Trojan.Floxif detection

Hi, I have updated CCleaner to the new 64-bit version.
Then I ran MBAM, which detected Trojan.Floxif at location C:/Users/Gebruiker/Downloads/ccsetup533_slim.exe
What to do next, to enable MBAM to remove this malware?
Help is appreciated, thanks in advance.

This is the Avast forum, not Malwarebytes.

Questions about this have been asked/answered in the Malwarebytes forum.
And empty your download folder of old stuff :wink:

https://blog.avast.com/update-to-the-ccleaner-5.33.6162-security-incident

There are no symptoms, because the threat is so well hidden via obfuscators and other software. It can only be detected by the existence of the “Agomo” sub-key in the Windows Registry Editor.

To be able to run the malicious file every time Windows starts, the trojan can add the following to the registry in the “Windows” sub-key, inside HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion:

→ “AppInit_DLLs” = “C:\Program Files\Common Files\System\symsrv.dll”
“LoadAppInit_DLLs” = 1

Furthermore Trojan.Floxif can also hide the registry entries by attacking the following Registry sub-keys:

→ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

These keys are set with following values:

→ “ShowSuperHidden” = 0
“NoDriveTypeAutoRun” = 145
“Type” = “radio-”
“SFCDisable” = 4294967197

Another activity executed is a connection to the following Windows application programming interfaces (APIs):

→ CredReadW (advapi32.dll)
CreateServiceA (advapi32.dll)
CreateServiceW (advapi32.dll)
OpenServiceA (advapi32.dll)
OpenServiceW (advapi32.dll)
WinVerifyTrust (Wintrust.dll)
CreateFileW (kernel32.dll)
ExitProcess (kernel32.dll)
RegOpenKeyExA (kernel32.dll)
RegOpenKeyExW (kernel32.dll)
CreateProcessInternalW (kernel32.dll)
MessageBoxTimeoutW (user32.dll)
KiUserExceptionDispatcher (ntdll.dll)
WahReferenceContextByHandle (ws2help.dll) (the attackers are therefore known as API hackers)

Well, the infection process does not end there: Trojan.Floxif malware also tries to remove system files from Windows itself:

→ %Program Files%\Common Files\System\symsrv.dll.dat
%Users%\Administrator\Local\Temp\…*.tmp

The ultimate goal of the Floxif malware is stealing information from your computer/device or installing other malware. Next to gathering lists of what programs run on your computer, it reads network information together with unique identifiers; the virus can also connect out to a remote host to download malcode. To store stolen info, Trojan.Floxif could create the following files:

→ %System Drive%\pagefile.pif
%System Drive%\autorun.inf
%Temp%\update.exe

From such files it automatically executes the file update.exe.

Info credits go to Vencislav Krustev

polonus (volunteer website security analyst and website error-hunter)
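The post above lists the registry keys, values and file paths it associates with Trojan.Floxif. The following PowerShell function is an added example (not code from this thread, from Avast or from Piriform) that reads those locations on the local machine and reports which of them are present, without modifying anything. Two assumptions: the post only names an “Agomo” sub-key, so the full path HKLM\SOFTWARE\Piriform\Agomo used here is the commonly reported location rather than something the post states; and the function names Get-FloxifIndicators and New-Finding are this example's own. Run it from an elevated PowerShell session so HKLM and Common Files are fully readable.

```powershell
# Added example, not from the forum thread, Avast or Piriform.
# Read-only check for the indicators quoted in the post above; nothing is changed.

function New-Finding([string]$Level, [string]$Indicator, [string]$Detail) {
    # Small record type for one observation (example's own helper).
    [pscustomobject]@{ Level = $Level; Indicator = $Indicator; Detail = $Detail }
}

function Get-FloxifIndicators {
    $findings = @()

    # 1. The "Agomo" sub-key, which the post calls the only real giveaway.
    #    ASSUMPTION: HKLM\SOFTWARE\Piriform\Agomo is the commonly reported location;
    #    the post itself only names the "Agomo" sub-key.
    $agomoPath = 'HKLM:\SOFTWARE\Piriform\Agomo'
    if (Test-Path -LiteralPath $agomoPath) {
        $findings += New-Finding 'High' 'Agomo sub-key present' $agomoPath
    }

    # 2. AppInit_DLLs persistence under HKLM\...\Windows NT\CurrentVersion\Windows.
    #    Any non-empty AppInit_DLLs is worth a look; symsrv.dll is the name the post quotes.
    $winNt   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $appInit = Get-ItemProperty -LiteralPath "$winNt\Windows" -ErrorAction SilentlyContinue
    if ($appInit -and $appInit.AppInit_DLLs) {
        $level = if ($appInit.AppInit_DLLs -match 'symsrv\.dll') { 'High' } else { 'Info' }
        $detail = '{0} (LoadAppInit_DLLs={1})' -f $appInit.AppInit_DLLs, $appInit.LoadAppInit_DLLs
        $findings += New-Finding $level 'AppInit_DLLs is set' $detail
    }

    # 3. Files named in the post, resolved through the usual environment variables.
    $paths = @(
        (Join-Path $env:CommonProgramFiles 'System\symsrv.dll'),
        (Join-Path $env:CommonProgramFiles 'System\symsrv.dll.dat'),
        (Join-Path $env:SystemDrive 'pagefile.pif'),
        (Join-Path $env:SystemDrive 'autorun.inf'),
        (Join-Path $env:TEMP 'update.exe')
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            $findings += New-Finding 'High' 'File named in the post exists' $p
        }
    }

    # 4. SFCDisable in Winlogon. A DWORD of 4294967197 reads back as -99 in PowerShell,
    #    so compare against zero rather than against the decimal in the post.
    $winlogon = Get-ItemProperty -LiteralPath "$winNt\Winlogon" -ErrorAction SilentlyContinue
    if ($winlogon -and $null -ne $winlogon.SFCDisable -and $winlogon.SFCDisable -ne 0) {
        $findings += New-Finding 'Medium' 'SFCDisable is set in Winlogon' "$($winlogon.SFCDisable)"
    }

    # 5. Explorer values from the post. ShowSuperHidden = 0 and NoDriveTypeAutoRun = 145 (0x91)
    #    are also the stock Windows defaults, so on their own they prove nothing: reported as Info.
    $adv = Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
    if ($adv -and $adv.ShowSuperHidden -eq 0) {
        $findings += New-Finding 'Info' 'ShowSuperHidden = 0 (also the Windows default)' 'HKCU Explorer\Advanced'
    }
    $pol = Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue
    if ($pol -and $pol.NoDriveTypeAutoRun -eq 145) {
        $findings += New-Finding 'Info' 'NoDriveTypeAutoRun = 145 (also the Windows default)' 'HKCU Policies\Explorer'
    }

    # The leading comma keeps an empty result as an array instead of $null.
    return ,$findings
}

$result = Get-FloxifIndicators
if (-not $result -or $result.Count -eq 0) {
    Write-Output 'None of the indicators from the post were found.'
} else {
    $result | Format-Table -AutoSize
}
```

Only the “High” rows are specific to what the post describes; the “Info” rows are included because the post lists them, but they match an untouched Windows installation as well, which is why a registry value alone should not be read as proof of infection. If the Agomo key does turn up, `Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Piriform\Agomo'` shows its values, and the advice later in this thread (update CCleaner, consider a restore to a known-clean date if further malware was downloaded) applies.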

Ok, then tell us, is every user of CCleaner 5.33 affected by this malware? Avast did not detect anything on my system. How can I check if I am affected, or how do I remove this malware? Thank you

The check is described here: http://www.majorgeeks.com/news/story/how_to_tell_if_you_were_infected_by_the_ccleaner_malware_issue.html

In a few easy, well-described steps, via what the registry editor will kick up,
you can see whether you are affected or not.

polonus

So if there is no Agomo folder there, I am not infected? So how is it possible that some people are infected and some not? Does deleting this folder completely remove this malware? Thank you.

Ahoy The Owner,

Because not all versions were infested.
The 64 bit was never affected, the 32 and slim one again were.
Agomo in the registry is the only give away…

When infested you have to reset your comp OS to an earlier clean date,
because the malware will automatically reset/restore at start-up,
and you’d never be sure other malware was not being downloaded.

You were compromised and you cannot leave your OS compromised, period.

polonus

Thank you for the answer. The 32/64-bit installer is the same. There is no separate installer for 32 and 64 bit. I am a 64-bit user and I don't have the Agomo folder. But 32-bit users have it, and then if new malware is downloaded, it must be downloaded by some executable which should be detected by Avast, I hope. Thank you for the good news, 64-bit users are not affected!

Well, resetting the system could be a bit too drastic a measure, as we read:

Some media reports suggest that the affected systems needed to be restored to a pre-August 15th state or reinstalled/rebuilt. We do not believe this is necessary. About 30% of CCleaner users also run Avast security software, which enables us to analyze behavioral, traffic and file/registry data from those machines. Based on the analysis of this data, we believe that the second stage payload never activated, i.e. the only malicious code present on customer machines was the one embedded in the ccleaner.exe binary. Therefore, we consider restoring the affected machines to the pre-August 15 state unnecessary. By similar logic, security companies are not usually advising customers to reformat their machines after a remote code execution vulnerability is identified on their computer.
This is the official avast point o’ view,

polonus

Update: Seems there was a small number of users that were infested with additional malware through a remote host,
and they are advised to reset their computer’s OS to a known clean date before July 15th last!
Read:
http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html

Damian

I was wondering why my Avast Free did not detect the Floxif Trojan before it was installed on my computer. The only strange occurrence in that 36-hour time span (between knowledge & quarantining) I could see was my “Behaviour Shield” turning off.

@firefox0085,

Because a download server had been hacked and redirected to a C2 server by very advanced, sophisticated state actors (‘legit’ hackers),
I wonder how long other vendors would take to detect when they were “provided” with such a “payload”; would ESET etc. in that scenario still detect? Avast fell victim to covering Piriform’s back there, entering compromised software acquired by Avast. Now they take the wrong end of the stick. But this will not be the end of it; we’d learn from this incident.

We live in the days of WannaCry, proliferation of 0-day malcode that U.S. spooks were sitting on for years and are now escaping earlier than they can be patched by Silicon Valley. Sad developments really and frightening as such. But the common end user does not get targeted by such advanced attacks, but still may endure the collateral damage.

For what it is worth you may check your comp here with a free online scanner, that detects (hopefully no FPs ;)): https://www.eset.com/int/home/online-scanner/

polonus (volunteer website security analyst and website error-hunter)

Thank you.

I remember installing the affected CCleaner version on my PC and my dad’s laptop. Moved to 5.34 then to 5.35 per advisory. Upon reading stuff about the fiasco I immediately headed over to my PC and checked for any Floxif-related registry keys. Couldn’t find any Agomo-related keys and such, and scans from other vendors didn’t turn up anything out of the ordinary. Do I still have to reformat my rig or am I in the clear with this?

Well, the bank is always safest after the burglary took place. "Every AV and the kitchen sink" now checked on the latest CCleaner release, so I presume as you update to the latest version you are as safe as can be.

If you are among one of the dozen technology firms targeted with the initial compromise, then you could read here for some more background and learn that the digital infrastructure “could be” a rather dangerous place:

https://forum.avast.com/index.php?topic=66267.msg1422253#msg1422253

Don’t worry or be paranoid, you weren’t targeted, and a second or a dormant payload has not materialized yet and is not foreseen.

polonus (volunteer website security analyst and website error-hunter)

I’m wondering if I am now vulnerable, because Avast will just recognize my applications as known good, despite the fact that they’re hiding another Trojan.

Avast detects this threat fine. Keep your shields up :slight_smile:

Kaspersky detects that Trojan fine too, for that matter; the problem is the trojan comes back over and over again, mine is hidden in the Firefox cache. Today I just performed a clean Firefox installation, hope that solves this issue.

“Avast detects this threat fine”

Avast did NOT detect the trojan this time 'round though.

Not sure what you mean, but I was checking the infected binaries myself and Avast detects all of them. :slight_smile: