#16
Hackers hid malware in CCleaner software
On Mon, 18 Sep 2017 21:48:23 -0400, "Mayayana" wrote:
| I don't use those either, so I don't know. I would *not* recommend
| Malwarebytes without a big grain of salt. I guess if I were in that boat
| I'd look up online to find the specifics of the infestation.

However Malwarebytes did catch the CCleaner infection on my system. Avast did not.

__
Someone who thinks logically provides a nice contrast to the real world. (Anonymous)
#17
Hackers hid malware in CCleaner software
"Blake Snyder" wrote
| I don't know if cleaning the registry is a scam, and, I've never seen a
| problem that I could attribute to the cleaning of the registry.
|
| But I have seen *plenty* of left-over registry entries after uninstalling a
| program which are cleaned by CCleaner.
|
| Do those leftover registry entries cause harm.
| I can't say.
|

You can research it for yourself. Start Regmon or Procmon. Then start IE. On my system, IE will make over 5,000 Registry reads in about 1 second. (I don't know why. Microsoft seem to do that deliberately to obfuscate the relevant reads. That's the only reason I can think of.)

So the Registry is incredibly fast. Cleaners generally target 2 categories: Leftover software entries, like you mentioned, and HKCR\CLSID keys.

An example of the first might be that Acme Editor gets uninstalled and settings stay there. That's typical. In case you decide to install it again your preferences would still be intact. So you have some settings under HKCU\Software\Acme Software\Acme Editor\ That adds a few bytes to the Registry and does no harm. Since it's an Acme Software key, no other software is affected by the settings.

An example of the second case might be a program with a bad uninstaller that uninstalled their Acme123.dll COM library but didn't unregister it. So there are keys like HKCR\CLSID\{a1b2.....}\ and HKCR\AcmeLib.Ops. Those are the keys that allow the COM library to be accessed. With the library gone they're "orphan" entries. But since no other program is going to use AcmeLib, the entries do no harm. The worst that might happen, which is still very unlikely, would be that you'd see a message like, "Unable to create object" when a program tries to access AcmeLib. But you'd see an error message anyway, in that case, because the DLL is gone. You might just get a crash instead of the "unable to create object" message. Either way, the Registry entry won't matter.

The best analogy I can think of is that you have a gigantic attic, full of stored stuff, and you hire a teenager to clean up. The teenager finds 2 incomplete decks of cards and a broken broomstick to throw away. You feel satisfied. But nothing useful has been done in the attic. You don't actually have more space. It won't be any easier or faster when you want to find something. And what if the teenager broke something, or left behind a fire hazard?

If it really bugs you to have leftover settings in the Registry it's easy to remove the software settings. Just open Regedit to HKCU\Software\. Each subkey is a company. You can delete the Acme Editor key. Either way, anything that actually needs to access the Registry is going to be doing it in the range of milliseconds, regardless of whether your Registry is 20 MB or 20 MB + 30 KB of unnecessary data.

| I use it mostly as my front end uninstaller.
|
| It removes a lot of the BHOs and other hijacked autostarters.
|
| | It sounds like you install a lot of dubious stuff.
|
| I'm way better than most people so I doubt I install "dubious" stuff.
| You forget I know as much as you do about many things.
| Nonetheless, I do use exclusively freeware - but only the best.
....
| I probably led you astray with the letters BHO which, I agree, are specific
| to browsers where anyone who gets a BHO is an idiot - so I see where you
| got the idea that I install dubious software.

I'm not making any assumption about how much you know. But if you regularly have to clean up bad installs then something is wrong.

I chimed in because the whole category of "cleaning" is mostly a scam industry and people don't realize it. It's like drain cleaners, or gas tank conditioners, or dryer sheets, or bottled water, or air fresheners, or gluten-free yogurt, or life-extending quinoa magic, or any of the other myriad nonsense that gets marketed: You're lucky if they do no harm. They will not do any real good. (Though I guess quinoa is edible and reasonably nutritious, if you don't mind starving Peruvian peasants resulting from you being willing to pay through the nose for magic starch.)

I explained the details of the Registry above so that anyone can check for themselves.

I agree that a lot of decent software nevertheless tries to autostart things. HP printers are a good example. iTunes is especially sleazy. Even 7-Zip does things without asking. But all of that can be safely controlled via Autoruns. That includes context menu add-ons, which are under the Shell Extensions section. Autoruns also lets you find out where things are, so you can delete EXEs if desired. And as you may know, Autoruns and the Sysinternals tools were originally written by Mark Russinovich, a top Windows programmer who then went to work for MS and left them in charge of Sysinternals. So they're dependable programs.

You might have to watch installs to make sure you don't agree to junk toolbars and such. (Maybe that's what you had in mind with BHOs?) But aside from that, any reputable software shouldn't be installing extra items.

| The US gov just deprecated Kaspersky by the way.
| I'm not sure what the threat is though.
|

I haven't followed that closely, but I think the idea was that they think Kaspersky is working as a spy company for Russia.
#18
Hackers hid malware in CCleaner software
On Tue, 19 Sep 2017 09:54:58 -0400, in news Mayayana wrote:
| You can research it for yourself. Start Regmon or Procmon. Then start IE.
| On my system, IE will make over 5,000 Registry reads in about 1 second.
| (I don't know why. Microsoft seem to do that deliberately to obfuscate
| the relevant reads. That's the only reason I can think of.)

Hi Mayayana,

I've been around for decades, so I'm fully aware of the huge number of registry entries that Microsoft products create. In Win95 days I used to actually move the Microsoft Office installation by modifying every key in the registry left after using COA (which didn't get everything). I gave up on that approach of trying to put Microsoft stuff where it belongs, but I'm as familiar with the huge clutter in the registry as you are.

I'm only debating with you that the CCleaner registry cleaner is a "scam". I have been using the CCleaner registry cleaner for so long that I can't even say how many years it has been. Probably since I first heard about CCleaner, and never once have I seen it be a problem that I could attribute to me cleaning the registry. That's all I'm saying. Does it clean the registry? Yes. Is it a scam? I don't know.

| So the Registry is incredibly fast. Cleaners generally target 2 categories:
| Leftover software entries, like you mentioned, and HKCR\CLSID keys.

I often move things to where I think they belong, where CCleaner noticed that I didn't do the job right.

| An example of the first might be that Acme Editor gets uninstalled and
| settings stay there. That's typical. In case you decide to install it
| again your preferences would still be intact. So you have some settings
| under HKCU\Software\Acme Software\Acme Editor\

Yup. Lots of stuff is left over after an uninstall. I prefer to remove it all. You may not. But that doesn't make a CCleaner approach a scam.

| That adds a few bytes to the Registry and does no harm. Since it's an
| Acme Software key, no other software is affected by the settings.

I get your point that if someone thinks that cleaning the registry of old entries is going to "speed up" their system, it's not. I get that. But that doesn't make registry cleaning a scam. I keep a clean desktop. I keep a clean file system. I keep a clean office. And a clean kitchen. My garage is clean and my car is clean. Why shouldn't my registry be clean? It's not a scam to want a clean registry any more than it's a scam to want a clean kitchen.

| An example of the second case might be a program with a bad uninstaller
| that uninstalled their Acme123.dll COM library but didn't unregister it.
| So there are keys like HKCR\CLSID\{a1b2.....}\ and HKCR\AcmeLib.Ops.
| Those are the keys that allow the COM library to be accessed. With the
| library gone they're "orphan" entries. But since no other program is
| going to use AcmeLib, the entries do no harm.

I get that Microsoft has a counter for any shared DLL that is counted down somehow in the registry where that counter "can" get screwed up. Presumably CCleaner handles that, where the presence of the extraneous DLL isn't a big deal (however, again, it's not "clean"). Just as I clean my silverware after using it, I see nothing wrong with cleaning out DLLs that are no longer needed. Again, I'm only responding to the issue of CCleaner being a "scam", where I think it does something valuable in that it keeps the operating system a bit cleaner than it would have been otherwise. Is CCleaner a panacea? Nope.

| The worst that might happen, which is still very unlikely, would be that
| you'd see a message like, "Unable to create object" when a program tries
| to access AcmeLib. But you'd see an error message anyway, in that case,
| because the DLL is gone. You might just get a crash instead of the
| "unable to create object" message. Either way, the Registry entry won't
| matter.

I don't disagree. It's just that I like to keep my system clean. I put all four of the MS default temp directories in one hierarchy. And I keep a fifth temp directory just for my own personal use. Is that necessary? Nope. Is it clean? Yes.

| The best analogy I can think of is that you have a gigantic attic, full of
| stored stuff, and you hire a teenager to clean up. The teenager finds 2
| incomplete decks of cards and a broken broomstick to throw away. You feel
| satisfied. But nothing useful has been done in the attic. You don't
| actually have more space. It won't be any easier or faster when you want
| to find something. And what if the teenager broke something, or left
| behind a fire hazard?

You make a very good point here, but that's not the same as calling CCleaner a "scam". While CCleaner certainly can break something, I don't think it has ever broken anything that I can remember in all the years I have been using it (where I check most of the boxes, even the ones not on by default, and I don't make backups, and I turn off the nag messages too). Your point is valid that CCleaner doesn't make the system faster. Your point is valid that CCleaner can screw something up. But your point that CCleaner is a scam is not valid. It's just one way to keep the system a tiny bit cleaner (IMHO). That has esthetic value, if no other value is found for a clean toolbox.

| If it really bugs you to have leftover settings in the Registry it's easy
| to remove the software settings. Just open Regedit to HKCU\Software\.
| Each subkey is a company. You can delete the Acme Editor key. Either way,
| anything that actually needs to access the Registry is going to be doing
| it in the range of milliseconds, regardless of whether your Registry is
| 20 MB or 20 MB + 30 KB of unnecessary data.

There are a gazillion keys that CCleaner cleans up, and it's not only in HKCU\Software that it does it. Nonetheless, I have messed with the registry since Win95 days and I gave up on manual edits except to key variables (such as the %temp% variables and the %program files% and other key variables). I am only saying that CCleaner has its place. The last time I manually updated it was when I moved to Windows 10, and it seems to work just fine for me.

| I'm not making any assumption about how much you know. But if you
| regularly have to clean up bad installs then something is wrong.

Oh. Mayayana. You don't know what you just said. Do you realize how many bad installers are out there? As just one example, do you know that you can 'tell' Apple's iTunes to go to C:\mystuff\apple-crap\iTunes and it will go there, but almost nothing else of the tons of bloatware that follows (e.g., Bonjour for one) will go there (Quicktime used to be added also, along with tons of other crapware). Now I gave up on iTunes so long ago that I don't remember when, but that's just the canonical example of bad bloatware installers. So many things don't go where you tell them to go that it's not funny. Don't even get me started on HP printer software not going where it belongs, or Oracle programs, or Nvidia drivers, or anything from Microsoft. It seems the bigger the company, the more misbehaved the installer.

| I chimed in because the whole category of "cleaning" is mostly a scam
| industry and people don't realize it.

Mayayana, I respect your judgement and I, myself, know a scam when I see it. There are LOTS of scams revolving around the fact that most people are afraid of malware so they install all sorts of what turns out to be malware to reputedly get rid of the malware. I'm sure you can rattle off a huge list of such things as easily as I can. But I don't consider CCleaner to be malware. Is it scamware? I don't think so. It's not a panacea. But it cleans "stuff" out that I would have to clean on my own.

About the only time I think it "screws up" is that I have this sneaking suspicion that a reboot is necessary after many program uninstalls, where if I run the reboot, I think there are registry actions that occur. However, if I don't run the reboot, then CCleaner may (perhaps) clean out those registry entries which the uninstaller put there, with the result that the uninstall actions won't occur. Did I explain that problem well enough for you to understand, or do you think that's wrong that some programs when uninstalled leave registry 'actions' on purpose, which only run when you reboot? If CCleaner removes them, they might not run. Hence, in *that* case, CCleaner would 'screw up'. Does that make sense?

| It's like drain cleaners, or gas tank conditioners, or dryer sheets, or
| bottled water, or air fresheners, or gluten-free yogurt, or life-extending
| quinoa magic, or any of the other myriad nonsense that gets marketed:

True dat. Seafoam. Marvel Mystery Oil. WD-40. Lots of people want a "miracle in a can". I agree with your point that, to some people, CCleaner may appear to be a miracle in a can. It's not. But it's like MAF cleaner in that it's a bit better than cleaning your MAF by hand.

| You're lucky if they do no harm. They will not do any real good.

I think you have two levels of "good".
a. Miracle cure good
b. Simple cleaning good
I think CCleaner does clean stuff out that you'd have to clean out manually if you didn't use CCleaner (e.g., recent docs). I don't think CCleaner is a miracle cure, but I don't think it's a scam either.

| I agree that a lot of decent software nevertheless tries to autostart
| things. HP printers are a good example.

OMG. Do not get me started on HP printers! It has been YEARS that I've been trying to get rid of some HP software on my computer. The only way is to flush the operating system and start over. Sigh. (Please don't get me started on HP.)

| iTunes is especially sleazy.

OMG. You know EXACTLY how to make me wince! I know all about iTunes and I never want to see it again. Ever. I have iOS and Android where there is never a need for iTunes crap. Let's not go there or we'll drive the others nuts.

| Even 7-Zip does things without asking.

Most programs (e.g., glasswire, filezilla, etc.) phone home, which is a bitch, I agree. But what does 7-zip do? Let me check my 7-zip log file. OK. Just checked. Here's what my manual log file said about 7-zip:
.. It's useful to open up Microsoft IMG files (e.g., MS Office)
.. The Microsoft IMG is sort of a zip, which 7zip unzips.
.. It also opens zip, cab, iso, and other files.
.. The 7zip installer does not seem to phone home
.. It installs super quickly.
.. But it only puts an icon in the "Program" folder.
.. So copy "7-Zip File Manager" to your cascaded menu.
.. And change the target to where you actually put the software
.. The program has a checkbox for adding 7zip to the context menus.
.. If that checkbox is on, make sure you turn it off.
That's all I noticed but I only used 7-zip to extract MS Office image files (which are sort of kind of but not really iso files).

| But all of that can be safely controlled via Autoruns. That includes
| context menu add-ons, which are under the Shell Extensions section.
| Autoruns also lets you find out where things are, so you can delete EXEs
| if desired. And as you may know, Autoruns and the Sysinternals tools were
| originally written by Mark Russinovich, a top Windows programmer who then
| went to work for MS and left them in charge of Sysinternals. So they're
| dependable programs.

I read PC Magazine just like you did in the COA and Process Explorer days so I'm familiar with Russinovich (as is almost everyone on Windows). I don't have "autoruns" though in my software hierarchy.
https://docs.microsoft.com/en-us/sysinternals/
https://docs.microsoft.com/en-us/sys...loads/autoruns
I downloaded and extracted the zip file and put that zip file where it belongs and then created shortcuts to autoruns.lnk and then ran it. After the EULA, it popped up a window with literally over a score of tabs, each containing a page of checkbox information, which I'll have to weed through. Thanks.

This Autoruns seems like a good program for weeding out auto run stuff because LOTS of my entries say "File Not Found" (for example, Google Chrome stuff, which I don't have anymore, and WinMail stuff, which I don't even know what it is, and Windows Media Player stuff, again, which I don't even have on my system to my knowledge, etc.).

| You might have to watch installs to make sure you don't agree to junk
| toolbars and such. (Maybe that's what you had in mind with BHOs?) But
| aside from that, any reputable software shouldn't be installing extra
| items.

I am as tuned as you are, Mayayana, to junk installs. I circumvent that by a few methods, one of which is I only use the absolute best freeware most of the time (although sometimes I have to test freeware to figure out what is the best). One method which is so easy I do it on every install is I disconnect the network before clicking on any installer. Another method is that I ALWAYS use the custom install (never once do I not!) mainly because I don't put anything in any idiotic program files directory (for lots of good reasons). I also keep a log of EVERY installation, so that I know what mistakes I made (since they always catch you on something), particularly which ones phone home and which ones have settings to stop that and which I have to use the HOSTS file for (yes, I know you love Acrylic DNS which I'll install some day). I disagree that "reputable software won't install extra items". I think even CCleaner now adds stuff, does it not? Also Flash (we can debate if that's reputable) habitually tries to foist McAfee on us. I think what happens is that reputable freeware starts adding stuff which doesn't make it disreputable as long as it's obvious and easily blocked. Of course, non-reputable freeware is the worst - but nobody uses that who has his mind in the right place (e.g., the billion screenshot programs out there by way of example - none of which are needed).

| | The US gov just deprecated Kaspersky by the way.
| | I'm not sure what the threat is though.
|
| I haven't followed that closely, but I think the idea was that they think
| Kaspersky is working as a spy company for Russia.

I have been in the software industry for decades, and I also have studied history my entire life. One simple example is that even the elevator operator in the main French newspaper at the start of WWII was a German spy. It cost the Germans nothing to pay this guy to be a "sleeper" when all he needed to do was round up the journalists after the Germans took over Paris. The point is that sleepers exist in every single software company on this planet. Sleepers from all countries. That means both friend and foe. While I don't always trust my government to do the right thing, I "assume" that they know what they're doing with Kaspersky, so I will avoid it (I never saw its value anyway so that's easy to do). The problem is that probably all our firmware and software companies have sleepers since it's dirt cheap to employ them (Hint: China has a billion people to spare so what is it to them to sprinkle a sleeper in every software and hardware company on this planet?) My point is that all software is (likely) compromised. The best bet is, for obvious reasons, open source software, but as heartbleed showed, even that is only as good as the number of eyes testing it out for flaws.

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
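Both the orphan HKCR\CLSID keys Mayayana describes in #17 and the "File Not Found" rows Blake sees in Autoruns above can be enumerated from a script. The following is an added example, not code from the thread, from Sysinternals or from CCleaner: a read-only PowerShell audit that walks the per-user and machine Run/RunOnce keys and every HKCR\CLSID server entry, and reports registrations whose target file no longer exists. The key list, the module-extension list and the helper names (Get-TargetPath, Find-OrphanAutoruns, Find-OrphanComServers) are my choices, not anything the thread or Autoruns defines.

```powershell
# Added example, not code from the thread: report autostart entries and COM
# server registrations whose target file no longer exists. This is the
# "File Not Found" column Autoruns shows and the orphan HKCR\CLSID keys
# described in the thread, produced as a read-only report. Nothing is
# deleted; review the output, then remove entries with Autoruns or regedit.
# Requires Windows PowerShell 5.1 or later; HKCR is mounted as a drive first.

if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

# Extract the file path from a registry command line such as
#   "C:\Program Files\Acme\acme.exe" /background   or   %SystemRoot%\system32\acme.dll,Entry
# Environment variables are expanded. Returns $null when no rooted path can be
# found: a bare DLL name is resolved through the loader search path, so it is
# skipped rather than reported as a false positive.
function Get-TargetPath {
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        $target = if ($end -gt 1) { $cmd.Substring(1, $end - 1) } else { $null }
    } else {
        # Unquoted: prefer the token ending in a module extension, else the first token.
        $m = [regex]::Match($cmd, '^(.+?\.(exe|dll|ocx|cpl|scr))(\s|,|$)', 'IgnoreCase')
        $target = if ($m.Success) { $m.Groups[1].Value } else { ($cmd -split '\s+')[0] }
    }
    if ($target -and [System.IO.Path]::IsPathRooted($target)) { return $target }
    return $null
}

# Autostart keys audited (my selection): per-user and machine Run/RunOnce plus the 32-bit view.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Properties the registry provider adds to every Get-ItemProperty result; not registry values.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Find-OrphanAutoruns {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $values = Get-ItemProperty -LiteralPath $key
        foreach ($p in $values.PSObject.Properties) {
            if ($p.Name -in $ProviderProps -or $p.Value -isnot [string]) { continue }
            $target = Get-TargetPath $p.Value
            if ($target -and -not (Test-Path -LiteralPath $target)) {
                [pscustomobject]@{ Location = $key; Name = $p.Name; Target = $target }
            }
        }
    }
}

# Orphan COM servers: CLSID subkeys whose InprocServer32 or LocalServer32
# default value names a file that is gone. Walking HKCR\CLSID takes a while.
function Find-OrphanComServers {
    foreach ($clsidKey in Get-ChildItem -LiteralPath 'HKCR:\CLSID' -ErrorAction SilentlyContinue) {
        foreach ($sub in 'InprocServer32', 'LocalServer32') {
            $serverKey = "HKCR:\CLSID\$($clsidKey.PSChildName)\$sub"
            if (-not (Test-Path -LiteralPath $serverKey)) { continue }
            $default = (Get-ItemProperty -LiteralPath $serverKey -ErrorAction SilentlyContinue).'(default)'
            if ($default -isnot [string]) { continue }
            $target = Get-TargetPath $default
            if ($target -and -not (Test-Path -LiteralPath $target)) {
                [pscustomobject]@{ Location = $serverKey; Name = $sub; Target = $target }
            }
        }
    }
}

$orphans = @(Find-OrphanAutoruns) + @(Find-OrphanComServers)
$orphans | Sort-Object Location | Format-Table -AutoSize
'{0} registration(s) point at files that no longer exist' -f $orphans.Count
```

Run it from an elevated prompt so that HKLM and HKCR are fully readable; it changes nothing. Entries that load through rundll32.exe or regsvr32.exe, or that give a bare DLL name resolved via the loader search path, are not checked, so Autoruns will still list items this script does not, and a stale entry in this report is a candidate for review, not proof that removing it is safe.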
#19
Hackers hid malware in CCleaner software
On Tue, 19 Sep 2017 17:29:38 -0000 (UTC), in
news

As a test I hit the HP entry that CCleaner and Windows control panel couldn't get rid of:
HP Photosmart Officejet and Deskjet All-In-One Driver Software 13.0 Rel. B

It created a restore point (which I don't need and generally don't do), and then it popped up a query to uninstall all HP products (Yes! Please!). And then a funny popup that literally said:
Are you sure you want to remove  from your computer?
Note the double space where a name would normally be. And then the classic HP message "You must restart your computer to finish the install" where I know from experience that it will do nothing but reboot my computer and where the HP software will still be listed as being there. Since there is no way now to NOT reboot (ask me how I know), I will have to send this message first and then see if it worked (which I'm pretty sure it failed just like CCleaner and the Windows Add/Remove Programs failed). But maybe I will get lucky ... if so I'll be a believer in Revo!

Two things to report on Revo. It *does* phone home, to:
https://www.revouninstaller.com/free..._thankyou.html
But that's easily circumvented with a HOSTS file entry of:
127.0.0.1 www.revouninstaller.com revouninstaller.com
But worse, it didn't do anything with the HP entry of:
HP Photosmart Officejet and Deskjet All-In-One Driver Software 13.0 Rel. B
I was hoping to get rid of that entry once and for all.

PS: I'm changing the VPN server to see if the virus message goes away. If it doesn't go away, I'll check the header randomizing scripts which have been in place for so many years that I forget if they insert a bogus AV header.
#20
Hackers hid malware in CCleaner software
On Tue, 19 Sep 2017 17:55:52 -0000 (UTC), in
news

| PS: I'm changing the VPN server to see if the virus message goes away.
| If it doesn't go away, I'll check the header randomizing scripts which
| have been in place for so many years that I forget if they insert a
| bogus AV header.

So it was the VPN server that added that AV sig line. I could track down which server it was and remove that from my list of thousands of freely available public VPN servers, but the sig line only bothers people who think that I didn't configure my AV program correctly. I never see sig lines myself since my scripts change what I see by presenting everything in a table that culls out only the important information from their headers and statistics culled from the net. So I apologize for the sig lines, where the privacy randomization scripts do insert random sig lines but never that particular AV one.
#21
Hackers hid malware in CCleaner software
On Tue, 19 Sep 2017 09:54:58 -0400, "Mayayana"
wrote:
| "Blake Snyder" wrote
| | I don't know if cleaning the registry is a scam, and, I've never seen a
| | problem that I could attribute to the cleaning of the registry.
| |
| | But I have seen *plenty* of left-over registry entries after uninstalling a
| | program which are cleaned by CCleaner.
| |
| | Do those leftover registry entries cause harm.
| | I can't say.
| |
|
| You can research it for yourself. Start Regmon or Procmon. Then start IE.
| On my system, IE will make over 5,000 Registry reads in about 1 second.
| (I don't know why. Microsoft seem to do that deliberately to obfuscate
| the relevant reads. That's the only reason I can think of.)
|
| So the Registry is incredibly fast. Cleaners generally target 2 categories:
| Leftover software entries, like you mentioned, and HKCR\CLSID keys.
|
| An example of the first might be that Acme Editor gets uninstalled and
| settings stay there. That's typical. In case you decide to install it
| again your preferences would still be intact. So you have some settings
| under HKCU\Software\Acme Software\Acme Editor\ That adds a few bytes to
| the Registry and does no harm. Since it's an Acme Software key, no other
| software is affected by the settings.
|
| An example of the second case might be a program with a bad uninstaller
| that uninstalled their Acme123.dll COM library but didn't unregister it.
| So there are keys like HKCR\CLSID\{a1b2.....}\ and HKCR\AcmeLib.Ops.
| Those are the keys that allow the COM library to be accessed. With the
| library gone they're "orphan" entries. But since no other program is
| going to use AcmeLib, the entries do no harm. The worst that might
| happen, which is still very unlikely, would be that you'd see a message
| like, "Unable to create object" when a program tries to access AcmeLib.
| But you'd see an error message anyway, in that case, because the DLL is
| gone. You might just get a crash instead of the "unable to create
| object" message. Either way, the Registry entry won't matter.
|
| The best analogy I can think of is that you have a gigantic attic, full
| of stored stuff, and you hire a teenager to clean up. The teenager finds
| 2 incomplete decks of cards and a broken broomstick to throw away. You
| feel satisfied. But nothing useful has been done in the attic. You don't
| actually have more space. It won't be any easier or faster when you want
| to find something. And what if the teenager broke something, or left
| behind a fire hazard?
|
| If it really bugs you to have leftover settings in the Registry it's easy
| to remove the software settings. Just open Regedit to HKCU\Software\.
| Each subkey is a company. You can delete the Acme Editor key. Either way,
| anything that actually needs to access the Registry is going to be doing
| it in the range of milliseconds, regardless of whether your Registry is
| 20 MB or 20 MB + 30 KB of unnecessary data.
|
| | I use it mostly as my front end uninstaller.
| |
| | It removes a lot of the BHOs and other hijacked autostarters.
| |
| | | It sounds like you install a lot of dubious stuff.
| |
| | I'm way better than most people so I doubt I install "dubious" stuff.
| | You forget I know as much as you do about many things.
| | Nonetheless, I do use exclusively freeware - but only the best.
| ...
| | I probably led you astray with the letters BHO which, I agree, are specific
| | to browsers where anyone who gets a BHO is an idiot - so I see where you
| | got the idea that I install dubious software.
|
| I'm not making any assumption about how much you know. But if you
| regularly have to clean up bad installs then something is wrong.
|
| I chimed in because the whole category of "cleaning" is mostly a scam
| industry and people don't realize it. It's like drain cleaners, or gas
| tank conditioners, or dryer sheets, or bottled water, or air fresheners,
| or gluten-free yogurt, or life-extending quinoa magic, or any of the
| other myriad nonsense that gets marketed: You're lucky if they do no
| harm. They will not do any real good. (Though I guess quinoa is edible
| and reasonably nutritious, if you don't mind starving Peruvian peasants
| resulting from you being willing to pay through the nose for magic
| starch.)
|
| I explained the details of the Registry above so that anyone can check
| for themselves.
|
| I agree that a lot of decent software nevertheless tries to autostart
| things. HP printers are a good example. iTunes is especially sleazy. Even
| 7-Zip does things without asking. But all of that can be safely
| controlled via Autoruns. That includes context menu add-ons, which are
| under the Shell Extensions section. Autoruns also lets you find out where
| things are, so you can delete EXEs if desired. And as you may know,
| Autoruns and the Sysinternals tools were originally written by Mark
| Russinovich, a top Windows programmer who then went to work for MS and
| left them in charge of Sysinternals. So they're dependable programs.
|
| You might have to watch installs to make sure you don't agree to junk
| toolbars and such. (Maybe that's what you had in mind with BHOs?) But
| aside from that, any reputable software shouldn't be installing extra
| items.
|
| | The US gov just deprecated Kaspersky by the way.
| | I'm not sure what the threat is though.
| |
|
| I haven't followed that closely, but I think the idea was that they think
| Kaspersky is working as a spy company for Russia.

Re registry cleaners ....
http://privazer.com/download-shellba...ag-cleaner.php

Did it find anything personal in the registry that your system might have stored for the forensic guys, and which you would rather not be made public ? No ? Great !!!!!

Ever thought of taking up religion as a profession ? I hear there's a vacancy for the CEO's position.

[]'s
--
Don't be evil - Google 2004
We have a new policy - Google 2012
#22
Hackers hid malware in CCleaner software
On 9/18/2017 8:21 PM, Blake Snyder wrote:
| On Mon, 18 Sep 2017 17:13:49 -0600, in news Buffalo wrote:
| Thanks, it sure gets you to that page a lot quicker, clever boy
|
| What free software do you recommend for checking this in the future? I
| have Wireshark, for example, but it's complex to use (as you may know). I
| also have Fiddler4, & TCPView, & Glasswire. None of those would have
| caught it though because all are active sniffers. What free software, as
| a passive sniffer, do you recommend that would/should have caught the
| spyware in CCleaner when even Avast & Kaspersky didn't catch it?

I have Norton 360 on my machines and it caught it.
#23
Hackers hid malware in CCleaner software
| I keep a script on my Desktop to clean TEMP.

Why not post the script here to help others?
#24
Hackers hid malware in CCleaner software
On Tue, 19 Sep 2017 17:42:14 -0500, in , M.L. wrote:
| | I keep a script on my Desktop to clean TEMP.
|
| Why not post the script here to help others?

I know that was for Mayayana but here are the temp directories that you can define to be in C:\tmp\* or wherever you want them to be.
http://www.askvg.com/list-of-environ...p-vista-and-7/
Then you can delete them just by deleting everything in c:\tmp\*
http://best-windows.vlaurie.com/envi...variables.html
Or you can just move them to a convenient easily deleted location.
https://technet.microsoft.com/en-us/...exchg.65).aspx
Here is a list of some of the system variables:
https://technet.microsoft.com/en-us/...(v=ws.10).aspx

As I recall, there are four "temp" system variables I have all set to my c:\tmp\* directory where they can be easily cleaned up. Be advised that even on Windows 10, Microsoft still constrains you to the 8+3 syntax, as exemplified here:
c:] echo %temp%
C:\tmp\junk\WINDOW~
Where "Window~" is Microsoft's 8+3 way of doing things.
c:] echo %tmp%
C:\tmp\junk\WINDOW~1
c:] cd %tmp%
Where "Windows~1" in this case is actually "windows_temp". Who'd have thought that even in Windows 10, you're limited to 8+3 syntax!

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
#25
Hackers hid malware in CCleaner software
On 9/19/2017 6:42 PM, M.L. wrote:
> I keep a script on my Desktop to clean TEMP.
>
> Why not post the script here to help others?

Here are the commands I use in my unattended overnight batch to keep my Temp file to a reasonable size. I want to keep the most recent files and folders in case they are needed. I realize many just want to do a delete all.

    :: Reduce Temp Files and Folders
    :: ---------------------------------------------------------------------
    :: Remove from TEMP files whose last MODIFIED date is older than AGE days
    :: (FORFILES /D compares the modified date, not the last-accessed date).
    :: The quoted SET keeps the space before "&" out of the path value.
    SET "_SRC=C:\Users\....\AppData\Local\Temp" & SET "AGE=120"
    :: @isdir guard: without it FORFILES /S also hands folders to DEL, which
    :: would empty every folder regardless of the age of its files.
    FORFILES /P "%_SRC%" /S /C "CMD /C IF @isdir==FALSE DEL /Q @path" /D -%AGE% >NUL 2>&1
    :: Remove from TEMP empty folders, deepest first
    FOR /F "delims=" %%i IN ('DIR "%_SRC%" /AD /S /B ^| SORT /R') DO RD "%%i" >NUL 2>&1

NOTE: "reverse sort" the DIR output because the "lowest" folders must be removed before the "highest", which would not be empty with the "lowest" still in place.

-- 
Zaidy036
#26
Hackers hid malware in CCleaner software
"Blake Snyder" wrote
| I get that Microsoft has a counter for any shared DLL that is counted down
| somehow in the registry where that counter "can" get screwed up. Presumably
| CCleaner handles that, where the presence of the extraneous DLL isn't a big
| deal (however, again, it's not "clean").
|

I think you may be thinking of the reference count. Windows tracks loading and unloading of shared system DLLs. It will then unload the DLL when the last reference is dropped. I don't think that's connected to the Registry, though I'm not sure. In any case, it would all be cleared with a restart. As far as I know there are not typically problems with that system.

| Oh. Mayayana. You don't know what you just said.
| Do you realize how many bad installers are out there?
|

I can't say that I've seen them. But I do agree that there are an increasing number of sneaky ones that will install junk if you're not careful. Even Irfanview. And there's a lot of crap of another kind in programs like Firefox: It doesn't actually install malware, but it will inflict a kind of death by a 1,000 cuts, with things like call-home data collection, ads in the default home page, etc.

| OMG. Do not get me started on HP printers!
| It has been YEARS that I've been trying to get rid of some HP software on
| my computer. The only way is to flush the operating system and start over.
| Sigh. (Please don't get me started on HP.)
|

They're a weird bunch. One HP printer I had insisted I needed an updated IE to install the drivers! I had to trick it by changing the Registry value it was checking. Another came with a complete VB6 project for customer feedback. Not an EXE. The entire code project to make the EXE! But then I tried an Epson printer and it would arbitrarily decide to stop working, insisting that I officially had no ink left when that was not true. So now I accept HP as the lesser of the evils and only do as much printing as is necessary for things like business cards, contracts, customer receipts, etc.

| iTunes is especially sleazy.
| OMG. You know EXACTLY how to make me wince!
|
| I know all about iTunes and I never want to see it again. Ever.
| I have iOS and Android where there is never a need for iTunes crap.
| Let's not go there or we'll drive the others nuts.
|

This might be a good time to take your anti-high blood pressure drugs.
#27
Hackers hid malware in CCleaner software
"M.L." wrote
| I keep a script on my Desktop to clean TEMP.
|
| Why not post the script here to help others?

It's in this package:
http://www.jsware.net/jsware/scrfiles.php5#desk

It could be trimmed down quite a bit if you know the paths. It's designed to work on all systems without knowing paths. I mostly work on XP. I don't remember whether I altered the script for Win7. I don't think so. You may also not want to run as admin, in which case you can only delete temp files in your own user folder, but I assume it will also work to delete them in C:\TEMP and C:\Windows\TEMP.

Here's the content of the message box window I just got after running the script:

TEMP folders found: List shows beginning size of each TEMP folder found and size of that folder after cleaning.

C:\WINDOWS\TEMP: 4 MB - 4 MB
C:\temp: 24 KB - 0 Bytes
C:\DOCUME~1\[username]\LOCALS~1\Temp: 6 MB - 0 Bytes
C:\DOCUME~1\Default User\Local Settings\Temp: 0 Bytes - 0 Bytes
C:\DOCUME~1\NetworkService\Local Settings\Temp: 0 Bytes - 0 Bytes
C:\DOCUME~1\LocalService\Local Settings\Temp: 0 Bytes - 0 Bytes
C:\DOCUME~1\Administrator\Local Settings\Temp: 0 Bytes - 0 Bytes

The 4 MB in C:\Windows\TEMP stayed because they're open files. The script is designed to just ignore errors, which will occur if a file is open and can't be deleted.

The FileSystemObject used in VBS can deal with deleting nested folders, so there's no need to get into any fancy footwork like recursive cleaning. The script just looks for any likely TEMP folders, then deletes all files/folders in any TEMP folders found.
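Both Zaidy036's batch (post #25) and Mayayana's VBS cleaner above delete whatever sits under a TEMP folder and ignore errors. The following is an added example, not either poster's script, of the same age-based cleanup in Python, with the one check a practitioner wants when such a job runs unattended or as admin: it never follows symlinks or NTFS junctions, so a link planted inside TEMP cannot redirect the deletion to C:\Windows or the user's profile. Standard library only; the root, age cutoff and dry-run flag are parameters, and the tree built by build_sample_tree() is constructed purely for the demo.

```python
"""Age-based TEMP cleanup that never follows symlinks or junctions.
Added example, not Zaidy036's batch file or Mayayana's VBS script; standard
library only. build_sample_tree() makes a constructed tree for the demo."""
import os
import tempfile
import time
from typing import Dict, List, Optional, Set


def is_reparse_point(path: str) -> bool:
    """Symlink on any OS, or an NTFS junction where Python has isjunction (3.12+)."""
    isjunction = getattr(os.path, "isjunction", None)
    return os.path.islink(path) or bool(isjunction and isjunction(path))


def clean_temp(root: str, max_age_days: int, dry_run: bool = False,
               now: Optional[float] = None) -> Dict[str, List[str]]:
    """Delete files under root last modified more than max_age_days ago, then
    remove directories left empty, deepest first. Returns what was (or, in a
    dry run, would be) deleted, which links were skipped, and any errors.

    Links are skipped, never followed: a symlink or junction planted in TEMP
    that points at C:\\Windows or /etc would otherwise be cleaned through.
    Open or locked files are recorded and ignored, as the batch version does."""
    r: Dict[str, List[str]] = {"files": [], "dirs": [], "links": [], "errors": []}
    if is_reparse_point(root) or not os.path.isdir(root):
        r["errors"].append(f"refusing to clean {root!r}: not a plain directory")
        return r
    cutoff = (time.time() if now is None else now) - max_age_days * 86400
    gone: Set[str] = set()  # deleted, or planned for deletion in a dry run
    # Bottom-up walk: a directory is visited after everything inside it.
    for dirpath, dirnames, filenames in os.walk(root, topdown=False, followlinks=False):
        for kind, names in (("files", filenames), ("dirs", dirnames)):
            for name in names:
                path = os.path.join(dirpath, name)
                if is_reparse_point(path):  # os.walk did not descend into it either
                    r["links"].append(path)
                    continue
                try:
                    if kind == "files":
                        if os.lstat(path).st_mtime >= cutoff:
                            continue
                        if not dry_run:
                            os.unlink(path)
                    else:
                        if any(os.path.join(path, e) not in gone for e in os.listdir(path)):
                            continue
                        if not dry_run:
                            os.rmdir(path)
                except OSError as exc:
                    r["errors"].append(f"{path}: {exc}")
                    continue
                gone.add(path)
                r[kind].append(path)
    return r


def build_sample_tree(base: str, now: float) -> Dict[str, str]:
    """Constructed tree: stale files, one fresh file, an empty subfolder, and a
    directory link plus a file link that both point outside the cleanup root."""
    root, outside = os.path.join(base, "Temp"), os.path.join(base, "outside")
    sub = os.path.join(root, "sub")
    os.makedirs(os.path.join(sub, "empty"))
    os.makedirs(outside)
    p = {"root": root, "sub": sub, "old": os.path.join(root, "old.log"),
         "old2": os.path.join(sub, "old2.bin"), "new": os.path.join(root, "new.log"),
         "secret": os.path.join(outside, "secret.txt"),
         "dirlink": os.path.join(root, "dirlink"), "filelink": os.path.join(root, "filelink")}
    for key in ("old", "old2", "new", "secret"):
        with open(p[key], "w") as fh:
            fh.write(key)
    stale = now - 200 * 86400
    for key in ("old", "old2", "secret"):  # secret is stale too: a link-follower would delete it
        os.utime(p[key], (stale, stale))
    os.symlink(outside, p["dirlink"], target_is_directory=True)
    os.symlink(p["secret"], p["filelink"])
    return p


def demo(max_age_days: int = 120) -> Dict[str, object]:
    """Dry run first, then the real run; returns checks on the outcome."""
    now = time.time()
    p = build_sample_tree(tempfile.mkdtemp(prefix="tempclean-"), now)
    plan = clean_temp(p["root"], max_age_days, dry_run=True, now=now)
    dry_run_ok = (len(plan["files"]) == 2 and len(plan["dirs"]) == 2
                  and os.path.exists(p["old"]) and os.path.isdir(p["sub"]))
    real = clean_temp(p["root"], max_age_days, now=now)
    return {
        "dry_run_ok": dry_run_ok,
        "stale_removed": not os.path.exists(p["old"]) and not os.path.exists(p["old2"]),
        "fresh_kept": os.path.exists(p["new"]),
        "outside_untouched": os.path.exists(p["secret"]),
        "empty_dirs_removed": not os.path.exists(p["sub"]),
        "links_left_alone": os.path.lexists(p["dirlink"]) and os.path.lexists(p["filelink"]),
        "root_kept": os.path.isdir(p["root"]),
        "skipped_links": len(real["links"]),
        "errors": real["errors"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The age test uses lstat, so a link's own timestamp is read rather than its target's, and the directory pass only removes a folder once every entry in it is in the deleted set, which makes the dry run report the same folders the real run would remove. Creating the sample symlinks on Windows needs the symlink privilege or Developer Mode; the cleaner itself does not.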
#28
Hackers hid malware in CCleaner software
On 20/9/2017 1:54 AM, BurfordTJustice wrote:
> So it really is crap.

I still don't find a use for it after all these years...

-- 
@~@ Remain silent! Drink, Blink, Stretch! Live long and prosper!!
/ v \ Simplicity is Beauty!
/( _ )\ May the Force and farces be with you!
^ ^ (x86_64 Ubuntu 9.10) Linux 2.6.39.3
No borrowing! No fraud! No compensated dating! No fighting! No robbery! No suicide! Please consider CSSA (Comprehensive Social Security Assistance): http://www.swd.gov.hk/tc/index/site_...sub_addressesa
#29
Hackers hid malware in CCleaner software
Firstly, I really enjoyed Mayayana's post and Blake's reply. Both well-thought-out and reasonable. Just picking up on a couple of points:

Blake Snyder writes:
> On Tue, 19 Sep 2017 09:54:58 -0400, Mayayana wrote:
[]
>> Either way, anything that actually needs to access the Registry is going to be doing it in the range of milliseconds, regardless of whether your Registry is 20 MB or 20 MB + 30 KB of unnecessary data.

I agree with most of what you say about registry cleaners making excessive claims about speed improvement and being of dubious value altogether (though I agree with Blake that there's something aesthetically satisfying: in the way that some people would clean mud off their car even if it was just mud and over modern paint that wouldn't be harmed by the mud being left), but the above _proportions_ I think might not be representative of the case: I suspect that my (and certainly a lot of people's) registries contain unnecessary data that is a much higher proportion, possibly even far exceeding the "necessary" part.

[]
> I also keep a lot of EVERY installation, so that I know what mistakes I made (since they always catch you on something) particularly which ones phone home and which ones have settings to stop that and which I have to use the HOSTS file (yes, I know you love Acrylic DNS which I'll install some day).
[]

(I assume that was meant to be "log" rather than "lot".) There are - or used to be, I haven't looked for years - utilities (not sure if any free) that claim to do this for you, i. e. monitor all activity during an install (file installs, registry changes, whatever), to give you the option of thorough removal. (I _think_ the paid version of revo might include such.) I wondered, have you ever explored any of them?

I haven't - or if I did, it was so long ago that I can't remember - (a) because it seems like a lot of effort [though presumably less so than doing it manually as you do!], and (b) I'm not sure if there'd be problems using them to remove one thing when I'd _subsequently_ installed other things.

-- 
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf
.... management speak, a language used by those employed to deliver change while dodging responsibility for its nastier effects. - Gillian Reynolds, RT 2016/9/17-23
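The install monitors discussed above work by comparing the machine before and after the installer runs. The following is an added example, not revo or any other product named in the thread, of the file-system half of that in Python: hash every file under the watched roots before the install, again after, and report what was added, replaced or removed, which is exactly the record you want when deciding what an uninstaller left behind or what a tampered installer dropped. Standard library only; the "system" and the "installer" in demo() are constructed stand-ins, and the three roots are assumptions standing in for Program Files, Windows and the user profile.

```python
"""Before/after file-system snapshot to see what an installer left behind.
Added example, not revo or any other product; standard library only. The
"system" and the "installer" in demo() are constructed stand-ins."""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List


def file_digest(path: str) -> str:
    """SHA-256 of a file, streamed so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(roots: Iterable[str]) -> Dict[str, str]:
    """Map every regular file under roots to its digest. Symlinks are recorded
    by target and not followed; unreadable files are recorded as errors rather
    than dropped, so they still show up as changed if they later disappear."""
    snap: Dict[str, str] = {}
    for root in roots:
        for dirpath, _dirs, filenames in os.walk(root, followlinks=False):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    snap[path] = ("link:" + os.readlink(path) if os.path.islink(path)
                                  else file_digest(path))
                except OSError as exc:
                    snap[path] = "error:" + type(exc).__name__
    return snap


def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Paths added, removed, or whose content changed between two snapshots."""
    return {
        "added": sorted(p for p in after if p not in before),
        "removed": sorted(p for p in before if p not in after),
        "modified": sorted(p for p in after if p in before and after[p] != before[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Build a constructed system, run a constructed install, return the diff
    with paths made relative to the sandbox so the result is stable."""
    base = tempfile.mkdtemp(prefix="installdiff-")

    def put(rel: str, data: bytes) -> None:
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

    # Constructed "system" before the install; the roots stand in for
    # Program Files, Windows and the user profile.
    put("Program Files/Existing/app.exe", b"MZ existing app")
    put("Windows/System32/shared.dll", b"MZ shared library v1")
    put("Users/me/AppData/Roaming/Existing/settings.ini", b"[existing]\n")
    roots = [os.path.join(base, d) for d in ("Program Files", "Windows", "Users")]
    before = snapshot(roots)

    # Constructed "installer": its own program, a replaced shared DLL, a
    # per-user config that phones home, and a Startup-folder entry.
    put("Program Files/Acme/acme.exe", b"MZ acme")
    put("Windows/System32/shared.dll", b"MZ shared library v2, replaced by Acme")
    put("Users/me/AppData/Roaming/Acme/acme.ini", b"[acme]\nphone_home=1\n")
    put("Users/me/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/acme.lnk", b"lnk")
    after = snapshot(roots)

    changes = diff_snapshots(before, after)
    return {kind: [os.path.relpath(p, base).replace(os.sep, "/") for p in paths]
            for kind, paths in changes.items()}


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, *paths, sep="\n  ")
```

Registry changes are not covered by this; on Windows, `reg export` of the hives you care about before and after, followed by an ordinary text diff of the two files, gives the registry half. Keeping the "before" snapshot for each install, as Blake describes doing by hand, is what makes later removal possible even after other things have been installed on top.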
#30
Hackers hid malware in CCleaner software
Blake Snyder writes:
[]
> Be advised that even on Windows 10, Microsoft still constrains you to the 8+3 syntax, as exemplified here:
>
> c:\> echo %temp%
> C:\tmp\junk\WINDOW~
>
> Where "Window~" is Microsoft's 8+3 way of doing things.
>
> c:\> echo %tmp%
> C:\tmp\junk\WINDOW~1
>
> c:\> cd %tmp%
>
> Where "Windows~1" in this case is actually "windows_temp".
>
> Who'd have thought that even in Windows 10, you're limited to 8+3 syntax!

(The second one doesn't have the s in it.) It _may_ not be the case for these two, as they may always be created in the same order, but IME, the 8.3 forms are created - with the number after the ~ incrementing - in the order the files are, so they _could_ be the other way round. Or have higher indices if \tmp\junk already had some window~x files in them when those needed to be created.

-- 
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf
.... management speak, a language used by those employed to deliver change while dodging responsibility for its nastier effects. - Gillian Reynolds, RT 2016/9/17-23