bonzaitreekiller Posted September 18, 2017

You do know that Cisco (Talosintellegence.com) is spreading lies and misinformation about this, right? (In the comments, specifically Craig Williams.) Craig Williams at the blog http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html is telling people the only way to recover from this is a complete format, and of course to download their software after. When I tried to post how easy this was to fix he would not approve my posts, and when I took it to Twitter he blocked me without reply.

You want a suspect with know-how and motive, but who would not cause lots of damage, so that if they got caught it wouldn't send anyone to jail? Hmmmmmmm... and right after you're bought by Avast...

Seriously though, barring that insane(?) thought, they really are spreading lies and hysteria about this.

CRAIG WILLIAMS, SEPTEMBER 18, 2017 AT 9:50 AM: Uninstalling the tool will not remove the malware. To remove the malware you should restore from a previous backup that is known to be clean or try a virus removal tool.
kreien Posted September 18, 2017

Is CCleaner Pro (32 bit) also affected?
trparky Posted September 18, 2017

That's easy enough to test. Go to the CCleaner folder and delete CCleaner.exe, leaving just CCleaner64.exe. Then launch CCleaner from the desktop or taskbar. It still runs even without the 32-bit exe being there at all. So I would say the assumption is wrong. Doing that does break the auto-elevation process, though.
robertcarroll6 Posted September 18, 2017

I am not particularly knowledgeable on such situations. I think those who have/may have installed the version identified have many questions. A few I can think of are:

1) Will updating to the latest software version remove the infected files? I assume it will, as it was those particular files that were affected. However, what about the "2nd payload" mentioned in the blog post? Was this actually downloaded, or could it just potentially have been downloaded if set to do so? If it is downloaded somewhere, is it in a separate location from the files affected or in the same location, and will it too be removed? Clarification on this would be good.

2) The blog post mentions it is the 32-bit version of Windows that is affected. From the above post I can see that it is the 32-bit version of the CCleaner software that is affected. I assume the 64-bit version isn't affected; however, like the above post mentions, their ccsetup5.33 installer has been flagged (mine too). When I read one of the original articles I updated immediately as I had the affected version number in question, however I did not notice if I had the 64-bit or 32. It now says I have the 64-bit latest release. This may sound dumb, but I guess that the updater will not update to 64-bit from 32, and assume I had 64-bit before? If anyone could confirm that would be great.

3) Is there any information on what the 2nd payload did/was supposed to do? I guess what people really want to know is: are all my passwords safe? Is my bank info safe? Do I need to change everything?

4) Is there any way to tell if we were/are infected? Can we see if our PCs contacted this IP or downloaded anything from there? Will the latest updates to scanners detect anything? (See Q5)

5) I assume that all the security packages, malware scanners etc. are now aware of the situation and can scan for anything affected?

I guess I should be checking their website for updates as well, but clarification on this would be good. I realise some of these are probably dumb questions, but there may be people out there who are in the same boat and would like information on this matter to sort the problem or alleviate their own fears. Thanks.

All pertinent questions that I think many users would like to see answered.
oldmanphil Posted September 18, 2017

What happens to the malware when I uninstall CCleaner? I uninstalled CCleaner a week ago because of how rarely I used the program. I don't have a restore point from a week ago to check what version of CCleaner I was using. Is there any way to check if I was affected by the malware? Will Malwarebytes detect the malware when CCleaner was uninstalled?

Update: I realized I had CCleaner64.exe (64-bit).
crustybread Posted September 18, 2017

Malwarebytes is calling it Trojan.Floxif. Malwarebytes does not show I was infected, just that the file CCleaner 5.33 was or is. Your ad states "trusted by millions"; I say not anymore! Also, clean up your act: your Google+ page is advertising 5.33. Thanks, Piriform.
PTDDS Posted September 18, 2017

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 9/19/17
Scan Time: 9:00 AM
Log File:
Administrator: Yes

-Software Information-
Version: 3.1.2.1733
Components Version: 1.0.160
Update Package Version: 1.0.2837
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: System

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 264945
Threats Detected: 2
Threats Quarantined: 2
Time Elapsed: 3 min, 53 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registry Key: 1
Trojan.Floxif.Trace, HKLM\SOFTWARE\PIRIFORM\AGOMO, Quarantined, [8823], [436394],1.0.2837
Registry Value: 1
Trojan.Floxif.Trace, HKLM\SOFTWARE\PIRIFORM\AGOMO|TCID, Quarantined, [8823], [436394],1.0.2837
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 0
(No malicious items detected)
File: 0
(No malicious items detected)
Physical Sector: 0
(No malicious items detected)
(end)

32-bit, updated CCleaner one week ago to the hacked version. Currently running the new updated version, but I'm concerned now that, after running the hacked version several times last week, my info is leaked. I do not believe that reinstalling back to an older version prior to Aug 15 will accomplish a satisfactory outcome if current details have already been compromised. Correct me if I'm wrong, but previous scanning with Malwarebytes and Kaspersky programs would not have picked up this threat until they were advised of this threat????? Advice on where to go from here would be well appreciated > Piriform.
larrylundeen51 Posted September 18, 2017

Following is a report from a scan today on a 64-bit Windows 7 desktop. Is this the bugger in question? (see last few lines)

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 9/18/17
Scan Time: 3:45 PM
Log File: 01d0e806-9cc3-11e7-b5b0-00ff5b689eef.json
Administrator: Yes

-Software Information-
Version: 3.2.2.2029
Components Version: 1.0.188
Update Package Version: 1.0.2836
License: Trial

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: MININT-LHEJISC\Office

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 319242
Threats Detected: 1
Threats Quarantined: 1
Time Elapsed: 4 min, 36 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registry Key: 0
(No malicious items detected)
Registry Value: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 0
(No malicious items detected)
File: 1
Trojan.Floxif, C:\USERS\OFFICE\DOWNLOADS\CCLEANER_V5.33.6162.EXE, Quarantined, [8820], [436382],1.0.2836
Physical Sector: 0
(No malicious items detected)
(end)
playbook Posted September 19, 2017

One of my many PCs (an old 32-bit Windows 10 tablet) was infected. I was able to use Malwarebytes to remove the infection, and all other scans with Rkill, JRT, AdwCleaner, and Defender are all showing up as clean (run multiple times after resets etc.). I have also uninstalled CCleaner on this tablet. Now my question is, what should I do next?

"The compromise could cause the transmission of non-sensitive data (computer name, IP address, list of installed software, list of active software, list of network adapters) to a 3rd party computer server in the USA."

Based on the information above:

Should I be concerned that any logins and passwords for websites or apps (for example Microsoft account login, Steam, Origin, Netflix, Skype, etc.) may be compromised due to this infection?

Was it only the infected PC's local network card MAC address that was leaked, or did it also grab the MAC addresses of all the PCs connected on my network? What is the probability of other PCs on my network (which did not have the affected CCleaner) having been compromised just because they are on my network with this one infected tablet? Should I manually change all the MAC addresses on all my network-attached devices because of this?

Finally, what can a malicious entity do with the type of information collected due to this infection?

Thanks for any help you guys can share on this issue. Really sucks that I have to deal with this problem now all because of one stupid old 32-bit Windows 10 tablet.
Moderators Nergal Posted September 19, 2017

Some news I'd not yet seen in this thread. The server which was receiving the stolen data is now down. Source: http://time.com/4946576/ccleaner-malware-hack

Edit: it was buried in the first post, I just didn't catch it I guess.

ADVICE FOR USING CCleaner'S REGISTRY INTEGRITY SECTION: DON'T JUST CLEAN EVERYTHING THAT'S CHECKED OFF. Do your Registry Cleaning in small bits (at the very least check-mark by check-mark). ALWAYS BACKUP THE ENTRY, YOU NEVER KNOW WHAT YOU'LL BREAK IF YOU DON'T.
Support at https://support.ccleaner.com/s/?language=en_US
Pro users file a PRIORITY SUPPORT via email support@ccleaner.com
PTDDS Posted September 19, 2017

Is it me, or am I totally wrong in my approach? CCleaner has been one of several programs used in my arsenal for the sole purpose of attaining and/or achieving as much privacy and security as reasonably possible. CCleaner usage assists in both cleaning and deleting web history and remnants of computer usage, and now further too, being recently acquired by Avast, who positions itself as an IT security provider. Very ironic that, now of all times, we find that CCleaner has been hacked with a trojan. How incredulous is that, but wait, it's only purported to be approx 3% of the millions of users who have trusted CCleaner and Piriform. I purposely chose to continue with Win 7 until its final death due to its stability and the failing issues with upgrades 8, 8.1, 10 from Microsoft; the same was said for CCleaner, until now. Performance gives credibility and integrity to suppliers, not waiting 5 days or more to notify users via a back door, not to mention the fact that millions of worldwide computer users are NOT all totally knowledgeable of the IT world. At this point I would welcome a clear and definite answer (have my details been leaked?) and what procedures should I further take now, other than a full scan for malware.
c627627 Posted September 19, 2017

Would you please post if the Slim version was affected?
Moderators Nergal Posted September 19, 2017

"Would you please post if the Slim version was affected?"

It sounds like it would be, as well as the portable; the malware was in the ccleaner.exe itself and that file is the same in all three builds.
c627627 Posted September 19, 2017

Thank you. And now the most important clarification question: Even though both CCleaner64.exe and CCleaner.exe are installed on 64-Bit systems, if only the CCleaner desktop shortcut was used, which always points to CCleaner64.exe, then that would mean that CCleaner.exe was never run. Therefore really the only systems affected are 32-Bit ONLY systems, since it's highly unlikely that someone would go out of their way and actually manually run CCleaner.exe instead of CCleaner64.exe on a 64-Bit system. Is that correct? Because then most of us on 64-Bit systems have nothing to worry about, even if we installed the infected version, since the non-64-bit exe was never run. It was installed, but never run, unless we manually went into the folder to run it. And who would do that on a 64-Bit system? Almost no one. Correct?
Moderators Nergal Posted September 19, 2017

Usually the desktop shortcut points to ccleaner.exe, which hands it off to ccleaner64. While we've not been informed whether the hand-off happens before or after the malware loads, the staff (volunteer moderators) is speaking with Admins (Piriform employees like Tom (OP)) in a separate place.
c627627 Posted September 19, 2017

"Usually the desktop shortcut points to ccleaner.exe, which hands it off to ccleaner64. While we've not been informed whether the hand-off happens before or after the malware loads, the staff (volunteer moderators) is speaking with Admins (Piriform employees like Tom (OP)) in a separate place."

I clearly see my desktop shortcut pointing to the 64-bit exe, but rather than going into why my desktop shortcut is pointing to it instead of, as you say, the non-64-bit .exe, would you please instead just take a look at these attached shortcut screenshots and confirm that there is a 100% certainty that running the shortcuts in the screenshots below, and those shortcuts only, would *not* have activated the infection in any way?
Moderators Nergal Posted September 19, 2017

In this case you should be fine.
c627627 Posted September 19, 2017

Thank you. You know, I don't know where you are getting that 64-bit system shortcuts are pointing to the non-64-bit exe, but can you investigate this and see if other people's shortcuts also point to the 64-bit exe? Because if they do, like on my system, you should probably put that front and center: that 64-Bit system users have nothing to worry about. I am just a little concerned about the statement "ccleaner.exe which hands it off to ccleaner64". Can you please confirm that launching CCleaner64.exe does not *ever in any way* launch CCleaner.exe? In other words, the infection on 64-Bit systems can only take place if a user actually manually browses to the installation folder and, for some strange unknown reason, manually activates CCleaner.exe instead of CCleaner64.exe?
LordKane Posted September 19, 2017

"Is it me, or am I totally wrong in my approach? CCleaner has been one of several programs used in my arsenal for the sole purpose of attaining and/or achieving as much privacy and security as reasonably possible. CCleaner usage assists in both cleaning and deleting web history and remnants of computer usage, and now further too, being recently acquired by Avast, who positions itself as an IT security provider. Very ironic that, now of all times, we find that CCleaner has been hacked with a trojan. How incredulous is that, but wait, it's only purported to be approx 3% of the millions of users who have trusted CCleaner and Piriform. I purposely chose to continue with Win 7 until its final death due to its stability and the failing issues with upgrades 8, 8.1, 10 from Microsoft; the same was said for CCleaner, until now. Performance gives credibility and integrity to suppliers, not waiting 5 days or more to notify users via a back door, not to mention the fact that millions of worldwide computer users are NOT all totally knowledgeable of the IT world. At this point I would welcome a clear and definite answer (have my details been leaked?) and what procedures should I further take now, other than a full scan for malware."

From my personal research on this issue, it's not a trojan in the strictest sense: it had a payload, but that payload was not activated, and its ability to be activated has been effectively disabled, and with the update the payload no longer exists, so no, your information has not been compromised. See the original post about this issue and this recent update from Avast: https://blog.avast.com/update-to-the-ccleaner-5.33.1612-security-incident?utm_campaign=socialposts_us&utm_source=twitter&utm_medium=post
saurabhdua Posted September 19, 2017

So the 64-bit version was not affected?

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 9/19/17
Scan Time: 12:48 PM
Log File: MBAM.txt
Administrator: Yes

-Software Information-
Version: 3.1.2.1733
Components Version: 1.0.160
Update Package Version: 1.0.2839
License: Free

-System Information-
OS: Windows 10 (Build 15063.483)
CPU: x64
File System: NTFS

File: 1
Trojan.Floxif, C:\PROGRAM FILES\CCLEANER\CCLEANER.EXE, No Action By User, [8820], [436381],1.0.2839
ewv Posted September 19, 2017

You wrote "the MD5 hash of the affected CCleaner.exe is: ef694b89ad7addb9a16bb6f26f1efaf7". The website for Cisco Talos, which discovered the problem, gives three SHA256 hashes at http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html

6F7840C77F99049D788155C1351E1560B62B8AD18AD0E9ADDA8218B9F432F0A9
1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff
36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9

My 533 installer from 8/17/17 matches the second SHA256. My 533 ccleaner.exe matches the first SHA256 and your MD5. What file is the file corresponding to the third SHA256 from Cisco? (My current version is 534, but the malware 533 was in use on two machines for almost a month.)
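The comparison ewv describes (hashing a local installer or CCleaner.exe and checking it against the published digests) is easy to get wrong by hand because of mixed-case hex and because a file's MD5 and SHA-256 must be compared against different lists. The following script is an added example, not code from this thread, from Piriform or from Cisco Talos; it embeds only the hash values quoted in the post above, normalises case before comparing, streams the file so a large installer need not fit in memory, and reports which list (MD5 or SHA-256) each file matched. The default file paths are the two locations that appear in the scan logs earlier in this thread; any other path or hash set is the user's own input.

```python
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# Digests quoted in this thread: the three SHA-256 values attributed to Cisco Talos
# and the MD5 given for the affected CCleaner.exe. Stored lower-case; comparisons
# are case-insensitive because the published list mixes upper and lower case.
KNOWN_BAD_SHA256 = {
    "6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9",
    "1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff",
    "36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9",
}
KNOWN_BAD_MD5 = {"ef694b89ad7addb9a16bb6f26f1efaf7"}

# Paths taken from the Malwarebytes logs posted in this thread; adjust for your system.
DEFAULT_TARGETS = [
    r"C:\Program Files\CCleaner\CCleaner.exe",
    r"C:\Users\Office\Downloads\ccleaner_v5.33.6162.exe",
]


def file_digests(path, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests of a file, read in 1 MiB chunks."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def check_file(path, bad_sha256=KNOWN_BAD_SHA256, bad_md5=KNOWN_BAD_MD5):
    """Hash one file and report which known-bad list(s) it matches.

    Returns a dict with the path, both digests and a 'matches' list that is empty
    for a file matching neither list. Known-bad sets are lower-cased on entry so
    callers may pass values copied in either case.
    """
    md5, sha256 = file_digests(path)
    bad_sha256 = {h.lower() for h in bad_sha256}
    bad_md5 = {h.lower() for h in bad_md5}
    matches = []
    if sha256 in bad_sha256:
        matches.append("sha256")
    if md5 in bad_md5:
        matches.append("md5")
    return {"path": str(path), "md5": md5, "sha256": sha256, "matches": matches}


def scan_paths(paths, **kwargs):
    """Check every existing regular file in `paths`; missing paths are skipped."""
    return [check_file(p, **kwargs) for p in map(Path, paths) if p.is_file()]


def self_check():
    """Constructed demonstration on a temporary file (not a real installer).

    Returns (matches_for_clean_file, matches_once_its_digest_is_listed): the
    first is empty, the second shows the SHA-256 path being reported.
    """
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"constructed benign sample, not a real installer\n")
        name = tmp.name
    try:
        clean = check_file(name)
        # Use the upper-cased digest to exercise the case-insensitive comparison.
        flagged = check_file(name, bad_sha256={clean["sha256"].upper()}, bad_md5=set())
    finally:
        os.remove(name)
    return clean["matches"], flagged["matches"]


if __name__ == "__main__":
    # Usage: python check_ccleaner_hashes.py [file ...]
    results = scan_paths(sys.argv[1:] or DEFAULT_TARGETS)
    if not results:
        print("no readable files found; pass explicit paths")
    for r in results:
        verdict = "MATCHES KNOWN-BAD " + ",".join(r["matches"]) if r["matches"] else "no match"
        print(f"{r['path']}\n  md5    {r['md5']}\n  sha256 {r['sha256']}\n  {verdict}")
```

A "no match" result only says the file is not one of the three samples on this list; a scanner with current signatures remains the better check for a system that ran the affected build, and the registry artefacts shown in the Malwarebytes logs above are not covered by a file-hash comparison at all.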
Moderators Andavari Posted September 19, 2017

"What file is the file corresponding to the third SHA256 from Cisco?"

Just searched for the hash and it comes up in searches, in particular:
* https://www.virustotal.com/en/file/36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9/analysis/
Aethernaut Posted September 19, 2017

"Is CCleaner Pro (32 bit) also affected?"

I have a stored copy of the affected Pro installer and I can confirm that it does contain a 32-bit CCleaner.exe with an MD5 that matches the value published at #13 (https://forum.piriform.com/index.php?showtopic=48869&p=286414).
Moderators Andavari Posted September 19, 2017

"It sounds like it would be, as well as the portable; the malware was in the ccleaner.exe itself and that file is the same in all three builds."

Yes, Portable is also infected. To find out I extracted it from my backup image and these are the ClamWin results:

Scan Started Tue Sep 19 05:11:25 2017
-------------------------------------------------------------------------------
C:\Temp\CCleaner.exe: Win.Trojan.Floxif-6336251-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6303670
Engine version: 0.99.1
Scanned directories: 1
Scanned files: 2
Infected files: 1
Data scanned: 0.13 MB
Data read: 7.32 MB (ratio 0.02:1)
Time: 36.281 sec (0 m 36 s)
--------------------------------------
Completed
--------------------------------------
IceDog4 Posted September 19, 2017

"So the 64-bit version was not affected?"

My anti-malware program (Malwarebytes) just removed a trojan file from the Piriform 5.33 64-bit version. Registry keys were infected as well.