How to Tell If You Were Infected by the CCleaner Malware Issue
Posted by: Jon Ben-Mayor on 09/20/2017 04:07 AM
Just a quick write-up to let you double-check your machine for the infection stemming from the CCleaner compromise: even if you have updated to the newest version, there will still be a tell-tale sign left in the Windows Registry.
***Update: CCleaner has updated to 5.35 and with this update, all builds are signed with new Digital Signatures.
If you are one of the unlucky CCleaner v5.33 32-bit users, then the infected version, once installed, created a Windows Registry key on your system.
You will need to open the Registry Editor first to start looking for the offending keys left by the malware.
From there, select HKEY_LOCAL_MACHINE and under that go to SOFTWARE.
From there locate Piriform. If you are infected, you will see Agomo listed there with two data values named MUID and TCID. These two values are what the Floxif infection in version 5.33 used. Floxif is engineered to gather data from an infected machine and pass it back to the attacker's command and control server.
With this type of malware, the potential exists for it to download other malware onto your machine if CCleaner is not updated immediately. As of now, Avast indicates that there is no indication that this has occurred.
As Tim described in his informative article this morning, the only way to correct the issue is to update to 5.35, which now includes new Digital Signatures. But keep in mind that updating will not remove the Agomo key; it only replaces the infected executables, which in turn removes the malware from your machine.
So even if you have already updated to the 5.35 version of CCleaner but are curious whether you were infected at all, this sequence will let you know.
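The same registry check, scripted so it can be run on one machine or pushed out across many. This is an added example, not part of the original post: it reads the HKLM\SOFTWARE\Piriform\Agomo location the post describes and reports whether the MUID and TCID values are present. The WOW6432Node path is an assumption on my part (32-bit software on 64-bit Windows can have its SOFTWARE writes redirected there); the post itself only names the non-redirected path.

```powershell
# Added example (not from the original post): look for the Agomo key left by the
# compromised CCleaner 5.33 32-bit build. Read-only; it changes nothing in the registry.
function Test-AgomoKey {
    [CmdletBinding()]
    param()

    $paths = @(
        'HKLM:\SOFTWARE\Piriform\Agomo',              # path named in the post
        'HKLM:\SOFTWARE\WOW6432Node\Piriform\Agomo'   # assumption: 32-bit redirection target
    )

    foreach ($path in $paths) {
        if (Test-Path -Path $path) {
            $key = Get-ItemProperty -Path $path
            [PSCustomObject]@{
                Path     = $path
                KeyFound = $true
                # The two values the post says Floxif used; $null if absent
                MUID     = $key.MUID
                TCID     = $key.TCID
            }
        } else {
            [PSCustomObject]@{ Path = $path; KeyFound = $false; MUID = $null; TCID = $null }
        }
    }
}

$findings = Test-AgomoKey
$hits = $findings | Where-Object { $_.KeyFound }

if ($hits) {
    Write-Warning 'Agomo key present: this machine ran the compromised CCleaner 5.33 build.'
    $hits | Format-List Path, MUID, TCID
    Write-Host 'Updating to 5.35 replaces the executables but leaves this key behind as an indicator.'
} else {
    Write-Host 'No Agomo key found under the checked paths.'
}
```

Reading HKLM does not need an elevated prompt; for a fleet, the function body runs unchanged inside Invoke-Command against a list of hosts.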