CCleaner v5

Discussion in 'other software & services' started by anon, Nov 25, 2014.

  1. warwagon1979

    warwagon1979 Registered Member

    Joined:
    Nov 17, 2009
    Posts:
    21
    What I don't understand is that the second payload checks for 32bit or 64bit and gets either a 32bit or 64bit dll. But on a 64bit system, the 64bit ccleaner isn't infected, just the ccleaner.exe (32bit version).

    I'm also wondering if the virus is active only when ccleaner is running in the system tray and if the first and second payload is even able to drop if ccleaner on a 32bit machine isn't running in the system tray and that feature is turned off. As this is the first feature of ccleaner I turn off upon installation.

    I'm also wondering if it even goes through with the 2nd payload if the IP address it collects from the user in stage 1 doesn't match a large tech company.
     
  2. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,092
    Location:
    Europe, UE citizen
    Also in this case, the payload would bypass the FW only during CCleaner installing downloading with it, then if you block every connection it couldn't do anything. And I wonder if a HIPS - in Paranoid Mode naturally - should block the payload copying info from the system, because - whatever the payload is or pretends to be - it would be a new activity, and then monitored by the HIPS.
     
  3. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,092
    Location:
    Europe, UE citizen
    It seems that also 64-bit are infected, read in this thread.
     
  4. ArchiveX

    ArchiveX Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    1,464
    Location:
    Land of the Light
    Oh, yeah. :thumb:
     
  5. pegas

    pegas Registered Member

    Joined:
    May 22, 2008
    Posts:
    2,436
    Quickly away!
     
    Last edited by a moderator: Sep 25, 2017
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    Yes exactly. If outbound access was blocked, it was game over. Even if the disk-based payload was downloaded, it would be blocked from running with anti-exe. If the payload was in-memory, you only needed to restrict CCleaner. This means block it from getting read/write access to important folders, block key/screen logging, and block it from injecting code, for example.
     
  7. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    17,709
    Location:
    UK
    CCleaner 5.36

    Note the changes above in this build.

    Builds page here (no slim build yet)
    https://www.piriform.com/ccleaner/builds
     
  8. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,031
    Location:
    Mexico
    No portable version either. :mad: :geek:
     
  9. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,417
    Location:
    Under a bushel ...
    I downloaded v5.36.6278 portable from the link in @stapp's post?
     
  10. Special

    Special Registered Member

    Joined:
    Mar 23, 2016
    Posts:
    454
    Location:
    .
  11. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,031
    Location:
    Mexico
    I clicked on that link but it redirects me to a blank page. Going to look into it later on.
     
  12. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,843
    Location:
    KEEP USA GREAT
    Thank you Stapp
     
  13. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,752
    It is working now
     
  14. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    17,709
    Location:
    UK
    Hashes available for all 5.36 versions

    https://forum.piriform.com/index.php?showtopic=49067#entry287835

    The Emergency Updater info applies to both the Free and Paid versions
     
  15. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,843
    Location:
    KEEP USA GREAT
    Added new executable: "CCUpdate.exe"
    Added new Windows Scheduled Task: "CCleaner Update


    Are these entries supposed to be in startup? I don't have them anywhere?? or in my task manager? Windows XP Pro
     
  16. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    614
    Location:
    EARTH
    have them! On W7_x64

     
    Last edited: Oct 24, 2017
  17. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,031
    Location:
    Mexico
    Thank you.
     
  18. Keatah

    Keatah Registered Member

    Joined:
    Jan 13, 2011
    Posts:
    1,021
    CCleaner seems to be becoming more and more connected with each new version.

    Now there is an emergency updater? Yet another vector that needs to be watched. What's wrong with the regular updater? Heh, the updater needs an update.

    And why so many changes anyways? Can't they get it right the first time?
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    I feel the same, do you really think we need an "Emergency Updater" after this debacle? I actually see this as a new security risk, because now it might forcefully download rogue versions LOL. I will stick with older versions, unless you can disable this crap.
     
  20. Keatah

    Keatah Registered Member

    Joined:
    Jan 13, 2011
    Posts:
    1,021
    Sic ccleaner on itself.

    I feel the ccleaner franchise is beginning to lose focus. Why do they have to update it so frequently anyways? They've been working on it for over a decade and still can't get it right?
     
  21. VecchioScarpone

    VecchioScarpone Registered Member

    Joined:
    Aug 29, 2015
    Posts:
    341
    Location:
    Down Under the Southern Cross
    If by deleting the CCU emergency file you disable the darn thing, well I just did it.
    W10x64

     
  22. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,066
    Location:
    .
    FWIW ~ I also delete CCleaner and language files (not folder). W10x64
     
  23. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,443
    Location:
    Slovenia
    Partly it's because apps (browsers and similar) are updated and they need to change CCleaner to adapt to those changes.
     
  24. VecchioScarpone

    VecchioScarpone Registered Member

    Joined:
    Aug 29, 2015
    Posts:
    341
    Location:
    Down Under the Southern Cross
    Don't mind me asking, if I understand you correctly, CCleaner without the CCU emergency updater is a risk?
    Thanks.
     
  25. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,417
    Location:
    Under a bushel ...
    The portable version does not have this, for those that are concerned about this.

    They at least seem to have fixed an apparent crash, which I hadn't quite figured out, when closing Firefox (in Sandboxie)? Maybe the 'session' data cleaning.
     