Jump to content
CCleaner Community Forums


Experienced Members
  • Content Count

  • Joined

  • Last visited

Everything posted by NonConvergentWaveform

  1. 7-zip can do it in the context menu (does SHA-1 and SHA-256, but not md5 -- but who uses md5 any more these days?) Sigcheck from sysinternals can also do it (command line only). It also does a better job of checking digital signatures than the windows interface.
  2. Ok, I understand now. It won't let you mange load on start commands specific to your account (which you should have control over as a non-admin) and when it makes you elevate to admin (run as another user) it no longer shows start up items specific to your account. You should have enough rights to manage almost everything that only loads under your account, but ccleaner (wrongly?) assumes you don't and makes you run as admin (elevate). Can you post some screenshots of this?
  3. Open a command prompt like you were going to launch the program from the command line. Run this command: set __COMPAT_LAYER=RUNASINVOKER Then try to run CCleaner via that command prompt window. This will suppress it from trying to run as admin. I have not tried this my self for ccleaner but it has worked for other programs.
  4. Nothing is, driving for example. But these attackers had 600,000+ computers they could infect, the chose only 20 (at various large businesses) so they could steal from them. They'd have to be pretty stupid to try to infect ccleaner again (with all the scrutiny), they may have already stolen what they wanted (or not) if they attack again it will be in a new an surprising way, maybe similar maybe not. Want a safety net? Wait 4 months after you download something to install it (and scan it before you do). As long as the program has no critical security updates this will give other a chance to
  5. Weird, I wonder would could have garbled / set to deny the NTFS permissions?
  6. I see. I guess since this process signs installers in real time (with user adjustments like install times limits, and installer expiration) more care is needed to re-implement then simply swapping out the key. I wasn't sure if this overlooked since it didn't seem to be documented anywhere.
  7. Thumprint(SHA1) F4BDA9EFA31EF4A8FA3B6BB0BE13862D7B8ED9B0 Serial Number: 4B48B27C8224FE37B17A6A2ED7A81C9F Not Before: Aug 12 00:00:00 2015 GMT Not After : Oct 10 23:59:59 2018 GMT Revocation Status : Revoked on <‎Tuesday, ‎September ‎19, ‎2017> Signing Time: 10/5/2017 11:44 PM agent_installer.msi Signing Time: 9/13/2017 4:30 PM CCleanerCloudAgent.exe Signing Time: 9/13/2017 4:30 PM CCleanerCloudAgent.exe Signing Time: 9/13/2017 4:30 PM CCleanerCloudHealthCheck.exe
  8. I wouldn't trust that drive, get your data backed up. It lost 161 sectors (which may or may not have contained something important) and replaced them with spares. There's one sector it can't read right now (not replaced with a spare). And there were (or are) 6 sectors that not only it can't read, it can't even figure out where they are located on the disk surface. This drive should have failed a SMART self test in the past (if one was ever run by the user), and should still fail even now (it will start passing if it reallocates some bad sectors, but that's no reason to start trusting th
  9. I'm not sure about the rest of them, but the "Run As Administrator" is doing exactly what one would expect. Every time you run it (not even trying to run as admin) it tries to run as admin, which means it prompts you. The only way to bypass this is the scheduled task (which I think is an option in the program).
  10. For this threat there was little or no distinction between the portable version and the installed version. Since you didn't specific details as to your usage I am making a few guesses. You used the 32-bit version out of the portable package "CCleaner.exe" vs "CCleaner64.exe", you did so before September 16th, you were connected to the internet at the time. Which means it's possible for stage 2.
  11. The registry traces are irrelevant, they only traces left behind by early stage malware action. After the fact they are just traces. Worry about the intruder, don't worry about his footprints. The registry traces don't try to connect to the (offline) malware server, the program itself does. If you didn't leave behind the portable version it isn't still trying to connect to the disabled malware server.
  12. Depends on which version you used, when you used it, and if the computer had an internet connection at the time. Refer back to this rough outline from my previous post: https://forum.piriform.com/index.php?showtopic=48869&page=11&do=findComment&comment=286985 Also an update the second line labeled "Note A1" appears to be improbable. For the portable version you can ignore anywhere it says "installed".
  13. No, I was trying to get direct clear answers about all the files tied to this incident (not just that they were related to this issue, how they were related). I think I have most of my questions answered most of the way as of my last post. I was trying to rule out #2 to some extent and to be clear on which files were affected so one could tell for sure if they were affected. I still wonder a little bit about the auto update prompt getting stuck on even in the free version right before this incident. Anyway, thank you for your time and sorry to bother you with questions I wanted to get
  14. It appears that "CCleanerCloudAgent.exe" is the main exe file for that version. But it seems that all 3 of the internal programs that come CCleanerCloud were infected including "CCleanerCloudAgentHealtCheck.exe" and "CCleanerCloudTray.exe". Apparently the payload in the cloud version was created slightly later and was adjusted to run even without administrative privileges. I wonder when the bug that caused all version to prompt to auto-update regardless of the setting (even the free version -- which doesn't auto update) was introduced? SHA256 hash of files I am only wondering about:
  15. If the only file "CCleaner.exe" 32-bit (which we know there are two) was all that was messed with (and ignoring the installers which contain said files), then what is going on with (for example) "CCleanerCloudHealthCheck.exe" which is not an installer, not "CCleaner.exe" 32-bit, and is also in your opinion "bad". "Don't worry, only CCleaner.exe 32-bit is tampered with, if you didn't run it you are fine, there are no other tampered files, well expect for some other files (maybe.. or not) just ignore those."This is the answer I feel I have now, which doesn't seem to close the case.
  16. Only the 32-bit version was tampered, yet multiple files are listed in the blog post. Files one would think are fine and not messed with. Yet they are listed in the blog post and have detections on VT Which is right: CCleaner.exe 32-bit (and installer containing it) Variant A CCleaner.exe 32-bit (and installer containing it) Variant B and possibly some other installers also containing A or B are therefore flagged. OR Other files other than CCleaner.exe 32-bit (excluding installers) are compromised such as: CCleanerCloudHealthCheck.exe 9C205EC7DA1FF84D5AA0A96A0A77B092239C2BB
  17. Doesn't pop up a warning if you got to the http (not https) version of the site. Which is what I assume the members of that site are doing since they posted there as recently as yesterday. It's a normal forum with normal users which formerly had an SSL certificate. The certificate lapsed (I guess they didn't need it / too expensive) and they didn't renew it.
  18. I'm not sure why we are afraid of this site more than any other site on the internet. After all it is hosted on the same computer that runs this forum. Which brings me back to my question, what's with that? I mean it's not like they separate virtual instances, it would seem certain that Apache instance hosting both websites has access to the private keys for both of the SSL certificates. This implies that the owner of one fully trusts the other or that there is only one owner.
  19. It seems your hard drive, the port it is plugged into or the power that it is getting, or the disk surface/heads, or the controller card on the drive (pick one or more) are/is totally messed up. You need professional level data recovery services if you want your data back. The messing around you've done with the drive since your first found that it wasn't working may have eliminated any chance that even the pros can get your data back (then again it doesn't look too good to begin with). Common prices for professional data recovery services could be $500 - $5000 USD. Some may offer a "no da
  20. It appears to still be active (aside from the SSL cert expiring): hxxp://beetleforum.net/forums/
  21. It seems to be exactly what I though, your drive's controller card is not reading from the disk and is indicating zero size. That's why when you tried to erase some of the data from drive (which you did in my above quote of you) it was unable to do so because your drive is zero sectors in size. Post a screen shot from your device manager, it should confirm that the controller card on the hard drive is as good as detached from the drive assembly.
  22. That info came from the blog post from avast and a little bit of research about which files(installers) contain which files. My question on that thread was answered. (hurray!) Variant A was the release build, Variant B was a in house test build which is sometimes made. (both were, of course tampered with) "From time to time we build a second set of binaries for testing purposes" All my info comes from official posts, info from talos, or direct first hand info (I have one or more tampered files which are digitally signed by piriform) SHA256 hash of files I am (still) asking about
  23. Yea, the SSL cert is expired, not really a shocking concern. Also that website is hosted on the same IP as this forum and this forum website is handing out that cert (which your browser ignores because it also gives a valid cert). It's hosted (more or less) at piriform, so I wasn't thinking it was unsafe.
  • Create New...