CCleaner cloud install exe installer
12/30/2023

After browsing the Internet tonight, I opened CCleaner v5.34 to clean up the system before shutting it down, when I found this message by CCleaner saying I should update to v5.35. I thought: "But just the other day I updated to v5.34!", and then went to the folder where I keep the latest installers (just in case as a backup, for the programs I always use) to check the day I downloaded v5.34, when my antivirus automatically deleted the installer for v5.33, and this log showed up:

Time Scanner Object type Object Threat Action User Information Hash First seen here
21-09-2017 0:57:15 Real-time file system protection file D:\data\_201\software\ccleaner\ccsetup533.exe Win32/CCleaner.A trojan cleaned by deleting Azrael-PC\Azrael Event occurred during an attempt to access the file by the application: C:\Windows\explorer.exe (4583DAF9442880204730FB2C8A060430640494B1).

So I thought: "Whaaaaat? It must be a false positive." But as it turns out, it wasn't (:P)

A quick Google search resulted in many pages with the news from just a couple of days ago saying that the installer for v5.33 was modified by a group of hackers that injected some type of malware into the installer while it was on Piriform's server ready for download, and that it was downloaded more than 2 million times while it was available from August 15 until September 12, when v5.34 replaced it.

Yep, the affected installer that had malware was up for almost a month, and nobody noticed. If you downloaded it during that month, it is most likely that you may have it.

The malware is run during CCleaner's installation/update/execution if these conditions are met:

During the install, the malware creates the registry "HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo", and somehow saves certain information that it uploads somewhere during the installation and execution of CCleaner.

If later you updated to v5.34, this doesn't remove the malware's registry, just replaces CCleaner's main (infected) EXE with a clean one, so you still need to clean that manually. If you find the above registry, then most likely you're infected. But just in case, update your antivirus/antimalware software and do a scan to safely remove it.

"What version of the OS are you running, 32bit or 64bit? The Trojan in CCleaner 533 only affected the 32bit version of Windows. It was installed into the CCleaner.exe file and activated when run. The 64bit OS used the CCleaner64.exe and this file was not infected."

Drmike: From reading the articles above, the registry keys are still created and the virus is still present on your hard drive.

Below is a simplified timeline of events, based on Avast's recent statement:

July 3 - Evidence suggests hackers breached Piriform's IT systems.
July 18 - Avast decides to buy Piriform, the company behind CCleaner.
August 15 - Piriform, now part of Avast, releases CCleaner 5.33. The CCleaner installer included the Floxif trojan, but the malware executed only on 32-bit systems.
August 20 and 21 - Morphisec's security product detects first instances of malicious activity (malware was collecting device details and sending the data to a remote server), but Morphisec does not notify Avast.
August 24 - Piriform releases CCleaner Cloud v that also includes the Floxif trojan.
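
The leftover described in the posts above (the HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo key surviving an update to v5.34) can be checked with a short read-only PowerShell script. This is an added example, not part of the original posts or of any vendor tool; the install path under Program Files is an assumption, and the script only reports what it finds.

```powershell
# Added example (not from the posts). Read-only: nothing is changed or deleted.
# Needs .NET 4 or later (Windows PowerShell 3.0+) for RegistryKey.OpenBaseKey.
$subKey = 'SOFTWARE\Piriform\Agomo'      # key name as given in the post
$exe    = Join-Path $env:ProgramFiles 'CCleaner\CCleaner.exe'   # assumed default install path

# On 64-bit Windows a 32-bit process writes to the 32-bit registry view,
# so look in both views there; a 32-bit OS has only one view.
$views = @([Microsoft.Win32.RegistryView]::Default)
if ([Environment]::Is64BitOperatingSystem) {
    $views = [Microsoft.Win32.RegistryView]::Registry32,
             [Microsoft.Win32.RegistryView]::Registry64
}

$hive = [Microsoft.Win32.RegistryHive]::LocalMachine
$leftovers = foreach ($view in $views) {
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($hive, $view)
    $key  = $base.OpenSubKey($subKey)    # opened read-only; $null when absent
    if ($key) {
        [pscustomobject]@{
            View       = $view
            Key        = "HKLM\$subKey"
            ValueNames = $key.GetValueNames() -join ', '
        }
        $key.Close()
    }
    $base.Close()
}

# Major.minor version of the installed 32-bit binary, from its version resource.
$installed = $null
if (Test-Path -LiteralPath $exe) {
    $vi = (Get-Item -LiteralPath $exe).VersionInfo
    $installed = '{0}.{1}' -f $vi.FileMajorPart, $vi.FileMinorPart
}

# Summary: key present after an update means the manual cleanup is still pending.
[pscustomobject]@{
    AgomoKeyPresent  = [bool]$leftovers
    InstalledVersion = $installed
    Is533Binary      = ($installed -eq '5.33')
    KeyDetails       = $leftovers
}
```

AgomoKeyPresent being true while Is533Binary is false matches the case the post describes: the EXE was replaced by a later version but the registry entry was left behind.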