Jump to content
CCleaner Community Forums


Experienced Members
  • Content Count

  • Joined

  • Last visited

Everything posted by NonConvergentWaveform

  1. Seems probable. Then again the info came from a server under the attacker's control. I'd be interested in what the attacker was doing at piriform all the time he had control, and if it is normal to compile another copy of ccleaner again only 16 minutes later. The files I am asking about were built, digitally signed, packaged into an installer, and digitally signed again at piriform. Somehow the attacker tampered with that process. I was asking for more info about the normal build process too. Someone should know about one or both of those procedures. I'm not sure what you are askin
  2. There seems to be a lot of missing information. I asked here why there are two infected builds made just minutes apart. No answer. This blog post mentions files one would think are innocent (not tampered) as indicators of compromise (IOCs). I just want to get correct and accurate answers so that others who are asking (directly and indirectly) can be given full and complete answers. Instead we have to resort to educated guesses (some of which were thankfully confirmed) and lingering uncertainty.
  3. Tampered with in the recent ccleaner malware issue. Aka infected. There were several versions of ccleaner released that were infected, most had an installer. Example: CCleaner setup v5.33.0.6162 contains among other things: ccleaner (32-bit) ccleaner (64-bit) ccleaner (32-bit) = tampered (file has been tampered with by the bad guys) ccleaner (64-bit) = untampered (file is as intended by the author) CCleaner setup v5.33.0.6162 = associated with tampered file (contains ccleaner 32-bit v5.33.0.6162) I'm trying to determine which files were actually tampered with and which file
  4. Can you classify this files into: tampered untampered associated(packaged in the same installer, etc..) with tampered file, but not in itself tampered Also the default file name. SHA256 hash of files I am asking about: A013538E96CD5D71DD5642D7FDCE053BB63D3134962E2305F47CE4932A0E54AF 276936C38BD8AE2F26AAB14ABFF115EA04F33F262A04609D77B0874965EF7012 BD1C9D48C3D8A199A33D0B11795FF7346EDF9D0305A666CAA5323D7F43BDCFE9 C92ACB88D618C55E865AB29CAAFB991E0A131A676773EF2DA71DC03CC6B8953E 04BED8E35483D50A25AD8CF203E6F157E0F2FE39A762F5FBACD672A3495D6A11 0564718B3778D91EFD7A9972E11852E29F88103A10CB8862C285
  5. So, what is hxxps://www.beetleforum.net and what does it have to do with piriform?
  6. It comes back to a company called "Fastly" in San Francisco, CA. They are listed only by a PO Box. Their allocation is named "SKYCA-3". Never heard of them. https://whois.arin.net/rest/net/NET-151-101-0-0-1/pft?s=
  7. I could almost read some of the file you attached... List the contents of c:\Users\ One way to do that (from command prompt): dir /a c:\Users\
  8. What is the name of the icon? Maybe it is not a shortcut but some sort of special file (like the recycle bin on the desktop that isn't really on the desktop).
  9. If you are on a windows 64-bit be sure to check the 32-bit registry as if a 32-bit program wrote to: HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo and you checked it with regedit it would actually end up here: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Piriform\Agomo
  10. Looks like someone independently discovered and fixed the mistake without mentioning it in this thread.
  11. Which post? The one asking for seemingly very relevant info? Or do you mean the post I quoted? (who's only content strangely explains that it shouldn't have existed in the first place...)
  12. I don't see this mistake, could you post a link? CCleaner64.exe - 64-bit CCleaner executable MD5: e6f5ad3fd6d0f64ec88357fc481a71ab SHA256: 06b27f68366f8d25a599c3ad8b1d23f18158f4edddee3174a22d3698089a8bc3
  13. As long as the 2nd stage virus (and any other viruses it downloaded later) didn't delete that key and/or itself before you checked. Didn't run CCleaner v5.33.0.6162 (or CCleanerCloud v1.7.0.3191) at any point = not infected Installed but didn't run CCleaner v5.33.0.6162 (or CCleanerCloud v1.7.0.3191) before September 16th = not infected (this assumes the installer doesn't run the main exe files at all after installing) Installed and ran CCleaner v5.33.0.6162 before September 16th, but firewall rules denied CCleaner.exe all network access = not infected Installed and ran CCleaner v5.3
  14. You'd have to use wireshark or a certificate testing site to see irrelevant certificates sent by the server, it's not a feature many (any?) browsers have. Also note: www.beetleforum.net = forum.piriform.com = Both sites are hosted on the same IP address.
  15. I'm open to non-staff input and speculation. Which ones did you encounter?
  16. Second SSL certificate (expired) being offered by the website forum.piriform.com (on port 443, standard port). Also it shares the IP address with forum.piriform.com. I figured it was some "owner's secondary interest" kind of thing.
  17. "Short answer, 'No, initialization shouldn't make the data unrecoverable' but probably won't make it any easier to recover either." Note that in this user's case the drive is showing up as 0 bytes. Maybe a controller failure, disk surface/head failure, or the firmware couldn't be read off of the platters.
  18. What is hxxps://www.beetleforum.net? Kind of an odd thing to find here at piriform...
  19. Can you clarify why there is a second build of "5.33.6162" signed 16 minutes later? Why was this second copy created? What is changed? Is it typical to build and sign a second copy of the software (and installer) ever? (or not to change the build number?) Is the malware different in version B? Does it connect to another server? Variant A: ccsetup533.exe SHA-256 1A4A5123D7B2C534CB3E3168F7032CF9EBF38B9A2A97226D0FDB7933CF6030FF Signing date 8/3/2017 10:43 AM CCleaner.exe (32-bit 5.33.6162) SHA-256 6F7840C77F99049D788155C1351E1560B62B8AD18AD0E9ADDA8218B9F432F0A9 Signing date 8/3/2017 10:42
  20. Initialize disk overwrites the MBR (and partition table) or GPT. I don't see how erasing the list of partitions on the disk is going to help with data recovery. If the MBR (and partition table) or GPT is corrupt windows will want to make a new one and assume the disk is blank so you can use it. That's not what he wants.
  21. I don't think he wants to erase or write to the disk, I think he wants his data back from the disk. Besides the drive is showing up with no media / zero size, something is way wrong.
  22. Looks like HD 0 is broken or something. Doesn't seem that the drive is functional. If you bring up the device manager and go to view->"devices by connection" and find your 2-3 hard drives what does it look like? Also for some unknown reason you have Disk 1 with an (empty) extended partition taking up most of the space. Extended partition is only necessary on MBR drives where you need MORE than 4 partitions.
  23. You can read the full article here: https://blog.avast.com/update-to-the-ccleaner-5.33.6162-security-incident Tom So what would prevent the malware server (which the infected ccleaner told what software we are running) from NOT deploying phase/stage 2 to ANY of those computers running avast?
  24. Right--2 leftover registry Trojans---Malwarebytes listed them as "Trojans". I`ll be running a deep scan real soon---hoping it does`nt find anymore crap. Traces FROM Trojans. A burglar's footprint is FROM a burglar, but it can't steal your TV. Don't worry about how to remove his footprint from the mud, worry about what his friend (that he invited) was doing hiding in your house for the last month.
  25. MD5: ef694b89ad7addb9a16bb6f26f1efaf7 = CCleaner.exe (32-bit 5.33.6162) SHA-256: 6F7840C77F99049D788155C1351E1560B62B8AD18AD0E9ADDA8218B9F432F0A9 Signing date 8/3/2017 10:42 AM By "2 active Trojans" you mean 2 left over registry traces? That hardly counts. What counts is the stage/phase 2 download that the attacker only did on some machines (targeted attack) that no-one is talking about or has an good sample of. No idea what it does or if it exists.
  • Create New...