CCleaner trojan\backdoor

4wd

Getting the picture
Joined
Dec 16, 2012
Messages
1,674
Reaction score
2,203
Points
113
My Satellite Setup
5 W, 9-13-19-28 E
My Location
Bergen, Norway \ Alpes Maritimes, France

Topper

Amo Amas Amant Admin
Staff member
Joined
Nov 18, 2004
Messages
23,991
Reaction score
4,014
Points
113
Age
69
My Satellite Setup
Has gone to a good home elsewhere
My Location
Blackburn, Lancashire
Yes, I spotted this yesterday evening whilst setting up my replacement workstation in the study; I have finally retired the XP model. I also use CCleaner on a regular basis. I had that version on my laptop, but my lappy is locked down tight so it seems to be unaffected; however, I am just running a full scan with Avast at the moment.
 

Topper
Ok, well, it has recognised the download as a threat, which is good, so I have set it to deep scan prior to booting. It could be a long job.
 

jeallen01

Specialist Contributor
Joined
Oct 12, 2003
Messages
6,674
Reaction score
2,630
Points
113
My Satellite Setup
See Signature
My Location
Somewhere in England (possibly?)!
4wd

Many thanks for the alert. I think my previous version was 5.33, installed on 2 Sept, but Kaspersky prompted me to install the latest version this morning and it's now 5.34.6207.
Nevertheless, I will run deep scans with Kaspersky & Malwarebytes to see if anything nasty has been left behind!

BTW: here is a snapshot of the list of apps and malware found when Virus Total scanned ccsetup533.exe, and the Virus Total page is here
 

Attachment: Virus Total Scan of CCset 5.33, 2017-09-19.JPG

jeallen01
BTW2: do you think the problem might have been the site from which 5.33 was downloaded, if it were not the original Piriform site?

Update: this page on howtogeek tells how you can look in the Registry and find out if you had the infected version on your m/c at some time, and says that
"If that version is before version 5.33.6162, then you are not affected, and you should manually download the latest version now. If that version is 5.34 or later, your current version isn’t affected, but if you updated CCleaner in between August 15th and September 12th, and are on a 32-bit system, you may still have been affected. (If you’re comfortable going into the registry, you can open Registry Editor and navigate to HKLM\SOFTWARE\Piriform and see if there is a key labeled Agomo:MUID . If that key exists, it means you had the infected software on your system at one point in time.)"

- just checked the Registry on my main laptop (it's 64-bit, so should be OK anyway) and there's no sign of Agomo:MUID!
 
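The checks this thread talks about, collected into one script as an added example (it is not code from the thread, How-To Geek, Piriform or Avast): the Agomo:MUID registry marker and the 5.33.6162 version threshold quoted above, the leftover ccsetup533.exe that later posts report finding in a downloads folder, and the code signature a later post remarks on. The default install directories and the Downloads folder location are assumptions; no file hashes are hard-coded, so compare the SHA-256 it prints against the indicators published by the vendor or your AV, or look the hash up on VirusTotal.

```powershell
# Added example, not code from the forum thread, How-To Geek, Piriform or Avast.
# Triage script for the CCleaner 5.33 incident discussed above. Run it in an
# elevated Windows PowerShell prompt on the machine being checked.
# Assumptions (not from the thread): the default install directories used below,
# and that a kept copy of the installer sits in the user's Downloads folder.

function Get-CCleaner533Triage {
    # 1. Registry marker. The quoted How-To Geek text names HKLM\SOFTWARE\Piriform
    #    and a marker called Agomo:MUID, i.e. an Agomo key holding a MUID value.
    #    A 32-bit installer on 64-bit Windows can land under WOW6432Node, so both
    #    views of the hive are checked.
    $agomoKeys = @(
        'HKLM:\SOFTWARE\Piriform\Agomo',
        'HKLM:\SOFTWARE\WOW6432Node\Piriform\Agomo'
    )
    $agomo = foreach ($key in $agomoKeys) {
        if (Test-Path -LiteralPath $key) {
            $props = Get-ItemProperty -LiteralPath $key
            [pscustomobject]@{
                Key  = $key
                MUID = $props.MUID
            }
        }
    }

    # 2. Installed build. Per the thread, only the 5.33 release (5.33.6162) is
    #    implicated; earlier builds and 5.34+ are clean. Major/minor parts of the
    #    PE version resource are used so the vendor's version-string layout does
    #    not have to be parsed.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $installed = foreach ($root in $roots) {
        $exe = Join-Path $root 'CCleaner\CCleaner.exe'   # assumed default path
        if (Test-Path -LiteralPath $exe) {
            $vi = (Get-Item -LiteralPath $exe).VersionInfo
            [pscustomobject]@{
                Path          = $exe
                FileVersion   = $vi.FileVersion
                AffectedBuild = ($vi.FileMajorPart -eq 5 -and $vi.FileMinorPart -eq 33)
            }
        }
    }

    # 3. Leftover installer. Posters above found ccsetup533.exe still on disk even
    #    where the 64-bit program was unaffected. The backdoored build carried a
    #    valid Piriform code signature, so a 'Valid' status does not clear the file:
    #    the SHA-256 has to be compared with published indicators (none are
    #    hard-coded here) or checked on VirusTotal.
    $downloads = Join-Path $env:USERPROFILE 'Downloads'   # assumed location
    $installers = Get-ChildItem -LiteralPath $downloads -Filter 'ccsetup533*.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File      = $_.FullName
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Signature = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }

    [pscustomobject]@{
        Is64BitOS          = [Environment]::Is64BitOperatingSystem
        AgomoMarker        = @($agomo)
        InstalledCCleaner  = @($installed)
        LeftoverInstallers = @($installers)
        # The thread's reading: the backdoor executed only where the 32-bit
        # CCleaner.exe actually ran; an Agomo marker means that happened.
        LikelyRan          = (@($agomo).Count -gt 0)
    }
}

Get-CCleaner533Triage | Format-List
```

The three results are kept separate on purpose: a 64-bit machine can have the installer in Downloads and a non-affected build in Program Files with no Agomo marker, which matches what the 64-bit posters in this thread report, whereas the marker on its own is the one that says the backdoored binary ran. Deleting the installer without first recording its hash throws away the evidence you would need to confirm which build it was.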

Topper
> BTW: here is a snapshot of the list of apps and malware found when Virus Total scanned ccsetup533.exe, and the Virus Total page is here

Can I just correct you: I believe the posted pic is a list of the AV engines that could and could not find the trojan; 40 did, but a lot more did not.
 

jeallen01
Topper

Maybe you are correct, and I misinterpreted the page info.
 

jeallen01
Update
Did two full scans:
- Malwarebytes found nothing,
- Kaspersky found and deleted the downloaded setup file ("ccsetup533.exe//CCleaner.exe") for version 5.33

So it looks like the latest and updated Malwarebytes Free did not, but Kaspersky did, find the malware files shown here on the Virus Total website page.
 

Terryl

Specialist Contributor
Joined
Apr 14, 2011
Messages
3,288
Reaction score
1,941
Points
113
Age
82
My Satellite Setup
OpenBox X5 on a 1 meter motorized dish.
And now a 10 foot "C" band dish.

Custom built PC
My Location
Deep in the Boonies in the central Sierra Nevada mountains of California.
My paid version of Malwarebytes found it on one of my 32-bit PCs and dumped it.
 

jeallen01
> My paid version of Malwarebytes found it on one of my 32 bit PC's and dumped it.

Was it found "automatically" during the download, or only when you initiated a scan (as I did with Kaspersky)?
 

Terryl
It scanned the computer at a pre-set time (2 AM); it found it automatically. I don't use that PC that much, so it waited till I logged on and I saw the warning.
 

Topper
Yes, Avast missed it in the download but picked it up when I initiated a full scan... poor.
 

dig deep

Prince of Birthdays
Staff member
Joined
Sep 28, 2005
Messages
8,972
Reaction score
424
Points
83
My Satellite Setup
Dream7020 and AZ Elite and a few DM800
My Location
Sweden
Used it for many years, but always downloaded from the official homepage.
 

4wd
> but always downloaded from official homepage

What makes this case so special is that it's the official download server that got infected, owned and run by an established and well-reputed antivirus company; a ridiculous situation of not detecting their 'own' virus and allowing millions of downloads before realising.
 

Topper
> Yes I spotted this yesterday evening whilst setting up my replacement workstation in the study, I have finally retired the XP model. I also use CCleaner on a regular basis, I had that version on my laptop but my lappy is locked down tight so it seems to be unaffected however I am just running a full scan with Avast at the moment.

To correct my earlier statement, my lappy uses the 64-bit version, which was supposed to be unaffected, yet the file containing a trojan was found in my downloads directory.
 

jeallen01
> To correct my earlier statement my lappie uses the 64bit version which was supposed to be unaffected, yet the file containing a trojan was found in my downloads directory

Actually it was a similar situation here, but the file in question was "Saved as" in a sub-folder in the CCleaner folder when I downloaded it. I suspect that the same setup file was used for both 32- & 64-bit O/S but was only "activated" when installed on the former.

More info on what appears to have happened is on the Tom's Hardware site here
 

Topper
Yep, a lot of unhappy bunnies in the world who will never trust either Avast or CCleaner again. Perhaps it was a disgruntled employee who lost his/her job when Avast took over; it also seems odd that the certification was correct.
 

Channel Hopper

Suffering fools, so you don't have to.
Staff member
Joined
Jan 1, 2000
Messages
35,596
Reaction score
8,576
Points
113
Age
59
Website
www.sat-elite.uk
My Satellite Setup
A little less analogue, and a lot more crap.
My Location
UK
At the end of last week I found that CCleaner had already released 5.34; if so, why would 5.33 still be promoted as current?
 

jeallen01
> At the end of last week I found that ccleaner had already released 5.34, if so, why would 5.33 still be promoted as current?

CH:
From what I read, 5.33 is still "current" for those people who are using the free version, which has to be updated manually, and so theirs won't update unless they manually trigger it, whereas those with paid-for subscriptions will get it automatically. Also, for PCs running a 32-bit OS, 5.33 appears to leave a Trojan entry in the Registry which 5.34 does not then seem to remove - see Post #5 above.
 

PaulR

Dazed and Confused Admin
Staff member
Joined
Jun 28, 2003
Messages
18,024
Reaction score
4,046
Points
113
My Satellite Setup
-----------See sig-----------
My Location
Wirral, NW UK and Vaucluse, France.
Phew! Glad I'm 64-bit.
 