CCleaner 5.37 - Do you trust it 100%?

tim one

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
Uhmm...at this point I'm no more so sure to use Ccleaner.
Moreover, EAM warned me about something strange on CCupdate.exe... (I don't remember exactly what).
I quarantined it, this story is lasting too, I will uninstall it permanently.
 

TairikuOkami

Level 36
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,540
NO. CCleaner behaves more like adware now and the worst part is, that it eroded my trust in Avast. I no longer recommend it (it caused other issues as well).

Wise Care 365 Pro might be my next stop or something else.
Same, I have setup Wise Disk Cleaner to run at shutdown, unfortunately it removes all logins, not at restart though, strange.
So I have started to use browser's autosave for passwords, I know, but only for forums and unimportant stuff like that.

As for reg cleaning, I have moved to Wise and Regseeker (since Wise Free cleans only HKCU).

Block with firewall.
CCleaner injects explorer and connects via the browser regardless, if it is blocked or not.
 

TairikuOkami

Level 36
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,540
Could you please elaborate this please?
It was mentioned in the other thread, like after install it opens a browser and connects. It can be blocked only via some HIPS capability (Comodo/Zone Alarm).
By default, it has got admin rights and realtime monitoring enabled. So theoretically, when it detects a browser running, it might do anything, like hidden within iframes.
 
Last edited:

cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,166
Mr X- CCleaner will open to Default browser and go to a Piriform page when you check for updates. This will occur with either the installed (even though it has a built in CCUpdate module) or with the Portable version. But BOTH versions will on first run connect (through CCleaner.exe) to the CloudFlare/GlobalSign server in San Fransisco. This connection seems to be a one time only thing and so probably transmits basic user data (an installation was done at a certain geographical location). By the way, I am not bothering to mention the ubiquitous connect to the SF Prirform servers at 151.101.184.64 which occurs every time you use CCleaner.

With the malicious CCleaner 5.33 I suppose what tipped off the person that discovered the connection to Blackhat command was the persistence of a continuing CCleaner.exe connection to the server in Los Angeles in addition to the SF onetimer. Then it was just a hunt for the reg entries that caused the connection.
 

boredog

Level 9
Verified
Jul 5, 2016
416
CS

Was that VT link you provided for the new CC version being flagged by all those AV's? If so what reason do they have for flagging it now?
 

Mr.X

Level 8
Verified
Well-known
Aug 2, 2014
368
CCleaner will open to Default browser and go to a Piriform page when you check for updates. This will occur with either the installed (even though it has a built in CCUpdate module) or with the Portable version
That in red letters matters to me as I use the portable version and unchecked "Automatically check for updates to CCleaner" feature in Options > Settings since the beginning when I started using the portable. To be honest, I haven't seen any other attempt of injection or triggering a default browser instance at all.

ccleaner.exe is not blocked in the firewall but if tried to connect, this would block it. Again, I haven't seen any attempt of calling home or any other place.
 
Last edited:

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,048
NO. CCleaner behaves more like adware now and the worst part is, that it eroded my trust in Avast. I no longer recommend it (it caused other issues as well).


Same, I have setup Wise Disk Cleaner to run at shutdown, unfortunately it removes all logins, not at restart though, strange.
So I have started to use browser's autosave for passwords, I know, but only for forums and unimportant stuff like that.

As for reg cleaning, I have moved to Wise and Regseeker (since Wise Free cleans only HKCU).


CCleaner injects explorer and connects via the browser regardless, if it is blocked or not.
You mean the Wise Registry Cleaner Pro cleans the entire registry vs its FREE version which cleans only the HKCU? Is there a comparison table to show the differences between the 2 versions?

Thanks
 

TairikuOkami

Level 36
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,540
You mean the Wise Registry Cleaner Pro cleans the entire registry vs its FREE version which cleans only the HKCU?
Yes, if you try to enable it in settings, it is locked for Pro.
RegSeeker does not allow deep cleaning, but it is already dangerous as it is. :)

EDIT: Just reading it, maybe I was wrong, again, it is just for user management, but it certainly does not clean some HKLM items, which even weaker CCleaner cleans.
 

Attachments

  • capture_11222017_093835.jpg
    capture_11222017_093835.jpg
    89.7 KB · Views: 420

cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,166
Boredog- That VT link wasn't to CCleaner itself, but instead to a malware file (ransomware distributed by the Neutrino EK) that connected a while back to the same IP that PiriForm now used to acquire usage statistics (104.31.75.124); CCleaner Portable will also connect to that IP. But note that this is on First run only, and only on a system that has never had CCleaner installed.

The portable version will also check that the version used is the latest by a connection to 151.101.184.64, but also only on first run.
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,048
  • Like
Reactions: bribon77

darko999

Level 17
Verified
Well-known
Oct 2, 2014
805
I just download updated version manually, blocked ccleaner by firewall like many others do; it's worth. I like the software and it has some useful features. I also deleted the Ccleaner UAC skip task, it's shady.
 
  • Like
Reactions: Andytay70
F

ForgottenSeer 58943

I just download updated version manually, blocked ccleaner by firewall like many others do; it's worth. I like the software and it has some useful features. I also deleted the Ccleaner UAC skip task, it's shady.

SkipUAC tasks are common with all tools like this. Otherwise they wouldn't work properly so nothing shady there for the most part. I still won't use Ccleaner, but that is a personal choice. Plenty of other solutions that do the job and since we mostly use Chromebooks, I just powerwash, which is a 20-30 second full restore. For the few desktops left in the home - Wise Portable, Kerish, Privazer, all good options IMO.
 

darko999

Level 17
Verified
Well-known
Oct 2, 2014
805
SkipUAC tasks are common with all tools like this. Otherwise they wouldn't work properly so nothing shady there for the most part. I still won't use Ccleaner, but that is a personal choice. Plenty of other solutions that do the job and since we mostly use Chromebooks, I just powerwash, which is a 20-30 second full restore. For the few desktops left in the home - Wise Portable, Kerish, Privazer, all good options IMO.

The program could ask for elevation like usually other programs do, thing is UAC skip for Ccleaner is pointless. I just run it and it ask for elevation, I'll see if it is the proper moment to give that elevation, but leting Ccleaner skip elevation prompt is by no means good just IMO.
 
F

ForgottenSeer 55474

I have Ccleaner Professional plus and I mostly use wisecare pro
 
F

ForgottenSeer 67480

I using Kerish Doctor 2 years and no problems. What about CCleaner: I used him from 2012 to 2014 year and it's not a bad choice, but much i preffer test Kerish Doctor.
 
  • Like
Reactions: Sunshine-boy

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top