CCleaner Community Forums
Stray_Trons

Piriform Website causes AV Alert for JV/Faceliker.ag Trojan


Not sure what is going on but Piriform may have gotten hacked again. My McAfee AV hit on a Trojan in CCleaner last night. This morning I woke up to a missing CCleaner and a popup telling me "The product is not permitted for use in your current location". Gone, done & dusted. Not a trace of CCleaner to be found on the machine.

So I figure something went wahoonie shaped and I'll need to reinstall CCleaner, right after I run a full AV scan to see if something else did not get past my firewalls. As soon as I load the Piriform page my AV pops up again and I get a warning:

10/7/2018 11:13:54 AM Deleted  [REDACTED]C:\Program Files\Internet Explorer\iexplore.exe C:\Users\[REDACTED]\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\W147MR22\addthis_widget[1].js JS/Faceliker.ag (Trojan) 64e780aad3077cffdb6279619950440f (MD5)

McAfee AV locks up the page like it should and I'm left scratching my head. So can someone (Piriform...) tell me just what the bloody hell is going on? :huh:


Please post the address of the Piriform page you are using.

If I go here

https://www.ccleaner.com

or here

https://www.ccleaner.com/ccleaner/builds

I have no problems at all.

If I scan the page using VirusTotal it comes up clean

https://www.virustotal.com/#/url/459623a3db78c0f30d15701a3564bd33577d40214919fdd8e174a3ef685e1960/detection


The website is https://www.ccleaner.com/

My AV is continually warning about the faceliker.ag on each attempt to reach that page.

There is a possibility that there is a Facebook add-in buried in the html. It is possibly malicious, but I'm not taking a chance. I'll be contacting Piriform Corporate Tuesday AM to discuss this.

The info on faceliker.ag is here: https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-labs-faceliker-surge-manipulates-facebook-likes-promote-news-content/


"The product is not permitted for use in your current location" is a known CCleaner issue.

Certain countries have banned the use of CCleaner, and the detection of if a PC is in one of those countries has gone a bit awry.
The Developers are working on a fix.

As for "Faceliker".

If you had read that linked McAfee article fully you would have seen that 'Faceliker' is not on the CCleaner webpage - it's on your computer already.
It is trying to redirect you when you visit websites, in your case when you try to visit ccleaner.com, which is when your AV sees what it is trying to do and blocks it.

(PS. I've just used Firefox Web Developer tools to look at the source HTML of the ccleaner webpage and can't see anything odd there).

Faceliker is not usually too bad as infections go, it has been around for years and is an advertising hack to click lots of Facebook 'likes' without you knowing (normally).
Certain strains will also try to redirect your browser elsewhere, usually to advertising pages, which is what you seem to be seeing (or would if your AV wasn't blocking the redirect).

You usually get infected through a browser extension, specifically Chrome extensions. Have you added any browser extensions recently?
https://www.bleepingcomputer.com/news/security/sudden-rise-detected-in-faceliker-malware-that-manipulates-facebook-likes-/

I'd say it came through that javascript file "addthis_widget[1].js" which your McAfee seems to have already removed.
(Note though that the [1] indicates that that is/was the second copy of "addthis_widget.js" that is or has been on your machine).
Not all "addthis_widget.js" files are malicious, it's a commonly used filename in js.

A full scan with Malwarebytes, or possibly AdwCleaner should check for any leftovers, rogue registry entries, etc.

I strongly suggest that you get your computer checked and cleaned of malware ASAP.

We are not allowed to give more detailed malware removal help on this forum, but if you look at item 10 of the forum rules there are links to where you can get FREE 1-to-1 help to check and clean your computer:
https://forum.piriform.com/announcement/15-forum-rules/
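
The McAfee log line quoted in the first post can be split into its fields to see which process fetched the flagged file and where on disk it was stored. This is an added example, not part of any poster's message or of McAfee's tooling; the field layout is inferred from that single line, and the field names, the `triage` helper and the second log line are assumptions constructed here.

```python
import re
from pathlib import PureWindowsPath

# On-access scan line copied from the first post (user name already redacted there).
PAGE_LINE = r"10/7/2018 11:13:54 AM Deleted  [REDACTED]C:\Program Files\Internet Explorer\iexplore.exe C:\Users\[REDACTED]\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\W147MR22\addthis_widget[1].js JS/Faceliker.ag (Trojan) 64e780aad3077cffdb6279619950440f (MD5)"
# Constructed contrast line (not from the thread): a detection inside an installed program.
CONSTRUCTED_LINE = r"10/7/2018 9:02:11 PM Deleted  [REDACTED]C:\Windows\explorer.exe C:\Program Files\ExampleApp\example.exe Example/Sample.a (Trojan) 00000000000000000000000000000000 (MD5)"

# Paths contain spaces, so fields are anchored on drive letters, the
# "Family/Name (Type)" detection token and the trailing hash instead of split().
LINE_RE = re.compile(
    r"^(?P<timestamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<action>\w+)\s+(?P<user>\S*?)"
    r"(?P<process>[A-Za-z]:\\.+?\.exe)\s+"
    r"(?P<file>[A-Za-z]:\\.+?)\s+"
    r"(?P<detection>[^\s/]+/\S+)\s+\((?P<kind>[^)]+)\)\s+"
    r"(?P<hash>[0-9a-fA-F]{32,64})\s+\((?P<algo>\w+)\)$"
)

def parse_line(line):
    """Return the fields of one scan-log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify_location(file_path):
    """Say where the flagged file lives: browser-fetched content or an installed program."""
    parts = [p.lower() for p in PureWindowsPath(file_path).parts]
    if "temporary internet files" in parts or "inetcache" in parts:
        return "browser-cache"
    if any(p.startswith("program files") for p in parts):
        return "program-install"
    return "other"

def served_name(file_path):
    """Drop the bracketed counter from a cached file name, e.g. name[1].js -> name.js."""
    return re.sub(r"\[\d+\](?=\.[^.\\]+$)", "", PureWindowsPath(file_path).name)

def triage(line):
    """Parse a line and add the location class and the de-suffixed file name."""
    rec = parse_line(line)
    if rec is None:
        return None
    rec["location"] = classify_location(rec["file"])
    rec["served_name"] = served_name(rec["file"])
    return rec

if __name__ == "__main__":
    for line in (PAGE_LINE, CONSTRUCTED_LINE):
        r = triage(line)
        print(r["detection"], r["location"], r["served_name"], r["process"], sep=" | ")
```

For the line from the thread this reports a `browser-cache` location written by `iexplore.exe`, which separates a detection on downloaded page content from a detection on an installed executable.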
