CCleaner: A Vast Number of Machines at Risk

warwagon · 22 Sep 2017

What I don't understand is that the second play load checks for 32bit or 64bit and gets either a 32bit or 64bit dll. But on a 64bit system, the 64bit ccleaner isn't infected just the ccleaner.exe. (32bit version).

I'm also wondering if the virus is active only when ccleaner is running in the system tray and if the first and second payload is even able to drop if ccleaner on a 32bit machine isn't running in the system tray and that feature is turned off. As this is the first feature of ccleaner I turn off upon installation.

I'm also wondering if it even goes through with the 2nd payload if the IP address it collects from the user in stage 1 doesn't match a large tech company.

vgchat · 22 Sep 2017

For anyone using ccleaner, make sure to remove this after you make it upgrade.

CCleaner: A Vast Number of Machines at Risk-2017-09-22.png

And this is using the 64 bit version only btw.

CCleaner: A Vast Number of Machines at Risk-2017-09-22-1-.png

warwagon · 23 Sep 2017

vgchat said:

For anyone using ccleaner, make sure to remove this after you make it upgrade.

And this is using the 64 bit version only btw.

That's because the 32bit and 64bit are packaged in the same installer. It unpacked the installer and flagged ccleaner (32bit). it's also just in your temporary internet folder from downloading ccleaner. Probably wouldn't do any harm just sitting there. Only if you run it.

MeAndMyComputer · 24 Sep 2017

I've read all of the posts and the only the CCleaner 32-bit v5.33 is supposed to be affected.
I picked up a 64-bit desktop last week and turned it on yesterday and it has CCleaner 64-bit v5.35 with Floxif on it.
When I booted up the computer, Windows Defender notified me and I let WD remove it after taking the following screenshots.
In post #113, it's mentioned ""That's because the 32bit and 64bit are packaged in the same installer. It unpacked the installer and flagged ccleaner (32bit). I suspect that's possible, but that just proves a 64bit can be affected.
I don't recall which posts it has been mentioned, but it seems v5.35 is supposed to remove whichever infection from v5.33 is included.
That didn't happen on the computer I picked up.
Anyway I immediately had Windows Defender remove Floxif but didn't read all of the posts until the computer was cleaned out.

CCleaner: A Vast Number of Machines at Risk-64-bit-ccleaner-v5_35-floxif-sep-23.png

Josey Wales · 24 Sep 2017

JohnBurns said:

I agree, with CC and recently Kaspersky AntiVirus I have made decisions for myself, which many users in these forums disagree with. It's all personal judgment and none of us seem to be perfect in that lol. None of the apps are perfect either, I guess.

Kaspersky AV is OK to use. The story about them is BS.

f14tomcat · 24 Sep 2017

MeAndMyComputer said:

I've read all of the posts and the only the CCleaner 32-bit v5.33 is supposed to be affected.
I picked up a 64-bit desktop last week and turned it on yesterday and it has CCleaner 64-bit v5.35 with Floxif on it.
When I booted up the computer, Windows Defender notified me and I let WD remove it after taking the following screenshots.
In post #113, it's mentioned ""That's because the 32bit and 64bit are packaged in the same installer. It unpacked the installer and flagged ccleaner (32bit). I suspect that's possible, but that just proves a 64bit can be affected.
I don't recall which posts it has been mentioned, but it seems v5.35 is supposed to remove whichever infection from v5.33 is included.
That didn't happen on the computer I picked up.
Anyway I immediately had Windows Defender remove Floxif but didn't read all of the posts until the computer was cleaned out.

You're fine now. 5.35 was issued only because the package was re-certified with a new signed certificate. The one from previous versions had the old certification signature from Symantec.

bobad · 24 Sep 2017

The portable version of CCleaner is safe. I don't see why anyone would use the install version... and that goes for lots of other software.

ICIT2LOL · 24 Sep 2017

Josey Wales said:

Kaspersky AV is OK to use. The story about them is BS.

Agreed I have used Kaspersky for the last seven years and apart for a little dummy spit once with the trial version of MBAM not a hint of anything crap. I have yet to try out the free version but from what I can make of it it lacks only a few features of the paid for and some of those I don't use anyway.

DC10 · 24 Sep 2017

ICIT2LOL said:

Agreed I have used Kaspersky for the last seven years and apart for a little dummy spit once with the trial version of MBAM not a hint of anything crap. I have yet to try out the free version but from what I can make of it it lacks only a few features of the paid for and some of those I don't use anyway.

ICIT, I've had Kaspersky for a few years now and my experience has been very good just like yours.

ICIT2LOL · 25 Sep 2017

DC10 said:

ICIT, I've had Kaspersky for a few years now and my experience has been very good just like yours.

Yes mate I have had no issues with it really and it is so cheap and I keep thinking I should try the free version because looking at it there are very few features it doesn't have that are in the paid for and rankly I don't use.