Announcement: Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191

Make sure you are installing the latest version 5.35 from here.

https://www.piriform.com/ccleaner/builds

Congratulations Bangeny. You get the prize for being the only person today to get a question answered by anybody with any connection to Piriform/Avast.

I use the paid-for version v5.35.6210 (64-bit).

On 20th Sept 2017 my Avira detected 2 Trojans.

Can anyone shed some light on this please?

The auto CCleaner daily update downloaded them.


CCleanerHked533.1 trojan

Gaz132, what Windows do you have? 7 or XP?

On the Malwarebytes forum a user asked about Windows 10 and the 64-bit version. The expert said that Malwarebytes detects and deletes the Trojan and the registry key, and if the Agomo registry key isn't on the system the backdoor has not affected the PC.

Mind you, "login" (post 129 above) found ccleaner.exe in the start-up schedule on his Windows 10 64-bit device.

Same for me, but the directory is C:\Program Files (64-bit), not C:\Program Files (x86), so is this important or not for executing a 64-bit version?

This malware issue affected my two 64-bit Windows 7 systems. The malware also attempts to change the Internet Explorer Home Page at every new launch of Internet Explorer. The warning that some program is trying to do this appears every time. Uninstalling the malware after using Malwarebytes or Bitdefender eliminates this effect until reboot. I can establish cause and effect here. The way that I discovered it was on Sept 19th, Bitdefender blocked the CCleaner exe. When I rebooted, once the system tray application which runs by default loaded, the problem of the IE homepage hijack returned as well as a subsequent security warning regarding CCleaner. This means that the malware is not only in the install file, but rather running in one or more of the program modules. Only total uninstall eliminated the problem. Additionally, simply because a system is 64-bit and CCleaner installs itself under a 64-bit heading, this does not exclude the fact that 32-bit modules are running. The system tray module is a 32-bit module. Lots of software running on 64-bit OSes is 32-bit in whole or in part.

On one of my systems an additional malware was blocked on the program path: backdoor.Agent.ABXS.

Nice thing is that one of my systems was a complete system reload, not used for anything of consequence yet, so the ccleaner exploit happened in a rather controlled environment.

I have notified http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html of this and made my systems available to them if they want to look since I doubt that we will be receiving any truth from Avast/Piriform.

I love the story about them keeping it quiet while working with law enforcement. I called it years ago that this would be the BS excuse for companies to hide security breaches and address the lateness of announcing it to the general public.

Did you have a registry folder Agomo?

HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo

Or one of the listed registry folders?

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\002
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\003
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\004
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP

Make sure you are installing the latest version 5.35 from here.

https://www.piriform.com/ccleaner/builds

I just tried downloading v5.35 from that link, and McAfee is still blocking installation, and calling it a Trojan. Below is the log from McAfee. Please advise.

Adaptive Threat Protection Analyzer / Detector
Product name: McAfee Endpoint Security
Product version: 10.5.2.2078
Feature name: On-Execute Scan
Threat
  Action taken: Block
  Threat category: Malware Detected
  Threat event ID: 35104
  Threat handled: Yes
  Threat name: ATP/Suspect!92fcff26e8c5
  Threat severity: Critical
  Threat timestamp: 9/22/2017 14:56
  Threat type: Trojan
Source
  Source process name: C:\USERS\xxxxxxx\DOWNLOADS\CCSETUP535.EXE
  Source user name: GLOBAL\xxxxxxx
Target
  Target hash: e6f5ad3fd6d0f64ec88357fc481a71ab
  Target name: CCLEANER64.EXE
  Target path: C:\PROGRAM FILES\CCLEANER
  Target signer: Symantec Class 3 SHA256 Code Signing CA
Other
  Vector type: Local System
  Description: Adaptive Threat Protection Detection

Download the slim build from that link.

This is really pissing me off. Like I said on another thread, I was able to run a scan of MSE and delete the trojan. But there's still something very wrong. And the thing that drives me up the wall is I ran another scan of MSE and the system's clear. Hell, I even redownloaded Malwarebytes to run for one scan only (the new upgrade from this year didn't sound like it gelled well with the computer I have and that's why I had to get rid of it). Anyway, that scan came out clean. There's still something wrong with MSE because I'm getting errors when I try and click on "help". It's an application not found error and I got errors this morning and yesterday if I updated the virus and spyware definitions.
I literally don't know what to do. And I sure as hell don't have the money to pay for somebody else's *uck up. I'm careful with the stuff I download and the sites I visit and here this crap's been undetected for a month. This was a program I'd had for many years but this whopper has pretty much cut my trust for the program. Not to mention my "security" programs that made me have the false belief the system was clean. It's very unfortunate that this program was one I always followed the 'nags' over about a new update being released. Idk if I'm keeping this program after this has blown over.
I need help. If nobody here can help, please point me to a direction where I can possibly get some help without making the already bad problem even worse.
Oh, and I did download the latest install of CCleaner. I'm gonna cool off and come back later.

glitterfalls

I agree...I am also in need of help.

My head's doing me in on this.......!!!

Do I reinstall Windows (no option to restore to an earlier time as they seem to be deleted) or not?

PLEASE someone from either Piriform or Avast make it CLEAR what we need to do.

I have searched my computer for these dlls they mention.

stage 2 installer is GeeSetup_x86.dll

The 32-bit trojan is TSMSISrv.dll

the 64-bit trojan is EFACli64.dll

as well as….

VirtCDRDrv

SymEFA

Can't find any of these.

I also looked in the Registry for the keys

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\002

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\003

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\004

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP

Again nothing there. There was a WbemPerf with a default key but no keys labelled 1 to 4.

From my understanding and investigation there will be a “default” key there with no value.

SO does that mean I am OK ?? or not ??

PLEASE someone from either Piriform or Avast make it CLEAR what we need to do.

There seems to be a LOT of confusing messages out there.

A LOT of technical sites and jargon that newbies like me, just don't understand.

I'm careful with what I download but now........I don't know.
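The checks the last two posts describe (the Agomo and WbemPerf registry keys, the stage-2 file names, the CCleaner build number, and whether ccleaner.exe is launched at start-up) can be run in one go. The script below is an added example, not code from Piriform, Avast or anyone in this thread. It is read-only: it reports what it finds and removes nothing. It assumes the default CCleaner install folders, adds the WOW6432Node view of the Agomo key (a 32-bit process writing HKLM\SOFTWARE on 64-bit Windows is redirected there), and matches VirtCDRDrv and SymEFA with wildcards because the thread gives them without an extension. Run it from an elevated PowerShell.

```powershell
# Added example (not from Piriform/Avast or any poster): read-only triage for the
# indicators quoted in this thread. Assumptions: default install dirs, WOW6432Node
# paths for 32-bit registry redirection, wildcard matches for extension-less names.

function Invoke-CCleanerTriage {
    $report = New-Object System.Collections.Generic.List[string]

    # 1. Installed CCleaner binaries: the announcement names build 5.33.6162, so any
    #    5.33.* file version is flagged. FileVersion may read "5, 33, 0, 6162", hence
    #    the normalisation to dots.
    $dirs = @("$env:ProgramFiles\CCleaner", "${env:ProgramFiles(x86)}\CCleaner")
    foreach ($dir in $dirs) {
        foreach ($exe in 'CCleaner.exe', 'CCleaner64.exe') {
            $path = Join-Path $dir $exe
            if (-not (Test-Path $path)) { continue }
            $ver = ((Get-Item $path).VersionInfo.FileVersion -replace '[, ]+', '.')
            if ($ver -like '5.33.*') { $report.Add("COMPROMISED BUILD present: $path (file version $ver)") }
            else                     { $report.Add("ok: $path is file version $ver") }
        }
    }

    # 2. Registry keys named in the thread. A bare WbemPerf key that has only a
    #    (Default) value, as one poster describes, is not a hit; only these subkeys are.
    $keys = @(
        'HKLM:\SOFTWARE\Piriform\Agomo',
        'HKLM:\SOFTWARE\WOW6432Node\Piriform\Agomo',   # assumption: 32-bit redirected view
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\001',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\002',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\003',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\004',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP'
    )
    foreach ($k in $keys) {
        if (Test-Path $k) { $report.Add("FOUND registry key: $k") } else { $report.Add("absent: $k") }
    }

    # 3. Stage-2 file names quoted in the thread, searched under the usual roots.
    #    Each hit is reported with its Authenticode status so a legitimately signed
    #    file (SymEFA* may match a vendor's own component) can be told apart.
    $names = 'GeeSetup_x86.dll', 'TSMSISrv.dll', 'EFACli64.dll', 'VirtCDRDrv*', 'SymEFA*'
    $roots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)},
               $env:ProgramData, $env:LOCALAPPDATA, $env:APPDATA) | Where-Object { $_ }
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Recurse -Force -Include $names -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                $report.Add(("FOUND file: {0} (signature {1}, signer {2})" -f
                    $_.FullName, $sig.Status, $sig.SignerCertificate.Subject))
            }
    }

    # 4. Start-up entries and scheduled tasks that launch CCleaner, with the exact
    #    executable, so the 32-bit ccleaner.exe vs CCleaner64.exe question is answered.
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($rk in $runKeys) {
        if (-not (Test-Path $rk)) { continue }
        (Get-ItemProperty -Path $rk).PSObject.Properties |
            Where-Object { $_.Value -is [string] -and $_.Value -match 'ccleaner' } |
            ForEach-Object { $report.Add(("start-up entry '{0}' in {1}: {2}" -f $_.Name, $rk, $_.Value)) }
    }
    if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {   # cmdlet absent on Windows 7
        Get-ScheduledTask | Where-Object {
            ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -match 'ccleaner'
        } | ForEach-Object {
            $report.Add(("scheduled task {0}{1}: {2}" -f $_.TaskPath, $_.TaskName,
                        (($_.Actions | ForEach-Object { $_.Execute }) -join '; ')))
        }
    }

    $hits = @($report | Where-Object { $_ -like 'FOUND*' -or $_ -like 'COMPROMISED*' })
    $report.Add("summary: $($hits.Count) indicator(s) found")
    return $report
}

# Print the report and keep a copy on the desktop for whoever helps with the follow-up.
Invoke-CCleanerTriage | Tee-Object -FilePath "$env:USERPROFILE\Desktop\ccleaner-triage.txt"
```

Lines beginning FOUND or COMPROMISED are the ones that matter; "absent" and "ok" lines are there so the output shows which checks actually ran. The recursive file search under the Windows folder can take a few minutes.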


Somehow I doubt we'll get help from CCleaner. I'm gonna see if I can get help on the Microsoft community. That's about the only place I can turn to.

I'm glad you mentioned restore points. I was thinking this morning about restoring if I possibly could. With what you said, it doesn't sound like that's an option. Plus I'd be wary even the stuff from before this s**t Trojan got on there could've infected even the good restore points.

I hope I can find another alternative to CCleaner. I did like the program. But this is just too much. I can see picking up Trojans if I'm browsing porn sites or something like that. I'm not. Maybe I'm wrong thinking this way, it almost seems like I'm expecting perfection. It's just that CCleaner has been something that's been on my computers for years. I do hold them to higher regard. For something like this to pass through and for it to take so long for anybody to notice, it really bugs me and makes me strongly distrust anything else the company puts out.

I wish you the best of luck. Same goes for anybody else that's been impacted by this. This is a huge worry and causing the users a lot of stress. I'm just gonna come up with my other message and shut down for a few hours so I won't be tempted to keep on checking it every 2 minutes.

And I'm really crossing my fingers I don't have to do a full wipe and start from 0. There's a few things on my computer I don't have backed up. Hell, I don't even know if I can trust those files even if I did get out the external hard drive to back them up. They might screw up everything good on the external hard drive.

@rexg as I already told you, you seem to have checked all that is known to be checked at this stage. I'm sorry that I'm not officially with Piriform, as an employee, but as a moderator I would hope that my words would've been enough.

Right now, everything that's been disclosed you have done to protect your PC.

The second stage stuff you were looking for has ONLY been noted on the computers of large influential companies - and only on 20 PCs out of hundreds or more checked at those organizations. Avast and Piriform are taking this seriously and they and Cisco are working in tandem. All three of those (Avast, Piriform, Cisco/Talos) are publicizing what they know as they know it. If more is discovered then and only then might your safeness level rise to looking for more.

If you've rid yourself of the 5.33, if you've checked for the rare chance that you have second stage files and/or registry, then you've done all you can for now.


Correct me if I'm wrong but the number of 20 PCs infected with the stage 2 payload is from the database of the seized CnC server. But the database only had data from a few days starting from sept. 12th to about the 15th? All of the data that was on there from aug. 15th to sept. 11th had been wiped, so there could be many more computers infected with the stage 2 payload.

@jonmar that is why it's suggested to check your pc for signs of payload 2. But the likelihood is high that only those corporations are targeted by the attack.

I am not suggesting that people shouldn't be vigilant but that an entire wipe is likely overkill. As attacks go, this one seems to be small. I've rarely seen a virus/malware that would require such a drastic measure.

FWIW I just downloaded a fresh install of CCleaner tonight at 11pm from the Piriform site, and instantly scanned it with Malwarebytes, and it found 2 malware infections. You folks have some work to do, and in the mean time I'm uninstalling CCleaner from our three computers.

Today I read an article on Sky Tg24 (Italian page http://tg24.sky.it/tecnologia/2017/09/21/attacco-ccleaner-grandi-aziende.html?social=facebook_skytg24) where they write that the malware was directed at Windows 7 and XP PCs of important companies, so I think that the malware that is in the 32-bit version of CCleaner 5.33 can execute on a 64-bit version of Windows 7 (not in Windows 10).

So I ask the people with 64-bit who have found the malware whether they have Windows 7 and whether they found the Agomo registry key and the WbemPerf 1-4 registry keys.

Thanks

P.S. Since Monday I have been anxious and nervous about this question.

FWIW I just downloaded a fresh install of CCleaner tonight at 11pm from the Piriform site, and instantly scanned it with Malwarebytes, and it found 2 malware infections. You folks have some work to do, and in the mean time I'm uninstalling CCleaner from our three computers.

What is the name of the file you downloaded and scanned? I just downloaded the current installer, ccsetup535.exe, and scanned it with Windows Defender, Spybot and Malwarebytes and all scans were clean.
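Before running a freshly downloaded installer, it is worth recording what you actually have: its version, hashes and code signature. The function below is an added example, not Piriform's code; the download path is an assumption. MD5 is included because the McAfee log earlier in the thread reports its "Target hash" in that form; SHA256 is what you would compare against a value published by the vendor or a scanning service. Note that a valid signature only shows the file was signed with Piriform's key: the trojanized 5.33 build was distributed with a valid Piriform signature too (as Talos reported), so the version field is the decisive one here. Requires PowerShell 4 or later for Get-FileHash.

```powershell
# Added example (not Piriform's code): inspect a downloaded installer before running it.
# Assumption: the file sits in the current user's Downloads folder under the name below.

function Test-CCleanerInstaller {
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -Path $Path
    $vi   = $item.VersionInfo
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    # FileVersion may be formatted "5, 35, 0, 6210"; normalise to dots for comparison.
    $fileVersion = ($vi.FileVersion -replace '[, ]+', '.')

    [pscustomobject]@{
        File            = $item.FullName
        SizeBytes       = $item.Length
        ProductVersion  = $vi.ProductVersion
        FileVersion     = $fileVersion
        MD5             = (Get-FileHash -Path $Path -Algorithm MD5).Hash
        SHA256          = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        SignatureStatus = $sig.Status                     # Valid / NotSigned / HashMismatch ...
        Signer          = $sig.SignerCertificate.Subject  # should name Piriform
        # The announcement covers build 5.33.6162; treat any 5.33.* installer as the bad one.
        IsKnownBadBuild = ($fileVersion -like '5.33.*')
    }
}

Test-CCleanerInstaller -Path "$env:USERPROFILE\Downloads\ccsetup535.exe" | Format-List
```

If IsKnownBadBuild is True, or SignatureStatus is anything other than Valid, do not run the file; the record of hashes and version is also what a vendor or AV support desk will ask for when you report a detection like the ones quoted above.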

Hello,

I would like to notify Piriform Admins/Moderators, that the (most likely custom) link:

https://dl.cleverbridge.com/502/(...)/ccsetup533_be.exe (link broken on purpose)

I received when buying my license is still active and (per filename, obviously) points to the compromised v5.33 CCleaner installer. That is most likely what Edweather downloaded, as his link is probably active as well.

Also, would it be possible for anyone from Piriform to officially confirm that on x64 systems (Windows 7 in my case) no parts of the malware get/got to execute (activate) and no unauthorized changes (no matter how insignificant) could be done to the system, regardless of which file (CCleaner.exe/CCleaner64.exe) is/was being run?

Since people at Talos "dissected" the malware, I'm pretty sure Piriform/Avast did the same and someone knows the answer.

Other than the long gone v5.33 CCleaner.exe file, neither my AV Suite (ESET and Malwarebytes) nor I have found any other indicators of compromise, however, one could argue that the malware was/(is?) sneakily covering its tracks. I'm really sorry, I do realize it sounds a bit paranoid, it's just that this is the first piece of malware I've had on any of my systems in ~20 or so years.

Previous posters seem to ponder at the exact same question, that's why I think addressing this issue will be most appreciated.

Thank you very much!

@rexg as I already told you you seem to have checked all that is known to be checked at this stage. I'm sorry that I'm not officially with piriform, as an employee, but as a moderator I would hope that my words would've been enough. Right now, everything that's been disclosed you have done to protect your PC.

Nergal, your work as a volunteer is very much appreciated. However it appears you are relying on the same Avast/Piriform blogs and press releases as the rest of us for your information and these blogs etc. leave many straightforward questions unanswered.

Several people are asking the same questions. Given the seriousness of the threat to our systems we really should be getting answers from piriform employees based on their current knowledge.

The last post from a piriform employee was from Stephen nearly 24 hours ago (post #131). It was disingenuous at best: he posted a link to an extremely technical avast blog post and then said he was working on answers to our more technical questions.

Our questions aren't that technical. My summary of the questions is:

Does the 32-bit/64-bit distinction still hold?

Does having ccleaner.exe in scheduled startup mean we were exposed to 32-bit threats even on 64-bit devices?

Has the 2nd payload been found anywhere other than servers on the target list?

Others have been posting similar questions - none of which seem that technical.

The other service Piriform/Avast could usefully provide their users with is a forum on how to reformat/restore/recover their systems to a pre-ccsetup533.exe state. Such a forum could be provided on a non-prejudicial basis for users who voluntarily decide to go down that road.