Nergal

Moderators
Everything posted by Nergal

  1. So do CCleaner users need to use a custom location until the Piriform devs change the detect/cleaning rule? http://www.piriform.com/docs/ccleaner/advanced-usage/ccleaner-ini-files/how-to-clean-user-data-from-non-standard-mozilla-browsers
  2. Thanks to all. The developers read all threads; I'm sure (once the malware fire is over) they'll get this fixed.
  3. I've pushed this up the ladder; hopefully we'll have an answer soon.
  4. @jonmar that is why it's suggested to check your PC for signs of payload 2. But the likelihood is high that only those corporations were targeted by the attack. I'm not suggesting that people shouldn't be vigilant, but that an entire wipe is likely overkill. As attacks go, this one seems to be small. I've rarely seen a virus/malware that would require such a drastic measure.
  5. @rexg as I already told you, you seem to have checked all that is known to be checked at this stage. I'm sorry that I'm not officially with Piriform as an employee, but as a moderator I would hope that my words would've been enough. Right now, everything that's been disclosed you have done to protect your PC. The second-stage stuff you were looking for has ONLY been noted on the computers of large, influential companies, and only on 20 PCs out of hundreds or more checked at those organizations. Avast and Piriform are taking this seriously, and they and Cisco are working in tandem. All three of those (Avast, Piriform, Cisco/Talos) are publicizing what they know as they know it. If more is discovered, then and only then might your safeness level rise to looking for more. If you've rid yourself of the 5.33, and if you've checked for the rare chance that you have second-stage files and/or registry entries, then you've done all you can for now.
  6. There was a security flaw (backdoor trojan) in the CCleaner 5.33 executable. The current version is 5.35; it is virus free.
  7. @Emrah just the name geesetup_x86.dll, though I even just did "geesetup" and had it search for that everywhere on my hard drive. As for the last two, I had no clue what they meant, so I just ignored them.
  8. @Emrah I wouldn't be able to tell you or anyone 100%, but those are the steps I took, and I am (until further news is released) confident in my safeness.
  9. Download the portable version from piriform.com/ccleaner/builds. Copy ccleaner.exe and ccleaner64.exe from the zip file to your installation path for CCleaner (usually c:\program files\ccleaner); this will require an admin account and/or a UAC confirmation, depending on your PC's UAC setting. If it gets stuck trying to overwrite one of the files, delete the file (again, admin and/or UAC) and tell the copy to retry.
  10. @Emrah earlier today a second stage was found on a small number of computers at a select number of big companies. For more info, read the links in my previous post.
  11. It's been asked for before, yet not implemented.
  12. Yes, Piriform does read these, and (once the fire about 5.33 is out) they will work on getting your cleaning back in order.
  13. To those worried about the newly released 2nd stage: it looks like it was very limited. http://bgr.com/2017/09/21/avast-ccleaner-backdoor-hack-malware/ https://arstechnica.com/information-technology/2017/09/ccleaner-malware-outbreak-is-much-worse-than-it-first-appeared/
  14. Have you both exhausted the steps found at https://forum.piriform.com/index.php?showtopic=40285 ? @eruption77 make sure to wipe all traces of 5.33, as it was infected with malware.
  15. Symantec (and maybe Norton too) users may find a DLL with the name of the 64-bit second payload. Choose File Insight or VirusTotal to make sure whether it's valid or not. My VirusTotal: https://www.virustotal.com/#/file/3a1bd821724b6da69011f9cf7b162e14d5f1c4f30c2c9897a751761db03a2d9c/detection
  16. @rexg I'd at least say you've done as much as anyone could do. While I can't guarantee that something else won't come up, you sound like you've got a handle on it.
  17. I believe CCleaner (32-bit) had to completely load (show the CCleaner window) and, if on a 64-bit machine, the handoff from ccleaner.exe to ccleaner64.exe was not enough for the backdoor to load. Please note this is my personal understanding based on what has been told to us and articles readily available to the public. It should not be confused with malware advice; if you feel you may be infected, you should seek help at a reputable security website.
  18. The version your antivirus captured was the trojaned version 5.33, the setup for which you still had on your PC somewhere.
  19. Niko79, that's not the official name of the exe; it looks like (especially since it's version 5.33, which is the trojaned version) your antivirus renamed it.
  20. @DuffyD download the portable version from piriform.com/ccleaner/builds, copy ccleaner.exe and ccleaner64.exe, and paste them into the install path (usually c:\program files\ccleaner). Before doing this, make sure CCleaner is not running (also check the system tray in case monitoring is activated).
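The checks and the portable-binary swap that Nergal walks people through in posts 7, 9, 15, 18 and 20, gathered into one PowerShell script. This is an added example and is not code from Nergal, from the forum or from Piriform. It assumes the default install path under Program Files, assumes the portable zip from piriform.com/ccleaner/builds has already been downloaded to the path given in $PortableZip, and treats a 5.33 ProductVersion in the PE version resource as the marker for the trojaned build (which is why a renamed copy, as in post 19, is still caught). It only reports what it finds and replaces the two binaries on request; whether a hashed file is malicious still has to come from the VirusTotal report, not from this script.

```powershell
#Requires -Version 5.0
# Added example for this thread, not Nergal's or Piriform's code.
# Automates: 5.33 version check, disk sweep for geesetup_x86.dll and stray 5.33
# CCleaner executables, SHA-256 of a suspect file, and the portable-binary swap.
param(
    # Assumed default install path; override if CCleaner lives elsewhere.
    [string]$InstallDir  = (Join-Path $env:ProgramFiles 'CCleaner'),
    # Assumed location/name of the portable zip downloaded from piriform.com/ccleaner/builds.
    [string]$PortableZip = (Join-Path $env:USERPROFILE 'Downloads\ccleaner-portable.zip'),
    # Optional file to hash for a VirusTotal lookup (e.g. the DLL mentioned in post 15).
    [string]$SuspectFile = '',
    # Only swap the binaries when explicitly asked; this part needs an elevated shell.
    [switch]$Replace
)

# ProductVersion comes from the PE version resource, so it survives a rename.
function Get-CCleanerVersion([string]$Path) {
    if (-not (Test-Path $Path)) { return $null }
    return (Get-Item $Path).VersionInfo.ProductVersion
}

# 1. Is the installed build the trojaned 5.33?
$installedExe = Join-Path $InstallDir 'CCleaner.exe'
$ver = Get-CCleanerVersion $installedExe
if ($null -eq $ver)         { Write-Host "No CCleaner.exe at $installedExe" }
elseif ($ver -like '5.33*') { Write-Warning "Installed CCleaner is $ver, the build that shipped with the backdoor" }
else                        { Write-Host "Installed CCleaner is $ver" }

# 2. Sweep fixed drives for the second-stage filename from post 7 and for leftover
#    5.33 CCleaner executables or installers (post 18). Slow on large disks.
$patterns = 'geesetup_x86.dll', '*ccleaner*.exe'
$roots = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Used -gt 0 } | ForEach-Object { $_.Root }
$hits = foreach ($root in $roots) {
    foreach ($pattern in $patterns) {
        Get-ChildItem -Path $root -Filter $pattern -Recurse -Force -File -ErrorAction SilentlyContinue
    }
}
foreach ($f in $hits) {
    if ($f.Name -ieq 'geesetup_x86.dll') {
        Write-Warning "Second-stage filename found: $($f.FullName)"
    } elseif ((Get-CCleanerVersion $f.FullName) -like '5.33*') {
        Write-Warning "5.33 CCleaner binary still on disk: $($f.FullName)"
    }
}

# 3. Hash a suspect file so it can be looked up on VirusTotal by SHA-256 (post 15 links
#    a report by exactly this kind of hash) instead of uploading it.
if ($SuspectFile -and (Test-Path $SuspectFile)) {
    $sha = (Get-FileHash -Path $SuspectFile -Algorithm SHA256).Hash.ToLower()
    Write-Host "SHA-256 $sha"
    Write-Host "https://www.virustotal.com/#/file/$sha/detection"
}

# 4. Swap in the portable binaries (posts 9 and 20): stop CCleaner first, including the
#    tray monitor, then overwrite CCleaner.exe and CCleaner64.exe in the install path.
if ($Replace) {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run from an elevated PowerShell to overwrite files under Program Files'
    }
    Stop-Process -Name 'CCleaner', 'CCleaner64' -Force -ErrorAction SilentlyContinue
    $staging = Join-Path $env:TEMP 'ccleaner-portable'
    Expand-Archive -Path $PortableZip -DestinationPath $staging -Force
    foreach ($name in 'CCleaner.exe', 'CCleaner64.exe') {
        $src = Get-ChildItem -Path $staging -Filter $name -Recurse -File | Select-Object -First 1
        if (-not $src) { throw "$name not found in $PortableZip" }
        Copy-Item -Path $src.FullName -Destination (Join-Path $InstallDir $name) -Force
        $newVer = Get-CCleanerVersion (Join-Path $InstallDir $name)
        Write-Host "Replaced $name with version $newVer"
    }
}
```

Run it once without -Replace to see what it reports, then again with -Replace from an elevated prompt (Run as administrator) once the portable zip is in place; the elevation check stands in for the UAC confirmation the posts mention, and a Copy-Item failure on a locked file means CCleaner or its monitor is still running.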
  21. Version 1.20.91 was released with fixes for Oreo. Please let us know if it fixed your issue.
  22. Version 1.20.91 was released with fixes for Oreo. Please let us know if it fixed your issue.
  23. @Cerberus8 the 64-bit version was in fact virus free; the problem is that the 32-bit one is included in an install. On your computer it looks like you deleted ccleaner.exe manually and sent it to the recycle bin (that's shown on your screenshot under location). It is postulated that the handoff from ccleaner.exe to ccleaner64.exe takes place before the trojan is up and running.