
silvergs


Posts posted by silvergs

  1. CCleaner uninstall DOES NOT remove these entries from the BITS client. In addition, when looking at the user that created the AvEmUpdate BITS task, I came across one created by a standard user and another created by NT AUTHORITY. What I am doing for now is stopping the BITS service and removing the qmgr files. This removes EVERYTHING from the BITS service and stops this from happening. It is concerning that we found this, and now we are searching our entire network for this condition.

  2. Ben,

    Yes, requests are being made, even though all Piriform products are uninstalled. Here is an imgur link to the wireshark'd traffic: https://imgur.com/a/BzdMm5P

     

    Doing more research, disabling Background Intelligent Transfer Service stops this from happening. Some job from ccleaner is stuck in BITS is my guess right now.

     

    More research. Finding the below PowerShell command. Feel confident I found the problem. Note we DON'T HAVE AVAST/AVG installed.

    PS C:\Windows\system32> Get-BitsTransfer -AllUsers

    JobId                                DisplayName          TransferType
    -----                                -----------          ------------
    2791a1e2-de68-4898-8b95-bc9f2ef59264 AvEmUpdate download  Download
    223e23b4-9f8c-4e73-91ef-ac203993e01b AvEmUpdate download  Download

  3. Don't have Lightroom or Illustrator. What is concerning is finding the pfBL.dll in the temp directory. When looking at the file it says Piriform. Also, these requests are only coming from two machines. If I reinstall ccleaner on another machine, I'm 99.9% sure I see it requesting ccupdate10.cab.

  4. Hello,

    Just recently we uninstalled ccleaner from a few machines. Watching traffic on our firewall, I am seeing two requests for ccupdate10.cab from the machines which we uninstalled ccleaner from. I'm 99.9% certain that this is a file that ccleaner requests. Why is this file still being requested? When looking for Piriform traces, I am finding pfBL.dll in our temp directories.
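
The posts above find leftover "AvEmUpdate download" BITS jobs and clear them by wiping the qmgr files, which removes every queued job. As an added example (not code from the thread or from Piriform), the PowerShell below lists each job with its owner and download URL and removes only the flagged ones. The function name `Get-BitsJobReport` and the two match patterns are assumptions built from the names quoted in the posts.

```powershell
# Added example, not from the thread. Run elevated: -AllUsers needs admin rights.
Import-Module BitsTransfer

function Get-BitsJobReport {
    param(
        # Jobs to inspect; defaults to every job queued on this machine.
        [object[]]$Job = (Get-BitsTransfer -AllUsers),
        # Assumed patterns, taken from the names quoted in the posts.
        [string]$NamePattern = 'AvEmUpdate',
        [string]$UrlPattern  = 'ccupdate'
    )
    foreach ($j in $Job) {
        # A job can hold several files, or none if it was created but never filled.
        $files = @($j.FileList)
        if ($files.Count -eq 0) { $files = @($null) }
        foreach ($f in $files) {
            [pscustomobject]@{
                JobId     = $j.JobId
                Name      = $j.DisplayName
                Owner     = $j.OwnerAccount
                State     = $j.JobState
                Created   = $j.CreationTime
                RemoteUrl = $f.RemoteName
                LocalFile = $f.LocalName
                Suspect   = ($j.DisplayName -match $NamePattern) -or
                            ($f.RemoteName -match $UrlPattern)
            }
        }
    }
}

$report = Get-BitsJobReport
$report | Sort-Object Owner, Created | Format-Table -AutoSize

# Delete only the flagged jobs. -WhatIf previews the removal; drop it to apply.
$ids = $report | Where-Object Suspect | Select-Object -ExpandProperty JobId -Unique
Get-BitsTransfer -AllUsers |
    Where-Object { $ids -contains $_.JobId } |
    Remove-BitsTransfer -WhatIf
```

The `Owner` and `RemoteUrl` columns show which account queued each job and what it is trying to fetch, which is the information needed before deciding whether a job is a leftover updater or something else.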
