CCleaner Community Forums

patrykr

About patrykr
  1. Hello, no one can confirm that for you with 100% certainty. Piriform, forum moderators and members provide the relevant information; the rest is up to you to figure out based on your knowledge of your system. There are some unusual and highly unlikely conditions which, when met, could get your system infected with the first payload. Let me tell you this: if I were on Millionaires, and the last $1.000.000 question were "Did malika4 get infected with the first stage payload during the CCleaner v5.33 infection incident?", and one of the answers were "No", I would (based on the info you provided: x64, no Agomo keys etc.) certainly choose "No", as that is simply the most probable answer.
  2. UAC (User Account Control) is basically the pop-up question you see when opening certain applications or most installers. It says something like: "Do you want to let this program make changes to your computer". CCleaner has a convenient setting (Advanced -> "skip UAC warning") allowing you to skip that pop-up question. The way it relates to the infection incident and 64 bit systems is as follows:
     - there are two files in the install directory (infected CCleaner.exe and non-infected CCleaner64.exe)
     - when the setting is disabled, only the non-infected CCleaner64.exe gets executed and CCleaner.exe is just sitting there completely dormant (so is the virus)
     - when the setting is enabled (by default, I think), both files get executed, but the infected CCleaner.exe just "for a little while", and that is exactly what raises questions and/or doubts
     Again, please note, I am not an expert and can be wrong.
  3. I think it depends on how you define "infection", because, technically, anyone using v5.33 was infected. The thing is, 64 bit systems were not affected by the infection (allegedly, as I have not seen official confirmation or, better yet, an explanation). They were not, because the infected file CCleaner.exe does not normally run on 64 bit systems. It just runs for a little while (or not at all, depending on your UAC configuration), perhaps not enough for the virus to execute? I'm sorry, this is the part I got no answer to, despite asking. After that, the file that really runs and works is the non-infected CCleaner64.exe. If you somehow managed to keep CCleaner.exe open instead of CCleaner64.exe (which does not normally happen, but probably could if you first deleted CCleaner64.exe) you would surely be both infected and affected by the infection.
     That information is non-sensitive. It can help in preparing a highly targeted attack against you, but as long as there are no apparent vulnerabilities in your system configuration, it is, in the worst case scenario, extremely hard (when you're careful). Also, no one can hack your Network Adapter just by knowing the MAC address; there has to be an exploitable vulnerability first (note that sometimes you see MAC addresses on the outer boxes of the hardware you buy).
     Perhaps the question you should be asking yourself is: did the infection leave your system vulnerable? The general consensus is no. However, some state that yes, everyone should reinstall their systems. The decision is yours to make. All the above are just my opinions. I am not an expert. Perhaps a power-user (at best).
  4. Dear Piriform/Avast Administrators/Programmers/Employees, I am really sorry you got hacked, I truly am. I have no idea what it must be like for you trying to scramble in the wake of huge corporations being affected. That being said, a considerable base of smaller users is affected as well. These are likely users of all sorts: home users, power users, maybe even experts. Some might still be using the trojanized v5.33 version and be completely unaffected (like, for example, my grandma would be, as she doesn't even own an email account). Some might just not care at all. Some might suffer from OCD and want to nuke their systems because of the sheer thought of having your products installed. The spreading misinformation is hurting everyone. Some people say everything is just fine, while others, like Craig Williams of Talos, recommend re-installing systems and claim you're affected just by running the installer (see comments @ Talos blogpost). The whole situation has even spawned vultures trying to plug as many programs into their removal guides as possible. Like in the bleepingcomputer.com guide, where they use 5 apps to quote remove Floxif CCleaner Trojan unquote. Like, seriously? That's the pinnacle of irresponsibility. I personally think it is your responsibility to end speculation and provide as much information as possible to satisfy users of all levels. That responsibility is so much more pronounced given the fact that Avast now owns Piriform. Me myself, I own 3 separate CCleaner Business Edition licenses, each valid for one computer. Yes, like many other users, I too want to avoid all the work and hassle associated with having to reinstall my systems. However, I also do important work and can't afford to risk it. So it all boils down to the fact that, most of all, I would like to make an informed decision about it, one way or another. Again, here are my concerns/questions; I am using a 64 bit system:
     1. Installer (ccsetup533_be.exe, MD5: 60f18d92353d46dfc715ffd9fbefecfc). One of my licenses was bought just recently, and I was using a different (Business Edition), I assume less popular, installer than most users. Is that installer affected the same way as the other, more popular ones, i.e. the executable of the installer itself is malware-free, and only installs the trojanized CCleaner.exe file? Businesses were the main target, so now I worry that the executable of the business installer itself might have been compromised as well.
     2. CCleaner.exe/CCleaner64.exe files. I run 64 bit systems. I do know (easy to check with SysInternals Process Monitor, which I did) that no matter what file I run, or what file the shortcut points to, both are being executed. I don't know how this works, but assume it has something to do with auto-privilege elevation. So, on x64 systems, is the execution of CCleaner.exe "deep enough" to reach the embedded malware code or not?
     3. x64 systems safety in case of malware code execution. If the malware code executes on x64 systems, what exactly is it that makes x64 systems safe? Is it the fact that the malware is dependent on CCleaner.exe being active, and since CCleaner.exe is short-lived, so is the malware? Also, can I be 100% sure that during this presumed partial malware execution, it (the malware) has done no changes to my filesystem/registry etc.? If any changes were made, what were they? Are they easy to fix, like deleting a file or registry entry, or are they more complex than that?
     I believe my questions are clear, valid and have not been properly addressed thus far. I would really, really appreciate an answer. Thank you very much for your work and support.
     Patryk R.
  5. But, what if they didn't fry the bigger ones? Wouldn't that leave them in pursuit of smaller fry? Just sayin'! What if Craig Williams of Talos is right about stealthiness and sophistication, and, I don't know, the malware left some huge black gaping hole in affected systems just waiting for someone to exploit?
  6. Hello, how it works is only dependent on how it was programmed to work and the environment (system) it works within. There is a 10-minute pause/delay programmed into the malware before it dials out. It was stated by people who reverse-engineered it, and also proven in the video you posted a link to. The only question is: does the malware process gain independence after being loaded into memory, or is it still dependent on the main CCleaner process being active? It is super easy to answer if someone wanted to and had time to check. All one has to do is repeat the steps in the video, but close CCleaner before the 10 minutes elapse. Would it still "call home" or not? Believe me, I wish it did. It would mean the malware process gains independence from CCleaner and in consequence support the theory that x64 systems are safe because it (the malware part) does not execute at all.
  7. Hello, do you know of any researchers other than Talos Group stating this? If that is true, it is worth noticing that 32-bit system CCleaner users who were using it on an as-needed basis could have avoided complete malware execution as well. All one had to do was run and close CCleaner (without leaving it in the tray) within the 10-minute window. It is how I've always been using it myself, and a 10-minute margin means it is more than doable. The first stage was meant to be spray-and-pray; that is why I would consider the above a flaw in the malware, limiting (possibly) its reach. Talos states that the malware starts but delays/pauses its operation by ~10 minutes. If that 10-minute wait period is dependent on the main CCleaner process being active, it would confirm the above. Too bad the video posted by Hazelnut does not answer this. Personally, I'm still hoping to officially learn that on x64 systems the malware did not execute in any capacity at all.
  8. Hello, I would like to notify Piriform Admins/Moderators that the (most likely custom) link https://dl.cleverbridge.com/502/(...)/ccsetup533_be.exe (link broken on purpose) I received when buying my license is still active and (per filename, obviously) points to the compromised v5.33 CCleaner installer. That is most likely what Edweather downloaded, as his link is probably active as well. Also, would it be possible for anyone from Piriform to officially confirm that on x64 systems (Windows 7 in my case) no parts of the malware get/got to execute (activate) and no unauthorized changes (no matter how insignificant) could be done to the system, regardless of which file (CCleaner.exe/CCleaner64.exe) is/was being run? Since people at Talos "dissected" the malware, I'm pretty sure Piriform/Avast did the same and someone knows the answer. Other than the long gone v5.33 CCleaner.exe file, neither my AV Suite (ESET and Malwarebytes) nor I have found any other indicators of compromise; however, one could argue that the malware was/(is?) sneakily covering its tracks. I'm really sorry, I do realize it sounds a bit paranoid, it's just that this is the first piece of malware I've had on any of my systems in ~20 or so years. Previous posters seem to ponder the exact same question, that's why I think addressing this issue will be most appreciated. Thank you very much!
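Added example (not from this thread, nor code from Piriform or Talos): a small Python check over a Process Monitor CSV export of the kind post 4 mentions, measuring how long each CCleaner process lived against the ~10-minute delay discussed in posts 6 and 7. The column names and timestamp format are assumed to match Procmon's default CSV export, and the log rows below are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample of a Procmon CSV export filtered to Process Start/Exit
# events. Column names and the "HH:MM:SS.fffffff AM" timestamp are assumed to
# follow Procmon's default layout; verify against your own export.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000000 AM","CCleaner.exe","4120","Process Start","","SUCCESS","Parent PID: 3000"
"10:00:01.5000000 AM","CCleaner64.exe","4188","Process Start","","SUCCESS","Parent PID: 4120"
"10:00:02.0000000 AM","CCleaner.exe","4120","Process Exit","","SUCCESS","Exit Status: 0"
"10:14:30.0000000 AM","CCleaner64.exe","4188","Process Exit","","SUCCESS","Exit Status: 0"
"10:20:00.0000000 AM","CCleaner.exe","5000","Process Start","","SUCCESS","Parent PID: 3000"
"""

# The ~10-minute dial-out delay described in the thread.
DELAY = timedelta(minutes=10)


def parse_time(s):
    """Parse Procmon's time-of-day; it writes seven fractional digits, %f takes six."""
    hms, _, rest = s.partition(".")
    frac, _, ampm = rest.partition(" ")
    return datetime.strptime(f"{hms}.{frac[:6]} {ampm}", "%I:%M:%S.%f %p")


def process_lifetimes(csv_text, delay=DELAY):
    """Pair Start/Exit events per (name, pid) and flag lifetimes >= delay.

    A process with no Exit event in the capture gets seconds=None and
    reached_delay=None: its lifetime is unknown, not zero. Captures that
    cross midnight are not handled (Procmon gives time of day only).
    """
    starts, result = {}, {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["Process Name"], row["PID"])
        if row["Operation"] == "Process Start":
            starts[key] = parse_time(row["Time of Day"])
        elif row["Operation"] == "Process Exit" and key in starts:
            lifetime = parse_time(row["Time of Day"]) - starts.pop(key)
            result[key] = {"seconds": lifetime.total_seconds(),
                           "reached_delay": lifetime >= delay}
    for key in starts:  # still running when the capture ended
        result[key] = {"seconds": None, "reached_delay": None}
    return result


if __name__ == "__main__":
    for (name, pid), info in sorted(process_lifetimes(SAMPLE_CSV).items()):
        print(f"{name} (PID {pid}): lifetime={info['seconds']}s "
              f"reached_delay={info['reached_delay']}")
```

Run it against a real export by reading the CSV file into `process_lifetimes`; the interesting row is the 32-bit CCleaner.exe, since the thread's question is whether it ever stays alive long enough for the delay to elapse.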