nocluez Posted September 26, 2017

[screenshot: https://d2wqgvap25i10a.cloudfront.net/monthly_2017_09/image.png.9dca49c1c337b7a6ea175e55ed7db80a.png]

I had this. Where does that fall in the guidelines?
malika4 Posted September 26, 2017

> If you are on 64-bit Windows, be sure to check the 32-bit registry, as if a 32-bit program wrote to:
> HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo
> and you checked it with regedit, it would actually end up here:
> HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Piriform\Agomo

Hi, I don't have any Piriform folder in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node on my desktop; on my husband's laptop there is one, but there is no Agomo in it, and in HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\ there is no Agomo either.

On all my 3 PCs (Windows 10 64-bit) I have this task:

Yes Task CCleanerSkipUAC Piriform Ltd "C:\Program Files\CCleaner\CCleaner.exe" $(Arg0)

and it is like this by default (I haven't modified it), so I think that if this task can activate the trojan, all the 64-bit systems will be affected, because I read that all 64-bit versions have the task like this. But on the Avast blog it is written that the total number of unique PCs (unique MAC addresses) that communicated with the CnC server was 1,646,536.
login Posted September 26, 2017

> [screenshot: https://d2wqgvap25i10a.cloudfront.net/monthly_2017_09/image.png.9dca49c1c337b7a6ea175e55ed7db80a.png]
> I had this. Where does that fall in the guidelines?

What version of the operating system are you using? 32-bit or 64-bit?

-----------------------------------------------

Question for administrators or people close to the topic: Were there any cases of infection of 64-bit computers or not? If so, under what conditions could 64-bit computers be infected?
jonmar Posted September 26, 2017

Before installing the latest version of CCleaner (5.35), I checked my registry and there were some entries left over from 5.34 in HKLM/SOFTWARE/Piriform. In there I saw default and CR (or was it CZ? I can't remember now). I deleted HKLM/SOFTWARE/Piriform, rebooted, and then installed 5.35. I checked the registry again, but this time I saw only default in there.

What is the CR entry? Is it something legit or connected to the attack somehow? I haven't seen it mentioned anywhere in connection with this attack, but I just wanted to make sure. Thanks.
malika4 Posted September 26, 2017

> Question for administrators or people close to the topic: Were there any cases of infection of 64-bit computers or not? If so, under what conditions could 64-bit computers be infected?

On the Piriform Zendesk it is written:

> Who was affected? This issue was isolated to two versions: CCleaner v5.33.6162 for 32-bit Windows users and CCleaner Cloud v1.07.3191 (if you are using CCleaner Cloud, the 32-bit version runs on 64-bit machines). All builds on these version numbers were affected: Free, Professional, Slim, Portable, Business and Technician versions of CCleaner.

So 64-bit Windows, if it has the CCleaner Cloud version, runs CCleaner.exe (the 32-bit version).
WNT Posted September 26, 2017

My apologies if these questions have already been covered.

Apparently, the CCleaner attack resulted in two found malwares, Nyetya and Floxif. Are they the same malware with different names or totally different?

According to sources, under the stage 1 attack, the attackers received the following: name of computer, active software, MAC addresses and network adapters. Is this a concern, and is there a risk of the MAC addresses and network adapters being hacked and compromised in the future?
patrykr Posted September 26, 2017

> Question for administrators or people close to the topic: Were there any cases of infection of 64-bit computers or not? If so, under what conditions could 64-bit computers be infected?

I think it depends on how you define "infection", because technically anyone using v5.33 was infected. The thing is, 64-bit systems were not affected by the infection (allegedly, as I have not seen official confirmation or, better yet, an explanation). They were not, because the infected file CCleaner.exe does not normally run on 64-bit systems. It just runs for a little while (or not at all, depending on your UAC configuration), perhaps not long enough for the virus to execute? I'm sorry, this is the part I got no answer to, despite asking. After that, the file that really runs and works is the non-infected CCleaner64.exe. If you somehow managed to keep CCleaner.exe open instead of CCleaner64.exe (which does not normally happen; it probably could if you first deleted CCleaner64.exe), you would surely be both infected and affected by the infection.

> the following: name of computer, active software, MAC addresses and network adapters. Is this a concern, and is there a risk of the MAC addresses and network adapters being hacked and compromised in the future?

That information is non-sensitive. It can help in preparing a highly targeted attack against you, but as long as there are no apparent vulnerabilities in your system configuration, it is, in the worst-case scenario, extremely hard (when you're careful). Also, no one can hack your network adapter just by knowing the MAC address; there has to be an exploitable vulnerability first (note that sometimes you see MAC addresses on the outer boxes of the hardware you buy). Perhaps the question you should be asking yourself is: did the infection leave your system vulnerable? The general consensus is no. However, some state that yes, everyone should reinstall their systems.

The decision is yours to make. All the above are just my opinions. I am not an expert. Perhaps a power user (at best).

Hello, my question for Piriform/Avast concerning the CCleaner v5.33 infection: Is the Business Edition installer (ccsetup533_be.exe, MD5: 60f18d92353d46dfc715ffd9fbefecfc) affected like the other ones, i.e. the executable of the installer itself is malware-free, and only installs the trojanized CCleaner.exe file? Thank you very much for your time!
nocluez Posted September 26, 2017

@login I'm running 64-bit Win10. What does the UAC stuff mean? My version of CCleaner was downloaded when I was installing Recuva. No idea what version that means it is.
Guest Stephen CCleaner Posted September 26, 2017

> My apologies if these questions have already been covered. Apparently, the CCleaner attack resulted in two found malwares, Nyetya and Floxif. Are they the same malware with different names or totally different?

Hi WNT

I'll try to clear this up. Nyetya is a type of malware completely unrelated to the malware seen in CCleaner v5.33.6162. Nyetya was discovered in late June 2017 by the Talos research team (Cisco) and was delivered via Ukrainian accounting software called M.E.Doc. In their first blogpost on the CCleaner malware investigation, Talos reference Nyetya as an example of "how potent [a supply chain attack] can be".

Separately, on the day the security vulnerability was disclosed, Malwarebytes initially detected v5.33.6162 of ccleaner.exe as 'Trojan.Nyetya'. The malware that was injected into the CCleaner v5.33.6162 32-bit binary is completely unrelated and does not behave like Nyetya. MalwareBytes later changed this definition to 'Trojan.Floxif'.

'Trojan.Floxif' is a term given to a group of malware that uses Windows executable and DLL files to infect a system and then download additional malicious files. This term goes back to 2009 and is not used ubiquitously by all threat researchers. Various antivirus solutions will detect CCleaner v5.33.6162 under other names (e.g. Kaspersky calls it "Backdoor.Win32.InfeCleaner.a", Avast calls it "Win32:TlsHack-A [Trj]").

The reason many people refer to this as 'Floxif' is because Cisco Talos researchers updated their ClamAV software to detect the malware in CCleaner and took a screenshot of this detection before publishing their article. The screenshot shows the malware was detected as 'Windows.Trojan.Floxif'. Bleeping Computer published one of the earliest articles on the incident and their article was fastest trending on Reddit. In addition to Cisco and MalwareBytes, Windows Defender also refers to this malware as 'Floxif'.

--

We are working on responses for many of your other questions and will update you as soon as we are able.
patrykr Posted September 26, 2017

> What does the UAC stuff mean?

UAC (User Account Control) is basically the pop-up question you see when opening certain applications or most installers. It says something like: "Do you want to let this program make changes to your computer". CCleaner has a convenient setting (Advanced -> "skip UAC warning") allowing you to skip that pop-up question.

The way it relates to the infection incident and 64-bit systems is as follows:
- there are two files in the install directory (infected CCleaner.exe and non-infected CCleaner64.exe)
- when the setting is disabled, only the non-infected CCleaner64.exe gets executed and CCleaner.exe is just sitting there completely dormant (so is the virus)
- when the setting is enabled (by default, I think), both files get executed, but the infected CCleaner.exe just "for a little while", and that is exactly what raises questions and/or doubts

Again, please note, I am not an expert and can be wrong.

Hello, my question for Piriform/Avast concerning the CCleaner v5.33 infection: Is the Business Edition installer (ccsetup533_be.exe, MD5: 60f18d92353d46dfc715ffd9fbefecfc) affected like the other ones, i.e. the executable of the installer itself is malware-free, and only installs the trojanized CCleaner.exe file? Thank you very much for your time!
Nergal (Moderator) Posted September 26, 2017

@patrykr you got it mostly correct, except for skip UAC being default: it isn't. I also think the shortcuts on the recycle bin also first call ccleaner.exe.

ADVICE FOR USING CCleaner'S REGISTRY INTEGRITY SECTION
DON'T JUST CLEAN EVERYTHING THAT'S CHECKED OFF. Do your Registry Cleaning in small bits (at the very least Check-mark by Check-mark)
ALWAYS BACKUP THE ENTRY, YOU NEVER KNOW WHAT YOU'LL BREAK IF YOU DON'T.
Support at https://support.ccleaner.com/s/?language=en_US
Pro users file a PRIORITY SUPPORT via email support@ccleaner.com
malika4 Posted September 26, 2017

> @patrykr you got it mostly correct, except for skip UAC being default: it isn't. I also think the shortcuts on the recycle bin also first call ccleaner.exe.

It is enabled by default; on all my 3 PCs it is like this, and after reinstalling CCleaner it is enabled by default.
Nergal (Moderator) Posted September 26, 2017

> @patrykr It is enabled by default; on all my 3 PCs it is like this, and after reinstalling CCleaner it is enabled by default.

That's because you reinstalled it; your settings were still in the registry/ccleaner.ini.
jonmar Posted September 26, 2017

> That's because you reinstalled it; your settings were still in the registry/ccleaner.ini.

It was also enabled by default for me. That's after first uninstalling CCleaner completely before installing 5.35. I've also never enabled that setting in the past, so it can't have been remembered from past settings.
pearshaped Posted September 27, 2017

You can click "Restore default settings" in order to be sure what the default values are in CCleaner (unless Piriform changed them in the latest version).

On an unrelated note, why does CCleaner 5.35 try to connect to 151.101.112.64 when I run it? Is it a Piriform/Avast server?
NonConvergentWaveform Posted September 27, 2017

> [...] On an unrelated note, why does CCleaner 5.35 try to connect to 151.101.112.64 when I run it? Is it a Piriform/Avast server?

It comes back to a company called "Fastly" in San Francisco, CA. They are listed only by a PO Box. Their allocation is named "SKYCA-3". Never heard of them.

https://whois.arin.net/rest/net/NET-151-101-0-0-1/pft?s=151.101.112.64
hazelnut (Moderator) Posted September 28, 2017

Fastly is a Content Delivery Network provider.

Old thread here but still relevant: https://forum.piriform.com/index.php?showtopic=42539&do=findComment&comment=257266

Support contact https://support.ccleaner.com/s/contact-form?language=en_US&form=general or support@ccleaner.com
Guest Stephen CCleaner Posted September 28, 2017

hazelnut is correct. We use Fastly for a number of things, including web caching.
Guest Stephen CCleaner Posted September 28, 2017

Hey guys,

NonConvergentWaveform has deduced some of this already, but I wanted to confirm the behaviour on 64-bit systems to provide a greater understanding.

Our investigations show that the compromised code was only present in the 32-bit binaries (CCleaner.exe) and not the 64-bit binaries (CCleaner64.exe). Regardless of system architecture, CCleaner v5.33 installs both CCleaner.exe and CCleaner64.exe. The application shortcut created on install points to the executable appropriate for the system architecture (e.g. on a 64-bit system, the CCleaner shortcut points to CCleaner64.exe). When the installation finishes, the final button 'Run CCleaner' will launch the binaries appropriate for the system architecture.

In some cases, the 32-bit executable may be launched on a 64-bit system. For example, the CCleaner cleaning scheduler points to CCleaner.exe regardless of system architecture. If the 32-bit executable is launched, it goes through the following sequence:

1. Check the operating system architecture
2.a. If 32-bit: continue through CCleaner.exe initialisation sequence
2.b. If 64-bit: search for the existence of CCleaner64.exe in the CCleaner folder
2.b.i. If CCleaner64.exe exists: attempt to launch it and immediately close the current instance of CCleaner.exe (do not wait for any callback)
2.b.ii. If CCleaner64.exe does not exist: continue through CCleaner.exe initialisation sequence

The malware was injected early in the initialisation code of the 32-bit binary and runs on a separate thread parented to the 32-bit instance. When the malicious code is run, first it records the system time, then it waits 601 seconds before performing any other operation. On a 64-bit system, the 32-bit instance will typically terminate in fractions of a second, long before the 601-second 'sleep' window has expired.

Unless the code ran on a 64-bit system long enough for the delayed action to be triggered, assuming the installation was not corrupt or the CCleaner64.exe binaries modified in any way, we believe a 64-bit system should not have received the second payload.
malika4 Posted September 28, 2017

So a 64-bit system is clean and safe? It hasn't received the first payload, you would say?

> Unless the code ran on a 64-bit system long enough for the delayed action to be triggered, assuming the installation was not corrupt or the CCleaner64.exe binaries modified in any way, we believe a 64-bit system should not have received the second payload.

Is it correct that if the Agomo keys aren't in the registry, the backdoor was not activated? And a 64-bit system without Agomo keys is clean and not compromised?
patrykr Posted September 28, 2017

> So a 64-bit system is clean and safe? It hasn't received the first payload, you would say?

Hello, no one can confirm that for you with 100% certainty. Piriform, forum moderators and members provide the relevant information; the rest is up to you to figure out based on your knowledge of your system. There are some unusual and highly unlikely conditions which, when met, could get your system infected with the first payload.

Let me tell you this: if I were on Millionaires, and the last $1.000.000 question were "Did malika4 get infected with the first stage payload during the CCleaner v5.33 infection incident?", and one of the answers were "No", I would (based on the info you provided: x64, no Agomo keys etc.) certainly choose "No", as that is simply the most probable answer.

Hello, my question for Piriform/Avast concerning the CCleaner v5.33 infection: Is the Business Edition installer (ccsetup533_be.exe, MD5: 60f18d92353d46dfc715ffd9fbefecfc) affected like the other ones, i.e. the executable of the installer itself is malware-free, and only installs the trojanized CCleaner.exe file? Thank you very much for your time!
Guest Stephen CCleaner Posted September 29, 2017

Hi patrykr

> Is the Business Edition installer (ccsetup533_be.exe, MD5: 60f18d92353d46dfc715ffd9fbefecfc) affected like the other ones, i.e. the executable of the installer itself is malware-free, and only installs the trojanized CCleaner.exe file?

That's correct. Your antivirus solution should detect this. We recommend that you remove the installer (or allow your antivirus to remove it) whether it has been launched or not.

The MD5 and SHA-256 hashes for the latest versions of Business Edition are as follows:

ccsetup535_be.exe - CCleaner Business Edition Installer
MD5: a4764ceac2ea72ce6045367c0e59b6eb
SHA256: 40e18acdda6b3d58665f58231c700a1f15e1dbbcd8f7f56b5e8f94cca115652f

ccsetup535_be.msi - CCleaner Business Edition MSI Installer
MD5: f16911c5aaf026e189705f06d9da41ee
SHA256: 7f6c24f459725110d714fa5324cfd7a57afb24245c9cc358b7f2b724a64763d6

ccsetup535_be_trial.exe - CCleaner Business Edition Trial Installer
MD5: f545db13ed4833821266f1a740d83bfe
SHA256: 04ff4c729fc93a97688602f83fa4603cb2d0913bdc7538fa7e69b098f4307402
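As an added example (not Piriform's or Avast's code, and not part of the original thread), the following PowerShell ties together the host checks discussed above: the Agomo registry key in both the native and Wow6432Node views from malika4's post, the CCleanerSkipUAC task that launches the 32-bit CCleaner.exe and the hand-off to CCleaner64.exe that Stephen describes, and the installer hashes in this post. It assumes it runs elevated on 64-bit Windows with PowerShell 5.1 or later; $installerDir is a placeholder for wherever archived installers are kept.

```powershell
# Added triage script; assumptions: elevated PowerShell on 64-bit Windows,
# and $installerDir (below) adjusted to wherever installers were archived.

# 1. Registry indicator. A 32-bit process writing under HKLM\SOFTWARE on
#    64-bit Windows is redirected to Wow6432Node, so both views are checked
#    explicitly rather than relying on what one regedit view shows.
$agomoPaths = @(
    'HKLM:\SOFTWARE\Piriform\Agomo',
    'HKLM:\SOFTWARE\Wow6432Node\Piriform\Agomo'
)
foreach ($p in $agomoPaths) {
    if (Test-Path $p) {
        Write-Warning "Indicator present: $p"
        Get-ItemProperty -Path $p | Format-List *
    } else {
        Write-Output "Not present: $p"
    }
}

# 2. Scheduled task. Per the thread, CCleanerSkipUAC points at the 32-bit
#    CCleaner.exe regardless of architecture; report what it launches and
#    whether CCleaner64.exe exists beside it for the hand-off Piriform describes.
$task = Get-ScheduledTask -TaskName 'CCleanerSkipUAC' -ErrorAction SilentlyContinue
if ($task) {
    foreach ($a in $task.Actions) {
        Write-Output ("Task action: {0} {1}" -f $a.Execute, $a.Arguments)
        $dir = Split-Path -Parent ($a.Execute.Trim('"'))
        $x64 = Join-Path -Path $dir -ChildPath 'CCleaner64.exe'
        Write-Output ("CCleaner64.exe present for hand-off: {0}" -f (Test-Path $x64))
    }
} else {
    Write-Output 'Scheduled task CCleanerSkipUAC not found'
}

# 3. Installer hashes, all taken from this thread: the 5.33 Business Edition
#    installer MD5 that Piriform confirmed as affected, and the 5.35 Business
#    Edition SHA-256 values Piriform published as known good.
$affectedMd5 = @{ '60f18d92353d46dfc715ffd9fbefecfc' = 'ccsetup533_be.exe (affected)' }
$knownGoodSha256 = @{
    '40e18acdda6b3d58665f58231c700a1f15e1dbbcd8f7f56b5e8f94cca115652f' = 'ccsetup535_be.exe'
    '7f6c24f459725110d714fa5324cfd7a57afb24245c9cc358b7f2b724a64763d6' = 'ccsetup535_be.msi'
    '04ff4c729fc93a97688602f83fa4603cb2d0913bdc7538fa7e69b098f4307402' = 'ccsetup535_be_trial.exe'
}
$installerDir = "$env:USERPROFILE\Downloads"   # placeholder location, adjust as needed
Get-ChildItem -Path $installerDir -Filter 'ccsetup*' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $md5 = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash.ToLower()
        $sha = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
        if ($affectedMd5.ContainsKey($md5)) {
            Write-Warning ("{0}: matches {1}" -f $_.Name, $affectedMd5[$md5])
        } elseif ($knownGoodSha256.ContainsKey($sha)) {
            Write-Output ("{0}: matches published hash for {1}" -f $_.Name, $knownGoodSha256[$sha])
        } else {
            Write-Output ("{0}: no match among the hashes in this thread (SHA256 {1})" -f $_.Name, $sha)
        }
    }
```

Absence of the Agomo key and of a long-lived 32-bit instance is consistent with Piriform's description of a 64-bit system that did not reach the second stage, but it is not proof on its own; an installer whose hash matches neither list simply is not one the thread published values for.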
malika4 Posted September 29, 2017

> In some cases, the 32-bit executable may be launched on a 64-bit system. For example, the CCleaner cleaning scheduler points to CCleaner.exe regardless of system architecture. If the 32-bit executable is launched, it goes through the following sequence:
> 1. Check the operating system architecture
> 2.a. If 32-bit: continue through CCleaner.exe initialisation sequence
> 2.b. If 64-bit: search for the existence of CCleaner64.exe in the CCleaner folder
> 2.b.i. If CCleaner64.exe exists: attempt to launch it and immediately close the current instance of CCleaner.exe (do not wait for any callback)
> 2.b.ii. If CCleaner64.exe does not exist: continue through CCleaner.exe initialisation sequence

Is the CCleaner scheduler the automatic cleaning of the system option? (Run CCleaner on a schedule?) I don't have this option activated.
kleonmon Posted October 1, 2017

Hello, I upgraded yesterday, I do not know from which version, to 535. I did not notice yesterday that CCleaner was not running. Today I noticed that it was not running. I am using the free version; I uninstalled it from Apps and Features (Windows 10 x64) and tried installing the 535 version, which failed with an error about "ccleaner64.exe". I tried deleting this file in the "program files/ccleaner" folder, but it says I need to be an administrator, which I am. I tried running a force delete from cmd as administrator and failed again. Then I noticed that Windows Defender and Malwarebytes Anti-Malware had quarantined the 533 setup file earlier in the month.

How do I delete "ccleaner64.exe"? How do I check if my computer is infected by this virus/malware? Please advise.
mrdimly Posted October 2, 2017

> Hi patrykr
> That's correct. Your antivirus solution should detect this. We recommend that you remove the installer (or allow your antivirus to remove it) whether it has been launched or not.
> The MD5 and SHA-256 hashes for the latest versions of Business Edition are as follows:
> ccsetup535_be.exe - CCleaner Business Edition Installer
> MD5: a4764ceac2ea72ce6045367c0e59b6eb
> SHA256: 40e18acdda6b3d58665f58231c700a1f15e1dbbcd8f7f56b5e8f94cca115652f
> ccsetup535_be.msi - CCleaner Business Edition MSI Installer
> MD5: f16911c5aaf026e189705f06d9da41ee
> SHA256: 7f6c24f459725110d714fa5324cfd7a57afb24245c9cc358b7f2b724a64763d6
> ccsetup535_be_trial.exe - CCleaner Business Edition Trial Installer
> MD5: f545db13ed4833821266f1a740d83bfe
> SHA256: 04ff4c729fc93a97688602f83fa4603cb2d0913bdc7538fa7e69b098f4307402

Hi Stephen Piriform,

It would be nice to give us MD5, SHA-1 and SHA-256 hashes for the CCleaner 5.33 standard, slim, and portable versions for verification purposes, as I still have a 5.33_slim installer archived (downloaded 01 Sept 2017), although I uninstalled it successfully, as it seems. I didn't find those anywhere and, like many people, am very curious to know about them.