jonmar

Members · Posts: 7 · Reputation: 0 Neutral
  1. It was also enabled by default for me. That's after first uninstalling CCleaner completely before installing 5.35. I've also never enabled that setting in the past so it can't have been remembered from past settings.
  2. Before installing the latest version of CCleaner (5.35), I checked my registry and there were some entries left over from 5.34 in HKLM/SOFTWARE/Piriform. In there I saw default and CR (or was it CZ? I can't remember now). I deleted HKLM/SOFTWARE/Piriform, rebooted, and then installed 5.35. I checked the registry again but this time I saw only default in there. What is the CR entry? Is it something legit or connected to the attack somehow? I haven't seen it mentioned anywhere in connection to this attack but I just wanted to make sure. Thanks.
  3. You continue to use confusing language like "all users with the 32-bit version". That's literally ALL users because the same installer is used for both 64-bit and 32-bit systems and on a 64-bit system both executable files are installed. Could we get some clarification on this? If 64-bit systems were not affected by the malware then why not? What prevented the malware from executing?
  4. I'm not sure I'm completely understanding how the 10 minute delay works. What I mean is that no one is ever going to keep the CCleaner app open for 10 minutes. It takes less than 30 seconds to scan and clean both the hard drive and registry and then you close the app. Does the 10 minute timer also continue ticking down while the CCleaner system tray icon is active? If it doesn't then it's a pretty useless malware. I must be missing something here.
  5. What is the name of the file you downloaded and scanned? I just downloaded the current installer, ccsetup535.exe, and scanned it with Windows Defender, Spybot and Malwarebytes and all scans were clean.
  6. Correct me if I'm wrong but the number of 20 PCs infected with the stage 2 payload is from the database of the seized CnC server. But the database only had data from a few days starting from Sept. 12th to about the 15th? All of the data that was on there from Aug. 15th to Sept. 11th had been wiped, so there could be many more computers infected with the stage 2 payload.
  7. For info: I'm using Windows 10 x64, and always ran CCleaner from my task bar shortcut, so I think it always ran in 64-bit mode. But I never paid any attention to it before so I can't be 100% sure on that. I know it always installed in C:\Program Files\ and not C:\Program Files x86\. Could someone clarify something for me? When uninstalling CCleaner, does the uninstall process delete the Agomo registry key? The reason I'm asking is because I had updated from version 5.33 to version 5.34 before I knew about the attack. Then when I learned of the attack the first thing I did was uninstall CCleaner. At this point I didn't know about the Agomo registry key or the two trojan dll files or that only the 32-bit exe was infected. I performed full scans with Windows Defender and Malwarebytes and even Spybot S&D and all results were completely clean. I then read this thread and some articles and learned about the Agomo registry key and the dlls. I checked for the registry key and it wasn't there. I also checked for the .dll files and they aren't on my machine either. I know Defender and Malwarebytes never removed them because all scans have been clean. So is it possible that I was infected and had the Agomo key in my registry, and uninstalling CCleaner deleted it, or have I never had it in the first place and therefore was never infected? I've read posts where people have updated to 5.34 and still had the Agomo key left over in their registry. But that's after updating, not a complete uninstall. If I had known about all this before uninstalling, I would have checked for the registry key and the dll files, and whether or not the app ran in x64 mode, before I uninstalled. But since I didn't, I can't be sure, so I'd appreciate it if someone could answer these questions for me. Thanks.
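Added example, not part of jonmar's posts or of Piriform's own tooling: a PowerShell check for the host-side indicators these posts keep returning to (leftover Piriform registry data and an Agomo subkey, plus which CCleaner binaries are installed and at what version). It assumes the Agomo key sits under the HKLM\SOFTWARE\Piriform key named in post 2, that the 32-bit and 64-bit binaries are CCleaner.exe and CCleaner64.exe (assumed file names), and that the install paths are the Program Files locations from post 7.

```powershell
# Added example (not from the forum poster or from Piriform). Run as Administrator.
# Assumptions: registry location from post 2 (HKLM\SOFTWARE\Piriform, "Agomo" subkey);
# binary names CCleaner.exe / CCleaner64.exe are assumed; 5.33 is the affected version
# named in post 7. Output lines are tagged INDICATOR (worth triage) or info.
function Get-CCleanerIncidentIndicators {
    $findings = @()

    # 1. Leftover Piriform registry data. Post 2 notes subkeys surviving an update,
    #    and post 7 asks whether uninstall removes the Agomo key, so list every
    #    subkey with its values rather than testing for one name only.
    $piriform = 'HKLM:\SOFTWARE\Piriform'
    if (Test-Path $piriform) {
        foreach ($k in Get-ChildItem -Path $piriform -ErrorAction SilentlyContinue) {
            $values = (Get-ItemProperty -Path $k.PSPath).PSObject.Properties |
                      Where-Object { $_.Name -notlike 'PS*' } |
                      ForEach-Object { "$($_.Name)=$($_.Value)" }
            $tag = if ($k.PSChildName -eq 'Agomo') { 'INDICATOR' } else { 'info' }
            $findings += "$tag Registry: $($k.Name) [$($values -join '; ')]"
        }
    } else {
        $findings += "info Registry: $piriform not present"
    }

    # 2. Installed binaries. Post 3 points out that one installer places both the
    #    32-bit and 64-bit executables on a 64-bit system, so check each path and
    #    record its file version; 5.33 is the version the posts say was affected.
    $paths = @(
        "$env:ProgramFiles\CCleaner\CCleaner.exe",        # 32-bit exe, 64-bit install
        "$env:ProgramFiles\CCleaner\CCleaner64.exe",      # 64-bit exe
        "${env:ProgramFiles(x86)}\CCleaner\CCleaner.exe"  # 32-bit install location
    )
    foreach ($p in $paths) {
        if (Test-Path $p) {
            $v = (Get-Item $p).VersionInfo.FileVersion
            $tag = if ($v -like '5.33*') { 'INDICATOR' } else { 'info' }
            $findings += "$tag File: $p version $v"
        }
    }
    return $findings
}

Get-CCleanerIncidentIndicators | ForEach-Object { Write-Output $_ }
```

An absent Agomo key after an uninstall does not by itself settle the question in post 7; the file-version lines are the more durable record of which build was ever present, and should be kept with the scan results.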