CCLeaner hack

[Nikilet]

2 computers: 32 bit desktop          64 bit laptop          Both Windows 10 Home

I just updated CCleaner on both computers because I always update as soon as advised that one is available. I'm pretty sure, but not positive, that I ran CCleaner on both computers immediately after updating. 

On my 32 bit desktop, when I later tried to open CCleaner I received the attached popup from mbam. I could no longer even open CCleaner. I received a message that the program the shortcut was referring to had either been moved or deleted. I then uninstalled CCleaner using RevoUninstaller.

On 64 bit laptop I got the same mbam popup, but was still able to open CCleaner. 

I also received information that those running Emsisoft were protected against this threat and I run Emsisoft on both computers, along with mbam. 

I missed it when the news came out that Avast had purchased CCleaner, but I no longer intend to use the program.

My question is, was I protected against this and am I sitting in a safe place or an infected place?

[fredvries]

CCleaner v5.33.6162 for 32-bit Windows users was indeed compromised. See here. Malwarebytes detected this threat as Trojan.Floxif.

The suspicious code was hidden in the application’s initialization code called CRT (Common Runtime) that is normally inserted during compilation by the compiler. This code modification was executed by the following function calls (functions marked by red represent the CRT modifications):

 

The guys at Piriform have released a new version that has the malware removed. Simply download CCleaner v5.34.6207 and you're fine again.

.

[migs]

I'm running 5.34.6207, and Malwarebytes has reported the infected .exe file during an overnight scan. I have a 64bit system, which allegedly isn't compromised, but I'm not convinced

Is CCleaner still an issue?

[Nikilet]

migs: could you please start your own post so that the questions and answers don't become mixed up and unclear as to whose problem is being dealt with. Your problem might progress differently than mine.

This morning when I came back to my 32-bit desktop, which I leave on, there was a warning that an mbam scan had been done and quarantined objects. When I clicked on it I discovered that two more of these Floxif items had been quarantined. on 9-18 it quarantined a file: C:\Program Files\CCleaner\CCleaner.exe. On 9-19 it quarantined two more trace registry values. See screenshot.

So, do I need to post in the infection forum for this for either or both of my computers ... or what?

Edited September 19, 2017 by Nikilet

[Nikilet]

7 hours ago, fredvries said:

CCleaner v5.33.6162 for 32-bit Windows users was indeed compromised. See here. Malwarebytes detected this threat as Trojan.Floxif.

The suspicious code was hidden in the application’s initialization code called CRT (Common Runtime) that is normally inserted during compilation by the compiler. This code modification was executed by the following function calls (functions marked by red represent the CRT modifications):

 

The guys at Piriform have released a new version that has the malware removed. Simply download CCleaner v5.34.6207 and you're fine again.

.

you say the guys at Piriform have released a new version. Who is doing CCleaner? Is it Piriform or Avast? In any event, I do not plan on using CCleaner any longer because I no longer trust it.

Edited September 19, 2017 by Nikilet

[migs]

Nikilet, surely it would make sense for all information  to be included in one thread, rather than have 50 threads all with the same info.

Fredvries stated that 5.34.6207 is clean, when Malwarebytes clearly thinks it isn't. My reply is directly relevant to your post and the reply given by Fredvries.

No wonder the internet is as clogged up as it is.

[Nikilet]

12 minutes ago, migs said:

Nikilet, surely it would make sense for all information  to be included in one thread, rather than have 50 threads all with the same info.

Fredvries stated that 5.34.6207 is clean, when Malwarebytes clearly thinks it isn't. My reply is directly relevant to your post and the reply given by Fredvries.

No wonder the internet is as clogged up as it is.

I disagree. Many forums will ask you not to post on another's post but to start your own. 

[Ezrway]

Hello, I'm hoping this is the right area to post this question about the CCleaner Hack and the results of a Malwarebytes Threat Scan on my PC. 

First of all I'm running Windows 7 64-bit.  I have a subscription to CCleaner and frequently click on the "check for updates" link.

When I entered my password and unlocked the PC on 9/19/2017, there were 2 different Malwarebytes screens that read a threat, or threats, had been found and the PC needed to be rebooted.  So I rebooted it.  When the reboot completed I looked in Malwarebytes under Quarantine and there were 2 entries, similar to the lines below. I deleted them immediately.

From Threat Scan Log and also the same entries I deleted from Malwarebytes Quarantine:

Trojan.Floxif.Trace, HKLM\SOFTWARE\WOW6432NODE\PIRIFORM\AGOMO

Trojan.Floxif.Trace, HKLM\SOFTWARE\WOW6432NODE\PIRIFORM\AGOMO|TCID

In the Threat Scan Log it showed Registry Key: 1 couldn't be deleted:

Registry Key: 1
Trojan.Floxif.Trace, HKLM\SOFTWARE\WOW6432NODE\PIRIFORM\AGOMO, Removal Failed, [8823], [436394],1.0.2838

Registry Value: 1
Trojan.Floxif.Trace, HKLM\SOFTWARE\WOW6432NODE\PIRIFORM\AGOMO|TCID, Quarantined, [8823], [436394],1.0.2838

I currently have CCleaner v5.35.6210 (64-bit) installed.  I have run another Threat Scan since then and it found no threats.  I attached the complete threat scan log to this post.

Here's what I'm wondering:

1. Why couldn't Malwarebytes delete the Registry Key?
2. Should I have deleted the quarantined items?
3. Did deleting the quarantined items get rid of the problem completely? 
4. Is the PC safe now?

Thanks!

 

 

MBAM CCleaner Registry Keys Removal 20170918.txt

[Nikilet]

Looks like it doesn't matter who posts here because no one is going to respond anyway.

[Fatdcuk]

10 hours ago, Nikilet said:

Looks like it doesn't matter who posts here because no one is going to respond anyway.

Hi and sorry for the delay in replying as this thread had been overlooked.

Avast had purchased Piriform but are keeping the software/company by its original names.

Once we became aware of the hack (as the whole industry became aware) we created detection for the bad installer and the compromised software executable file.

This would have prompted our software to detect and quarantine those affected files. The removal of ccleaner.exe(32 bit) would break the software operations on 32bit OS's and hence the need to update to the new non affected version.

* the 64bit ccleaner.exe executable was not compromised but because of how CCleaner chooses to install then the affected version had both executables present(32 & 64bit).

Users using CCleaner on 64 bit OS's would not be affected as it is only the 32bit executable that was compromised and the 64bit OS would not use that executable file when loading the software.

We laterly added detection for a registry trace that was only present after the original compromised installer had been run.

* This detection would be present on both 32 and 64 bit installs, but it is only 32 bit  installs that were potentially compromised.

That trace was a "marker" and not an active component part of the compromised version but we decided we would remove it none the less.

Back to your initial question(s) then if you have removed the bad 32 executable (ccleaner.exe) then it is no longer an active risk.

Were you at risk ?

Alas the compromised version was backdoored so everytime the software was previously launched so was the backdoor code.

Had the active backdoor been exploited then we cannot tell you the answer to that but all we can advise is as with any potential security breach you change all your passwords from a secure computer .If you have used the affected computer for data sensitive activities such as online banking, online purchasing or sensitive work we would advise you contact your bank and/or work IT to advise them of your potential exposure to a data breach so the appropriate steps can be taken to protect yourself and others.

[Ezrway]

20 hours ago, Ezrway said:

Registry Key: 1
Trojan.Floxif.Trace, HKLM\SOFTWARE\WOW6432NODE\PIRIFORM\AGOMO, Removal Failed, [8823], [436394],1.0.2838

Registry Value: 1
Trojan.Floxif.Trace, HKLM\SOFTWARE\WOW6432NODE\PIRIFORM\AGOMO|TCID, Quarantined, [8823], [436394],1.0.2838

Thank you for responding to my post.  Do you have any idea why Malwarebytes was unable to remove the item identified as "Registry Key: 1" in the quoted text from my original post?

Thanks again!

 

[Fatdcuk]

2 hours ago, Ezrway said:

Thank you for responding to my post.  Do you have any idea why Malwarebytes was unable to remove the item identified as "Registry Key: 1" in the quoted text from my original post?

Thanks again!

 

Hi

 

Not 100% sure what has occured for you, possibly if your running MBAM from a limited user account that can sometimes interfere with removals from the HKLM hive.

That said we should not be removing that key (It belongs to CCleaner Cloud ops) but only removing the data stored under that key should it be MUID or TCID or NID which are the values set when the affected installer has been run.

If none of those values are present then the detection of the key should not occur.

Edited September 21, 2017 by Fatdcuk

[Ezrway]

OK. Thanks!