Jump to content

NonConvergentWaveform

Experienced Members
  • Posts

    54
  • Joined

  • Last visited

Everything posted by NonConvergentWaveform

  1. 7-zip can do it in the context menu (does SHA-1 and SHA-256, but not md5 -- but who uses md5 any more these days?) Sigcheck from sysinternals can also do it (command line only). It also does a better job of checking digital signatures than the windows interface.
  2. Ok, I understand now. It won't let you mange load on start commands specific to your account (which you should have control over as a non-admin) and when it makes you elevate to admin (run as another user) it no longer shows start up items specific to your account. You should have enough rights to manage almost everything that only loads under your account, but ccleaner (wrongly?) assumes you don't and makes you run as admin (elevate). Can you post some screenshots of this?
  3. Open a command prompt like you were going to launch the program from the command line. Run this command: set __COMPAT_LAYER=RUNASINVOKER Then try to run CCleaner via that command prompt window. This will suppress it from trying to run as admin. I have not tried this my self for ccleaner but it has worked for other programs.
  4. Nothing is, driving for example. But these attackers had 600,000+ computers they could infect, the chose only 20 (at various large businesses) so they could steal from them. They'd have to be pretty stupid to try to infect ccleaner again (with all the scrutiny), they may have already stolen what they wanted (or not) if they attack again it will be in a new an surprising way, maybe similar maybe not. Want a safety net? Wait 4 months after you download something to install it (and scan it before you do). As long as the program has no critical security updates this will give other a chance to check things out first. Of course this doesn't work when a program has a critical security update...
  5. Weird, I wonder would could have garbled / set to deny the NTFS permissions?
  6. I see. I guess since this process signs installers in real time (with user adjustments like install times limits, and installer expiration) more care is needed to re-implement then simply swapping out the key. I wasn't sure if this overlooked since it didn't seem to be documented anywhere.
  7. Thumprint(SHA1) F4BDA9EFA31EF4A8FA3B6BB0BE13862D7B8ED9B0 Serial Number: 4B48B27C8224FE37B17A6A2ED7A81C9F Not Before: Aug 12 00:00:00 2015 GMT Not After : Oct 10 23:59:59 2018 GMT Revocation Status : Revoked on <‎Tuesday, ‎September ‎19, ‎2017> Signing Time: 10/5/2017 11:44 PM agent_installer.msi Signing Time: 9/13/2017 4:30 PM CCleanerCloudAgent.exe 1.7.0.3214 Signing Time: 9/13/2017 4:30 PM CCleanerCloudAgent.exe 1.7.0.3214 Signing Time: 9/13/2017 4:30 PM CCleanerCloudHealthCheck.exe 1.7.0.3214
  8. I wouldn't trust that drive, get your data backed up. It lost 161 sectors (which may or may not have contained something important) and replaced them with spares. There's one sector it can't read right now (not replaced with a spare). And there were (or are) 6 sectors that not only it can't read, it can't even figure out where they are located on the disk surface. This drive should have failed a SMART self test in the past (if one was ever run by the user), and should still fail even now (it will start passing if it reallocates some bad sectors, but that's no reason to start trusting the drive again). The drive has not exceeded the smart thresholds so it's not saying "I've failed" yet. Most bad drives actually fail before they reach that stage. (or are so bad as to be unusable and NEVER reach the stage where they call themselves 'bad')
  9. I'm not sure about the rest of them, but the "Run As Administrator" is doing exactly what one would expect. Every time you run it (not even trying to run as admin) it tries to run as admin, which means it prompts you. The only way to bypass this is the scheduled task (which I think is an option in the program).
  10. For this threat there was little or no distinction between the portable version and the installed version. Since you didn't specific details as to your usage I am making a few guesses. You used the 32-bit version out of the portable package "CCleaner.exe" vs "CCleaner64.exe", you did so before September 16th, you were connected to the internet at the time. Which means it's possible for stage 2.
  11. The registry traces are irrelevant, they only traces left behind by early stage malware action. After the fact they are just traces. Worry about the intruder, don't worry about his footprints. The registry traces don't try to connect to the (offline) malware server, the program itself does. If you didn't leave behind the portable version it isn't still trying to connect to the disabled malware server.
  12. Depends on which version you used, when you used it, and if the computer had an internet connection at the time. Refer back to this rough outline from my previous post: https://forum.piriform.com/index.php?showtopic=48869&page=11&do=findComment&comment=286985 Also an update the second line labeled "Note A1" appears to be improbable. For the portable version you can ignore anywhere it says "installed".
  13. No, I was trying to get direct clear answers about all the files tied to this incident (not just that they were related to this issue, how they were related). I think I have most of my questions answered most of the way as of my last post. I was trying to rule out #2 to some extent and to be clear on which files were affected so one could tell for sure if they were affected. I still wonder a little bit about the auto update prompt getting stuck on even in the free version right before this incident. Anyway, thank you for your time and sorry to bother you with questions I wanted to get very specific answers to but may not have asked you adequate clarity.
  14. It appears that "CCleanerCloudAgent.exe" is the main exe file for that version. But it seems that all 3 of the internal programs that come CCleanerCloud were infected including "CCleanerCloudAgentHealtCheck.exe" and "CCleanerCloudTray.exe". Apparently the payload in the cloud version was created slightly later and was adjusted to run even without administrative privileges. I wonder when the bug that caused all version to prompt to auto-update regardless of the setting (even the free version -- which doesn't auto update) was introduced? SHA256 hash of files I am only wondering about: 0564718B3778D91EFD7A9972E11852E29F88103A10CB8862C285B924BC412013 (tampered -- contains tampered file) -- auto updater even for free version? 0D4F12F4790D2DFEF2D6F3B3BE74062AAD3214CB619071306E98A813A334D7B8 (tampered, contains payload?) 9C205EC7DA1FF84D5AA0A96A0A77B092239C2BB94BCB05DB41680A9A718A01EB (tampered, contains payload?) BEA487B2B0370189677850A9D3F41BA308D0DBD2504CED1E8957308C43AE4913 (tampered, contains payload?) A013538E96CD5D71DD5642D7FDCE053BB63D3134962E2305F47CE4932A0E54AF unclear, probably: (tampered -- contains tampered file) BD1C9D48C3D8A199A33D0B11795FF7346EDF9D0305A666CAA5323D7F43BDCFE9 unclear, probably: (tampered -- contains tampered file) C92ACB88D618C55E865AB29CAAFB991E0A131A676773EF2DA71DC03CC6B8953E unclear, probably: (tampered -- contains tampered file) 7BC0EAF33627B1A9E4FF9F6DD1FA9CA655A98363B69441EFD3D4ED503317804D unclear, probably: (tampered -- contains tampered file) Mostly resolved: 04BED8E35483D50A25AD8CF203E6F157E0F2FE39A762F5FBACD672A3495D6A11 (tampered -- contains tampered file) 2FE8CFEEB601F779209925F83C6248FB4F3BFB3113AC43A3B2633EC9494DCEE0 (tampered -- contains tampered file) 4F8F49E4FC71142036F5788219595308266F06A6A737AC942048B15D8880364A (tampered -- contains tampered file) E338C420D9EDC219B45A81FE0CCF077EF8D62A4BA8330A327C183E4069954CE1 (tampered -- contains tampered file) 3C0BC541EC149E29AFB24720ABC4916906F6A0FA89A83F5CB23AED8F7F1146C3 (tampered -- contains tampered file) A3E619CD619AB8E557C7D1C18FC7EA56EC3DFD13889E3A9919345B78336EFDB2 (tampered -- contains tampered file) :Mostly resolved *resolved*: 1A4A5123D7B2C534CB3E3168F7032CF9EBF38B9A2A97226D0FDB7933CF6030FF (tampered -- contains tampered file, but not known to be otherwise modified) 6F7840C77F99049D788155C1351E1560B62B8AD18AD0E9ADDA8218B9F432F0A9 (tampered, contains payload) 276936C38BD8AE2F26AAB14ABFF115EA04F33F262A04609D77B0874965EF7012 (tampered -- contains tampered file, but not known to be otherwise modified) 36B36EE9515E0A60629D2C722B006B33E543DCE1C8C2611053E0651A0BFDB2E9 (tampered, contains payload) :*resolved* -- these have been answered
  15. If the only file "CCleaner.exe" 32-bit (which we know there are two) was all that was messed with (and ignoring the installers which contain said files), then what is going on with (for example) "CCleanerCloudHealthCheck.exe" which is not an installer, not "CCleaner.exe" 32-bit, and is also in your opinion "bad". "Don't worry, only CCleaner.exe 32-bit is tampered with, if you didn't run it you are fine, there are no other tampered files, well expect for some other files (maybe.. or not) just ignore those."This is the answer I feel I have now, which doesn't seem to close the case.
  16. Only the 32-bit version was tampered, yet multiple files are listed in the blog post. Files one would think are fine and not messed with. Yet they are listed in the blog post and have detections on VT Which is right: CCleaner.exe 32-bit (and installer containing it) Variant A CCleaner.exe 32-bit (and installer containing it) Variant B and possibly some other installers also containing A or B are therefore flagged. OR Other files other than CCleaner.exe 32-bit (excluding installers) are compromised such as: CCleanerCloudHealthCheck.exe 9C205EC7DA1FF84D5AA0A96A0A77B092239C2BB94BCB05DB41680A9A718A01EB
  17. Doesn't pop up a warning if you got to the http (not https) version of the site. Which is what I assume the members of that site are doing since they posted there as recently as yesterday. It's a normal forum with normal users which formerly had an SSL certificate. The certificate lapsed (I guess they didn't need it / too expensive) and they didn't renew it.
  18. I'm not sure why we are afraid of this site more than any other site on the internet. After all it is hosted on the same computer that runs this forum. Which brings me back to my question, what's with that? I mean it's not like they separate virtual instances, it would seem certain that Apache instance hosting both websites has access to the private keys for both of the SSL certificates. This implies that the owner of one fully trusts the other or that there is only one owner.
  19. It seems your hard drive, the port it is plugged into or the power that it is getting, or the disk surface/heads, or the controller card on the drive (pick one or more) are/is totally messed up. You need professional level data recovery services if you want your data back. The messing around you've done with the drive since your first found that it wasn't working may have eliminated any chance that even the pros can get your data back (then again it doesn't look too good to begin with). Common prices for professional data recovery services could be $500 - $5000 USD. Some may offer a "no data recovered no cost" guarantee, other may not. Some professional data recovery services may be more skilled than others and that skill may not necessarily correspond with price (just don't expect one of them to undertake a serious data recovery attempt for $50 involving transferring the "adaptives" calibration data from the chip to another board, replacing all the read/write heads and the preamp and recover all your data guarantee success and no cost for replacement parts) Choice A: give up on your data (or restore from your backup copy) Choice B: use professional data recovery services Choice C: mess around with the drive more (this includes simply leaving it in your computer with power), have virtually no chance of getting any of your data back yourself, and drastically reduce the chances that Choice B will work.
  20. It appears to still be active (aside from the SSL cert expiring): hxxp://beetleforum.net/forums/
  21. It seems to be exactly what I though, your drive's controller card is not reading from the disk and is indicating zero size. That's why when you tried to erase some of the data from drive (which you did in my above quote of you) it was unable to do so because your drive is zero sectors in size. Post a screen shot from your device manager, it should confirm that the controller card on the hard drive is as good as detached from the drive assembly.
  22. That info came from the blog post from avast and a little bit of research about which files(installers) contain which files. My question on that thread was answered. (hurray!) Variant A was the release build, Variant B was a in house test build which is sometimes made. (both were, of course tampered with) "From time to time we build a second set of binaries for testing purposes" All my info comes from official posts, info from talos, or direct first hand info (I have one or more tampered files which are digitally signed by piriform) SHA256 hash of files I am (still) asking about: A013538E96CD5D71DD5642D7FDCE053BB63D3134962E2305F47CE4932A0E54AF BD1C9D48C3D8A199A33D0B11795FF7346EDF9D0305A666CAA5323D7F43BDCFE9 C92ACB88D618C55E865AB29CAAFB991E0A131A676773EF2DA71DC03CC6B8953E 04BED8E35483D50A25AD8CF203E6F157E0F2FE39A762F5FBACD672A3495D6A11 0564718B3778D91EFD7A9972E11852E29F88103A10CB8862C285B924BC412013 2FE8CFEEB601F779209925F83C6248FB4F3BFB3113AC43A3B2633EC9494DCEE0 4F8F49E4FC71142036F5788219595308266F06A6A737AC942048B15D8880364A E338C420D9EDC219B45A81FE0CCF077EF8D62A4BA8330A327C183E4069954CE1 3C0BC541EC149E29AFB24720ABC4916906F6A0FA89A83F5CB23AED8F7F1146C3 7BC0EAF33627B1A9E4FF9F6DD1FA9CA655A98363B69441EFD3D4ED503317804D A3E619CD619AB8E557C7D1C18FC7EA56EC3DFD13889E3A9919345B78336EFDB2 0D4F12F4790D2DFEF2D6F3B3BE74062AAD3214CB619071306E98A813A334D7B8 9C205EC7DA1FF84D5AA0A96A0A77B092239C2BB94BCB05DB41680A9A718A01EB BEA487B2B0370189677850A9D3F41BA308D0DBD2504CED1E8957308C43AE4913 *resolved*: 1A4A5123D7B2C534CB3E3168F7032CF9EBF38B9A2A97226D0FDB7933CF6030FF (tampered -- contains tampered file, but not known to be otherwise modified) 6F7840C77F99049D788155C1351E1560B62B8AD18AD0E9ADDA8218B9F432F0A9 (tampered) 276936C38BD8AE2F26AAB14ABFF115EA04F33F262A04609D77B0874965EF7012 (tampered -- contains tampered file, but not known to be otherwise modified) 36B36EE9515E0A60629D2C722B006B33E543DCE1C8C2611053E0651A0BFDB2E9 (tampered) :*resolved* -- these have been answered
  23. Yea, the SSL cert is expired, not really a shocking concern. Also that website is hosted on the same IP as this forum and this forum website is handing out that cert (which your browser ignores because it also gives a valid cert). It's hosted (more or less) at piriform, so I wasn't thinking it was unsafe.
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.