guest11 Posted September 22, 2017 ID:1166294 Share Posted September 22, 2017 Hello, earlier this week during a threat scan MB alerted me that it detected this trojan in CCleaner and it's installer. I've quarantined the files, but is that enough? Should I also delete them? I'm also worried that my computer may not be totally clean, I've attached the FRST logs below. I've read a lot about it before posting here, but different sites give different info. One says if you're using 64-bit and the registry key (I can't remember what it was exactly) is absent, then you're clean. Another site says it installs a fileless virus and corrupts files and that you need to restore your computer to an early point or reset to factory condition and change all passwords from another computer or phone. I've only ever run the 64-bit version of CCleaner, but I understand the code was also in the installer. Was there a keylogger component to the virus that I need to change log ins? Is there anything else I need to look for? Thank you. Addition.txt FRST.txt Link to post Share on other sites More sharing options...
guest11 Posted September 27, 2017 Author ID:1167626 Share Posted September 27, 2017 Sorry to push this back up, but it's been 5 days and I haven't received a response.. The Malwarebytes Lab says that this infection changes legitimate files that can't be repaired with MB. Can anyone tell me which files these are? Link to post Share on other sites More sharing options...
Aura Posted September 27, 2017 ID:1167639 Share Posted September 27, 2017 Hi guest11 Since you're running Windows 64-bit, you shouldn't have been affected by the malicious payload that was embedded in CCleaner v5.33. Though we can check if the Agomo key is present or not on your system to confirm. Farbar Recovery Scan Tool (FRST) - Registry Search Follow the instructions below to download and execute a Registry search on your system with FRST, and provide the log in your next reply. Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users) Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds In the Search text area, copy and paste the following:Agomo Once done, click on the Search Registry button and wait for FRST to finish the search On completion, a log will open in Notepad. Copy and paste its content in your next reply Link to post Share on other sites More sharing options...
guest11 Posted September 28, 2017 Author ID:1167854 Share Posted September 28, 2017 Thank you for your response. I ran the scan and this is what came up: ================== Search Registry: "Agomo" =========== ====== End of Search ====== I did run the installer which was also labeled as infected. Is there any need to change log in passwords or router password? And is keeping the infected files in quarantine better, or should I just delete them? And finally, is using the add/remove program feature ok to remove the rest of the CCleaner files? Sorry for all the questions, but this is the first time MB has caught something like this on my system, and I'm seeing different advice from different security experts, some saying if the key isn't there you're ok, some saying that you have to restore to an earlier date or even completely restore to factory condition. Link to post Share on other sites More sharing options...
Aura Posted September 28, 2017 ID:1167893 Share Posted September 28, 2017 As suspected, you weren't hit by the malicious payload embedded in the CCleaner v5.33 installer. There is no need to change your passwords, or your router password. Files placed in quarantine are harmless. You can delete them if you wish. And uninstalling CCleaner normally will do the job. Link to post Share on other sites More sharing options...
guest11 Posted September 29, 2017 Author ID:1168150 Share Posted September 29, 2017 Thank you for your help. The reason I ask about the log ins and router password is because some of them were changed during the time I had the infected version of CCleaner installed. Link to post Share on other sites More sharing options...
Aura Posted September 29, 2017 ID:1168186 Share Posted September 29, 2017 I doubt these were caused by Floxif, since your system wasn't affected by it. Link to post Share on other sites More sharing options...
Aura Posted October 2, 2017 ID:1168903 Share Posted October 2, 2017 Hi guest11, Are you still with me? Link to post Share on other sites More sharing options...
guest11 Posted October 2, 2017 Author ID:1168977 Share Posted October 2, 2017 Hi, sorry about the delay. No, the password changes were because of a hardware/software conflict that has been resolved. I was concerned since it happened after the installer was run and the bad version of CCleaner was on my computer it could have caused some sort of damage. So you would say I could log in to accounts without changing passwords, online shopping, etc without worry? Link to post Share on other sites More sharing options...
Aura Posted October 2, 2017 ID:1168997 Share Posted October 2, 2017 You can, yes. There's nothing to worry about Link to post Share on other sites More sharing options...
guest11 Posted October 4, 2017 Author ID:1169561 Share Posted October 4, 2017 Thank you very much for your help, you can close this topic. Link to post Share on other sites More sharing options...
Aura Posted October 4, 2017 ID:1169574 Share Posted October 4, 2017 No problem guest11, you're welcome! Stay safe Link to post Share on other sites More sharing options...
Aura Posted October 4, 2017 ID:1169575 Share Posted October 4, 2017 Glad we could help. :)If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts