Finding computers infected with the Floxif CCleaner malware

19/09/2017
By Lansweeper
It recently became clear that version 5.33 of the popular clean-up tool CCleaner was infected with the malware dubbed “Floxif”. Using Lansweeper, you can scan your Windows computers to find out which are safe, which are currently still infected and which were infected. To diagnose this as accurately as possible, we'll scan for multiple things. After following the steps below, you can find out whether any scanned computer in your environment was affected:
  • In the web console go to Scanning\File & Registry Scanning
  • Click the Add File Scan button and enter the file path below
    %programfiles(x86)%\CCleaner\CCleaner.exe
  • Click the Add Registry Scan button, select HKEY_LOCAL_MACHINE as rootkey, and enter SOFTWARE\Piriform\Agomo as regpath and MUID as valuename
  • Go to Assets\Windows and click the Rescan Assets button in the left-hand pane. This will rescan all items on your Windows computers, including Registry and File scans.
  • Go to Scanning\Scanning Queue and wait for your scans to finish.
  • Go to Reports\Create New Report to open the report builder.
  • Copy and paste the SQL query below into the bottom window.
  • Give your report a title and click Save & Run.
If you want to discuss this blog post you can do so in this forum topic.
    -- One row per asset, with a Status derived from the file scan and the registry scan.
    Select Top 1000000 tblAssets.AssetID,
      tblAssets.AssetName,
      tblAssets.Domain,
      tblAssets.Username,
      tblAssets.Userdomain,
      tsysAssetTypes.AssetTypeIcon10 As icon,
      tblAssets.IPAddress,
      tblAssets.Lastseen,
      tblAssets.Lasttried,
      Case
        When CCleanerInfo.ValuenameFound = 'No key found' And
          CCleanerInfo.[32-bit CCleaner Exe] = 'Not Found' Then 'Not Infected'
        When CCleanerInfo.ValuenameFound = 'No key found' And
          CCleanerInfo.[CCleaner Version] Not Like '5.33%' Then 'Not Infected'
        When CCleanerInfo.ValuenameFound = 'MUID value found' And
          CCleanerInfo.[CCleaner Version] Not Like '5.33%' Then 'Infected registry key found'
        When CCleanerInfo.ValuenameFound = 'No key found' And
          CCleanerInfo.[CCleaner Version] Like '5.33%' Then 'Infected CCleaner found but no registry key'
        When CCleanerInfo.ValuenameFound = 'MUID value found' And
          CCleanerInfo.[CCleaner Version] Like '5.33%' Then 'Infected CCleaner and registry found'
      End As Status,
      CCleanerInfo.Regkey,
      CCleanerInfo.Valuename,
      CCleanerInfo.ValuenameFound,
      CCleanerInfo.[32-bit CCleaner Exe],
      CCleanerInfo.[CCleaner Version],
      CCleanerInfo.[CCleaner path]
    From tblAssets
      Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
      Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
      Inner Join tblComputersystem On tblAssets.AssetID = tblComputersystem.AssetID
      Left Join (Select Top 1000000 tblAssets.AssetID,
          Case
            When CCleanerReg.Valuename Is Not Null And CCleanerReg.Valuename <> '' Then 'MUID value found'
            Else 'No key found'
          End As ValuenameFound,
          CCleanerReg.Regkey,
          CCleanerReg.Valuename,
          Case
            When CCleanerFile.Found = 1 Then 'Found'
            Else 'Not Found'
          End As [32-bit CCleaner Exe],
          -- Normalize the file version: strip spaces and turn commas into dots.
          Replace(Replace(CCleanerFile.FileVersion, ' ', ''), ',', '.') As [CCleaner Version],
          CCleanerFile.PatchSearched As [CCleaner path]
        From tblAssets
          -- Registry scan result: the MUID value under SOFTWARE\Piriform\Agomo.
          Left Join (Select Top 1000000 tblRegistry.AssetID,
              tblRegistry.Regkey,
              tblRegistry.Valuename,
              tblRegistry.Value,
              tblRegistry.Lastchanged
            From tblRegistry
            Where tblRegistry.Regkey Like '%SOFTWARE\Piriform\Agomo' And
              tblRegistry.Valuename = 'MUID') CCleanerReg
            On CCleanerReg.AssetID = tblAssets.AssetID
          -- File scan result: the scanned CCleaner.exe and its version.
          Left Join (Select Top 1000000 tblFileVersions.AssetID,
              tblFileVersions.FilePathfull As PatchSearched,
              tblFileVersions.Found,
              tblFileVersions.FileVersion,
              tblFileVersions.CompanyName,
              tblFileVersions.Filesize,
              tblFileVersions.Lastchanged,
              tblFileVersions.CreationDate,
              tblFileVersions.LastAccessed,
              tblFileVersions.LastModified
            From tblFileVersions
            Where tblFileVersions.FilePathfull Like '%CCleaner.exe') As CCleanerFile
            On tblAssets.AssetID = CCleanerFile.AssetID) As CCleanerInfo
        On tblAssets.AssetID = CCleanerInfo.AssetID
    Where tblComputersystem.SystemType Not Like 'x64%'
    Order By tblAssets.Domain,
      tblAssets.AssetName
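
To spot-check a single machine against the report, the following PowerShell reads the same two indicators locally (the CCleaner.exe file version and the MUID value under HKLM\SOFTWARE\Piriform\Agomo) and returns the same status labels. It is an added example, not part of the original post or Lansweeper's own code; the function name, its parameters and the %ProgramFiles% fallback are assumptions.

```powershell
# Added example; Get-CCleanerFloxifStatus and its parameters are hypothetical names.
function Get-CCleanerFloxifStatus {
    param(
        [string]$ExePath,
        [string]$RegPath   = 'HKLM:\SOFTWARE\Piriform\Agomo',
        [string]$ValueName = 'MUID'
    )
    if (-not $ExePath) {
        # Assumption: use %ProgramFiles% where %ProgramFiles(x86)% is undefined (32-bit Windows).
        $base = ${env:ProgramFiles(x86)}
        if (-not $base) { $base = $env:ProgramFiles }
        $ExePath = Join-Path $base 'CCleaner\CCleaner.exe'
    }

    # File scan equivalent: presence plus file version, normalized like the report
    # (spaces removed, commas turned into dots).
    $exeFound = Test-Path -LiteralPath $ExePath -PathType Leaf
    $version  = $null
    if ($exeFound) {
        $raw = (Get-Item -LiteralPath $ExePath).VersionInfo.FileVersion
        if ($raw) { $version = ($raw -replace ' ', '') -replace ',', '.' }
    }

    # Registry scan equivalent: a non-empty MUID value under the Agomo key.
    $prop = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    $muidFound = ($null -ne $prop) -and ("$($prop.$ValueName)" -ne '')

    # Same labels as the report; a missing executable counts as "not version 5.33".
    $is533 = $version -like '5.33*'
    $status = if ($muidFound -and $is533) { 'Infected CCleaner and registry found' }
              elseif ($muidFound)         { 'Infected registry key found' }
              elseif ($is533)             { 'Infected CCleaner found but no registry key' }
              else                        { 'Not Infected' }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        ExePath   = $ExePath
        ExeFound  = $exeFound
        Version   = $version
        MuidFound = $muidFound
        Status    = $status
    }
}

Get-CCleanerFloxifStatus
```

The report above only lists assets whose SystemType is not x64. On 64-bit Windows, registry writes made by 32-bit processes under HKLM\SOFTWARE are redirected to WOW6432Node, so pass that path with -RegPath when checking such a host.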