
Announcement: Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191


Tom CCleaner


glitterfalls

 

I agree...I am also in need of help.

My head's doing me in on this!

Do I reinstall Windows (no option to restore to an earlier time, as the restore points seem to be deleted) or not?

 

PLEASE someone from either Piriform or Avast make it CLEAR what we need to do.

 

I have searched my computer for these dlls they mention.

Stage 2 installer is GeeSetup_x86.dll

The 32-bit trojan is TSMSISrv.dll

The 64-bit trojan is EFACli64.dll

 

as well as….

VirtCDRDrv

SymEFA

 

Can't find any of these.

 

I also looked in the Registry for the keys

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\002

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\003

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\004

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP

 

Again nothing there. There was a WbemPerf with a default key but no keys labelled 1 to 4.

From my understanding and investigation there will be a “default” key there with no value.

 

So does that mean I am OK or not?

 

PLEASE someone from either Piriform or Avast make it CLEAR what we need to do.

 

There seems to be a LOT of confusing messages out there.

A LOT of technical sites and jargon that newbies like me just don't understand.

 

I'm careful with what I download, but now... I don't know.


glitterfalls

 

I agree...I am also in need of help.

My head's doing me in on this!

Do I reinstall Windows (no option to restore to an earlier time, as the restore points seem to be deleted) or not?

 

[...]

 

Somehow I doubt we'll get help from CCleaner. I'm gonna see if I can get help on the Microsoft community. That's about the only place I can turn to.

 

I'm glad you mentioned restore points. I was thinking this morning about restoring if I possibly could. With what you said, it doesn't sound like that's an option. Plus I'd be wary that even the stuff from before this s**t Trojan got on there could've infected even the good restore points.

 

I hope I can find another alternative to CCleaner. I did like the program. But this is just too much. I can see picking up Trojans if I'm browsing porn sites or something like that. I'm not. Maybe I'm wrong thinking this way, it almost seems like I'm expecting perfection. It's just that CCleaner has been something that's been on my computers for years. I do hold them to higher regard. For something like this to pass through and for it to take so long for anybody to notice, it really bugs me and makes me strongly distrust anything else the company puts out. 

 

I wish you the best of luck. Same goes for anybody else that's been impacted by this. This is a huge worry and causing the users a lot of stress. I'm just gonna come up with my other message and shut down for a few hours so I won't be tempted to keep on checking it every 2 minutes. 

 

And I'm really crossing my fingers I don't have to do a full wipe and start from 0. There's a few things on my computer I don't have backed up. Hell, I don't even know if I can trust those files even if I did get out the external hard drive to back them up. They might screw up everything good on the external hard drive.


  • Moderators

@rexg, as I already told you, you seem to have checked all that is known to be checked at this stage. I'm sorry that I'm not officially with Piriform as an employee, but as a moderator I would hope that my words would have been enough.

Right now, everything that's been disclosed you have done to protect your PC.

 

The second stage stuff you were looking for has ONLY been noted on the computers of large influential companies - and only on 20 PCs out of hundreds or more checked at those organizations. Avast and Piriform are taking this seriously and they and Cisco are working in tandem. All three of those (Avast, Piriform, Cisco Talos) are publicizing what they know as they know it. If more is discovered then, and only then, might your safeness level rise to looking for more.

 

If you've rid yourself of the 5.33, if you've checked for the rare chance that you have second stage files and/or registry, then you've done all you can for now.

 

 

ADVICE FOR USING CCleaner'S REGISTRY INTEGRITY SECTION

DON'T JUST CLEAN EVERYTHING THAT'S CHECKED OFF.

Do your Registry Cleaning in small bits (at the very least Check-mark by Check-mark)

ALWAYS BACKUP THE ENTRY, YOU NEVER KNOW WHAT YOU'LL BREAK IF YOU DON'T.

Support at https://support.ccleaner.com/s/?language=en_US

Pro users file a PRIORITY SUPPORT via email support@ccleaner.com


@rexg, as I already told you, you seem to have checked all that is known to be checked at this stage. [...] If you've rid yourself of the 5.33, if you've checked for the rare chance that you have second stage files and/or registry, then you've done all you can for now.

 

Correct me if I'm wrong, but the number of 20 PCs infected with the stage 2 payload is from the database of the seized C&C server. But the database only had data from a few days, starting from Sept. 12th to about the 15th? All of the data that was on there from Aug. 15th to Sept. 11th had been wiped, so there could be many more computers infected with the stage 2 payload.


  • Moderators

@jonmar, that is why it's suggested to check your PC for signs of payload 2. But the likelihood is high that only those corporations are targeted by the attack.

Am not suggesting that people shouldn't be vigilant but that an entire wipe is likely overkill. As attacks go, this one seems to be small. I've rarely seen a virus/malware that would require such a drastic measure.

 



FWIW I just downloaded a fresh install of CCleaner tonight at 11pm from the Piriform site, and instantly scanned it with Malwarebytes, and it found 2 malware infections.  You folks have some work to do, and in the mean time I'm uninstalling CCleaner from our three computers.


Today I read an article on Sky Tg24 (Italian page http://tg24.sky.it/tecnologia/2017/09/21/attacco-ccleaner-grandi-aziende.html?social=facebook_skytg24) in which they write that the malware was directed at Windows 7 and XP PCs of important companies, so I think that the malware in the 32-bit version of CCleaner 5.33 can execute on a 64-bit version of Windows 7 (not on Windows 10).

 

So I ask people with 64-bit who have found the malware: do you have Windows 7, and did you find the Agomo registry key and the WbemPerf 1-4 registry keys?

 

 

thanks

 

P.S. I've been anxious and nervous about this question since Monday.


FWIW I just downloaded a fresh install of CCleaner tonight at 11pm from the Piriform site, and instantly scanned it with Malwarebytes, and it found 2 malware infections.  You folks have some work to do, and in the mean time I'm uninstalling CCleaner from our three computers.

 

What is the name of  the file you downloaded and scanned? I just downloaded the current installer, ccsetup535.exe, and scanned it with Windows Defender, Spybot and Malwarebytes and all scans were clean.


Hello,

 

I would like to notify Piriform Admins/Moderators, that the (most likely custom) link:

 

https://dl.cleverbridge.com/502/(...)/ccsetup533_be.exe   (link broken on purpose)

 

I received when buying my license is still active and (per filename, obviously) points to the compromised v5.33 CCleaner installer. That is most likely what Edweather downloaded, as his link is probably active as well.

 

Also, would it be possible for anyone from Piriform to officially confirm that on x64 systems (Windows 7 in my case) no parts of the malware get/got to execute (activate) and no unauthorized changes (no matter how insignificant) could be done to the system, regardless of which file (CCleaner.exe/CCleaner64.exe) is/was being run?

 

Since people at Talos "dissected" the malware, I'm pretty sure Piriform/Avast did the same and someone knows the answer.

 

Other than the long gone v5.33 CCleaner.exe file, neither my AV suite (ESET and Malwarebytes) nor I have found any other indicators of compromise; however, one could argue that the malware was/(is?) sneakily covering its tracks. I'm really sorry, I do realize it sounds a bit paranoid, it's just that this is the first piece of malware I've had on any of my systems in ~20 or so years.

 

Previous posters seem to ponder the exact same question, that's why I think addressing this issue will be most appreciated.

 

Thank you very much!

Edited by patrykr

Hello, my question for Piriform/Avast concerning CCleaner v5.33 infection:

Is the Business Edition installer (ccsetup533_be.exe, MD5: 60f18d92353d46dfc715ffd9fbefecfc) affected like the other ones, i.e. the executable of the installer itself is malware-free, and only installs trojanized CCleaner.exe file?

Thank you very much for your time!

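One way to check an installer before you run it, added here as an example and not code from Piriform, Avast or anyone in this thread. It assumes PowerShell 4 or later (for Get-FileHash) and a SHA-256 that you obtain yourself from the vendor's current download page (nothing in this thread supplies one); the only hash the thread gives is the MD5 of ccsetup533_be.exe quoted above, which the function treats as known-bad. The version-string and signature checks are the kind of thing the "two Malwarebytes detections" and "5.35 scanned clean" posts above would have benefited from. Caveat, from the Talos writeup rather than this page: the trojanized 5.33 build was signed with a valid Piriform certificate, so "Valid" from Get-AuthenticodeSignature does not on its own clear a file.

```powershell
<#
  Added example (not Piriform/Avast code): inspect a downloaded CCleaner
  installer before executing it. Reports MD5, SHA-256, version resource and
  Authenticode state, and gives a verdict against a known-bad MD5 and an
  optional expected SHA-256 supplied by the caller.
#>
function Test-CCleanerInstaller {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedSha256 = ''   # from the vendor's page; not given on this page (assumption)
    )

    # MD5 quoted earlier in this thread for ccsetup533_be.exe, the affected
    # 5.33 Business Edition installer. Get-FileHash returns upper-case hex.
    $knownBadMd5 = @('60F18D92353D46DFC715FFD9FBEFECFC')

    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    $md5    = (Get-FileHash -Algorithm MD5    -LiteralPath $Path).Hash
    $sha256 = (Get-FileHash -Algorithm SHA256 -LiteralPath $Path).Hash
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $ver    = (Get-Item -LiteralPath $Path).VersionInfo

    # Order matters: a known-bad hash wins over everything else, then a
    # caller-supplied SHA-256, then the version resource as a weak signal.
    $verdict = 'unknown: compare SHA-256 with the vendor page yourself'
    if ($knownBadMd5 -contains $md5) {
        $verdict = 'KNOWN BAD: matches the affected 5.33 installer'
    } elseif ($ExpectedSha256 -and ($sha256 -ne $ExpectedSha256.ToUpper())) {
        $verdict = 'MISMATCH: SHA-256 differs from the value you supplied'
    } elseif ($ExpectedSha256) {
        $verdict = 'matches supplied SHA-256'
    } elseif ($ver.ProductVersion -like '5.33*') {
        $verdict = 'affected version string 5.33: do not run'
    }

    [pscustomobject]@{
        File           = $Path
        ProductVersion = $ver.ProductVersion
        MD5            = $md5
        SHA256         = $sha256
        SignatureState = $sig.Status                      # Valid / NotSigned / HashMismatch ...
        Signer         = $sig.SignerCertificate.Subject   # $null when unsigned
        Verdict        = $verdict
    }
}

# Usage (the path is an example, adjust to where your browser saved the file):
# Test-CCleanerInstaller -Path "$env:USERPROFILE\Downloads\ccsetup535.exe" -ExpectedSha256 '<hash from vendor page>'
```

A signed file whose signer subject is Piriform and whose hash matches the vendor page is what a good download looks like; a valid signature with an unexpected hash, or a 5.33 version resource, is the case this thread is about.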

@rexg as I already told you you seem to have checked all that is known to be checked at this stage. I'm sorry that I'm not officially with piriform, as an employee, but as a moderator I would hope that my words would've been enough. Right now, everything that's been disclosed you have done to protect your PC.

 

 

Nergal, your work as a volunteer is very much appreciated. However it appears you are relying on the same Avast/Piriform blogs and press releases as the rest of us for your information, and these blogs etc. leave many straightforward questions unanswered.

 

Several people are asking the same questions.  Given the seriousness of the threat to our systems we really should be getting answers from piriform employees based on their current knowledge. 

 

The last post from a Piriform employee was from Stephen nearly 24 hours ago (post #131). It was disingenuous at best: he posted a link to an extremely technical Avast blog post and then said he was working on answers to our more technical questions.

 

Our questions aren't that technical.  My summary of the questions is:

 

does the 32-bit/64-bit distinction still hold?

does having ccleaner.exe in scheduled startup mean we  were exposed to 32-bit threats even on 64-bit devices?

has the 2nd payload been found anywhere other than servers on the target list?

 

Others have been posting similar questions - none of which seem that technical. 

 

The other service Piriform/Avast could usefully provide their users with is a forum on how to reformat/restore/recover their systems to a pre-ccsetup533.exe state. Such a forum could be provided on a non-prejudicial basis for users who voluntarily decide to go down that road.


Our questions aren't that technical. My summary of the questions is:

does the 32-bit/64-bit distinction still hold?

does having ccleaner.exe in scheduled startup mean we were exposed to 32-bit threats even on 64-bit devices?

has the 2nd payload been found anywhere other than servers on the target list?


And another question: if we don't have the Agomo key in the registry, are we safe from the first payload?

If the first payload was not activated, is there a possibility that the second was? Or if we don't have the WbemPerf 1-4 keys and the GeeSetup_x86.dll, TSMSISrv.dll and EFACli64.dll files, are we safe?

 

Please someone reply

 

Is a restore point good enough or not? On my laptop I have done this to a date pre-5.33, but on my desktop

I have no system restore point to a pre-ccsetup533.exe state, so in that case I have to format and reinstall Windows.

 

Many sites like the Avast forum, BleepingComputer and MajorGeeks say that if there aren't any of the malicious keys and files on the PC, the PC is clean and safe from the trojan infection:

 

https://www.ghacks.net/2017/09/21/ccleaner-malware-second-payload-discovered/

 

http://www.majorgeeks.com/news/story/how_to_tell_if_you_were_infected_by_the_ccleaner_malware_issue.html

 

https://forum.avast.com/index.php?topic=208612.45

 

https://www.bleepingcomputer.com/how-to/security/ccleaner-malware-incident-what-you-need-to-know-and-how-to-remove/

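The checks that several posts in this thread describe by hand (glitterfalls' search for the stage 2 DLLs and the WbemPerf entries, Nergal's "check your PC for signs of payload 2", and the Agomo key question just above) as one read-only script. This is an added example, not code from Piriform, Avast or Talos. Two things it assumes that this page does not state: the Agomo key path (HKLM\SOFTWARE\Piriform\Agomo) is the one published in the Avast and Talos writeups, and the directories it searches are a practical default rather than an exhaustive list. It adds two checks a practitioner would want that the posts above miss: CCleaner.exe is a 32-bit process, so on 64-bit Windows its HKLM\SOFTWARE writes are redirected to WOW6432Node and a search of the native view alone can miss the marker; and the WbemPerf entries are looked up both as subkeys and as value names, since the writeups are not consistent about which they are (a clean key with only an empty default value, as glitterfalls saw, reports nothing). Run it from an elevated PowerShell prompt.

```powershell
<#
  Added example (not Piriform/Avast/Talos code): enumerate the published
  CCleaner 5.33 indicators on the local machine. Read-only; changes nothing.
  Assumptions not stated on this page: the Agomo key path is the one from the
  Avast/Talos writeups; the file search roots are a practical default.
#>
$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Installed build. Only CCleaner 5.33.6162 (and CCleaner Cloud 1.07.3191)
#    shipped the trojanized binary, so the version string is the first signal.
foreach ($dir in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
    if (-not $dir) { continue }
    $exe = Join-Path $dir 'CCleaner\CCleaner.exe'
    if (Test-Path $exe) {
        $ver  = (Get-Item $exe).VersionInfo.ProductVersion
        $note = if ($ver -like '5.33*') { ' <-- affected build, update or remove' } else { '' }
        $findings.Add("CCleaner.exe at $exe, version $ver$note")
    }
}

# 2. Stage-1 marker: the Agomo key. CCleaner.exe is 32-bit, so on x64 its
#    HKLM\SOFTWARE writes land under WOW6432Node; check both registry views.
$agomoPaths = 'HKLM:\SOFTWARE\Piriform\Agomo', 'HKLM:\SOFTWARE\WOW6432Node\Piriform\Agomo'
foreach ($p in $agomoPaths) {
    if (Test-Path $p) {
        $names = (Get-Item $p).Property -join ', '
        $findings.Add("Stage-1 marker present: $p (values: $names)")
    }
}

# 3. Stage-2 markers under WbemPerf. A clean machine normally has only the key
#    with an empty default value. The published lists name 001..004 and HBP;
#    look for them both as subkeys and as value names.
$wbem = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf'
if (Test-Path $wbem) {
    $subKeys    = @(Get-ChildItem $wbem | Select-Object -ExpandProperty PSChildName)
    $valueNames = @((Get-Item $wbem).Property)
    foreach ($n in '001', '002', '003', '004', 'HBP') {
        if ($subKeys -contains $n)    { $findings.Add("Stage-2 subkey: $wbem\$n") }
        if ($valueNames -contains $n) { $findings.Add("Stage-2 value: $wbem -> $n") }
    }
}

# 4. Stage-2 files. VirtCDRDrv and SymEFA are also names of legitimate
#    third-party libraries that the second stage imitates, so a name match is
#    not a verdict by itself: record hash and signature state for comparison
#    against the published indicators.
$patterns = 'GeeSetup_x86.dll', 'TSMSISrv.dll', 'EFACli64.dll', 'VirtCDRDrv*.dll', 'SymEFA*.dll'
$roots = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64",
           $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData) | Where-Object { $_ }
foreach ($root in $roots) {
    foreach ($pat in $patterns) {
        Get-ChildItem -Path $root -Filter $pat -Recurse -File -Force | ForEach-Object {
            $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName).Hash
            $sig  = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            $findings.Add("File: $($_.FullName) sha256=$hash signature=$sig")
        }
    }
}

if ($findings.Count -eq 0) {
    'No published CCleaner 5.33 indicators found on this machine.'
} else {
    $findings
}
```

An empty result means none of the indicators published so far are present, which is as far as the evidence in this thread goes; it is not proof that nothing else ran, which is why the Talos quote further down still recommends reimaging for machines where the stage 2 markers were present.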

 

 

And another question: if we don't have the Agomo key in the registry, are we safe from the first payload? [...]

 

I, too, would like to see a reply and/or statement from Piriform with regards to the infiltration of servers and the version 5.33 security breach, the subsequent potential risks to users, and what action you believe is necessary for users to take. 

 

However, I get the impression Piriform are laying low... 

 

Hello Piriform, is anyone there? We would like to hear from you!

 

 

"...Warren Mercer, a technical leader at Cisco Talos, recommends wiping or reimaging all infected systems to ensure that any malware that may have been installed by the trojanized CCleaner is completely eradicated."

 

https://www.bankinfosecurity.com/trojanized-avast-ccleaner-attack-targeted-major-tech-firms-a-10328

 

https://www.bleepingcomputer.com/news/security/info-on-ccleaner-infections-lost-due-to-malware-server-running-out-of-disk-space/

 

https://arstechnica.com/information-technology/2017/09/ccleaner-malware-outbreak-is-much-worse-than-it-first-appeared/

 

http://gearsofbiz.com/avast-takes-dig-at-cisco-thanks-morphisec-for-uncovering-ccleaner-compromise/72181


  • Moderators

I would like to notify Piriform Admins/Moderators, that the (most likely custom) link:

 

https://dl.cleverbridge.com/502/(...)/ccsetup533_be.exe   (link broken on purpose)

 

I received when buying my license...

 

I've made a note for the admins to see your post, so that it isn't overlooked.


  • Moderators

The last post from a Piriform employee was from Stephen nearly 24 hours ago (post #131). It was disingenuous at best: he posted a link to an extremely technical Avast blog post and then said he was working on answers to our more technical questions.

 

The thing is they have to get permission before answering questions about it. Some stuff the moderation staff was asking about in a separate private area couldn't be answered either because they had to get permission first and all of that takes time. Frustrating yes, however we're all in the same boat and waiting for information that is hopefully not overly technical.


Yes, the point is: are the infected machines the PCs with the malicious keys and files? Do they need to be restored, or Windows reinstalled?

 

If those keys/files aren't on the PC, is it OK with no need to restore or reinstall Windows, or are there other problems?


Hello,

 

I would like to notify Piriform Admins/Moderators, that the (most likely custom) link:

 

https://dl.cleverbridge.com/502/(...)/ccsetup533_be.exe   (link broken on purpose)

 

I received when buying my license is still active and (per filename, obviously) points to the compromised v5.33 CCleaner installer. That is most likely what Edweather downloaded, as his link is probably active as well.

 

Also, would it be possible for anyone from Piriform to officially confirm that on x64 systems (Windows 7 in my case) no parts of the malware get/got to execute (activate) and no unauthorized changes (no matter how insignificant) could be done to the system, regardless of which file (CCleaner.exe/CCleaner64.exe) is/was being run?

 

[...]

 

Like I was saying on my posts, something clearly happened on my computer and I'm on a 64. My antivirus was doing fine until this s**t popped up.  I'm waiting for help on another site and hopefully I'll get it back to being fine.


The thing is they have to get permission before answering questions about it. Some stuff the moderation staff was asking about in a separate private area couldn't be answered either because they had to get permission first and all of that takes time. Frustrating yes, however we're all in the same boat and waiting for information that is hopefully not overly technical.

 

 

Regardless of who's making the decisions, the lack of response to (or even acknowledgement of) some very straightforward questions being asked here is disrespectful and particularly so given that piriform has delivered some pretty dangerous software to our devices. 


  • Moderators

Regardless of who's making the decisions, the lack of response to (or even acknowledgement of) some very straightforward questions being asked here is disrespectful and particularly so given that piriform has delivered some pretty dangerous software to our devices. 

 

I have tried today to get someone from Piriform on forum but so far have had no success. I will keep trying.

 

Support contact

https://support.ccleaner.com/s/contact-form?language=en_US&form=general

or

support@ccleaner.com

 


Regardless of who's making the decisions, the lack of response to (or even acknowledgement of) some very straightforward questions being asked here is disrespectful and particularly so given that piriform has delivered some pretty dangerous software to our devices. 

Agreed. I'm always careful with my computer and watch the sites I go to like a hawk, use the proper programs regularly enough to keep it in healthy condition. We didn't pick this *hit up from a seedy website, we got it through a program we really thought we could trust. And my guess is that it was a program that many of us used for years. This is bad. This isn't something small like "Your program's getting a bit sluggish. Still works, just seems sluggish." And for the time period this went undetected makes it even worse. 

 

And I don't mean to seem *itchy to the people on this forum that volunteer to reply to posts or answer questions. It's nice that there's some of you out there doing that. It's just your company is leaving you high and dry from my point of view. I'm still pissed that I have to deal with this hassle I don't need and I'm worried about the whole damn thing. Can I make my computer safe again? Will I have to lose everything on the computer and have to reinstall everything? 


Strolling through this topic one reads posts that communicate uncertainty about this situation.
As there are two and a quarter million people potentially affected, it would be good to provide peace of mind.

 

Quite likely Piriform is not keeping its head down nor dragging its feet, but rather is waiting to be certain before speaking.

 

It would be really great if Tom Piriform would edit that first post with a prominent line about "How to be sure your computer is fixed".

Or maybe someone would create a standalone locked sticky by that name.
Simple stuff, like "Here's how to fix this infection if you think you have it." 

 

AND (not or) something about "Here's how to manually verify that it is fixed".  What to look for in the registry, what DLLs to look for, etc. 

 

Just my opinion, as a NTTMM (Not Too Tekkie Mere Mortal). :)

The CCleaner SLIM version is always released a bit after any new version; when it is it will be HERE :-)

Pssssst: ... It isn't really a cloud. Its a bunch of big, giant servers.


  • Moderators

If you have 64-bit Windows, make sure you update your CCleaner to the latest version (5.35 at the time of this post). If you are very worried you can follow the steps in https://www.ghacks.net/2017/09/21/ccleaner-malware-second-payload-discovered/

 

However, the malware normally does not have the time to activate between the time ccleaner.exe (32-bit) hands off to ccleaner64.exe.

 



If you have 64-bit Windows, make sure you update your CCleaner to the latest version (5.35 at the time of this post). If you are very worried you can follow the steps in https://www.ghacks.net/2017/09/21/ccleaner-malware-second-payload-discovered/ However, the malware normally does not have the time to activate between the time ccleaner.exe (32-bit) hands off to ccleaner64.exe.

 

 

Thanks for these suggestions Nergal but they raise a couple more questions:

 

1. You write "If you have 64 bit Windows, make sure you update your ccleaner to the latest version (5.35 at the time of this post)". Are you suggesting people with 32-bit Windows shouldn't update to 5.35?

 

2. You write "If you are very worried you can follow the steps in https://www.ghacks.net/2017/09/21/ccleaner-malware-second-payload-discovered/ "

In the article you link to it says  "Talos Group suggested to restore the computer system using a backup that was created prior to the infection. The new evidence reinforces this, and the researchers suggest strongly that it may not be enough to simply update CCleaner to get rid of the malware".  Are you now suggesting we follow this advice  (because a lot of us are, indeed, very worried)?

 

3. You write "the malware normally does not have the time to activate between the time ccleaner.exe (32bit) hands off to ccleaner64.exe." Can you please clarify what "normally" means in this context. Under what "non-normal" circumstances would the malware have been activated?

 

Thanks

Robert


This topic is now closed to further replies.