NonConvergentWaveform

Right--2 leftover registry Trojans---Malwarebytes listed them as "Trojans". I`ll be running a deep scan real soon---hoping it does`nt find anymore crap. Traces FROM Trojans. A burglar's footprint is FROM a burglar, but it can't steal your TV. Don't worry about how to remove his footprint from the mud, worry about what his friend (that he invited) was doing hiding in your house for the last month.

MD5: ef694b89ad7addb9a16bb6f26f1efaf7 = CCleaner.exe (32-bit 5.33.6162) SHA-256: 6F7840C77F99049D788155C1351E1560B62B8AD18AD0E9ADDA8218B9F432F0A9 Signing date 8/3/2017 10:42 AM By "2 active Trojans" you mean 2 left over registry traces? That hardly counts. What counts is the stage/phase 2 download that the attacker only did on some machines (targeted attack) that no-one is talking about or has an good sample of. No idea what it does or if it exists.

No, it can't be. Check the version number. Also the clean version wasn't digitally signed and released 16 minutes later on 8/3/2017.

Can you/piriform clarify why there is a second build of "5.33.6162" signed 16 minutes later? Why was this second copy created? What is changed? Is it typical to build and sign a second copy of the software (and installer) at ever? (or not to change the build number?) ccsetup533.exe SHA-256 1A4A5123D7B2C534CB3E3168F7032CF9EBF38B9A2A97226D0FDB7933CF6030FF Signing date 8/3/2017 10:43 AM CCleaner.exe (32-bit 5.33.6162) SHA-256 6F7840C77F99049D788155C1351E1560B62B8AD18AD0E9ADDA8218B9F432F0A9 Signing date 8/3/2017 10:42 AM ccsetup533.exe SHA-256 276936C38BD8AE2F26AAB14ABFF115EA04F33F262A04609D77B0874965EF7012 Signing date 8/3/2017 10:59 AM CCleaner.exe (32-bit 5.33.6162) SHA-256 36B36EE9515E0A60629D2C722B006B33E543DCE1C8C2611053E0651A0BFDB2E9 Signing date 8/3/2017 10:58 AM Also since the malware (when talking to the malware server when it was up for weeks) sends a list of running software couldn't the malware authors have chosen NOT to deploy malware phase/stage 2 (or to deploy different malware) on the basis of which anti-virus (if any) was installed or any of a large number of system specific criteria? How would you know what stage/phase 2 malware was deployed (under the control of the malware author on the basis of system data send via the trojan) if the malware author chose not to deploy it to systems with avast installed? Was the malware server captured for examination? I understand that it is (probably) in the USA. Clues from it could be reveling/handy.