Posts: 10,581
Everything posted by Nergal
-
I agree that looks too aggressive.
-
1. The "if you're 64bit" - the "you" was directed at the previous poster. Everyone should update to 5.35. 2. No, I just meant to look for and remove the files and registry entries suggested in the article. 3. I may have been unclear. Certain researchers have discovered that the first payload did not begin until ccleaner.exe (32bit) had been open for roughly 10 minutes. I have seen this timing in action but am waiting on another Piriform moderator to speak with me before posting it (s/he lives in the UK so I think it's still late there). But my misspeak was to use "normal" when no evidence points to any non-normal situation. I hope this cleared up those 3 questions.
-
If you have 64 bit Windows, make sure you update your CCleaner to the latest version (5.35 at the time of this post). If you are very worried you can follow the steps in https://www.ghacks.net/2017/09/21/ccleaner-malware-second-payload-discovered/ However, the malware normally does not have the time to activate between the time ccleaner.exe (32bit) hands off to ccleaner64.exe.
-
So do CCleaner users need to use a custom location until the Piriform devs change the detect/cleaning rule? http://www.piriform.com/docs/ccleaner/advanced-usage/ccleaner-ini-files/how-to-clean-user-data-from-non-standard-mozilla-browsers
-
CCleaner not cleaning Chrome cookies again
Nergal replied to eruption77's topic in CCleaner Bug Reporting
Thanks to all, the developers read all threads; I'm sure (once the malware fire is over) they'll get this fixed.
-
I've pushed this up the ladder; hopefully we'll have an answer soon
-
@jonmar that is why it's suggested to check your PC for signs of payload 2. But the likelihood is high that only those corporations were targeted by the attack. I am not suggesting that people shouldn't be vigilant, but that an entire wipe is likely overkill. As attacks go, this one seems to be small. I've rarely seen a virus/malware that would require such a drastic measure.
-
Where did you find it on Piriform?
-
@rexg as I already told you, you seem to have checked all that is known to be checked at this stage. I'm sorry that I'm not officially with Piriform as an employee, but as a moderator I would hope that my words would've been enough. Right now, everything that's been disclosed you have done to protect your PC. The second stage stuff you were looking for has ONLY been noted on the computers of large influential companies - and only on 20 PCs out of hundreds or more checked at those organizations. Avast and Piriform are taking this seriously and they and Cisco are working in tandem. All three of those (Avast, Piriform, Cisco/Talos) are publicizing what they know as they know it. If more is discovered, then and only then might your safeness level rise to looking for more. If you've rid yourself of the 5.33, and if you've checked for the rare chance that you have second stage files and/or registry entries, then you've done all you can for now.
-
There was a security flaw (backdoor trojan) in the CCleaner 5.33 executable. The current version is 5.35; it is virus free.
-
Download the portable version from piriform.com/ccleaner/builds. Copy ccleaner.exe and ccleaner64 from the zip file to your installation path for CCleaner (usually c:\program files\ccleaner); this will require an admin account and/or a UAC confirmation depending on your PC's UAC setting. If it gets stuck trying to overwrite one of the files, delete the file (again admin and/or UAC) and tell the copy to retry.
-
It's been asked for before, yet not implemented.
-
Yes, Piriform does read these and (once the fire about 5.33 is out) they will work on getting your cleaning back in order.
-
CCleaner not cleaning Chrome cookies again
Nergal replied to eruption77's topic in CCleaner Bug Reporting
Have you both exhausted the steps found at https://forum.piriform.com/index.php?showtopic=40285 ? @eruption77 make sure to wipe all traces of 5.33 as it was infected with malware.
-
I believe CCleaner (32bit) had to completely load (show the CCleaner window) and, if on a 64bit machine, the handoff from ccleaner.exe to ccleaner64.exe was not enough for the backdoor to load. Please note this is my personal understanding based on what has been told to us and articles readily available to the public. It should not be confused for malware advice; if you feel you may be infected you should seek help at a reputable security website.
-
TR/CCleanerHKed.533.1.exe (Sep 19, 2017 23.36H)
Nergal replied to niko79's topic in CCleaner Bug Reporting
Niko79, that's not the official name of the exe; it looks like (especially since it's version 5.33, which is the trojan'd version) your antivirus renamed it.