      @Woody:   I think I got hit by “something” today, and I’ve never used any CC Cleaner, or Disk Cleanup!  I booted up, looked okay, except then a black screen appears and stated that one of my drives was not functioning, and once it started its scanning it just kept on, and you COULD NOT cancel it.

      I was suspicious, so I did a hard shutdown, not having a clue as to what the problem was.   I waited a while and did another “test” with the same results (doing a hard shutdown between the start ups)..  Waited a short time and tried it again, the verbiage was a little different, but same “fast” scanning the C Drive.

      I was away all day long, and when I returned – – – there it was again.    One IT person said to let it run, that perhaps one of my “drives” was going out, so I did.    It went very FAST.

      Now after reading about what’s occurring, I don’t know what to think.   How can I stop this program from ever running again?   I have never used either of these “cleanups” all of the years I’ve had computers.    ANY  HELP WOULD BE VERY MUCH APPRECIATED.   Can’t take much more – – – – trying to “survive” the UPDATE MESS, and now this.     🙁   🙁

      • #186858

        From your limited description, I think you have either malware or failing hard drive. If it were my computer, I would take the computer for repair along with last valid backup to a local, small computer shop (not a big box store). The backup could be used to retrieve your files, if necessary.

        On permanent hiatus {with backup and coffee}
        offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
        offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
        online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
        1 user thanked author for this post.
        • #187245

          @geekdom:  Thank you for the information you provided.   I have ESET, so I doubt that the problem was malware, however I have an IT contact whom I had where I lived previously, and he too mentioned that it could possibly be a failing hard drive.   Since that incident, the computer has been running much better, so I’m hoping that “whatever it was” was “repairable”.  It did state that the hard drive was restored to its previous state.   Any changes I will post here if possible.  Thank you for your excellent advice, as always!    🙂

    • #186778

      I am using CCleaner version 5.40.6411 64 bit, look in the folder C:Program Files/CCleaner and delete the application CCleanerUpdater.exe, AND also go through all the Options, especially Settings = Uncheck “Inform me of Updates to CCleaner”. Turn off the monitoring and schedules, and do not use Avast Anti Virus. Review all settings, options, preferences, etc, in all your computer software and applications. Learn to be safe.

      1 user thanked author for this post.
      • #186896

        Hi again,

        I’m not sure how CCleaner/AVAST would handle a simple delete of the CCleanerUpdater.exe.
        I can see where it may just re-D/L that “missing” file & you’re back to square one.
        I blocked it in my COMODO free firewall, as I mentioned in my AVAST forum “complaint.”.
        I also un-installed the “new” version, 5.x.x..xxx. or whatever & re-installed my old faithful,v2.34.xxx.
        I also checked the Task Scheduler & disabled or deleted any new items related to AVAST & CCleaner that I wasn’t sure about &/or pertained to updates.
        AVAST has/had no right to install an updater.exe file to auto update any old program on anyone’s M/C.

        I only run the 4 basic Shields…
        File/Behavior/Mail & Web.

        1 user thanked author for this post.
    • #186867

      Nothing I’ve read here about CCleaner is particularly reassuring. I will continue to avoid this software.

      On permanent hiatus {with backup and coffee}
      offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
      offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
      online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
    • #186958

      Thanks for the tips. I’ve deleted the update exe from the Program files and also the other “goodies” that I found under “settings” Perhaps the fact that I use AVG Free allowed Avast to update CCleaner?  I think I may also have been conned into installing a trial version of AVG security suite.  Normally, if AVG says in red that it needs updating, I just hit the ok button and have had no problem before. About a month or so ago the same sign appeared, I thought no more about it, hit ok, and everything seemed fine. The other day, however, when I tried to run AVG anti virus, the message said “your free trial of AVG security suite has expired: press ok to update to the paid version.”  I was given no option of just ignoring this message, it wouldn’t go away and I couldn’t run AVG.  On checking on the internet I found this wasn’t an uncommon occurrence and I had to uninstall AVG at least twice and reinstall the free anti virus which is all I want.

      • #186998

        Anon #186958 said:
        I’ve deleted the update exe from the Program files and also the other “goodies” that I found under “settings” Perhaps the fact that I use AVG Free allowed Avast to update CCleaner?

        Besides Avast Antivirus users, there are also AVG Antivirus users who reported that their CCleaner got automatically updated.

        Based on the available info, it appears that Avast can & does enforce automatic updates for whichever (installed) software that falls under its umbrella (eg. AVG, CCleaner).

        From Avast team member (13 Apr 2018):

        We have decided to upgrade all outdated CCleaner versions (v1.xx – v5.20) to the latest version. Portable versions were excluded.

        The reason is that old CCleaner version may not work as expected for the latest software (your CCleaner is old, but users expect it will work perfectly also for e.g. latest Chrome which is updated every 6 weeks), maintenance of the latest version is much more easier for both developers and support and also from possible security issues.

        As such, if you wish to retain some user control over the timing of version updates, consider using the portable build of CCleaner AND put its folder outside of the system drive (eg. at D: or E:). The portable build keeps the user settings as an INI file (ccleaner.ini) inside its working folder.

    • #187240

      After installing/updating CCleaner to v5.42 (which I previously had v5.40), I make sure I remove the “CCleaner Update” task from the Task Scheduler Library folder so that CCleaner does not automatically update to a newer version on its own without my approval. I also perform a custom install of CCleaner so that it won’t auto update.

      I usually skip certain versions of CCleaner so I don’t update to every new version that comes out.

      1 user thanked author for this post.