Q&A Ccleaner Infected - How to make sure PC is clean?

Joined
Apr 16, 2017
Messages
280
OS
Windows 7
#42
Are there any reports that anti-exploit products other than Cisco's new AMP exploit detection caught this ?
I did a full system scan of a seldom-used Win7 on 14 Sep with Immunet 6 (Cisco) and it found 1 bad file, CCleaner 5.33, and quarantined it. It's a non-essential PC in a different location, and at the time I was unaware of the Floxif event and paid little attention. I'll go inspect that PC ASAP. Maybe by 14 Sep all the AVs were aware of this, although BDIS 2017 was on that PC too and no BD alert, but then I think Immunet 6 found the 5.33 installer with a full scan, and a quick scan with BD probably skipped that file. Unclear, but I assume that 5.33 had been running on the PC unstopped by BD (?) :oops:. I'll keep reading this thread :cautious:
 

Lockdown

From AppGuard
Developer
Joined
Oct 24, 2016
Messages
3,307
#43
I did a full system scan of a seldom-used Win7 on 14 Sep with Immunet 6 (Cisco) and it found 1 bad file, CCleaner 5.33, and quarantined it. It's a non-essential PC in a different location, and at the time I was unaware of the Floxif event and paid little attention. I'll go inspect that PC ASAP. Maybe by 14 Sep all the AVs were aware of this, although BDIS 2017 was on that PC too and no BD alert, but then I think Immunet 6 found the 5.33 installer with a full scan, and a quick scan with BD probably skipped that file. Unclear, but I assume that 5.33 had been running on the PC unstopped by BD (?) :oops:. I'll keep reading this thread :cautious:
Signatures for it only started within the past 24 to 36 hours. More than 3/4 of scan engines on Virus Total weren't detecting it 3 or 4 hours ago. BD was not detecting it.

5.33 may have been running, but the backdoor was dead on arrival.

I was interested if any anti-exploit products detected it.
 
Joined
Mar 9, 2014
Messages
68
#45
It was installed before the problem was announced, and nothing was detected by BD Free. All of the exe files (32- and 64-bit) were blocked by Comodo FW (set to custom) because I don't want frequent updates. I uninstalled it after hearing the news using Revo and then scanned the system using Malwarebytes and Emsisoft Emergency Kit (both free). Nothing showed up.

Just a few minutes ago, BD saw the installer that I kept in a folder in another HD and quarantined it because it contained the threat Backdoor.Agent.ABXS. I started scanning using BD and just as I'm typing this, it has detected and quarantined the exe (32-bit) because it contains Trojan.PRForm.A. I think I must have installed two versions of the program and the other was still there.
 

TairikuOkami

Level 15
Content Creator
Joined
May 13, 2017
Messages
740
OS
Windows 10
#49
This defies belief!!
After all the commotion Avast still does not pick up that ccsetup533 is infected!! o_O
By doing so, they would admit that it is dangerous malware; I imagine that the managers who forced them to withhold the information for so long are also behind that.

I wonder if anyone who uses Avast can detect it at least as a PUP; not sure if VT detects PUPs.
 

davisd

Level 16
Joined
Feb 2, 2016
Messages
791
#50
This defies belief!!
After all the commotion Avast still does not pick up that ccsetup533 is infected!! o_O
Look at these VT results:
Antivirus scan for 1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff at 2017-09-19 09:10:06 UTC - VirusTotal
The first thing that comes into my mind is that Avast is behind all this, since they bought Piriform, they just couldn't wait any longer to infiltrate into even more user systems and get something out of it, but this is top paranoid conspiracy theory :ROFLMAO::whistle::rolleyes:
 

venustus

Level 43
Content Creator
Trusted
Joined
Dec 30, 2012
Messages
3,237
OS
Windows 10
Antivirus
Kaspersky
#51
The first thing that comes into my mind is that Avast is behind all this, since they bought Piriform, they just couldn't wait any longer to infiltrate into even more user systems and get something out of it, but this is top paranoid conspiracy theory :ROFLMAO::whistle::rolleyes:
Indeed, this whole fiasco is a bit "fishy"!!!
 

davisd

Level 16
Joined
Feb 2, 2016
Messages
791
#52
Indeed, this whole fiasco is a bit "fishy"!!!
This makes me look at Avast very suspiciously.
Avast CTO Ondrej Vlcek says that updating CCleaner to the most recent versions fixes any issues, as "the only malware to remove is the one embedded in the CCleaner binary itself."

"We believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm."
I think Avast knows more than anyone else buzzing around about this security breach. Avast is like, just update, guys, and move on. 2.27M machines were affected, but no real harm was done to users' systems. I think this is not an acceptable response from a security company. Like it was all planned out. :rolleyes:
 

L S

Level 5
Joined
Jul 16, 2014
Messages
208
OS
Windows 10
Antivirus
Avast
#53
I've petitioned Heimdal to remove CCleaner from the 'recommended' software you can install and patch from the application.

Ninite already pulled Ccleaner from their listings. This is going to effectively destroy this product IMO.

We used to 'sometimes' use it in cleanups at work on client machines. But effective immediately it's been banned from use within our company and on any client machines. Even portable versions, for quick cleanups.
Every site that offers software and program downloads has pulled CCleaner v5.33 (only that version). If some sites (like Ninite) pulled all versions of CCleaner, in time they will bring the program back after it's all clean and ready.
 
Joined
Jul 7, 2016
Messages
317
OS
Windows 10
Antivirus
AVG
#54
Uninstall CCleaner and restore to a backup. My wife uses it; I uninstalled it and restored via Rollback to her state before she installed it.
 
Joined
May 10, 2014
Messages
4
#55
KIS also detected CCleaner on my PC. I checked my connections, inbound and outbound, and nothing strange, so if the malware is still active it doesn't have a connection like a rootkit, but I think the malware is embedded in the old CCleaner version; when you update, maybe it deletes them or the registry records, don't know.
 

L S

Level 5
Joined
Jul 16, 2014
Messages
208
OS
Windows 10
Antivirus
Avast
#56
KIS also detected CCleaner on my PC. I checked my connections, inbound and outbound, and nothing strange, so if the malware is still active it doesn't have a connection like a rootkit, but I think the malware is embedded in the old CCleaner version; when you update, maybe it deletes them or the registry records, don't know.
Yes - update to the new version 5.34 of CCleaner, and then delete the "Agomo" key in Registry Editor:
[attached screenshot: Registry Editor, 2017-09-18]

And that's it !!!
 

Slyguy

Level 35
Joined
Jan 27, 2017
Messages
2,434
OS
Other OS
#57
I'd format any PC that had this installed. Or, if you use RollbackRX or something, roll it back. I wouldn't ever trust it was fully removed.

Avast are idiots IMO. Who would even trust them after this? Where are the Avast apologists now?
 

Captain Awesome

Level 21
MH Trial
Joined
May 7, 2016
Messages
1,015
OS
Windows 10
Antivirus
Kaspersky
#59
I'd format any PC that had this installed. Or, if you use RollbackRX or something, roll it back. I wouldn't ever trust it was fully removed.

Avast are idiots IMO. Who would even trust them after this? Where are the Avast apologists now?
Stop blaming Avast. It was already on Piriform's servers before Avast took over. They worked immediately with law enforcement to identify the source of the attack. A similar issue happened with Kaspersky before. The sophisticated malware was on their servers for years undetected (Duqu). :)
Kaspersky Lab investigates attack on its own network
 
Joined
Apr 28, 2015
Messages
133
#60
MB 3 also finds this bad reg key:

Registry Key: 1
Trojan.Floxif.Trace, HKLM\SOFTWARE\WOW6432NODE\PIRIFORM\AGOMO

Registry Value: 1
Trojan.Floxif.Trace, HKLM\SOFTWARE\WOW6432NODE\PIRIFORM\AGOMO|TCID

I think this was put there by the bad version of CCleaner Cloud. If one quarantines / deletes this, one will need to log in to the CCleaner Cloud account again, and the key will be recreated but without the TCID.

Dunno if compromised ccleaner.exe also created this. Worth checking.
 
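A read-only check for the artefacts named across this thread, written here as an added example (it is not code from any poster, nor from Piriform or Avast): the Agomo registry key and its TCID value that MB3 flags above, an installed 5.33 build, and a saved installer whose SHA-256 matches the hash in davisd's VirusTotal link. The default CCleaner path, the non-WOW6432Node registry path (used on 32-bit Windows), and the function and parameter names are assumptions; the script reports and deletes nothing.

```powershell
# Added example: report CCleaner 5.33 / Floxif artefacts discussed in the thread. Read-only.
function Test-CCleanerFloxifArtefacts {
    [CmdletBinding()]
    param(
        # Assumed default install location; adjust for the machine being checked.
        [string]$CCleanerExe = 'C:\Program Files\CCleaner\CCleaner.exe',
        # Optional: a kept installer (e.g. a saved ccsetup533.exe) to hash.
        [string]$InstallerPath
    )

    $findings = @()

    # Key quoted in the thread (MB3: Trojan.Floxif.Trace) plus, as an assumption,
    # the non-redirected path the same software would use on 32-bit Windows.
    $agomoKeys = @(
        'HKLM:\SOFTWARE\WOW6432Node\Piriform\Agomo',
        'HKLM:\SOFTWARE\Piriform\Agomo'
    )
    foreach ($key in $agomoKeys) {
        if (Test-Path -Path $key) {
            $props  = Get-ItemProperty -Path $key
            # List every value under the key; PS* properties are PowerShell metadata, not registry data.
            $values = $props.PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }
            $findings += "Agomo key present: $key ($($values -join ', '))"
            if ($null -ne $props.TCID) {
                $findings += "TCID value present under $key (the value MB3 flags in the thread)"
            }
        }
    }

    # Installed build: 5.33 is the affected version, 5.34 the one the thread says to update to.
    if (Test-Path -Path $CCleanerExe) {
        $ver = (Get-Item -Path $CCleanerExe).VersionInfo.ProductVersion
        if ($ver -like '5.33*') {
            $findings += "CCleaner $ver installed at $CCleanerExe (affected version)"
        } else {
            Write-Verbose "CCleaner $ver found at $CCleanerExe"
        }
    }

    # SHA-256 from the VirusTotal link posted in the thread for ccsetup533.
    $knownBadSha256 = '1A4A5123D7B2C534CB3E3168F7032CF9EBF38B9A2A97226D0FDB7933CF6030FF'
    if ($InstallerPath -and (Test-Path -Path $InstallerPath)) {
        $hash = (Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash
        if ($hash -eq $knownBadSha256) {
            $findings += "Installer $InstallerPath matches the SHA-256 in the thread's VirusTotal report"
        } else {
            Write-Verbose "Installer $InstallerPath SHA-256 $hash does not match the known-bad hash"
        }
    }

    if ($findings.Count -eq 0) {
        Write-Verbose 'No CCleaner 5.33 / Agomo artefacts found.'
    }
    # One string per finding; an empty array means nothing from the thread was present.
    return $findings
}

# Usage, from an elevated prompt so all of HKLM is readable:
# Test-CCleanerFloxifArtefacts -InstallerPath 'D:\downloads\ccsetup533.exe' -Verbose
```

The hash comparison only covers the one installer sample the thread links; a 5.33 build obtained elsewhere will not match it, which is why the version check and the registry check are kept alongside it rather than relying on the hash alone.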