Jacee

Piriform's CCleaner used to distribute malware


Link to vital information: http://www.bit-tech.net/news/tech/software/piriforms-ccleaner-used-to-distribute-malware/1/

 

'Our new parent company, the security company Avast, determined on the 12th of September that the 32-bit version of our CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 products, which may have been used by up to 3 percent of our users, had been compromised in a sophisticated manner,' the company admits in a statement published yesterday. 'Piriform CCleaner v5.33.6162 was released on the 15th of August, and a regularly scheduled update to CCleaner, without compromised code, was released on the 12th of September. CCleaner Cloud v1.07.3191 was released on the 24th of August, and updated with a version without compromised code on September 15.'


Not if you installed v5.33. It was Piriform's servers that were hacked and that malicious payload came from Piriform.


Craig Williams from Talos is stating that the CCleaner hack is much worse than they thought. It appears that there is another stage to this malware that was previously unknown.... Recommendation is a full format of your hard drive.

You can read the update from yesterday here

https://arstechnica.com/information-technology/2017/09/ccleaner-malware-outbreak-is-much-worse-than-it-first-appeared/

 

The story of CCleaner being hacked first broke on the 18th from a blog by Cisco Talos

http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html

 

Edited by Joe C

9 hours ago, geewhiz said:

 

What are you using in its place?

I run PCMatic to keep my rigs clean/tuned up and if I install a program then remove it, I use the old jv16 power tools v.1.3 to clean it out of the registry. For temp files and such I run TFC v3.1.9.0

 

 

 

 

:geezer:

17 hours ago, caintry_boy said:

I run PCMatic to keep my rigs clean/tuned up 

 

 

well... I don't use PCMatic. Perhaps I'll try Advanced SystemCare again. Used to run it until they got caught with helping themselves to Intellectual property back in 2009. I guess I should end my boycott and transfer it over to CCleaner (never thought I would be saying those words)


So first AVG updates its Privacy Policy to give them carte blanche rights to their users' information and the right to allow ads (that they choose) to be displayed on their users' machines:

https://np.reddit.com/r/privacy/comments/3l4apg/avg_anti_virus_just_updated_there_privacy_policy/

 

Then AVG is merged with Avast and the same policy is kept.

 

And now Avast acquires CCleaner and spyware is found in the program where it had always been clean previously..............

 

Gee Wally, think there may be a correlation? :shrug:  :laughing: 

 

I won't touch their products, personally. :nospys:

 

:) Y

23 hours ago, geewhiz said:

 

well... I don't use PCMatic. Perhaps I'll try Advanced SystemCare again. Used to run it until they got caught with helping themselves to Intellectual property back in 2009. I guess I should end my boycott and transfer it over to CCleaner (never thought I would be saying those words)

I wouldn't put ASC on a system of someone I was trying to punish. Back-in-the-day, I've spent way too many hours trying to rebuild registries that were scrambled, then there was the stolen intellectual property, then there was the revenue deal they made where they were selling access to systems to adware slime-balls. Granted I haven't known of any recent problems, but I'm not really the forgive and forget kind of guy.

 

I don't clean temp files on my systems. Just like I don't defragment. I run Microsoft security essentials and Malwarebytes. I run adblocker+. Then I just use my computer. I don't spend much time worrying about security on my system... and that probably stems from the fact that I don't get infected. I'm constantly cleaning systems of friends and family who seem to get hit by a variety of "drive by" infections... but it never happens to me. I honestly wonder how they pick things up sometimes, sometimes I know because some people cannot resist clicking on things they shouldn't... and truthfully, I'm one of those. I've been known to click on links purposefully to see what the payload might be. (I wouldn't recommend this). I don't allow things to get installed so I don't get infected. MSSE and/or Mbam will squawk and tell me what the payload is and I stop. (not a good idea). Someday I'll get burned and then I'll stop doing this. The bottom line is I just use my computer systems and don't spend much time worrying about them. Historically, I'll run a computer until it loses that "new electronics smell", maybe 8 to 10 years and then get another one.


It's extremely hard to know what's going on these days with "who bought who out" and "who added what adware/malware/tracking trojan program" to the product we used to TRUST!! What a sad situation we find ourselves in,  just to be comfortable with our own computers, in our own homes. "TRUST" is not ever the word to use with the Internet :nono:


I couldn't agree more with Tomk...there is no reason to use these dangerous programs. Piriform and Iobit websites are cesspools of useless and unnecessary programs. Most folks have 1 Tb hard drives and use less than 100 gb so why bother and take the risks. ASC is dangerous bloatware. I run WOT (Web of Trust) on every browser as well as Adblock Plus and that keeps out most of the junk. You can delete your temp files all you want, that does nothing to your drive and they only build back anyway and will self empty when built up enough.

The word "optimize" is a trap for foolish users....everything you need is within Windows these days and if your PC slows down, look to your surfing habits and you will break your addiction on the dangerous products.


Half a dozen years ago, I used to run a lot of IObit software on my systems (ASC, Smart Defrag, IObit Uninstaller). Then there was all that controversy... and I never did like the slightly sleazy way they used to install (without telling you, except deep in the EULA) random PUP/trialware programs, along with their specific program, unless you used the advanced install method, where you were given a choice to uncheck and thereby prevent, the additional programs from being installed by default. Then a few years ago, I decided to get rid of all their stuff (using their Uninstaller until I found another better Uninstaller... hmmm?)

 

I slept better, but never did find a better uninstaller, than the IObit Uninstaller for removing everything about a specific program. 

 

It looks like they must have had an 'exclude list' that prevented certain programs from being removed (even by their "Remove all Traces" option)

 

Then Out of the Blue, this week during my daily deep scan on all my systems... PCMatic starts removing over 100 viruses and PUPs from one of my systems and they are related to IObit??? (anyone know what's up, or the backstory?)

 

Example:     Security   High     C:\ Program Files\ IObit\ Advanced SystemCare 6\ Sua13_EmptyFolderScanner.exe              Found                      Remove
Edited by JohnDotCom
Clarity...


another example... 

Security                 High        C:\ Program Files\ IObit\ Advanced SystemCare 6\ christmas.exe                   Found                   Remove

 

Hmmm...

Edited by JohnDotCom
Add Example...


Everything was clean for a day or so after PCMatic removed the 100 plus programs listed as viruses and also PUPs (all from the IObit folder). Then today, it found 14 more including something called NewYear.exe!

Edited by JohnDotCom

On 2/11/2018 at 9:03 AM, JohnDotCom said:

Half a dozen years ago, I used to run a lot of IObit software on my systems (ASC, Smart Defrag, IObit Uninstaller). Then there was all that controversy... and I never did like the slightly sleazy way they used to install (without telling you, except deep in the EULA) random PUP/trialware programs, along with their specific program, unless you used the advanced install method, where you were given a choice to uncheck and thereby prevent, the additional programs from being installed by default. Then a few years ago, I decided to get rid of all their stuff (using their Uninstaller until I found another better Uninstaller... hmmm?)

 

I slept better, but never did find a better uninstaller, than the IObit Uninstaller for removing everything about a specific program. 

 

It looks like they must have had an 'exclude list' that prevented certain programs from being removed (even by their "Remove all Traces" option)

 

Then Out of the Blue, this week during my daily deep scan on all my systems... PCMatic starts removing over 100 viruses and PUPs from one of my systems and they are related to IObit??? (anyone know what's up, or the backstory?)

 

Example:     Security   High     C:\ Program Files\ IObit\ Advanced SystemCare 6\ Sua13_EmptyFolderScanner.exe              Found                      Remove

 

Hi John,

 

There was quite a bit of debate going on among the Super Shield team recently about software developers like iObit and Slimware and others how they are steadily moving themselves away from "less than respectable" with their installers and even their digital signatures.

 

The decision was made to add them to our black list and to start removing these adware generating applications. This is why those items that you had suspected had been removed previously were still lurking and then removed by these latest scans.

 

For those who wish to continue using these types of programs, they can be white listed locally through Super Shield and allowed to run, but we do not recommend this.

 

Glad that you got this stuff flushed out of there, John.

 

:) Y


Thanks... I really appreciate your informed and candid response...

 

 

After the second round of removals that occurred (on my system at 2 am Sunday Feb 11th) I looked at the IObit Folder and discovered all kinds of undeleted/unremoved stuff still there.   So of course I just deleted the whole folder... hmmmm   

 

Maybe that wasn't so smart!

 

Is that going to prevent PCMatic from finding stuff it wants to really remove, and not just delete?

 

Sad situation these few companies have brought upon themselves... guess who has some of the best "recovr" and undelete programs out there?

I guess those programs could run with a ? in front of their program name?

 

I feel this is enough of a semi-universal problem that some guidance from PCMatic is appropriate, re deleting folders, etc.

On 2/11/2018 at 8:03 AM, JohnDotCom said:

Half a dozen years ago, I used to run a lot of IObit software on my systems (ASC, Smart Defrag, IObit Uninstaller). Then there was all that controversy... and I never did like the slightly sleazy way they used to install (without telling you, except deep in the EULA) random PUP/trialware programs, along with their specific program, unless you used the advanced install method, where you were given a choice to uncheck and thereby prevent, the additional programs from being installed by default. Then a few years ago, I decided to get rid of all their stuff (using their Uninstaller until I found another better Uninstaller... hmmm?)

 

I slept better, but never did find a better uninstaller, than the IObit Uninstaller for removing everything about a specific program. 

 

It looks like they must have had an 'exclude list' that prevented certain programs from being removed (even by their "Remove all Traces" option)

 

Then Out of the Blue, this week during my daily deep scan on all my systems... PCMatic starts removing over 100 viruses and PUPs from one of my systems and they are related to IObit??? (anyone know what's up, or the backstory?)

 

Example:     Security   High     C:\ Program Files\ IObit\ Advanced SystemCare 6\ Sua13_EmptyFolderScanner.exe              Found                      Remove

Hey Jon, if you'd like an alternative to IObit's uninstaller prog, I'd submit to you that RevoUninstaller is superior in every way and ISN'T related to any malware/PUA/junkware.


Thank you more formally, Y kawika, for your candid response and knowledge of the details behind this.   I think the decision to start doing this was correct, and the "local white list" provides the perfect solution for the few individuals that might feel they need to object.  Especially when we are finding 'Christmas.exe' and 'NewYear.exe', buried in there (even if they were put there for Trolling purposes).  That fact by itself, tells you a lot about the culture of the companies involved (which is created from the top down).

 

Should others wait for the PCMatic list to grow larger (as it has on Friday and Sunday) and what should one do if you just deleted the whole folder?

 

I have submitted a Ticket on this subject and I will share what they tell me, but often they are not permitted to disclose too much at that level.   In any case, since this will not be that unique a situation, I will try to share what I can.

 

Edited by JohnDotCom
Clarity...


Just to tie a ribbon on this... PCmatic support confirmed what was said here (even confirming the recommendation made by Tx Redneck) that for folks like me that may have deleted things like the whole IObit folder, it would be best to use the Revo Uninstaller, to trace installations and use their advanced uninstaller and forcefully uninstall.

 

What a ball of yarn I found (in the IObit uninstall and clean up) going back even over 6 years.  


Jon, try AdwCleaner 'free' cleaner, to remove all traces: Please download AdwCleaner by Xplode and save to your Desktop.

Step 1.

  • Double click on AdwCleaner.exe to run the tool. Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.

Step 2. Using AdwCleaner: Scan & Clean:

  • This time click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

***Removing/Uninstalling AdwCleaner:

  • Double click on AdwCleaner.exe to run the tool again.
  • Click on the Uninstall button.
  • Click Yes when asked are you sure you want to uninstall.
  • Both AdwCleaner.exe, its folder and all logs will be removed.


Here is the log file requested...

 

 

# AdwCleaner 7.0.8.0 - Logfile created on Fri Mar 02 13:16:51 2018
# Updated on 2018/08/02 by Malwarebytes 
# Database: 03-01-2018.1
# Running on Windows 7 Home Premium (X86)
# Mode: scan
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

PUP.Optional.AdvancedSystemCare, C:\Windows\System32\config\systemprofile\AppData\Roaming\IObit\Advanced SystemCare
PUP.Optional.AdvancedSystemCare, C:\Windows\System32\config\systemprofile\AppData\Roaming\IObit\Advanced SystemCare


***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

No malicious registry entries found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries.

*************************

C:/AdwCleaner/AdwCleaner[C1].txt - [6178 B] - [2016/6/21 4:39:22]
C:/AdwCleaner/AdwCleaner[C2].txt - [2709 B] - [2016/7/6 2:30:53]
C:/AdwCleaner/AdwCleaner[S1].txt - [5829 B] - [2016/6/21 4:38:4]
C:/AdwCleaner/AdwCleaner[S2].txt - [2475 B] - [2016/7/6 2:29:45]


########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt ##########


Here is the second (Clean) log file:

 

# AdwCleaner 7.0.8.0 - Logfile created on Fri Mar 02 13:20:35 2018
# Updated on 2018/08/02 by Malwarebytes 
# Running on Windows 7 Home Premium (X86)
# Mode: clean
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services deleted.

***** [ Folders ] *****

Deleted: C:\Windows\System32\config\systemprofile\AppData\Roaming\IObit\Advanced SystemCare
Deleted: C:\Windows\System32\config\systemprofile\AppData\Roaming\IObit\Advanced SystemCare


***** [ Files ] *****

No malicious files deleted.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks deleted.

***** [ Registry ] *****

No malicious registry entries deleted.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries deleted.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries deleted.

*************************

::Tracing keys deleted
::Winsock settings cleared
::Additional Actions: 0

*************************

C:/AdwCleaner/AdwCleaner[C1].txt - [6178 B] - [2016/6/21 4:39:22]
C:/AdwCleaner/AdwCleaner[C2].txt - [2709 B] - [2016/7/6 2:30:53]
C:/AdwCleaner/AdwCleaner[S1].txt - [5829 B] - [2016/6/21 4:38:4]
C:/AdwCleaner/AdwCleaner[S2].txt - [1424 B] - [2016/7/6 2:29:45]


########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt ##########
