login123

Hi, NonConvergentWaveform. All the questions in your post #14 are already answered, as I think you already know. The questions about Variant A & Variant B were answered in a post you started, read, and acknowledged here: https://forum.piriform.com/index.php?showtopic=48916&hl= The question about CCleanerCloudHealthCheck was answered in post #9 above. As far as the existence of "Files one would think are fine and not messed with" that issue is rendered moot by the information you have already read. In other words, it doesn't matter a whit what one thinks. If Virustotal says a file is bad it is. If a virus checker flags it, it is bad. I tell my friends and family this. For any other files in question, perform a malware check using a quality antivirus, or a quality online scanner, or go here and read item #10: https://forum.piriform.com/index.php?showannouncement=15&f=5 I don't work for Piriform, or Avast, but I have some time available, so have followed this pretty closely. I think it's time to realize that this malware has been brought under control. These folks have been remarkably open and above board about it. Any suggestion that there are other malicious files floating around is not supported by presently available evidence. EDIT 05 Oct 17: Should make it clear that my comments do not apply to the big organizations like Microsoft & Cisco that may have been target by later stages of this malware. Those folks have been contacted by Piriform & Avast to make sure they are OK.

All those hashes listed in post #12 are listed, identified, and classified in the Avast blog linked in post #9. All except one give a result on Virustotal, that one has no matches just now. What other information do you seek?

Way too technical for me. I just know if a site pops a warning I don't go there.

Hi, mrdimly. Don't mean to butt in, but the moderators & admins are probably pretty busy right now. If you go see the post linked below it will lead you to a list of the hashes for the infected files, about three quarters down the page. Also, it's recommended to delete any infected installers. You probably wouldn't run them but someone else might. https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident

Be careful. When I click on that link in post #11, it pops a warning for insecure connection. Imho it should not be a live link.

It's pretty well answered in post #4 above, but just for grins I checked those hashes, can't sleep anyway. To be fair to NonConvergentWaveform, there has been a LOT of confusing stuff written, 32 bit vs 64 bit vs 1 stage vs 2 stage, etc yada yada. I think it's a bunch simpler than that but can't say so for sure so won't.

All those hashes and some others are listed in this Avast blog, they all come back bad. They are all associated with ver 5.33.6162 or Agomo. They are also searchable at Virustotal except for one. https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident The Avast blog entry is already posted on this forum at: https://forum.piriform.com/index.php?showtopic=48869&page=11#entry286957

Bless you, Andavari. Now I can follow you, and see if Kas will work on xp here... Have been looking for a replacement for Avast.

As of 2017-09-24 00:29:04 UTC Bitdefender did not find my copy of ccsetup535.exe to be infected. ESET did flag it for the google toolbar bundled with it. https://www.virustotal.com/en/file/85d5309373cd1713eeb2416b4767c653e96a9e9cef3689dbb8f548cd23494319/analysis/1506212944/ Sha 256 for that file is 85d5309373cd1713eeb2416b4767c653e96a9e9cef3689dbb8f548cd23494319

Strolling through this topic one reads posts that communicate uncertainty about this situation. As there are two and a quarter million people potentially affected, it would be good to provide peace of mind. Quite likely Piriform is not keeping its head down nor dragging its feet, but rather is waiting to be certain before speaking. It would be really great if Tom Piriform would edit that first post with a prominent line about "How to be sure your computer is fixed". Or maybe someone would create a standalone locked sitcky by that name. Simple stuff, like "Here's how to fix this infection if you think you have it." AND (not or) something about "Here's how to manually verify that it is fixed". What to look for in the registry, what DLLs to look for, etc. Just my opinion, as a NTTMM (Not Too Tekkie Mere Mortal).

I have a file called ccsetup533.exe which was downloaded on 08 sep 17 with these hashes as computed by Nirsoft's HashMyFiles. md5: 75735db7291a19329190757437bdb847 sha256:1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff Avast alarms on this file and also on the slim version and the portable version downloaded the same date. Just an FYI.

Tried to put the exe file down in program files and associate GIFs to it, didn't work. Anyway, Virustotal shows that 8 engines detect it as malware. I think its a false positive, but . . . should have checked that first. Doesn't really worry me a bit but if I wasn't "shadowed" it would. Still searching my VAST ARCHIVES of obsolete or useless software for a viable candidate. ----- edit: Nothing here that you couldn't find and experiment with for yourself.

Hazelnuts post below leads to an exe file that works here on win xp. Author says it works on win 7, I haven't tried that I did scan it w/ Avast, seems OK. Hazelnuts post: https://forum.piriform.com/index.php?showtopic=32595&page=3&do=findComment&comment=195574 goes to post #3 where there is a download link https://www.sevenforums.com/music-pictures-video/39095-animated-gifs-windows-photo-viewer.html The download link goes to https://docs.google.com/file/d/0B3H6-TZ2sGreQ3ZoVGR5ejZpTzQ/edit

attachment removed per member request

What sort of threats? I ask because you might have been scammed. If that is possible, go here and look at rule #10. https://forum.piriform.com/index.php?showannouncement=15&f=5

Also, be sure you downloaded CCleaner from the official site. http://www.piriform.com/

Thanks, Hazelnut & Trium. Ver 1.13.8 is working perfectly here on win xp for two portable browsers, Firefox 48.0.1 & Seamonkey 2.46.

Thanks, Andavari, I already have net 4.0. Also, will back everything up. OK, another oddity to consider. Avast updates here are now set to manual, so I tried a manual definitions update and it worked as usual. Later tried right clicking on the tray icon. That worked also, showed "already up to date". Now if that will just work with Powershadow off . . .

@ trium. I think something is wrong with the update mechanism. Maybe the wide scope of the problem will make them fix it quicker. Eventually they will fix it, imho. In the meantime this system is running without updates, but is "shadowed" so maybe any nasties will be deleted on restart.

" all relevant info as usual" . . . :lol: Yep, regular chatterbox, I guess. Just wanted to give all the clues I could think of. Thanks for that link. We'll see what happens here and there. Noticed that this problem has occurred several times over the years, and affects win xp thru win 10, but not everyone. The only pattern I saw was that most of the posters were XP'ers and only fewer used later OSs. @ Andavari, thanks. I knew you didn't use Avast, but others on here do (I sent a PM) and if they aren't "shadowed" when that update starts it will cause a bit of trouble. I may give Panda a try.

Starting a couple of days ago the updater for Avast started behaving very oddly, now it just sort of gums up, turns Avast off, and stops. I have lots of documentation & pictures, wanna see'em? Huh, do ya, huh, huh, do ya? There are quite a few references around the net, nothing definitive. I have posted a problem description on their forum, nothing yet, but will continue to watch it. https://forum.avast.com/index.php?topic=207365.0 For now Avast auto updates are disabled. That stops the locking up. Pity, Avast was the only software that I ever allowed to auto update.

Thank you.

Thanks, Hazeelnut. Got it. Is it running well on xp also? Waiting now for the portable version.

Thank you, Nergal. Worked perfectly. Took all of one minute.

Seamonkey 2.46 portable seems quite fast here on win xp. Is there any quick & easy way to import bookmarks from IE into Seamonkey? The help instructions don't work here. The only way I can find is to manually make new bookmark folders and copy / paste each url. Thanks in advance.