Ccleaner Infected - How to make sure PC is clean?

darko999 · Sep 18, 2017

G-Data detected the backdoor in my computer as the image below:

simmerskool · Sep 18, 2017

Lockdown said:
Are there any reports that anti-exploit products other than Cisco's new AMP exploit detection caught this ?

I did a full system scan of a seldom used win7 on 14sep with immunet6 (cisco) and it found 1 bad file ccleaner 5.33 and quarantined it. it's a non essential pc in a different location, and at the time I was unaware of the floxif event and paid little attention. I'll go inspect that pc asap. Maybe by 14sep all the av were aware of this, although BDIS 2017 was on that pc too and no BD alert, but then I think immunet6 found the 5.33 installer with full scan, and a quick scan with BD probably skipped that file. Unclear, but I assume that 5.33 had been running on the pc unstopped by BD(?)

. I'll keep reading this thread

509322 · Sep 18, 2017

simmerskool said:
I did a full system scan of a seldom used win7 on 14sep with immunet6 (cisco) and it found 1 bad file ccleaner 5.33 and quarantined it. it's a non essential pc in a different location, and at the time I was unaware of the floxif event and paid little attention. I'll go inspect that pc asap. Maybe by 14sep all the av were aware of this, although BDIS 2017 was on that pc too and no BD alert, but then I think immunet6 found the 5.33 installer with full scan, and a quick scan with BD probably skipped that file. Unclear, but I assume that 5.33 had been running on the pc unstopped by BD(?). I'll keep reading this thread

Signatures for it only started within the past 24 to 36 hours. More than 3/4 of scan engines on Virus Total weren't detecting it 3 or 4 hours ago. BD was not detecting it.

5.33 may have been running, but the backdoor was dead on arrival.

I was interested if any anti-exploit products detected it.

509322 · Sep 18, 2017

darko999 said:
G-Data detected the backdoor in my computer as the image below:

The backdoor was dead upon arrival.

monkeylove · Sep 19, 2017

It was installed before the problem was announced, and nothing was detected by BD Free. All of the exe files (32- and 64-bit) were blocked Comodo FW (set to custom) because I don't want frequent updates. I uninstalled it after hearing the news using Revo and then scanned the system using Malwarebytes and Emsisoft Emergency Kit (both free). Nothing showed up.

Just a few minutes ago, BD saw the installer that I kept in a folder in another HD and quarantined it because it contained the threat Backdoor.Agent.ABXS. I started scanning using BD and just as I'm typing this, it has detected and quarantined the exe (32-bit) because it contains Trojan.PRForm.A. I think I must have installed two versions of the program and the other was still there.

TairikuOkami · Sep 19, 2017

Free Virus Scan | Online Virus Scan from ESET will do just fine, if you do want to install anything.

It has even removed my backup setup, I have forgotten about.

Dave Russo · Sep 19, 2017

Do you have a system restore point or back up before your install? or refresh your computer ,gl

Venustus · Sep 19, 2017

This defies belief!!
After all the commotion Avast still does not pick up that ccsetup533 is infected!!

Look at these VT results:
Antivirus scan for 1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff at 2017-09-19 09:10:06 UTC - VirusTotal

TairikuOkami · Sep 19, 2017

venustus said:
This defies belief!!
After all the commotion Avast still does not pick up that ccsetup533 is infected!!

By doing so, they would admit, that is a dangerous malware, I imagine that managers, who forced them to withheld the information for so long, are also behind that.

I wonder, if anyone, who uses Avast, can detect it at least as PUP, not sure if VT detects PUPs.

Deleted Member 3a5v73x · Sep 19, 2017

venustus said:
This defies belief!!
After all the commotion Avast still does not pick up that ccsetup533 is infected!!
Look at these VT results:
Antivirus scan for 1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff at 2017-09-19 09:10:06 UTC - VirusTotal

The first thing that comes into my mind is that Avast is behind all this, since they bought Piriform, they just couldn't wait any longer to infiltrate into even more user systems and get something out of it, but this is top paranoid conspiracy theory

Venustus · Sep 19, 2017

davisd said:
The first thing that comes into my mind is that Avast is behind all this, since they bought Piriform, they just couldn't wait any longer to infiltrate into even more user systems and get something out of it, but this is top paranoid conspiracy theory

Indeed, this whole fiasco is a bit "fishy"!!!

Deleted Member 3a5v73x · Sep 19, 2017

venustus said:
Indeed, this whole fiasco is a bit "fishy"!!!

This makes me look at Avast very suspiciously

Avast CTO Ondrej Vlcek says that updating CCleaner to the most recent recent versions fixes any issues, as "the only malware to remove is the one embedded in the CCleaner binary itself."

"We believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm."

I think Avast knows more than anyone else is buzzing around about this security breach. Avast is like, just update guys and move on. 2.27M machines were affected, but no real harm was done to users systems. I think this is not acceptable response from a security company. Like it was all planned out.

L S · Sep 19, 2017

ForgottenSeer 58943 said:
I've petitioned Heimdal to remove CCleaner from the 'recommended' software you can install and patch from the application.

Ninite already pulled Ccleaner from their listings. This is going to effectively destroy this product IMO.

We used to 'sometimes' use it in cleanups at work on client machines. But effective immediately it's been banned from use within our company and on any client machines. Even portable versions, for quick cleanups.

Every Sites Who Is For Downloading Softwares & Programs Have Pulled The CCleaner v.5.33 (only that version) If Some Sites (like ninite) Pulled CCleaner All Versions = In Time They Will Bring Back The Program - CCleaner - After It's All Clean & Ready.

JHomes · Sep 19, 2017

Uninstall CCleaner and restore to a backup. My wife uses it, I uninstalled it and restored via Rollback to her state before she installed it

Rodrigo · Sep 19, 2017

KIS detected too in my pc the Ccleaner, i checkout my conections inbound and outbound and nothing strange, so if the malware is still active, dont have conection like a rootkit, but i think that the malware is embebed in the ccleaner old version, when you update maybe delete them or the registry records dont know

L S · Sep 19, 2017

Rodrigo said:
KIS detected too in my pc the Ccleaner, i checkout my conections inbound and outbound and nothing strange, so if the malware is still active, dont have conection like a rootkit, but i think that the malware is embebed in the ccleaner old version, when you update maybe delete them or the registry records dont know

Yes - update to new version 5.34 CCleaner , and then Delete the "Agomo" from Registry Editor :

And that's it !!!
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

ForgottenSeer 58943 · Sep 19, 2017

I'd format any PC that had this installed. Or, if you use RollbackRX or something, roll it back. I wouldn't ever trust it was fully removed.

Avast are idiots IMO. Who would even trust them after this? Where are the Avast apologists now?

boredog · Sep 19, 2017

ForgottenSeer 58943 said:
I'd format any PC that had this installed. Or, if you use RollbackRX or something, roll it back. I wouldn't ever trust it was fully removed.

Avast are idiots IMO. Who would even trust them after this? Where are the Avast apologists now?

Sounds like it was on Piriform's servers before Avast took over.

Captain Awesome · Sep 19, 2017

ForgottenSeer 58943 said:
I'd format any PC that had this installed. Or, if you use RollbackRX or something, roll it back. I wouldn't ever trust it was fully removed.

Avast are idiots IMO. Who would even trust them after this? Where are the Avast apologists now?

Stop blaming Avast.It was already on Piriform's servers before Avast took over.They worked immediately with law enforcement to identify the source of the attack.Similar issue happend with Kaspersky before.The sophisticated malware was on their servers for years undetected.(Duqu)
.

Kaspersky Lab investigates attack on its own network

paulderdash · Sep 19, 2017

MB 3 also finds this bad reg key:

Registry Key: 1
Trojan.Floxif.Trace, HKLM\SOFTWARE\WOW6432NODE\PIRIFORM\AGOMO

Registry Value: 1
Trojan.Floxif.Trace, HKLM\SOFTWARE\WOW6432NODE\PIRIFORM\AGOMO|TCID

I think this was put there by the bad version of CCleaner Cloud. If one quarantines / deletes this, one will need to log in to the CCleaner Cloud account again, and the key wiill be recreated but without the TCID.

Dunno if compromised ccleaner.exe also created this. Worth checking.

Search

Ccleaner Infected - How to make sure PC is clean?

darko999

Level 17

simmerskool

Level 37

509322

509322

monkeylove

Level 12

TairikuOkami

Level 37

Attachments

Dave Russo

Level 22

Venustus

Level 59

TairikuOkami

Level 37

Deleted Member 3a5v73x

Venustus

Level 59

Deleted Member 3a5v73x

L S

Level 5

JHomes

Level 7

Rodrigo

Level 1

L S

Level 5

ForgottenSeer 58943

boredog

Level 9

Captain Awesome

Level 24

paulderdash

Level 6

Similar threads