Ccleaner Infected - How to make sure PC is clean?

darko999

Level 17
Verified
Well-known
Oct 2, 2014
805
G-Data detected the backdoor on my computer, as in the image below:
[image: G-Data detection screenshot]

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,094
Are there any reports that anti-exploit products other than Cisco's new AMP exploit detection caught this?

I did a full system scan of a seldom-used Win7 on 14 Sep with Immunet 6 (Cisco) and it found one bad file, CCleaner 5.33, and quarantined it. It's a non-essential PC in a different location, and at the time I was unaware of the Floxif event and paid little attention. I'll go inspect that PC ASAP. Maybe by 14 Sep all the AVs were aware of this, although BDIS 2017 was on that PC too and there was no BD alert; but then I think Immunet 6 found the 5.33 installer with a full scan, and a quick scan with BD probably skipped that file. Unclear, but I assume that 5.33 had been running on the PC unstopped by BD(?) :oops:. I'll keep reading this thread :cautious:

509322

I did a full system scan of a seldom-used Win7 on 14 Sep with Immunet 6 (Cisco) and it found one bad file, CCleaner 5.33, and quarantined it. It's a non-essential PC in a different location, and at the time I was unaware of the Floxif event and paid little attention. I'll go inspect that PC ASAP. Maybe by 14 Sep all the AVs were aware of this, although BDIS 2017 was on that PC too and there was no BD alert; but then I think Immunet 6 found the 5.33 installer with a full scan, and a quick scan with BD probably skipped that file. Unclear, but I assume that 5.33 had been running on the PC unstopped by BD(?) :oops:. I'll keep reading this thread :cautious:

Signatures for it only started within the past 24 to 36 hours. More than 3/4 of scan engines on Virus Total weren't detecting it 3 or 4 hours ago. BD was not detecting it.

5.33 may have been running, but the backdoor was dead on arrival.

I was interested if any anti-exploit products detected it.
 

monkeylove

Level 10
Verified
Well-known
Mar 9, 2014
489
It was installed before the problem was announced, and nothing was detected by BD Free. All of the exe files (32- and 64-bit) were blocked by Comodo FW (set to custom) because I don't want frequent updates. I uninstalled it after hearing the news using Revo and then scanned the system using Malwarebytes and Emsisoft Emergency Kit (both free). Nothing showed up.

Just a few minutes ago, BD saw the installer that I kept in a folder in another HD and quarantined it because it contained the threat Backdoor.Agent.ABXS. I started scanning using BD and just as I'm typing this, it has detected and quarantined the exe (32-bit) because it contains Trojan.PRForm.A. I think I must have installed two versions of the program and the other was still there.
 

Dave Russo

Level 21
Verified
Top Poster
Well-known
May 26, 2014
1,041
Do you have a system restore point or backup from before your install? Or refresh your computer, gl

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,452
This defies belief!!
After all the commotion, Avast still does not pick up that ccsetup533 is infected!! o_O
By doing so, they would admit that it is dangerous malware; I imagine that the managers who forced them to withhold the information for so long are also behind that.

I wonder if anyone who uses Avast can detect it at least as a PUP; not sure if VT detects PUPs.
 

Deleted Member 3a5v73x

This defies belief!!
After all the commotion, Avast still does not pick up that ccsetup533 is infected!! o_O
Look at these VT results:
Antivirus scan for 1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff at 2017-09-19 09:10:06 UTC - VirusTotal
The first thing that comes to my mind is that Avast is behind all this: since they bought Piriform, they just couldn't wait any longer to infiltrate even more user systems and get something out of it. But this is a top paranoid conspiracy theory :ROFLMAO::whistle::rolleyes:
 

Venustus

Level 59
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Dec 30, 2012
4,809
The first thing that comes to my mind is that Avast is behind all this: since they bought Piriform, they just couldn't wait any longer to infiltrate even more user systems and get something out of it. But this is a top paranoid conspiracy theory :ROFLMAO::whistle::rolleyes:
Indeed, this whole fiasco is a bit "fishy"!!!
 

Deleted Member 3a5v73x

Indeed, this whole fiasco is a bit "fishy"!!!
This makes me look at Avast very suspiciously.
Avast CTO Ondrej Vlcek says that updating CCleaner to the most recent versions fixes any issues, as "the only malware to remove is the one embedded in the CCleaner binary itself."

"We believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm."
I think Avast knows more than anyone else buzzing around about this security breach. Avast is like, just update, guys, and move on. 2.27M machines were affected, but no real harm was done to users' systems. I think this is not an acceptable response from a security company. Like it was all planned out. :rolleyes:
 

L S

Level 5
Verified
Well-known
Jul 16, 2014
215
I've petitioned Heimdal to remove CCleaner from the 'recommended' software you can install and patch from the application.

Ninite already pulled Ccleaner from their listings. This is going to effectively destroy this product IMO.

We used to 'sometimes' use it in cleanups at work on client machines. But effective immediately it's been banned from use within our company and on any client machines. Even portable versions, for quick cleanups.

Every site that is for downloading software and programs has pulled CCleaner v5.33 (only that version). If some sites (like Ninite) pulled all CCleaner versions, in time they will bring back the program, CCleaner, after it's all clean and ready.
 

JHomes

Level 7
Verified
Well-known
Jul 7, 2016
339
Uninstall CCleaner and restore to a backup. My wife uses it; I uninstalled it and restored via Rollback to her state before she installed it.

Rodrigo

Level 1
May 10, 2014
5
KIS also detected CCleaner on my PC. I checked my inbound and outbound connections and nothing strange, so if the malware is still active, it doesn't have a connection like a rootkit. But I think the malware is embedded in the old CCleaner version; when you update, maybe it deletes them or the registry records, I don't know.

L S

Level 5
Verified
Well-known
Jul 16, 2014
215
KIS also detected CCleaner on my PC. I checked my inbound and outbound connections and nothing strange, so if the malware is still active, it doesn't have a connection like a rootkit. But I think the malware is embedded in the old CCleaner version; when you update, maybe it deletes them or the registry records, I don't know.
Yes - update to the new version, CCleaner 5.34, and then delete the "Agomo" key in Registry Editor:
[image: Registry Editor screenshot, 2017-09-18]

And that's it!!!
 

ForgottenSeer 58943

I'd format any PC that had this installed. Or, if you use RollbackRX or something, roll it back. I wouldn't ever trust it was fully removed.

Avast are idiots IMO. Who would even trust them after this? Where are the Avast apologists now?
 

Captain Awesome

Level 23
Verified
Top Poster
Well-known
May 7, 2016
1,285
I'd format any PC that had this installed. Or, if you use RollbackRX or something, roll it back. I wouldn't ever trust it was fully removed.

Avast are idiots IMO. Who would even trust them after this? Where are the Avast apologists now?
Stop blaming Avast. It was already on Piriform's servers before Avast took over. They worked immediately with law enforcement to identify the source of the attack. A similar issue happened with Kaspersky before: the sophisticated malware was on their servers for years undetected (Duqu). :)
Kaspersky Lab investigates attack on its own network
 

paulderdash

Level 6
Verified
Well-known
Apr 28, 2015
271
MB 3 also finds this bad reg key:

Registry Key: 1
Trojan.Floxif.Trace, HKLM\SOFTWARE\WOW6432NODE\PIRIFORM\AGOMO

Registry Value: 1
Trojan.Floxif.Trace, HKLM\SOFTWARE\WOW6432NODE\PIRIFORM\AGOMO|TCID

I think this was put there by the bad version of CCleaner Cloud. If one quarantines / deletes this, one will need to log in to the CCleaner Cloud account again, and the key will be recreated but without the TCID.

Dunno if compromised ccleaner.exe also created this. Worth checking.
 
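To answer the thread title's question in a repeatable way, here is an added read-only check script; it is not from any poster, Piriform or Avast. It looks for the Agomo key and TCID value that paulderdash's Malwarebytes scan reported, reads the installed CCleaner version (5.33 affected, 5.34 the clean replacement), and compares any saved ccsetup installer against the SHA-256 quoted in the VirusTotal link above. The install folders, the Downloads location and the assumption that the quoted hash belongs to ccsetup533 are mine.

```powershell
# Added example, not from the thread or from Piriform/Avast. Read-only: reports, never deletes.
# Assumptions: default CCleaner install folders, installers kept under Downloads,
# and that the SHA-256 quoted in the thread's VirusTotal link is the ccsetup533 installer.
$AgomoKeys = @(
    'HKLM:\SOFTWARE\Piriform\Agomo',
    'HKLM:\SOFTWARE\WOW6432Node\Piriform\Agomo'   # path Malwarebytes flagged in the thread
)
$AffectedVersion    = [version]'5.33'
$BadInstallerSha256 = '1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff'

# 1. Registry trace: the Agomo key and its TCID value (the Trojan.Floxif.Trace hit).
foreach ($key in $AgomoKeys) {
    if (Test-Path -Path $key) {
        $props   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $hasTcid = $null -ne $props.TCID
        Write-Output "FLAG  $key exists (TCID value present: $hasTcid)"
    } else {
        Write-Output "ok    $key not present"
    }
}

# 2. Installed binaries: 5.33 is the backdoored build, 5.34 the clean replacement.
$installDirs = @("$env:ProgramFiles\CCleaner", "${env:ProgramFiles(x86)}\CCleaner")
foreach ($exe in Get-ChildItem -Path $installDirs -Filter 'CCleaner*.exe' -ErrorAction SilentlyContinue) {
    $vi  = $exe.VersionInfo
    $ver = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart)
    if ($ver -eq $AffectedVersion) {
        Write-Output "FLAG  $($exe.FullName) is version $ver (affected build)"
    } else {
        Write-Output "ok    $($exe.FullName) is version $ver"
    }
}

# 3. Saved installers: compare SHA-256 to the hash quoted in the thread (-eq is case-insensitive).
$installers = Get-ChildItem -Path "$HOME\Downloads" -Filter 'ccsetup*.exe' -Recurse -ErrorAction SilentlyContinue
foreach ($file in $installers) {
    $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    if ($hash -eq $BadInstallerSha256) {
        Write-Output "FLAG  $($file.FullName) matches the backdoored installer hash"
    } else {
        Write-Output "ok    $($file.FullName) SHA-256 $hash (no match)"
    }
}
```

Run it from an elevated PowerShell so both registry views are readable; a FLAG on the Agomo key alone is the trace paulderdash describes, while a 5.33 binary or a hash match means the affected build is still on disk.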