CCleaner v5

Discussion in 'other software & services' started by anon, Nov 25, 2014.

  1. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    4,270
  2. pegas

    pegas Registered Member

    Joined:
    May 22, 2008
    Posts:
    2,372
    How shall I understand the first picture (registry editor) in the article? Is WbemPerf key good or bad? I searched for the files stated therein
    and found neither one on my machine. Pretty confused ...
     
  3. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,886
    Location:
    Under a bushel ...
    I think the picture is as it should be, i.e. you should not have these:
    • HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001
    • HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\002
    • HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\003
    • HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\004
    • HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP
    I also searched for all these and found none.
     
  4. pegas

    pegas Registered Member

    Joined:
    May 22, 2008
    Posts:
    2,372
    Thanks. I thought so but wasn't completely sure.
     
  5. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    And so it was 32 - 64 bit aware after all.

    "The stage 2 installer is GeeSetup_x86.dll. It checks the version of the operating system, and plants a 32-bit or 64-bit version of the Trojan on the system based on the check."
     
  6. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I just checked and have none of those keys.
     
  7. plat1098

    plat1098 Guest

    I had the WbemPerf key, it was empty. I deleted it.
     
  8. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    3,221
    I have it also, but no entry or subfolder - clean as it should be, no reason to delete anything I don't know exactly :rolleyes:
     
  9. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    1,900
    Location:
    Hollow Earth - Telos
    I found wbemperf and then it said default regsz and value not set. I did not find any of the 4 things above. Should I delete what I found or can I leave it there?
     
  10. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    6,216
    ^
    ----------------
     
  11. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    4,270
    No need to delete.
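
A read-only way to run the check discussed in the posts above, as an added example that is not part of any post in this thread: the PowerShell below looks for the five WbemPerf entry names listed earlier and reports an empty WbemPerf key separately from one that holds those entries. Checking both the 64-bit and 32-bit registry views, and treating the listed names as either subkeys or values, are assumptions made for this example.

```powershell
# Added example (not from the thread): read-only check for the WbemPerf entries listed above.
$path  = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf'
$names = '001', '002', '003', '004', 'HBP'   # entry names copied from the thread

function Get-WbemPerfReport {
    param([Microsoft.Win32.RegistryView]$View)

    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $key = $hklm.OpenSubKey($path)        # opens read-only; nothing is modified
        if ($null -eq $key) {
            $status = 'WbemPerf key not present'
            $hits   = @()
        } else {
            try {
                # The thread does not say whether the entries are subkeys or
                # values, so look for the names in both places (assumption).
                $present = @($key.GetSubKeyNames()) + @($key.GetValueNames())
                $hits    = @($present | Where-Object { $names -contains $_ })
            } finally { $key.Dispose() }

            if ($hits.Count -gt 0)        { $status = 'LISTED ENTRIES FOUND' }
            elseif ($present.Count -eq 0) { $status = 'WbemPerf key present but empty' }
            else                          { $status = 'WbemPerf key present, no listed entries' }
        }
        [pscustomobject]@{ View = $View; Status = $status; Entries = ($hits -join ', ') }
    } finally { $hklm.Dispose() }
}

# A 32-bit process on 64-bit Windows can see a separate copy of HKLM\Software,
# so report on both views; on 32-bit Windows both rows describe the same key.
[Microsoft.Win32.RegistryView]::Registry64, [Microsoft.Win32.RegistryView]::Registry32 |
    ForEach-Object { Get-WbemPerfReport -View $_ } |
    Format-Table -AutoSize
```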
     
  12. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,617
    Hi,
    weird because only under W10 it asks me to update, same version under W8.1 or 7 I haven't gotten any advice
    https://i.imgur.com/Qy1ruIp.png

    Have you noticed the same?
    Thanks
     
  13. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    1,900
    Location:
    Hollow Earth - Telos
    I had the same message to update with W7.
     
  14. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,646
    Location:
    Nicaragua
  15. plat1098

    plat1098 Guest

    You are right. :) I always rummage around in registry, it's back in there anyway :'(.
     
  16. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    5,508
    Location:
    USA
    Are the AV companies up to speed on this yet? I would think a scan with most products should clean this up at this point. But that is just an assumption.
     
  17. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,671
    Looks like Defender did something, though a tad late methinks.
    I wasn't using Windows 10 Sept.11-17. Then did updates Sept.18, and then ...
    On Windows 10 pro-1703, 64bit, WD flagged Ccleaner 5.33 as backdoor floxif and quarantined just the installer - that was Sept.19, then on Sept 20 WD flagged CcleanerSkipUAC and two tasks - see screenshots.
    2017-09-19_23-47-14-BackdoorQuarantined.jpg

    2017-09-20_17-23-02-CC-TasksDetectedToday.jpg

    Those task {numbers} look different than anything I'm reading here.
     
  18. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,431
    Location:
    Paris
    A few things:

    1). For those Home users that are obsessing, don't. It seems that this supply-chain malware is a continuation of Operation Aurora, which was an Industrial/Governmental info attack that has been going on for years. Originally implicated was the group Unit 61398 (Comment Crew), supplanted recently by the well funded Axiom Group. These are the same folks responsible for Ghostnet, DarkMoon etc.

    2). A better way to check to see if one is infected than checking the registry (you will only know where to look when someone tells you) is by installing and using an application that allows you to see where stuff is connecting to. A good freeware app to do this is Microsoft Network Monitor.

    For this particular infection, when running MNM you will see that two separate CCleaner are trying to connect out. One will be legit, and the other will attempt to connect to 216.126.225.148, a well known malware C&C based in Los Angeles. Although this particular server has been brought down, within the malware code is the ability to connect to different servers in the future (I don't know if this has been reported as yet).

    Anyway, a typical Home user has nothing to worry about. Axiom does not even consider Chumps Like Us as being of any value.
     
  19. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,682
    Location:
    Mexico
    These thoughts are the same as mine since yesterday.
    Good thing 'cause I don't have a clean backup image to restore.
     
  20. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    6,216
  21. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    6,216
  22. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,546
    I've seen several similar posts in this forum about this CCleaner incident. After all the image preaching that is common here, it seems people don't even have a one-month-old image to restore. Curious.
     
  23. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Anecdotal evidence based on 1 comment. For all you know most people using imaging are smart enough to know they don't need third party software to clean their machines.
     
  24. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,192
    Location:
    Mass., USA
    Last edited: Sep 22, 2017
  25. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,014
    Location:
    Europe, UE citizen
    Ya, I too think it. But it's anyway much disturbing the idea to have something like it in our system, is it? I wonder if Antirootkit like PcHunter and PowerTool are good programs to detect this backdoor. And if to uninstall the CCleaner and to clean the system would work to completely delete the backdoor. More curiosity than concern, just to know.
     