
CCleaner infected with malware

MilkBeard

Member
Jun 20, 2013
9,220
2
0
Phew. Apparently, looking at the update history, I updated on August 6th, before the infection was being distributed, and then again afterward (after I came back from vacation) to 5.34. I somehow dodged a bullet there.

EDIT: Also, 64bit user, so also another good sign.
 

blu

Wants the largest console games publisher to avoid Nintendo's platforms.
May 4, 2007
13,688
251
1,260
No more straightforward way to install a trojan than with a malware remover.
 
Jan 4, 2010
4,212
0
0
To everyone saying "this is why you don't turn on automatic updates": This is dangerous advice. 99/100 times an update will be helpful (just speaking in terms of security). This sort of thing should never happen because it strongly indicates that Avast's servers were compromised, which should NEVER EVER happen, especially not to a company developing security software.
 

dh4niel

Member
Mar 1, 2014
3,565
1
0
God damn. This is one of the only apps I have that I use on a regular basis so I update regularly too.

I am already dead.
 

TheUsual

Member
Dec 10, 2009
2,462
186
810
Looks like I was infected, but reading the thread, I have the 64bit version of the software. So I should be fine? Anyways, updated to the newest version and the old program quarantined.
 

M3d10n

Member
Aug 28, 2006
11,468
1
0
I stopped trusting those kinds of programs years ago. Registry cleaning hasn't been necessary on Windows since 8, I think, and it can be actually harmful if the program mistakenly deletes a registry key it shouldn't have (what is even the methodology they use to determine which keys are leftovers and which ones aren't, BTW?).

Anything CCleaner does you can do yourself using tools like Autoruns.exe, msconfig and even the task manager itself (on Windows 10, not the useless Windows 7 one).

When any program pops up the UAC prompt and you click "yes", you are giving it carte blanche to do whatever it wants on your PC. I basically stopped using these so-called "free" closed source tools years ago because they often devolve into malware/nagware/adware delivery machines.
 

throwawayname

Member
Jun 3, 2009
4,489
0
0
Read the blog post to look for artifacts of the malware interacting on your system. Aside from that, I'm not sure yet. This seems to still be breaking. Some antivirus software may already be updated to scan for anything it leaves on your system, or shortly will be.
You probably wanna reinstall. It's the only real safe option.
Put an up-to-date antivirus on a flash drive through another PC. Boot the infected PC into safe mode with networking off. Run a scan from the flash drive. This usually catches most things. Worst case scenario you'll need to wipe.
I have a 64-bit system but I'm not 100% sure I had the 64-bit version installed; I uninstalled the program hastily without checking.
IIRC I got the installer from the Piriform site, which doesn't give you the option to choose which bit version you will download. Does it automatically choose the right version when you download the free version?
 

Ty4on

Member
Jun 22, 2011
11,588
0
520
Norway
I've never downloaded a virus scanner on Android. It's too hard to weed out the scam scanners, and Android has been relatively safe so far in terms of malware, as long as you don't go to weird sites (oddly enough, NeoGAF mobile is the scariest site I go to, with its weird redirecting ads that vibrate your phone, and whatnot).

Should I download a virus scanner, though? And if so, does anyone have a recommendation for a legitimate virus scanner?
No. Google is trying to stop people from downloading "virus scanners" for Android.

All apps in the play store have to be approved. For a malicious app to enter your phone either something wrong has to happen with the play store verification (in which case they will remove it once detected) or you've enabled the setting to allow installing apps from unknown sources. Just make sure that last one is turned off and keep your phone updated and you should be safe.
 

emag

Member
Apr 26, 2012
3,355
0
0
People still use CC Cleaner in the age of the SSD?
What does having an SSD have to do with CCleaner's functionality?

CCleaner is useless on modern computers anyway.
Registry cleaning is (and arguably has always been) useless and the storage recovery just empties temp/cache directories and the recycle bin, but CCleaner's uninstall list and startup manager are far better than the built-in Windows features.

For a malicious app to enter your phone either something wrong has to happen with the play store verification (in which case they will remove it once detected)
This happens routinely and often isn't caught for millions of downloads over several months. Google really needs to step up its game with the Play Store approval process. (But I wouldn't recommend running antivirus software on Android, either.)
 

compo

Banned
Jul 26, 2016
569
0
0
No. Google is trying to stop people from downloading "virus scanners" for Android.

All apps in the play store have to be approved. For a malicious app to enter your phone either something wrong has to happen with the play store verification (in which case they will remove it once detected) or you've enabled the setting to allow installing apps from unknown sources. Just make sure that last one is turned off and keep your phone updated and you should be safe.
Alright, I'm just going to continue to not worry about viruses/malware on Android.
 

M3d10n

Member
Aug 28, 2006
11,468
1
0
Registry cleaning is (and arguably has always been) useless and the storage recovery just empties temp/cache directories and the recycle bin, but CCleaner's uninstall list and startup manager are far better than the built-in Windows features.
The CCleaner uninstall is "better" because it's brute-forcing its way into uninstalling programs that have badly coded uninstallers, by looking into places where an installed program would usually have left traces and working its way from there.

Anything it does you can do yourself using the SysInternals Autoruns.exe tool, which is distributed by Microsoft themselves these days. It gives you a complete look into everything that is installed and registered in your system: the various flavors of startup programs, drivers, services, codecs, explorer hooks and even rootkits. If you want to remove rogue software off a PC, Autoruns.exe and ProcExp.exe are all you need in 99.9% of cases.
 

Kayant

Member
Feb 25, 2014
6,015
0
0
Good thing I don't update it often. I used to use it as my quick clean-all solution. Well, really I shouldn't be too lazy anymore with that. I guess I'll just stick to WinDirStat for cleaning now.
People still use CC Cleaner in the age of the SSD?
???😂
 

Sulik2

Member
Apr 17, 2012
7,834
0
0
Quality product for years, bought out by a larger company, immediately starts having major issues it's never had in 15 years. The cycle of buyouts wrecking everything continues. This sounds like an inside job.
 

GreenMonkey

Member
Apr 26, 2011
867
0
0
Registry cleaning is (and arguably has always been) useless and the storage recovery just empties temp/cache directories and the recycle bin, but CCleaner's uninstall list and startup manager are far better than the built-in Windows features.
This

Wasn't needed in Win7 either.

It's like the black viper registry tweaks from the XP era. When tested they turned out to actually either do nothing or maybe slow the PC down.

Turns out Microsoft understands their registry and OS better than some internet dude. Imagine that.
 

M3d10n

Member
Aug 28, 2006
11,468
1
0
This happens routinely and often isn't caught for millions of downloads over several months. Google really needs to step up its game with the Play Store approval process. (But I wouldn't recommend running antivirus software on Android, either.)
What Google needs to do is step up Android's actual security model. For example, Android apps can literally download and execute unsigned executable code (actual ARM binaries and JAR files) from random internet locations with zero need for special permissions. That's how RetroArch downloaded and updated its cores on Android.

Google began banning apps from the store that do this (RetroArch included) because (of course) some app SDKs/middleware were compromised into downloading entire apps and even rooting utilities without the user's knowledge. But the fact that the very OS itself allows it to happen is alarming. They need to figure out a better way to keep Android's openness without such blatant security oversights.

Twice already I had to clean up my aunt's phone because it was popping up ads on top of the fucking UI and it turned out to be a random Antivirus/cleaner/optimizer application my uncle installed.
 

aravuus

Member
Aug 30, 2012
12,606
0
0
5.25 here, phew. I'll uninstall it anyway, though, I don't think I ever use it for anything else than emptying the trash.
 
Nov 16, 2011
2,757
0
0
According to Windows I installed 5.34 on 9/15/17

Honestly can't remember what version I had before that and can't think of a way to check either.

Malwarebytes says my system is clean.
 

Sarcasm

Member
Jul 15, 2010
14,217
0
0
From a reddit post. I had the 64 bit version installed.


Have I been infected?

By default (as always), and at the risk of sounding pessimistic: yes, but the malware doesn't seem to do anything bad (TALOS sinkholed the bad domain names and the malware should be neutralized as a consequence).
Long answer: you'll have to do some checks.

hashes

Check the hash of the files if you still have them. If you have 7zip installed, it can calculate a SHA256 from the context menu (right click) (thx u/kftX__).
Else, using PowerShell (thx u/ArchiMarK):
C:\> Get-Filehash "C:\Program Files\CCleaner\CCleaner.exe"

This calculates a (unique) signature from the file between quotes. Replace this path with any CCleaner binary you find on your system; also check the installer in your Downloads folder. If the command above returns one of the following strings, you're infected:
6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9
1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff
36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9

Registry

You might also check your registry for indicators of compromise (type regedit.exe in the start menu, and try to navigate to):

HKLM\SOFTWARE\Piriform\Agomo:TCID
HKLM\SOFTWARE\Piriform\Agomo:MUID
HKLM\SOFTWARE\Piriform\Agomo:NID

If you find one of them, you have been infected.

Networking traces

If you have the chance of having log traces on your firewall or router, check for the domains and IPs listed in this list.

Okay, I'm infected: so what's the big deal?

My understanding is that ATM the malware does nothing. It's just there, waiting for instructions that should never come (because TALOS sinkholed the bad domains). Possible solutions include:

Restore from backup if dated before August 15th
Wait for your antivirus to receive an update so that it can identify and deal with this threat
Nuking from orbit (reinstalling) also sounds like a sane solution.
Note that uninstalling CCleaner after you've been infected will not fix the issue. The malware was bundled in the installer, so when you ran the installation, it installed both the legit CCleaner + the malware.

Should I stop updating?

Haha, nope. Really, updating software is part of its life on your system and it (usually) solves more issues than it creates. Even if updating software on Windows is cumbersome and associated with downtime (Please don't turn off your machine...), don't lag behind: it's an accident waiting to happen.
Other resources

Original article (search on reddit.com for this link, see r/netsec as well)
Piriform statement -> Only CCleaner cloud v1.07.3191 and CCleaner v5.33.6162 32bit are affected
Virus Bulletin
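The hash and registry checks from the quoted post, scripted as one PowerShell triage pass. This is an added example, not code from the thread or from the reddit post it quotes; the SHA256 values and the HKLM\SOFTWARE\Piriform\Agomo value names are the ones listed above, while the CCleaner64.exe path, the ccsetup*.exe installer name pattern in Downloads, and the extra Wow6432Node registry view are assumptions added here.

```powershell
# Added example: automate the two indicator checks from the quoted post.
# Hashes and registry value names come from the post; the extra file paths,
# the installer name pattern and the Wow6432Node key are assumptions.

$knownBadHashes = @(
    '6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9',
    '1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff',
    '36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9'
)

# Candidate binaries: installed executables (CCleaner64.exe path is an assumption)
# plus any downloaded installer matching the ccsetup*.exe pattern (also an assumption).
$candidates = @(
    'C:\Program Files\CCleaner\CCleaner.exe',
    'C:\Program Files\CCleaner\CCleaner64.exe'
)
$candidates += Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter 'ccsetup*.exe' `
    -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName

$findings = @()

foreach ($path in ($candidates | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
    # Get-FileHash returns upper-case hex; normalise before comparing with the list.
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
    if ($knownBadHashes -contains $hash) {
        $findings += "MATCH: $path has known-bad SHA256 $hash"
    } else {
        Write-Host "OK: $path ($hash)"
    }
}

# Registry indicators: the value names the post lists under Piriform\Agomo.
# The Wow6432Node view is checked as well, in case the 32-bit build wrote there (assumption).
$agomoKeys = @(
    'HKLM:\SOFTWARE\Piriform\Agomo',
    'HKLM:\SOFTWARE\Wow6432Node\Piriform\Agomo'
)
foreach ($key in ($agomoKeys | Where-Object { Test-Path -LiteralPath $_ })) {
    foreach ($name in 'TCID', 'MUID', 'NID') {
        $item = Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $findings += "MATCH: registry value $key\$name is present"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No indicators found. Absence of indicators does not prove the host is clean.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it from an elevated PowerShell prompt, since reading HKLM and Program Files can be restricted. As the quoted post notes, uninstalling CCleaner after the fact does not remove what the installer dropped, and a missing Piriform key after an uninstall is not evidence either way; a hash match on the installer left in Downloads is the more durable indicator of the two.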
 

KonradLaw

Member
Aug 2, 2015
4,972
641
495

We heard you don't like malware, so we put malware into your anti-malware software, so you can get malware while trying to remove malware.
 

throwawayname

Member
Jun 3, 2009
4,489
0
0
"Registry

You might also check your registry for indicators of compromise (type regedit.exe in the start menu, and try to navigate to):

HKLM\SOFTWARE\Piriform\Agomo:TCID
HKLM\SOFTWARE\Piriform\Agomo:MUID
HKLM\SOFTWARE\Piriform\Agomo:NID"

Do these go away when you uninstall CCleaner before checking? I don't even have a \Piriform path in the registry anymore.
 

QuantumZebra

Member
Dec 5, 2013
8,343
0
0
Atlanta, GA
I never trusted CCleaner. I go w/ nothing but Malwarebytes and Windows Defender. Been issue free for ... years... decades really.

*Caveat: I do run Avast For Business (it's free, believe it or not) at home and at work now - you just sign up using a business name and you have free top-tier antivirus, and it has a built-in VPN that costs $5 / month. VERY good.
 

Noctilum

Member
Aug 11, 2016
149
0
0
I stopped using it over a year ago because every time I tried to download the update my gateway AV would stop the download saying it detected malware in the file. I figured the company sold out.
 

Red Liquorice

Member
Jun 4, 2011
12,690
0
0
This is why I don't have automatic updates on programs. Tell me there's a new version, fine - but I'll decide if I want it or not.
 

GodofWine

Member
May 8, 2008
7,383
2
0
At this point I'm almost assuming the entire world's information is now hacked.

Which in a way makes me feel safe from a numbers perspective lol.

Luckily I don't use CCleaner though.
 
Mar 17, 2014
10,388
0
0
fuck, when I was booting up CCleaner I found this thread on GAF lol

I installed it on the 21st of August; I will have to delete it from my other laptop as well
 
Jun 6, 2004
14,917
0
1,590
I have win10 64bit and missed the infected version (yay for not updating for months). Does the site automatically give you the installer based on your OS? I don't ever remember selecting a 32/64 bit version when I download it.
 

blly155

Member
Aug 3, 2014
10,080
1,713
580
I have no idea what version I have but it's getting uninstalled real fast as soon as I get back to my PC. Have been meaning to do it for a while now anyway.
 

zeelman

Member
Dec 7, 2008
1,690
8
755
Quality product for years, bought out by a larger company, immediately starts having major issues its never had in 15 years. The cycle of buyouts wrecking everything continues. This sounds like an inside job.
Buy out the competition, sabotage their software to slowly kill them.