How shall I understand the first picture (registry editor) in the article? Is WbemPerf key good or bad? I searched for the files stated therein and found neither one on my machine. Pretty confused ...
I think the picture is as it should be, i.e. you should not have these: HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001 HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\002 HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\003 HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\004 HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP I also searched for all these and found none.
And so it was 32 - 64 bit aware after all. "The stage 2 installer is GeeSetup_x86.dll. It checks the version of the operating system, and plants a 32-bit or 64-bit version of the Trojan on the system based on the check."
i have it also, but not entry or subfolder - clean as it should be, no reason to delete anything i dont know exactly
I found wbemperf and then it said default regsz and value not set.. I did not find any of the 4 things above. Should i delete what i found or can i leave it there.
hi weird because only under w10 asks me to update , same version under w8.1 or 7 i haven't gotton any advises https://i.imgur.com/Qy1ruIp.png have you noticed the same? thans
If you got infected, at the end of this article there is a list of files that helps to determine "if a stage 2 payload has been planted on the system." Good luck. https://www.ghacks.net/2017/09/21/ccleaner-malware-second-payload-discovered/ Bo
Are the AV companies up to speed on this yet? I would think a scan with most products should clean this up at this point. But that is just an assumption.
Looks like defender did something, though a tad late me thinks. I wasn't using Windows 10 Sept.11-17. Then did updates Sept.18, and then ... On Windows 10 pro-1703, 64bit, WD flagged Ccleaner 5.33 as backdoor floxif and quarantined just the installer - that was Sept.19, then on Sept 20 WD flagged CcleanerSkipUAC and two tasks - see screenshots. Those task {numbers} look different than anything I'm reading here.
A few things: 1). for those Home users that are obsessing, don't. It seems that this supply-chain malware is a continuation of Operation Aurora, which was a Industrial/Governmental info attack that ha been going on for years. Originally implicated was the group Unit 61398 (Comment Crew), supplanted recently by the well funded Axiom Group. These are the same folks responsible for Ghostnet, DarkMoon etc. 2). A better way to check to see if one is infected than checking the registry (you will only know where to look when someone tells you) is by installing and using an application that allows you to see where stuff is connecting to. A good freeware app to do this is Microsoft Network Monitor. For this particular infection, when running MNM you will see that two separate CCleaner are trying to connect out. One will be legit, and the other will attempt to connect to 216.126.225.148, a well known malware C&C based in Los Angeles. Although this particular server has been brought down, within the malware code is the ability to connect to different servers in the future (I don't know if this has been reported as yet). Anyway, a typical Home user has nothing to worry about. Axiom does not even consider Chumps Like Us as being of any value.
This thoughts are same as mine since yesterday. Good thing cause I don't have a clean backup image to restore.
Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users https://www.wilderssecurity.com/thr...d-v1-07-3191-for-32-bit-windows-users.396778/
I´ve seen several similar posts in this forum about this CCleaner. incident. After all the image preaching that is common here, it seems people don´t even have a one-month-old image to restore. Curious.
Anecdotal evidence based on 1 comment. For all you know most people using imaging are smart enough to know they don't need third party software to clean their machines.
Heimdal Security's analysis: https://heimdalsecurity.com/blog/security-alert-ccleaner-spread-malware/ Edit: prior incorrect link.
Ya, I too think it. But it's anyway much disturbing the idea to have something like it in our system, is it ? I wonder if Antirootkit like PcHunter and PowerTool are good programs to detect this backdoor. And if to uninstall the CCleaner and to clean the system would work to completely delete the backdoor. More curiosity than concern, just to know.
