CCleaner Infected - How to make sure PC is clean?

ispx


509322

Craig Williams - the manager of the Cisco Talos lab (that discovered the malicious code) states:

Cisco's Talos Intelligence Group Blog: CCleanup: A Vast Number of Machines at Risk

Unknown, September 18, 2017 at 9:49 AM
Will simply uninstalling remove this as well?

Craig Williams, September 18, 2017 at 9:50 AM
Uninstalling the tool will not remove the malware. To remove the malware you should restore from a previous backup that is known to be clean or try a virus removal tool.

Avast, the owner of Piriform, states:

CCleaner Delivers Floxif Malware - Adlice Software

Removal
Avast claims updating CCleaner to version 5.34 addresses the issue and removes the malware.

Piriform itself states:

Piriform - Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users

Users of our cloud version have received an automated update. For all other users, if you have not already done so, we encourage you to update your CCleaner software to version 5.34 or higher, the latest version is available for download here.
 

Parsh

Hi,
today I read about
Piriform - Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users
&
Piriform - Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users

ESET detects it only from today, with update signature 16099 @ 2017-09-18, as
Win32/CCleaner.A
Win32/CCleaner.B

but it detects only the old CCleaner installers.
I read about ->
today is 18 September, it's been a month
I can't restore an image on 4 machines

What can I do?
I tried Malwarebytes, a full scan, all clean.
Is there a way to check if I have this malware? I know about the registry.
Is there something deeper?
Have you restored an image?

About Virus Bulletin -> Virus Bulletin :: Malicious CCleaner update points to a major weakness in our infrastructure

Thanks
Was your installation the same version (v5.33.6162 and 32-bit)?
From the Cisco Talos report, one of the important and most intuitive actions is to perform a restore to minimize/remove traces of infection:
If even a small fraction of those systems were compromised an attacker could use them for any number of malicious purposes. Affected systems need to be restored to a state before August 15, 2017 or reinstalled.
System restores may not always fetch a clean state but those are supposed to be good on paper. Have a clean backup image? Use that.
EDIT: Just read that @Lockdown has already elaborated. We cannot be sure if our (for those in concern) systems were at all exploited. I am yet to read the other threads here in entirety but you can do this for peace of mind.
 
Last edited:
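The quoted question above asks how to tell whether a machine even has the build named in the Piriform notification. The following is an added example, not code from this thread or from Piriform: it takes the installed product name and version string (assumed to be read from wherever the administrator normally gets it, such as the Windows uninstall registry) plus the first bytes of the installed binary, and reports whether they match the advisory's affected version and 32-bit architecture. The PE header bytes used here are constructed for offline testing, not a real binary.

```python
import struct

# Affected (product, version) pairs as named in the Piriform notification.
AFFECTED = {
    "CCleaner": (5, 33, 6162),
    "CCleaner Cloud": (1, 7, 3191),
}
IMAGE_FILE_MACHINE_I386 = 0x14C  # COFF Machine value for 32-bit x86


def parse_version(text):
    """'5.33.6162' -> (5, 33, 6162); stops at the first non-numeric part."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def pe_is_32bit(data):
    """Read the COFF Machine field of a PE image; True for x86 (32-bit)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of NT headers
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return machine == IMAGE_FILE_MACHINE_I386


def assess(product, version_text, pe_bytes):
    """'affected' means the installed build is the one named in the advisory.
    It does not tell you whether the embedded payload ran; the thread's advice
    (restore to a pre-August-15 state or reinstall) still applies in that case."""
    if product not in AFFECTED:
        return "unknown product"
    same_build = parse_version(version_text) == AFFECTED[product]
    return "affected" if same_build and pe_is_32bit(pe_bytes) else "not affected"


def fake_pe(machine):
    """Constructed minimal PE header (not a real executable) for offline testing."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)        # 64-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew: NT headers at 0x40
    return bytes(hdr) + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18


if __name__ == "__main__":
    print(assess("CCleaner", "5.33.6162", fake_pe(0x14C)))   # affected
    print(assess("CCleaner", "5.34", fake_pe(0x14C)))        # not affected
```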

509322

Was your installation the same version (v5.33.6162 and 32-bit)?
From the Cisco Talos report, one of the important and most intuitive actions is to perform a restore to minimize/remove traces of infection:

System restores may not always fetch a clean state but those are supposed to be good on paper. Have a clean backup image? Use that.
EDIT: Just read that @Lockdown has already elaborated. We cannot be sure if our (for those in concern) systems were at all exploited. I am yet to read the other threads here in entirety but you can do this for peace of mind.

When an infection is first reported in the online media it is not at all unusual to have different parties say different things about it - sometimes the things the different parties state are completely contradictory. One need look no further than the SMB\Eternal Blue\Double Pulsar early reports. It was only a month later that clarity and accuracy were established.

If a system has been compromised, why guess or speculate as to what one should do? Just do a clean install of the OS and be done with it. Alternatively, you can restore using a clean backup image if you are certain it is clean. There's rollback too if you are using a rollback soft.
 

Parsh

When an infection is first reported in the online media it is not at all unusual to have different parties say different things about it - sometimes the things the different parties state are completely contradictory. One need look no further than the SMB\Eternal Blue\Double Pulsar early reports. It was only a month later that clarity and accuracy were established.

If a system has been compromised, why guess or speculate as to what one should do? Just do a clean install of the OS and be done with it. Alternatively, you can restore using a clean backup image if you are certain it is clean. There's rollback too if you are using a rollback soft.
There's no denying that. While some aspects like the manipulation technicalities are now clear (to me) through the above links and more, it won't be wrong to say that there can be a re-toss and the other side of the coin might surface some time, probably pertaining to the dev's desk (can be anything from irresponsibility to more), and new debates will emerge then.
 

509322

There's no denying that. While some aspects like the manipulation technicalities are now clear (to me) through the above links and more, it won't be wrong to say that there can be a re-toss and the other side of the coin might surface some time, probably pertaining to the dev's desk (can be anything from irresponsibility to more), and new debates will emerge then.

Now there is at least one Avast personnel stating that, along with CCleaner, the Avast SecureLine VPN was either compromised or abused to distribute ransomware.

It isn't clear yet.

So in these cases you just have to wait until everything calms down and all the info gets sorted out. That's just how it works because the initial reports are just preliminary with details that are apt to change over time.
 

boredog

Lockdown

Pretty sure when I installed that version I had AppGuard set to allow installs. Would the backdoor then have been detected when I set AppGuard back to locked down?

Thanks
 

509322

Lockdown

Pretty sure when I installed that version I had AppGuard set to allow installs. Would the backdoor then have been detected when I set AppGuard back to locked down?

Thanks

No... you installed it to System Space and the malicious code was embedded (a PE loader and .dll that run from System Space). It's the same situation with all the other security softs - and that is why it wasn't detected until manually analyzed by Cisco Talos.

You can't do much against embedded malicious code in a soft that is universally trusted by certificate - not unless the malicious code does something that is disallowed or suspicious that security softs will detect\block.

The whole concept of trusted processes is that they are allowed to run unrestricted. All security softs employ the concept of trusted processes to varying degrees.

It's pretty much the same concept as if someone compromised Microsoft, embedded malicious code in a Windows Update, and that update was distributed to systems.

Just be informed and level-headed.
 
Last edited by a moderator:

boredog

Ok so was the backdoor part of the main program or did the main program install a separate back door? Anyone know? If installing the newest version gets rid of the infection, I would think the back door was part of the main program.
 

509322

Ok so was the backdoor part of the main program or did the main program install a separate back door? Anyone know? If installing the newest version gets rid of the infection, I would think the back door was part of the main program.

Floxif is a file infector.

Read the entire article below.

Cisco's Talos Intelligence Group Blog: CCleanup: A Vast Number of Machines at Risk

The "malicious" CCleaner installer installed...

"...a PIC (Position Independent Code) PE loader as well as a DLL file that effectively functions as the malware payload." They go on to explain it is loaded into memory and deleted.

The malicious code was detected by Cisco Talos' new AMP exploit detection technology during beta testing on customer systems.

This is what Avast states:

CCleaner Compromised to Distribute Malware for Almost a Month

"the only malware to remove is the one embedded in the CCleaner binary itself."
 
Last edited by a moderator:

509322

Are there any reports that anti-exploit products other than Cisco's new AMP exploit detection caught this?
 

ForgottenSeer 58943

I've petitioned Heimdal to remove CCleaner from the 'recommended' software you can install and patch from the application.

Ninite already pulled CCleaner from their listings. This is going to effectively destroy this product IMO.

We used to 'sometimes' use it in cleanups at work on client machines. But effective immediately it's been banned from use within our company and on any client machines. Even portable versions, for quick cleanups.
 
