malika4
Posts: 30
Posts posted by malika4
So a 64-bit system is clean and safe? It hasn't received the first payload, you would say?
"Unless the code ran on a 64-bit system long enough for the delayed action to be triggered, assuming the installation was not corrupt or the CCleaner64.exe binaries modified in any way, we believe a 64-bit system should not have received the second payload."
Is it correct that if the Agomo keys aren't in the registry the backdoor was not activated? And a 64-bit system without Agomo keys is clean and not compromised?
-
@patrykr you got it mostly correct, except for Skip UAC being default: it isn't. I also think the shortcuts on the Recycle Bin also first call ccleaner.exe.
It is enabled by default; on all my 3 PCs it is like this, and after reinstalling CCleaner it is enabled by default.
-
-----------------------------------------------
Question for administrators or people close to the topic:
Were there any cases of infection of 64-bit computers or not? If so, under what conditions could 64-bit computers be infected?
On the Piriform Zendesk it is written:
Who was affected?
This issue was isolated to two versions: CCleaner v5.33.6162 for 32-bit Windows users and CCleaner Cloud v1.07.3191 (if you are using CCleaner Cloud, the 32-bit version runs on 64-bit machines).
All builds on these version numbers were affected: Free, Professional, Slim, Portable, Business and Technician versions of CCleaner.
So a 64-bit Windows, if it has the CCleaner Cloud version, runs ccleaner.exe (the 32-bit version).
-
If you are on Windows 64-bit, be sure to check the 32-bit registry, as if a 32-bit program wrote to:
HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo
and you checked it with regedit, it would actually end up here:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Piriform\Agomo
Hi, I don't have any Piriform folder in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node on my desktop; on my husband's laptop there is one, but there is no Agomo,
and in HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\ there is no Agomo.
On all my 3 Windows 10 64-bit PCs I have this:
Yes Task CCleanerSkipUAC Piriform Ltd "C:\Program Files\CCleaner\CCleaner.exe" $(Arg0)
and it is like this by default (I haven't modified this), so I think that if this task can activate the trojan, all the 64-bit systems will be affected, because I read that all 64-bit versions have the task like this; but on the Avast blog it is written that the total number of unique PCs (unique MAC addresses) that communicated with the CnC server was 1,646,536.
Not have, sorry, but my phone has an Italian dictionary. I don't have any of those keys, and my antivirus KIS2017 and Malwarebytes haven't detected them.
-
64-bit users
Installed and ran CCleaner v5.33.0.6162 before September 16th, and did use the Skip User Account Control (UAC) feature. But only ran the 64-bit version?
I only use the 64-bit version and have the UAC feature active, but I don't have any Agomo keys or WbemPerf 1-4.
-
No, it's the same now, thanks.
-
https://piriform.zendesk.com/hc/en-us/articles/115001699371 here the SHA256 of all versions is written.
Now it is correct, but 3 hours ago they were as I wrote in the first post.
-
Hi,
I downloaded the 5.35 version from the Piriform site on September 20. On VirusTotal:
SHA-256: 06b27f68366f8d25a599c3ad8b1d23f18158f4edddee3174a22d3698089a8bc3
File name: CCleaner64.exe
File size: 9.4 MB
Basic Properties
MD5: e6f5ad3fd6d0f64ec88357fc481a71ab
SHA-1: 92fcff26e8c5f8238c2b7f1c025289c20168c9c2
On piriform.zendesk.com it is written:
CCleaner64.exe - 64-bit CCleaner executable
MD5: e6f5ad3fd6d0f64ec88357fc481a71ab
SHA256: 478262a5d9d72bf339bd9b17261fea42dfdf0e36e4f233bbf7d6c6e9de0b0dc8
Why are the SHA256 values different?
Is there an error? Because I see that on piriform.zendesk the cc5.35.exe and cc5.3564.exe have the same SHA256:
CCleaner.exe - 32-bit CCleaner executable
MD5: 10f16bae4e236292a3bfa47b6f100518
SHA256: 478262a5d9d72bf339bd9b17261fea42dfdf0e36e4f233bbf7d6c6e9de0b0dc8
CCleaner64.exe - 64-bit CCleaner executable
MD5: e6f5ad3fd6d0f64ec88357fc481a71ab
SHA256: 478262a5d9d72bf339bd9b17261fea42dfdf0e36e4f233bbf7d6c6e9de0b0dc8
Some antivirus software has been updated to remove these keys, so this is not necessarily true. However, if your antivirus solution has not flagged these keys to you before removing them, then it suggests no communication from your system was made to the command and control server.
When the notice of the trojan was communicated last Monday I had just installed version 5.34; my antivirus only detected the installer that I have in the Documents folder. I searched for the keys in the registry but they weren't there, and neither KIS2017 nor Malwarebytes detected them on my system. I have Windows 10 64-bit and CCleaner 64-bit.
-
All antiviruses now detect the backdoor in the 5.33 installer.
-
I read the news on the Avast blog and it confirms that the trojan creates the Agomo keys in the registry, so without them the system was not affected, right?
-
Users might like to read these 2 posts from someone who knows what they are talking about.
https://www.wilderssecurity.com/threads/ccleaner-v5.370654/page-26#post-2707924
https://www.wilderssecurity.com/threads/ccleaner-v5.370654/page-27#post-2708085
After you have read those 2 posts, then watch this video:
https://www.youtube.com/watch?v=i1u0LqZLDvc&feature=youtu.be
Thanks so much hazelnut for the links and especially for the video.
The video explains perfectly how the trojan and the backdoor work; in conclusion, without any Agomo keys in the registry the system wasn't compromised (right?)
-
Yes, the point is: the infected machines are the PCs with the malicious key and files? Do they need to be restored, or Windows reinstalled?
If on the PC there aren't those keys/files, is it OK with no need to restore or reinstall Windows, or are there other problems?
-
Our questions aren't that technical. My summary of the questions is:

does the 32-bit/64-bit distinction still hold?
does having ccleaner.exe in scheduled startup mean we were exposed to 32-bit threats even on 64-bit devices?
has the 2nd payload been found anywhere other than servers on the target list?

And another question: if we don't have the Agomo key in the registry, are we safe from the first payload?
If the first payload was not activated, is there a possibility that the second was? Or if we don't have WbemPerf 1-4 and GeeSetup_x86.dll, TSMSISrv.dll, EFACli64.dll, are we safe?
Please someone reply.
Is a restore point good enough or not? On my laptop I have done this to a date before 5.33, but on my desktop
I have no system restore point from before ccsetup533.exe, so in that case I have to format and reinstall Windows.
On many sites like the Avast forum, BleepingComputer and MajorGeeks they said that if there aren't any of the malicious keys and files on the PC, the PC is clean and safe from the trojan infection.
https://www.ghacks.net/2017/09/21/ccleaner-malware-second-payload-discovered/
https://forum.avast.com/index.php?topic=208612.45
-
Today I read an article on Sky TG24 (Italian page http://tg24.sky.it/tecnologia/2017/09/21/attacco-ccleaner-grandi-aziende.html?social=facebook_skytg24) where they write that the malware was directed at Windows 7 and XP PCs of important companies, so I think that the malware in the 32-bit version of CCleaner 5.33 can execute on a 64-bit version of Windows 7 (not on Windows 10).
So I ask people with 64-bit that have found the malware whether they have Windows 7 and whether they found the Agomo registry key and the WbemPerf 1-4 registry key.
Thanks.
P.S. Since Monday I have been anxious and nervous about this question.
-
Mind you, "login" (post 129 above) found ccleaner.exe in the start-up schedule on his Windows 10 64-bit device.
Same for me, but the directory is C:\Program Files (64-bit), not C:\Program Files (x86), so is this important or not for executing a 64-bit version?
-
Gaz132, what Windows do you have? 7 or XP?
On the Malwarebytes forum a user asked about Windows 10 and the 64-bit version. The expert said that Malwarebytes detects and removes the trojan and the registry key, and if the Agomo registry key isn't on the system, the backdoor did not affect the PC.
-
But is this the Cloud page? Perhaps it isn't the Piriform download page.
-
In the Avast blog update, when it talks about the 32- and 64-bit trojan of the second payload, they speak of Windows 7 and XP, so it can probably be that the 32-bit trojan can activate on a 64-bit system, but on 7 or XP (systems that most companies still use).
-
Yes, I would like to know if people with Windows 64-bit and ccleaner5.3364.exe, without any of the Agomo key, WbemPerf 1-4, or GeeSetup_x86.dll,
TSMSISrv.dll, EFACli64.dll, are really safe or not. Do we have to reinstall the OS or restore an image from before version 5.33? Are our passwords and data safe?
-
Does the trojan work only when running the 32-bit version? The CCleaner installer does not start the trojan? Do I understand correctly that the trojan could get into a 64-bit system only if you manually run CCleaner.exe (x32)?
If you manually run the x32 it will open the 64-bit version, because the system is 64-bit.
In what registry folder can this be checked?
You can open the prompt and copy the key; if the reply is error or not found, it's OK.
Are the files in the root of the C: folder, or are you talking about searching the entire directory? Can there be a specific folder where the trojan is saved?
I searched the whole C: folder.
-
I have a few questions:
1. From where was the virus installed? From CCleaner.exe (x32), CCleaner64.exe, or from the installer?
2. How can I check if I have ever had an infected version?
3. How can I check if I had a virus on my computer?
4. Does the last update (5.35) remove the virus?
5. Where to look for the trojans that are written about in the news (the 32-bit trojan is TSMSISrv.dll, the 64-bit trojan is EFACli64.dll)?
If you have a 64-bit PC you're not infected, because if you have installed the 5.33 version only the 64-bit version runs on your system (the 32-bit one and the Cloud version are infected). You can check in the registry folder whether the registry key is on the PC. Scan the PC with an antivirus like Malwarebytes or Kaspersky. Check for the files TSMSISrv.dll (and the 64-bit trojan EFACli64.dll) on the Windows C: drive.
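The manual checks traded in this thread (the Agomo key in both the native and the Wow6432Node view of HKLM\SOFTWARE, the second-stage file names, the CCleanerSkipUAC task, and the hashes of the installed binaries) can be collected in one pass. The script below is an added example, not code from the forum, Piriform or Avast; it assumes an elevated 64-bit PowerShell, and the search root, install directory and file-name list come only from this thread, not from an official indicator list.

```powershell
# Added example, not code from the thread or from Piriform/Avast.
# Assumptions: elevated 64-bit PowerShell; $SearchRoot, $InstallDir and the
# file names below are taken from the thread, not from an official IoC list.
function Get-CCleanerIndicators {
    param(
        [string]$SearchRoot = 'C:\',                       # thread searched all of C:
        [string]$InstallDir = 'C:\Program Files\CCleaner'   # path from the task in the thread
    )
    $report = [ordered]@{}

    # A 32-bit process writing HKLM\SOFTWARE\Piriform\Agomo is redirected to
    # Wow6432Node, and a 64-bit regedit shows it there, so check both views.
    $keys = 'HKLM:\SOFTWARE\Piriform\Agomo',
            'HKLM:\SOFTWARE\Wow6432Node\Piriform\Agomo'
    $report.AgomoKeys = foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) {
            # Record the values before an AV tool removes the key
            [pscustomobject]@{
                Key    = $k
                Values = (Get-ItemProperty -LiteralPath $k | Out-String).Trim()
            }
        }
    }

    # Second-stage file names as listed in the thread
    $names = 'TSMSISrv.dll', 'EFACli64.dll', 'GeeSetup_x86.dll'
    $report.Files = Get-ChildItem -Path $SearchRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $names -contains $_.Name } |
        Select-Object FullName, Length, LastWriteTime

    # The scheduled task the thread discusses; its action shows which binary runs
    $task = Get-ScheduledTask -TaskName 'CCleanerSkipUAC' -ErrorAction SilentlyContinue
    $report.SkipUacTask = if ($task) { $task.Actions | Select-Object Execute, Arguments }

    # Hashes of the installed binaries, to compare by hand with the values
    # Piriform published (the thread disputes which published value is right)
    $report.Hashes = Get-ChildItem -Path $InstallDir -Filter 'CCleaner*.exe' -ErrorAction SilentlyContinue |
        Get-FileHash -Algorithm SHA256 | Select-Object Path, Hash

    [pscustomobject]$report
}

# Usage: Get-CCleanerIndicators | Format-List
```

An empty AgomoKeys and Files result is only the absence of these particular indicators on this host, not proof against a removed key, so keep the output alongside the antivirus log rather than treating either alone as conclusive.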
-
Bru20,
Your antivirus found the trojan that is ccleaner5.33.exe; even if you have 64-bit, in the Program folder there are ccleaner5.33.exe and 5.3364.exe. Do you have the Agomo registry key? If it is there, you are really infected. Do you have the installer? The antivirus can flag this as a compromised object.
Thread: Announcement: Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 (in CCleaner)
Is the CCleaner scheduler the automatic cleaning of the system option? (Run CCleaner on a schedule?) I don't have this option activated.