Nikilet

CCleaner hack


2 computers: 32-bit desktop, 64-bit laptop, both Windows 10 Home

I'm making this post on my 64-bit laptop.

I just updated CCleaner on both computers because I always update as soon as advised that one is available. I'm pretty sure, but not positive, that I ran CCleaner on both computers immediately after updating. 

On my 32 bit desktop, when I tried to open CCleaner last night I received the attached popup from mbam. After receiving I could no longer even open CCleaner. I received a message that the program the shortcut was referring to had either been moved or deleted. I then uninstalled CCleaner using RevoUninstaller.

On 64 bit laptop I got the same mbam popup, but was still able to open CCleaner. 

I also received information that those running Emsisoft were protected against this threat and I run Emsisoft on both computers, along with mbam. 

I missed it when the news came out that Avast had purchased CCleaner, but I no longer intend to use the program.

My question is, was I protected against this and am I sitting in a safe place or an infected place? Do I even need to make a post in the form "Help! My computer is infected"?

Trojan.Floxif.JPG


I just got this and Emsisoft blocked it, but I can still open CCleaner, so I'm a little confused. I'm using Emsisoft and Comodo Firewall.


When you say Emsisoft blocked it, do you mean you were warned when you downloaded it? EIS doesn't usually stop you from running an application, especially if you've already marked it trusted etc., but it might produce alerts when the application tries to do something, e.g. change/delete registry keys. I'm not sure whether even that would be alerted for a trusted app, especially if you've previously had such alerts from CCleaner and allowed them... Maybe I'm confused too.


If you're sure that the version you have isn't the hacked one, I expect you could define it as an exclusion and then unquarantine it. If you're not sure, then it's not a good idea to run it...


Jeremy, are you replying to me or to Lynk? Lynk, could I ask that you open your own link so that this doesn't become so confusing?

I am pretty sure that the version of CCleaner is the version that was hacked. I understand that supposedly it did not affect 64 bit systems. Maybe that is why even though I got the warning of quarantine on my 64-bit laptop, I was still able to open the program.

However, on my 32-bit desktop I was not able to open the program and so I uninstalled it. Not being able to open it, I can only be 99.9% certain it was the hacked version. 

This morning when I came back to my desktop, which I leave on, there was a warning that an mbam scan had been done and quarantined objects. When I clicked on it I discovered that two more of these Floxif items had been quarantined. On 9-18 it quarantined a file: C:\Program Files\CCleaner\CCleaner.exe. On 9-19 it quarantined two more trace registry values. See screenshot.

So what do I need to do with regard to this on my 32-bit desktop and my 64-bit laptop?

Floxif.JPG

44 minutes ago, Nikilet said:

So what do I need to do with regard to this on my 32-bit desktop and my 64-bit laptop?

Open regedit and check your registry: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo

If the Agomo entry is there then you are probably infected (your PC, that is). Just delete the Agomo key and install the latest CCleaner which will overwrite the infected .exe. A full PC scan can't hurt either. If Agomo is not there, you should be fine.

https://www.ghacks.net/2017/09/18/ccleaner-compromised-better-check-your-pc/


Nikilet, sorry, yes I was replying to Lynk's comment. 

 

You say "I am pretty sure that the version of CCleaner is the version that was hacked"; in the reports I've seen, the version number of the hacked version is clearly stated. Does a quarantined object in mbam not have a way of displaying any of the object's properties, e.g. file version, hash etc.?

13 minutes ago, CBMman said:

If the Agomo entry is there then you are probably infected (your PC, that is). Just delete the Agomo key and install the latest CCleaner which will overwrite the infected .exe. A full PC scan can't hurt either. If Agomo is not there, you should be fine.

https://www.ghacks.net/2017/09/18/ccleaner-compromised-better-check-your-pc/

I do not find this in my registry at HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo 

3 minutes ago, JeremyNicoll said:

Nikilet, sorry, yes I was replying to Lynk's comment. 

 

You say "I am pretty sure that the version of CCleaner is the version that was hacked"; in the reports I've seen, the version number of the hacked version is clearly stated. Does a quarantined object in mbam not have a way of displaying any of the object's properties, e.g. file version, hash etc.?

 


As I stated in my first post, when I tried to open CCleaner after receiving the mbam notice of quarantine it stated that the program the shortcut was referring to had either been moved or deleted.


Presumably it was moved into mbam's quarantine folder? Can't it be examined in there via the mbam GUI?

In the past, when I've had security products that quarantined something, I have unquarantined the items to examine them. But I cannot suggest that you do that if you're not certain that you could do it safely. [Un-quarantining stuff is usually possible, so that files quarantined by mistake can be recovered.]


I would not want to try and un-quarantine it. I really am almost 100% sure it was the infected version because that Trojan.Floxif is associated with the CCleaner hack if you Google it.

The article I read about this from PC Pitstop stated it was recommended that you restore your computer to an earlier date from a saved backup, or reinstall Windows. I can hardly believe that is necessary, and I'm trying to find out from someone who knows more than I do if I'm OK now that I've quarantined the infection and uninstalled the program.

And what about my Macrium backup stored on my external. Is that now all infected and no good?

Does all this need to be submitted to the malware forum?


I'm not sure what you should do. If your Macrium backup was made while the infected program was on your system, then it's clearly likely to be infected too, though that might not make it totally useless. If, e.g., you had a disk failure and restored from that Macrium image, the restored system would be infected... but most/all of the other files would possibly be OK. It'd be better than no backup at all, just not the best one to use.

15 hours ago, Nikilet said:

My question is, was I protected against this and am I sitting in a safe place or an infected place? Do I even need to make a post in the form "Help! My computer is infected"?

Emsisoft Anti-Malware and Emsisoft Internet Security will detect and block the compromised version of CCleaner; however, please note that the malicious code was not in the 64-bit version of CCleaner, and if the 32-bit version of CCleaner was executed on a 64-bit edition of Windows then it wouldn't work. So only 32-bit editions of Windows were affected by this.

If your computer has been affected by this compromised version of CCleaner, then all you have to do is install the latest version of CCleaner in order to get rid of the infected version (no infection will be left behind after that):
https://www.piriform.com/ccleaner/download

Alternatively you can uninstall CCleaner if you don't want to keep it, and no infected files should be left behind after uninstalling.

For more information, I recommend the following article, as it quickly covers everything that is currently known and explains what you should do if you were affected by this:
https://www.bleepingcomputer.com/how-to/security/ccleaner-malware-incident-what-you-need-to-know-and-how-to-remove/

Avast has released some information about how they believe this happened, and there is a short timeline detailing when everything happened at the following link:
https://www.bleepingcomputer.com/news/security/avast-clarifies-details-surrounding-ccleaner-malware-incident/

Also one of the original stories about the issue, which goes into more detail, can be found at the following link:
https://www.bleepingcomputer.com/news/security/ccleaner-compromised-to-distribute-malware-for-almost-a-month/

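As an added example (not code posted by anyone in this thread, and not from Emsisoft or Piriform), the following read-only PowerShell check combines the indicators this thread gives: the HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo key from CBMman's post, the compromised build named in the timeline quoted later in the thread (32-bit CCleaner 5.33.6162), and GT500's point that the payload only executed on 32-bit Windows. The install path C:\Program Files\CCleaner\CCleaner.exe appears in Nikilet's quarantine log; the Program Files (x86) path and the WOW6432Node registry view are assumptions about where a 32-bit install would land on 64-bit Windows. The script only reports; remediation stays as the thread says: install CCleaner 5.34 (or uninstall) and run a full scan.

```powershell
# Added example: read-only check for the CCleaner/Floxif indicators discussed in this thread.
# Nothing is deleted or changed; the verdict text repeats the thread's own remediation advice.

# Registry key named in CBMman's post, plus the WOW6432Node view (assumed location for a
# 32-bit program's key when read from 64-bit PowerShell on 64-bit Windows).
$AgomoKeyPaths = @(
    'HKLM:\SOFTWARE\Piriform\Agomo',
    'HKLM:\SOFTWARE\WOW6432Node\Piriform\Agomo'
)

# Build identified in the thread's timeline as the one carrying Floxif (32-bit CCleaner 5.33.6162).
$BadMajor = 5
$BadMinor = 33
$BadBuild = 6162

# Candidate executable paths. The first is from the mbam quarantine entry quoted in the thread;
# the second is an assumption (default 32-bit install location on 64-bit Windows).
$CandidateExePaths = @(
    'C:\Program Files\CCleaner\CCleaner.exe',
    'C:\Program Files (x86)\CCleaner\CCleaner.exe'
)

function Test-CCleanerFloxifIndicators {
    [CmdletBinding()]
    param(
        [string[]]$RegistryKeys = $AgomoKeyPaths,
        [string[]]$ExePaths     = $CandidateExePaths
    )

    $report = [ordered]@{
        Is64BitWindows  = [Environment]::Is64BitOperatingSystem
        AgomoKeyFound   = $null
        ExePath         = $null
        ExeVersion      = $null
        ExeIsBadBuild   = $false
    }

    # Presence of the Agomo key is the indicator CBMman's post relies on.
    foreach ($key in $RegistryKeys) {
        if (Test-Path -LiteralPath $key) { $report.AgomoKeyFound = $key; break }
    }

    # The executable may already be missing if mbam moved it to quarantine, which is what
    # Nikilet saw ("moved or deleted"); in that case the version check is simply skipped.
    foreach ($path in $ExePaths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $vi = (Get-Item -LiteralPath $path).VersionInfo
        $report.ExePath    = $path
        $report.ExeVersion = $vi.FileVersion
        # The 6162 build number may be stamped into either the third or fourth version field,
        # so both are accepted.
        $report.ExeIsBadBuild = ($vi.FileMajorPart -eq $BadMajor) -and
                                ($vi.FileMinorPart -eq $BadMinor) -and
                                (($vi.FileBuildPart -eq $BadBuild) -or ($vi.FilePrivatePart -eq $BadBuild))
        break
    }

    # Interpretation follows GT500's post: the injected code only ran on 32-bit Windows.
    $report.Verdict = if ($report.AgomoKeyFound) {
        'Agomo key present: treat the PC as compromised; install CCleaner 5.34 or uninstall, then run a full scan'
    } elseif ($report.ExeIsBadBuild -and -not $report.Is64BitWindows) {
        'Compromised 32-bit build on 32-bit Windows: update to 5.34 or uninstall, then run a full scan'
    } elseif ($report.ExeIsBadBuild) {
        'Compromised build present but on 64-bit Windows: the payload would not have run; still update to 5.34'
    } else {
        'No indicator found'
    }

    [pscustomobject]$report
}

# Usage: run from an elevated PowerShell prompt so HKLM and Program Files are readable.
Test-CCleanerFloxifIndicators | Format-List
```

The function returns an object rather than just printing, so the result can be logged or collected from several machines; absence of both indicators is reported as "No indicator found" rather than "clean", since a quarantined executable leaves nothing to version-check.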

Antimalware caught the file on one of my computers. So if you got a popup about it, then it is gone. You can then download 5.34 and be OK.


Must be magic, I guess. It did kill it. I don't care what anyone else says. Same way all responses about a Level 3 router problem said 'no way' and it was.

5 hours ago, Nikilet said:

Thank you very much for this excellent answer and information.

Can you tell me, because I am confused ... Who owns CCleaner -- Avast or Piriform?

From one of the links in GT500's post...

July 3 - Evidence suggests hackers breached Piriform's IT systems.
July 18 - Avast decides to buy Piriform, the company behind CCleaner.
August 15 - Piriform, now part of Avast, releases CCleaner 5.33. The 32-bit version (CCleaner 5.33.6162) included the Floxif trojan.
August 20 and 21 - Morphisec's security product detects first instances of malicious activity (malware was collecting device details and sending the data to a remote server), but Morphisec does not notify Avast.
August 24 - Piriform releases CCleaner Cloud v1.07.3191 that also includes the Floxif trojan.
September 11 - Morphisec customers share detection logs detailing CCleaner-related malicious activity with the company's engineers.
September 12 - Morphisec notifies Avast and Cisco of the suspicious CCleaner activity. Avast starts its own investigation and also notifies US law enforcement. Cisco also starts its own investigation.
September 14 - Cisco notifies Avast of its own findings.
September ?? - Cisco had registered, in the meantime, all the domains that the malware would have used in the future to determine and calculate the C&C server IP address.
September 15 - Following a collaboration between Avast and law enforcement, the malware's C&C server was taken down.
September 15 - Avast releases CCleaner 5.34 and CCleaner Cloud 1.07.3214 that remove the Floxif malware.
September 18 - CCleaner incident becomes public following Cisco, Morphisec, and Avast/Piriform reports.

https://www.bleepingcomputer.com/news/security/avast-clarifies-details-surrounding-ccleaner-malware-incident/

16 hours ago, Nikilet said:

Can you tell me, because I am confused ... Who owns CCleaner -- Avast or Piriform?

Avast owns Piriform, so all Piriform software and property is now owned by Avast.


Hi, sorry to add myself here, but for me that does not give me peace of mind. For a few days I had the infected version of CCleaner installed on my laptop with Emsi; Emsi did not detect anything. I use a 64-bit system. I formatted my PC, and Defender caught the installer, and then I went to the forums to see what happened. Now, is it recommended to change my passwords? I changed my passwords during the hacking, 10 to 20 of September. Am I hacked? I ran full scans; I don't think there is any trace of that thing, but maybe my data was transferred to those servers. I feel nervous.

18 hours ago, Kevinaktiff said:

For a few days I had the infected version of CCleaner installed on my laptop with Emsi; Emsi did not detect anything. I use a 64-bit system.

The 64-bit version of CCleaner was not affected by this, and is clean. Only the 32-bit version of CCleaner had malicious code injected into it, and that malicious code would only execute on a 32-bit version of Windows.

 

18 hours ago, Kevinaktiff said:

Now, is it recommended to change my passwords? I changed my passwords during the hacking, 10 to 20 of September. Am I hacked? I ran full scans; I don't think there is any trace of that thing, but maybe my data was transferred to those servers. I feel nervous.

Changing passwords is not a bad idea; however, if you do have a 64-bit version of Windows, then you don't have to worry about this particular issue.

