[WARNING] Hackers Hid Backdoor In CCleaner Security App With 2 Billion Downloads

Jesus. Thanks for the heads up, haven't proactively used it in a while but know it was very popular with some clients a while back.
 
There's a couple of duplicate threads going for this topic...
I stopped using CCleaner a couple of days after Avast acquired Piriform.
Instead, I use the portable versions of BleachBit and System Ninja. System Ninja Pro tech license is only $49.

Do you know if the System Ninja Pro version cleans temp files for ALL user accounts? CCleaner free only cleans the currently logged on account, which is why I always used the CCleaner Pro.
 
I'm not sure. I've always used the portable version so that I can just run it simultaneously on each user account.
I've just asked the question on the Pro Support Forum at Singular Labs, so I'll get back to you.
 
Hey, am I just not seeing it? I looked into SNP and it looks like I have to be a "Pro Club" member at $15USD/year? I don't see a spot to scoop the tech license for $50.
 
Yes, I noticed that when I went to the page a little while ago. I got System Ninja Pro about 5 years ago. At that time it was AU$49. It looks like it's now $15 p/y.
Still not much for a great little tool. ;)
 
I have a workstation that was decommissioned last week at one of my clients. Running Win7 pro-64, it had v5.33.6162, and the program was definitely run last week prior to backing up the profile.

None of the registry entries (HKLM\Software\Piriform\Agomo) were there because while CCleaner installs both the 32-bit and 64-bit versions, the desktop shortcut links to the 64-bit version. The malware is in the 32-bit executable at c:\program files\ccleaner\ccleaner.exe.

I'm happy to report that the latest version of Malwarebytes Free with a current update does detect the infection in the 32-bit executable as listed above as Trojan.Nyetya. Just another reason to love Malwarebytes.

So...if you have this situation where the malware has not been executed, I would just blow away the 32-bit executable.

With the machine disconnected from the network & internet, I tried running the 32-bit executable - it looks like it automatically detects I'm on a 64-bit system and runs the 64-bit executable instead. After doing this, I still did not have the Agomo registry entries, so it looks like (at first blush, anyway - I am not a forensic software investigator) you need to be on a 32-bit system and you need to run the 32-bit executable (and possibly only while connected to the internet) to install the malware.
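
The checks described in the post above, as an added read-only PowerShell example that is not part of the original thread. It uses the path, version and registry key named in the post, queries both registry views explicitly, and assumes PowerShell 3.0 or later; which numeric field of the file version holds 6162 is an assumption.

```powershell
# Added triage example (read-only). Values below are taken from the post above.
$ExePath    = 'C:\Program Files\CCleaner\CCleaner.exe'
$KeySubPath = 'SOFTWARE\Piriform\Agomo'

function Get-PeMachine {
    param([string]$Path)
    # PE layout: e_lfanew at offset 0x3C points to 'PE\0\0'; Machine follows it.
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $br = New-Object System.IO.BinaryReader($fs)
        $fs.Position = 0x3C
        $fs.Position = $br.ReadInt32() + 4
        switch ($br.ReadUInt16()) {
            0x014c  { 'x86 (32-bit)' }
            0x8664  { 'x64 (64-bit)' }
            default { 'other' }
        }
    } finally { $fs.Dispose() }
}

function Test-AgomoKey {
    # A 32-bit process on 64-bit Windows is redirected to the 32-bit registry
    # view (WOW6432Node), so each view is opened explicitly.
    $views = [Microsoft.Win32.RegistryView]::Registry64,
             [Microsoft.Win32.RegistryView]::Registry32
    foreach ($view in $views) {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        $key = $base.OpenSubKey($KeySubPath)
        [pscustomobject]@{ View = $view; KeyPresent = ($null -ne $key) }
        if ($key) { $key.Dispose() }
        $base.Dispose()
    }
}

if (Test-Path -LiteralPath $ExePath) {
    $vi = (Get-Item -LiteralPath $ExePath).VersionInfo
    # Assumption: 6162 sits in either the build or the private version field.
    $match = $vi.FileMajorPart -eq 5 -and $vi.FileMinorPart -eq 33 -and
             (6162 -in $vi.FileBuildPart, $vi.FilePrivatePart)
    [pscustomobject]@{
        Path                   = $ExePath
        FileVersion            = $vi.FileVersion
        Machine                = Get-PeMachine $ExePath
        MatchesReportedVersion = $match
    } | Format-List
} else {
    "Not found: $ExePath"
}
Test-AgomoKey | Format-List
```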
 
Ugh, I guess I better go through some Ninite logs and find out who had CCleaner installed and got it automatically updated.

Edit: oh wait, that's right, Ninite removed CCleaner a long time ago, sweeeeeet
 
I've only ever used the portable version. I have only a couple of clients that have it actually installed.
Generally, if a client wants it I try to talk them out of it telling them it's a tool for "experts" only and can cause major problems in the wrong hands.
If they insist on having it, I just give them the portable with a desktop shortcut to the executable.
 