robertcarroll6

Useful summary. Thanks

Lots of users waiting for some clarity from Piriform before making decisions on restoring/re-imaging. As of now: 1. the moderators seem to be saying restoring is overkill because installing 5.35 etc magicks problems away 2. the youtube video*** the mods are so anxious for us to view seems to be saying re-imaging is a waste of time since we are already "owned" by the hackers. 3. our best hope seems to be that the hackers will be too busy tussling with microsoft and google etc to bother with anything they got from our systems *** "https://www.youtube.com/watch?v=i1u0LqZLDvc&feature=youtu.be" It's ironic that mods on a piriform-ponsored forum are linking to a clip called "The Horrors of Ccleaner". It has cool music

Excellent post pearshaped. The paucity of posts from Piriform/Avast employees and the lack of response to specific questions is pretty telling. Piriform/Avast seem to be hiding behind volunteer moderators who are working on partial information. The moderators are reduced to referencing blogs/articles which analyse the problem based on research by Cisco's Talos Group. In each blog/article Talos is quoted as saying that a restore/re-format is called for; however the volunteer moderators insist this is "overkill". Like everyone else affected by this issue, I am anxious to avoid the time and cost and risks of restoring/re-formatting. In the absence of any coherent support from Piriform/Avast, the straw I'm grasping for at the moment is the suggestion that the hackers ignored us little guys in pursuit of bigger fry.

Thanks for these suggestions Nergal but they raise a couple more questions: 1. You write "If you have 64 bit Windows, make sure you update your ccleaner to the latest version (5.35 at the time of this post)".. Are you suggesting people with 32-bit window shouldn't update to 5.35? 2, You write "If you are very worried you can follow the steps in https://www.ghacks.net/2017/09/21/ccleaner-malware-second-payload-discovered/ " In the article you link to it says "Talos Group suggested to restore the computer system using a backup that was created prior to the infection. The new evidence reinforces this, and the researchers suggest strongly that it may not be enough to simply update CCleaner to get rid of the malware". Are you now suggesting we follow this advice (because a lot of us are, indeed, very worried)? 3. You write " the malware normally does not have the time to activate between the time ccleaner​.exe (32bit) hands off to ccleaner64.exe.". Can you please clarify what "normally" means in this context. Under what "non-normal" circumstances would the malware have been activated? Thanks Robert

Regardless of who's making the decisions, the lack of response to (or even acknowledgement of) some very straightforward questions being asked here is disrespectful and particularly so given that piriform has delivered some pretty dangerous software to our devices.

Nergal, your work as a volunteer is very much appreciated. However it appears you are relying on the same avast/piriform blogs and press releases as the rest of us for your information and these blogs etc leave many straightforward questions unanswered. Several people are asking the same questions. Given the seriousness of the threat to our systems we really should be getting answers from piriform employees based on their current knowledge. The last post from a piriform employee was from Stephen nearly 24 hours ago (post #131). It was disingenuous at best: he posted a link to an extremely technical avast blog post and then said he was working on answers to our more technical questions. Our questions aren't that technical. My summary of the questions is: does the 32-bit/64-bit distinction still hold? does having ccleaner.exe in scheduled startup mean we were exposed to 32-bit threats even on 64-bit devices? has the 2nd payload been found anywhere other than servers on the target list? Others have been posting similar questions - none of which seem that technical. The other service piriform/avast could usefully provide their users with is a forum on how to reformat/restore/recover their systems to a pre-ccsetup533.exe state. Such a forum could be provided on a non-prejudicial basis for users who voluntarily decide to go that that road.

Congratulations Bangeny. You get the prize for being the only person today to get a question answered by anybody with any connection to pirifrom/avast.

Mind you, "login" (post 129 above) found ccleaner.exe in start-up schedule on his Windows 10 64-bit device

Not sure if it is relevant to your point, but I did find (see my post above) that it was ccleaner.exe (32-bit?) scheduled to run at start-up on my Windows 7 64-bit machine but on my Windows 10 64-bit machine it was ccleaner64.exe scheduled at start-up

Thanks Stephen You write... "We are working on getting you answers to some of your more technical questions." The avast blog is interesting but far too technical for most of us posting here. It is some of the less technical questions we need answers to. eg (as in my posts above): is the 2nd pay-load a threat to casual users?: is running the 64-bit a reason to feel any more secure?; does having ccleaner.exe as part of startup schedule mean even 64-bit machines are exposed to 32-bit threat. Or should just follow advice from cisco etc and wipe our machines and re-install from scratch? Robert

Hi Tom Piriform, Based what I found in my startup scheduled tasks (see previous post) after reading login's post, I now have a third question: 3. Does the fact that ccleaner.exe (contains 32-bit code?) was in my startup scheduled tasks indicate that I was more exposed to the malware? Thanks

Hi login, thanks for more info on this stuff. I had no idea ccleaner would be scheduled to run on startup. I found Windows 7 64-bit machine - ccleaner.exe (not ccleaner64.exe) scheduled to run on startup Windows 10 64-bit machine - ccleaner64.exe scheduled to run on startup Robert

Dear Tom Piriform I understand that more information is being uncovered all the time about this incident and that the situation inside piriform must be hectic. However I think we should be given information based on the current knowledge about this incident. Specifically I would appreciate it if an official person from piriform could confirm whether the following statements reflect the current state of knowledge: 1. To date, there is no evidence that the second level pay-load was distributed anywhere other than to a specifically targeted group of users. 2. Users who launch ccleaner by running ccleaner64.exe are not at threat regardless of whether they downloaded and ran ccsetup533.exe or not. The latest information from avast is at https://blog.avast.com/avast-threat-labs-analysis-of-ccleaner-incident Users of limited technical knowledge (like myself) won't get much from that blog entry. However its mentions of 64-bit systems makes me a bit nervous about previous reassurances. Thanks

Seems we're getting a bit of "severity creep" here. 1. The second-stage payload was delivered after all but us little people are okay because the hackers only aimed it at selected corporate targets? 2. Does the 32-bit bad, 64-bit safe distinction still hold? There is more information - including list of targeted corporates - at: https://www.bleepingcomputer.com/news/security/ccleaner-hack-carried-out-in-order-to-target-big-tech-companies/ and http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html

All pertinent questions that I think many users would like to see answered.