
CCleaner trojan: how to be sure I'm not infected


6 replies to this topic

#1 saluqi


Posted 22 September 2017 - 11:20 PM

3 devices: 1 desktop computer, 1 laptop computer, 1 Android smartphone.  CCleaner Professional installed on all 3 (subscription to Piriform Pro Package, now in second year).

 

Desktop computer: Dell XPS 8700, Windows 10 Professional 64 bit, version 1703, fully updated.  Avast Premier, Malwarebytes Premium, WinPatrol, SpywareBlaster, etc. etc. 

Laptop computer: Dell Inspiron 5537, Windows 10 Home 64 bit, version 1703, fully updated.  Avast Premier, Malwarebytes Premium, WinPatrol, SpywareBlaster, etc. etc.

Smartphone: Samsung Galaxy S5, T-Mobile, fully updated, Avast Mobile Security. CCleaner last used 7/28/2017, not sure how to bring up version information

 

Updated CCleaner on both computers as soon as the news came out.  A second update came through shortly afterward and I installed that too on both systems.  Currently have v. 5.35.6210 (64 bit) on both machines.

 

So . . . my understanding of this critter is that the initial payload executed only on 32 bit systems, and that the really nasty secondary payload affected only systems on which the first payload had executed.  In that case, 64 bit systems should have remained unaffected throughout.  Key question: is that correct?

 

Some people reported MWB as reporting a Trojan.  MWB scans on both desktop and laptop find nothing.

 

So I am greatly suspecting that both computers are clean and nothing to worry about there.  What about the smartphone?  I am a water district manager and use it as a tool, not as an instrument of social display, so it is long on GPS, navigation, Internet, E-mail etc. and short to nonexistent on Facebook and the like.

 

Question arising: would it be advisable, and sufficient, to open CCleaner on the smartphone and update it?  And would that be sufficient, or would it be better to uninstall and reinstall it?

 

And, anything else I have overlooked?

 

Thanks as always for enlightenment!


Edited by britechguy, 23 September 2017 - 11:38 AM.
Duplicate threads merged and duplicated post removed




#2 buddy215


Posted 23 September 2017 - 08:03 AM

Per latest info you are okay with the 64 bit computers....malware didn't activate and you have the latest CCleaner program.

 

As to the Android smart phone...suggest updating it and I don't know if the malware was planted in earlier CCleaner program for Android.

CCleaner - Android Apps on Google Play

  • Updated: September 22, 2017
  • Installs: 50,000,000 - 100,000,000
  • Current Version: v1.20.91

EDIT: CCleaner hack affects 2.27 million computers, including yours? - CNET

QUOTE:

How do I know if I have the corrupted version?

The versions that were affected are CCleaner v5.33.6162 or CCleaner Cloud v1.07.3191 for 32-bit Windows PCs. The Android version for phones doesn't seem to be affected. As of Sept. 19, Avast says that 730,000 users are still using the affected version.


Edited by buddy215, 23 September 2017 - 08:09 AM.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 britechguy


Posted 23 September 2017 - 11:34 AM

You've now done what I'd do.

 

This issue is now known to every antivirus/antimalware scanner on the planet, or I'd have to believe it is.  If your various scanning tools are not finding a problem then there is almost certainly no problem to be found.  Windows Defender identified the issue in the setup executable on my machine which, luckily, I hadn't run for version 5.33.

 

I haven't read anything about this infection affecting any platform besides Windows.  (No surprise there, it's by far the favorite target of hackers, nefarious and otherwise, around the globe).


Brian  AKA  Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1809, Build 17763 

Travel is fatal to prejudice, bigotry, and narrow-mindedness, and many of our people need it sorely on these accounts.  Broad, wholesome, charitable views of men and things cannot be acquired by vegetating in one little corner of the earth all one's lifetime.

       ~ Mark Twain

 

 

 

              

 


#4 quietman7


Posted 25 September 2017 - 05:35 PM

I posted this in a related topic.

Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users
Short summary of the CCleaner incident

...updating CCleaner to the most recent versions fixes any issues, as "the only malware to remove is the one embedded in the CCleaner binary itself."..."The affected software (CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191) has been installed on 2.27M machines from its inception up until now,"..."We believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm." "There is no indication or evidence that any additional "malware" has been delivered through the backdoor,"...

CCleaner Compromised to Distribute Malware for Almost a Month

There is an ongoing discussion in this CCleaner issue topic where you can read more information.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#5 BethE006


Posted 25 September 2017 - 09:48 PM

Hi -

 Just to add a bit of a twist here, I updated my CCleaner 64 bit edition August 3rd, 2017; then properties shows it was modified August 18th, 2017 and my MWB detected 2 Trojan.Floxif files in:

C:\PROGRAM FILES\CCLEANER\CCLEANER.EXE

 

C:\USERS\BETHE\DOWNLOADS\CC_SETUP533.EXE

 

I'm running Windows 7 Professional, 64 bit -

 

I update my virus definitions daily before I do anything. The last MWB scan I ran was 9 days ago and it caught nothing, which seems really odd.  (It seems long but I'm not always on my personal laptop, and from here on out I plan to run daily scans.) MS Security Essentials is, ahem - essentially USELESS. I think it's mostly decorative, like as a pretty icon in my system tray bc it catches nothing, ever.

 

Two Qs:

1) Is it really impt / needed to run all the anti-malware, anti-adware, anti-virus programs as laid out under the self-help removal instructions?  I've always had great trust in MWB. I can see running a few of them... but should I be really worried? 

 

2) If this Trojan only affected 32 bit OS what does it mean that my MWB found it?!!  And, I installed the v533 PRIOR to the infection dates that have been published of August 13, 2017 - Sept 12 (?), 2017.

 

I only mention the date I installed v533 as a precaution to others. I'm going to update my CCleaner immediately and I'm really glad I haven't run it since I updated it on 8/3/17.

 

Any thoughts? feedback?

Thanks in advance!!



#6 buddy215


Posted 26 September 2017 - 06:50 AM

The malware installer was in the CCleaner.exe...regardless of whether the computer used to download CCleaner was a 32 bit or 64 bit. As stated earlier...the malware did not activate on 64 bit computers according to all available info. MBAM...in your case...removed the malware install files from CCleaner's installer.


Edited by buddy215, 26 September 2017 - 06:52 AM.
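
The check the replies above describe (affected release v5.33.6162, 32-bit build), as an added Python example that is not part of any post in this thread. It reads a copy of a CCleaner executable, takes the bitness from the PE header and the version from the VS_FIXEDFILEINFO block; the helper names, the constructed sample image, and the assumption that 6162 sits in the last of the four version fields are assumptions of this example.

```python
import struct

# Affected release named in the thread: CCleaner v5.33.6162, 32-bit Windows.
AFFECTED = (5, 33, 6162)   # major, minor, build (assumed to be the 4th field)
MACHINE_I386 = 0x014C      # PE "Machine" value for a 32-bit x86 image
FIXEDINFO_SIG = struct.pack("<II", 0xFEEF04BD, 0x00010000)  # VS_FIXEDFILEINFO


def pe_machine(data: bytes) -> int:
    """Return the COFF Machine field of a PE image, or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if pe_off + 6 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return struct.unpack_from("<H", data, pe_off + 4)[0]


def file_version(data: bytes):
    """Return (major, minor, patch, build) from VS_FIXEDFILEINFO, or None."""
    pos = data.find(FIXEDINFO_SIG)
    if pos < 0 or pos + 16 > len(data):
        return None
    ms, ls = struct.unpack_from("<II", data, pos + 8)
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def is_affected_build(data: bytes) -> bool:
    """True only for a 32-bit image whose version is 5.33.x.6162."""
    ver = file_version(data)
    if ver is None or pe_machine(data) != MACHINE_I386:
        return False
    return (ver[0], ver[1], ver[3]) == AFFECTED


def make_sample(machine: int, ver: tuple) -> bytes:
    """Constructed test image: minimal MZ/PE headers plus a version block."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18
    ms, ls = (ver[0] << 16) | ver[1], (ver[2] << 16) | ver[3]
    return dos + coff + b"\0" * 32 + FIXEDINFO_SIG + struct.pack("<II", ms, ls)


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        blob = fh.read()
    print(file_version(blob), "AFFECTED" if is_affected_build(blob) else "not the affected build")
```

A match on an installed file means that copy should be replaced by updating, as the replies advise; a non-match covers only the one file that was read.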


#7 BethE006


Posted 09 October 2017 - 05:41 PM

Thanks a lot BC Advisor!!  appreciate the confirmation that I was understanding this threat correctly.





