Stray_Trons Posted October 7, 2018 Share Posted October 7, 2018 Not sure what is going on but Piriform may have gotten hacked again. My McAfee AV hit on a Tojan in CCleaner last night. This morning I woke up to a missing CCleaner and a popup telling me "The product is not permitted for use in your current location". Gone, done & dusted. Not a trace of CCleaner to be found on the machine. So I figure something sent wahoonie shaped and I'll need to reinstall CCleaner, right after I run a fill AV scan to see if something else did not get past my firewalls. As soon as I load the Piriform page my AV pops up again and I get a warning: 10/7/2018 11:13:54 AM Deleted [REDACTED]C:\Program Files\Internet Explorer\iexplore.exe C:\Users\[REDACTED]\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\W147MR22\addthis_widget[1].js JS/Faceliker.ag (Trojan) 64e780aad3077cffdb6279619950440f (MD5) McAfee AV locks up the page like it should and I'm left scratching my head. So can someone (Piriform...) tell me just what the bloody hell is going on? Link to comment Share on other sites More sharing options...
Moderators hazelnut Posted October 7, 2018 Moderators Share Posted October 7, 2018 Please post the address of the Piriform page you are using. If I go here https://www.ccleaner.com or here https://www.ccleaner.com/ccleaner/builds I have no problems at all. If I scan the page using VirusTotal it comes up clean https://www.virustotal.com/#/url/459623a3db78c0f30d15701a3564bd33577d40214919fdd8e174a3ef685e1960/detection Support contact https://support.ccleaner.com/s/contact-form?language=en_US&form=general or support@ccleaner.com Link to comment Share on other sites More sharing options...
Stray_Trons Posted October 7, 2018 Author Share Posted October 7, 2018 The website is https://www.ccleaner.com/ My AV is continually warning about the faceliker.ag on each attempt to reach that page. There is a possibility that there is a Facebook add-in buried in the html. It is possibly malicious, but I'm not taking a chance. I'll be contacting Piriform Corporate Tuesday AM to discuss this. The info on faceliker.ag is here: https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-labs-faceliker-surge-manipulates-facebook-likes-promote-news-content/ Link to comment Share on other sites More sharing options...
Moderators nukecad Posted October 7, 2018 Moderators Share Posted October 7, 2018 "The product is not permitted for use in your current location" is a known CCleaner issue. Certain countries have banned the use of CCleaner, and the detection of if a PC is in one of those countries has gone a bit awry. The Developers are working on a fix. As for "Faceliker". If you had read that linked McAfee article fully you would have seen that 'Faceliker' is not on the CCleaner webpage - it's on your computer already. It is trying to redirect you when you visit websites, in your case when you try to visit ccleaner.com, which is when your AV sees what it is trying to do and blocks it. (PS. I've just used Firefox Web Developer tools to look at the source HTML of the ccleaner webpage and can't see anything odd there). Faceliker is not usually too bad as infections go, it has been around for years and is an advertising hack to click lots of facebook 'likes' without you knowing (normally). Certain strains will also try to redirect your browser elsewhere, usually to advertising pages, which is what you seem to be seeing (or would if your AV wasn't blocking the redirect). You usually get infected through a browser extension, specifically Chrome extensions. Have you added any browser extensions recently?https://www.bleepingcomputer.com/news/security/sudden-rise-detected-in-faceliker-malware-that-manipulates-facebook-likes-/ I'd say it came through that javascript file "addthis_widget[1].js" which your McAfee seems to have already removed. (Note though that the [1] indicates that that is/was the second copy of "addthis_widget.js" that is or has been on your machine). Not all "addthis_widget.js" files are malicious, it's a commonly used filename in js. A full scan with Malwarebytes, or possibly ADWcleaner should check for any left overs, rouge registry entries, etc. I strongly suggest that you get your computer checked and cleaned of malware ASAP. We are not allowed to give more detailed malware removal help on this forum, but if you look at item 10 of the forum rules there are links to where you can get FREE 1-to-1 help to check and clean your computer:https://forum.piriform.com/announcement/15-forum-rules/ *** Out of Beer Error ->->-> Recovering Memory *** Worried about 'Tracking Files'? Worried about why some files come back after cleaning? See this link:https://community.ccleaner.com/topic/52668-tracking-files/?tab=comments#comment-300043 Link to comment Share on other sites More sharing options...
bengoerz Posted October 8, 2018 Share Posted October 8, 2018 There are reports that this is a false-positive detection by a faulty McAfee DAT. See: Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now