- Apr 13, 2013
- 3,224
A real quick and dirty look-see into the CCleaner malware:
The Horror of CCleaner
- Thread starter cruelsister
- Start date
It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
- Jan 29, 2017
- 1,201
Wondering now if I ever used this version... and I get my CCleaner updates through Kaspersky too. 
So blocking CCleaner 'net access would have rendered this moot? Apart from update checks, there's no reason this program requires outside access AFAIK.
So blocking CCleaner 'net access would have rendered this moot? Apart from update checks, there's no reason this program requires outside access AFAIK.
Last edited:
Wondering now if I ever used this version... and I get my CCleaner updates through Kaspersky too.
So blocking CCleaner 'net access would have rendered this moot? Apart from update checks, there's no reason this program requires outside access AFAIK.
The fundamental issue is not specific to CCleaner.
It doesn't much matter what security software you have installed if it employs the concept of trusting files and processes based upon widely accepted criteria.
- Jan 29, 2017
- 1,201
Unfortunately, that is true, and defenses for the average/semi-advanced user are lacking.
- Jul 16, 2014
- 215
This happened to me, I manually deleted ''Agomo'' from the Registry Editor and updated CCleaner to the latest version.
The fundamental issue affects everyone regardless of their knowledge and skills. So it includes even the mightily capable.
Avast stated that the Agomo key was not relevant, but at the same time they have revised their statements regarding compromised CCleaner a few times already. Revisions of initial analyses and reports are generally common. Just look at Eternal Blue\Double Pulsar\SMB as a prime example.
- Jul 16, 2014
- 215
Yeah ....... But, I was supposed to do something, I can not just ignore it .
- Apr 13, 2013
- 3,224
LS- deleting the agomo key is pointless as it will be repopulated when the malware next starts. Deletion will not prevent subsequent connections.
I know. I already played with it. However, I just don't want to be involved in the "you said, but Avast said, Piriform is now saying, and Cisco Talos says everybody else is wrong, etc." As you already know these topics are generally an endeavor against misinformation or incorrect information right from the very initial report - and I'd rather just stay out of it. Just look at what was done with EB\DB\SMB - where some (actually more than just some people) insulted themselves professionally.
- Jul 16, 2014
- 215
Okay, ....... but whay do I left the 'agamo' key there (when I know is there), now at least I know that it is gone and if it accidentally appears again, then I will know that the malware reacted again.
P.S. - Will you leave the 'agamo' key there ?
Last edited:
- Sep 22, 2014
- 1,767
Maybe you should check this reg key:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf
Is it empty or not?
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf
Is it empty or not?
- Jul 16, 2014
- 215
Yes I check 2 days ago it's empty --- just this: = (default) - REG-SZ - (value not set)
- Jul 16, 2014
- 215
CCleaner was infected but only version 5.33.6162 & (also) the CCleaner Cloud version 1.07.3191 .
....... BUT NOW It's Okay to use it - Updated Version 5.35 and UP , the same is for CCleaner Cloud .......
....... - I Use It and there is no more infections in CCleaner - It's Clean ! ! ! (Portable Version Too) = Also the Millions of Users still Use CCleaner !!! Yes !!!
Here Some Alternatives for CCleaner :
- Wise Care 365
- AVG PC TuneUP
- Glary Utilities
- Win Optimizer
- BleachBit
- Private Eraser
- KCleaner
- PrivaZer
- Wise Disk Cleaner
& Here You Have This:
- The best free alternatives to CCleaner 2017 | TechRadar
& Plus You Have (to look for info) :
- www.google.com/
& Some Extra Courtesy :
- Piriform - Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users
- Aug 16, 2013
- 67
I had the infected installer on my laptop. Fortunatley the infected one was 32 bit. 64bit was clear. Microsoft Security has detected and deleted it in the same moment i was reading news about server violation of Ccleaner Software house. I was surprised because i don't trust at all that program. After that i installed Emsisoft anti-malware just in case
- Apr 13, 2013
- 3,224
Hi Fede! The issue with the 2nd opinion scanners was that they only detected this thing after the MD5 was released by Cisco/Talos.
I did a video (unpublished because I didn't think anyone would care) testing the big three (MB, HMP, Zemana) against the most common CCleaner malware and was surprised that even after 30 days only 1 of the 3 detected the malware, and none detected the reg entry.
Also, I keep reading that some folk think they would never have an issue with stuff like this as they would deny Network access to it. Although quite true in this case, understand that other software may require Internet access to work. Consider that the Group (this was no script Kiddie malware!) needed to acquire BOTH the Private Signing key to legitimize the false CCleaner as well as getting the FTP credentials to upload the malware to the Server. Getting either of these things is not easy or inexpensive.
Fortunately Peasants like us would never be bothered by such high quality stuff- as soon as those responsible detected that we were just plain folk the secondary malware would never have been uploaded to our systems. This malware was created for Corporate Espionage, but could also be used for Military Cyber Attacks. But still we should not feel good that we as individuals would have been unaffected. Personally I would rather have my personal info stolen then living in a Country where the Defense C&C Severs were taken down as the missiles fly in, or having the Electrical Grid crash as the Tanks barrel across the border (btw, this was the rationale of why the US questions the use of K in critical infrastructure. Thank God there are FINALLY Ears that Hear and Minds that actually Think).
I did a video (unpublished because I didn't think anyone would care) testing the big three (MB, HMP, Zemana) against the most common CCleaner malware and was surprised that even after 30 days only 1 of the 3 detected the malware, and none detected the reg entry.
Also, I keep reading that some folk think they would never have an issue with stuff like this as they would deny Network access to it. Although quite true in this case, understand that other software may require Internet access to work. Consider that the Group (this was no script Kiddie malware!) needed to acquire BOTH the Private Signing key to legitimize the false CCleaner as well as getting the FTP credentials to upload the malware to the Server. Getting either of these things is not easy or inexpensive.
Fortunately Peasants like us would never be bothered by such high quality stuff- as soon as those responsible detected that we were just plain folk the secondary malware would never have been uploaded to our systems. This malware was created for Corporate Espionage, but could also be used for Military Cyber Attacks. But still we should not feel good that we as individuals would have been unaffected. Personally I would rather have my personal info stolen then living in a Country where the Defense C&C Severs were taken down as the missiles fly in, or having the Electrical Grid crash as the Tanks barrel across the border (btw, this was the rationale of why the US questions the use of K in critical infrastructure. Thank God there are FINALLY Ears that Hear and Minds that actually Think).
- Jul 3, 2015
- 8,153
Indeed, we should not waste our time and energy trying to protect ourselves from super-advanced attacks that are not targeting us anyway. Our time would be better spent brushing our teeth or doing other similar things that have known benefits.
That infected CCleaner is not a horror
The horror is when your AV/AM software in your system cannot automatically detect and clean it
The horror is when your AV/AM software in your system cannot automatically detect and clean it
- May 13, 2017
- 2,639
That is a good point, I am sure that many AVs exclude it even from a behavioural scanning because it is a trusted software. How many others are also neglected?!
Similar threads
