Finding computers infected with the Floxif CCleaner malware

It recently became clear that version 5.33 of the popular clean-up tool CCleaner was distributed with the malware dubbed "Floxif". With Lansweeper you can scan your Windows computers to find out which computers are clean, which are still infected, and which were infected at some point. To make the diagnosis as accurate as possible, the scans below check more than one indicator: the version of the CCleaner executable and the registry value the malware leaves behind. After following the steps below you can see whether any scanned computer in your environment was affected:
  • In the web console, go to Scanning\File & Registry Scanning.
  • Click the Add File Scan button and enter the file path below:
    %programfiles(x86)%\CCleaner\CCleaner.exe
  • Click the Add Registry Scan button, select HKEY_LOCAL_MACHINE as the root key, enter SOFTWARE\Piriform\Agomo as the registry path and MUID as the value name.
  • Go to Assets\Windows and click the Rescan Assets button in the left-hand pane. This will rescan all items on your Windows computers, including Registry and File scans.
  • Go to Scanning\Scanning Queue and wait for your scans to finish.
  • Go to Reports\Create New Report to open the report builder.
  • Copy and paste the SQL query below into the bottom window.
  • Give your report a title and click Save & Run.

If you want to discuss this blog post you can do so in this forum topic.

    Select Top 1000000 tblAssets.AssetID,
      tblAssets.AssetName,
      tblAssets.Domain,
      tblAssets.Username,
      tblAssets.Userdomain,
      tsysAssetTypes.AssetTypeIcon10 As icon,
      tblAssets.IPAddress,
      tblAssets.Lastseen,
      tblAssets.Lasttried,
      Case
        When CCleanerInfo.ValuenameFound = 'No key found' And
             CCleanerInfo.[32-bit CCleaner Exe] = 'Not Found' Then 'Not Infected'
        When CCleanerInfo.ValuenameFound = 'No key found' And
             CCleanerInfo.[CCleaner Version] Not Like '5.33%' Then 'Not Infected'
        When CCleanerInfo.ValuenameFound = 'MUID value found' And
             CCleanerInfo.[CCleaner Version] Not Like '5.33%' Then
          'Infected registry key found'
        When CCleanerInfo.ValuenameFound = 'No key found' And
             CCleanerInfo.[CCleaner Version] Like '5.33%' Then
          'Infected CCleaner found but no registry key'
        When CCleanerInfo.ValuenameFound = 'MUID value found' And
             CCleanerInfo.[CCleaner Version] Like '5.33%' Then
          'Infected CCleaner and registry found'
      End As Status,
      CCleanerInfo.Regkey,
      CCleanerInfo.Valuename,
      CCleanerInfo.ValuenameFound,
      CCleanerInfo.[32-bit CCleaner Exe],
      CCleanerInfo.[CCleaner Version],
      CCleanerInfo.[CCleaner path]
    From tblAssets
      Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
      Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
      Inner Join tblComputersystem On tblAssets.AssetID = tblComputersystem.AssetID
      Left Join (Select Top 1000000 tblAssets.AssetID,
          Case
            When CCleanerReg.Valuename Is Not Null And CCleanerReg.Valuename <> ''
              Then 'MUID value found' Else 'No key found'
          End As ValuenameFound,
          CCleanerReg.Regkey,
          CCleanerReg.Valuename,
          Case When CCleanerFile.Found = 1 Then 'Found' Else 'Not Found'
          End As [32-bit CCleaner Exe],
          -- file versions are stored as '5, 33, 0, 6162'; normalise to '5.33.0.6162'
          Replace(Replace(CCleanerFile.FileVersion, ' ', ''), ',', '.') As [CCleaner Version],
          CCleanerFile.PatchSearched As [CCleaner path]
        From tblAssets
          Left Join (Select Top 1000000 tblRegistry.AssetID,
              tblRegistry.Regkey,
              tblRegistry.Valuename,
              tblRegistry.Value,
              tblRegistry.Lastchanged
            From tblRegistry
            Where tblRegistry.Regkey Like '%SOFTWARE\Piriform\Agomo' And
                  tblRegistry.Valuename = 'MUID') CCleanerReg
            On CCleanerReg.AssetID = tblAssets.AssetID
          Left Join (Select Top 1000000 tblFileVersions.AssetID,
              tblFileVersions.FilePathfull As PatchSearched,
              tblFileVersions.Found,
              tblFileVersions.FileVersion,
              tblFileVersions.CompanyName,
              tblFileVersions.Filesize,
              tblFileVersions.Lastchanged,
              tblFileVersions.CreationDate,
              tblFileVersions.LastAccessed,
              tblFileVersions.LastModified
            From tblFileVersions
            Where tblFileVersions.FilePathfull Like '%CCleaner.exe') As CCleanerFile
            On tblAssets.AssetID = CCleanerFile.AssetID) As CCleanerInfo
        On tblAssets.AssetID = CCleanerInfo.AssetID
    Where tblComputersystem.SystemType Not Like 'x64%'
    Order By tblAssets.Domain,
      tblAssets.AssetName
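If you want to confirm the report's verdict on a single machine without waiting for a full rescan, the same two indicators can be checked locally. The script below is an added example for this post, not Lansweeper's code: it reads the file version of CCleaner.exe and the MUID value under SOFTWARE\Piriform\Agomo, normalises the version string the same way the report does, and applies the report's Status logic. The function name, the extra check of the WOW6432Node path (where a 32-bit process on 64-bit Windows has its HKLM\SOFTWARE writes redirected) and the 'Program Files' path are assumptions added here; it also gives a status to the one combination the report's Case leaves blank (MUID present but no executable on disk).

```powershell
# Added example: per-host cross-check of the Lansweeper CCleaner/Floxif report.
# Not from the original post; function name and extra paths are assumptions.
function Get-CCleanerFloxifStatus {
    [CmdletBinding()]
    param()

    # Candidate install locations. ProgramFiles(x86) is unset on 32-bit Windows,
    # so empty roots are dropped before building the paths.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $candidates = $roots | ForEach-Object { Join-Path $_ 'CCleaner\CCleaner.exe' }
    $exe = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1

    # Same normalisation as the report: '5, 33, 0, 6162' -> '5.33.0.6162'
    $version = $null
    if ($exe) {
        $raw = (Get-Item -LiteralPath $exe).VersionInfo.FileVersion
        $version = ($raw -replace '\s', '') -replace ',', '.'
    }

    # Registry indicator from the post, plus the WOW6432Node view (assumption:
    # worth checking because 32-bit writers on 64-bit Windows are redirected there).
    $regPaths = @(
        'HKLM:\SOFTWARE\Piriform\Agomo',
        'HKLM:\SOFTWARE\WOW6432Node\Piriform\Agomo'
    )
    $muid = $null
    foreach ($p in $regPaths) {
        $item = Get-ItemProperty -Path $p -Name 'MUID' -ErrorAction SilentlyContinue
        if ($item -and -not [string]::IsNullOrEmpty($item.MUID)) {
            $muid = [pscustomobject]@{ Path = $p; Value = $item.MUID }
            break
        }
    }
    $muidFound = $null -ne $muid

    # Mirrors the report's Case expression. $null -notlike '5.33*' is $true in
    # PowerShell, so "MUID found, no exe" lands on 'Infected registry key found'
    # instead of an empty status.
    $status =
        if (-not $muidFound -and -not $exe)                 { 'Not Infected' }
        elseif (-not $muidFound -and $version -notlike '5.33*') { 'Not Infected' }
        elseif ($muidFound -and $version -notlike '5.33*')  { 'Infected registry key found' }
        elseif (-not $muidFound)                            { 'Infected CCleaner found but no registry key' }
        else                                                { 'Infected CCleaner and registry found' }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        CCleanerPath   = $exe
        CCleanerVersion = $version
        MuidRegPath    = if ($muid) { $muid.Path } else { $null }
        MuidValue      = if ($muid) { $muid.Value } else { $null }
        Status         = $status
    }
}

# Usage on the local machine; run in an elevated prompt so HKLM is readable in full.
Get-CCleanerFloxifStatus | Format-List
```

For a handful of remote hosts the function can be wrapped in Invoke-Command -ComputerName, but for fleet-wide coverage the Lansweeper report above remains the better tool, since it keeps the scan results and lets you re-run the query as machines get rescanned.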
