
CCleaner malware - some questions


I'm on a 64-bit OS, I regularly update CCleaner so I must have had the infected version installed at some point. I also went from Win 7 x64 to Win 10 x64 a few weeks ago (15th or 16th of August after some digging, I kept all my programs in the upgrade process). I have now uninstalled CCleaner, I don't have the Agomo entry in my registry and I have scanned with Malwarebytes, portable ClamAV, SUPERAntiSpyware without any infections found.

Is it safe to assume that I've never been infected? My understanding is that this only affected 32-bit OS but I want to be 100% sure.


A friend of mine has Windows 10 32-bit and he had the infected version installed. Malwarebytes identified "Floxif". Today I'm reading that the attack was more severe and people are recommended to format, is this the only way? Will the "reset this PC" option in Windows 10 be sufficient?

Thank you for the advice!

Edited by Flintheart

Hi Flintheart :)

If the Agomo key wasn't created on your system, it means that you weren't hit with the primary payload that was executed on 32-bit systems. Which means you should be okay right now. And from my understanding, a second payload was only delivered on a system if it was part of a certain domain (mostly big tech companies like Cisco, Samsung, etc.).


In that case he's fine. The second payload was only targeting computers that were part of a domain, and ones that matched a list of domains. He should remove the infected version, let Malwarebytes delete the Agomo keys and install the latest CCleaner version (if he's still willing to use the product).


I visited my friend today, I helped him scan the machine with Sophos Virus Removal Tool in safe mode, it didn't find anything. I saw this program recommended in another thread, we also did a complete scan with McAfee, again nothing.

I found the infected installer in my backup, so I had the infected version installed at some point but the 64-bit saved me. PHEW.


Interesting read:

https://blog.avast.com/update-to-the-ccleaner-5.33.6162-security-incident

Some media reports suggest that the affected systems needed to be restored to a pre-August 15th state or reinstalled/rebuilt. We do not believe this is necessary. About 30% of CCleaner users also run Avast security software, which enables us to analyze behavioral, traffic and file/registry data from those machines. Based on the analysis of this data, we believe that the second stage payload never activated, i.e. the only malicious code present on customer machines was the one embedded in the ccleaner.exe binary. Therefore, we consider restoring the affected machines to the pre-August 15 state unnecessary. By similar logic, security companies are not usually advising customers to reformat their machines after a remote code execution vulnerability is identified on their computer.


Exactly. There has been a lot of miscommunication/misinformation about the CCleaner incident. Some media outlets were reporting false information and giving wrong instructions. Personally, if you had CCleaner on Windows 64-bit, and the Agomo key was never created in your Registry, you shouldn't have to do anything. Simply update to the latest CCleaner version (or drop it altogether) and move on.

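The replies above boil down to two indicators: whether the OS is 64-bit and whether the Agomo registry key was ever created, with the CCleaner 5.33.6162 build from the Avast post as the affected version. The following read-only triage script is an added example, not code posted in this thread or published by Piriform, Avast or Malwarebytes; it assumes the marker key lives at HKLM:\SOFTWARE\Piriform\Agomo, that CCleaner.exe sits under Program Files, and that 6162 appears in the file's build or private version part.

```powershell
# Added triage example; assumptions are marked below, none come from the thread itself.
function Get-CCleanerTriage {
    [CmdletBinding()]
    param(
        [string]$AgomoKey = 'HKLM:\SOFTWARE\Piriform\Agomo'   # assumed full path of the "Agomo key"
    )

    $is64BitOS    = [Environment]::Is64BitOperatingSystem
    $agomoPresent = Test-Path -LiteralPath $AgomoKey

    # Locate the installed CCleaner.exe (assumed default install folders).
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $exe   = $roots |
        ForEach-Object { Join-Path $_ 'CCleaner\CCleaner.exe' } |
        Where-Object { Test-Path -LiteralPath $_ } |
        Select-Object -First 1

    # Compare the binary's version parts against 5.33.6162 (the build named in the Avast post).
    $fileVersion = $null
    $trojanisedBuild = $false
    if ($exe) {
        $vi = (Get-Item -LiteralPath $exe).VersionInfo
        $fileVersion = $vi.FileVersion
        $trojanisedBuild = ($vi.FileMajorPart -eq 5) -and ($vi.FileMinorPart -eq 33) -and
            (($vi.FileBuildPart -eq 6162) -or ($vi.FilePrivatePart -eq 6162))
    }

    # Decision logic mirrors the thread: Agomo key => first stage ran; no key => not hit.
    $verdict = if ($agomoPresent) {
        'Agomo key present: first-stage payload ran. Remove CCleaner, let AV delete the key, investigate further.'
    } elseif ($trojanisedBuild -and -not $is64BitOS) {
        'Affected build on 32-bit OS but no Agomo key: no sign the payload ran; update or remove CCleaner.'
    } elseif ($trojanisedBuild) {
        'Affected build on 64-bit OS, no Agomo key: update or remove CCleaner; nothing else needed.'
    } else {
        'No indicators found.'
    }

    [pscustomobject]@{
        Is64BitOS       = $is64BitOS
        AgomoKeyPresent = $agomoPresent
        CCleanerPath    = $exe
        CCleanerVersion = $fileVersion
        TrojanisedBuild = $trojanisedBuild
        Verdict         = $verdict
    }
}

Get-CCleanerTriage | Format-List
```

Run it in an elevated PowerShell session so the HKLM key and Program Files paths are readable; it changes nothing on the machine.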

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!
