malika4 (posted September 21, 2017)

> Does the Trojan work only when running the 32-bit version? The CCleaner installer does not start the Trojan? I correctly understand that the Trojan could get into the 64-bit system only if you manually run the CCleaner.exe (x32)?

If you manually run the x32 version, it will open the 64-bit version because the system is 64-bit.

> In what registry folder can this be checked?

You can open a prompt and copy the key. If the reply is "error" or "not found", it's OK.

> Files are in the root of folder C, or are you talking about searching the entire directory? Can there be a specific folder where the Trojan is saved?

I searched all of the C folder.
PTDDS (posted September 21, 2017)

Yes, this makes me feel real happy (NOT). The latest from Avast, the now parent company, states: the 2nd payload was delivered, we are still investigating, and the form of malware is very complex, initiated with a high degree of sophistication by the perps. This latest update totally refutes all previous media notifications as to the severity and infiltrations of this malware. Further, I have instigated every means that I know of available, with my limited IT knowledge, as to checking/cleaning/scanning/registry checking. Yes, I updated when advised by CCleaner to V5.3 early Sept, then updated when notified to V5.4 and now to the latest. Even when running full versions of Kaspersky Total, Malwarebytes, Superantispyware, RKill, none of these picked it up until after CCleaner's initial advice was released to the public. My machine looks clean NOW, but am I confident? NO, not on your nellie. Do I fully believe what I'm being told? NO! Did I have all my passwords accessible? No, they were encrypted behind a manager, but my confidence is shot as to Piriform. I can feel a Class Action somewhere here. Signed signature: lack of urgency, lack of information, incorrect information, non-disclosure, ETC ETC. Tom, there are 2.7 million people out here with possible major implications due to your lack of procedures and protocols. Piriform was highly respected and obviously had a huge following ?????
login (posted September 21, 2017)

If the system is 64-bit (Windows 10), does this mean that the Trojan could not get into the system?
jonmar (posted September 21, 2017)

For info: I'm using Windows 10 x64, and always ran CCleaner from my task bar shortcut, so I think it always ran in 64-bit mode. But I never paid any attention to it before so I can't be 100% sure on that. I know it always installed in C:\Program Files\ and not C:\Program Files (x86)\.

Could someone clarify something for me? When uninstalling CCleaner, does the uninstall process delete the Agomo registry key? The reason I'm asking is because I had updated from version 5.33 to version 5.34 before I knew about the attack. Then when I learned of the attack the first thing I did was uninstall CCleaner. At this point I didn't know about the Agomo registry key or the two trojan dll files or that only the 32-bit exe was infected. I performed full scans with Windows Defender and Malwarebytes and even Spybot S&D and all results were completely clean. I then read this thread and some articles and learned about the Agomo registry key and the dlls. I checked for the registry key and it wasn't there. I also checked for the .dll files and they aren't on my machine either. I know Defender and Malwarebytes never removed them because all scans have been clean.

So is it possible that I was infected and had the Agomo key in my registry, and uninstalling CCleaner deleted it, or have I never had it in the first place and therefore was never infected? I've read posts where people have updated to 5.34 and still had the Agomo key left over in their registry. But that's after updating, not a complete uninstall. If I had known about all this before uninstalling, I would have checked for the registry key and the dll files, and whether or not the app ran in x64 mode, before I uninstalled. But since I didn't, I can't be sure, so I'd appreciate it if someone could answer these questions for me. Thanks.
Cerberus8 (posted September 21, 2017)

Have a Win 7 x64 bit and a Win 10 x64 bit; on both machines Malwarebytes found infection. No Agomo in registry on either machine. Did the virus get into the system? I have to assume yes, otherwise malware would not have detected it. So the "x64 not infected" is a myth?

As a rule I always wait to download new versions, updates etc. for 2 to 3 weeks. Looks like I have to extend the waiting period. How long did it take Equifax to go public with their mess?? Also wondering why Trend Micro did not pick up on this. Malwarebytes or Kaspersky a better choice? Never had virus issues in many years; it is too bad that now even trusted sources are questionable.

.. Cer ..
Nergal (Moderator, posted September 21, 2017)

@Cerberus8 the 64-bit version was in fact virus free; the problem is the 32-bit one is included in an install. On your computer it looks like you deleted ccleaner.exe manually and sent it to the recycle bin (that's shown on your screenshot under location). It is postulated that the handoff from ccleaner.exe to ccleaner64.exe takes place before the trojan is up and running.

ADVICE FOR USING CCleaner'S REGISTRY INTEGRITY SECTION
DON'T JUST CLEAN EVERYTHING THAT'S CHECKED OFF. Do your Registry Cleaning in small bits (at the very least check-mark by check-mark). ALWAYS BACKUP THE ENTRY, YOU NEVER KNOW WHAT YOU'LL BREAK IF YOU DON'T.
Support at https://support.ccleaner.com/s/?language=en_US
Pro users file a PRIORITY SUPPORT via email support@ccleaner.com
Cerberus8 (posted September 21, 2017)

> @Cerberus8 the 64-bit version was in fact virus free; the problem is the 32-bit one is included in an install. On your computer it looks like you deleted ccleaner.exe manually and sent it to the recycle bin (that's shown on your screenshot under location). It is postulated that the handoff from ccleaner.exe to ccleaner64.exe takes place before the trojan is up and running.

Thanks for reply. Usually I delete most downloads of anything when new versions replace outdated versions.

..
francky (posted September 21, 2017)

Hi, I'm a Win7-Pro 64bit SP1 user from the Netherlands, with the setting "Automatically check for updates to CCleaner" for my (64b) free CCleaner. Yesterday (2017-09-20) I got the system-tray notification "New version 535 - install now?". Yes, I did. After a moment, installation was ready, version 535, everything worked, looked fine, no security warnings.

Today, all of a sudden my Windows Defender gave an alarm: "The ccsetup533.exe file contains malware (Backdoor:Win32/Floxif); severe threat; remove immediately" (or words like that), with a link to the explanation: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Backdoor%3aWin32%2fFloxif&threatid=2147723494&enterprise=0. Maybe a false positive? So I checked Malwarebytes on this file; same result: "infected with Floxid; quarantine?". Decided to orient myself first, and Googled along: lots of information on Piriform, Avast and numerous other sites!

Then I checked all files in my updated CCleaner program directory, with Windows Defender as well as with MBAM. Result: all clean, no infections (not in the new 5.35.0.6210 version of the 32bit CCleaner.exe, nor in the 64bit CCleaner64.exe, nor in all other files). So only the install file was infected, and it wasn't the announced 535 setup file! Deleted the install file with Windows Defender. Downloaded today a fresh install file from the Piriform download page, in order to see what would happen. Aha, WinDef and MBAM did not alarm anymore for this setup version (in the meantime 5.35.0.6210!). For all security I made a full PC scan with Malwarebytes: nothing found (and registry fine). Now I'm quite sure I wasn't infected (as 64bit user!) and will not be infected.

Remaining questions: was the infected setup file for the 533 version temporarily wrong (directing to the good 535 exe files) but now updated? And: why didn't I read something about that in all Piriform information? Or did I miss something?
Nergal (Moderator, posted September 21, 2017)

> (quoting francky's post above)

The version your antivirus captured was the trojan'd version 5.33, the setup for which you still had on your PC somewhere.
sjon287612 (posted September 21, 2017)

Nergal, is the process of installing CCleaner alone enough to execute the malicious payload, or would the 32bit executable of ccleaner.exe itself have to be executed post-installation?
peteyt (posted September 21, 2017)

One thing I found today confused me, on an article https://www.ghacks.net/2017/09/21/ccleaner-malware-second-payload-discovered/

> The stage 2 installer is GeeSetup_x86.dll. It checks the version of the operating system, and plants a 32-bit or 64-bit version of the trojan on the system based on the check. The 32-bit trojan is TSMSISrv.dll, the 64-bit trojan is EFACli64.dll.

This seems to state a 64-bit trojan exists, which contradicts the fact that it only infected 32-bit OSes.
Nergal (Moderator, posted September 21, 2017)

> Nergal, is the process of installing CCleaner alone enough to execute the malicious payload, or would the 32bit executable of ccleaner.exe itself have to be executed post-installation?

I believe CCleaner (32bit) had to completely load (show the CCleaner window) and, if on a 64bit machine, the handoff from ccleaner.exe to ccleaner64.exe was not enough for the backdoor to load. Please note this is my personal understanding based on what has been told to us and articles readily available to the public. It should not be confused for malware advice; if you feel you may be infected you should seek help at a reputable security website.
rexg (posted September 21, 2017)

Ok... first time user, so bear with me. I'm at my wits' end about this... please, some guidance.

CCleaner's been removed (as well as Defraggler). NOD32 picked it up and removed it. I uninstalled it completely using Revo Uninstaller. I've read all the articles now about the second "payload", so this now concerns me more. I don't have a system restore date (July/August) that I can restore back to. For some reason they don't exist, only ones back in 2014!! That's probably a separate issue, BUT I run Win7 64bit.

I have been running Malwarebytes and NOD32 twice a day.... nothing there. I have followed Bleeping Computer's guide..... nothing there. Not one of the apps/programs found a single thing. https://www.bleepingcomputer.com/virus-removal/remove-floxif-ccleaner-trojan

After reading the article from gHacks https://www.ghacks.net/2017/09/21/ccleaner-malware-second-payload-discovered/ and Avast https://blog.avast.com/progress-on-ccleaner-investigation I have searched my computer for these dlls they mention. In fact I did a search using ".dll" for the whole computer and it found over 70 thousand of them. I then reorganized them by name and looked for these files. Not one found.

I also looked in the Registry for the key (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\00[1-4]). Again nothing there. There was a WbemPerf with a default key but no keys labeled 1 to 4.

So after all this, can anyone at Piriform please tell me my machine is safe.
Nergal (Moderator, posted September 21, 2017)

@rexg I'd at least say you've done as much as anyone could do. While I can't guarantee that something else won't come up, you sound like you've got a handle on it.
Nergal (Moderator, posted September 21, 2017)

SYMANTEC (and maybe Norton too) users may find a dll with the name of the 64bit second payload. Use File Insight or VirusTotal to make sure whether it's valid or not. My VirusTotal result: https://www.virustotal.com/#/file/3a1bd821724b6da69011f9cf7b162e14d5f1c4f30c2c9897a751761db03a2d9c/detection
Nergal (Moderator, posted September 22, 2017)

To those worried about the newly released 2nd stage: it looks like it was very limited. Talos says that it only discovered 20 machines that received the specialized secondary attack. http://bgr.com/2017/09/21/avast-ccleaner-backdoor-hack-malware/

> From September 12 to September 16, the highly advanced second stage was reserved for computers inside 20 companies or Web properties, including Cisco, Microsoft, Gmail, VMware, Akamai, Sony, and Samsung. The 20 computers that installed the payload were from eight of those targeted organizations, Avast said, without identifying which ones. Again, because the data covers only a small fraction of the time the backdoor was active, both Avast and Talos believe the true number of targets and victims was much bigger.

https://arstechnica.com/information-technology/2017/09/ccleaner-malware-outbreak-is-much-worse-than-it-first-appeared/
Emrah (posted September 22, 2017)

What's all this about the second payload? Info: Windows 10 64 bit, and Win 10 Defender detected and quarantined the CCleaner virus. I uninstalled CCleaner with Revo Uninstaller. Did an advanced scan and delete on all registry keys. Reinstalled CCleaner, the latest version. Ran a scan with Win 10 Defender and Malwarebytes, AdwCleaner and SuperAntiSpyware (whatever it's called) and nothing was detected. Am I safe from everything? Please tell me, as my whole business relies on my PC and I have a lot of confidential files stored on it. Never had a problem with viruses in about 5 years... Thank you!
Emrah (posted September 22, 2017)

> "Finally, it is extremely important to us to resolve the issue on customer machines. For consumers, we stand by the recommendation to upgrade CCleaner to the latest version (now 5.35, after we have revoked the signing certificate used to sign the impacted version 5.33) and use a quality antivirus product, such as Avast Antivirus. For corporate users, the decision may be different and will likely depend on corporate IT policies. At this stage, we cannot state that the corporate machines could not be compromised, even though the attack was highly targeted."

Even includes a call to action to download and use Avast security software... I may be wrong, but this sounds like Avast did this to make more sales...
Nergal (Moderator, posted September 22, 2017)

@Emrah earlier today a second stage was found on a small number of computers at a select number of big companies. For more info read the links in my previous post.
Emrah (posted September 22, 2017)

> @Emrah earlier today a second stage was found on a small number of computers at a select number of big companies. For more info read the links in my previous post.

Thank you for the reply! Could you please tell me, if following the instructions from this article https://www.ghacks.net/2017/09/21/ccleaner-malware-second-payload-discovered/#comment-4229234 I don't have any of those registry keys or dll files installed on my system, that I'm 100% safe and don't need to reinstall Windows, as I don't even have any restore points saved.. Thanks!
Nergal (Moderator, posted September 22, 2017)

@Emrah I wouldn't be able to tell you or anyone 100%, but those are the steps I took and am (until further news is released) confident in my safeness.
Emrah (posted September 22, 2017)

> @Emrah I wouldn't be able to tell you or anyone 100%, but those are the steps I took and am (until further news is released) confident in my safeness.

Thank you Nergal! I'm no expert in IT.. could you please clarify for me if I'm checking those the correct way?

For the .dll files:
GeeSetup_x86.dll (Hash: dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83)
EFACli64.dll (Hash: 128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f)
TSMSISrv.dll (Hash: 07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902)
DLL in Registry: f0d1f88c59a005312faad902528d60acbf9cd5a7b36093db8ca811f763e1292a
Stage 2 Payload: dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83

I'm opening Windows Explorer and doing a search on "This PC". The advanced search option I have checked is "system files", so I'm searching system files only. In the search bar do I copy and paste "GeeSetup_x86.dll" or the whole name like "GeeSetup_x86.dll (Hash: dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83)", or just the number in brackets? For the last two, "DLL in Registry" and "second payload", do I just copy and paste the numbers into "search this PC"? I really appreciate your help! Thank you
Nergal (Moderator, posted September 22, 2017)

@Emrah just the name geesetup_x86.dll, though I even just did geesetup and had it search for that everywhere on my hard drive. As far as the last two, I had no clue what they meant so I just ignored them.
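The hashes Emrah lists are SHA-256 digests of the files, not text that Explorer can search for; the way to use them is to locate any file with one of the listed names and compare its SHA-256 against the listed value, which also resolves the point raised earlier about Symantec/Norton users finding a legitimately named DLL. The following read-only PowerShell check is an added example written for this thread, not a script from Piriform, Avast or any poster. It takes the DLL names, their hashes and the WbemPerf\001..004 key from the posts above; the Agomo key's exact path is not given in the thread, so the script looks for a key of that name under HKLM\SOFTWARE instead of assuming a path. The "DLL in Registry" hash is treated, as an assumption, as the digest of a binary registry value stored under one of the WbemPerf subkeys.

```powershell
# Added defensive check for the CCleaner 5.33 indicators quoted in this thread.
# Read-only: it reports, it does not delete. Run from an elevated PowerShell 5.1+ prompt.
$KnownBadDlls = @{
    'GeeSetup_x86.dll' = 'dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83'
    'EFACli64.dll'     = '128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f'
    'TSMSISrv.dll'     = '07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902'
}
# Assumption: the "DLL in Registry" hash from the thread is the SHA-256 of a binary value
# stored in the registry rather than of a file on disk.
$RegistryStoredDllHash = 'f0d1f88c59a005312faad902528d60acbf9cd5a7b36093db8ca811f763e1292a'
$WbemPerf = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf'

$findings = New-Object System.Collections.Generic.List[string]

# 1. Stage-2 subkeys WbemPerf\001 .. WbemPerf\004 (the key rexg quoted above).
#    If one exists, hash every binary value under it against the registry-stored DLL hash.
foreach ($n in 1..4) {
    $key = Join-Path $WbemPerf ('00{0}' -f $n)
    if (-not (Test-Path $key)) { continue }
    $findings.Add("registry key present: $key")
    $item = Get-Item $key
    foreach ($valueName in $item.GetValueNames()) {
        $data = $item.GetValue($valueName)
        if ($data -is [byte[]]) {
            $sha = [System.Security.Cryptography.SHA256]::Create()
            $hex = ($sha.ComputeHash($data) | ForEach-Object { $_.ToString('x2') }) -join ''
            if ($hex -eq $RegistryStoredDllHash) {
                $findings.Add("registry value ${key}\${valueName} matches the stage-2 DLL hash")
            }
        }
    }
}

# 2. Any key named Agomo under HKLM\SOFTWARE (the first-stage marker discussed in this thread).
#    Located by name because the thread does not give its full path.
Get-ChildItem -Path 'HKLM:\SOFTWARE' -Depth 2 -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -eq 'Agomo' } |
    ForEach-Object { $findings.Add("registry key present: $($_.Name)") }

# 3. The listed DLL names on every fixed drive, confirmed by SHA-256.
#    A name match alone is not a hit: as noted above, Symantec/Norton users may have a
#    legitimate DLL carrying the 64-bit payload's filename. Only a hash match is flagged.
$drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' }
foreach ($drive in $drives) {
    Get-ChildItem -Path $drive.Root -Recurse -File -Include ([string[]]$KnownBadDlls.Keys) -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
        if ($hash -eq $KnownBadDlls[$_.Name]) {
            $findings.Add("MALICIOUS: $($_.FullName) SHA-256 matches listed hash $hash")
        } else {
            $findings.Add("name match only, hash differs (likely benign): $($_.FullName) $hash")
        }
    }
}

if ($findings.Count -eq 0) {
    'No listed indicators found: WbemPerf\001-004 and Agomo keys absent, no listed DLL hashes on disk.'
} else {
    $findings
}
```

The script only reads the registry and hashes files, so it is safe to run on a machine you suspect; a "MALICIOUS" line means a file with both the listed name and the listed SHA-256 is present, while a "name match only" line is what a Symantec or Norton user with a legitimately named EFACli64.dll should expect to see.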
Emrah (posted September 22, 2017)

> @Emrah just the name geesetup_x86.dll, though I even just did geesetup and had it search for that everywhere on my hard drive. As far as the last two, I had no clue what they meant so I just ignored them.

Thanks!
robertcarroll6 (posted September 22, 2017)

Dear Tom / Piriform,

I understand that more information is being uncovered all the time about this incident and that the situation inside Piriform must be hectic. However, I think we should be given information based on the current knowledge about this incident. Specifically, I would appreciate it if an official person from Piriform could confirm whether the following statements reflect the current state of knowledge:

1. To date, there is no evidence that the second-level payload was distributed anywhere other than to a specifically targeted group of users.
2. Users who launch CCleaner by running ccleaner64.exe are not at threat regardless of whether they downloaded and ran ccsetup533.exe or not.

The latest information from Avast is at https://blog.avast.com/avast-threat-labs-analysis-of-ccleaner-incident

Users of limited technical knowledge (like myself) won't get much from that blog entry. However, its mentions of 64-bit systems make me a bit nervous about previous reassurances.

Thanks