Malware found in official Ccleaner installers

JB007

JB007

Level 26
Verified
Top Poster
Well-known
May 19, 2016
1,580
I analysed with HitmanPro :
CCHP1.PNG CCHP2.PNG
Code: 
HitmanPro 3.7.20.286
www.hitmanpro.com

   Computer name . . . . : HOME
   Windows . . . . . . . : 10.0.0.15063.X64/8
   User name . . . . . . : Home\........
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Paid (295 days left)

   Scan date . . . . . . : 2017-09-23 21:38:26
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 1m 33s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 1
   Traces  . . . . . . . : 2

   Objects scanned . . . : 2 017 696
   Files scanned . . . . : 58 583
   Remnants scanned  . . : 427 534 files / 1 531 579 keys

Malware _____________________________________________________________________

   C:\Program Files\CCleaner\CCleaner.exe
      Size . . . . . . . : 7 680 216 bytes
      Age  . . . . . . . : 51.4 days (2017-08-03 11:42:22)
      Entropy  . . . . . : 6.7
      SHA-256  . . . . . : 6F7840C77F99049D788155C1351E1560B62B8AD18AD0E9ADDA8218B9F432F0A9
      Product  . . . . . : CCleaner
      Publisher  . . . . : Piriform Ltd
      Description  . . . : CCleaner
      Version  . . . . . : 5.33.00.6162
      Copyright  . . . . : Copyright © 2005-2017 Piriform Ltd
      RSA Key Size . . . : 2048
      LanguageID . . . . : 1033
      Authenticode . . . : Valid
    > Bitdefender  . . . : Trojan.PRForm.A
    > Kaspersky  . . . . : Backdoor.Win32.InfeCleaner.a
    > HitmanPro  . . . . : Troj/Mogoa-A
      Fuzzy  . . . . . . : 87.0
      Startup
         C:\WINDOWS\system32\Tasks\CCleanerSkipUAC

The 3 engines of HitmanPro have detected the threat but before this analyse I run a deep scan with Bitdefender and it found nothing !
 

Attachments

  • HitmanPro_20170923_2141.log
    3.2 KB · Views: 477
  • Like
Reactions: lowdetection and Sunshine-boy
Gandalf_The_Grey

Gandalf_The_Grey

Level 83
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,259
JB007 said:
I analysed with HitmanPro :
View attachment 167944 View attachment 167945
Code: 
HitmanPro 3.7.20.286
www.hitmanpro.com

   Computer name . . . . : HOME
   Windows . . . . . . . : 10.0.0.15063.X64/8
   User name . . . . . . : Home\........
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Paid (295 days left)

   Scan date . . . . . . : 2017-09-23 21:38:26
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 1m 33s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 1
   Traces  . . . . . . . : 2

   Objects scanned . . . : 2 017 696
   Files scanned . . . . : 58 583
   Remnants scanned  . . : 427 534 files / 1 531 579 keys

Malware _____________________________________________________________________

   C:\Program Files\CCleaner\CCleaner.exe
      Size . . . . . . . : 7 680 216 bytes
      Age  . . . . . . . : 51.4 days (2017-08-03 11:42:22)
      Entropy  . . . . . : 6.7
      SHA-256  . . . . . : 6F7840C77F99049D788155C1351E1560B62B8AD18AD0E9ADDA8218B9F432F0A9
      Product  . . . . . : CCleaner
      Publisher  . . . . : Piriform Ltd
      Description  . . . : CCleaner
      Version  . . . . . : 5.33.00.6162
      Copyright  . . . . : Copyright © 2005-2017 Piriform Ltd
      RSA Key Size . . . : 2048
      LanguageID . . . . : 1033
      Authenticode . . . : Valid
    > Bitdefender  . . . : Trojan.PRForm.A
    > Kaspersky  . . . . : Backdoor.Win32.InfeCleaner.a
    > HitmanPro  . . . . : Troj/Mogoa-A
      Fuzzy  . . . . . . : 87.0
      Startup
         C:\WINDOWS\system32\Tasks\CCleanerSkipUAC

The 3 engines of HitmanPro have detected the threat but before this analyse I run a deep scan with Bitdefender and it found nothing !
Click to expand...
You have to update to the latest version of CCleaner v5.35.6210 (20 Sep 2017).
 
  • Like
Reactions: JB007
Av Gurus

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
You still didn't uninstall Ccleaner?
Why?
 
  • Like
Reactions: JB007
JB007

JB007

Level 26
Verified
Top Poster
Well-known
May 19, 2016
1,580
Gandalf_The_Grey said:
You have to update to the latest version of CCleaner v5.35.6210 (20 Sep 2017).
Click to expand...

Gandalf_The_Grey said:
You still have to update CCleaner to the latest version or uninstall...
Click to expand...

Thanks @Gandalf_The_Grey
I scan with HitmanPro before uninstalling but now CC is uninstalled and I think I will never reinstall it:mad:

Av Gurus said:
You still didn't uninstall Ccleaner?
Why?
Click to expand...
Thanks @Av Gurus
I scan with HitmanPro before uninstalling but now CC is uninstalled and I think I will never reinstall it:mad:

paulderdash said:
CCleaner v5
That is not certain, I found nothing either.

But it is unlikely that you as a consumer are a target, these guys were more targetting the big guys: tech companies, banks, even .gov.

CCleaner v5
Click to expand...
Thanks @paulderdash
I hope you are right.
My problem is that I do not have a copy of my PC before 15/08/2017:(
 
JB007

JB007

Level 26
Verified
Top Poster
Well-known
May 19, 2016
1,580
Hi
I uninstall CC with Revo Pro but after restarting my PC I found remaining registry enters.
Can you help me ?
CCRevo1.PNG CCRevo2.PNG CCRevo3.PNG CCRevo4.PNG
The uninstall seems complete but after restart:
CCRevo5afterrestart.PNG CCRevo6afterrestart.PNG
And after a second restart the sames enters are found:
CCRevo7after2ndrestart.PNG CCRevo8after2ndrestart.PNG
 
  • Like
Reactions: Sunshine-boy
JB007

JB007

Level 26
Verified
Top Poster
Well-known
May 19, 2016
1,580
Marko :) said:
Guys, just reinstall Windows, problem solved. There's no point of trying to clean malware because it can be anywhere. As far as I know, we only know about that one registry key and that's it.
Click to expand...
Thanks @Marko :)
I'm not a geek, so can you explain me an easy way to reinstall Windows alone ?
 
  • Like
Reactions: Marko :)
I

IceLion36

Level 1
Verified
Aug 1, 2017
23
Kaspersky internet Security marked Ccleaner 5.33 32-bit safe when the sha256 matches with the compromised version.
Is there any way to prevent from a similar infection ?
For example with Malwarebytez anti-exploit or Hitman Pro.Alert ?
 
  • Like
Reactions: lowdetection and JB007
Marko :)

Marko :)

Level 23
Verified
Top Poster
Well-known
Aug 12, 2015
1,263
JB007 said:
Thanks @Marko :)
I'm not a geek, so can you explain me an easy way to reinstall Windows alone ?
Click to expand...
If you don't know how to reinstall Windows, don't mess with that. You can mess up whole Windows installation so your PC won't boot. It might be the best to ask someone who knows to install it for you. :)
 
  • Like
Reactions: JB007
JB007

JB007

Level 26
Verified
Top Poster
Well-known
May 19, 2016
1,580
Marko :) said:
If you don't know how to reinstall Windows, don't mess with that. You can mess up whole Windows installation so your PC won't boot. It might be the best to ask someone who knows to install it for you. :)
Click to expand...
OK I'm waiting a friend can do this Windows' reinstall;)
 
  • Like
Reactions: Marko :)
You must log in or register to reply here.

Similar threads

Viking
    • Like
    • Wow
    • Sad
CCleaner confirms data breach via MOVEit attack
Replies
23
Views
3,876
News Archive
Sorrento
Sorrento
Gandalf_The_Grey
    • Like
    • Hundred Points
Malware News LightSpy: Implant for iOS
Replies
0
Views
763
Security News
Gandalf_The_Grey
Gandalf_The_Grey
lokamoka820
    • Like
    • +Reputation
New Update openSUSE Leap Micro 6.0 Launches with Self-Install and Full Disk Encryption Images
Replies
1
Views
141
ChromeOS & Linux
Bot
Bot

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top