login123 Posted October 8, 2017

Nergal has said the most important thing: AVs will now flag the infected installers. Avast just went panicky here when I tried to submit that installer to VirusTotal.

I don't know what IOC means. I don't know what "1st question: get these official checksums." means.

2nd question: The hash for CCleaner533_slim is the 7th one down on that list.
4f8f49e4fc71142036f5788219595308266f06a6a737ac942048b15d8880364a
It isn't listed by that name, it is just called CCleaner - installer (v5.33.0.6162). I checked it.

It's slow to check all those manually, but if you have a SHA256 hash you want to check you can submit it to VirusTotal. You can also submit a questionable file, or you can scan the file with an AV to see if it is safe.

The CCleaner SLIM version is always released a bit after any new version; when it is it will be HERE :-) Pssssst: ... It isn't really a cloud. It's a bunch of big, giant servers.
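The manual check described in this post and the tool discussion further down (HashMyFiles, 7-Zip, sigcheck) amount to one thing: hash the downloaded installer and compare the result against the vendor-published list. The script below is an added example, not code from the thread or from Piriform. It assumes a hash list in the common "<sha256>  <filename>" text layout, and the list, file names and digests in it are constructed samples (the digests belong to the constructed bytes b"abc" and b"", not to any CCleaner build).

```python
# Added example (not code from the forum thread or from Piriform): verify a
# downloaded installer against a vendor-published SHA-256 list, the check the
# posters above do by hand with HashMyFiles, 7-Zip or sigcheck.
import hashlib
import hmac
import io
import re

# Constructed sample hash list in "<sha256>  <filename>" form. The digests are
# those of the constructed sample bytes b"abc" and b"", not real CCleaner hashes.
SAMPLE_HASH_LIST = """
# release hashes (constructed sample)
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  ccsetup_sample.exe
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  ccsetup_sample_slim.exe
"""

HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


def sha256_of_stream(stream, chunk_size=1 << 20):
    """Hash a binary file-like object in chunks so a large installer never has to fit in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def sha256_of_bytes(data):
    return sha256_of_stream(io.BytesIO(data))


def sha256_of_file(path):
    with open(path, "rb") as f:
        return sha256_of_stream(f)


def parse_hash_list(text):
    """Parse '<sha256>  <filename>' lines into {filename: lowercase hex}.
    Blank lines and '#' comments are skipped; a malformed line raises instead of
    being dropped, because a silently empty table would mark every file 'unlisted'."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or not HEX64.match(parts[0]):
            raise ValueError(f"hash list line {lineno} is malformed: {raw!r}")
        table[parts[1].strip()] = parts[0].lower()
    return table


def hashes_match(actual_hex, expected_hex):
    """Case-insensitive comparison; vendors publish upper- or lower-case hex interchangeably."""
    return hmac.compare_digest(actual_hex.lower(), expected_hex.lower())


def verify_download(data, name, hash_list_text):
    """Return 'ok', 'MISMATCH' or 'unlisted' for file `name` with contents `data`.
    'unlisted' is kept distinct from 'ok': a file the vendor published no hash for
    has not been verified, it has merely not been contradicted."""
    expected = parse_hash_list(hash_list_text).get(name)
    if expected is None:
        return "unlisted"
    return "ok" if hashes_match(sha256_of_bytes(data), expected) else "MISMATCH"


if __name__ == "__main__":
    # Constructed sample: b"abc" is the payload whose digest is the first list entry.
    print(verify_download(b"abc", "ccsetup_sample.exe", SAMPLE_HASH_LIST))   # ok
    print(verify_download(b"abx", "ccsetup_sample.exe", SAMPLE_HASH_LIST))   # MISMATCH
```

For a real download, call `sha256_of_file` on the installer and compare against the vendor's entry with `hashes_match`; the three-way result matters because "no hash published for this file" is a different situation from "hash matched".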
NonConvergentWaveform Posted October 8, 2017

IOCs: https://en.wikipedia.org/wiki/Indicator_of_compromise
login123 Posted October 8, 2017

Thanks. Good to know. I couldn't decide between that and inversion of control. I had pretty well ruled out International Olive Council.
JDPower Posted October 8, 2017

> Thanks. Good to know. I couldn't decide between that and inversion of control. I had pretty well ruled out International Olive Council.

Ruled out??? Aw man, I've completely misunderstood this issue
login123 Posted October 9, 2017

I didn't mean for post 279 to sound as sarcastic as it does when I re-read it. It was a pitiable attempt at humor. Someday I'll learn . . .

Anyway, maybe "1st Question ..." is asking how to calculate hash sums? Great software for calculating hash sums offline is Nirsoft's Hash My Files. Free, no installation, fast.
NonConvergentWaveform Posted October 10, 2017

> I didn't mean for post 279 to sound as sarcastic as it does when I re-read it. It was a pitiable attempt at humor. Someday I'll learn . . . Anyway, maybe "1st Question ..." is asking how to calculate hash sums? Great software for calculating hash sums offline is Nirsoft's Hash My Files. Free, no installation, fast.

7-zip can do it in the context menu (does SHA-1 and SHA-256, but not MD5 -- but who uses MD5 any more these days?)

Sigcheck from Sysinternals can also do it (command line only). It also does a better job of checking digital signatures than the Windows interface.
Andavari (Moderators) Posted October 10, 2017

I use HashTab (free, but has to be installed). Just wish something like it was included with Windows by default. Unfortunately some sites still list only the MD5, but it's better than nothing at all.
mrdimly Posted October 10, 2017

Hi, I'm learning too, all things considered, that on 2017-09-18 I had a very competent AV keeping me safe with the CCleaner533 standard download, which was flagged at that time only by some AVs, among which mine ( https://virustotal.com/en/file/36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9/analysis/1505759047/ ). Now, I'll try to get it back and updated really.

For calculating checksums at home, I found "MD5 & SHA Checksum Utility" (not verified, no need of installation; SHA-1 4B70B5213249014C3785460720B81B5F9BEABEC3, SHA-256 D3D6F3597AEBA37312F61E59BA465E57B19140CC9A4517C7F9C49461F1D0A4BB), but we may need checksums from the vendor itself for next versions of CCleaner; hope this'll be possible to stay in full confidence; what I mean is "as official checksums".
Andavari (Moderators) Posted October 11, 2017

> but we may need checksums from the vendor itself for next versions of CCleaner; hope this'll be possible to stay in full confidence; what I mean is "as official checksums".

That has already been suggested to them, however it's entirely up to them if they supply the hashes/checksums.
cstivanello Posted October 11, 2017

Did you have a registry folder Agomo?
HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo

Or one of the listed registry folders?
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\002
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\003
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\004
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP

None of the above folders are present, however they could have been removed by either Malwarebytes or Bitdefender.
mrdimly Posted October 15, 2017

It seems that some HKLM Agomo leftover registry key values would be found, after install-uninstall of CCleaner533 on x64 running computers, that belong to CCleaner Cloud (since 2017-09-18) and therefore aren't deleted by the most competent AVs. Vendor's statement about this would be of great interest.

Here's how a competent AV sorts these out: https://forums.malwarebytes.com/topic/210927-ccleaner-hack/
Spiffy Posted October 19, 2017

Why are there no updates on this?

How did the malware version of CCleaner get published?... specifically, did someone at the company intentionally insert the malicious code, was a computer at the company compromised, or was there some other cause for the code getting into the published version?

What was the country of origin of whoever set up the malware?

While the server controlling the malware was taken down and CCleaner updated, can the stolen data be used to affect any of the compromised computers?

What is being done with the data that was on the server?

Other than the previously mentioned registry changes/files added by the malware, has anything else been found to have been modified?
mta (Moderators) Posted October 19, 2017

I'm not sure what else can be said that hasn't already been covered in depth already. My guess is they (Piriform/Avast) have moved past the "let's report it and fix it" stage and are now in the "how, who" stage and that won't get reported, then there's the whole litigation cause and effect to consider. There would be a lot they won't say and even more they can't say. All I need to know is that the current version is safe.

Backup now & backup often. It's your digital life - protect it with a backup. Three things are certain; Birth, Death and loss of data. You control the last.
ggcleaner Posted October 19, 2017

I hope they give news soon, because not talking about the subject so that people "forget" is a very bad decision
Nergal (Moderators) Posted October 19, 2017

Honestly, I think they've provided as much as they're going to. The data from the first phase was used already to identify the computers they were spearing for. The attackers had foreknowledge (I assume) that the target corporations used ccleaner (more specifically ccleaner cloud). The backdoor was inserted in the compile phase of the affected executable. Everything else you've asked for either won't be known or will be used in investigation to corral the who.

ADVICE FOR USING CCleaner'S REGISTRY INTEGRITY SECTION
DON'T JUST CLEAN EVERYTHING THAT'S CHECKED OFF. Do your Registry Cleaning in small bits (at the very least Check-mark by Check-mark)
ALWAYS BACKUP THE ENTRY, YOU NEVER KNOW WHAT YOU'LL BREAK IF YOU DON'T.
Support at https://support.ccleaner.com/s/?language=en_US
Pro users file a PRIORITY SUPPORT via email support@ccleaner.com
Stephen CCleaner (Guest) Posted October 24, 2017

Version 5.36 is now out. As requested, a list of file hashes for this new version can be found here: https://forum.piriform.com/index.php?showtopic=49067

FWIW, I've been impressed by HashMyFiles. A fairly simple tool with drag-and-drop functionality that does perfectly well for checking hashes.
mrdimly Posted October 26, 2017

Hi, Thanks for the CCleaner536 checksums, I'm looking for CCleaner536_slim later. As far as I'm concerned, I use MD5_&_SHA_Checksums_Utility which shows MD5, SHA-1, SHA-256, SHA-512 (free version) with a verifying function; it doesn't need installation and I downloaded it from https://raylin.wordpress.com/downloads/md5-sha-1-checksum-utility/ (publisher gives checksums). No competent AV flags it when downloaded from the above.
mykeprime Posted October 27, 2017

So after reading this whole thread, I'm pretty confused. I attended to two machines as soon as I got home from work the evening that the problem was reported;

1) 64 bit. Updated CCleaner straight away, then uninstalled. Bullguard and Malwarebytes found nothing. Could not find the mentioned registry entries.

2) 64 bit. Updated CCleaner straight away, then uninstalled. Bullguard and Malwarebytes found nothing, except the downloaded installer file in the downloads folder, which I then deleted. Could not find the mentioned registry entries.

Can I assume that these machines are ok? I don't particularly want to nuke them... Would the trace registry entries have been removed when updating/uninstalling? I don't know how else to see if I'm safe or not...
mta (Moderators) Posted October 27, 2017

g'day @mykeprime and welcome to the forums,

based on 2 security scans finding nothing, no reg keys found, and that you had the safe 64bit version then Yes, you can assume you are OK.

all you need to do is replace v5.33 with any of the newer ones.
ggcleaner Posted October 28, 2017

The key "WbemPerf": is it a Windows default key or was it created when installing the infected CCleaner?
APMichael Posted October 28, 2017

Yes, the key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf" is a Windows default key. Only the mentioned subkeys (\001 to \004) are created by the malware.
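The distinction APMichael draws, a normal parent key versus malware-created subkeys, is exactly what a registry IOC check has to encode, otherwise every clean machine looks "infected" because WbemPerf exists. The script below is an added example, not code from the thread or from Piriform. It checks only the subkeys listed earlier in the thread (cstivanello's list, including the HBP entry). On Windows it reads the live registry through Python's standard `winreg` module; on any platform it can instead be pointed at `reg export`-style text, and the two exports it ships with are constructed samples, not real captures. The `key_exists_from_reg_export` helper is this example's own, not a published tool.

```python
# Added example (not code from the forum thread or from Piriform): a read-only
# check for the registry keys named in this thread as indicators of the 5.33
# backdoor. Live registry access uses the standard winreg module on Windows;
# the constructed sample exports below let the same logic run anywhere.
import sys

# HKLM subkeys as listed earlier in the thread. The WbemPerf parent is a normal
# Windows key and only the subkeys are created by the malware, so the parent is
# deliberately absent from this list.
IOC_SUBKEYS = [
    r"SOFTWARE\Piriform\Agomo",
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\001",
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\002",
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\003",
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\004",
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP",
]


def winreg_key_exists(subkey):
    """Live check of HKLM\\<subkey>, Windows only. Both the 64-bit and the 32-bit
    (WOW6432Node) views are tried, so a key written from either kind of process is found."""
    import winreg  # Windows-only standard library module; imported here so the file loads elsewhere
    for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
        try:
            handle = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey, 0, winreg.KEY_READ | view)
        except FileNotFoundError:
            continue
        winreg.CloseKey(handle)
        return True
    return False


def key_exists_from_reg_export(reg_text):
    """Build a key_exists predicate from 'reg export' / .reg text, whose key headers
    look like [HKEY_LOCAL_MACHINE\\SOFTWARE\\...]. Registry paths are case-insensitive."""
    prefix = "hkey_local_machine\\"
    present = set()
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1].lower()
            if path.startswith(prefix):
                present.add(path[len(prefix):])
    return lambda subkey: subkey.lower() in present


def scan_iocs(key_exists=None):
    """Return the IOC subkeys that are present, in the order listed above.
    key_exists is a callable(subkey) -> bool; defaults to the live registry on Windows."""
    if key_exists is None:
        if sys.platform != "win32":
            raise RuntimeError("live registry scan needs Windows; pass key_exists for another source")
        key_exists = winreg_key_exists
    return [k for k in IOC_SUBKEYS if key_exists(k)]


# Constructed sample export of a clean machine: the WbemPerf parent only.
SAMPLE_EXPORT_CLEAN = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf]
"""

# Constructed sample with two of the listed subkeys added.
SAMPLE_EXPORT_SUSPECT = SAMPLE_EXPORT_CLEAN + r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\001]

[HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo]
"""


if __name__ == "__main__":
    if sys.platform == "win32":
        found = scan_iocs()
    else:
        found = scan_iocs(key_exists_from_reg_export(SAMPLE_EXPORT_SUSPECT))
    print("IOC keys present:", found or "none")
```

An empty result is consistent with what mta tells mykeprime above: absence of these subkeys, together with clean scans, is the evidence the thread relies on, while a hit on the parent key alone means nothing.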
ggcleaner Posted October 29, 2017

> Yes, the key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf" is a Windows default key. Only the mentioned subkeys (\001 to \004) are created by the malware.

ty
Sparta Posted November 1, 2017

Haven't read the hundreds of posts but must say I'm a bit surprised that we were told it was a PUA/Wrong detection. This implies that Piriform simply wrote it off as bogus without even checking the validity of the warnings from various AV vendors. Thank god I didn't trust it and did not update past version 5.32 on our thousands of client PC's. But this should be a learning curve for Piriform to check detection's validity a bit better. Still liking the product of course. Just raising frustration at how the initial reporting was handled/fobbed off as wrong detection.
Nergal (Moderators) Posted November 1, 2017

at no point, with this version, was it called a false positive, at least not on purpose.
Stephen CCleaner (Guest) Posted November 2, 2017 (edited)

> Haven't read the hundreds of posts but must say I'm a bit surprised that we were told it was a PUA/Wrong detection. This implies that Piriform simply wrote it off as bogus without even checking the validity of the warnings from various AV vendors. Thank god I didn't trust it and did not update past version 5.32 on our thousands of client PC's. But this should be a learning curve for Piriform to check detection's validity a bit better. Still liking the product of course. Just raising frustration at how the initial reporting was handled/fobbed off as wrong detection.

I would be interested in seeing where you got this information. Neither Piriform nor Avast has communicated that 5.33 detections (or 5.34 revoked certificate detections) were a false positive.

Edited November 3, 2017 by Stephen Piriform: Typo: should say OR 5.34 revoked certificate detections