
robertcarroll6 (Experienced Members, 16 posts)

Posts posted by robertcarroll6

  1. As long as the 2nd stage virus (and any other viruses it downloaded later) didn't delete that key and/or itself before you checked.

    Didn't run ccleaner v5.33.0.6162 at any point = not infected...

    ....

    If Stage 2 possible:

    The attackers probably decided not to infect your computer. They had the option to infect you, but they passed. (This info comes from the attacker's captured server; the info could have been tampered with.)

    For those few machines that were passed stage 2, this malware could have taken any action(s), including downloading more malware, stealing info, and deleting all traces of infection.


    Useful summary. Thanks.

  2. Well said Patryk R. The silence from Piriform/Avast is deafening. Where is their integrity and responsibility to their clients/customers? I too am absolutely gobsmacked at this level of non-assistance...

    ...I too have regular backups to a separate HD, automated as full systems, but the time and losses to approx. July/August/Sept data are huge, seeing as I updated CCleaner at every version release.


    Lots of users are waiting for some clarity from Piriform before making decisions on restoring/re-imaging.

    As of now:

    1. The moderators seem to be saying restoring is overkill because installing 5.35 etc. magicks problems away.

    2. The YouTube video*** the mods are so anxious for us to view seems to be saying re-imaging is a waste of time since we are already "owned" by the hackers.

    3. Our best hope seems to be that the hackers will be too busy tussling with Microsoft and Google etc. to bother with anything they got from our systems.

    *** https://www.youtube.com/watch?v=i1u0LqZLDvc&feature=youtu.be

    It's ironic that mods on a Piriform-sponsored forum are linking to a clip called "The Horrors of Ccleaner". It has cool music.

  3. Hi all,

    I think I have been lucky because there are no signs that my PCs were affected, but yet I am still a bit concerned because of the uncertainties in this story....

    ...

    Even though the new developments don't seem to affect my own Windows 10 64-bit, all the "surprises" in this story still leave me in doubt. Call me paranoid, but I would like to be *positive* that my system has not been compromised.

    I also feel that the silence from Piriform and Avast on the official forums, after their first announcements and posts, is a sign that even they are not 100 percent sure that the incident caused no real harm at all. How could they be?

    Thanks in advance for any *real* clarifications.


    Excellent post pearshaped. The paucity of posts from Piriform/Avast employees and the lack of response to specific questions is pretty telling.

    Piriform/Avast seem to be hiding behind volunteer moderators who are working on partial information. The moderators are reduced to referencing blogs/articles which analyse the problem based on research by Cisco's Talos Group. In each blog/article Talos is quoted as saying that a restore/re-format is called for; however, the volunteer moderators insist this is "overkill".

    Like everyone else affected by this issue, I am anxious to avoid the time and cost and risks of restoring/re-formatting. In the absence of any coherent support from Piriform/Avast, the straw I'm grasping for at the moment is the suggestion that the hackers ignored us little guys in pursuit of bigger fry.

  4. If you have 64 bit Windows, make sure you update your ccleaner to the latest version (5.35 at the time of this post). If you are very worried you can follow the steps in https://www.ghacks.net/2017/09/21/ccleaner-malware-second-payload-discovered/ However, the malware normally does not have the time to activate between the time ccleaner.exe (32bit) hands off to ccleaner64.exe.


    Thanks for these suggestions Nergal, but they raise a couple more questions:

    1. You write "If you have 64 bit Windows, make sure you update your ccleaner to the latest version (5.35 at the time of this post)". Are you suggesting people with 32-bit Windows shouldn't update to 5.35?

    2. You write "If you are very worried you can follow the steps in https://www.ghacks.net/2017/09/21/ccleaner-malware-second-payload-discovered/ ".

    In the article you link to it says "Talos Group suggested to restore the computer system using a backup that was created prior to the infection. The new evidence reinforces this, and the researchers suggest strongly that it may not be enough to simply update CCleaner to get rid of the malware". Are you now suggesting we follow this advice (because a lot of us are, indeed, very worried)?

    3. You write "the malware normally does not have the time to activate between the time ccleaner.exe (32bit) hands off to ccleaner64.exe". Can you please clarify what "normally" means in this context? Under what "non-normal" circumstances would the malware have been activated?

    Thanks

    Robert

  5. The thing is they have to get permission before answering questions about it. Some stuff the moderation staff was asking about in a separate private area couldn't be answered either, because they had to get permission first, and all of that takes time. Frustrating, yes; however, we're all in the same boat and waiting for information that is hopefully not overly technical.


    Regardless of who's making the decisions, the lack of response to (or even acknowledgement of) some very straightforward questions being asked here is disrespectful, and particularly so given that Piriform has delivered some pretty dangerous software to our devices.

  6. @rexg as I already told you, you seem to have checked all that is known to be checked at this stage. I'm sorry that I'm not officially with Piriform as an employee, but as a moderator I would hope that my words would've been enough. Right now, everything that's been disclosed you have done to protect your PC.


    Nergal, your work as a volunteer is very much appreciated. However, it appears you are relying on the same Avast/Piriform blogs and press releases as the rest of us for your information, and these blogs etc. leave many straightforward questions unanswered.

    Several people are asking the same questions. Given the seriousness of the threat to our systems we really should be getting answers from Piriform employees based on their current knowledge.

    The last post from a Piriform employee was from Stephen nearly 24 hours ago (post #131). It was disingenuous at best: he posted a link to an extremely technical Avast blog post and then said he was working on answers to our more technical questions.

    Our questions aren't that technical. My summary of the questions is:

    Does the 32-bit/64-bit distinction still hold?

    Does having ccleaner.exe in scheduled startup mean we were exposed to 32-bit threats even on 64-bit devices?

    Has the 2nd payload been found anywhere other than servers on the target list?

    Others have been posting similar questions, none of which seem that technical.

    The other service Piriform/Avast could usefully provide their users with is a forum on how to reformat/restore/recover their systems to a pre-ccsetup533.exe state. Such a forum could be provided on a non-prejudicial basis for users who voluntarily decide to go down that road.

  7. Not sure if it is relevant to your point, but I did find (see my post above) that it was ccleaner.exe (32-bit?) scheduled to run at start-up on my Windows 7 64-bit machine, but on my Windows 10 64-bit machine it was ccleaner64.exe scheduled at start-up.


    Mind you, "login" (post 129 above) found ccleaner.exe in the start-up schedule on his Windows 10 64-bit device.

  8. In the Avast blog update, when it talks about the 32- and 64-bit Trojan of the second payload, they speak of Windows 7 and XP, so it can probably be that the 32-bit Trojan can activate in a 64-bit system, but on 7 or XP (systems that most companies still use).


    Not sure if it is relevant to your point, but I did find (see my post above) that it was ccleaner.exe (32-bit?) scheduled to run at start-up on my Windows 7 64-bit machine, but on my Windows 10 64-bit machine it was ccleaner64.exe scheduled at start-up.

  9. Thanks Stephen

    You write... "We are working on getting you answers to some of your more technical questions."

    The Avast blog is interesting but far too technical for most of us posting here.

    It is some of the less technical questions we need answers to, e.g. (as in my posts above):

    Is the 2nd payload a threat to casual users?

    Is running the 64-bit a reason to feel any more secure?

    Does having ccleaner.exe as part of the startup schedule mean even 64-bit machines are exposed to the 32-bit threat?

    Or should we just follow the advice from Cisco etc. and wipe our machines and re-install from scratch?

    Robert

  10. Dear Tom Piriform

    I understand that more information is being uncovered all the time about this incident and that the situation inside Piriform must be hectic. However, I think we should be given information based on the current knowledge about this incident.

    Specifically I would appreciate it if an official person from Piriform could confirm whether the following statements reflect the current state of knowledge:

    1. To date, there is no evidence that the second-level payload was distributed anywhere other than to a specifically targeted group of users.

    2. Users who launch CCleaner by running ccleaner64.exe are not under threat regardless of whether they downloaded and ran ccsetup533.exe or not.

    The latest information from Avast is at https://blog.avast.com/avast-threat-labs-analysis-of-ccleaner-incident

    Users of limited technical knowledge (like myself) won't get much from that blog entry. However, its mentions of 64-bit systems make me a bit nervous about previous reassurances.

    Thanks


    Hi Tom Piriform,

    Based on what I found in my startup scheduled tasks (see previous post) after reading login's post, I now have a third question:

    3. Does the fact that ccleaner.exe (contains 32-bit code?) was in my startup scheduled tasks indicate that I was more exposed to the malware?

    Thanks

  11. 1. Was there any malicious code in the 64-bit version of CCleaner?

    2. Why is a 32-bit exe file installed on a 64-bit system?

    3. Does the 64-bit system always run the 64-bit version of CCleaner?

    4. If the 64-bit version is clean, could a Trojan from a 32-bit exe file get into a 64-bit system? In theory?

    5. Why, in a 64-bit system, when you skip the Account Control for CCleaner, is a 32-bit version (CCleaner.exe) added to the tasks?


    Hi login, thanks for more info on this stuff. I had no idea ccleaner would be scheduled to run on startup. I found

    Windows 7 64-bit machine - ccleaner.exe (not ccleaner64.exe) scheduled to run on startup

    Windows 10 64-bit machine - ccleaner64.exe scheduled to run on startup

    Robert
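The question running through the post above (which binary the start-up task actually launches, and whether that image is 32-bit or 64-bit) can be answered from the task definition and the file itself rather than guessed from the file name. The script below is an added example written for this page; it is not code from the forum thread, from Piriform or from Avast. It assumes an elevated PowerShell on Windows 8 or 10, where the ScheduledTasks module provides Get-ScheduledTask (on Windows 7 the task list has to come from `schtasks /query /v /fo csv`, and the path in its "Task To Run" column can be fed to Get-PEBitness by hand), and it assumes the installed binary carries a version resource. Bitness is read from the Machine field of the PE file header, and the file version is compared with 5.33.0.6162, the build named earlier in the thread. The function names and the output column names are the example's own, not Piriform identifiers.

```powershell
# Added example for this page; not code from the forum thread, Piriform or Avast.
# Assumes Windows 8/10 with the ScheduledTasks module, run from an elevated prompt.

function Get-PEBitness {
    # Reads IMAGE_FILE_HEADER.Machine to tell an x86 image from an x64 one.
    param([Parameter(Mandatory = $true)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # 'MZ' DOS header; e_lfanew (offset of the PE signature) is at 0x3C
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { return 'not a PE file' }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    if ($peOffset -lt 0 -or ($peOffset + 6) -gt $bytes.Length) { return 'truncated PE header' }
    # 'PE\0\0' signature (4 bytes) is followed by the 2-byte Machine field
    if ($bytes[$peOffset] -ne 0x50 -or $bytes[$peOffset + 1] -ne 0x45) { return 'bad PE signature' }
    $machine = [BitConverter]::ToUInt16($bytes, $peOffset + 4)
    switch ($machine) {
        0x014C  { return 'x86 (32-bit)' }
        0x8664  { return 'x64 (64-bit)' }
        default { return ('unknown machine 0x{0:X4}' -f $machine) }
    }
}

function Get-CCleanerStartupTasks {
    # Walks every scheduled task and reports each action that launches a CCleaner binary.
    # On Windows 7 (no ScheduledTasks module) take the "Task To Run" column from
    # `schtasks /query /v /fo csv` and pass that path to Get-PEBitness instead.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Skip COM-handler actions and anything that is not CCleaner (-match is case-insensitive)
            if (-not $action.Execute -or $action.Execute -notmatch 'ccleaner') { continue }

            $exe    = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            $exists = Test-Path -LiteralPath $exe
            $bits   = 'missing'
            $ver    = 'missing'
            if ($exists) {
                $bits = Get-PEBitness -Path $exe
                $vi   = (Get-Item -LiteralPath $exe).VersionInfo
                $ver  = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
            }

            # 5.33.0.6162 is the trojanised build named in the thread
            [pscustomobject]@{
                TaskPath        = $task.TaskPath
                TaskName        = $task.TaskName
                State           = $task.State
                Executable      = $exe
                Arguments       = $action.Arguments
                Bitness         = $bits
                FileVersion     = $ver
                TrojanisedBuild = ($ver -eq '5.33.0.6162')
            }
        }
    }
}

Get-CCleanerStartupTasks | Format-Table -AutoSize
```

A row with Bitness "x86 (32-bit)" on a 64-bit machine is exactly the situation the post is asking about: the task is launching the 32-bit image, whatever the task name suggests. A row with TrojanisedBuild True means the 5.33.0.6162 file is still on disk; an updated task that now points at ccleaner64.exe says nothing about a 32-bit copy that may still sit beside it, which is why the script reports every CCleaner action rather than the first one it finds.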

  12. Dear Tom Piriform

    I understand that more information is being uncovered all the time about this incident and that the situation inside Piriform must be hectic. However, I think we should be given information based on the current knowledge about this incident.

    Specifically I would appreciate it if an official person from Piriform could confirm whether the following statements reflect the current state of knowledge:

    1. To date, there is no evidence that the second-level payload was distributed anywhere other than to a specifically targeted group of users.

    2. Users who launch CCleaner by running ccleaner64.exe are not under threat regardless of whether they downloaded and ran ccsetup533.exe or not.

    The latest information from Avast is at https://blog.avast.com/avast-threat-labs-analysis-of-ccleaner-incident

    Users of limited technical knowledge (like myself) won't get much from that blog entry. However, its mentions of 64-bit systems make me a bit nervous about previous reassurances.

    Thanks

  13. Hello everyone,

    Yesterday I updated the first post in this thread to give a better overview of events to any new reader, and as a handy reference for anyone wishing to fact-check.

    This morning another official announcement has been made from the team investigating the attack. Importantly, it reveals that the second-stage payload was delivered to select IP addresses and seems to be targeted at select large technology and telecommunication companies in Japan, Taiwan, the UK, Germany and the US. I would encourage you to read this blog and I have added it to the threadstarter.

    Avast blog: Investigation Progress Update by Avast Threat Labs team (Thursday, 21 September 2017)
    https://blog.avast.c...r-investigation


    Seems we're getting a bit of "severity creep" here.

    1. The second-stage payload was delivered after all, but us little people are okay because the hackers only aimed it at selected corporate targets?

    2. Does the "32-bit bad, 64-bit safe" distinction still hold?

    There is more information, including a list of targeted corporates, at:

    https://www.bleepingcomputer.com/news/security/ccleaner-hack-carried-out-in-order-to-target-big-tech-companies/

    and

    http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html

  14. I am not particularly knowledgeable on such situations.

    I think those who have/may have installed the version identified have many questions. A few I can think of are:

    1) Will updating to the latest software version remove the infected files? I assume it will, as it was those particular files that were affected. However, what about the "2nd payload" mentioned in the blog post? Was this actually downloaded, or just potentially could have been downloaded if set to do so? If it is downloaded somewhere, is it in a separate location from the files affected or in the same location, and will it too be removed? Clarification on this would be good.

    2) The blog post mentions it is the 32-bit version of Windows that is affected. From the above post I can see that it is the 32-bit version of the CCleaner software that is affected. I assume the 64-bit version isn't affected; however, like the above post mentions, their ccsetup5.33 installer has been flagged (mine too). When I read one of the original articles I updated immediately as I had the affected version number in question, however I did not notice if I had the 64-bit or 32. It now says I have the 64-bit latest release. This may sound dumb, but I guess that the updater will not update to 64-bit from 32, and assume I had 64-bit before? If anyone could confirm that would be great.

    3) Is there any information on what the 2nd payload did/was supposed to do? I guess what people really want to know is: are all my passwords safe? Is my bank info safe? Do I need to change everything?

    4) Is there any way to tell if we were/are infected? Can we see if our PCs contacted this IP or downloaded anything from there? Will the latest updates to scanners detect anything? (See Q5)

    5) I assume that all the security packages, malware scanners etc. are now aware of the situation and can scan for anything affected? I guess I should be checking their website for updates as well, but clarification on this would be good.

    I realise some of these are probably dumb questions, but there may be people out there who are in the same boat and would like information on this matter to sort the problem or alleviate their own fears.

    Thanks


    All pertinent questions that I think many users would like to see answered.

  15. So far I've seen lots of technical information about the backdoor Trojan security breach in 5.33 but virtually no advice on what action I should take, other than update to 5.34 (which I have done).

    I don't really want to revert to a pre-August system backup unless I have to, so what are the risks?

    A scan with Malwarebytes seemed to indicate 'petya' in the cc533 setup file. I believe that is ransomware, so was that the objective? Or has all my financial login data etc. been collected and distributed, so I need to change all my passwords?

    Please, Piriform, give us a clear account of the risks we now face (if any) and some practical advice on limiting the damage.


    Under the circumstances you would think Piriform would be bending over backwards to help users with questions like these.
