Piriform Community Forums
lmacri

Traces of Floxif Malware From Infected CCleaner v5.33 Installer


I believe I was one of the 32-bit CCleaner users infected by the Floxif malware that was bundled with the previous v5.33 installer but the new v5.34 installer does not appear to be removing all traces of this malware off my system.  How do I ensure that this malware has been completely removed, short of restoring my system to a state prior to 15-Aug-2017?

_________________________________

 

Last week I posted in geekandglitter's thread Trojan.Rozena.Win32.59165 found by Zillya! about downloading two different installers for CCleaner Free v3.34 from the official Piriform site (cc_setup534.exe @ 9,954 KB versus the ccsetup534.exe @ 9,597 KB) but my post in that thread was deleted by one of the forum mods on 13-Sep-2017.

I just read today's Piriform blog entry Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users as well as the bleepingcomputer article CCleaner Malware Incident - What You Need to Know and How to Remove about Piriform's infected 32-bit v5.33 installer.  The bleepingcomputer article states that "The malware was embedded in the CCleaner executable itself. Updating CCleaner to v5.34 removes the old executable and the malware."

I wiped CCleaner v5.34 (originally installed 13-Sep-2017) off my system today with the Free Revo Uninstaller v2.0.3 (advanced mode) and reinstalled with a fresh copy of ccsetup534.exe downloaded from the Piriform site (http://download.piriform.com/ccsetup534.exe @ 9,597 KB) but the Agomo registry entry at HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo still persists.

 

Attachment: Windows Registry CCleaner Agomo Post 5_34 Reinstall 18 Sep 2017.png (screenshot of the Agomo registry key)

 

Should I be deleting this Agomo registry entry manually, and what other registry entries and files might have been missed by the v5.34 installer?

-----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.3.0 * NS Premium v22.10.0.10 * MB Premium v3.2.2 * CCleaner Free v5.34.6207



 

In the bleepingcomputer article this is stated: "Please note. as seen below, upgrading to version 5.34 will not remove the Agomo key from the Windows registry. It will only replace the malicious executables with legitimate ones so that the malware is no longer present."

So I think you can just safely delete the offending entry; if it reappears then you have a problem.


Today I performed a scan with Malwarebytes (free) and it notified me that I was also infected with Floxif malware (see scan result attached).

 

I am using CCleaner 5.34.6207 Professional and I did not receive such a notification when I did a scan only last week. I am not sure when my CCleaner was upgraded to 5.34 but I can only assume that it was done automatically with me being aware.

 

Since I instructed Malwarebytes to remove the offending entries I am hoping that I don't get the same result next time I do a scan.

 

If the malware was included with the CCleaner upgrade then how did it get into the system?

 

Sorry about the omission of the uploaded file - my inexperience as a newbie  :unsure: 

 

It is attached now...

Attachment: Malwarebytes scan result (image)



 

Sadly your results are not attached, so I am going to assume it just found the leftover registry keys.


Today I performed a scan with Malwarebytes (free) and it notified me that I was also infected with Floxif malware (see scan result attached)

 

I updated to CCleaner Free v5.34 on my 32-bit OS on 13-Sep-2017 and when I ran a Threat Scan yesterday with Malwarebytes Premium v3.2.2 (database v1.0.2835) my scan was clean.

 

After reading rherber1's post I just repeated another Malwarebytes Threat Scan today (database v1.0.2843) and it finally detected the following stray registry entries left behind by the Floxif malware that was embedded in the 32-bit ccleaner.exe executable for v5.33:

 

Registry Value: 2

  Trojan.Floxif.Trace, HKLM\SOFTWARE\PIRIFORM\AGOMO|MUID, Quarantined, [8813], [436740],1.0.2843

  Trojan.Floxif.Trace, HKLM\SOFTWARE\PIRIFORM\AGOMO|TCID, Quarantined, [8813], [436739],1.0.2843

 

Both Malwarebytes scan reports are attached.

A - MB Threat Scan Agomo Not Detected 18 Sep 2017.txt

B - MB Threat Scan Agomo Detected 19 Sep 2017.txt

 

Here's my next question.  The logs for my Norton Smart Firewall activity (Security | History | Show | Firewall Activities) only go back a few weeks so I'm not sure how I can determine if any connections were made to the rogue servers at IP address 216.126.x.x.  Given the infected 32-bit ccleaner.exe executable for v5.33 was signed by Piriform with a valid digital certificate, whitelisted by Norton and then given full access through my firewall between 15-Aug-2017 and 13-Sep-2017, is there any way of determining if data from my computer was sent back to these rogue servers?

_______________

 

...and if anyone from Piriform is following this thread it might be helpful if you update the change log for CCleaner v5.34 at http://www.piriform.com/ccleaner/version-history.  "Minor GUI improvements and bug fixes" doesn't really cut it for all the current 32-bit CCleaner Free v5.33 users who don't receive automatic updates and still haven't heard about this Floxif malware.

-----------

32-bit Vista Home Premium SP2 * Firefox ESR v52.3.0 * NS Premium v22.10.0.10 * MB Premium v3.2.2 * CCleaner Free v5.34.6207
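For the question in the original post (should the Agomo key be deleted by hand?) and Nergal's answer (delete it, and worry only if it comes back), here is an added PowerShell check that is not code from the thread or from Piriform. It looks for the two value names Malwarebytes reported above (MUID and TCID), exports the key to a .reg backup before deleting it, and is meant to be re-run later to see whether the values reappear. The function names, the backup path and the second WOW6432Node key path (where a 32-bit program's settings land on 64-bit Windows) are my assumptions, not something stated in the thread.

```powershell
# Added example, not from the forum thread or from Piriform.
# Lists the leftover Floxif trace values under the Agomo key, backs the key up,
# deletes it and tells you how to re-check. Run from an elevated PowerShell prompt.

# The thread concerns 32-bit Windows, where the key is HKLM\SOFTWARE\Piriform\Agomo.
# On 64-bit Windows a 32-bit program's registry writes are redirected under
# WOW6432Node, so both locations are checked (assumption: 64-bit path added by me).
$candidateKeys = @(
    'HKLM:\SOFTWARE\Piriform\Agomo',
    'HKLM:\SOFTWARE\WOW6432Node\Piriform\Agomo'
)
# Value names from the Malwarebytes log quoted above (AGOMO|MUID, AGOMO|TCID).
$traceValues = @('MUID', 'TCID')

function Get-AgomoTraces {
    # Returns one object per leftover value still present (key path, name, data).
    $found = @()
    foreach ($key in $candidateKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $traceValues) {
            if ($props.PSObject.Properties[$name]) {
                $found += New-Object PSObject -Property @{
                    Key = $key; Name = $name; Data = $props.$name
                }
            }
        }
    }
    return $found
}

function Remove-AgomoKey {
    param([string]$Key)
    # Export the key first so the deletion can be reversed with "reg import <file>".
    $regPath = $Key -replace '^HKLM:\\', 'HKLM\'
    $backup  = Join-Path $env:TEMP ('Agomo-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    & reg.exe export $regPath $backup /y | Out-Null
    Write-Host "Backup of $regPath written to $backup"
    Remove-Item -Path $Key -Recurse -Force
}

# @( ) keeps a single result as an array so .Count works on every PowerShell version.
$traces = @(Get-AgomoTraces)
if ($traces.Count -eq 0) {
    Write-Host 'No Agomo trace values (MUID/TCID) present.'
} else {
    $traces | Format-Table Key, Name, Data -AutoSize
    $traces | Select-Object -ExpandProperty Key -Unique | ForEach-Object { Remove-AgomoKey $_ }
    Write-Host 'Key removed. Re-run this script after a reboot and after running CCleaner once:'
    Write-Host 'if MUID/TCID come back, something on the machine is still writing them.'
}
```

The re-run is the important part: a stale key left behind by the v5.33 binary is inert, while a value that is recreated after the v5.34 reinstall would mean the old executable (or something else) is still running, which is the case Nergal describes as "then you have a problem".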



 

While I am not Piriform: probably not. The process only took a few seconds, and those servers are now under the control of Cisco and law enforcement and have been since about Sept 12 or so. Even then it only gathered specific data from your PC like its name, installed software, MAC addresses and what type of Windows it was (32- or 64-bit), so the hacker or hackers were looking for a particular profile (no one knows what that is yet; it's doubtful we ever will unless the author or authors are arrested or come forward).


Hi Guys.

 

Even if you're on the 5.33 version, you're no longer at risk, but we are trying to get everyone updated as soon as possible. All AV programs will likely flag CCleaner 5.33 and 5.34 now; however, they are safe to use. We're working on resolving this so there are no false readings. Thanks for your patience.

 

At this time all the information I have available is on our blog post: http://www.piriform.com/news/blog/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users


Even if you're on the 5.33 version, you're no longer at risk ...

 

Hi Tom Piriform:

 

The Avast blog entry Update to the CCleaner 5.33.6162 Security Incident states:

 

"...we released a fixed version 5.33.6163, identical to 5.33.6162 but with the backdoor removed, and pushed this version as a lightweight automatic update to CCleaner... (unfortunately, we weren’t able to update the free CCleaner users automatically as the free version doesn’t contain the auto-update functionality).

 

That same blog entry also states:

 

"...as soon as we became aware of this issue, we engaged and solved it. Within approximately 72 hours of discovery, the issue was resolved by Avast with no known harm to our Piriform customers."

 

Unfortunately it was a full month before Avast and Piriform even discovered their v5.33 32-bit ccleaner.exe executable (released 15-Aug-2017) contained a Floxif backdoor trojan.  Unless Avast has firm evidence that there was no information harvested from infected 32-bit computers in that one-month period that could be used for future hacking attempts, the phrase "no known harm" doesn't give me much comfort.

 

Is there any way I can determine if my computer ever made a connection to the rogue servers at IP address 216.126.x.x before the servers were taken down on 15-Sep-2017?  As far as I can tell any executable like ccleaner.exe that is digitally signed by Piriform and whitelisted by Symantec will have full (unrestricted) access through my Norton Smart Firewall and those "safe" connections will not be logged in my firewall activity log.

-----------

32-bit Vista Home Premium SP2 * Firefox ESR v52.3.0 * NS Premium v22.10.0.10 * MB Premium v3.2.2 * CCleaner Free v5.34.6207


Hi,

 

Can I refer you to this quote from our CTO:

 

 

 

About 30% of CCleaner users also run Avast security software, which enables us to analyze behavioral, traffic and file/registry data from those machines. Based on the analysis of this data, we believe that the second stage payload never activated, i.e. the only malicious code present on customer machines was the one embedded in the ccleaner.exe binary.

 

You can read the full article here: https://blog.avast.com/update-to-the-ccleaner-5.33.6162-security-incident

 

Tom


Can I refer you to this quote from our CTO:

 

"About 30% of CCleaner users also run Avast security software, which enables us to analyze behavioral, traffic and file/registry data from those machines. Based on the analysis of this data, we believe that the second stage payload never activated, i.e. the only malicious code present on customer machines was the one embedded in the ccleaner.exe binary."

 

Hi Tom Piriform:

 

Perhaps I misunderstood, but when I originally read that statement I assumed it meant that no additional malware (i.e., "a second-stage payload") had been uploaded from the rogue servers at IP address 216.126.x.x to infected 32-bit computers via an incoming connection. If that had happened I suspect my Norton Security antivirus would have been raising red flags as soon as these hackers tried to upload unknown / unsigned files onto my computer.

 

I am more concerned about data collected from my own machine (e.g., MAC address, computer name, list of installed programs, etc.) by the code embedded in the compromised 32-bit ccleaner.exe executable that was sent back to the rogue servers via an outgoing connection, which is what this particular variant of the Floxif backdoor trojan was apparently designed to do.

 

According to the timeline posted by bleepingcomputer's Catalin Cimpanu at Avast Clarifies Details Surrounding CCleaner Malware Incident (which is based on details provided by Avast) it was users of Morphisec's security product who first detected instances of malicious activity (i.e., that the malware was collecting device details and sending the data to a remote server) and notified Avast and Cisco.

-----------

32-bit Vista Home Premium SP2 * Firefox ESR v52.3.0 * NS Premium v22.10.0.10 * MB Premium v3.2.2 * CCleaner Free v5.34.6207


Perhaps I misunderstood, but when I originally read that statement I assumed it meant that no additional malware (i.e., "a second-stage payload") had been uploaded from the rogue servers at IP address 216.126.x.x to infected 32-bit computers via an incoming connection....

 

...and further to this discussion about Phase 1 / Phase 2 of the attack, here is additional information about the data collected from infected 32-bit computers (e.g., MAC address, computer name, list of installed programs, etc.) according to the 19-Sep-2017 Security Now article CCleaner Infection Reveals Sophisticated Hack:

 

"Phase one transmitted this information to a third-party server in the US, which was taken down by Avast on Friday. Apparently, no further information was transmitted to this server after phase one. Paul Yung, vice president of products at Piriform, said in a statement "...that the threat has now been resolved in the sense that the rogue server is down," but there was no additional available information about whether users' computers had been affected after the server shut-down with anything more than the initial data grab."

-----------

32-bit Vista Home Premium SP2 * Firefox ESR v52.3.0 * NS Premium v22.10.0.10 * MB Premium v3.2.2 * CCleaner Free v5.34.6207



Can I refer you to this quote from our CTO:

Quote

About 30% of CCleaner users also run Avast security software, which enables us to analyze behavioral, traffic and file/registry data from those machines. Based on the analysis of this data, we believe that the second stage payload never activated, i.e. the only malicious code present on customer machines was the one embedded in the ccleaner.exe binary.

 

 


So what would prevent the malware server (which the infected ccleaner told what software we are running) from NOT deploying phase/stage 2 to ANY of those computers running avast?


Can I refer you to this quote from our CTO:

 

"About 30% of CCleaner users also run Avast security software, which enables us to analyze behavioral, traffic and file/registry data from those machines. Based on the analysis of this data, we believe that the second stage payload never activated, i.e. the only malicious code present on customer machines was the one embedded in the ccleaner.exe binary."

 

From Martin Brinkmann's 21-Sep-2017 ghacks.net article CCleaner Malware Second Payload Discovered:

 

"A new report by Cisco's Talos Group suggests that the CCleaner hack was more sophisticated than initially thought. The researchers found evidence of a second payload during their analysis of the malware which targeted very specific groups based on domains....The researchers suggest that the attacker was after intellectual property based on the list of domains that belong to high profile tech companies."

 

Cisco's 20-Sep-2017 preliminary technical analysis about this second payload can be found at CCleaner Command and Control Causes Concern.

 

Kudos to user ALF60 for posting <here> on the Norton Tech Outpost about Martin Brinkmann's article.

 

EDIT:

 

Additional information about this second payload was posted today on the HelpNetSecurity article Hackers behind CCleaner compromise were after Intel, Microsoft, Cisco.

-----------

32-bit Vista Home Premium SP2 * Firefox ESR v52.3.0 * NS Premium v22.10.0.10 * MB Premium v3.2.2 * CCleaner Free 5.35.6210

Edited by lmacri


Hi,

After reading lmacri's post about different CCleaner 5.34 32-bit versions, I checked mine, downloaded directly from piriform.com (ccsetup534 version 5.34.0.6207), and found out it's rated at 9.37GB (9 826 968 byte). So, which is the original one among these "official" 3? It would be useful to know the hash rates and the time stamp of the exe for best trustworthiness. Same for the 5.33 32-bit slim version I submitted at VirusTotal: their time stamp is very different from mine, albeit they said I submitted their own version, with surprisingly the same hash rates.

Very, very confusing facts for a normal user.

Thanks for some advice.



 

Hi mrdimly:

 

I can give you version numbers and release dates, but don't have "official" SHA-256 hashes for the older ccsetup53x.exe installers or the 32-bit ccleaner.exe executables so someone else would have to provide that information.  As far as I know, the 32-bit ccleaner.exe v5.33.6162 executable was the only CCleaner executable infected with the Floxif backdoor trojan.

  • v5.33.6162 (rel.15-Aug-2017, only version with backdoor trojan)
  • v5.34.6207 (rel.12-Sep-2017, no trojan)
  • v5.33.6163 (rel.15-Sep-2017, trojan removed, pushed to v5.33 Professional users via automatic update)
  • v5.35.6210 (rel. 20-Sep-2017, no trojan, updated digital certificates)

I've deleted all the older installers from my hard drive, but here are links to the VirusTotal.com reports for my current CCleaner Free v5.35.6210 files.  SHA-256 hashes are listed at the top of each report. Note that these results are for the Standard installer, not the Portable or Slim installers available at http://www.piriform.com/ccleaner/builds.

 

ccsetup535.exe installer downloaded from http://www.piriform.com/ccleaner/download (1/62 detection rate):

    https://www.virustotal.com/#/file/85d5309373cd1713eeb2416b4767c653e96a9e9cef3689dbb8f548cd23494319/detection

 

32-bit ccleaner.exe v5.35.6210 executable installed at C:\Program Files\CCleaner (0/64 detection rate):

    https://www.virustotal.com/#/file/478262a5d9d72bf339bd9b17261fea42dfdf0e36e4f233bbf7d6c6e9de0b0dc8/detection

 

 

On the VirusTotal.com site, the Last Analysis date isn't critical because the SHA-256 hash is like a fingerprint (digital ID) for a file.  If VirusTotal finds an exact match for the SHA-256 hash of the file you uploaded you can be confident that the analysis results are relevant.  If you want to double-check and have VirusTotal.com run a new analysis then click the button with the 3 dots in the top right corner of the results page and choose "Reanalyze" to resubmit the SHA-256 hash for an updated analysis with the latest available malware definitions for the ~ 60 antivirus scan engines.

 

Attachment: screenshot of the VirusTotal results page (image)

-----------

32-bit Vista Home Premium SP2 * Firefox ESR v52.3.0 * NS Premium v22.10.0.10 * MB Premium v3.2.2 * CCleaner Free 5.35.6210


Hi,

It remains that 3 CCleaner 5.34 installers downloaded at different dates from the official site (standard installers) have varying KB rates by some margin. I can only submit mine, which I downloaded only once. For the CCleaner 5.33 slim installer, which I also downloaded only once, installed then uninstalled, VirusTotal shows the same SHA for slim and portable versions; I submitted slim, and they respond for portable, how does that match? Have slim and portable the same digital signature by Symantec CA?

Thanks for your response.


It remains that 3 CCleaner 5.34 installers downloaded at different dates from the official site (standard installers) have varying KB rates by some margin.

 

Hi mrdimly:

 

In my original 18-Sep-2017 post <here> I stated:

 

Last week I posted in geekandglitter's thread Trojan.Rozena.Win32.59165 found by Zillya! about downloading two different installers for CCleaner Free v3.34 from the official Piriform site (cc_setup534.exe @ 9,954 KB versus the ccsetup534.exe @ 9,597 KB) but my post in that thread was deleted by one of the forum mods on 13-Sep-2017.

 

Keep in mind that Piriform occasionally bundles low-risk PUPs (potentially unwanted programs) like browser toolbars in the Standard installers.  Two installers downloaded from Piriform on different days might both be named ccsetup534.exe but have completely different sizes and SHA-256 hashes because only one of the installers has a bundled PUP, or because the installers are bundled with different PUPs on different days.  As a general rule, these lower risk PUPs are sometimes detected by an anti-malware/anti-spyware scanner like Malwarebytes or SUPERAntiSpyware but are often ignored by antivirus programs like Norton, Kaspersky, etc. that are designed to scan for higher risk malware.

 

I scanned the larger cc_setup534.exe installer from Piriform (note the "_" underline in the file name) with my Norton Security and Malwarebytes and no threats were detected, but when I searched for the SHA-256 hash (eb32922f1043ad5d956891b7e5aeae9f337be4baea12e3ce709acf6a5a37f8d1) of this installer on VirusTotal at https://www.virustotal.com/#/home/search the report at https://www.virustotal.com/#/file/eb32922f1043ad5d956891b7e5aeae9f337be4baea12e3ce709acf6a5a37f8d1/detection showed that the ESET-NOD32 scan engine flagged this installer as potentially unsafe for Win32/Bundled.Toolbar.Google.D. I didn't use that larger v5.34 installer but I'm guessing it was bundled with the Google Toolbar.

 

When installing any software it's always a good practice to choose the advanced options in the installation wizard and make sure you decline the installation of any bundled PUPs, especially if you are using the free version of a manufacturer's software.

 

...installed then uninstalled, VirusTotal shows the same SHA for slim and portable versions; I submitted slim, and they respond for portable, how does that match? Have slim and portable the same digital signature by Symantec CA?

 

I'm not certain if I follow what you did, but you might be confusing the self-extracting installer (e.g., ccsetup534.exe) with the actual 32-bit CCleaner.exe executable.  If you go to http://www.piriform.com/ccleaner/builds:

  • CCleaner Standard (ccsetup535.exe) is the "normal" installer that can be bundled with a low-risk PUP like a browser toolbar.
  • CCleaner Portable (ccsetup535.zip) is technically not an installer.  It's a zipped archive that can be downloaded to a USB thumb drive.  Once the archive is unzipped the user has all the files necessary to run CCleaner from the USB drive (e.g., CCleaner.exe for 32-bit OS, CCleaner64.exe for 64-bit) without having to install the program on the hard drive in C:\Program Files\CCleaner.  See the support article How to Run CCleaner From a USB Drive.
  • CCleaner Slim (ccsetup535_slim.exe) is the "clean" installer usually released a few days after the CCleaner Standard installer and is guaranteed not to include bundled PUPs.

These self-extracting installers might all have different sizes and different SHA-256 hashes but all should contain the same 32-bit CCleaner.exe executable (i.e., the same 7,506 KB size and SHA-256 hash) that launches the v5.35.6210 CCleaner program.

-----------

32-bit Vista Home Premium SP2 * Firefox ESR v52.3.0 * NS Premium v22.10.0.10 * MB Premium v3.2.2 * CCleaner Free 5.35.6210
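lmacri's two posts above make one practical point: the installer's size and SHA-256 can legitimately vary between downloads (bundled PUPs), but the CCleaner.exe it installs should not, and the SHA-256 is the value to look up on VirusTotal. The PowerShell below is an added example, not code from the thread or from Piriform: it hashes the installer and the installed executable, checks the Authenticode signature, compares against a reference hash, and prints the VirusTotal URL in the form used in lmacri's post. The file paths and the function name are my assumptions; the two reference hashes are the v5.35.6210 values quoted in lmacri's post and apply to that build only.

```powershell
# Added example, not from the forum thread or from Piriform.
# Hash the downloaded installer and the installed CCleaner.exe, check their
# Authenticode signatures and show the VirusTotal lookup URL for each hash.
# Needs PowerShell 4.0 or later for Get-FileHash.

# Assumed locations; adjust to where your files actually are.
$files = @(
    "$env:USERPROFILE\Downloads\ccsetup535.exe",   # installer: size/hash may differ per download
    "$env:ProgramFiles\CCleaner\CCleaner.exe"      # installed 32-bit executable: should not differ
)

# SHA-256 values quoted in lmacri's post for v5.35.6210 (standard installer and
# the 32-bit CCleaner.exe it installs). They are references for that build only;
# an entry with no reference hash is reported as "no reference".
$referenceHashes = @{
    'ccsetup535.exe' = '85d5309373cd1713eeb2416b4767c653e96a9e9cef3689dbb8f548cd23494319'
    'CCleaner.exe'   = '478262a5d9d72bf339bd9b17261fea42dfdf0e36e4f233bbf7d6c6e9de0b0dc8'
}

function Get-FileTrustReport {
    param([string]$Path)
    if (-not (Test-Path $Path)) {
        Write-Warning "Not found: $Path"
        return $null
    }
    $name     = Split-Path $Path -Leaf
    $hash     = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()
    $sig      = Get-AuthenticodeSignature -FilePath $Path
    $expected = $referenceHashes[$name]   # hashtable keys are case-insensitive

    [pscustomobject]@{
        File       = $name
        SizeKB     = [math]::Round((Get-Item $Path).Length / 1KB)
        SHA256     = $hash
        MatchesRef = if ($expected) { $hash -eq $expected } else { 'no reference' }
        SigStatus  = $sig.Status           # Valid, NotSigned, HashMismatch, ...
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        VirusTotal = "https://www.virustotal.com/#/file/$hash/detection"
    }
}

$files | ForEach-Object { Get-FileTrustReport $_ } | Format-List
```

Two caveats that follow from the thread itself: a "Valid" signature status is not proof of a clean file, because the infected v5.33 ccleaner.exe carried a valid Piriform signature, so the hash comparison (against a hash published for that exact build) is the stronger check; and the installer hash is expected to vary when a PUP is bundled, so a mismatch there means less than a mismatch on the installed CCleaner.exe. On systems too old for Get-FileHash, certutil -hashfile <file> SHA256 produces the same value.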


Hi lmacri,

 

I always downloaded and/or installed the slim version of different CCleaner versions apart from the 5.34 standard version I never installed, only saved for examination purposes; I never downloaded and/or executed a portable version. So the files I submitted on VirusTotal were the self-extracting exe files for CCleaner 5.33 and 5.34. Some confusion comes from the analysis response of VirusTotal which always says "The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem" ( https://www.virustotal.com/fr/file/4f8f49e4fc71142036f5788219595308266f06a6a737ac942048b15d8880364a/analysis/1506631637/ ).

The digital key chains are different between my uploaded self-extracting 5.33 slim and their portable 5.33 Win32 EXE file.

For the 5.34 version, I don't have the cc_setup534.exe, mine is self-extracting ccsetup534.exe preventing any comparison, but the problem may be the same as they say on Virus Total "The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem" ( https://www.virustotal.com/fr/file/cbc2f423d035cf315ac724e61287420013c517cf3d95dbdfa673179436184e64/analysis/ ). 

So analysis results on Virus Total are more confusing than informative as they never gave SHA256 hash for the submitted self-extracting exe files of CCleaner.

And what about Agomo related registry keys coming with Floxif? Isn't Agomo part of CCleaner Cloud? Meaning that the bundle of the CCleaner 5.33 Win32 EXE should have something to do with CCleaner Cloud? Even more confusing! Hope I'm wrong there!


Why are you confused by the simple fact that both ccleaner 5.33 and cloud 1.07.3191 both were infected. Yes agomo is ccleaner cloud, which, I assume, made that all the harder for cloud users to know the infection happened.


Hi Nergal,

 

I remain confused because I can't get a relevant response after analysis of my CCleaner 5.33 self-extracting EXE upload to VirusTotal, and it seems I could assume the Agomo registry key files, if somewhere on any computer, are there after installing the CCleaner 5.33 self-extracting EXE slim without even knowing anything about CCleaner Cloud or that it only exists.


Why doesn't Piriform use VirusTotal to see what needs to be removed and remove anything that comes up as a potential virus or malware? Also, is the slim version still available for download? When I go to builds it does not seem to be available. Does anyone use older builds and do they seem more effective for cleaning? It seems like the free version has been limited more and more over the years.

2 hours ago, moderation said:

Why doesn't Piriform use VirusTotal to see what needs to be removed and remove anything that comes up as a potential virus or malware? Also, is the slim version still available for download?...

Hi moderation:

VirusTotal.com is simply an aggregate web site that uses the scan engines of ~ 60 popular antivirus products (e.g., McAfee, Norton, etc.) and shows the user how many antivirus programs rate the file as "suspicious" (e.g., a VirusTotal rating of 15/60 means 15 scan engines think the file is suspicious, 45 think it is safe).

Before Piriform releases any new installer they run quality assurance tests, add their digital certificate and provide the SHA-256 / MD5 hash (essentially a digital fingerprint of the file) to antivirus companies like McAfee, Norton, etc. so that they can automatically whitelist the installer as a "safe" file prior to its release.  The infected 32-bit ccleaner.exe executable for v5.33 was not caught by Piriform during their quality assurance testing and was not initially flagged by any of the ~ 60 antivirus scan engines used on VirusTotal because Piriform incorrectly certified their v5.33 installer was free of malware.  Once the embedded Floxif backdoor trojan was discovered the v5.33 installer was removed from the Piriform download servers and antivirus companies were notified that the installer should be blacklisted, and only then did VirusTotal begin flagging the v5.33 files as suspicious/malicious.

In the past it's always been normal for the slim build of any CCleaner installer to be posted at http://www.piriform.com/ccleaner/builds about a week or so after the standard and portable builds are released, but Avast (who recently purchased Piriform) are "testing" a new policy to delay release of the portable build as well - see the discussion in Special's thread where's the portable version?. As Stephen Piriform noted <here>, both the slim and portable builds for v5.38 were just released today.
-----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.5.2 * NS Premium v22.11.2.7 * MB Premium v3.3.1 * CCleaner Free Portable v5.38.6357

