c627627 Posted September 19, 2017

Well, see, that's why it's important to clarify that. CCleaner.exe is infected and Ccleaner64.exe is not. Why does the 64-Bit version even install CCleaner.exe if it is not used at all on 64-Bit systems, which use Ccleaner64.exe instead? If CCleaner.exe is never launched there, there is no infection. But why is Ccleaner.exe even there on 64-Bit systems, what is its purpose, if it's never launched by the Desktop shortcut which clearly points to Ccleaner64.exe?

Hijin25 Posted September 19, 2017

I have Windows 7 64-bit and yesterday, when running CCleaner, my antivirus ESET Smart Security notified me of this threat:

Hour; 9/18/2017 1:32:40 p.m
Scan module; Memory scan
Type of object; archive
Object; Operating Memory = CCleaner.exe (1124)
Threat; a variant of Win32 / CCleaner.B Trojan
Action; disinfected - contained infected files
User;
Information;
Hash; 38365DFEDF883AB2CF0F21434686BF58B8FAE5F6
First seen here

That's how I found out about the problem.

Dennis2 Posted September 19, 2017

So you guys talked about the manual execution of the 32-bit file and how unlikely this is. As stated in a former post, I probably opened CCleaner.exe instead of CCleaner64.exe as I used the portable version of 5.33.6162 on my 64-bit Windows 10. I did not take notice of it, because no matter what, CCleaner always ran in 64-bit mode on my system.

The question now is, am I affected by this issue as I opened CCleaner.exe manually on my 64-bit system? Could Piriform clarify? What do others think?

Dennis2

simprove Posted September 19, 2017

I doubt CCleaner64.exe was not infected, indirectly or otherwise. I have suffered two separate credit card fraud attacks during the period version 5.33 was active. No such problem for years previously in any of my online banking transactions. Possibly a coincidence, but I don't think that's likely.

S_M_101 Posted September 19, 2017

There's a severe lack of communication here... I think we need answers as soon as possible. At least an update if more information is to come.

rguilmette Posted September 19, 2017

This is what my Symantec Cloud reported this morning.

Filename: ccsetup533.exe
Threat name: Trojan.Sibakdi
Full Path: c:\users\rong\downloads\ccsetup533.exe
____________________________
On computers as of 8/23/2017 at 8:52:17 AM
Last Used 9/19/2017 at 9:25:41 AM
Startup Item No
Launched No
Threat type: Virus. Programs that infect other programs, files, or areas of a computer by inserting themselves or attaching themselves to that medium.
____________________________
ccsetup533.exe
Threat name: Trojan.Sibakdi
Locate
Many Users
Hundreds of thousands of users in the Symantec Community have used this file.
Mature
This file was released 1 month ago.
High
This file risk is high.
____________________________
http://dl2.filehippo.com/95c2a01bfa5c40f5998fd4fd92ab6a85/ccsetup533.exe?ttl=1503518014&token=f33dfe236594a1abd16ca3d5ba14b18d
Downloaded File from filehippo.com
Source: External Media
ccsetup533.exe
____________________________
File Actions
File: c:\users\rong\downloads\ ccsetup533.exe Removed
____________________________
File Thumbprint - SHA: 1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff
File Thumbprint - MD5: 75735db7291a19329190757437bdb847

nukecad (Moderators) Posted September 19, 2017

> The question now is, am I affected by this issue as I opened CCleaner.exe manually on my 64-bit system? Could Piriform clarify? What do others think?

According to this article on bleepingcomputer there will be a registry entry left behind if you were actually infected.
https://www.bleepingcomputer.com/how-to/security/ccleaner-malware-incident-what-you-need-to-know-and-how-to-remove/

I have checked my 64-bit Windows 10 and even though I do have the compromised installer (I've still got it saved) and did install 5.33 I do not have that registry entry.

So the answer seems to be to check for this registry entry. If you do not have this registry entry then you were not infected.

*** Out of Beer Error ->->-> Recovering Memory ***
Worried about 'Tracking Files'? Worried about why some files come back after cleaning? See this link: https://community.ccleaner.com/topic/52668-tracking-files/?tab=comments#comment-300043

kpcannon Posted September 19, 2017

My wife's PC was hit with a similar problem this morning when she started it up. ZoneAlarm caught it and treated it. Problem is, it is a Windows Home 7 SP1 64-bit machine running Ccleaner Pro 64-bit (and, yes, now that it hit me a few minutes ago, I went back to her PC and it was running 6162 which I have now upgraded).

However, my similar machine got hit some 4 hours later. ZoneAlarm caught it and I was able to catch some info before I had to reboot after ZA treated something called "Backdoor.Win32.Infecleaner.a". When I rebooted, before complete startup, I got prompted to let Piriform start up the Ccleaner monitor (never asked before). I said "NO" and am now running normally without the Ccleaner monitor running.

My PC is Windows 8 64-bit OS. Starting Ccleaner from the desktop reveals it is: 6162 bit version. I have attached 2 printscreens...hope they come through to you. Am going to update Ccleaner.

kpcannon Posted September 19, 2017

Further to my last post....it now appears that my Ccleaner's ability to update has been damaged (see printscreens). I will continue to try to get it done.

nukecad (Moderators) Posted September 19, 2017

Statement from Avast: https://blog.avast.com/update-to-the-ccleaner-5.33.1612-security-incident

Nergal (Moderators) Posted September 19, 2017

@kpcannon if it does not work, go to piriform.com/ccleaner/builds and download the portable version. Copy ccleaner.exe and ccleaner64.exe from the zip to c:\Program Files\ccleaner (or where your ccleaner is if you customized the install path), overwriting the .33 files with .34.

ADVICE FOR USING CCleaner'S REGISTRY INTEGRITY SECTION
DON'T JUST CLEAN EVERYTHING THAT'S CHECKED OFF.
Do your Registry Cleaning in small bits (at the very least Check-mark by Check-mark)
ALWAYS BACKUP THE ENTRY, YOU NEVER KNOW WHAT YOU'LL BREAK IF YOU DON'T.
Support at https://support.ccleaner.com/s/?language=en_US
Pro users file a PRIORITY SUPPORT via email support@ccleaner.com

ewv Posted September 19, 2017

Just searched for the hash and it comes up in searches, in particular:

* https://www.virustotal.com/en/file/36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9/analysis/

That is identified as ccleaner.exe, too. Why are there two bad ccleaner.exe's with different hashes and only one bad installer?

Nergal (Moderators) Posted September 19, 2017

> Just searched for the hash and it comes up in searches, in particular:
> * https://www.virustotal.com/en/file/36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9/analysis/
> That is identified as ccleaner.exe, too. Why are there two bad ccleaner.exe's with different hashes and only one bad installer?

Not sure I understand the last part of what you said. What "bad installer"? What are the two bad ccleaner.exe? Only 5.33 was affected.

splunge Posted September 19, 2017

Hello all! My Avira antivirus today reported finding TR/RedCap.zioqa in ccleaner.exe and moved it to quarantine. I'm running the 64 bit version of CCleaner, installed it this September. I did a Malwarebytes scan after this, and it found no malware.

I didn't use CCleaner for the past few days, so today, after receiving the notification about the trojan, I opened it and it notified me about the update, so I applied it. I also read the Avast blog about the security issue.

I see that some people posted about having differently named malware in their systems. Is the TR/RedCap.zioqa just a different name for the same thing? Does that also mean that CCleaner is now ok and I don't need to do anything else?

ewv Posted September 19, 2017

> Not sure I understand the last part of what you said. What "bad installer"? What are the two bad ccleaner.exe? Only 5.33 was affected.

There appear to be two files, identifiable by their hashes as compromised, the 5.33 version of ccleaner.exe and the installer ccsetup533.exe. But there are three hashes given, with two different values for ccleaner.exe.

Andavari (Moderators) Posted September 19, 2017

> I see that some people posted about having differently named malware in their systems. Is the TR/RedCap.zioqa just a different name for the same thing? Does that also mean that CCleaner is now ok and I don't need to do anything else?

Different anti-virus/anti-malware vendors will give the same infection a different name for the detection, so it's not universally named between different vendors.

splunge Posted September 19, 2017

OK, thanks!

login123 Posted September 20, 2017

> Hi all,
> The only version affected is the 32-bit binary of CCleaner v5.33.6162. It was the application that was the issue, not the installer. If you’re using a 64-bit version of CCleaner, then you’re unaffected although we recommend updating to the latest version. There is also no effect to the Mac or Android versions.
> At this time, we won’t be releasing a detection tool as the issue was in CCleaner itself, so uninstalling or updating the software removes the risk. You can download directly for free from here: www.piriform.com/ccleaner/download/standard
> For those interested, the MD5 hash of the affected CCleaner.exe is: ef694b89ad7addb9a16bb6f26f1efaf7
> Thanks - Tom

I have a file called ccsetup533.exe which was downloaded on 08 Sep 17 with these hashes as computed by Nirsoft's HashMyFiles.

md5: 75735db7291a19329190757437bdb847
sha256: 1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff

Avast alarms on this file and also on the slim version and the portable version downloaded the same date. Just an FYI.

The CCleaner SLIM version is always released a bit after any new version; when it is it will be HERE :-)
Pssssst: ... It isn't really a cloud. It's a bunch of big, giant servers.

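Added example (not part of any post in this thread and not Piriform's or Avast's code): a Python sketch that hashes every .exe under a folder once and compares each digest only against the thread's indicators for the same algorithm, since the posts above quote MD5, SHA-1 and SHA-256 values side by side. The function names, the labels in the table and the reading of the ESET "Hash" field as SHA-1 are assumptions of this example.

```python
import hashlib
import sys
from pathlib import Path

# Digests quoted in the posts above, grouped by algorithm; the labels are this
# example's own summary of what each post says the digest belongs to.
THREAD_INDICATORS = {
    "md5": {
        "ef694b89ad7addb9a16bb6f26f1efaf7": "CCleaner.exe 5.33 (Piriform statement)",
        "75735db7291a19329190757437bdb847": "ccsetup533.exe (Symantec report, HashMyFiles)",
    },
    # Assumption: the 40-hex-digit "Hash" field in the ESET log is SHA-1.
    "sha1": {
        "38365dfedf883ab2cf0f21434686bf58b8fae5f6": "CCleaner.exe (ESET log)",
    },
    "sha256": {
        "1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff":
            "ccsetup533.exe (Symantec report, HashMyFiles)",
        "36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9":
            "ccleaner.exe (VirusTotal link)",
    },
}

def file_digests(path, chunk_size=1 << 20):
    """Read the file once in chunks and return {algorithm: hex digest}."""
    hashers = {alg: hashlib.new(alg) for alg in THREAD_INDICATORS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {alg: hasher.hexdigest() for alg, hasher in hashers.items()}

def match_indicators(digests, indicators=THREAD_INDICATORS):
    """Return (algorithm, digest, label) for digests listed under the same algorithm."""
    hits = []
    for alg, digest in digests.items():
        label = indicators.get(alg, {}).get(digest.lower())
        if label is not None:
            hits.append((alg, digest.lower(), label))
    return hits

def scan(root, indicators=THREAD_INDICATORS):
    """Hash every .exe under root; return {path: hits} for files that match."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() != ".exe" or not path.is_file():
            continue
        try:
            hits = match_indicators(file_digests(path), indicators)
        except OSError:
            continue  # unreadable or locked file: skip it rather than abort the scan
        if hits:
            results[str(path)] = hits
    return results

if __name__ == "__main__":
    for name, hits in scan(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for alg, digest, label in hits:
            print(f"{name}: {alg} {digest} matches {label}")
```

A match means the file's bytes are identical to a file named in the thread; an empty result only says that none of these particular digests was found under that folder.
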
hazelnut (Moderators) Posted September 20, 2017

Avast (owner of Piriform's CCleaner) published this timeline of events...

https://www.bleepingcomputer.com/news/security/avast-clarifies-details-surrounding-ccleaner-malware-incident/

July 3 - Evidence suggests hackers breached Piriform's IT systems.
July 18 - Avast decides to buy Piriform, the company behind CCleaner.
August 15 - Piriform, now part of Avast, releases CCleaner 5.33. The 32-bit version (CCleaner 5.33.6162) included the Floxif trojan.
August 20 and 21 - Morphisec's security product detects first instances of malicious activity (malware was collecting device details and sending the data to a remote server), but Morphisec does not notify Avast.
August 24 - Piriform releases CCleaner Cloud v1.07.3191 that also includes the Floxif trojan.
September 11 - Morphisec customers share detection logs detailing CCleaner-related malicious activity with the company's engineers.
September 12 - Morphisec notifies Avast and Cisco of the suspicious CCleaner activity. Avast starts its own investigation and also notifies US law enforcement. Cisco also starts its own investigation.
September 14 - Cisco notifies Avast of its own findings.
September ?? - Cisco had registered, in the meantime, all the domains that the malware would have used in the future to determine and calculate the C&C server IP address.
September 15 - Following a collaboration between Avast and law enforcement, the malware's C&C server was taken down.
September 15 - Avast releases CCleaner 5.34 and CCleaner Cloud 1.07.3214 that remove the Floxif malware.
September 18 - CCleaner incident becomes public following Cisco, Morphisec, and Avast/Piriform reports.

Support contact https://support.ccleaner.com/s/contact-form?language=en_US&form=general or support@ccleaner.com

Tom CCleaner (Admin, Author) Posted September 20, 2017

Good morning all.

Apologies for the lack of communication. I hope that you can understand that it's been an incredibly busy time for our Customer Support team and given how quickly we identified the issue and made the announcement, we didn't have time to arrange extra support.

I'm going to attempt to answer a couple of the main questions that you all have. I would like to ask that if you have more questions, please read our blog post before asking as this may enable you to find the answer first. You can find this here: http://www.piriform.com/news/blog/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users

In addition to this, I'm not able to provide any more information than what is in any of the Piriform/Avast public statements although I can clarify the points to help with confusion.

The main question that people are asking seems to be "Am I affected if I'm using the 64-bit, what happens because the 32-bit is installed? What happens if I ran the 32-bit version?" The answer to this is that no matter which .exe you run, if 64-bit can be run on your machine, it will be the one that runs. Opening the 32-bit will just launch the 64-bit version so you really shouldn't worry.

"Is the Pro or slim affected?" Any version with the number 5.33.6162 is affected. This includes Free, Slim, Portable, Pro, Business and Technician Edition.

You're also asking "Am I still infected?" Well, the problem was in the CCleaner.exe. This means that if you've removed this version then you're no longer at risk. In addition, as stated previously, the remote server has been shut down which means that even if the infected application is trying to communicate - it can't.

That being said, we're still encouraging everyone to update to the latest version. You can download this here: www.piriform.com/ccleaner/download/standard

I hope this clears things up a little.

Thanks - Tom

Edit to add: Please note that it is only CCleaner and CCleaner Cloud that were affected by this. Speccy, Defraggler, Recuva, CCleaner Network and CCleaner Android are unaffected.

bru20 Posted September 20, 2017

edit: When I open the program it clearly shows "(64-bit)" after the version. So I am indeed running the 64-bit version yet I was infected. You need to immediately retract your statement that only 32-bit systems were infected.

If this trojan was only included in the 32-bit download of 5.33 someone please explain why ALL of my 64-bit systems were infected? My 64-bit systems are monitored and cleaned regularly. Yesterday, every one of them showed the Floxif trojan.

I think someone needs to reevaluate what information is being put out as you are falsely implying people were not compromised when they clearly were.

edit: I see posts saying that even if the 32-bit version is downloaded, it should run 64-bit when executed and therefore there would not have been an infection. As I stated all of my systems are 64-bit yet I was infected. I download my CCleaner direct from Piriform. Am I not getting the correct version for my systems? I don't see multiple versions.

> The main question that people are asking seems to be "Am I affected if I'm using the 64-bit, what happens because the 32-bit is installed? What happens if I ran the 32-bit version?" The answer to this is that no matter which .exe you run, if 64-bit can be run on your machine, it will be the one that runs. Opening the 32-bit will just launch the 64-bit version so you really shouldn't worry.

Like I said, all my systems are 64-bit and ALL were infected. So clearly there is something not right with either your program or your thinking the 64-bit version was safe.

This is where I download the program. I see no 32 or 64-bit options.
https://www.piriform.com/ccleaner/download or https://www.piriform.com/ccleaner

malika4 Posted September 20, 2017

Bru20, your antivirus found the Trojan that is ccleaner5.33.exe. Even if you have 64bit, in the program folder there is ccleaner5.33.exe and 5.3364.exe. Do you have the registry key agomo? If there is, you are really infected. Do you have the installer? The antivirus can sign this like compromise object.

Tom CCleaner (Admin, Author) Posted September 20, 2017

Hi again,

Your anti-virus will flag this regardless of whether you're running the 32-bit or 64-bit version as it is the entire version that has been blacklisted. There are no options when you download, CCleaner runs the correct version for your PC.

Tom

bru20 Posted September 20, 2017

> Bru20, your antivirus found the Trojan that is ccleaner5.33.exe. Even if you have 64bit, in the program folder there is ccleaner5.33.exe and 5.3364.exe. Do you have the registry key agomo? If there is, you are really infected. Do you have the installer? The antivirus can sign this like compromise object.

I cleaned the Trojan. When I check the Registry I see no "Agomo".

> Hi again,
> Your anti-virus will flag this regardless of whether you're running the 32-bit or 64-bit version as it is the entire version that has been blacklisted. There are no options when you download, CCleaner runs the correct version for your PC.
> Tom

If I am understanding correctly, you are saying my AV flagged this trojan because the entire version was blacklisted. Yet because I am running the 64-bit my system was not infected. So you are telling me to ignore my AV and be assured I am not infected. Sorry, but that's a big leap of faith you are asking me to take.

Tom CCleaner (Admin, Author) Posted September 20, 2017

Hi,

I've suggested already to everyone that you download the latest version which we know to be clean and not use version 5.33, even if it is 64-bit. You can download the latest CCleaner here: www.piriform.com/ccleaner/download/standard

Thanks.