Jump to content
Piriform Community Forums
Tom Piriform

Announcement: Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191

Recommended Posts

yes I would know if really people with windows 64bit, ccleaner 5.3364.exe, without any of the Agomo key, WebemPerf 1-4 or GeeSetup_x86.dll

TSMSISrv.dll EFACli64.dll are really safe or not. We have to reinstall OS or restore an image previous of version 5.33? Are our passwords, data safe?

Share this post


Link to post
Share on other sites

With all these qurstions surely it would make more sense for Piriform/a vast to bring out a standalone tool. It would at least make people feel safer

Share this post


Link to post
Share on other sites

1. Was there any malicious code in the 64-bit version of CCleaner?

 

2. Why is a 32-bit exe-file installed on a 64-bit system?

 

0d552a4f453fd6ec4e126e5571ead0c5.png

 

3. Does the 64-bit system always run the 64-bit version of CCleaner?

 

4. If the 64-bit version is clean, could a Trojan from a 32-bit exe-file get into a 64-bit system? In theory?

 

5. Why in a 64-bit system when you skip the Account Control for CCleaner, a 32-bit version (CCleaner.exe) is added to the tasks?

 

fe1817cdf0306381b2dd3c3ed1891e2b.png

Share this post


Link to post
Share on other sites

1. Was there any malicious code in the 64-bit version of CCleaner?

 

2. Why is a 32-bit exe-file installed on a 64-bit system?

 

0d552a4f453fd6ec4e126e5571ead0c5.png

 

3. Does the 64-bit system always run the 64-bit version of CCleaner?

 

4. If the 64-bit version is clean, could a Trojan from a 32-bit exe-file get into a 64-bit system? In theory?

 

5. Why in a 64-bit system when you skip the Account Control for CCleaner, a 32-bit version (CCleaner.exe) is added to the tasks?

 

fe1817cdf0306381b2dd3c3ed1891e2b.png

 

 

 

Hi login,  thanks for more info on this stuff.  I had no idea ccleaner would be scheduled to run on startup.  I found

 

Windows 7 64-bit machine      -    ccleaner.exe  (not  ccleaner64.exe)   scheduled to run on startup

Windows 10 64-bit machine    -    ccleaner64.exe scheduled to run on startup

 

 

Robert

Share this post


Link to post
Share on other sites

Dear Tom Piriform

 

I understand that more information is being uncovered all the time about this incident and that the situation inside piriform must be hectic.  However I think we should be given information based on the current knowledge about this incident.

 

Specifically I would appreciate it if an official person from piriform could confirm whether the following statements reflect the current state of knowledge:

 

1.   To date, there is no evidence  that the second level pay-load was distributed anywhere other than to a specifically targeted group of users.

 

2.    Users  who launch ccleaner by running ccleaner64.exe  are not at threat regardless of whether they downloaded and ran ccsetup533.exe or not. 

 

 

The latest information from avast is at  https://blog.avast.com/avast-threat-labs-analysis-of-ccleaner-incident

 

Users of limited technical knowledge (like myself) won't get much from that blog entry.  However its mentions of 64-bit systems makes me a bit nervous about previous reassurances. 

 

Thanks 

 

 

Hi Tom Piriform,

 

Based what I found in my startup scheduled tasks (see previous post) after reading login's post,  I now have a third question:

 

 

3.    Does the fact that ccleaner.exe  (contains 32-bit code?)  was in my startup scheduled tasks indicate that  I was more exposed to the malware?

 

Thanks

Share this post


Link to post
Share on other sites

Hello everyone,


 


As some of you have noted, a new update has been posted on the Avast blog. I have added this to the list of official information on the first page.


 


Avast blog: Investigation Progress Update #2 by Avast Threat Labs team (Thursday, 21 September 2017)


This second progress update explains why only part of the command & control server logs were recovered and provides yet deeper technical understanding of the way the malicious code was put together. It also shares some clues as to the identity of the perpetrators. 


https://blog.avast.com/avast-threat-labs-analysis-of-ccleaner-incident


 


 


We are working on getting you answers to some of your more technical questions.


Share this post


Link to post
Share on other sites

Thanks Stephen

 

You write...   "We are working on getting you answers to some of your more technical questions."

 

The avast blog is interesting but far too technical for most of us posting here.

It is some of the less technical questions we need answers to.  eg (as in my posts above):

 

is the 2nd pay-load a threat to casual users?:  

is running the 64-bit a reason to feel any more secure?;

does  having ccleaner.exe as part of startup schedule mean even 64-bit machines are exposed to 32-bit threat.

 

Or should just follow advice from cisco etc and wipe our machines and re-install from scratch?

 

Robert

Share this post


Link to post
Share on other sites

This malware issue affected my two 64 bit windows 7 systems.  The malware also attempts to change the Internet Explorer Home Page at every new launch of Internet Explorer.  The warning that some program is trying to do this appears every time.  Uninstalling the malware after using Malwarebytes or Bitdefender eliminates this effect until reboot.  I can establish cause and effect here.  The way that I discovered it was on Sept 19th, Bitdefender blocked the ccleaner exe.  When I rebooted, once the system tray application which runs by default loaded, the problem of the IE homepage hijack returned as well as a subsequent security warning regarding ccleaner.  This means that the malware is not only in the install file, but rather running in one or more of the program modules.  Only total uninstall eliminated the problem.  Additionally, simply because a system is 64 bit and ccleaner installs itself under a 64 bit heading, this does not exclude the fact that 32 bit modules are running.  The system tray module is a 32 bit module.  Lots of software running on 64 bit OS's is 32 bit in whole or in part.

 

On one of my systems an additional malware was blocked on the program path: backdoor.Agent.ABXS.

 

Nice thing is that one of my systems was a complete system reload, not used for anything of consequence yet, so the ccleaner exploit happened in a  rather controlled environment.

 

I have notified http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html of this and made my systems available to them if they want to look since I doubt that we will be receiving any truth from Avast/Piriform. 

 

I love the story about them keeping it quiet while working with law enforcement.  I called it years ago that this would be the BS excuse for companies to hide security breaches and address the lateness of announcing it to the general public.

Share this post


Link to post
Share on other sites

In The avast blog update when It talks about The Trojan 32 And 64 bit of The second payload They speak of Windows 7 And xp so It Can be probably that The 32bit Trojan Can activate in a 64 bit system But on 7 or xp (systems that Most companies use yet)

Share this post


Link to post
Share on other sites

In The avast blog update when It talks about The Trojan 32 And 64 bit of The second payload They speak of Windows 7 And xp so It Can be probably that The 32bit Trojan Can activate in a 64 bit system But on 7 or xp (systems that Most companies use yet)

 

Not sure if it is relevant to your point,  but I did find (see my post above) that it was ccleaner.exe (32-bit?) scheduled to run  at start-up on my Windows 7 64-bit machine but  on my Windows 10 64-bit machine it was ccleaner64.exe scheduled at start-up

Share this post


Link to post
Share on other sites

Not sure if it is relevant to your point,  but I did find (see my post above) that it was ccleaner.exe (32-bit?) scheduled to run  at start-up on my Windows 7 64-bit machine but  on my Windows 10 64-bit machine it was ccleaner64.exe scheduled at start-up

 

 

Mind you,  "login"  (post 129 above) found ccleaner.exe in start-up schedule on his Windows 10 64-bit device

Share this post


Link to post
Share on other sites

Guys according to Cisco's Talos (Security Intelligence and Research Group), the installation alone was all that required for the malicious payload to execute.  See Craig Williams (Manager of the Talos – Outreach team) response to this very question I posted on September 21, 2017 @ 6:29 PM in the comments section http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html

Share this post


Link to post
Share on other sites

so what is the on census on what to do it if one had that verison installed? i might have have 5.33 installed on my personal computer dont know i not sure as i not been home in 3 weeks as i do update ccleaner from time to time on machine. and was it or wasnt it the installers that was infected? i usual just get portable or the ccleaner.exe ? and seeing ccleaner.exe launches ccleaner64.exe on 64 bit os was that enough to avoid the issue?

 

I have since deleted ccleaner.exe from this pc and changed all tasks in schedule tasks to start ccleaner64.exe if it didnt already. but i pretty sure my pc uses has 2 task using ccleaner.exe  one that skip the uac and another i manully created to  automatic  run daily to clean out temps/histroy and other custom folders on my pc.

 

IF my pc is using 5.33 which not sure as it could still be using 5.32 i know wont till i go home. what the steps one should use to check if it got infected? i prefer not to format  the drive like some sites are say? but if i do it will just give me reason to  installed Windows 10 RS3. my computer which also uses avast made no complaint about ccleaner though.

 

Would think Avast who owns ccleaner company would post means to check and clean pc if it was infected,  which seem to  missing from the  initial post

 

Share this post


Link to post
Share on other sites

With all these qurstions surely it would make more sense for Piriform/a vast to bring out a standalone tool. It would at least make people feel safer

 

I suggested that on day one in a separate area, but supposedly they weren't going to do that.

Share this post


Link to post
Share on other sites

Much of this thread is far too technical for me. Here is my situation, simply:

 

- I purchased and installed CCleaner Professional edition on 9/5

- I purchased and installed Malwarebytes the same day

- on 9/19 CCleaner disappeared completely from my computer. I reinstalled

- on 9/20 and 9/21, i reinstalled again, only to have the program vanish each day, with no warning or message about why it was removed and which program uninstalled it (I assume it was McAfee, see below). 

- on 9/22 i attempted to reinstall, but McAfee blocked the install.exe from running. I assume the latest (clean) version of CCleaner is on the site as of this morning, yet McAfee is flagging it as a threat and blocking installation. I don't know if I should try to circumvent McAfee, or if the latest version of CCleaner still has a Trojan/threat in it. 

- throughout this whole process, from 9/5 through today, Malwarebytes has not once detected any malware. it seems McAfee is more sensitive to security risks than Malwarebytes. 

 

Will a version be released that is approved for installation by McAfee? Unfortunately, my company has installed McAfee and I have no choice but to run it. My laptop is checked by IT on a regular basis and they've never flagged or asked me to remove CCleaner or Malwarebytes in the past. 

 

Any help or advice would be appreciated. If I can't get installation of CCleaner to work without McAfee blocking it, I will have to ask for a refund from my CCleaner purchase. 

 

Thanks!

Share this post


Link to post
Share on other sites

I use paid for version v5.35.6210 (64bit)

 

On 20th Sept2017 my Avira detected 2 Trojans

can anyone shed some light on this please

The auto ccleaner daily update downloaded them

post-80067-0-32818500-1506103137_thumb.png

post-80067-0-88997100-1506103159_thumb.png

Share this post


Link to post
Share on other sites

Gaz132 what Windows do You have? 7 or xp?

 

On malwearbytes forma user ask about Windows 10 And 64bit version. The expert Said that malwearbytes detect And cancell The Trojan And The registry Key And if The registry Key agomo there isn t on The system The backdoor Not affected The pc

Share this post


Link to post
Share on other sites

Mind you, "login" (post 129 above) found ccleaner.exe in start-up schedule on his Windows 10 64-bit device

Same for me But The directory is C program Files (64bit) Not c program Files x86, so this i importante or Not To execute a 64bit Version?

Share this post


Link to post
Share on other sites

This malware issue affected my two 64 bit windows 7 systems.  The malware also attempts to change the Internet Explorer Home Page at every new launch of Internet Explorer.  The warning that some program is trying to do this appears every time.  Uninstalling the malware after using Malwarebytes or Bitdefender eliminates this effect until reboot.  I can establish cause and effect here.  The way that I discovered it was on Sept 19th, Bitdefender blocked the ccleaner exe.  When I rebooted, once the system tray application which runs by default loaded, the problem of the IE homepage hijack returned as well as a subsequent security warning regarding ccleaner.  This means that the malware is not only in the install file, but rather running in one or more of the program modules.  Only total uninstall eliminated the problem.  Additionally, simply because a system is 64 bit and ccleaner installs itself under a 64 bit heading, this does not exclude the fact that 32 bit modules are running.  The system tray module is a 32 bit module.  Lots of software running on 64 bit OS's is 32 bit in whole or in part.

 

On one of my systems an additional malware was blocked on the program path: backdoor.Agent.ABXS.

 

Nice thing is that one of my systems was a complete system reload, not used for anything of consequence yet, so the ccleaner exploit happened in a  rather controlled environment.

 

I have notified http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html of this and made my systems available to them if they want to look since I doubt that we will be receiving any truth from Avast/Piriform. 

 

I love the story about them keeping it quiet while working with law enforcement.  I called it years ago that this would be the BS excuse for companies to hide security breaches and address the lateness of announcing it to the general public.

 

 

Did you have a registry folder Agomo?

HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo

Or one of the listed registry folders?

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\002
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\003
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\004
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP

Share this post


Link to post
Share on other sites

Make sure you are installing the latest version 5.35 from here.

 

https://www.piriform.com/ccleaner/builds

 

I just tried downloading v5.35 from that link, and McAfee is still blocking installation, and calling it a Trojan. Below is the log from McAfee. Please advise.

 

 

Adaptive Threat Protection       Analyzer / Detector   Product name McAfee Endpoint Security Product version 10.5.2.2078 Feature name On-Execute Scan     Threat   Action taken Block Threat category Malware Detected Threat event ID 35104 Threat handled Yes Threat name ATP/Suspect!92fcff26e8c5 Threat severity Critical Threat timestamp 9/22/2017 14:56 Threat type Trojan     Source   Source process name C:\USERS\xxxxxxx\DOWNLOADS\CCSETUP535.EXE Source user name GLOBAL\xxxxxxx     Target   Target hash e6f5ad3fd6d0f64ec88357fc481a71ab Target name CCLEANER64.EXE Target path C:\PROGRAM FILES\CCLEANER Target signer Symantec Class 3 SHA256 Code Signing CA     Other   Vector type Local System Description Adaptive Threat Protection Detection  

 

Share this post


Link to post
Share on other sites
This is really pissing me off. Like I said on another thread, I was able to run a scan of MSE and delete the trojan. But there's still something very wrong. And the thing that drives me up the wall is I ran another scan of MSE and the system's clear. Hell, I even redownloaded Malwarebytes to run for one scan only (the new upgrade from this year didn't sound like it gelled well with the computer I have and that's why I had to get rid of it). Anyway, that scan came out clean. There's still something wrong with MSE because I'm getting errors when I try and click on "help". It's an application not found error and I got errors this morning and yesterday if I updated the virus and spyware definitions.

 

I literally don't know what to do. And I sure as hell don't have the money to pay for somebody else's *uck up. I'm careful with the stuff I download and the sites I visit and here this crap's been undetected for a month. This was a program I'd had for many years but this whopper has pretty much cut my trust for the program. Not to mention my "security" programs that made me have the false believe the system was clean. It's very unfortunate that this program was one I always followed the 'nags' over about a new update being released. Idk if I'm keeping this program after this has blown over. 

 

I need help. If nobody here can help, please point me to a direction where I can possibly get some help without making the already bad problem even worse.

 

Oh, and I did download the latest install of CCleaner. I'm gonna cool off and come back later. 

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

×