jonmar
-
Posts
7 -
Joined
-
Last visited
Posts posted by jonmar
-
-
Before installing the latest version of CCleaner (5.35), I checked my registry and there were some entries left over from 5.34 in HKLM/SOFTWARE/Piriform. In there I saw default and CR (or was it CZ? I can't remember now). I deleted HKLM/SOFTWARE/Piriform, rebooted, and then installed 5.35. I checked the registry again but this time I saw only default in there. What is the CR entry? Is it something legit or connected to the attack somehow? I haven't seen it mentioned anywhere in connection to this attack but I just wanted to make sure.
Thanks.
-
Hashes and other FAQs: https://piriform.zendesk.com/hc/en-us/articles/115001699371
Indicators of Compromise (IOCs) are in the latest Avast blogpost: https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident
You continue to use confusing language like "all users with the 32-bit version". That's literally ALL users because the same installer is used for both 64-bit and 32-bit systems and on a 64-bit system both executable files are installed. Could we get some clarification on this? If 64-bit systems were not affected by the malware then why not? What prevented the malware from executing?
-
I'm not sure I'm completely understanding how the 10 minute delay works. What I mean is that no one is ever going to keep the CCleaner app open for 10 minutes. It takes less than 30 seconds to scan and clean both the hard drive and registry and then you close the app. Does the 10 minute timer also continue ticking down while the CCleaner system tray icon is active? If it doesn't then it's a pretty useless malware. I must be missing something here.
-
FWIW I just downloaded a fresh install of CCleaner tonight at 11pm from the Piriform site, and instantly scanned it with Malwarebytes, and it found 2 malware infections. You folks have some work to do, and in the mean time I'm uninstalling CCleaner from our three computers.
What is the name of the file you downloaded and scanned? I just downloaded the current installer, ccsetup535.exe, and scanned it with Windows Defender, Spybot and Malwarebytes and all scans were clean.
-
@rexg as I already told you you seem to have checked all that is known to be checked at this stage. I'm sorry that I'm not officially with piriform, as an employee, but as a moderator I would hope that my words would've been enough. Right now, everything that's been disclosed you have done to protect your PC. The second stage stuff you were looking for has ONLY been noted of the computers of large influential companies - and only on 20 pcs out of hundreds or more checked at those organizations. Avast and Piriform are taking this seriously and they and cisco are working in tandem. All three of those (Avast, Piriform, Cisco/talos) are publicizing what they know as they know it. If more is discovered then and only then might your safeness level rise to looking for more. If you've rid yourself of the 5.33, if you've checked for the rare chance that you have second stage files and/or registry, then you've done all you can for now.
Correct me if I'm wrong but the number of 20 PCs infected with the stage 2 payload is from the database of the seized CnC server. But the database only had data from a few days starting from sept. 12th to about the 15th? All of the data that was on there from aug. 15th to sept. 11th had been wiped, so there could be many more computers infected with the stage 2 payload.
-
For info: I'm using Windows 10 x64, and always ran CCleaner from my task bar shortcut, so I think it always ran in 64-bit mode. But I never paid any attention to it before so I can't be 100% sure on that. I know it always installed in C:\Program Files\ and not C:\Program Files x86\.
Could someone clarify something for me? When uninstalling CCleaner, does the uninstall process delete the Agomo registry key?
The reason I'm asking is because I had updated from version 5.33 to version 5.34 before I knew about the attack. Then when I learned of the attack the first thing I did was uninstall CCleaner. At this point I didn't know about the Agomo registry key or the two trojan dll files or that only the 32-bit exe was infected.
I performed full scans with Windows Defender and Malwarebytes and even Spybot S&D and all results were completely clean. I then read this thread and some articles and learned about the Agomo registry key and the dlls. I checked for the registry key and it wasn't there. I also checked for the .dll files and they aren't on my machine either. I know Defender and Malwarebytes never removed them because all scans have been clean.So is it possible, that I was infected and had the Agomo key in my registry, and uninstalling CCleaner deleted it, or have I never had it in the first place and therefore was never infected?
I've read posts where people have updated to 5.34 and still had the Agomo key left over in their registry. But that's after updating, not a complete uninstall.
If I had known about all this before uninstalling, I would have checked for the registry key and the dll files, and whether or not the app ran in x64 mode, before I uninstalled. But since I didn't, I can't be sure so I'd appreciate if someone could answer these questions for me.
Thanks.
Announcement: Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191
in CCleaner
Posted
It was also enabled by default for me. That's after first uninstalling CCleaner completely before installing 5.35. I've also never enabled that setting in the past so it can't have been remembered from past settings.