malika4 Posted September 22, 2017

Yes, I would like to know whether people with Windows 64-bit, ccleaner 5.3364.exe, without any of the Agomo key, WbemPerf 1-4 or GeeSetup_x86.dll, TSMSISrv.dll, EFACli64.dll are really safe or not. Do we have to reinstall the OS or restore an image from before version 5.33? Are our passwords and data safe?

peteyt Posted September 22, 2017

With all these questions, surely it would make more sense for Piriform/Avast to bring out a standalone tool. It would at least make people feel safer.

login Posted September 22, 2017

1. Was there any malicious code in the 64-bit version of CCleaner?
2. Why is a 32-bit exe-file installed on a 64-bit system?
3. Does the 64-bit system always run the 64-bit version of CCleaner?
4. If the 64-bit version is clean, could a Trojan from a 32-bit exe-file get into a 64-bit system? In theory?
5. Why in a 64-bit system when you skip the Account Control for CCleaner, a 32-bit version (CCleaner.exe) is added to the tasks?

robertcarroll6 Posted September 22, 2017

> 1. Was there any malicious code in the 64-bit version of CCleaner?
> 2. Why is a 32-bit exe-file installed on a 64-bit system?
> 3. Does the 64-bit system always run the 64-bit version of CCleaner?
> 4. If the 64-bit version is clean, could a Trojan from a 32-bit exe-file get into a 64-bit system? In theory?
> 5. Why in a 64-bit system when you skip the Account Control for CCleaner, a 32-bit version (CCleaner.exe) is added to the tasks?

Hi login, thanks for more info on this stuff. I had no idea ccleaner would be scheduled to run on startup. I found:

Windows 7 64-bit machine - ccleaner.exe (not ccleaner64.exe) scheduled to run on startup
Windows 10 64-bit machine - ccleaner64.exe scheduled to run on startup

Robert

robertcarroll6 Posted September 22, 2017

> Dear Tom Piriform
>
> I understand that more information is being uncovered all the time about this incident and that the situation inside Piriform must be hectic. However, I think we should be given information based on the current knowledge about this incident. Specifically, I would appreciate it if an official person from Piriform could confirm whether the following statements reflect the current state of knowledge:
>
> 1. To date, there is no evidence that the second level pay-load was distributed anywhere other than to a specifically targeted group of users.
> 2. Users who launch ccleaner by running ccleaner64.exe are not at threat regardless of whether they downloaded and ran ccsetup533.exe or not.
>
> The latest information from Avast is at https://blog.avast.com/avast-threat-labs-analysis-of-ccleaner-incident
>
> Users of limited technical knowledge (like myself) won't get much from that blog entry. However, its mentions of 64-bit systems make me a bit nervous about previous reassurances.
>
> Thanks

Hi Tom Piriform,

Based on what I found in my startup scheduled tasks (see previous post) after reading login's post, I now have a third question:

3. Does the fact that ccleaner.exe (contains 32-bit code?) was in my startup scheduled tasks indicate that I was more exposed to the malware?

Thanks

Guest Stephen CCleaner Posted September 22, 2017

Hello everyone,

As some of you have noted, a new update has been posted on the Avast blog. I have added this to the list of official information on the first page.

Avast blog: Investigation Progress Update #2 by Avast Threat Labs team (Thursday, 21 September 2017)

This second progress update explains why only part of the command & control server logs were recovered and provides yet deeper technical understanding of the way the malicious code was put together. It also shares some clues as to the identity of the perpetrators.

https://blog.avast.com/avast-threat-labs-analysis-of-ccleaner-incident

We are working on getting you answers to some of your more technical questions.

robertcarroll6 Posted September 22, 2017

Thanks Stephen

You write... "We are working on getting you answers to some of your more technical questions."

The Avast blog is interesting but far too technical for most of us posting here. It is some of the less technical questions we need answers to, e.g. (as in my posts above): is the 2nd pay-load a threat to casual users? Is running the 64-bit a reason to feel any more secure? Does having ccleaner.exe as part of the startup schedule mean even 64-bit machines are exposed to the 32-bit threat? Or should we just follow advice from Cisco etc. and wipe our machines and re-install from scratch?

Robert

cstivanello Posted September 22, 2017

This malware issue affected my two 64 bit windows 7 systems. The malware also attempts to change the Internet Explorer Home Page at every new launch of Internet Explorer. The warning that some program is trying to do this appears every time. Uninstalling the malware after using Malwarebytes or Bitdefender eliminates this effect until reboot. I can establish cause and effect here.

The way that I discovered it was on Sept 19th, Bitdefender blocked the ccleaner exe. When I rebooted, once the system tray application which runs by default loaded, the problem of the IE homepage hijack returned as well as a subsequent security warning regarding ccleaner. This means that the malware is not only in the install file, but rather running in one or more of the program modules. Only total uninstall eliminated the problem.

Additionally, simply because a system is 64 bit and ccleaner installs itself under a 64 bit heading, this does not exclude the fact that 32 bit modules are running. The system tray module is a 32 bit module. Lots of software running on 64 bit OS's is 32 bit in whole or in part. On one of my systems an additional malware was blocked on the program path: backdoor.Agent.ABXS.

Nice thing is that one of my systems was a complete system reload, not used for anything of consequence yet, so the ccleaner exploit happened in a rather controlled environment. I have notified http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html of this and made my systems available to them if they want to look since I doubt that we will be receiving any truth from Avast/Piriform.

I love the story about them keeping it quiet while working with law enforcement. I called it years ago that this would be the BS excuse for companies to hide security breaches and address the lateness of announcing it to the general public.

malika4 Posted September 22, 2017

In the Avast blog update, when it talks about the 32- and 64-bit Trojan of the second payload, they speak of Windows 7 and XP, so it can probably be that the 32-bit Trojan can activate in a 64-bit system, but on 7 or XP (systems that most companies still use).

robertcarroll6 Posted September 22, 2017

> In the Avast blog update, when it talks about the 32- and 64-bit Trojan of the second payload, they speak of Windows 7 and XP, so it can probably be that the 32-bit Trojan can activate in a 64-bit system, but on 7 or XP (systems that most companies still use).

Not sure if it is relevant to your point, but I did find (see my post above) that it was ccleaner.exe (32-bit?) scheduled to run at start-up on my Windows 7 64-bit machine, but on my Windows 10 64-bit machine it was ccleaner64.exe scheduled at start-up.

robertcarroll6 Posted September 22, 2017

> Not sure if it is relevant to your point, but I did find (see my post above) that it was ccleaner.exe (32-bit?) scheduled to run at start-up on my Windows 7 64-bit machine, but on my Windows 10 64-bit machine it was ccleaner64.exe scheduled at start-up.

Mind you, "login" (post 129 above) found ccleaner.exe in start-up schedule on his Windows 10 64-bit device.

sjon287612 Posted September 22, 2017

Guys, according to Cisco's Talos (Security Intelligence and Research Group), the installation alone was all that was required for the malicious payload to execute. See Craig Williams' (Manager of the Talos Outreach team) response to this very question, which I posted on September 21, 2017 @ 6:29 PM in the comments section: http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html

tsunami2311 Posted September 22, 2017

So what is the consensus on what to do if one had that version installed? I might have 5.33 installed on my personal computer; I don't know, I'm not sure, as I have not been home in 3 weeks, and I do update CCleaner from time to time on that machine.

And was it or wasn't it the installers that were infected? I usually just get the portable or the ccleaner.exe? And seeing ccleaner.exe launches ccleaner64.exe on a 64-bit OS, was that enough to avoid the issue?

I have since deleted ccleaner.exe from this PC and changed all tasks in scheduled tasks to start ccleaner64.exe if they didn't already. But I'm pretty sure my PC has 2 tasks using ccleaner.exe: one that skips the UAC and another I manually created to automatically run daily to clean out temps/history and other custom folders on my PC.

If my PC is using 5.33, which I'm not sure of as it could still be using 5.32 (I won't know till I go home), what are the steps one should use to check if it got infected? I'd prefer not to format the drive like some sites are saying, but if I do, it will just give me a reason to install Windows 10 RS3. My computer, which also uses Avast, made no complaint about CCleaner though.

I would think Avast, who owns the CCleaner company, would post a means to check and clean a PC if it was infected, which seems to be missing from the initial post.

Moderators Andavari Posted September 22, 2017

> With all these questions, surely it would make more sense for Piriform/Avast to bring out a standalone tool. It would at least make people feel safer.

I suggested that on day one in a separate area, but supposedly they weren't going to do that.

BANGENY Posted September 22, 2017

Much of this thread is far too technical for me. Here is my situation, simply:

- I purchased and installed CCleaner Professional edition on 9/5.
- I purchased and installed Malwarebytes the same day.
- On 9/19 CCleaner disappeared completely from my computer. I reinstalled.
- On 9/20 and 9/21, I reinstalled again, only to have the program vanish each day, with no warning or message about why it was removed and which program uninstalled it (I assume it was McAfee, see below).
- On 9/22 I attempted to reinstall, but McAfee blocked the install.exe from running. I assume the latest (clean) version of CCleaner is on the site as of this morning, yet McAfee is flagging it as a threat and blocking installation. I don't know if I should try to circumvent McAfee, or if the latest version of CCleaner still has a Trojan/threat in it.
- Throughout this whole process, from 9/5 through today, Malwarebytes has not once detected any malware. It seems McAfee is more sensitive to security risks than Malwarebytes.

Will a version be released that is approved for installation by McAfee? Unfortunately, my company has installed McAfee and I have no choice but to run it. My laptop is checked by IT on a regular basis and they've never flagged or asked me to remove CCleaner or Malwarebytes in the past.

Any help or advice would be appreciated. If I can't get installation of CCleaner to work without McAfee blocking it, I will have to ask for a refund from my CCleaner purchase.

Thanks!

Moderators hazelnut Posted September 22, 2017

Make sure you are installing the latest version 5.35 from here.

https://www.piriform.com/ccleaner/builds

Support contact: https://support.ccleaner.com/s/contact-form?language=en_US&form=general or support@ccleaner.com

robertcarroll6 Posted September 22, 2017

Congratulations Bangeny. You get the prize for being the only person today to get a question answered by anybody with any connection to Piriform/Avast.

Guest Posted September 22, 2017

I use the paid-for version v5.35.6210 (64bit). On 20th Sept 2017 my Avira detected 2 Trojans. Can anyone shed some light on this, please? The auto ccleaner daily update downloaded them.

Guest Posted September 22, 2017

CCleanerHked533.1 trojan

malika4 Posted September 22, 2017

Gaz132, what Windows do you have? 7 or XP? On the Malwarebytes forum a user asked about Windows 10 and the 64-bit version. The expert said that Malwarebytes detects and deletes the Trojan and the registry key, and if the registry key Agomo isn't on the system, the backdoor did not affect the PC.

malika4 Posted September 22, 2017

> Mind you, "login" (post 129 above) found ccleaner.exe in start-up schedule on his Windows 10 64-bit device.

Same for me, but the directory is C Program Files (64-bit), not C Program Files x86, so is this important or not for executing a 64-bit version?

login Posted September 22, 2017

> This malware issue affected my two 64 bit windows 7 systems. The malware also attempts to change the Internet Explorer Home Page at every new launch of Internet Explorer. The warning that some program is trying to do this appears every time. Uninstalling the malware after using Malwarebytes or Bitdefender eliminates this effect until reboot. I can establish cause and effect here.
>
> The way that I discovered it was on Sept 19th, Bitdefender blocked the ccleaner exe. When I rebooted, once the system tray application which runs by default loaded, the problem of the IE homepage hijack returned as well as a subsequent security warning regarding ccleaner. This means that the malware is not only in the install file, but rather running in one or more of the program modules. Only total uninstall eliminated the problem.
>
> Additionally, simply because a system is 64 bit and ccleaner installs itself under a 64 bit heading, this does not exclude the fact that 32 bit modules are running. The system tray module is a 32 bit module. Lots of software running on 64 bit OS's is 32 bit in whole or in part. On one of my systems an additional malware was blocked on the program path: backdoor.Agent.ABXS.
>
> Nice thing is that one of my systems was a complete system reload, not used for anything of consequence yet, so the ccleaner exploit happened in a rather controlled environment. I have notified http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html of this and made my systems available to them if they want to look since I doubt that we will be receiving any truth from Avast/Piriform.
>
> I love the story about them keeping it quiet while working with law enforcement. I called it years ago that this would be the BS excuse for companies to hide security breaches and address the lateness of announcing it to the general public.

Did you have a registry folder Agomo?

HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo

Or one of the listed registry folders?

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\002
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\003
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\004
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP

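A read-only check for the registry keys login lists above, as an added example that is not part of the original thread or of any Piriform/Avast tool. It looks in both the 64-bit and the 32-bit registry view, since the thread's open question is whether the 32-bit CCleaner.exe ran on 64-bit Windows; it assumes PowerShell 3.0 or later, and the function name `Test-ThreadRegistryKeys` is hypothetical.

```powershell
# Added example: read-only lookup of the registry keys named in this thread.
# Assumption: PowerShell 3.0+ (.NET 4 RegistryView API). Nothing is modified.

$KeysFromThread = @(
    'SOFTWARE\Piriform\Agomo',
    'SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\001',
    'SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\002',
    'SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\003',
    'SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\004',
    'SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP'
)

function Test-ThreadRegistryKeys {
    param([string[]]$SubKeys = $KeysFromThread)

    # A 32-bit process (CCleaner.exe) and a 64-bit one (CCleaner64.exe) can be
    # shown different views of HKLM\SOFTWARE, so query both views explicitly.
    $views = @([Microsoft.Win32.RegistryView]::Registry64,
               [Microsoft.Win32.RegistryView]::Registry32)

    foreach ($view in $views) {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
                    [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        try {
            foreach ($sub in $SubKeys) {
                $key     = $hklm.OpenSubKey($sub)   # read-only; $null if absent
                $present = $null -ne $key
                $names   = @()
                if ($present) {
                    $names = @($key.GetValueNames())
                    $key.Close()
                }
                [pscustomobject]@{
                    View       = $view
                    Key        = "HKLM\$sub"
                    Present    = $present
                    ValueNames = ($names -join ', ')
                }
            }
        }
        finally { $hklm.Close() }
    }
}

$results = @(Test-ThreadRegistryKeys)
$results | Format-Table -AutoSize

$hits = @($results | Where-Object { $_.Present })
if ($hits.Count -gt 0) {
    Write-Warning ("{0} of the listed keys exist; keep this output for whoever handles the cleanup." -f $hits.Count)
} else {
    Write-Output 'None of the listed keys exist in either registry view.'
}
```
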
BANGENY Posted September 22, 2017

> Make sure you are installing the latest version 5.35 from here.
>
> https://www.piriform.com/ccleaner/builds

I just tried downloading v5.35 from that link, and McAfee is still blocking installation, and calling it a Trojan. Below is the log from McAfee. Please advise.

Adaptive Threat Protection

Analyzer / Detector
  Product name          McAfee Endpoint Security
  Product version       10.5.2.2078
  Feature name          On-Execute Scan

Threat
  Action taken          Block
  Threat category       Malware Detected
  Threat event ID       35104
  Threat handled        Yes
  Threat name           ATP/Suspect!92fcff26e8c5
  Threat severity       Critical
  Threat timestamp      9/22/2017 14:56
  Threat type           Trojan

Source
  Source process name   C:\USERS\xxxxxxx\DOWNLOADS\CCSETUP535.EXE
  Source user name      GLOBAL\xxxxxxx

Target
  Target hash           e6f5ad3fd6d0f64ec88357fc481a71ab
  Target name           CCLEANER64.EXE
  Target path           C:\PROGRAM FILES\CCLEANER
  Target signer         Symantec Class 3 SHA256 Code Signing CA

Other
  Vector type           Local System
  Description           Adaptive Threat Protection Detection

Moderators hazelnut Posted September 22, 2017

Download the slim build from that link.

Support contact: https://support.ccleaner.com/s/contact-form?language=en_US&form=general or support@ccleaner.com

glitterfalls Posted September 22, 2017

This is really pissing me off. Like I said on another thread, I was able to run a scan of MSE and delete the trojan. But there's still something very wrong. And the thing that drives me up the wall is I ran another scan of MSE and the system's clear. Hell, I even redownloaded Malwarebytes to run for one scan only (the new upgrade from this year didn't sound like it gelled well with the computer I have and that's why I had to get rid of it). Anyway, that scan came out clean.

There's still something wrong with MSE because I'm getting errors when I try and click on "help". It's an application not found error and I got errors this morning and yesterday if I updated the virus and spyware definitions. I literally don't know what to do. And I sure as hell don't have the money to pay for somebody else's *uck up. I'm careful with the stuff I download and the sites I visit and here this crap's been undetected for a month.

This was a program I'd had for many years but this whopper has pretty much cut my trust for the program. Not to mention my "security" programs that made me have the false belief the system was clean. It's very unfortunate that this program was one I always followed the 'nags' over about a new update being released. Idk if I'm keeping this program after this has blown over.

I need help. If nobody here can help, please point me to a direction where I can possibly get some help without making the already bad problem even worse. Oh, and I did download the latest install of CCleaner. I'm gonna cool off and come back later.