- Jun 21, 2017
- 616
floxif is in the user's system.
it is not supposed to harm the system.
yes you are. ccleaner is the host floxif is the malware that piggybacks on the host. you uninstall the host & you believe floxif is gone?
Ccleaner Infected - How to make sure PC is clean?
- Thread starter giulia
- Start date
floxif is in the user's system.
it is not supposed to harm the system.
yes you are. ccleaner is the host floxif is the malware that piggybacks on the host. you uninstall the host & you believe floxif is gone?
- Jun 21, 2017
- 616
Craig Williams - the manager of the Cisco Talos lab (that discovered the malicious code) states:
Cisco's Talos Intelligence Group Blog: CCleanup: A Vast Number of Machines at Risk
UnknownSeptember 18, 2017 at 9:49 AM
Will simply uninstalling remove this as well?
Craig WilliamsSeptember 18, 2017 at 9:50 AM
Uninstalling the tool will not remove the malware. To remove the malware you should restore from a previous backup that is known to be clean or try a virus removal tool.
Avast - the owner of Piriform states:
CCleaner Delivers Floxif Malware - Adlice Software
Removal
Avast claims updating CCleaner to version 5.34 addresses the issue and removes the malware.
Piriform itself states:
Piriform - Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users
Users of our cloud version have received an automated update. For all other users, if you have not already done so, we encourage you to update your CCleaner software to version 5.34 or higher, the latest version is available for download here.
Cisco's Talos Intelligence Group Blog: CCleanup: A Vast Number of Machines at Risk
UnknownSeptember 18, 2017 at 9:49 AM
Will simply uninstalling remove this as well?
Craig WilliamsSeptember 18, 2017 at 9:50 AM
Uninstalling the tool will not remove the malware. To remove the malware you should restore from a previous backup that is known to be clean or try a virus removal tool.
Avast - the owner of Piriform states:
CCleaner Delivers Floxif Malware - Adlice Software
Removal
Avast claims updating CCleaner to version 5.34 addresses the issue and removes the malware.
Piriform itself states:
Piriform - Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users
Users of our cloud version have received an automated update. For all other users, if you have not already done so, we encourage you to update your CCleaner software to version 5.34 or higher, the latest version is available for download here.
- Dec 27, 2016
- 1,480
Was your installation the same version (v5.33.6162 and 32-bit)?
From the Cisco Talos report, one of the important and most intuitive action is to perform a restore to minimize/remove traces of infection:
System restores may not always fetch a clean state but those are supposed to be good on paper. Have a clean backup image? Use that.
EDIT: Just read that @Lockdown has already elaborated. We cannot be sure if our (for those in concern) systems were at all exploited. I am yet to read the other threads here in entirety but you can do this for a peace of mind.
Last edited:
- Jun 21, 2017
- 616
When an infection is first reported in the online media it is not at all unusual to have different parties say different things about it - sometimes the things the different parties state are completely contradictory. One need look no further than the SMB\Eternal Blue\Double Pulsar early reports. It was only a month later that clarity and accurateness was established.
If a system has been compromised, why guess or speculate as to what one should do ? Just do a clean install of the OS and be done with it. Alternatively, you can restore using a clean backup image if you are certain it is clean. There's rollback too if you are using a rollback soft.
- Jul 16, 2014
- 215
You don't need to do anything in system32 ! ..... When you update to new version ccleaner it's delete the previous version, soo only in Registry Editor have traces "Agomo"
- Dec 27, 2016
- 1,480
There's no denying that.. While some aspects like the manipulation technicalities are now clear (to me) through the above links & more, it won't be wrong to say that there can be a re-toss and the other side of the coin might surface some time, probably pertaining to the dev's desk (can be anything like irresponsibility to more).. and new debates will emerge then.
Now there is at least one Avast personnel stating that, along with CCleaner, the Avast SecureLine VPN was either compromised or abused to distribute ransomware.
It isn't clear yet.
So in these cases you just have to wait until everything calms down and all the infos get sorted out. That's just how it works because the initial reports are just preliminary with details that are apt to change over time.
No... you installed it to System Space and the malicious code was embedded (a PE loader and .dll that run from System Space). It's the same situation with all the other security softs - and that is why it wasn't detected until manually analyzed by Cisco Talos.
You can't do much against embedded malicious code in a soft that is universally trusted by certificate - not unless the malicious code does something that is disallowed or suspicious that security softs will detect\block.
The whole concept of trusted processes is that they are allowed to run unrestricted. All security softs employ the concept of trusted processes to varying degrees.
It's pretty much the same concept as if someone compromised Microsoft, embedded malicious code in a Windows Update, and that update was distributed to systems.
Just be informed and level-headed.
Last edited by a moderator:
Floxif is a file infector.
Read the entire article below.
Cisco's Talos Intelligence Group Blog: CCleanup: A Vast Number of Machines at Risk
The "malicious" CCleaner installer, installed...
"...a PIC (Position Independent Code) PE loader as well as a DLL file that effectively functions as the malware payload." They go one to explain it is loaded into memory and deleted.
The malicious code was detected by Cisco Talos' new AMP exploit detection technology during beta testing on customer systems.
This is what Avast states:
CCleaner Compromised to Distribute Malware for Almost a Month
"the only malware to remove is the one embedded in the CCleaner binary itself."
Last edited by a moderator:
Are there any reports that anti-exploit products other than Cisco's new AMP exploit detection caught this ?
Not to state the obvious, but if you did not install the 5.33 32-bit version (meaning you always install the 64-bit versions), then you weren't infected.
- Aug 30, 2017
- 69
Bitdefender blocked Ccleaner.exe but that prob didnt get rid of the backdoor 
I've petitioned Heimdal to remove CCleaner from the 'recommended' software you can install and patch from the application.
Ninite already pulled Ccleaner from their listings. This is going to effectively destroy this product IMO.
We used to 'sometimes' use it in cleanups at work on client machines. But effective immediately it's been banned from use within our company and on any client machines. Even portable versions, for quick cleanups.
Ninite already pulled Ccleaner from their listings. This is going to effectively destroy this product IMO.
We used to 'sometimes' use it in cleanups at work on client machines. But effective immediately it's been banned from use within our company and on any client machines. Even portable versions, for quick cleanups.
