Jump to content


Experienced Members
  • Posts

  • Joined

  • Last visited

Posts posted by NonConvergentWaveform

  1. I didn't mean for post 279 to sound as sarcastic as it does when I re-read it. 

    It as a pitiable attempt at humor.  Someday I'll learn . . .


    Anyway, maybe "1st Question ..." is asking how to calculate hash sums?

    Great software for calculating hash sums offline is Nirsoft's Hash My Files. Free, no installation, fast. 

    7-zip can do it in the context menu (does SHA-1 and SHA-256, but not md5 -- but who uses md5 any more these days?)

    Sigcheck from sysinternals can also do it (command line only). It also does a better job of checking digital signatures than the windows interface.

  2. Thank you, but i'm not forced to run it as administrator if I want to use Ccleaner, I can normally double click and it runs the program under my user session, though, if I do that, my user don't have enough right to modify the on-start programs,  same for your method since it doesn't give admin privilege ? . And if I want to have the proper rights, i need to run as admin and then the only thing i can manage is the on-start programs of my admin session .

    Ok, I understand now. It won't let you mange load on start commands specific to your account (which you should have control over as a non-admin) and when it makes you elevate to admin (run as another user) it no longer shows start up items specific to your account.


    You should have enough rights to manage almost everything that only loads under your account, but ccleaner (wrongly?) assumes you don't and makes you run as admin (elevate).


    Can you post some screenshots of this?

  3. Open a command prompt like you were going to launch the program from the command line. Run this command:


    Then try to run CCleaner via that command prompt window. This will suppress it from trying to run as admin. I have not tried this my self for ccleaner but it has worked for other programs.

  4. So, it's still not 100% safe

    Nothing is, driving for example. But these attackers had 600,000+ computers they could infect, the chose only 20 (at various large businesses) so they could steal from them. They'd have to be pretty stupid to try to infect ccleaner again (with all the scrutiny), they may have already stolen what they wanted (or not) if they attack again it will be in a new an surprising way, maybe similar maybe not.


    Want a safety net? Wait 4 months after you download something to install it (and scan it before you do). As long as the program has no critical security updates this will give other a chance to check things out first. Of course this doesn't work when a program has a critical security update...

  5. I had the same issue.. 


    Windows 10 Creators 1703  Avast (nothing in Virus Chest or Exclude or Include for anything in anything Avast) but still no Desktop Icon..


    Went into shortcut Properties to update icon got an error..  You do NOT have permission to access this file.. 


    So here are the steps I took to fix.

    1. Open Explorer and went to c:\program files\
    2. Right clicked on CCleaner folder, selected Properties
    3. Click on Security Tab, then Advanced button.
    4. In the Advanced Security Settings window clicked on Change permissions button.
    5. Checked the box labeled, Replace all Child object permission entries with inheritable permission entries from this object.
    6. clicked Apply button
    7. then click OK button.


    Icon appeared correctly instantly..



    Weird, I wonder would could have garbled / set to deny the NTFS permissions?

  6. Hi NonConvergentWaveform,


    We are working as fast as we can to replace this. We have rebuilt the build infrastructure and have updated our build signing process to be more secure. We are currently doing final testing on a version built using this new infrastructure that will replace these certificates and we expect it to be released as early as next week.

    I see. I guess since this process signs installers in real time (with user adjustments like install times limits, and installer expiration) more care is needed to re-implement then simply swapping out the key. I wasn't sure if this overlooked since it didn't seem to be documented anywhere.

  7. Thumprint(SHA1) F4BDA9EFA31EF4A8FA3B6BB0BE13862D7B8ED9B0
    Serial Number:  4B48B27C8224FE37B17A6A2ED7A81C9F


    Not Before: Aug 12 00:00:00 2015 GMT
    Not After : Oct 10 23:59:59 2018 GMT


    Revocation Status : Revoked on <‎Tuesday, ‎September ‎19, ‎2017>


    Signing Time: 10/5/2017 11:44 PM



    Signing Time:  9/13/2017 4:30 PM



    Signing Time:  9/13/2017 4:30 PM



    Signing Time:  9/13/2017 4:30 PM


  8. I have a drive where Speccy gives a SMART Warning, but every individual value is marked as good.


    However, when I run HDSCan, it reports a yellow exclamation for the following (the numbers correspond to Speccy's numerical columns. the first value, the real value and the last value being the raw value)

    05 Reallocation Sector Count 161, 238, 237, 63, A1

    C4 Reallocation Event Count 2, 251, 251, 0, 2 

    Uncorrectable Errors Count.1, 252, 252, 0, 1


    Here is a screenshot, https://ibb.co/bsWDJw

    I wouldn't trust that drive, get your data backed up.

    It lost 161 sectors (which may or may not have contained something important) and replaced them with spares.

    There's one sector it can't read right now (not replaced with a spare).

    And there were (or are) 6 sectors that not only it can't read, it can't even figure out where they are located on the disk surface.


    This drive should have failed a SMART self test in the past (if one was ever run by the user), and should still fail even now (it will start passing if it reallocates some bad sectors, but that's no reason to start trusting the drive again).

    The drive has not exceeded the smart thresholds so it's not saying "I've failed" yet. Most bad drives actually fail before they reach that stage. (or are so bad as to be unusable and NEVER reach the stage where they call themselves 'bad')


    First, my info:

    • CCleaner Professional v5.35.6210 (64-bit)
    • Win10 64-bit
    • AMD Athlon II X4 640 Processor
    • 8.0GB RAM
    • AMD Radeon HD 5670


    I have several problems that are probably related:

    • Even though I have gone into properties and told CCleaner to Run As Administrator, I get the UAC window popping up when I start it.
    • In Options/Scheduling I have set CCleaner to run weekly every Tuesday at 3:22AM, but the scheduled run never occurs.
    • CCleaner never empties the Recycle Bin.
    • CCleaner does not automatically update when a new version is available. In Options/Settings I have checked the boxes for run at startup, automatically check for new versions (with silent background updates), none of that is happening.
    • In Options/Monitoring I have enabled system monitoring, and those popups DO happen.



    I'm not sure about the rest of them, but the "Run As Administrator" is doing exactly what one would expect. Every time you run it (not even trying to run as admin) it tries to run as admin, which means it prompts you. The only way to bypass this is the scheduled task (which I think is an option in the program).

  10. Thanks NonConvergentWaveform. That was really the essence of my question. I'm not as worried about the past intrusion because there was nothing on there, but am worried about whether there might be any potential ongoing issues once private data starts being added to a computer. Basically, having used the portable version, is there any residual, ongoing threat still on the computers?

    For this threat there was little or no distinction between the portable version and the installed version.


    Since you didn't specific details as to your usage I am making a few guesses. You used the 32-bit version out of the portable package "CCleaner.exe" vs "CCleaner64.exe", you did so before September 16th, you were connected to the internet at the time. Which means it's possible for stage 2.


    If Stage 2 possible:

    The attackers probably decided not to infect your computer. They had the option to infect you, but they passed. (this info comes from the attacker's captured server, info could have been tampered with)

    For those few machines that were given the stage 2 infection, this malware could have taken any action(s), including downloading more malware, stealing info, and/or deleting all traces of infection. (leaving nothing to find later)

  11. Thanks for your repsonse Nergal, and the video. So just to confirm your conclusion, it is the running of CCleaner.exe process that places the registry markers, not the installation process? So just running the portable version would have left behind some entries in the registry, that would still be there (albeit now pinging a server that is no longer active)?

    The registry traces are irrelevant, they only traces left behind by early stage malware action. After the fact they are just traces. Worry about the intruder, don't worry about his footprints.


    The registry traces don't try to connect to the (offline) malware server, the program itself does. If you didn't leave behind the portable version it isn't still trying to connect to the disabled malware server.

  12. I'm not a frequent user of CCleaner, but recently (I think) used an infected portable version from a USB stick when setting up some laptops for an overseas school. They are now in a remote location so it's not super simple to check the impact, but just wanted to ask an initial question here. I understand that the portable version was affected, but does that mean it installed anything locally, or would it just have gathered information while running and then stopped? i.e. did it subversively change any registry values while running, or is the malware effectively 'portable' like the version of CCleaner, so that once it's closed, nothing more happens? Hope that makes sense. Because they were basically new when cleaned and still generic, I'm not really that concerned about any personal data being gathered, because there really wasn't any, but need to find out if I should proceed with further cleaning to prevent future issues, or whether instead there is nothing residual on there because I used the portable version? 'Cleaning' now is complicated by location and language. If has to be done, so be it, but maybe isn't necessary because I used the portable version? 


    Depends on which version you used, when you used it, and if the computer had an internet connection at the time.


    Refer back to this rough outline from my previous post:



    Also an update the second line labeled "Note A1" appears to be improbable.


    For the portable version you can ignore anywhere it says "installed".

  13. Wellll, I think maybe the OP has three possible agendas. 


    1. To appear clever by asking questions which seem clever,


    2. To continue to promote the idea that malicious files are floating around unidentified,


    3. To continue to control the attention of forum members and readers and moderators.  


    Neither of the three is likely to succeed. 

    1. Asking the same questions repeatedly is a waste of time.  Same for quarreling with the answers.

    2. Piriform & Avast have posted much information about this event.  Very technical explanations are available for any who search.

    3. Unless something important develops I shall retire from this topic.

    No, I was trying to get direct clear answers about all the files tied to this incident (not just that they were related to this issue, how they were related). I think I have most of my questions answered most of the way as of my last post. I was trying to rule out #2 to some extent and to be clear on which files were affected so one could tell for sure if they were affected.


    I still wonder a little bit about the auto update prompt getting stuck on even in the free version right before this incident.


    Anyway, thank you for your time and sorry to bother you with questions I wanted to get very specific answers to but may not have asked you adequate clarity.

  14. It is the case though. Where do you see ccleanercloudhealthcheck.exe is flagged as virus. Where did you even get that file if you aren't using ccleaner cloud. It was announced that the cloud version of the time was infected, idk if the file ccleaner.exe is the same or different for cloud but both of those were infected, as we've constantly stated

    It appears that "CCleanerCloudAgent.exe" is the main exe file for that version. But it seems that all 3 of the internal programs that come CCleanerCloud were infected including "CCleanerCloudAgentHealtCheck.exe" and "CCleanerCloudTray.exe". Apparently the payload in the cloud version was created slightly later and was adjusted to run even without administrative privileges.


    I wonder when the bug that caused all version to prompt to auto-update regardless of the setting (even the free version -- which doesn't auto update) was introduced?


    SHA256 hash of files I am only wondering about:
    0564718B3778D91EFD7A9972E11852E29F88103A10CB8862C285B924BC412013 (tampered -- contains tampered file) -- auto updater even for free version?
    0D4F12F4790D2DFEF2D6F3B3BE74062AAD3214CB619071306E98A813A334D7B8 (tampered, contains payload?)
    9C205EC7DA1FF84D5AA0A96A0A77B092239C2BB94BCB05DB41680A9A718A01EB (tampered, contains payload?)
    BEA487B2B0370189677850A9D3F41BA308D0DBD2504CED1E8957308C43AE4913 (tampered, contains payload?)
    A013538E96CD5D71DD5642D7FDCE053BB63D3134962E2305F47CE4932A0E54AF unclear, probably: (tampered -- contains tampered file)
    BD1C9D48C3D8A199A33D0B11795FF7346EDF9D0305A666CAA5323D7F43BDCFE9 unclear, probably: (tampered -- contains tampered file)
    C92ACB88D618C55E865AB29CAAFB991E0A131A676773EF2DA71DC03CC6B8953E unclear, probably: (tampered -- contains tampered file)
    7BC0EAF33627B1A9E4FF9F6DD1FA9CA655A98363B69441EFD3D4ED503317804D unclear, probably: (tampered -- contains tampered file)
    Mostly resolved:
    04BED8E35483D50A25AD8CF203E6F157E0F2FE39A762F5FBACD672A3495D6A11 (tampered -- contains tampered file)
    2FE8CFEEB601F779209925F83C6248FB4F3BFB3113AC43A3B2633EC9494DCEE0 (tampered -- contains tampered file)
    4F8F49E4FC71142036F5788219595308266F06A6A737AC942048B15D8880364A (tampered -- contains tampered file)
    E338C420D9EDC219B45A81FE0CCF077EF8D62A4BA8330A327C183E4069954CE1 (tampered -- contains tampered file)
    3C0BC541EC149E29AFB24720ABC4916906F6A0FA89A83F5CB23AED8F7F1146C3 (tampered -- contains tampered file)
    A3E619CD619AB8E557C7D1C18FC7EA56EC3DFD13889E3A9919345B78336EFDB2 (tampered -- contains tampered file)
    :Mostly resolved
    1A4A5123D7B2C534CB3E3168F7032CF9EBF38B9A2A97226D0FDB7933CF6030FF (tampered -- contains tampered file, but not known to be otherwise modified)
    6F7840C77F99049D788155C1351E1560B62B8AD18AD0E9ADDA8218B9F432F0A9 (tampered, contains payload)
    276936C38BD8AE2F26AAB14ABFF115EA04F33F262A04609D77B0874965EF7012 (tampered -- contains tampered file, but not known to be otherwise modified)
    36B36EE9515E0A60629D2C722B006B33E543DCE1C8C2611053E0651A0BFDB2E9 (tampered, contains payload)
    :*resolved* -- these have been answered
  15. Hi, NonConvergentWaveform.

    All the questions in your post #14 are already answered, as I think you already know.


    The questions about Variant A & Variant B were answered in a post you started, read, and acknowledged here:

    The question about CCleanerCloudHealthCheck was answered in post #9 above. 


    As far as the existence of "Files one would think are fine and not messed with" that issue is rendered moot by the information you have already read. 

    In other words, it doesn't matter a whit what one thinks.  If Virustotal says a file is bad it is.  If a virus checker flags it, it is bad.


    I tell my friends and family this.  For any other files in question, perform a malware check using a quality antivirus, or a quality online scanner, or go here and read item #10:

    I don't work for Piriform, or Avast, but I have some time available, so have followed this pretty closely. 

    I think it's time to realize that this malware has been brought under control. 

    These folks have been remarkably open and above board about it. 

    Any suggestion that there are other malicious files floating around is not supported by presently available evidence. 


    EDIT 05 Oct 17: 

    Should make it clear that my comments do not apply to the big organizations like Microsoft & Cisco that may have been target by later stages of this malware.  Those folks have been contacted by Piriform & Avast to make sure they are OK.



    If the only file "CCleaner.exe" 32-bit (which we know there are two) was all that was messed with (and ignoring the installers which contain said files), then what is going on with (for example) "CCleanerCloudHealthCheck.exe" which is not an installer, not "CCleaner.exe" 32-bit, and is also in your opinion "bad".

    • "Don't worry, only CCleaner.exe 32-bit is tampered with, if you didn't run it you are fine, there are no other tampered files, well expect for some other files (maybe.. or not) just ignore those."

    This is the answer I feel I have now, which doesn't seem to close the case.

  16. All those hashes listed in post #12 are listed, identified, and classified in the Avast blog linked in post #9. 


    All except one give a result on Virustotal, that one has no matches just now. 


    What other information do you seek? 


    Only the 32-bit version was tampered, yet multiple files are listed in the blog post. Files one would think are fine and not messed with. Yet they are listed in the blog post and have detections on VT


    Which is right:


    CCleaner.exe 32-bit (and installer containing it) Variant A

    CCleaner.exe 32-bit (and installer containing it) Variant B

    and possibly some other installers also containing A or B are therefore flagged.




    Other files other than CCleaner.exe 32-bit (excluding installers) are compromised such as:



  17. Way too technical for me. I just know if a site pops a warning I don't go there.  :)

    Doesn't pop up a warning if you got to the http (not https) version of the site. Which is what I assume the members of that site are doing since they posted there as recently as yesterday.


    It's a normal forum with normal users which formerly had an SSL certificate. The certificate lapsed (I guess they didn't need it / too expensive) and they didn't renew it.

  18. Please follow suite and write the url with hxxp, thanks.

    I'm not sure why we are afraid of this site more than any other site on the internet. After all it is hosted on the same computer that runs this forum.


    Which brings me back to my question, what's with that? I mean it's not like they separate virtual instances, it would seem certain that Apache instance hosting both websites has access to the private keys for both of the SSL certificates. This implies that the owner of one fully trusts the other or that there is only one owner.

  19. It seems your hard drive, the port it is plugged into or the power that it is getting, or the disk surface/heads, or the controller card on the drive (pick one or more) are/is totally messed up. You need professional level data recovery services if you want your data back. The messing around you've done with the drive since your first found that it wasn't working may have eliminated any chance that even the pros can get your data back (then again it doesn't look too good to begin with).


    Common prices for professional data recovery services could be $500 - $5000 USD. Some may offer a "no data recovered no cost" guarantee, other may not. Some professional data recovery services may be more skilled than others and that skill may not necessarily correspond with price (just don't expect one of them to undertake a serious data recovery attempt for $50 involving transferring the "adaptives" calibration data from the chip to another board, replacing all the read/write heads and the preamp and recover all your data guarantee success and no cost for replacement parts)


    • Choice A: give up on your data (or restore from your backup copy)
    • Choice B: use professional data recovery services
    • Choice C: mess around with the drive more (this includes simply leaving it in your computer with power), have virtually no chance of getting any of your data back yourself, and drastically reduce the chances that Choice B will work.

    Nope it's hosted on Invision the owner of the php that builds the forum. I guess beetle probably was on the ip address before piriform.

    It appears to still be active (aside from the SSL cert expiring):



  21. I got this when initializing an MBR:




    And this initializing GPT:






    In Device Manager, I have Unknown device under Disk Drives. My options are Update driver, Disable device, or Uninstall device.



    There may be a options here using  "the free version of 'Partition Find and Mount' which let me mount the drive read only."

    It seems to be exactly what I though, your drive's controller card is not reading from the disk and is indicating zero size. That's why when you tried to erase some of the data from drive (which you did in my above quote of you) it was unable to do so because your drive is zero sectors in size. Post a screen shot from your device manager, it should confirm that the controller card on the hard drive is as good as detached from the drive assembly.

  22. Sorry I should have been more clear. The info is for the two uploads (the two installers posted within minutes of each other) in his other thread. This Is why one thread is better than three.

    That info came from the blog post from avast and a little bit of research about which files(installers) contain which files. My question on that thread was answered. (hurray!)


    Variant A was the release build, Variant B was a in house test build which is sometimes made. (both were, of course tampered with)

     "From time to time we build a second set of binaries for testing purposes"


    All my info comes from official posts, info from talos, or direct first hand info (I have one or more tampered files which are digitally signed by piriform)


    SHA256 hash of files I am (still) asking about:
    1A4A5123D7B2C534CB3E3168F7032CF9EBF38B9A2A97226D0FDB7933CF6030FF (tampered -- contains tampered file, but not known to be otherwise modified)
    6F7840C77F99049D788155C1351E1560B62B8AD18AD0E9ADDA8218B9F432F0A9 (tampered)
    276936C38BD8AE2F26AAB14ABFF115EA04F33F262A04609D77B0874965EF7012 (tampered -- contains tampered file, but not known to be otherwise modified)
    36B36EE9515E0A60629D2C722B006B33E543DCE1C8C2611053E0651A0BFDB2E9 (tampered)
    :*resolved* -- these have been answered
  23. Be careful.  When I click on that link in post #11, it pops a warning for insecure connection.  Imho it should not be a live link. 

    Yea, the SSL cert is expired, not really a shocking concern. Also that website is hosted on the same IP as this forum and this forum website is handing out that cert (which your browser ignores because it also gives a valid cert).


    It's hosted (more or less) at piriform, so I wasn't thinking it was unsafe.

  • Create New...

Important Information

By using this site, you agree to our Terms of Use.