Windows 10: CCleaner: A Vast Number of Machines at Risk

For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode... Discussion in 'Windows 10 News' started by swarfega, Sep 17, 2017.

  1. swarfega Win User

    Quote from Tweakhound.com

    Sources:
    1. Cisco's Talos Intelligence Group Blog: CCleanup: A Vast Number of Machines at Risk
    2. CCleaner Compromised - TweakHound
     
    swarfega, Sep 17, 2017
    #1

  2. Beat me to it swarfega! *Smile

    Looks like I'm safe but am still apprehensive. I run a Pro x64 version of CCleaner but will be doing a very detailed check..... just in case.

    Now.... I have been using CCleaner for many many years and have always been happy with it and recommended it to family and friends. But this news has me worried to say the least. I cannot help but notice that this has occurred since Avast bought Piriform, which in turn has made me wonder about the parent company's products also. I stopped using Avast once they bought AVG, but how can a company whose sole purpose in being is computer security have let this happen?

    :)
     
    indianacarnie, Sep 17, 2017
    #2
  3. Windows 10 reversionist

    You can get it from here: Download Windows 10

    The vast majority of upgrades go well. However, upgraded machines are nowhere near as stable and robust as a tried and proven Windows 7 machine. Ultimately you need to weigh the benefits (what benefits do you expect?) against the risks. Looking at the numerous posts in this forum will demonstrate some of the risks.

    I never ever upgrade a machine unless I have an image of its pre-upgrade system partition.
     
    Frederik Long, Sep 17, 2017
    #3
  4. Shilohbob Win User

    Can't reboot Windows 10 after running CCleaner

    You decided to install CCleaner and run it, for solutions to problems relating to using CCleaner contact CCleaner support, what actions you have changed we have no idea.

    You use apps like CCleaner at own risk.

    Uninstall CCleaner and perform a clean re-installation of W10.
     
    Shilohbob, Sep 17, 2017
    #4
  5. OldMike65 Win User
    From Piriform's Forum

    Posted Today, 02:12 AM

    We recently determined that older versions of our Piriform CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 had been compromised. We resolved this quickly and believe no harm was done to any of our users. This compromise only affected customers with the 32-bit version of the v5.33.6162 of CCleaner and the v1.07.3191 of CCleaner Cloud. No other Piriform or CCleaner products were affected. We encourage all users of the 32-bit version of CCleaner v5.33.6162 to download v5.34 here: download. We apologize and are taking extra measures to ensure this does not happen again.
     
    OldMike65, Sep 17, 2017
    #5
  6. Tony K Win User
    Thanks for posting this, swarfega.

    Ironic to say the least.
     
    Tony K, Sep 17, 2017
    #6
  7. swarfega Win User
    swarfega, Sep 17, 2017
    #7
  8. Hewjr100 Win User

    As for myself, I removed ccleaner and use bleachbit instead.

    Henry
     
    Hewjr100, Sep 17, 2017
    #8
  9. swarfega Win User
    I would not jump ship just yet, but as I said above, I would uninstall it just to be safe. I have the Pro version as well.
     
    swarfega, Sep 17, 2017
    #9
  10. clam1952 Win User
    Wasn't too happy at Piriform getting taken over by Avast and now this! Thanks for the heads up.
    64-bit version here; two have been updated to 5.34 anyway. The third, a spare PC which I only switch on for updates once a month, was still on 5.33, however it downloaded an urgent update without having to go to the download site. Just to be sure, I checked the registry for the HKLM\SOFTWARE\Piriform\Agomo entry on all PCs; nothing found.

    The only 32-bit OS machine I had was wiped and replaced with Linux at the beginning of August.

    Makes you wonder, if someone hacked the CCleaner downloads that easily, what else they may have messed with.
     
    clam1952, Sep 17, 2017
    #10
  11. OldMike65 Win User
    I did the same as you, checked my registry, found no "Piriform\Agomo entry" and I only run the 64bit versions also. I see no reason to remove my Pro version.
     
    OldMike65, Sep 17, 2017
    #11
  12. Brink New Member
  13. Josey Wales

    CCleaner Hacked - Malware Spread to 2.2 Million Users - MajorGeeks

    Here is the official summary and apology:

    "We would like to apologize for a security incident that we have recently found in CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191. A suspicious activity was identified on September 12th, 2017, where we saw an unknown IP address receiving data from software found in version 5.33.6162 of CCleaner, and CCleaner Cloud version 1.07.3191, on 32-bit Windows systems. Based on further analysis, we found that the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud was illegally modified before it was released to the public, and we started an investigation process. We also immediately contacted law enforcement units and worked with them on resolving the issue. Before delving into the technical details, let me say that the threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker, and we’re moving all existing CCleaner v5.33.6162 users to the latest version. Users of CCleaner Cloud version 1.07.3191 have received an automatic update. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm.

    Technical description
    An unauthorized modification of the CCleaner.exe binary resulted in an insertion of a two-stage backdoor capable of running code received from a remote IP address on affected systems.

    The malware was also programmed to collect a bunch of user data, including:

    Name of the computer
    List of installed software, including Windows updates
    List of running processes
    MAC addresses of first three network adapters
    Additional information whether the process is running with administrator privileges, whether it is a 64-bit system, etc.

    Talos’ report warns that the malware was found in CCleaner version 5.33, which was actively distributed between August 15 and September 12. What is particularly jarring is that it appears the infected app was signed with a valid certificate Symantec issued to Piriform (recently acquired by Avast)."


    Be sure to update your CCleaner immediately with version 5.34.6207 or better yet, get a better drive cleaner and replace it with Wise Disk Cleaner. It would also be a good idea to scan your system with a trusted application like Malwarebytes.


     
    Josey Wales, Sep 17, 2017
    #13
  14. I just ran a scan on my 64 bit machine and this is what I got:
    This is CC Pro version.


    [Two screenshots of the scan result; images not preserved]
     
    Fisher Mann, Sep 17, 2017
    #14
  15. axe0 New Member
    For some easier ID'ing if you've been infected, search in HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\CCleaner\Agomo for the following keys values
    If they are present, you're infected!

    Additionally, the Agomo key should not be present in your registry.
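
The registry and version checks that posts #10, #11 and #15 describe doing by hand, as an added PowerShell example that is not part of any post in this thread and not Piriform's or Talos' tooling. It is read-only. Assumptions: the two `WOW6432Node` paths (where 64-bit Windows redirects 32-bit registry writes), the default install directories, and `CCleaner.exe` being the 32-bit binary.

```powershell
# Added example: read-only triage of one host for the indicators named in this thread.
# The first two paths are the ones quoted in posts #10 and #15; the WOW6432Node
# variants are an assumption covering 32-bit registry redirection on 64-bit Windows.
$agomoPaths = @(
    'HKLM:\SOFTWARE\Piriform\Agomo',
    'HKLM:\SOFTWARE\Piriform\CCleaner\Agomo',
    'HKLM:\SOFTWARE\WOW6432Node\Piriform\Agomo',
    'HKLM:\SOFTWARE\WOW6432Node\Piriform\CCleaner\Agomo'
)

function Get-AgomoFinding {
    foreach ($path in $agomoPaths) {
        if (Test-Path -LiteralPath $path) {
            $key = Get-Item -LiteralPath $path
            [pscustomobject]@{
                Check  = 'Registry'
                Item   = $path
                Detail = 'Agomo key present; values: ' + ($key.GetValueNames() -join ', ')
            }
        }
    }
}

function Get-CCleanerVersionFinding {
    # Assumption: default install directories; adjust for custom installs.
    $dirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | Select-Object -Unique
    foreach ($dir in $dirs) {
        $exe = Join-Path $dir 'CCleaner\CCleaner.exe'   # assumed 32-bit binary
        if (-not (Test-Path -LiteralPath $exe)) { continue }
        $v = (Get-Item -LiteralPath $exe).VersionInfo
        # 6162 may sit in the third or fourth version field depending on how
        # the build number was stamped, so accept either position.
        $affected = $v.FileMajorPart -eq 5 -and $v.FileMinorPart -eq 33 -and
                    (6162 -in @($v.FileBuildPart, $v.FilePrivatePart))
        [pscustomobject]@{
            Check  = 'Binary'
            Item   = $exe
            Detail = "FileVersion $($v.FileVersion); affected build 5.33.6162: $affected"
        }
    }
}

$findings = @(Get-AgomoFinding) + @(Get-CCleanerVersionFinding)
if ($findings.Count -eq 0) {
    'No Agomo key and no CCleaner.exe found in the checked locations.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```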
     