CCleaner

Discussion in 'Windows XP Security' started by priscus, Sep 18, 2017.

  1. priscus
    Anyone using versions: v5.33.6162 and CCleaner Cloud v1.07.3191 is advised to download new versions.

    August download has been hacked.
     
    priscus, Sep 18, 2017
    #1
  3. Elizabeth23

    priscus, thanks for the update. I use an older version of CCleaner, 5.26.5937, with auto updates disabled and monitoring disabled. :)
     
    Elizabeth23, Sep 18, 2017
    #3
  4. Jody Thornton

    Can XP even run 5.x versions of CCleaner?
     
    Jody Thornton, Sep 18, 2017
    #4
  5. Elizabeth23

    I have gone with this version since an upgrade to anything after version 5.26.5937 did not play well with XP. Cannot remember what issues I had. :)
     
    Elizabeth23, Sep 18, 2017
    #5
  6. priscus

    You're lucky.

    Have got six devices running ver 5.34, but they HAVE previously run 5.33!

    According to the blog referenced above, these require either a system restore to a date prior to when 5.33 ran, or a re-install.

    Have only just finished wrapping up the final tail ends associated with the last herculean task of re-installing the OS.

    And my restore point of 9th Aug for two of my XP systems appeared to be a solution, but ten minutes into the process, it terminates with a message that it cannot complete the restore to that date.

    So, I will have to live with the infected systems until one of the malware programs offers a solution: it seems, to date, only one in sixty-four of them is detecting it!
     
    priscus, Sep 18, 2017
    #6
  7. Elizabeth23

    1. I do not use system restore and have disabled it on all my PCs; I use ERUNT, which makes a new registry restore point with each restart.

    2. Even with a full clean install, sometimes I will get a "cannot complete restore" unless I do the restore from safe mode. A safe mode restore has not ever failed, yet. :)

    3. If you have completed a reinstall with a full drive wipe, then your system should be clean. I use Darik's (DBAN) every time I reinstall, as it does a better wipe than the normal wipe done at the beginning of installation, and if you use XP's wipe, do not use the quick wipe (or quick format).

    4. Go with the older version, and, as I am sure you do this regularly, as do I, always save downloads to the desktop and scan with antivirus and with Malwarebytes Free. This way you have a 99% chance of catching anything before it is released onto the PC. :)
     
    Elizabeth23, Sep 18, 2017
    #7
  8. priscus

    Malwarebytes found Trojan 'Floxif' (potentially dangerous) on two of my machines.

    I cannot prove they had been left as a consequence of the toxic payload enabled by the malware in CCleaner, but it would appear to be the only thing which the two machines have in common, and neither had visited any dodgy sites, or had any unknown material clicked upon.

     
    priscus, Sep 19, 2017
    #8
  9. Elizabeth23
    but your machines are clean now, yes??
     
    Elizabeth23, Sep 19, 2017
    #9
  10. priscus

    Well......

    Malwarebytes has removed Floxif from both machines, and is finding no other issues. Neither is Avast on the XP machine, or Windows Defender on the W10 machine.

    However, at least as of yesterday, NONE of the regular AVs (except ClamAV) are yet recognising the malware in CC 5.33. The article cites a very low rate of detection: one in sixty-four.

    Although, it was Floxif that ClamAV had detected in their screenshot.

    So I will run AV scans every session of using these machines, just to ensure that there is not still a viable source of entry for malicious code.

    There are still three machines which I have not yet checked, and I am too busy to do so at present, so they will remain unused until I have the opportunity to deal with them.

    PS: On W10, Windows Defender failed to find the instance of Floxif which was discovered by Malwarebytes, and the 'Boot-time' scan performed by Avast also failed to detect it on the XP machine.
     
    Last edited: Sep 19, 2017
    priscus, Sep 19, 2017
    #10
  11. Elizabeth23

    It would be best to never depend on one scanner. I have Malwarebytes as an on-demand scanner and 360TSE as a real-time antivirus, and when I feel that there is something wonky on my PC I might run an online scan with Kaspersky or ESET, but I am not sure that they do it for XP anymore. But generally these two scanners keep my PC clean. :)
     
    Elizabeth23, Sep 19, 2017
    #11
  12. priscus

    Search engines list a number of specific 'Floxif' removal tools. Don't know how good they are. Have set this one to work, but it has been scanning for nearly three hours now, which is just too long for regular use.

    https://www.avg.com/en-gb/remove-win32-floxif
     
    priscus, Sep 19, 2017
    #12
  13. Elizabeth23

    Elizabeth23, Sep 20, 2017
    #13
  14. priscus

    Haven't tried it on the XP system yet. It was on the W10 that it took three hours to scan, and found no re-occurrence.
     
    priscus, Sep 20, 2017
    #14
  15. priscus

    https://www.wired.com/story/ccleaner-malware-targeted-tech-firms/

    It is beginning to make more sense now: someone went to a lot of trouble to try to sneak this through as an undetectable plant.

    Although version 5.34 has only been out for a matter of days (they have been in the habit of updating on a monthly basis), Piriform have released version 5.35.
     
    priscus, Sep 21, 2017
    #15
  16. Mike_Walsh
    @priscus:-

    Do be aware that ClamAV has a very high rate of 'false positives', so that screenshot shouldn't be taken too seriously.....

    One of the reasons nobody much uses it on the Linux side of the fence, either. Most folks I know prefer to use Comodo's 'AV for Linux' instead.


    Mike. ;)
     
    Mike_Walsh, Sep 23, 2017
    #16
  17. priscus

    Maybe, but not a falsey in this case.

    Both Malwarebytes and Avast are now also detecting 'Floxif': it's just that they have taken their time getting around to doing so.

    My first attempt at removal with Malwarebytes appeared successful and the system tested clear. However, it was not, and after a later switch-on, a re-occurrence was detected.

    The second attempt to get rid of Floxif seems to have worked, and I have purged the registry entries. (Note that ver 5.35 of CCleaner does not have the 'Agomo' file, so one can safely eliminate its entries in the registry.)

    Apparently the malware raged unchallenged for the best part of a month because its certification was valid: now revoked, so hopefully AV will now, in general, be detecting it.

    The advice to restore or re-install is because it is not known if any home users have received a secondary payload package of malware/spyware, as has been reported to have happened to the tech firm targets.
     
    priscus, Sep 23, 2017
    #17
  18. Elizabeth23

    priscus: just a note, I have a flash drive with all the installers for the programs I use (Firefox, CCleaner, Defraggler, ERUNT, etc.) in the versions I use, so that when I reinstall XP I use the flash drive for the programs and do not go online and download the program. Also, since flash drives are a big problem with installing viruses (especially if autorun and autoplay are not disabled), it is very helpful that 360 Total Security Essentials will scan a flash drive the second you plug it in, before it will let you open it.

    Just another way to be safe. :)
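    The two checks this thread keeps coming back to, written out as an added Python example that is not code from the thread or from Piriform: which machines currently run, or have ever run, the builds named in post #1 (the situation in post #6), and comparing a saved installer's digest with a reference value obtained from the vendor separately, since a valid signature alone did not help (posts #7 and #17). The inventory, the 5.34 build number and any reference digest are assumptions.

```python
# Added example (not the thread's code); constructed values are marked below.
import hashlib
import re

# Affected builds exactly as stated in post #1.
AFFECTED_BUILDS = {
    "CCleaner": (5, 33, 6162),
    "CCleaner Cloud": (1, 7, 3191),
}

def parse_version(text):
    """'v5.33.6162' -> (5, 33, 6162); rejects anything else."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(p) for p in m.groups())

def is_affected(product, version):
    """Only the two named builds carried the backdoor, so match exactly."""
    return parse_version(version) == AFFECTED_BUILDS.get(product)

def classify_machine(product, history):
    """history: versions in install order, newest last. A machine that once
    ran an affected build still needs the restore or re-install discussed
    in post #6, even if it has since been updated."""
    if not any(is_affected(product, v) for v in history):
        return "clean"
    if is_affected(product, history[-1]):
        return "affected-installed"
    return "affected-previously"

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def installer_matches(data, expected_hex):
    """True when the saved installer's digest equals the reference value."""
    return sha256_hex(data) == expected_hex.strip().lower()

# Constructed inventory: a device now on 5.34 that earlier ran 5.33 (post #6),
# one still on 5.26.5937 (post #3), one on the affected Cloud build. The
# 5.34 build number is made up; the thread only says "5.34".
INVENTORY = {
    "xp-01": ("CCleaner", ["v5.26.5937", "v5.33.6162", "v5.34.0"]),
    "xp-02": ("CCleaner", ["v5.26.5937"]),
    "cloud-01": ("CCleaner Cloud", ["v1.07.3191"]),
}

def report(inventory):
    return {name: classify_machine(p, h) for name, (p, h) in inventory.items()}
```

    Run `report(INVENTORY)` to see which devices need the restore or re-install rather than just an update; `installer_matches(open(path, "rb").read(), digest)` covers the saved download.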
     
    Elizabeth23, Sep 23, 2017
    #18
  19. priscus

    It would seem that the makers of A/V ware do NOT respond to emergent threats with anything like the haste that their hype would have us believe.

    In this case, it appears that the damage has been done by the time a user becomes aware of the infection, and even then, a significant window of opportunity exists before A/V is offering any protection.

    I guess that is why the advice given was to isolate any infected machine from any network connection until the machine has been 'sanitised'.
     
    priscus, Sep 25, 2017
    #19
  20. Elizabeth23
    need some bleach? :)
     
    Elizabeth23, Sep 25, 2017
    #20