Jump to content
Piriform Community Forums
Tom Piriform

Announcement: Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191

Recommended Posts

You do know that cisco (Talosintellegence.com) is spreading lies and misinformation about this right? (in the comments, specifically Craig Williams).  Craig Williams at the blog http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html is telling people the only way to recover from this is a complete format, and of course to download their software after.  When I tried to post how easy this was to fix he would not approve my posts and when I took it to twitter he blocked me without reply.  You want a suspect with know how, motive, but would not cause lots of damage so if they got caught it wouldn't send anyone to jail?  Hmmmmmmm.....and right after you're bought by avast......

Seriously though, barring that insane? thought, they really are spreading lies and hysteria about this.

 

 

Uninstalling the tool will not remove the malware. To remove the malware you should restore from a previous backup that is known to be clean or try a virus removal tool.

Share this post


Link to post
Share on other sites

That's easy enough to test,

 

Go to the CCleaner folder and delete CCleaner.exe, just leaving CCleaner64.exe.

 

Then launch CCleaner from the desktop or taskbar.

 

It still runs even without the 32-bit exe being there at all.

 

So I would say the assumption is wrong.

 

Doing that does break the auto-elevation process though.

Share this post


Link to post
Share on other sites

I am not particularly knowledgeable on such situations. 

 

I think those who have/may have installed the version identified have many questions. A few I can think of are:

 

1) Will updating to the latest software version remove the infected files? I assume it will as it were those particular files that were affected. However, what about the "2nd payload" mentioned in the blog post? Was this actually downloaded or just potentially could have been downloaded if set to do so? If it is downloaded somewhere, is it in a separate location as the files affected or in the same location and will it too be removed? Clarification on this would be good. 

 

2) The blog post mentions it is the 32-bit version of Windows that is affected. From the above post I can see that it is the 32-bit version of the CCleaner software that is affected. I assume the 64-bit version isn't affected, however like the above post mentions, their ccsetup5.33 installer has been flagged (mine too). When I read one of the original articles I updated immediately as I had the affected version number in question, however I did not notice if I had the 64-bit or 32. It now says I have the 64-bit latest release. This may sound dumb, but I guess that the updater will not update to 64-bit from 32 and assume I had 64-bit before? If anyone could confirm that would be great.

 

3) Is there any information on what the 2nd payload did/was supposed to do? I guess what people really want to know is are all my passwords safe? Is my bank info safe? Do I need to change everything?

 

4) Is there anyway to tell if we were/are infected? Can we see if our PC's contacted this IP or downloaded anything from there? Will the latest updates to scanners detect anything? (See Q5)

 

5) I assume that all the security packages, malware scanners etc. are now aware of the situation and can scan for anything affected? I guess I should be checking their website for updates as well, but clarification on this would be good. 

 

I realise some of these are probably dumb questions, but there maybe people out there who are in the same boat and would like information on this matter to sort the problem or alleviate their own fears. 

 

Thanks

 

 

All pertinent  questions that I think many users would like to see answered. 

Share this post


Link to post
Share on other sites

What happens to the malware when I uninstall Ccleaner? I uninstalled CCLeaner a week ago because how rarely I used the program. I don't have a restore point from a week to check what version of CCLeaner I was using.

 

Is there any way to check if I was effected by the malware? Will Malwarebytes detect the malware when CCleaner was uninstalled?

 

 

Update: I realized I had CCleaner64.exe(64bit).

Share this post


Link to post
Share on other sites

Malwarebytes is calling it a trojan.Floxif

 

Malwarebytes does not show I was infected just that the file ccleaner 5.33 was or is.

 

Your ad states trusted by millions, I say not anymore!

 

Also, clean up your act your Google+ page is advertising 5.33

 

Thanks piriform.  

Share this post


Link to post
Share on other sites

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 9/19/17
Scan Time: 9:00 AM
Log File:
Administrator: Yes

-Software Information-
Version: 3.1.2.1733
Components Version: 1.0.160
Update Package Version: 1.0.2837
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: System

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 264945
Threats Detected: 2
Threats Quarantined: 2
Time Elapsed: 3 min, 53 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 1
Trojan.Floxif.Trace, HKLM\SOFTWARE\PIRIFORM\AGOMO, Quarantined, [8823], [436394],1.0.2837

Registry Value: 1
Trojan.Floxif.Trace, HKLM\SOFTWARE\PIRIFORM\AGOMO|TCID, Quarantined, [8823], [436394],1.0.2837

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)

32 bit ,updated CCleaner one week ago to Hacked version , Currently running new updated version but, im concerned now that after running the hacked version several times last week that my info is leaked . I do not believe that re installing back to older prior Aug 15 will accomplish a satisfactory outcome id current details have already been compromised . Correct me if im wrong but previous scanning with Malwarebytes and Kasperky programs would not have picked up this threat untill they where advised of this threat ?????

Advice on where to go from here would be well appreciated >Piriform..

Share this post


Link to post
Share on other sites
Following is a report from scan today on a 64 bit windows 7 desktop. Is this the bugger in question? (see last few lines)

 

 

Malwarebytes

www.malwarebytes.com

 

-Log Details-

Scan Date: 9/18/17

Scan Time: 3:45 PM

Log File: 01d0e806-9cc3-11e7-b5b0-00ff5b689eef.json

Administrator: Yes

 

-Software Information-

Version: 3.2.2.2029

Components Version: 1.0.188

Update Package Version: 1.0.2836

License: Trial

 

-System Information-

OS: Windows 7 Service Pack 1

CPU: x64

File System: NTFS

User: MININT-LHEJISC\Office

 

-Scan Summary-

Scan Type: Threat Scan

Result: Completed

Objects Scanned: 319242

Threats Detected: 1

Threats Quarantined: 1

Time Elapsed: 4 min, 36 sec

 

-Scan Options-

Memory: Enabled

Startup: Enabled

Filesystem: Enabled

Archives: Enabled

Rootkits: Disabled

Heuristics: Enabled

PUP: Detect

PUM: Detect

 

-Scan Details-

Process: 0

(No malicious items detected)

 

Module: 0

(No malicious items detected)

 

Registry Key: 0

(No malicious items detected)

 

Registry Value: 0

(No malicious items detected)

 

Registry Data: 0

(No malicious items detected)

 

Data Stream: 0

(No malicious items detected)

 

Folder: 0

(No malicious items detected)

 

File: 1

Trojan.Floxif, C:\USERS\OFFICE\DOWNLOADS\CCLEANER_V5.33.6162.EXE, Quarantined, [8820], [436382],1.0.2836

 

Physical Sector: 0

(No malicious items detected)

 

 

(end)

Share this post


Link to post
Share on other sites
One of my many PC's (an old 32bit windows 10 tablet) was infected.
 
I was able to use malwarebytes to remove the infection, and all other scans with Rkill, JRT, adwcleaner, and defender are all showing up as clean (run multiple times after resets etc..). I have also uninstalled ccleaner on this tablet. 
 

Now my question is what should i do next?

 

The compromise could cause the transmission of non-sensitive data (computer name, IP address, list of installed software, list of active software, list of network adapters) to a 3rd party computer server in the USA

 

 

Based on the information above:

  • Should I be concerned that any logins and passwords for websites or apps (example microsoft account login, steam, origin, netflix, skype, etc..) may be compromised due to this infection? 
  •  Was it only the infected PC's local network card MAC address that was leaked, or did it also grab the MAC address's of all the PC's connected on my Network?
  • What is the probability of other PC's on my network (which did not have the affected ccleaner) having been compromised just because they are on my network with this one infected tablet? 
  • Should i manually change all the MAC address's on all my network attached devices because of this? 
  • Finally what can a malicious entity do with the type of information collected due to this infection?
 
Thanks for any help you guys can share on this issue.
Really sucks that i have to deal with this problem now all because of one stupid old 32bit windows 10 tablet. 

Share this post


Link to post
Share on other sites

Some news I'd not yet seen in this thread. The server which was receiving the stolen data is now down. Source: http://time.com/4946576/ccleaner-malware-hack

 

Edit: it was buried in the first post just didn't catch it I guess.

Share this post


Link to post
Share on other sites

Is it me or am i totally wrong in my approach, CCleaner has been one of several programs used in my arsenal for the sole purposes in the  attaining and or achievement of as much privacy and security as reasonably  possible .

CCleaner usage assists in both cleaning and deleting of web history and remnants of computer useage ,and now further too, being recently acquired  by Avast ,who positions itself as an IT  security provider.

 

Very ironic that ,now of all times ,we find that CCleaner has been hacked with a trojan ,how incredulous is that ,but wait its only proported to be approx 3 % of the millions of users who have trusted CCleaner and Piriform.

I purposely chose to continue with win 7 until its final death due to its stability and the failing issues with upgrades 8 ,8.1 ,10  from microsoft , the same was  said for CCleaner ,until now .

 

Performance ,gives credability and integrity to suppliers ,not waiting 5 days or more to notify users via a back door  , not to mention the facts that millions,of  world wide  computers users are NOT all totally knowledgeable  of the IT world.

 

At this point i would welcome a clear and definate answer , (have my details been leaked ) and what proceedures should i further take now ,other than a Full  scan  for Malware

Share this post


Link to post
Share on other sites
Would you please post if the Slim version was affected?
It sounds like it would be, as well as the portable, the malware was in the ccleaner.exe itself and that file is the same in all three builds.

Share this post


Link to post
Share on other sites

Thank you. And now the most important clarification question: Even though both CCleaner64.exe and CCleaner.exe are installed on 64-Bt systems. if only the CCleaner desktop shortcut was used, which always points to CCleaner64.exe, then that would mean that CCleaner.exe was never run, therefore really the only systems affected are 32-Bit ONLY systems since it's highly unlikely that someone would go out of their way and actually manually run Ccleaner.exe instead of CCleaner64.exe on a 64-Bit system. Is that correct?

 

Because then most of us on 64-Bit systems have nothing to worry about then, even if we installed the infected version, since the non-64 bit exe was never run. It was installed, but never run, unless we manually went into the folder to run it. And who would do that on a 64-Bit system, almost no one. Correct?

Share this post


Link to post
Share on other sites

Usually the desktop shortcut points to ccleaner.exe which hands it off to ccleaner64. While we've not been informed whether the hand off happens before or after the malware loads, the staff (volunteer moderators) is speaking with Admins (Piriform employees like Tom (OP) in a separate place

Share this post


Link to post
Share on other sites

Usually the desktop shortcut points to ccleaner.exe which hands it off to ccleaner64. While we've not been informed whether the hand off happens before or after the malware loads, the staff (volunteer moderators) is speaking with Admins (Piriform employees like Tom (OP) in a separate place

 

I clearly see my Desktop shortcut pointing to the 64-bit exe but rather than going into why my desktop shortcut is pointing to it, instead of as you say, the non-64 bit .exe -  would you please instead just

take a look at these attached shortcut screenshots and confirm that there is a 100% certainty that running the shortcuts in the screenshots below and those shortcuts only, would *not* have activated the infection in any way?

post-1261-0-12629700-1505795333_thumb.png

post-1261-0-34786400-1505795554_thumb.png

Share this post


Link to post
Share on other sites

In this case you should be fine

Share this post


Link to post
Share on other sites

Thank you. You know I don't know where you are getting that 64_bit system shortcuts are pointing to the non-64-bit exe, but can you investigate this and see if other people's shortcuts also point to 64-bit exe because if they do like on my system, you should probably put that front and center that 64-Bit system users have nothing to worry about.

 

 

I am just a little concerned about the statement "ccleaner.exe which hands it off to ccleaner64" - can you please confirm that launching CCleaner64.exe does not *ever in any way* launch CCleaner.exe.

In other words the infection on 64-Bit systems can only take place if a user actually manually browses to the installation folder and for some strange unknown reason manually activates CCleaner.exe instead of CCleaner64.exe?

Share this post


Link to post
Share on other sites

Is it me or am i totally wrong in my approach, CCleaner has been one of several programs used in my arsenal for the sole purposes in the  attaining and or achievement of as much privacy and security as reasonably  possible .

CCleaner usage assists in both cleaning and deleting of web history and remnants of computer useage ,and now further too, being recently acquired  by Avast ,who positions itself as an IT  security provider.

 

Very ironic that ,now of all times ,we find that CCleaner has been hacked with a trojan ,how incredulous is that ,but wait its only proported to be approx 3 % of the millions of users who have trusted CCleaner and Piriform.

I purposely chose to continue with win 7 until its final death due to its stability and the failing issues with upgrades 8 ,8.1 ,10  from microsoft , the same was  said for CCleaner ,until now .

 

Performance ,gives credability and integrity to suppliers ,not waiting 5 days or more to notify users via a back door  , not to mention the facts that millions,of  world wide  computers users are NOT all totally knowledgeable  of the IT world.

 

At this point i would welcome a clear and definate answer , (have my details been leaked ) and what proceedures should i further take now ,other than a Full  scan  for Malware

 

From my personal research on this issue, its not a trojan in the strictest sense, it had a payload but that payload was not activated, and its ability to be activated has been effectively disabled, and with the update the payload no longer exists so no your information has not been comprised.

 

see the orginal post about this issue and this recent update from Avast: https://blog.avast.com/update-to-the-ccleaner-5.33.1612-security-incident?utm_campaign=socialposts_us&utm_source=twitter&utm_medium=post

Share this post


Link to post
Share on other sites

So the 64 bit version was not affected?

Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 9/19/17
Scan Time: 12:48 PM
Log File: MBAM.txt
Administrator: Yes
 
-Software Information-
Version: 3.1.2.1733
Components Version: 1.0.160
Update Package Version: 1.0.2839
License: Free
 
-System Information-
OS: Windows 10 (Build 15063.483)
CPU: x64
File System: NTFS
 
 
File: 1
Trojan.Floxif, C:\PROGRAM FILES\CCLEANER\CCLEANER.EXE, No Action By User, [8820], [436381],1.0.2839

Share this post


Link to post
Share on other sites

You wrote "the MD5 hash of the affected CCleaner.exe is: ef694b89ad7addb9a16bb6f26f1efaf7".

 

The website for Cisco Talos, which discovered the problem, gives three SHA256 hashes at http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html

         6F7840C77F99049D788155C1351E1560B62B8AD18AD0E9ADDA8218B9F432F0A9
         1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff
         36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9

 

My 533 installer from 8/17/17 matches the second sha256.

My 533 ccleaner.exe matches the first sha256 and your md5.

 

What file is the file corresponding to the third sha256 from cisco?

 

(My current version is 534, but the malware 533 was in use on two machines for almost a month.)

 

 

 

Share this post


Link to post
Share on other sites

It sounds like it would be, as well as the portable, the malware was in the ccleaner.exe itself and that file is the same in all three builds.

 

Yes Portable is also infected. To find out I extracted it from my backup image and these are the ClamWin results:


Scan Started Tue Sep 19 05:11:25 2017
-------------------------------------------------------------------------------


C:\Temp\CCleaner.exe: Win.Trojan.Floxif-6336251-0 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 6303670
Engine version: 0.99.1
Scanned directories: 1
Scanned files: 2
Infected files: 1

Data scanned: 0.13 MB
Data read: 7.32 MB (ratio 0.02:1)
Time: 36.281 sec (0 m 36 s)

--------------------------------------
Completed
--------------------------------------

Share this post


Link to post
Share on other sites

So the 64 bit version was not affected?

 

My anti-malware program (Malwarebytes) just removed a trojan file from the PIRIFORM 5.33 64bit version. Registry keys were infected as well.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

×