PTDDS Posted September 25, 2017 Well said Patryk R. The silence from Piriform/Avast is deafening. Where is their integrity and responsibility to their clients/customers? I too am absolutely gobsmacked at this level of non-assistance. Most responsible suppliers/manufacturers/developers would be trying to assist their global base of users, so as to at least be seen as co-operating. (1) Too many non-specific and generalized opinions are being released by press and media outlets. (2) Most previous info releases via Piriform have been outdated and/or not totally correct. Piriform can no longer leave this forum's moderators to answer and assist in an issue that is obviously well outside of their ability to answer. Am I frustrated? (Yes.) It would seem as though Piriform's previous owners have their money covering their ears, and Avast are playing the "it's not our fault" card. I too have regular backups to a separate HD, automated as full systems, but the time and losses to approx. July/August/Sept data is huge, seeing as I updated CCleaner at every version release.
robertcarroll6 Posted September 25, 2017 Well said Patryk R. The silence from Piriform/Avast is deafening. Where is their integrity and responsibility to their clients/customers? I too am absolutely gobsmacked at this level of non-assistance .... ...I too have regular backups to a separate HD, automated as full systems, but the time and losses to approx. July/August/Sept data is huge, seeing as I updated CCleaner at every version release.
Lots of users are waiting for some clarity from Piriform before making decisions on restoring/re-imaging. As of now:
1. the moderators seem to be saying restoring is overkill because installing 5.35 etc. magicks problems away;
2. the YouTube video*** the mods are so anxious for us to view seems to be saying re-imaging is a waste of time since we are already "owned" by the hackers;
3. our best hope seems to be that the hackers will be too busy tussling with Microsoft and Google etc. to bother with anything they got from our systems.
*** https://www.youtube.com/watch?v=i1u0LqZLDvc&feature=youtu.be
It's ironic that mods on a Piriform-sponsored forum are linking to a clip called "The Horrors of Ccleaner". It has cool music.
BANGENY Posted September 25, 2017 Slim build is available here, just scroll down a little: https://www.piriform.com/ccleaner/builds Thank you for the better link. Unfortunately, McAfee blocks the installation of the slim version as well. So, I am still unable to use CCleaner.
Guest Stephen CCleaner Posted September 25, 2017 Hi again everyone, Avast have published some more information from the investigation. I'll share more information when I'm able. Avast blog: Investigation Progress Update #3 by Avast Threat Labs team (Monday, 25 September 2017). This third progress update confirms how many and which companies were specifically targeted by the attack and presents a hypothesis on the origin of the perpetrator(s). The blog post also contains a full list of IOCs (Indicators of Compromise; in this case a list of files whose existence shows that a system has at one time been compromised by this attack). https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident
malika4 Posted September 25, 2017 I read the news in the Avast blog and it confirms that the Trojan creates the Agomo keys in the registry, so without them the system was not affected, right?
mafinokc Posted September 25, 2017 Using CCleaner on an HP laptop running Win 10 build 15063. On 9/25/17 IObit Malware Fighter Pro 5.2 picked up Backdoor.Agent.ABXS in the installation file ccsetup533.exe (screenshot attached).
malika4 Posted September 25, 2017 All antivirus now detect the backdoor in the 5.33 installer.
Guest Stephen CCleaner Posted September 25, 2017 I read the news in the Avast blog and it confirms that the Trojan creates the Agomo keys in the registry, so without them the system was not affected, right? Some antivirus software has been updated to remove these keys, so this is not necessarily true. However, if your antivirus solution has not flagged these keys to you before removing them, then it suggests no communication from your system was made to the command and control server.
Guest Stephen CCleaner Posted September 25, 2017 Piriform: Can you please provide cryptographic hashes of the compromised installers and the infected CCleaner.exe binaries for versions of CCleaner 5.33.6162 and CCleaner Cloud 1.07.3191 and list them on your security notification page (https://www.piriform.com/news/blog/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users). Maybe MD5, SHA1, and SHA256. Hashes and other FAQs: https://piriform.zendesk.com/hc/en-us/articles/115001699371 Indicators of Compromise (IOCs) are in the latest Avast blog post: https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident
Guest Stephen CCleaner Posted September 25, 2017 Using CCleaner on an HP laptop running Win 10 build 15063. On 9/25/17 IObit Malware Fighter Pro 5.2 picked up Backdoor.Agent.ABXS in the installation file ccsetup533.exe (screenshot attached). As has been mentioned, all reputable antivirus solutions have been updated to detect CCleaner v5.33 as containing malicious code. This includes the v5.33 installer file that may still have been present on your system from the initial download.
jonmar Posted September 25, 2017 Hashes and other FAQs: https://piriform.zendesk.com/hc/en-us/articles/115001699371 Indicators of Compromise (IOCs) are in the latest Avast blog post: https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident You continue to use confusing language like "all users with the 32-bit version". That's literally ALL users, because the same installer is used for both 64-bit and 32-bit systems, and on a 64-bit system both executable files are installed. Could we get some clarification on this? If 64-bit systems were not affected by the malware, then why not? What prevented the malware from executing?
malika4 Posted September 25, 2017 Some antivirus software has been updated to remove these keys, so this is not necessarily true. However, if your antivirus solution has not flagged these keys to you before removing them, then it suggests no communication from your system was made to the command and control server. When the notice of the Trojan was communicated last Monday I had just installed version 5.34; my antivirus only detected the installer that I have in the Documents folder. I searched for the keys in the registry but they weren't there, and neither KIS 2017 nor Malwarebytes detected them on my system. I have Windows 10 64-bit and CCleaner 64-bit.
NonConvergentWaveform Posted September 25, 2017 I read the news in the Avast blog and it confirms that the Trojan creates the Agomo keys in the registry, so without them the system was not affected, right? As long as the 2nd stage virus (and any other viruses it downloaded later) didn't delete that key and/or itself before you checked.

Didn't run CCleaner v5.33.0.6162 (or CCleanerCloud v1.7.0.3191) at any point = not infected
Installed but didn't run CCleaner v5.33.0.6162 (or CCleanerCloud v1.7.0.3191) before September 16th = not infected (this assumes the installer doesn't run the main exe files at all after installing)
Installed and ran CCleaner v5.33.0.6162 before September 16th, but firewall rules denied CCleaner.exe all network access = not infected
Installed and ran CCleaner v5.33.0.6162 (or CCleanerCloud v1.7.0.3191) after September 15th = not infected (malware server disabled)

CCleanerCloud users (64-bit and 32-bit OSes):
Installed and ran CCleanerCloud v1.7.0.3191 before September 16th = Stage 2 possible

64-bit users:
Installed and ran CCleaner v5.33.0.6162 before September 16th, but did not use the skip User Account Control (UAC) feature and did not run the 32-bit main exe = not infected
Installed and ran CCleaner v5.33.0.6162 before September 16th, and did use the skip User Account Control (UAC) feature OR ran the 32-bit main exe = status unclear (see note A1)
Note A1: If the tampered 32-bit main exe file (CCleaner.exe) exits after running the untampered 64-bit main exe = not infected
Note A1*: If the tampered 32-bit main exe file (CCleaner.exe) persists while waiting for the 10 minute delay after passing control to the untampered 64-bit main exe = Stage 2 possible
* There is no way (currently known) for the line above to happen in any normal situation.

32-bit users:
Installed and ran CCleaner v5.33.0.6162 before September 16th = Stage 2 possible

If Stage 2 possible: The attackers probably decided not to infect your computer. They had the option to infect you, but they passed. (This info comes from the attacker's captured server; the info could have been tampered with.) For those few machines that were passed to stage 2, this malware could have taken any action(s), including downloading more malware, stealing info, and deleting all traces of infection.
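The decision tree in the post above, encoded as a small triage function so it can be run over a host inventory. This is an added example, not code from the thread or from Piriform/Avast; the version labels, the `HostFacts` field names and the ISO-string date format are my own assumptions, and the outcome strings follow the post.

```python
# Added example (not from the forum thread): the infection-status decision tree
# from the post above, encoded as a pure function so it can be applied to a
# fleet inventory. Outcome strings and rules follow the post; dates are ISO
# strings so the check needs no external data.
from dataclasses import dataclass
from datetime import date
from typing import Optional

AFFECTED_VERSIONS = {"CCleaner 5.33.0.6162", "CCleaner Cloud 1.7.0.3191"}
SERVER_DISABLED = date(2017, 9, 16)  # runs on/after this date: C2 already down

NOT_INFECTED = "not infected"
STAGE2_POSSIBLE = "Stage 2 possible"
STATUS_UNCLEAR = "status unclear (see note A1)"


@dataclass
class HostFacts:
    version: str                    # product and version installed (assumed label)
    ran: bool                       # main exe launched at least once?
    first_run: Optional[str]        # ISO date of first launch, None if never
    os_64bit: bool
    firewall_blocked: bool = False  # CCleaner.exe denied all network access
    skip_uac: bool = False          # "skip UAC" feature was enabled
    ran_32bit_exe: bool = False     # 32-bit CCleaner.exe launched directly


def triage(h: HostFacts) -> str:
    """Classify one host with the thread's rules, most decisive checks first."""
    if h.version not in AFFECTED_VERSIONS or not h.ran or h.first_run is None:
        return NOT_INFECTED          # never executed a tampered build
    if date.fromisoformat(h.first_run) >= SERVER_DISABLED:
        return NOT_INFECTED          # malware server disabled before first run
    if h.firewall_blocked:
        return NOT_INFECTED          # stage 1 could never reach the C2 server
    if h.version.startswith("CCleaner Cloud"):
        return STAGE2_POSSIBLE       # Cloud build: 32-bit and 64-bit OSes alike
    if not h.os_64bit:
        return STAGE2_POSSIBLE       # 32-bit OS ran the tampered 32-bit exe
    if h.skip_uac or h.ran_32bit_exe:
        return STATUS_UNCLEAR        # tampered 32-bit exe did run; note A1 applies
    return NOT_INFECTED              # 64-bit host only ran the untampered 64-bit exe


if __name__ == "__main__":
    # Constructed sample host, not real telemetry.
    print(triage(HostFacts("CCleaner 5.33.0.6162", True, "2017-09-01", True, skip_uac=True)))
```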
robertcarroll6 Posted September 25, 2017 As long as the 2nd stage virus (and any other viruses it downloaded later) didn't delete that key and/or itself before you checked. Didn't run CCleaner v5.33.0.6162 at any point = not infected... .... .... If Stage 2 possible: The attackers probably decided not to infect your computer. They had the option to infect you, but they passed. (This info comes from the attacker's captured server; the info could have been tampered with.) For those few machines that were passed to stage 2, this malware could have taken any action(s), including downloading more malware, stealing info, and deleting all traces of infection. Useful summary. Thanks.
malika4 Posted September 25, 2017 64-bit users: Installed and ran CCleaner v5.33.0.6162 before September 16th, and did use the skip User Account Control (UAC) feature. But running only the 64-bit version? I only use the 64-bit version but have the UAC feature active, but don't have any Agomo keys or Webemperf 1-4.
Moderators Nergal Posted September 25, 2017 64-bit users: Installed and ran CCleaner v5.33.0.6162 before September 16th, and did use the skip User Account Control (UAC) feature. But running only the 64-bit version? I only use the 64-bit version but have the UAC feature active, but have any Agomo keys or Webemperf 1-4. Do you mean you do have those keys or don't have them? ADVICE FOR USING CCleaner'S REGISTRY INTEGRITY SECTION: DON'T JUST CLEAN EVERYTHING THAT'S CHECKED OFF. Do your Registry Cleaning in small bits (at the very least check-mark by check-mark). ALWAYS BACK UP THE ENTRY; YOU NEVER KNOW WHAT YOU'LL BREAK IF YOU DON'T. Support at https://support.ccleaner.com/s/?language=en_US Pro users file a PRIORITY SUPPORT via email support@ccleaner.com
malika4 Posted September 25, 2017 Not have, sorry, but my phone has an Italian dictionary. I don't have any of those keys, and my antivirus KIS 2017 and Malwarebytes haven't detected them.
Moderators Nergal Posted September 25, 2017 Not have, sorry, but my phone has an Italian dictionary. I don't have any of those keys, and my antivirus KIS 2017 and Malwarebytes haven't detected them. Sounds like you are not infected (based on the information we have on the infection thus far).
ggcleaner Posted September 25, 2017 I hope that, since now it is not 100% targeted to help companies but also normal users, we need an AFFIRMATION by Avast/Piriform that by removing CCleaner 5.33 we are already safe, although the 2nd stage of the malware has not been downloaded.
Thomas_1 Posted September 25, 2017 I'm running v. 5.35621 64-bit and just got a virus detection from my Defender. I did an update a while back and thought it was safe; guess not.
ggcleaner Posted September 25, 2017 I'm running v. 5.35621 64-bit and just got a virus detection from my Defender. I did an update a while back and thought it was safe; guess not. For me also the antivirus detected the installer of the previous CCleaner; Malwarebytes detected it.
peteyt Posted September 25, 2017 As long as the 2nd stage virus (and any other viruses it downloaded later) didn't delete that key and/or itself before you checked.
Didn't run CCleaner v5.33.0.6162 at any point = not infected
Installed but didn't run CCleaner v5.33.0.6162 before September 16th = not infected (this assumes the installer doesn't run the main exe files at all after installing)
Installed and ran CCleaner v5.33.0.6162 before September 16th, but firewall rules denied CCleaner.exe all network access = not infected
Installed and ran CCleaner v5.33.0.6162 after September 15th = not infected (malware server disabled)
64-bit users:
Installed and ran CCleaner v5.33.0.6162 before September 16th, but did not use the skip User Account Control (UAC) feature and did not run the 32-bit main exe = not infected
Installed and ran CCleaner v5.33.0.6162 before September 16th, and did use the skip User Account Control (UAC) feature OR ran the 32-bit main exe = status unclear (see note A1)
Note A1: If the tampered 32-bit main exe file (CCleaner.exe) exits after running the untampered 64-bit main exe = not infected
Note A1: If the tampered 32-bit main exe file (CCleaner.exe) persists while waiting for the 10 minute delay after passing control to the untampered 64-bit main exe = Stage 2 possible
32-bit users:
Installed and ran CCleaner v5.33.0.6162 before September 16th = Stage 2 possible
If Stage 2 possible: The attackers probably decided not to infect your computer. They had the option to infect you, but they passed. (This info comes from the attacker's captured server; the info could have been tampered with.) For those few machines that were passed to stage 2, this malware could have taken any action(s), including downloading more malware, stealing info, and deleting all traces of infection.
I read an article that states a 32-bit and a 64-bit Trojan existed. This is what has confused me, as it was stated it only affected 32-bit machines, yet it says something different if a 64-bit one existed. Was this 64-bit Trojan for the second stage?
Moderators Nergal Posted September 25, 2017 I'm running v. 5.35621 64-bit and just got a virus detection from my Defender. I did an update a while back and thought it was safe; guess not. You have the installer for the malicious CCleaner. Look at your image closer and notice the captured file is from the Downloads folder.
JDPower Posted September 25, 2017 Those PCMatic guys being classy again at the merest hint of blood in a competitor: CCleaner "RIDDLED With Malware". "2 Billion devices exposed". Surely this being emailed out to millions today, when the facts proving it wrong were available a week ago ("2.27 million people used the affected software", Piriform blog, September 18, 2017), is borderline defamation?
NonConvergentWaveform Posted September 25, 2017 64-bit users: Installed and ran CCleaner v5.33.0.6162 before September 16th, and did use the skip User Account Control (UAC) feature. But running only the 64-bit version? I only use the 64-bit version but have the UAC feature active, but don't have any Agomo keys or Webemperf 1-4. If you are on 64-bit Windows, be sure to check the 32-bit registry view, as if a 32-bit program wrote to:
HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo
and you checked it with regedit, it would actually end up here:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Piriform\Agomo
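A check for the Agomo key described above that opens both the 64-bit and the 32-bit (Wow6432Node) registry views rather than only the native one. This is an added example, not code from the thread; it assumes the key path quoted in the post and uses the standard `winreg` module with its `KEY_WOW64_32KEY`/`KEY_WOW64_64KEY` access flags, with the key opener injectable so the view-walking logic can be exercised on a non-Windows machine.

```python
# Added example (not from the forum thread): look for the Agomo key in BOTH
# registry views on 64-bit Windows. A 32-bit process writing
# HKLM\SOFTWARE\Piriform\Agomo is redirected by WOW64 to
# HKLM\SOFTWARE\Wow6432Node\Piriform\Agomo, so a check that only opens the
# native view misses it. The opener is injectable for off-Windows testing.
from typing import Callable, Dict, List, Optional

AGOMO_SUBKEY = r"SOFTWARE\Piriform\Agomo"   # key path quoted in the post
VIEWS = ("64-bit", "32-bit")

Opener = Callable[[str, str], Optional[List[str]]]


def _winreg_opener(subkey: str, view: str) -> Optional[List[str]]:
    """Open HKLM\\subkey in the requested view; return its value names or None."""
    import winreg  # Windows only; imported lazily so the module loads elsewhere
    flag = winreg.KEY_WOW64_64KEY if view == "64-bit" else winreg.KEY_WOW64_32KEY
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey, 0,
                            winreg.KEY_READ | flag) as key:
            names: List[str] = []
            i = 0
            while True:
                try:
                    names.append(winreg.EnumValue(key, i)[0])
                    i += 1
                except OSError:          # no more values under this key
                    return names
    except FileNotFoundError:            # key absent in this view
        return None


def find_agomo(opener: Opener = _winreg_opener,
               subkey: str = AGOMO_SUBKEY) -> Dict[str, List[str]]:
    """Return {view: [value names]} for every registry view where the key exists."""
    found: Dict[str, List[str]] = {}
    for view in VIEWS:
        names = opener(subkey, view)
        if names is not None:
            found[view] = names
    return found


def redirected_path(subkey: str = AGOMO_SUBKEY) -> str:
    """Native-view path where a 32-bit writer's HKLM\\SOFTWARE\\... key lands."""
    prefix = "SOFTWARE\\"
    if not subkey.upper().startswith(prefix):
        raise ValueError("only HKLM\\SOFTWARE keys are redirected this way")
    return prefix + "Wow6432Node\\" + subkey[len(prefix):]


if __name__ == "__main__":
    hits = find_agomo()   # real registry; runs only on Windows
    print("Agomo key present in views:", sorted(hits) if hits else "none")
```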