Fatdcuk

Honorary Members
  • Posts

    20,705
  • Joined

Everything posted by Fatdcuk

  1. Hi. Not 100% sure what has occurred for you; possibly, if you're running MBAM from a limited user account, that can sometimes interfere with removals from the HKLM hive. That said, we should not be removing that key (it belongs to CCleaner Cloud ops) but only removing the data stored under that key, should it be MUID or TCID or NID, which are the values set when the affected installer has been run. If none of those values are present then the detection of the key should not occur.
  2. Hi, and sorry for the delay in replying as this thread had been overlooked. Avast had purchased Piriform but are keeping the software/company by its original names. Once we became aware of the hack (as the whole industry became aware) we created detection for the bad installer and the compromised software executable file. This would have prompted our software to detect and quarantine those affected files. The removal of ccleaner.exe (32 bit) would break the software operations on 32-bit OSs and hence the need to update to the new non-affected version. * The 64-bit ccleaner.exe executable was not compromised, but because of how CCleaner chooses to install, the affected version had both executables present (32 & 64 bit). Users using CCleaner on 64-bit OSs would not be affected as it is only the 32-bit executable that was compromised and the 64-bit OS would not use that executable file when loading the software. We later added detection for a registry trace that was only present after the original compromised installer had been run. * This detection would be present on both 32- and 64-bit installs, but it is only 32-bit installs that were potentially compromised. That trace was a "marker" and not an active component part of the compromised version, but we decided we would remove it nonetheless. Back to your initial question(s) then: if you have removed the bad 32-bit executable (ccleaner.exe) then it is no longer an active risk. Were you at risk? Alas, the compromised version was backdoored, so every time the software was previously launched so was the backdoor code.
     Had the active backdoor been exploited? We cannot tell you the answer to that, but all we can advise is, as with any potential security breach, you change all your passwords from a secure computer. If you have used the affected computer for data-sensitive activities such as online banking, online purchasing or sensitive work, we would advise you contact your bank and/or work IT to advise them of your potential exposure to a data breach so the appropriate steps can be taken to protect yourself and others.
  3. You are correct and we all feel that same frustration. Alas, that is the ongoing problem which is industry wide. In this instance the whole industry was caught out by this trusted-chain hack. Unfortunately it is an ongoing game of cat and mouse where the bad actors always get to go first. We all can try to develop new technologies to mitigate risk against attacks, but still as of yet there is no mythical silver bullet that can protect 100% in every potential attack scenario.
  4. Hi Dee0900. We created detection for the affected version of CCleaner when it came to light earlier today. https://blog.malwarebytes.com/security-world/2017/09/infected-ccleaner-downloads-from-official-servers/
  5. Yup, I just pushed out the next lot of new defs for today to the database. The faulting def was removed with the previous update cycle (#4). Again our thanks for reporting this guys and apologies for any inconvenience caused. I will close this topic off now as it is now resolved.
  6. Hi guys. We are pushing an update currently to fix this f/p. Please can you update and confirm that the detection no longer occurs. Thanks in advance and our apologies for inconvenience caused.
  7. Hi and welcome to the Malwarebytes support forums. You will need to restart your computer in order for Malwarebytes to remove items that are locked up in the quarantine.
  8. Hi Dave. Thanks for the update. If Malwarebytes experiences the "failed to restore from quarantine" issue then the computer will need to be restarted first, and then the error will no longer occur when attempting to unquarantine items. Additionally, an alternative way to configure Malwarebytes to ignore detections is to run a scan (to generate those detections). At the removal screen, make sure all required lines are unchecked and ask us to remove items. A secondary window will then be created where we offer the option to ignore once or ignore always. Selecting "ignore always" will automatically add items to the ignore list in the software.
  9. Many thanks Kigen for reporting this. Confirmed this is a false positive and it will get fixed on our next database update today.
  10. Hi and welcome to the Malwarebytes support forums. There are instructions in the following post on how "sync-eu.exe.bid" can be added to the ignore list if required, with a brief explanation of why we alert to it.
  11. Hi Wittmann. We currently are detecting certain Auslogics software as PUP (PUP stands for Potentially Unwanted Program). In your case it is wanted. Please can you update MBAM to the current database and run a new threat scan. This time at the end of the scan make sure all boxes are unchecked (e.g. empty) and then ask MBAM to remove the items found. This will generate a pop-up window asking if you would like to add those detections to the ignore list. Please select "Ignore always" for all detections and then rescan to confirm the items are no longer detected. Thanks in advance
  12. Hi DeanSF and welcome to the Malwarebytes support forums. It seems that the client application is sharing some data with the Mail.ru PUP software (PUP stands for Potentially Unwanted Program). Please can you update MBAM to the current database and run a new threat scan. This time at the end of the scan make sure all boxes are unchecked (e.g. empty) and then ask MBAM to remove the items found. This will generate a pop-up window asking if you would like to add those detections to the ignore list. Please select "Ignore always" for all detections and then rescan to confirm the items are no longer detected. Thanks in advance
  13. Hi AyeAyeCaptain. It had been listed because there was a version being pushed on download wrappers about 6 months back which contained a backdoored driver component. We listed it as potentially unwanted at the time because of this and the fact the distributing wrapper was force-installing it. However, on current review we are no longer seeing the bad version being pushed recently, so we will delist the detection of the software on the next update cycle today. Thanks for reporting this
  14. Hi JunkTony and welcome to the Malwarebytes support forums. GeekBuddy is a software also distributed by Comodo; however, your detections are confirmed false positives and will get fixed on the next update cycle today. Thank you for taking the time to report this.
  15. Hi jayman1000. The detection will be fixed on the next update cycle today and should no longer be detected.
  16. Great. Many thanks again for reporting and assisting in fixing this problem. I will now lock the topic as resolved.
  17. Hi, and thank you for the assist and your patience with this. That detection should be fixed with DB 2017.03.30.08 that just went live. I have just scanned through 4k+ lines of code looking for any other potential faulting defs. Fingers crossed they are gone now, but feeling totally boss-eyed nonetheless lol. If you can update and recheck (and fingers crossed). Thanks in advance.
  18. Many thanks Perski. Yes, it was a case of the blacklist (bad URLs) inserted into Prefs.js, and we were not differentiating between what is seen set by the Elex hijacker and what was set by the 3rd-party software to block them. I have tweaked our defs to take this into account and the adjustments just went live with the last database update. Please can you update the Malwarebytes database and confirm whether the detection(s) still persist. Thanks in advance
  19. Hi Perski and welcome to the Malwarebytes support forums. I am unable to replicate your reported detection, so please could you attach a Malwarebytes scan log where the detections are made to a reply. Thanks in advance
  20. Hi all. This false positive will now be fixed with the most recent database update > 1.0.1404. Again our sincerest apologies on this guys. * As this issue is confirmed to be resolved I will lock the thread now.
  21. Hi all. This false positive will now be fixed with the most recent database update > 1.0.1404 for 3.x users & v2017.03.02.8 for 2.x. Again our sincerest apologies on this guys. * As this issue is confirmed to be resolved I will lock the thread now.