MBAM3 prevented upgrade to CCleaner

[mightaswell]

(Win10 Pro 1703) 
Whilst attempting to upgrade manually to the latest version of CCleaner  I received the message "error writing file to  C: /........../ccleaner64" and a few options for what to do none of which was successful. Remembering that mbamservice had locked files for opening Procmon64 recently( in the temp folder) I used Process explorer and searched for a handle related to ccleaner64.exe and mbamservice was locking it. I used Procexplorer to close the handle with mbamservice and was then able to upgrade. Had not had this before.

This is now the second time a known legitimate process has been locked by Malwarebytes and usual functionality prevented from working. 

Is this a known problem? 

 

[Metallica]

Hi,

Not sure if it is related, but it might be:

http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html

" For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner."

[mightaswell]

@Metallica my CCleaner version is the latest 5.34 and I had not installed 5.33 at any stage- fortunately by what your article suggests. Also at no stage of installing CC 5.34 did MB3 or Avast (with hardened mode aggressive) raise any flags or warnings.

[Metallica]

That's a relief.

I have not heard of other circumstances that this might happen.

Can you give me your version info for Malwarebytes, please? (From  Settings > About)

And I will ask around if anyone else might be able to help.

[mightaswell]

@Metallica yes good news and I believe it only affected 32bit systems - mine 64X.

Malwarebytes 3.2.2.2018  CP 1.0.188

[Metallica]

That is weird. CCleaner were whitelisted before this incident and you are using the latest version. So I have no idea how this could happen. Will ask though and let you know.

 

[Metallica]

If you ever run into such a situation again, can you disable Ransomware protection (Settings > Protection) and try again? 

Let us know please. It's the only module that could be responsible in our opinion. And if this is the case we would like to figure out why it does this in some rare occasions. Your help would be very much appreciated.

 

[longbeachlouise]

Is CCleaner Free Version 5.22.5724 (64 bit) before the sale of CCleaner to Avast? That is my version. Maybe I'll hang on, before updating.

[Porthos]

5 minutes ago, longbeachlouise said:

Is CCleaner Free Version 5.22.5724 (64 bit) before the sale of CCleaner to Avast? That is my version. Maybe I'll hang on, before updating.

5.34 is clean and the issue fixed.

[longbeachlouise]

Thx.

[happyboy7]

I wanted to add to this issue.  I had the CCleaner version 5.33, but it was the 64-bit version and my computer was not infected.  I verified this by looking in the registry and did not find the additional registry values that the malware creates.  I uninstalled CCleaner, then downloaded and installed the clean version 5.34.  When I attempted to run CCleaner, I received a popup from Malwarebytes that it blocked the program due to malware, and my choices were to allow or quarantine.  

My version is:

Malwarebytes Premium version 3.2.2.2018
Component package version 1.0.188
Update package version 1.0.2836

[Firefox]

1 hour ago, happyboy7 said:

 I had the CCleaner version 5.33, but it was the 64-bit version and my computer was not infected

the 64bit version was not affected, the malware was only on the 32bit version

[skcusime]

I have Malwarebytes 3.2.2 using Win 10 64 bit, and Malwarbytes found trojan.floxif on my 64 bit version. It's now quarantined, and Ccleaner uninstalled.

 

[prombamuser]

Is the portable version affected?

[skcusime]

52 minutes ago, prombamuser said:

Is the portable version affected?

Probably not, as nothing would be written to the registry.

[sunsets]

Using Win 7 64 bit. This morning as soon as I read about the ccleaner hack, I updated it. It works fine. This evening when I did my nightly Malwarebytes scan, it found trojan.floxif 533.exe on my desktop. Whenever I update ccleaner, I always have it downloaded to my desktop. Then, click on it to install the updates. I quarantined it. Do I need to do anything else?

[Antec]

Hello,

@skcusime

But no, you need to install Ccleaner 5.34

 

To find out if you have been infected, take a look at the registry. If you find the following key,

HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\CCleaner\agomo

 

Source : http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html

 

Thank you very much Team Mbam

FJ

[Antec]

Ccleaner Update 5.35

Edited September 20, 2017 by Antec

[bru]

Piriform has stated "Your anti-virus will flag this regardless of whether you're running the 32-bit or 64-bit version".  I have 64-bit systems and Trojan.Floxif was detected and removed by Windows Defender.  MBAM did not find it or flag it  .   I do not have the registry entries so am pretty sure I was never really infected but I wonder why MBAM did not find it?  Sounds like it did for others.

 

Edited September 21, 2017 by bru

[jsljustin]

On 9/19/2017 at 12:07 AM, Metallica said:

If you ever run into such a situation again, can you disable Ransomware protection (Settings > Protection) and try again? 

Let us know please. It's the only module that could be responsible in our opinion. And if this is the case we would like to figure out why it does this in some rare occasions. Your help would be very much appreciated.

 

I was getting the error (failed installation) of CCleaner when trying to upgrade it to version 5.35. Tried disabling ransomware protection, but that didn't work.

In the end, shutting down Malwarebytes (premium) completely enabled me to install the CCleaner upgrade.

It seems something else with MBAM is blocking the install of CCleaner. I am on 64 bit Windows 10.

Hope that helps. Thanks.

[mightaswell]

An attempt to update ccleaner to latest 5.35 was blocked as above and once again after closing the mbamservice handle (Using Process explorer) on ccleaner64.exe I could update.  I also noticed handles for other programs ie Acrord32,  cs.exe. outlook.exe, winword.exe, adwcleaner.exe and avastUI.exe . Many of these programs were not running at the time. After updating I remembered your request to disable ransomware protection so after rebooting and ccleaner64.exe was back as locked I disabled the protection but did not remove the handle. 

Affected Malwarebytes version 3.2.2.2018  CP 1.0.188

Edited September 30, 2017 by mightaswell

[Telos]

On 9/18/2017 at 8:52 PM, prombamuser said:

Is the portable version affected?

 

On 9/18/2017 at 9:45 PM, skcusime said:

Probably not, as nothing would be written to the registry.

The portable version WAS affected .

[Hawaii_Beach]

it's not only cc

[mightaswell]

@Hawaii_Beach quite true.

Even Avast Instup.exe and Avastui.exe and iexplore.exe are "locked" on the Win10 PC. Seems strange that it only seems to affect the Win 10.  On Win 7 machines ProcExplorer does not find any of the non MB3 related exe files "locked" to MBAMService on the Win 10. 

[dcollins]

A few things:

1. After disabling Ransomware Protection, did you try rebooting? If you have stuck handles, just stopping the protection may not solve the issue
2. What version of MB3 are you using? We released component package version 1.0.207 last week designed to solve the issue of keeping open handles

Edited October 2, 2017 by dcollins