Another CCleaner fake, this one via google

[login123]

Today the top 2 google selections for "Piriform" sent me to incorrect installers for CCleaner.

 

 

The short story is that the exe files you get are a wrong version of CCleaner.

One of the sites, Soft8, installs version 3.23 and tries to install unwanted junk.

For both sites, every time you run their version of CCleaner, it pops up a box asking you to register.

I don't know, is that maybe because it is the pro version as a trial?

 

The good news is that simply uninstalling the incorrect program and reinstalling the correct one from Filehippo or Piriform eliminates the popup.

 

The bad news is that new users might not know how CCleaner is supposed to behave, and think the popup is normal.

[DennisD]

If it was the Pro version, it would say "CCleaner Professional" in the UI banner where the free version says "CCleaner.com".

 

I'll point the devs to this Login, and I have a link for the "Softm8" site but not the other one you mention, and only the one pops up if I repeat your search.

 

Just out of interest, why were you googling for CCleaner? Were you lost?

 

Good find by the way.

[login123]

Lost ball in high weeds, thats me.

 

Was just comparing search engines, playing around.

 

The link to Softm8 (not soft8 as earlier stated) is this, still works as of right now:

http://ccleaner.softm8.com/?gclid=CInitqXJoLUCFQU5nAod-2IALQ

 

Have some screenshots, will put'em on photobucket and be back with thumbs in a little while.

[login123]

If you follow through that first highlighted link in the pictured google search, you wind up with this installed:

 

 

If you run that version of CCleaner, you get this popup asking for license details, but the software runs as a trial:

 

 

If you run the installer from softm8, the second highlighted link, it tries to install these:

 

and

 

and you eventually get to this installer for ver. 3.23

 

 

Either installation pops up that license detail request, if i recall corrctly.

 

In any case, its easy to get right one installed, but those incorrect links might explain some of the strange posts where someone describes odd behaviors by CCleaner.

[Alan_B]

I suggest that the final screenshot might be a toolbar / trojan launcher created by Softm8 which dumps all its junk on your system,

and finally may install some version of CCleaner.

The previous screenshots promised version 3.27.

 

Did you finally get 3.23 installed as indicated by the screenshot.

or was a a simply launcher that finally connected you to the latest version ?

Perhaps they forgot to rename the launcher to match the current product.

[pwillener]

softm8.com (located in Bulgaria) appears to be a rogue download site. It lists these softwares on their main page:

• Skype 5.1 - the latest version is 6.1.0.129
  
• avast! Free Antivirus 7.0 - the latest version is 7.0.1474
  
• CCleaner 3.23 - we know what the latest version is
  
• Minecraft 1.4.2 - the latest version is 1.15.1
  
• Free Download Manager 3.9 - the latest version is 3.9.2
  
• Flash Player 11 - the latest version is 11.5.502.146
  
• Yahoo Messenger 11.5 - the latest version is 11.5.0.228
  
• 7-Zip 4.42 - the latest version is 9.20
  

I bet they package all their downloads in a similar fashion as they do with CCleaner.

[pwillener]

Today the top 2 google selections for "Piriform" sent me to incorrect installers for CCleaner.

 

 

But interestingly, when I do that same search as you did, I do not see that rogue download site anywhere in my results:

[nodles]

Are you using AdBlock+ or similar? These addons often hide paid/ads in Google.

[pwillener]

Nothing like that; just plain Firefox.

[TheWebAtom]

But interestingly, when I do that same search as you did, I do not see that rogue download site anywhere in my results:

 

Google lets you target your ads to specific users based on country, OS and browser.

 

Malicious 'sponsored results' usually only show for Windows XP/Internet Explorer users, as they are typically less tech savvy (and more vulnerable to attacks) than users of other platforms.

[hazelnut]

 

 

Malicious 'sponsored results' usually only show for Windows XP/Internet Explorer users, as they are typically less tech savvy

 

I know lots of users who use that combo and they definitely ARE tech savvy.

[TheWebAtom]

typically

I was very careful to use the word typically in that sentence. While there will always be exceptions, the vast majority of users still using the XP/IE combo are average Joe computer users.

 

Although that wording still doesn't look right: let's go with "the vast majority of average Joe PC users are running XP/IE"

 

Sometimes it's easy to forget that we live in a world where 3.5 million people still buy dial-up internet from AOL...

[login123]

Alan, answer is yes, I did get both versions, 3.23 and 3.27, installed.

Both installations ran but asked for license detais. Didn't actually use the apps, just installed and opened them. I saved the exes, compared the hashes, and a bunch of other stuff, but didn't want to belabor the details.

Edit: That first highlighted link in the picture eventually installs ver 3.27, and the second link eventually installs ver 3.23 via softm8 (with the foistware offers). Was able to uncheck the foistware offers.

 

Pwilliner, that pictured search happened here when I entered the word piriform with a space after it, then let google make its suggestions. Still does that right now. Without the space at the end I get a different set of suggestions.

 

Shane, I must confess to being only barely semi-tekkie. I thought API stood for "Always Provide Instructions".

 

That was the reason for this topic. I think most folks are not very tekkie. I wondered how many would follow those links and wind up with some sort of CCleaner installation that would leave them with annoying popups or a bunch of foistware, and blame Piriform for it.

[hazelnut]

I thought API stood for "Always Provide Instructions".

 

You mean it doesn't???

 

On a more serious note it's a good thing all you guys watch each others backs by bringing these sites to members attention Keep up the good work.

 

@Shane I know what you meant about xp and IE8 but we don't want to upset anyone

[DennisD]

Thanks for all your hard work in this Login.

 

Stirling stuff.

[Alan_B]

and the second link eventually installs ver 3.23 via softm8 (with the foistware offers). Was able to uncheck the foistware offers.

Did you also uncheck the keylogger that may have come with their delivery of ver 3.23 ?

 

Sorry for any panic but how confident are you of your malware protection ?

 

It occurs to me that softm8 may deliver the Professional version with the hope of an on-line purchase from Piriform whilst their keylogger is observing and phoning home.

 

It could also keep an eye open for all your other financial transactions.

 

Please note that the above is pure speculation - when I cry WOLF the reality could be a Tiger or a Mouse

There are others here with far greater experience who hopefully can tell you not to panic - or otherwise

 

N.B.

A year or two ago I searched for "Portable Notepad" and clicked on several results.

One result was a download helper from Softonics which I refused to run.

 

Although I never ran it,

Windows then started to report "side-by-side" errors due to that file which was Never used and never moved from the download folder on a non-system HDD

I deleted that file but the errors persisted.

I scanned for malware and found none.

I restored my system from an earlier Partition Image Backup and the errors stopped and my panic subsided.

 

Sweet Dreams

 

Alan

[login123]

. . .

Sweet Dreams

 

Alan

 

 

Alan, I have more layers of security on here than The International Bureau of Super Secrets (IBOSS).

Never heard of IBOSS? Well there ya go, see, pretty secret outfit, huh?

 

Actually, I would never have tried any of that stuff without Powershadow or some equivalent (yet to be found) running. And other anti malware apps, of course.

 

But thanks for looking out for me. Nothing is bulletproof, and I didn't think of a keylogger.

[Winapp2.ini]

softm8.com (located in Bulgaria) appears to be a rogue download site. It lists these softwares on their main page:

• Minecraft 1.4.2 - the latest version is 1.15.1
  

I bet they package all their downloads in a similar fashion as they do with CCleaner.

 

Latest version is 1.4.7 actually

[Nergal]

hmm there's also the fact that when you click the ads, for evil-ware, you're telling the Google-thing to serve you more of them.

[Vollyman]

CCleaner is a top quality product and I have promoted it with my clients for years. Saying that...I was working on a laptop for a client yesterday and to my horror I discovered the maulware folks have a new trick that I just ran into. I go to google to download ccleaner and I'm made the mistake of using the fake ccleaner package and it "tried" to install a bunch of maulware. The shielding I had setup beforehand stopped it however I had to spend hours scanning to make sure nothing got through. 

 

When you type in "ccleaner" in google Search it shows up as an ad at the top of the search results. (ccleaner.downloadinfo.co). Foolish me clicked on the ad link instead of the link from Piriform.

 

Lovely. I wonder how many people see this and get tricked into messing their rig up with this garbage.

 

edit: Not sure if this is considered a necropost or not. If it is (I'm new here) my apologies.

[Andavari]

Lovely. I wonder how many people see this and get tricked into messing their rig up with this garbage.

 

edit: Not sure if this is considered a necropost or not. If it is (I'm new here) my apologies.

 

Welcome to the forums.

 

Thank you for posting your findings, it could save someone from clicking the wrong thing.

[Nergal]

 

I go to google to download ccleaner and I'm made the mistake of using the fake ccleaner package and it "tried" to install a bunch of maulware.

My father, recently had the same experience. I swear by DuckDuckGo.com with WOT enabled for all results

[Andavari]

with WOT enabled for all results

 

Forgot about that. Yeah it could've prevented it with the warning dialog that blocks the loading of a bad site, that is if it recognized the site as bad.