Announcement: Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191

Our questions aren't that technical. My summary of the questions is:


Does the 32-bit/64-bit distinction still hold?

Does having ccleaner.exe in scheduled startup mean we were exposed to 32-bit threats even on 64-bit devices?

Has the 2nd payload been found anywhere other than servers on the target list?


And another question: if we don't have the Agomo key in the registry, are we safe from the first payload?

If the first payload was not activated, is there a possibility that the second was? Or if we don't have WbemPerf 1-4 and GeeSetup_x86.dll, TSMSISrv.dll, EFACli64.dll, are we safe?

Please someone reply

Is a restore point good enough or not? On my laptop I have done this to a date before 5.33, but on my desktop

I have no system restore point from before ccsetup533.exe, so in that case I have to format and reinstall Windows.

Many sites like the Avast forum, BleepingComputer and MajorGeeks said that if there aren't any of the malicious keys and files on the PC, the PC is clean and safe from the trojan infection:

https://www.ghacks.net/2017/09/21/ccleaner-malware-second-payload-discovered/

http://www.majorgeeks.com/news/story/how_to_tell_if_you_were_infected_by_the_ccleaner_malware_issue.html

https://forum.avast.com/index.php?topic=208612.45

https://www.bleepingcomputer.com/how-to/security/ccleaner-malware-incident-what-you-need-to-know-and-how-to-remove/


I, too, would like to see a reply and/or statement from Piriform with regards to the infiltration of servers and the version 5.33 security breach, the subsequent potential risks to users, and what action you believe is necessary for users to take.

However, I get the impression Piriform are laying low...

Hello Piriform, is anyone there? We would like to hear from you!

"...Warren Mercer, a technical leader at Cisco Talos, recommends wiping or reimaging all infected systems to ensure that any malware that may have been installed by the trojanized CCleaner is completely eradicated."

https://www.bankinfosecurity.com/trojanized-avast-ccleaner-attack-targeted-major-tech-firms-a-10328

https://www.bleepingcomputer.com/news/security/info-on-ccleaner-infections-lost-due-to-malware-server-running-out-of-disk-space/

https://arstechnica.com/information-technology/2017/09/ccleaner-malware-outbreak-is-much-worse-than-it-first-appeared/

http://gearsofbiz.com/avast-takes-dig-at-cisco-thanks-morphisec-for-uncovering-ccleaner-compromise/72181

I would like to notify Piriform Admins/Moderators, that the (most likely custom) link:

https://dl.cleverbridge.com/502/(...)/ccsetup533_be.exe (link broken on purpose)

I received when buying my license...

I've made a note for the admins to see your post, so that it isn't overlooked.

The last post from a Piriform employee was from Stephen nearly 24 hours ago (post #131). It was disingenuous at best: he posted a link to an extremely technical Avast blog post and then said he was working on answers to our more technical questions.

The thing is they have to get permission before answering questions about it. Some stuff the moderation staff was asking about in a separate private area couldn't be answered either because they had to get permission first and all of that takes time. Frustrating yes, however we're all in the same boat and waiting for information that is hopefully not overly technical.

Yes, the point is: are the infected machines the PCs with the malicious keys and files? Do they need to be restored, or Windows reinstalled?

If those keys/files aren't on the PC, is it OK with no need to restore or reinstall Windows, or are there other problems?

OK, we are good here now. Just did a fresh install of the 32 bit of version 5.35.6210 on my Windows Business Vista computer, and there is no infection.

In migrating to a new computer I downloaded

CCleaner v5.33.6162

to my external drives but actually installed V5.34.

Do the uninstalled downloads require quarantine, or can they be deleted to keep my system clean in the future?

Hello,

I would like to notify Piriform Admins/Moderators, that the (most likely custom) link:

https://dl.cleverbridge.com/502/(...)/ccsetup533_be.exe (link broken on purpose)

I received when buying my license is still active and (per filename, obviously) points to the compromised v5.33 CCleaner installer. That is most likely what Edweather downloaded, as his link is probably active as well.

Also, would it be possible for anyone from Piriform to officially confirm that on x64 systems (Windows 7 in my case) no parts of the malware get/got to execute (activate) and no unauthorized changes (no matter how insignificant) could be done to the system, regardless of which file (CCleaner.exe/CCleaner64.exe) is/was being run?

Since people at Talos "dissected" the malware, I'm pretty sure Piriform/Avast did the same and someone knows the answer.

Other than the long gone v5.33 CCleaner.exe file, neither my AV suite (ESET and Malwarebytes) nor I have found any other indicators of compromise; however, one could argue that the malware was/(is?) sneakily covering its tracks. I'm really sorry, I do realize it sounds a bit paranoid, it's just that this is the first piece of malware I've had on any of my systems in ~20 or so years.

Previous posters seem to ponder at the exact same question, that's why I think addressing this issue will be most appreciated.

Thank you very much!

Like I was saying on my posts, something clearly happened on my computer and I'm on a 64. My antivirus was doing fine until this s**t popped up. I'm waiting for help on another site and hopefully I'll get it back to being fine.


Regardless of who's making the decisions, the lack of response to (or even acknowledgement of) some very straightforward questions being asked here is disrespectful, and particularly so given that Piriform has delivered some pretty dangerous software to our devices.


I have tried today to get someone from Piriform on forum but so far have had no success. I will keep trying.


Agreed. I'm always careful with my computer and watch the sites I go to like a hawk, use the proper programs regularly enough to keep it in healthy condition. We didn't pick this *hit up from a seedy website, we got it through a program we really thought we could trust. And my guess is that it was a program that many of us used for years. This is bad. This isn't something small like "Your program's getting a bit sluggish. Still works, just seems sluggish." And for the time period this went undetected makes it even worse.

And I don't mean to seem *itchy to the people on this forum that volunteer to reply to posts or answer questions. It's nice that there's some of you out there doing that. It's just your company is leaving you high and dry from my point of view. I'm still pissed that I have to deal with this hassle I don't need and I'm worried about the whole damn thing. Can I make my computer safe again? Will I have to lose everything on the computer and have to reinstall everything?

Strolling through this topic one reads posts that communicate uncertainty about this situation.

As there are two and a quarter million people potentially affected, it would be good to provide peace of mind.

Quite likely Piriform is not keeping its head down nor dragging its feet, but rather is waiting to be certain before speaking.

It would be really great if Tom Piriform would edit that first post with a prominent line about "How to be sure your computer is fixed".

Or maybe someone would create a standalone locked sticky by that name.

Simple stuff, like “Here’s how to fix this infection if you think you have it.”

AND (not or) something about "Here's how to manually verify that it is fixed". What to look for in the registry, what DLLs to look for, etc.

Just my opinion, as a NTTMM (Not Too Tekkie Mere Mortal). :)

I have Win 7 x64; do you recommend changing to Windows 10? I do not know what to do, they do not give answers, I cannot format my PC since I do not have the Windows disk to do it; we need answers.

If you have 64 bit Windows, make sure you update your ccleaner to the latest version (5.35 at the time of this post). If you are very worried you can follow the steps in https://www.ghacks.net/2017/09/21/ccleaner-malware-second-payload-discovered/

However, the malware normally does not have the time to activate between the time ccleaner.exe (32-bit) hands off to ccleaner64.exe.

Thanks for these suggestions Nergal but they raise a couple more questions:

1. You write "If you have 64 bit Windows, make sure you update your ccleaner to the latest version (5.35 at the time of this post)". Are you suggesting people with 32-bit Windows shouldn't update to 5.35?

2. You write "If you are very worried you can follow the steps in https://www.ghacks.net/2017/09/21/ccleaner-malware-second-payload-discovered/ "

In the article you link to it says "Talos Group suggested to restore the computer system using a backup that was created prior to the infection. The new evidence reinforces this, and the researchers suggest strongly that it may not be enough to simply update CCleaner to get rid of the malware". Are you now suggesting we follow this advice (because a lot of us are, indeed, very worried)?

3. You write "the malware normally does not have the time to activate between the time ccleaner.exe (32bit) hands off to ccleaner64.exe." Can you please clarify what "normally" means in this context. Under what "non-normal" circumstances would the malware have been activated?

Thanks

Robert


1. The "you" in "if you're 64bit" was directed at the previous poster. Everyone should update to 5.35.

2. No, I just meant to look for and remove the files and registry entries suggested in the article.

3. I may have been unclear. Certain researchers have discovered that the first payload did not begin until ccleaner.exe (32bit) had been open for roughly 10 minutes. I have seen this timing in action but am waiting on another Piriform moderator to speak with me before posting it (s/he lives in the UK so I think it's still late there). But my misspeak was to use "normal" when no evidence points to any non-normal situation.

I hope this cleared up those 3 questions.
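For readers who want the "how to manually verify" check that several posts above ask for (the registry keys and DLLs named in this thread), here is an added, read-only PowerShell script. It is not code from this thread, from Piriform or from any of the linked articles. It uses only the names the thread gives (the Agomo key, WbemPerf values 1-4, GeeSetup_x86.dll, TSMSISrv.dll, EFACli64.dll, and build 5.33.6162); the thread does not give the parent registry paths, so the script searches HKLM:\SOFTWARE for keys with those names rather than hard-coding paths, and it only searches the CCleaner install folders and the Windows system folders for the DLLs. It reports what it finds and removes nothing.

```powershell
# Added example, not from the thread or from Piriform. Read-only indicator check.
# Assumption: searching HKLM:\SOFTWARE by key NAME finds the Agomo/WbemPerf keys
# the thread mentions; their exact parent paths are not given in the thread.
# Run from an elevated PowerShell prompt so all keys and folders are readable.

$registryKeyNames = @('Agomo', 'WbemPerf')
$wbemPerfValues   = @('001', '002', '003', '004')   # "WbemPerf 1-4" in the thread
$dllNames         = @('GeeSetup_x86.dll', 'TSMSISrv.dll', 'EFACli64.dll')
$badMajor, $badMinor = 5, 33                        # the trojanized build, 5.33.6162

$findings = New-Object System.Collections.Generic.List[string]

# 1. Registry: any key named Agomo or WbemPerf under HKLM:\SOFTWARE.
Get-ChildItem -Path 'HKLM:\SOFTWARE' -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $registryKeyNames -contains $_.PSChildName } |
    ForEach-Object {
        $key = $_
        $findings.Add("Registry key present: $($key.Name)")
        if ($key.PSChildName -eq 'WbemPerf') {
            foreach ($valueName in $wbemPerfValues) {
                if ($null -ne $key.GetValue($valueName, $null)) {
                    $findings.Add("  WbemPerf value present: $valueName")
                }
            }
        }
    }

# 2. Folders to inspect: CCleaner install folder(s) and the system folders.
$candidateRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'CCleaner' }
$candidateRoots += (Join-Path $env:SystemRoot 'System32'),
                   (Join-Path $env:SystemRoot 'SysWOW64')
$searchRoots = $candidateRoots | Where-Object { Test-Path $_ }

# 3. Files: the three DLL names from the thread, in those folders only.
foreach ($root in $searchRoots) {
    foreach ($name in $dllNames) {
        $hit = Get-ChildItem -Path $root -Filter $name -File -ErrorAction SilentlyContinue
        if ($hit) { $findings.Add("File present: $($hit.FullName)") }
    }
}

# 4. Installed CCleaner build: flag anything still at 5.33.x.
foreach ($root in $searchRoots) {
    foreach ($exe in 'CCleaner.exe', 'CCleaner64.exe') {
        $path = Join-Path $root $exe
        if (Test-Path $path) {
            $vi = (Get-Item $path).VersionInfo
            $ver = "$($vi.FileMajorPart).$($vi.FileMinorPart).$($vi.FileBuildPart).$($vi.FilePrivatePart)"
            if ($vi.FileMajorPart -eq $badMajor -and $vi.FileMinorPart -eq $badMinor) {
                $findings.Add("Trojanized build still installed: $path ($ver)")
            } else {
                Write-Host "Installed: $path version $ver"
            }
        }
    }
}

# 5. Report. Nothing is deleted; decide what to do with the thread's advice in hand.
if ($findings.Count -eq 0) {
    Write-Host 'None of the indicators named in this thread were found on this machine.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

A clean result means the specific keys, values and files discussed in this thread are absent, which is the test the linked articles use; it does not check anything those articles do not list, so the restore-from-backup advice quoted from Talos earlier in the thread still stands on its own.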

I've had to register in this forum just to get peace of mind. I never wanted ccleaner on my system in the first place. I missed a step to uncheck a box when installing recuva. But now I find myself with this malware on my machine.

I am running 64bit win 10. The Microsoft defender caught the malware and then I immediately uninstalled ccleaner as I never even wanted it in in the first place, but I never checked my registry before removing. I don't know if I was hacked, only that defender caught it.

I took the drastic step to completely format my machine. I did a USB boot into windows installer, deleted all c: drive partitions and created a new partition on the whole disk and installed fresh windows.

Does this mean I am 100% protected now? Is there a chance that there could be any hardware/bios virus or malware remaining?

@nocluez, there are no components discovered thus far that would survive all the steps you took. That said, that's a bit overkill based on all the research that has been done (at the time of this post).


If you never installed the infected v5.33 you can simply delete it from your external drives. If you have a file shredding/secure delete software perhaps shred it so that it can never be recovered.

Nergal. I'm all for overkill. I have OCD and was losing sleep over it. I was trying to kill it with fire so that I could rest again.