Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users

It is understandable that people are in a "state of denial" over this. Again, read the Cisco blog posting on what the malware does. Next, realize this malware has been sitting on your device for a month and your "worst fears" have been manifested. Then do what Cisco recommends which I posted previously.

 

So far there is not much info. Cisco report shows that malware included in that version collects some data and sends it to some servers that were apparently taken down. There was no additional malware downloaded and run and no autorun entries added to system. So malware runs only that time when Ccleaner (older version) is running. As soon as Ccleaner is updated, infection is more or less gone. At least that's how I read their analysis.
I will wait for some more information.

 

While practically speaking that is correct cuz action has been taken to defeat the malware's communicating with its server, technically speaking it is not correct. It appears that the now ineffective backdoor would still remain:

https://www.wilderssecurity.com/thr...-bit-windows-users.396778/page-2#post-2706896

https://www.wilderssecurity.com/thr...-bit-windows-users.396778/page-2#post-2706889

Virus Bulletin:

"Malicious CCleaner update points to a major weakness in our infrastructure...

...it remains important for infected users to follow the advice from Cisco: reinstall machines or roll back to a previous version."

https://www.virusbulletin.com/blog/...ate-points-major-weakness-our-infrastructure/

 

hi
eset detects only the old version of ccleaner , nothing else
i guess malwarebyte is good start at least scans registry and all the files

 

You mean a DLL file that no process will load after updating CCleaner or something else?

 

dunno -- just know what I have read

"...it remains important for infected users to follow the advice from Cisco: reinstall machines or roll back to a previous version."

https://www.virusbulletin.com/blog/...ate-points-major-weakness-our-infrastructure/

 

Does 5.34 indeed remove the key that indicated the 5.33 infection?

If true, how can you still discover whether your system was infected, if you already upgraded to 5.34 before this news was released?

 

OK, misunderstanding by me, sorry stapp.

 

I would really like to know this as well.

 

I've tested it in VM and installing 5.34 over 5.33 doesn't remove that key. So it will probably be present on systems that got infected.

 

Yes it does. One x.32 system at my home had Ccleaner 5.33.6162 installed and MBAM 3.1.2 found the trojan this morning. On installing 5.34 the registry key had been corrected. Ran another MBAM scan after that and it ran clean. I am still debating as to whether I should also go to a restore to be safe - according to Avast there is no other payload to be worried about.

 

I am running 5.34 and do not have that key, can't say if it was present in previous version.

 

I installed 5.33, waited 10 minutes and got a key. Then I updated to 5.34 (installed it over the top of previous version) and key is still there:

 

So, Minimalist says no, but emmjay says yes.

 

This is starting to trickle down into the mainstream news. Today is a somber day at avast/Piriform.

http://www.businessinsider.com/avast-piriform-ccleaner-hijacked-trojan-malware-2017-9

By the way, I had the 64 bit version of the 5.33 6162. No such key in the registry.

 

By the running the 32 bit version, right?

 

Yes it's 32 bit OS so only 32 bit version was installed.

 

According to Bleeping Computer, the malware also quit execution if the user was not using an administrator account. May be the reason why users are experiencing different results.

 

Yep, same here. Uninstalling ALL Software from Piriform permanently.

 

Yes, the key is still there:

Additionally the execution is delayed for at least 600 seconds, to evade analysys.

 

CCleaner Malware Incident - What You Need to Know and How to Remove:
https://www.bleepingcomputer.com/ho...dent-what-you-need-to-know-and-how-to-remove/

 

Did two offline scans (attaching the hdd to another pc), one using Eset's online scanner and Immunet:
No file or threat found.

The reg key I deleted it loading the hive.

 

Just by running v3.54 won't suffice. The reg key is still there, it remains either way.