loki Posted September 23, 2017

The popular CCleaner utility was recently the victim of a hacking attack that infected the 32-bit version 5.33. It doesn't look like the 64-bit version was affected.

https://www.bleepingcomputer.com/how-to/security/ccleaner-malware-incident-what-you-need-to-know-and-how-to-remove/
https://arstechnica.com/information-technology/2017/09/ccleaner-malware-outbreak-is-much-worse-than-it-first-appeared/

If you were infected, it appears that the only sure way to recover is by wiping and reinstalling Windows.
il88pp Posted September 24, 2017

Thank you for the warning. I use Win7-x64 Home Premium. CCleaner installed is also x64. [I double-checked, and it is in "Program Files", not in "Program Files (x86)".] Also, no Agomo reg key under 'Piriform'. Only the two regular CCleaner and Speccy keys. From what I read that means I'm safe. (I updated to 5.34 a few days ago, but had 5.33 before that.)

One thing I wonder is, in C:/Program Files/CCleaner are both versions: CCleaner.exe and CCleaner64.exe. (Same goes for Speccy.) I think that means that even on an x64 system, the 32-bit version gets installed as well anyway, in the "Program Files" folder. (Reiterating, it's NOT in the "Program Files (x86)" folder.) I read here that this may be because the installer doesn't select one file, and just installs both for simplicity. But I'm not sure the 32-bit one ever runs or does anything in that location.

https://forums.techguy.org/threads/solved-why-two-versions-of-the-same-program.1059413/

At the moment I have the new 5.34 version. I tested running CCleaner, and only the x64 version was running in Task Manager. But I don't know if the compromised version was the same, or if that somehow forced the "CCleaner.exe" to run. Could you share your thoughts on that please?

Thanks very much, loki. Scary this could go unnoticed that long. I'll inform people I know that they may need to take action.
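The checks in the post above (which binary is installed and where, its version, the Agomo key under Piriform, and whether the 32-bit process is the one running) collected into one triage script. This is an added example, not code from the thread or from Piriform; it assumes the Agomo key sits under HKLM:\SOFTWARE\Piriform (the post names the key but not the hive) and that the 32-bit binary is the file named CCleaner.exe.

```powershell
# Added triage script for the CCleaner 5.33 incident discussed in the thread.
# Assumption: the Agomo marker key lives under HKLM:\SOFTWARE\Piriform.
$results = [ordered]@{}

# 1. Locate every CCleaner binary in both Program Files trees. The post notes
#    that CCleaner.exe (32-bit) and CCleaner64.exe ship side by side.
$candidates = @(
    "$env:ProgramFiles\CCleaner\CCleaner.exe",
    "$env:ProgramFiles\CCleaner\CCleaner64.exe",
    "${env:ProgramFiles(x86)}\CCleaner\CCleaner.exe"
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

foreach ($exe in $candidates) {
    $info = (Get-Item -LiteralPath $exe).VersionInfo
    # Build the version from the numeric parts; FileVersion as a string can
    # carry extra text in some binaries.
    $ver = [version]::new($info.FileMajorPart, $info.FileMinorPart,
                          $info.FileBuildPart, $info.FilePrivatePart)
    $is32bit = (Split-Path -Path $exe -Leaf) -ieq 'CCleaner.exe'
    $sig     = Get-AuthenticodeSignature -FilePath $exe

    $results[$exe] = [pscustomobject]@{
        Version   = $ver
        Is32Bit   = $is32bit
        # The thread's indicator: the 32-bit 5.33 build.
        Flagged   = ($is32bit -and $ver.Major -eq 5 -and $ver.Minor -eq 33)
        # Recorded for completeness only: the trojanized build was signed with
        # a valid Piriform certificate, so 'Valid' here does not clear a file.
        Signature = $sig.Status
    }
}

# 2. The registry marker the post looked for (hive is an assumption).
$results['AgomoKeyPresent'] = Test-Path -LiteralPath 'HKLM:\SOFTWARE\Piriform\Agomo'

# 3. Is the 32-bit binary the one actually running? Process names drop the
#    extension, so 'CCleaner' matches CCleaner.exe and not CCleaner64.exe.
$results['CCleaner32Running'] = [bool](Get-Process -Name 'CCleaner' -ErrorAction SilentlyContinue)

$results
```

Any entry with Flagged set to True, or AgomoKeyPresent True, matches the indicators the thread describes; the first post's advice (wipe and reinstall) is the remediation it recommends, not anything this script performs.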
CRJ_simpilot Posted September 24, 2017

Been using version 4.xx. Have no need to update. And System Ninja will find a hell of a lot more temp files. This is exactly why you watch your server access logs.
loki Posted September 24, 2017 (Author)

From what I have read it looks like you are okay if you only ran the 64-bit version. On the other hand, the full extent of what the infection did still isn't clear.
loki Posted September 24, 2017 (Author)

And how many users would know what they're looking at when reading those logs? It is a good thing to do for those who understand it, but the reality is most wouldn't know a valid request from a malicious one.
il88pp Posted September 24, 2017

Thank you for that, I'll keep following the story.
CRJ_simpilot Posted September 25, 2017

> And how many users would know what they're looking at when reading those logs? It is a good thing to do for those who understand it, but the reality is most wouldn't know a valid request from a malicious one.

I wasn't talking about users of CCleaner. I said server logs. A little reading comprehension is needed on your part. Server logs are the logs from the servers that host the CCleaner executable. Hackers were able to gain entry and replace the executable with one that is laced with malware. Plus, CCleaner should be signed.
loki Posted September 25, 2017 (Author)

> I wasn't talking about users of CCleaner. I said server logs. A little reading comprehension is needed on your part. Server logs are the logs from the servers that host the CCleaner executable. Hackers were able to gain entry and replace the executable with one that is laced with malware. Plus, CCleaner should be signed.

Sorry, I misread your post. No need to be rude.
CRJ_simpilot Posted September 30, 2017

Wasn't being rude, just being forward because I don't want to look like an idiot.
hairforceone Posted November 27, 2017

Ah, good that you mentioned this. I knew of someone who had to erase their hard drive but didn't know why it had gotten infected.