I have had CCleaner 64bit version 5.33, and I'm kinda scared that I probably got the malware. I heard that only the 32Bit version got affected, but I heard people saying they found a Trojan on the 64Bit too. So I'd like to know what to do, as I'm panicking right now. But hey, I really hope the malware attackers remove the malware from normal consumers, as they only target big companies.
Please go read the threads about it.
It has all already been explained.
Alright, I have followed the steps of this article http://www.majorgeeks.com/news/story/how_to_tell_if_you_were_infected_by_the_ccleaner_malware_issue.html and as I uninstalled the 64Bit version I don’t see the piriform folder or the agomo. Does it mean I’m safe??
Yep, you are more than likely safe, as we haven’t heard of any “dormant” payload yet.
Update the proggie to the latest available version/update and, as with all applications, check it with VirusTotal.
Then, for CCleaner, scan and check:
File Names
    CCleaner.exe
    ccleaner
    ccleaner.exe
    a5b6d1a38d1a62a960ff66f7e07903257294a5ec
    10F16BAE4E236292A3BFA47B6F100518
    478262A5D9D72BF339BD9B17261FEA42DFDF0E36E4F233BBF7D6C6E9DE0B0DC8
    478262A5D9D72BF339BD9B17261FEA42DFDF0E36E4F233BBF7D6C6E9DE0B0DC8.exe

Signature Info
    Signature Verification: Signed file, valid signature

File Version Information
    Copyright:      Copyright © 2005-2017 Piriform Ltd
    Product:        CCleaner
    Description:    CCleaner
    Original Name:  ccleaner.exe
    Internal Name:  ccleaner
    File Version:   5, 35, 0, 6210
    Comments:       CCleaner
    Date Signed:    8:23 AM 9/20/2017

Signers
    Piriform Ltd
    Symantec Class 3 SHA256 Code Signing CA
    VeriSign

Counter Signers
    Symantec Time Stamping Services Signer - G4
    Symantec Time Stamping Services CA - G2
    Thawte Timestamping CA

Also click the + on a signer, like Piriform Ltd, to see the certificate details:
    Status:         Valid
    Valid From:     1:00 AM 9/20/2017
    Valid To:       12:59 AM 10/12/2018
    Valid Usage:    Code Signing
    Algorithm:      sha256RSA
    Thumbprint:     540860AEA73A7856B4D326418E2FEE0F2AE9C361
    Serial Number:  52 B6 A8 14 74 E8 04 89 20 F1 90 9E 45 4D 7F C0
This VT routine check should be performed for everything you download. A lot of normal end-users do not,
but I advise everyone to. If something is not as it should be, do not download!!!
polonus
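The hash-and-version side of the VirusTotal routine above, as an added example for this thread (it is not code from the original posts, from Piriform or from Avast). The reference digests and the "File Version" string are copied from the VT report quoted in the post; SAMPLE_DOWNLOAD is a constructed byte string that deliberately does not match them, so running the script shows what a mismatch looks like. The certificate/thumbprint part of the report is a Windows Authenticode check and is not reproduced here.

```python
"""Hash-and-version check for a downloaded installer.

Added example for this thread, not code from the original posts, from
Piriform or from Avast. PUBLISHED_HASHES and PUBLISHED_FILE_VERSION are
copied from the VirusTotal report quoted above for ccleaner.exe
5.35.0.6210; SAMPLE_DOWNLOAD is constructed here and does not match them.
"""
import hashlib
import hmac
import os
import tempfile
from typing import Dict, Tuple

ALGORITHMS = ("md5", "sha1", "sha256")

# As printed in the VT report above. VT prints the SHA-1 in lower case and
# the others in upper case, so the comparison below must ignore case.
PUBLISHED_HASHES: Dict[str, str] = {
    "sha1": "a5b6d1a38d1a62a960ff66f7e07903257294a5ec",
    "md5": "10F16BAE4E236292A3BFA47B6F100518",
    "sha256": "478262A5D9D72BF339BD9B17261FEA42DFDF0E36E4F233BBF7D6C6E9DE0B0DC8",
}
PUBLISHED_FILE_VERSION = "5, 35, 0, 6210"  # "File Version" field of the same report

# Constructed stand-in for a download; it is not a real installer.
SAMPLE_DOWNLOAD = b"MZ" + b"constructed sample, not ccleaner.exe" * 32


def digests(data: bytes) -> Dict[str, str]:
    """Lower-case hex MD5, SHA-1 and SHA-256 of an in-memory blob."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def digests_of_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Same as digests(), but streamed so a large installer need not fit in RAM."""
    hashes = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def verify_hashes(actual: Dict[str, str], expected: Dict[str, str]) -> Dict[str, bool]:
    """Per-algorithm match of computed vs published digests.

    Case-insensitive; hmac.compare_digest does not short-circuit on the
    first differing character. An algorithm missing from `actual` counts
    as a failure rather than being silently skipped.
    """
    return {
        name: name in actual and hmac.compare_digest(actual[name].lower(), want.lower())
        for name, want in expected.items()
    }


def parse_file_version(text: str) -> Tuple[int, ...]:
    """Turn a PE 'File Version' string ('5, 35, 0, 6210' or '5.35.0.6210') into a tuple."""
    return tuple(int(part) for part in text.replace(",", ".").split(".") if part.strip())


def version_at_least(have: str, want: str) -> bool:
    """True if `have` is the same as or newer than `want` (numeric tuple order, so 5.9 < 5.35)."""
    return parse_file_version(have) >= parse_file_version(want)


def assess(data: bytes, file_version: str) -> Tuple[bool, Dict[str, bool]]:
    """Both checks together: every published hash matches and the version is current."""
    results = verify_hashes(digests(data), PUBLISHED_HASHES)
    ok = all(results.values()) and version_at_least(file_version, PUBLISHED_FILE_VERSION)
    return ok, results


def file_matches_memory(data: bytes) -> bool:
    """Write `data` to a temp file and confirm the streamed hasher agrees with digests()."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        return digests_of_file(path) == digests(data)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    verdict, per_algo = assess(SAMPLE_DOWNLOAD, "5.33")
    for name, matched in per_algo.items():
        print(f"{name:6s} {'match' if matched else 'MISMATCH'}")
    print("download OK" if verdict else "do not run this file")
```

To use it on a real download, replace SAMPLE_DOWNLOAD with `digests_of_file("ccleaner.exe")` and take the expected digests from the vendor page or the VT report for the exact build you downloaded; a hash taken from the same page you downloaded the file from proves integrity, not provenance, which is why the signer and thumbprint in the report above are worth checking separately.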
Well, thanks! Now I can sleep peacefully and not keep waking up. I will do it later, as my wifi is currently down and I'm using my phone's mobile data. Thanks.
Sorry Polonus, that routine would not have caught the CCleaner infection and is certainly a lot of additional work to go through for a simple download. Use only trusted sites to download your programs from. Whenever possible, get the download directly from the author's site.
Hi bob3160,
That is not for the program download; those are the additional details the VT report gives us on a clean scan.
VT is a very trustworthy source.
Whenever he scans the proper download link, he will get similar results.
Where you get the idea that the infection cannot be found at the VT repository is beyond me.
Not a single one of the scanners there can get a valid detection? I do not believe you.
polonus
Well, additionally, you were right that neither Piriform nor Avast could detect it, because they were blinded by the unknown payload;
however, other scanners without the payload detected it later. That was at the culprit of it, and now Avast finally detects it as well.
polonus
??? “they”? Avast was never loaded/blinded with payload… ???
Hi Lisandro,
Well, that was the situation between August 15, 2017 and September 15, 2017 according to https://blog.avast.com/progress-on-ccleaner-investigation , and the claims made here by Cisco: http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html
Initially no one detected the hidden C2 server 307 redirect. I quote: "situations where entire stages of an attack go undetected for a long period of time", and there one is not aware of the full payload involved. This should be a lesson for release management in the future.
polonus
Well, it's a matter of English words for me:
The malware was hidden from all security products.
But none of them was blinded by the malware itself; rather, they were mocked by the malware.
Hi Lisandro,
The sad issue here is that we still do not know the full impact of the incident before Sept. 12th last, nor the amount of data that went out of the window. Mockery or not, this is proof of the fact that the overall security status of the Internet has been severely affected in this particular case by certain advanced state hackers. Recently, in Asia alone, hundreds and hundreds of infested C2 servers have been taken down by concerted police action.
What can you trust again in such a generally "borked" situation? There Avast comes out as much of a victim as all the other parties involved, especially end-users.
We do not live in an ideal world; still, I side with those who want to uphold proper security, for the sole reason that the other option is no option in my view.
polonus
Today's Avast update on the incident: roughly 40 users were infested with the second payload. This according to Avast's reporting here: https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident
For general background on that situation (nothing to do with Avast), read this: https://medium.com/message/everything-is-broken-81e5f33a24e1 and, discussed from another point of observation, here: https://www.networkworld.com/article/3134516/security/answers-to-is-the-internet-broken-and-other-dyn-ddos-questions.html
polonus