NonConvergentWaveform (Experienced Members)
Posts: 54, Reputation: 0 Neutral

  1. 7-zip can do it in the context menu (does SHA-1 and SHA-256, but not md5 -- but who uses md5 any more these days?) Sigcheck from sysinternals can also do it (command line only). It also does a better job of checking digital signatures than the windows interface.
  2. Ok, I understand now. It won't let you manage load-on-start commands specific to your account (which you should have control over as a non-admin) and when it makes you elevate to admin (run as another user) it no longer shows start up items specific to your account. You should have enough rights to manage almost everything that only loads under your account, but ccleaner (wrongly?) assumes you don't and makes you run as admin (elevate). Can you post some screenshots of this?
  3. Open a command prompt like you were going to launch the program from the command line. Run this command: set __COMPAT_LAYER=RUNASINVOKER Then try to run CCleaner via that command prompt window. This will suppress it from trying to run as admin. I have not tried this myself for ccleaner but it has worked for other programs.
  4. Nothing is, driving for example. But these attackers had 600,000+ computers they could infect, they chose only 20 (at various large businesses) so they could steal from them. They'd have to be pretty stupid to try to infect ccleaner again (with all the scrutiny), they may have already stolen what they wanted (or not); if they attack again it will be in a new and surprising way, maybe similar maybe not. Want a safety net? Wait 4 months after you download something to install it (and scan it before you do). As long as the program has no critical security updates this will give others a chance to check things out first. Of course this doesn't work when a program has a critical security update...
  5. Weird, I wonder what could have garbled / set to deny the NTFS permissions?
  6. I see. I guess since this process signs installers in real time (with user adjustments like install time limits, and installer expiration) more care is needed to re-implement than simply swapping out the key. I wasn't sure if this was overlooked since it didn't seem to be documented anywhere.
  7. Thumbprint (SHA1): F4BDA9EFA31EF4A8FA3B6BB0BE13862D7B8ED9B0
     Serial Number: 4B48B27C8224FE37B17A6A2ED7A81C9F
     Not Before: Aug 12 00:00:00 2015 GMT
     Not After : Oct 10 23:59:59 2018 GMT
     Revocation Status : Revoked on Tuesday, September 19, 2017
     Signing Time: 10/5/2017 11:44 PM agent_installer.msi
     Signing Time: 9/13/2017 4:30 PM CCleanerCloudAgent.exe 1.7.0.3214
     Signing Time: 9/13/2017 4:30 PM CCleanerCloudAgent.exe 1.7.0.3214
     Signing Time: 9/13/2017 4:30 PM CCleanerCloudHealthCheck.exe 1.7.0.3214
  8. I wouldn't trust that drive, get your data backed up. It lost 161 sectors (which may or may not have contained something important) and replaced them with spares. There's one sector it can't read right now (not replaced with a spare). And there were (or are) 6 sectors that not only it can't read, it can't even figure out where they are located on the disk surface. This drive should have failed a SMART self test in the past (if one was ever run by the user), and should still fail even now (it will start passing if it reallocates some bad sectors, but that's no reason to start trusting the drive again). The drive has not exceeded the SMART thresholds so it's not saying "I've failed" yet. Most bad drives actually fail before they reach that stage. (or are so bad as to be unusable and NEVER reach the stage where they call themselves 'bad')
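The three numbers in post 8 (reallocated, pending and offline-uncorrectable sectors) are SMART attributes 5, 197 and 198. The script below, an added example that is not part of the forum post, reads those attributes on Windows through the root\wmi failure-prediction classes and flags a drive that reports any of them, independently of whether the drive has crossed its own "failed" threshold. It assumes the drive's driver exposes SMART data through MSStorageDriver_FailurePredictData (typical for SATA drives; NVMe and many USB bridges do not), that the 512-byte blob uses the standard layout (2-byte version, then 12-byte attribute entries), and that the prompt is elevated.

```powershell
# Added example, not from the post: read SMART sector-health attributes via WMI.
# Assumption: MSStorageDriver_FailurePredictData is populated for the drive.

$AttributeNames = @{
    5   = 'Reallocated Sector Count'
    196 = 'Reallocation Event Count'
    197 = 'Current Pending Sector Count'
    198 = 'Offline Uncorrectable Sector Count'
}

function Get-SmartAttributes {
    # Parses the vendor-specific SMART blob: 2-byte version, then up to 30 entries
    # of 12 bytes each (id, 2-byte flags, current, worst, 6-byte raw, reserved).
    param([byte[]]$Blob)
    $attrs = @()
    for ($off = 2; $off + 12 -le $Blob.Length; $off += 12) {
        $id = $Blob[$off]
        if ($id -eq 0) { continue }                  # unused slot
        # Raw value is little-endian across bytes 5..10 of the entry.
        $raw = [long]0
        for ($i = 5; $i -ge 0; $i--) { $raw = ($raw -shl 8) -bor $Blob[$off + 5 + $i] }
        $name = if ($AttributeNames.ContainsKey([int]$id)) { $AttributeNames[[int]$id] } else { "Attribute $id" }
        $attrs += [pscustomobject]@{
            Id      = [int]$id
            Name    = $name
            Current = $Blob[$off + 3]     # normalised value, compared by the drive to its threshold
            Worst   = $Blob[$off + 4]
            Raw     = $raw                # actual sector count for 5/197/198
        }
    }
    return $attrs
}

$status = Get-CimInstance -Namespace root\wmi -ClassName MSStorageDriver_FailurePredictStatus
$data   = Get-CimInstance -Namespace root\wmi -ClassName MSStorageDriver_FailurePredictData

foreach ($d in $data) {
    $attrs       = Get-SmartAttributes -Blob $d.VendorSpecific
    $sectorAttrs = $attrs | Where-Object { $_.Id -in 5, 197, 198 }
    $predict     = ($status | Where-Object InstanceName -eq $d.InstanceName).PredictFailure

    "{0}`n  Drive reports threshold exceeded (PredictFailure): {1}" -f $d.InstanceName, $predict
    $sectorAttrs | Format-Table Id, Name, Current, Worst, Raw -AutoSize | Out-String

    # The post's point: any non-zero raw count here is a reason to back up,
    # even while PredictFailure is still False.
    if (($sectorAttrs | Measure-Object -Property Raw -Sum).Sum -gt 0) {
        "  WARNING: reallocated / pending / uncorrectable sectors present; back up this drive now."
    }
}
```

A drive like the one in the post would show Raw = 161 for attribute 5, 1 for 197 and 6 for 198 while PredictFailure is still False; the script reports the warning on the raw counts rather than waiting for the drive's own verdict.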
  9. I'm not sure about the rest of them, but the "Run As Administrator" is doing exactly what one would expect. Every time you run it (not even trying to run as admin) it tries to run as admin, which means it prompts you. The only way to bypass this is the scheduled task (which I think is an option in the program).
  10. For this threat there was little or no distinction between the portable version and the installed version. Since you didn't give specific details as to your usage I am making a few guesses. You used the 32-bit version out of the portable package "CCleaner.exe" vs "CCleaner64.exe", you did so before September 16th, you were connected to the internet at the time. Which means it's possible for stage 2.
  11. The registry traces are irrelevant, they are only traces left behind by early stage malware action. After the fact they are just traces. Worry about the intruder, don't worry about his footprints. The registry traces don't try to connect to the (offline) malware server, the program itself does. If you didn't leave behind the portable version it isn't still trying to connect to the disabled malware server.
  12. Depends on which version you used, when you used it, and if the computer had an internet connection at the time. Refer back to this rough outline from my previous post: https://forum.piriform.com/index.php?showtopic=48869&page=11&do=findComment&comment=286985 Also, an update: the second line labeled "Note A1" appears to be improbable. For the portable version you can ignore anywhere it says "installed".
  13. No, I was trying to get direct clear answers about all the files tied to this incident (not just that they were related to this issue, how they were related). I think I have most of my questions answered most of the way as of my last post. I was trying to rule out #2 to some extent and to be clear on which files were affected so one could tell for sure if they were affected. I still wonder a little bit about the auto update prompt getting stuck on even in the free version right before this incident. Anyway, thank you for your time and sorry to bother you with questions I wanted to get very specific answers to but may not have asked you with adequate clarity.
  14. It appears that "CCleanerCloudAgent.exe" is the main exe file for that version. But it seems that all 3 of the internal programs that come with CCleanerCloud were infected including "CCleanerCloudAgentHealtCheck.exe" and "CCleanerCloudTray.exe". Apparently the payload in the cloud version was created slightly later and was adjusted to run even without administrative privileges. I wonder when the bug that caused all versions to prompt to auto-update regardless of the setting (even the free version -- which doesn't auto update) was introduced?
     SHA256 hash of files I am only wondering about:
     0564718B3778D91EFD7A9972E11852E29F88103A10CB8862C285B924BC412013 (tampered -- contains tampered file) -- auto updater even for free version?
     0D4F12F4790D2DFEF2D6F3B3BE74062AAD3214CB619071306E98A813A334D7B8 (tampered, contains payload?)
     9C205EC7DA1FF84D5AA0A96A0A77B092239C2BB94BCB05DB41680A9A718A01EB (tampered, contains payload?)
     BEA487B2B0370189677850A9D3F41BA308D0DBD2504CED1E8957308C43AE4913 (tampered, contains payload?)
     A013538E96CD5D71DD5642D7FDCE053BB63D3134962E2305F47CE4932A0E54AF unclear, probably: (tampered -- contains tampered file)
     BD1C9D48C3D8A199A33D0B11795FF7346EDF9D0305A666CAA5323D7F43BDCFE9 unclear, probably: (tampered -- contains tampered file)
     C92ACB88D618C55E865AB29CAAFB991E0A131A676773EF2DA71DC03CC6B8953E unclear, probably: (tampered -- contains tampered file)
     7BC0EAF33627B1A9E4FF9F6DD1FA9CA655A98363B69441EFD3D4ED503317804D unclear, probably: (tampered -- contains tampered file)
     Mostly resolved:
     04BED8E35483D50A25AD8CF203E6F157E0F2FE39A762F5FBACD672A3495D6A11 (tampered -- contains tampered file)
     2FE8CFEEB601F779209925F83C6248FB4F3BFB3113AC43A3B2633EC9494DCEE0 (tampered -- contains tampered file)
     4F8F49E4FC71142036F5788219595308266F06A6A737AC942048B15D8880364A (tampered -- contains tampered file)
     E338C420D9EDC219B45A81FE0CCF077EF8D62A4BA8330A327C183E4069954CE1 (tampered -- contains tampered file)
     3C0BC541EC149E29AFB24720ABC4916906F6A0FA89A83F5CB23AED8F7F1146C3 (tampered -- contains tampered file)
     A3E619CD619AB8E557C7D1C18FC7EA56EC3DFD13889E3A9919345B78336EFDB2 (tampered -- contains tampered file)
     :Mostly resolved
     *resolved*:
     1A4A5123D7B2C534CB3E3168F7032CF9EBF38B9A2A97226D0FDB7933CF6030FF (tampered -- contains tampered file, but not known to be otherwise modified)
     6F7840C77F99049D788155C1351E1560B62B8AD18AD0E9ADDA8218B9F432F0A9 (tampered, contains payload)
     276936C38BD8AE2F26AAB14ABFF115EA04F33F262A04609D77B0874965EF7012 (tampered -- contains tampered file, but not known to be otherwise modified)
     36B36EE9515E0A60629D2C722B006B33E543DCE1C8C2611053E0651A0BFDB2E9 (tampered, contains payload)
     :*resolved* -- these have been answered
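Posts 1, 7 and 14 together describe the two checks a defender would actually run after this incident: compare file hashes against the published tampered set, and look at who signed the binaries and whether that certificate has since been revoked. The script below is an added example, not code from the forum or from Piriform, that does both in one pass over a folder. It assumes Windows PowerShell 5.1 or PowerShell 7, a folder path you supply (the default is an assumption), and it takes the SHA-256 values and the revoked thumbprint verbatim from the posts above (only the hashes the post marks as carrying a payload, or as resolved tampered files, are included). The chain check uses .NET's X509Chain with online revocation so that it does not depend solely on Windows' own signature verdict.

```powershell
# Added example (not from the posts): scan a folder for the tampered CCleaner /
# CCleaner Cloud binaries listed above and inspect their Authenticode signers.
# Assumptions: default $Path is a guess; hashes and thumbprint copied from the page.

param(
    [string]$Path = "$env:ProgramFiles\CCleaner"   # assumed location; adjust as needed
)

# SHA-256 values quoted in post 14 as tampered.
$TamperedSha256 = @(
    '6F7840C77F99049D788155C1351E1560B62B8AD18AD0E9ADDA8218B9F432F0A9',   # contains payload
    '36B36EE9515E0A60629D2C722B006B33E543DCE1C8C2611053E0651A0BFDB2E9',   # contains payload
    '1A4A5123D7B2C534CB3E3168F7032CF9EBF38B9A2A97226D0FDB7933CF6030FF',   # contains tampered file
    '276936C38BD8AE2F26AAB14ABFF115EA04F33F262A04609D77B0874965EF7012',   # contains tampered file
    '0D4F12F4790D2DFEF2D6F3B3BE74062AAD3214CB619071306E98A813A334D7B8',   # contains payload?
    '9C205EC7DA1FF84D5AA0A96A0A77B092239C2BB94BCB05DB41680A9A718A01EB',   # contains payload?
    'BEA487B2B0370189677850A9D3F41BA308D0DBD2504CED1E8957308C43AE4913'    # contains payload?
)
# SHA-1 thumbprint of the revoked code-signing certificate quoted in post 7.
$RevokedThumbprint = 'F4BDA9EFA31EF4A8FA3B6BB0BE13862D7B8ED9B0'

function Test-CodeSigningChain {
    # Builds the signer's chain with online CRL/OCSP checking and returns the
    # status flags as strings (an empty result means the chain built cleanly).
    # Note: the chain is evaluated at the current time, so an expired signer
    # (Not After Oct 2018 for the cert above) also reports NotTimeValid.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $null = $chain.Build($Cert)
    return @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
}

Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll, *.msi -File | ForEach-Object {
    $file = $_
    $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash   # upper-case hex
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName

    $result = [ordered]@{
        File            = $file.FullName
        Sha256          = $hash
        KnownTampered   = $TamperedSha256 -contains $hash
        SignatureStatus = $sig.Status            # Windows' verdict: Valid, NotSigned, HashMismatch, ...
        Thumbprint      = $null
        RevokedSigner   = $false
        ChainStatus     = @()
    }
    if ($sig.SignerCertificate) {
        $result.Thumbprint    = $sig.SignerCertificate.Thumbprint
        $result.RevokedSigner = $sig.SignerCertificate.Thumbprint -ieq $RevokedThumbprint
        $result.ChainStatus   = Test-CodeSigningChain -Cert $sig.SignerCertificate
    }
    [pscustomobject]$result
} | Where-Object { $_.KnownTampered -or $_.RevokedSigner -or ($_.ChainStatus -contains 'Revoked') } |
    Format-List
```

Only files that match a listed hash, are signed by the revoked certificate, or whose chain comes back with a Revoked status are printed; drop the final Where-Object to see every file. A hash match is the decisive indicator; the signature checks matter for files not on the list, because a binary can be signed with a now-revoked certificate and still show Windows' "Valid" status when the signature carries a trusted timestamp from before the revocation date.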