CCleaner Community Forums

Everything posted by NonConvergentWaveform

  1. 7-Zip can do it in the context menu (does SHA-1 and SHA-256, but not MD5; but who uses MD5 anymore these days?). Sigcheck from Sysinternals can also do it (command line only). It also does a better job of checking digital signatures than the Windows interface.
  2. Weird, I wonder what could have garbled / set to deny the NTFS permissions?
  3. For this threat there was little or no distinction between the portable version and the installed version. Since you didn't give specific details as to your usage, I am making a few guesses: you used the 32-bit version out of the portable package ("CCleaner.exe" vs "CCleaner64.exe"), you did so before September 16th, and you were connected to the internet at the time. Which means stage 2 is possible.
  4. The registry traces are irrelevant; they are only traces left behind by early-stage malware action. After the fact they are just traces. Worry about the intruder, don't worry about his footprints. The registry traces don't try to connect to the (offline) malware server; the program itself does. If you didn't leave behind the portable version, it isn't still trying to connect to the disabled malware server.
  5. Depends on which version you used, when you used it, and if the computer had an internet connection at the time. Refer back to this rough outline from my previous post: https://forum.piriform.com/index.php?showtopic=48869&page=11&do=findComment&comment=286985 Also, an update: the second line, labeled "Note A1", appears to be improbable. For the portable version you can ignore anywhere it says "installed".
  6. It comes back to a company called "Fastly" in San Francisco, CA. They are listed only by a PO Box. Their allocation is named "SKYCA-3". Never heard of them. https://whois.arin.net/rest/net/NET-151-101-0-0-1/pft?s=151.101.112.64
  7. If you are on 64-bit Windows, be sure to check the 32-bit registry: if a 32-bit program wrote to HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo and you checked it with regedit, it would actually end up here: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Piriform\Agomo
  8. As long as the 2nd-stage virus (and any other viruses it downloaded later) didn't delete that key and/or itself before you checked.
     Didn't run CCleaner v5.33.0.6162 (or CCleaner Cloud v1.7.0.3191) at any point = not infected
     Installed but didn't run CCleaner v5.33.0.6162 (or CCleaner Cloud v1.7.0.3191) before September 16th = not infected (this assumes the installer doesn't run the main exe files at all after installing)
     Installed and ran CCleaner v5.33.0.6162 before September 16th, but firewall rules denied CCleaner.exe all network access = not infected
     Installed and ran CCleaner v5.3
  9. You can read the full article here: https://blog.avast.com/update-to-the-ccleaner-5.33.6162-security-incident Tom
     So what would prevent the malware server (which the infected CCleaner told what software we are running) from NOT deploying phase/stage 2 to ANY of those computers running Avast?
  10. Right--2 leftover registry Trojans---Malwarebytes listed them as "Trojans". I'll be running a deep scan real soon---hoping it doesn't find any more crap.
      Traces FROM Trojans. A burglar's footprint is FROM a burglar, but it can't steal your TV. Don't worry about how to remove his footprint from the mud; worry about what his friend (that he invited) was doing hiding in your house for the last month.
  11. MD5: ef694b89ad7addb9a16bb6f26f1efaf7 = CCleaner.exe (32-bit 5.33.6162)
      SHA-256: 6F7840C77F99049D788155C1351E1560B62B8AD18AD0E9ADDA8218B9F432F0A9
      Signing date 8/3/2017 10:42 AM
      By "2 active Trojans" you mean 2 leftover registry traces? That hardly counts. What counts is the stage/phase 2 download that the attacker only did on some machines (targeted attack) that no one is talking about or has a good sample of. No idea what it does or if it exists.
  12. No, it can't be. Check the version number. Also, the clean version wasn't digitally signed and released 16 minutes later on 8/3/2017.
  13. Can you/Piriform clarify why there is a second build of "5.33.6162" signed 16 minutes later? Why was this second copy created? What changed? Is it typical to ever build and sign a second copy of the software (and installer)? (Or not to change the build number?)
      ccsetup533.exe SHA-256 1A4A5123D7B2C534CB3E3168F7032CF9EBF38B9A2A97226D0FDB7933CF6030FF Signing date 8/3/2017 10:43 AM
      CCleaner.exe (32-bit 5.33.6162) SHA-256 6F7840C77F99049D788155C1351E1560B62B8AD18AD0E9ADDA8218B9F432F0A9 Signing date 8/3/2017 10:42 AM
      ccsetup533.exe SHA-256 276936C38BD8AE2F26AAB14ABFF115EA
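The checks the posts above keep coming back to are (a) hashing and signature-checking the CCleaner binary and (b) looking for the Piriform\Agomo key in both the 64-bit and the 32-bit (Wow6432Node) registry views. The following PowerShell is an added example, not code from the forum thread, Piriform or Avast. It assumes a default install path for the 32-bit binary; the SHA-256 it compares against is the value the poster lists for CCleaner.exe (32-bit 5.33.6162).

```powershell
# Added example, not from the forum thread or from Piriform/Avast.
# Triage helpers for the two checks discussed in the posts: hash/signature of
# the CCleaner binary, and the Agomo key in BOTH registry views (a 32-bit
# writer on 64-bit Windows lands under Wow6432Node).

# Assumed default location of the 32-bit binary (adjust for a portable copy).
$DefaultCCleanerPath = 'C:\Program Files\CCleaner\CCleaner.exe'

# SHA-256 quoted in the thread for CCleaner.exe (32-bit 5.33.6162).
$KnownBadSha256 = '6F7840C77F99049D788155C1351E1560B62B8AD18AD0E9ADDA8218B9F432F0A9'

function Test-CCleanerBinary {
    param([string]$FilePath = $DefaultCCleanerPath)

    if (-not (Test-Path -LiteralPath $FilePath)) {
        return [pscustomobject]@{ Path = $FilePath; Present = $false }
    }

    $hash = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $FilePath
    $ver  = (Get-Item -LiteralPath $FilePath).VersionInfo

    [pscustomobject]@{
        Path            = $FilePath
        Present         = $true
        FileVersion     = $ver.FileVersion
        Sha256          = $hash
        MatchesKnownBad = ($hash -ieq $KnownBadSha256)
        SignatureStatus = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer          = $sig.SignerCertificate.Subject
        Timestamped     = ($null -ne $sig.TimeStamperCertificate)
    }
}

function Get-AgomoRegistryKeys {
    # Open HKLM explicitly through each WOW64 view so a key written by a
    # 32-bit process is found even when this script runs as a 64-bit process.
    foreach ($viewName in 'Registry64', 'Registry32') {
        $view = [Microsoft.Win32.RegistryView]$viewName
        $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        $key  = $hklm.OpenSubKey('SOFTWARE\Piriform\Agomo')

        $names = if ($key) { $key.GetValueNames() } else { @() }
        [pscustomobject]@{
            View    = $viewName
            Present = ($null -ne $key)
            Values  = $names
        }

        if ($key) { $key.Close() }
        $hklm.Close()
    }
}

Test-CCleanerBinary | Format-List
Get-AgomoRegistryKeys | Format-Table -AutoSize
```

Get-AuthenticodeSignature tells you whether the file is signed, by whom and whether it was countersigned with a timestamp, but it does not print the signing time the posts compare; for that, run Sigcheck from Sysinternals against the same file, as the first post suggests. The registry function reads HKLM only, so it does not need an elevated prompt.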