Emsisoft Employee
  • Content count

  • Joined

  • Last visited

  • Days Won


GT500 last won the day on September 15

GT500 had the most liked content!

Community Reputation

369 Excellent

1 Follower

About GT500

  • Rank
    Emsisoft Support
  • Birthday 10/22/84

Contact Methods

  • Website URL

Profile Information

  • Gender
  • Location
    Fortville, IN, USA
  • Interests
    Computers, security, amino acids, fructose malabsorption, liberty, firearms, John Calvin, etc.

Recent Profile Visitors

41701 profile views
  1. I haven't read anything specifically about changes to Internet Explorer proxy settings. Regardless, if the settings are for a proxy server at localhost (, then removing the infected copy of CCleaner would render it harmless. Resetting Internet Explorer settings back to default settings, or manually changing the proxy settings would resolve this without the need for additional malware scanners.
  2. Not updated

    Is this working OK now for everyone else? If it is, then there's no need for any more logs. All we needed was a traceroute to send to our CDN provider to help in identifying the server that was having the issue, and I managed to get one of those the other day.
  3. It might have prevented FRST from getting Windows Firewall rule information, however that information is not necessary to determine if there's an infection.
  4. More than likely not (it isn't possible for malware to modify files in Emsisoft Anti-Malware's folder). If you want to make sure, then we can get a log from FRST. You can download Farbar Recovery Scan Tool (FRST) from one of the following links, and save it to your Desktop (please note that some web browsers will automatically save all downloads in your Downloads folder, so in those cases please move the download to your desktop): For 32-bit (x86) editions of Windows: For 64-bit (x64) editions of Windows: Note: You need to run the version compatible with your computer. If you are not sure which version applies to your computer, then download both of them and try to run them. Only one of them will run on your computer, and that will be the right version. Run the FRST download that works on your computer (for Windows Vista, Windows 7, and Windows 8 please right-click on the file and select Run as administrator). When the tool opens click Yes for the disclaimer in order to continue using FRST. Press the Scan button. When the scan is done, it will save a log as a Text Document named FRST in the same place the tool was run from (if you had saved FRST on your desktop, then the FRST log will be saved there). Please attach the FRST log file to a reply using the More Reply Options button to the lower-right of where you type in your reply to access the attachment controls. The first time the FRST tool is run it saves another log (a Text Document named Addition - also located in the same place as the FRST tool was run from). Please also attach that log file along with the FRST log file to your reply.
  5. Your IP address is in the logs of every website you visit. HTTP servers automatically log that, and quite a bit more, for debugging and statics purposes. Your IP address isn't generally visible to random visitors to a website, but most forum software (including ours) will show it to administrators and moderators. That's understandable. I imagine it will take a long time for Avast to restore peoples' trust in CCleaner (if it happens at all). That's because it isn't necessary. At least not for the compromised version of CCleaner (there were no other infected files associated with it, only the copy of ccleaner.exe that had the malicious code in it). I haven't seen an analysis of the second-stage payload yet, but it sounds like only large tech companies had to worry about that to begin with, so home users aren't going to need a removal tool. They can just uninstall CCleaner, or install the new version, and the infected copy of ccleaner.exe is gone.
  6. Reinstalling EAM could do it. Clearing the Quarantine and the logs could as well. Normally you don't have corruption of both the Quarantine files and the logs database file, however it is technically possible for it to happen (although you'd be having other problems if that many files were suddenly corrupted on your hard drive).
  7. Not updated

    There seems to be an issue with Highwinds CDN servers in Brazil. They're returning an HTTP 504 status code, which means "Gateway Timeout". Probably a configuration issue on the servers. I've asked our management if we can contact Highwinds and ask them to look into it.
  8. Not updated

    Can you download our diagnostic tool at the following link?
  9. You should be OK then. Once the infected copy of CCleaner is gone, the infection is gone. So far there's no evidence that a second-stage payload was ever delivered to non-corporate victims.
  10. The log shows it was the Behavior Blocker that took action. If the file in question was not digitally signed and did not have enough of a reputation for an automatic decision to be made, then the Behavior Blocker would have quarantined it for performing any behavior that is monitored for. The file could be legitimate, and simply not be well known enough to have established a solid reputation. You can try restoring the file from the Quarantine, and then uploading it to VirusTotal to get an analysis of it. You can post the link to the analysis here for me to take a look at.
  11. According to the analysis done by Cisco's Talos team, the malicious code was not only not present in the 64-bit version of CCleaner, but wouldn't execute on 64-bit editions of Windows even if you ran the 32-bit version of CCleaner on a 64-bit OS. Because the malicious code was in the CCleaner executable, so either removing it or replacing it with a clean copy is all that is needed to get rid of the infection. That being said, Cisco's Talos team has identified a second-stage payload was indeed installed on at least 20 computers. It appeared to specifically target corporate systems, however the data from the C&C server from before September 12th was missing (presumably deleted to keep it out of the hands of researchers), so they don't know what happened before September 12th. The scope could have been far larger, and there could have been far more targets than what has thus far been discovered. Obviously, if you had the effected version of CCleaner installed, then take the common precautions of changing passwords just in case.
  12. Ransomware .MIXI extension

    We have a few articles on ransomware, including where it comes from, how it works, and how to prevent it: Spotlight on ransomware: Ransomware encryption methods Spotlight on Ransomware: How ransomware works How to remove ransomware the right way: A step-by-step guide How to identify your ransomware infection to find the right decrypter tool The big ‘R’: Ransomware. Why businesses and institutions are at risk and what to do about it Ransomware for Hire: 3 Steps to Keeping Your Data Safe It's important to keep in mind that different ransomwares are different, however here are some common ways this sort of infection spreads: Through e-mail. It's very common to receive e-mails that have malicious attachments, and with certain ransomwares (especially Locky) they like to send an e-mail pretending to be information (such as an invoice) from a shipping company or something similar. In the case of Locky the malicious file is inside a ZIP archive, so you don't know what it is before you download it and extract it. Online advertisements. It is not abnormal for people with malicious intent to abuse advertisements on legitimate websites in order to spread infections. One of the worst cases of this happened several years ago where a ransomware (I would believe CryptoWall) was being spread through advertisements on several of Yahoo!'s websites in advertisements. The criminal behind CryptoWall had paid to put advertisements on Yahoo!'s websites, and the advertising company that Yahoo! uses didn't notice that the advertisements contained malicious code that I would believe was from an exploit kit (exploit kits allow automated installation of infections when people visit a webpage where the exploit kit is present). Direct hacking. While I often hesitate to use the word "hack" here, it is how most people would understand it. What happens is that scripts being run by criminals scan the Internet looking for computers with certain open ports in firewalls that allow them access to vulnerable services. When the script finds computers with vulnerable ports, the information is logged, and an actual person will select computers from the list of potentially vulnerable systems that were found and begin trying to gain access to them. A particular favorite, since it usually means they found a business they can extort for money, is Microsoft's Remote Desktop (RDP), which if they find an open port for they will try to brute force the password for administrator accounts and see if they can get in. If they manage to get in, they will then manually disable any security software and manually execute their ransomware on the victim's computer. Obviously there are other ways you can run in to ransomware as well. Downloading files from unsafe websites and/or file sharing networks for instance. As for online advertisements, we usually recommend uBlock Origin to block those. You can get uBlock Origin for Mozilla Firefox and Microsoft Edge. For Google Chrome and Vivaldi I recommend both uBlock Origin and uBlock Origin Extra to help avoid advertisements that would otherwise circumvent uBlock Origin's protection. I also highly recommend uninstalling or disabling the Adobe Flash Player, as well as uninstalling or disabling Java (if you need Java for some sort of application or game that does not run in your web browser, then disabling the Java plugin is enough to protect your web browser). Yes, ID Ransomware is maintained by Michael Gillespie, who works closely with our team and with on ransomware analysis, as well as creation of free decryption tools.
  13. Without more information, it sounds like it might be a variant of BTCWare. I recommend checking with ID Ransomware at the following link to verify that: You can copy and paste the link to the results into a reply for me to review as well.
  14. Maybe a service or driver entry in the registry was not being removed completely after the uninstall, and needed to be deleted manually. Our diagnostic tool can actually check for that, but since you've already fixed it then there's no need to run that tool. Regardless, I'm glad to hear that the issue has been resolved.
  15. CCleaner hack

    Avast owns Piriform, so all Piriform software and property is now owned by Avast.