#31
Hackers hid malware in CCleaner software
In message , Blake Snyder writes:

[] Two things to report on Revo. It *does* phone home, to: https://www.revouninstaller.com/free..._thankyou.html

OK. I think blocking that doesn't stop it working, though.

But that's easily circumvented with a HOSTS file entry of: 127.0.0.1 www.revouninstaller.com revouninstaller.com But worse, it didn't do anything with the HP entry of: HP Photosmart Officejet and Deskjet All-In-One Driver Software 13.0 Rel. B I was hoping to get rid of that entry once and for all.

Well, you did give it a hard one to start with! I certainly wouldn't claim it does everything I'd like it to. But if you try it with something less demanding (and on its strongest setting), I think you'll find it finds quite a lot of directories, files, and registry entries left over after an app's own uninstaller has run. (Depending on the app., of course.) I find it acceptably useful. This started with me saying something like "how does it compare to revo", after you'd mentioned an uninstaller you use (I forget what): I'd still be interested in your opinion as to how the two compare. (I'm guessing that your alternative uninstaller didn't kill the HP stuff either! I find HP printers reasonable, but their installers an amazing example of bloatware and misleading.)

PS: I'm changing the VPN server to see if the virus message goes away. If it doesn't go away, I'll check the header randomizing scripts which have been in place for so many years that I forget if they insert a bogus AV header.

Worked!

-- 
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf
.... management speak, a language used by those employed to deliver change while dodging responsibility for its nastier effects. - Gillian Reynolds, RT 2016/9/17-23
#32
Hackers hid malware in CCleaner software
In message , Blake Snyder writes:

[] So it was the VPN server that added that av sig line. I could track down which server it was and remove that from my list of thousands of freely available public VPN servers, but the sig line only bothers people who think that I didn't configure my AV program correctly.

Sorry for being one such. In my defence I had no way of knowing you were using a VPN.

I never see sig lines myself since my scripts change what I see by presenting everything in a table that culls out only the important information from their headers and statistics culled from the net. So I apologize for the sig lines, where the privacy randomization scripts do insert random sig lines but never that particular AV one.

I see them in a different colour, so on the whole can ignore them - but of course that's triggered by a proper separator line, which that AV one doesn't have. (Any chance of you creating a .sig that consists solely of a "-- " line? That way at least it'd appear - or not appear in your case, when you're reading back your own posts - as part of a true .sig.)

-- 
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf
.... "from a person I admire, respect, and deeply love." "Who was that then?" "Me." (Zaphod Beeblebrox in the Link episode.)
#33
Hackers hid malware in CCleaner software
"J. P. Gilliver (John)" wrote

| I agree with most of what you say about registry cleaners making
| excessive claims about speed improvement and being of dubious value
| altogether (though I agree with Blake that there's something
| aesthetically satisfying: in the way that some people would clean mud
| off their car even if it was just mud and over modern paint that
| wouldn't be harmed by the mud being left)

I can see that. I'm not above marching into HKCU\Software\ occasionally, snorting with righteous wrath, to decimate a key left by some kind of program that I tested out for about 15 seconds. It's the same satisfaction I get from putting supermarket ad fliers into *their* rubbish barrel on my way out of the store.

| but the above _proportions_ I
| think might not be representative of the case: I suspect that my (and
| certainly a lot of people's) registries contain unnecessary data that is
| a much higher proportion, possibly even far exceeding the "necessary"
| part.

I doubt that very much. You can browse through it and see what's there. That's why I listed details. The typical things that can be cleaned up are orphan COM keys under HKCR\CLSID\ and HKCU\Software\ keys for removed software. That's minuscule. I remember using Microsoft's cleaner (regclean?) back in the Win9x days. It used to remove a few 10s of KBs. Similarly, The Amazing Doctor Norton would offer to save me from disaster by removing a few dozen entries.

Doesn't the cleaner you use offer a list or a backup put-it-back EXE in case something goes wrong? That should tell you how much is being "cleaned". If it were me I'd want to at least scan the list before letting anything clean. What if, for example, you install a program that doesn't register itself and doesn't register an uninstaller, but does record the activation key in the Registry? A cleaner is apt to remove that after not finding any record of the program in question. Then the next time you start the program it asks for the key, which you may no longer have.

All kinds of little mix-ups like that could happen, partly because the Registry is not very systematic to begin with. The fact there's no dependable list of installed software is one example of that. And if you start getting into Microsoft's settings it can be quite an eye opener. I can only guess that many of their top programmers are fond of playing with secret decoder rings while they eat their Lucky Charms and sugar for breakfast. They *love* to obfuscate anything they get their hands on. Reg cleaners have to contend with that general disorder.

I think the bloat will vary, though, depending on things you've installed. For instance, .Net writes a stunning number of entries to HKCR\, which is all the more surprising because the "classes" part of HKCR refers mainly to COM objects and .Net doesn't support COM in general. The ProgID entries (like system.runtime.etc) are all broken and useless from COM point of view. They're COM-incompatible .Net objects. So why is MS writing them all to HKCR? The whole point of COM object ProgIDs in HKCR is so that programmers can find available COM objects, like InternetExplorer.Application, MS Word objects, scripting objects, ActiveX controls, etc.

Another issue is that "everyone and his brother" thinks it's fancy to cook up their own file types. IrfanView, Libre Office, ImgBurn... Those are just a few of the programs I have installed that have written frivolous, unnecessary "classes" to HKCR that represent nonsense file types. But cleaning those up can cause problems in the programs.

The things that probably can't be safely removed are vast. For instance, I just exported HKCU\Software\Microsoft\ and got a 32 MB file. It probably compresses 10 times in the Registry, but that's still a vast amount of data. And it's only the Microsoft settings for current user.
#34
Hackers hid malware in CCleaner software
On Wed, 20 Sep 2017 11:47:02 +0100, in , J. P. Gilliver (John) wrote:

I could track down which server it was and remove that from my list of thousands of freely available public VPN servers, but the sig line only bothers people who think that I didn't configure my AV program correctly.

Sorry for being one such. In my defence I had no way of knowing you were using a VPN.

Of course you wouldn't know. You might guess it if you started tracking my headers as I think this identity uses mixmin if I remember correctly, where Steve Crook, whom I know personally, at my bequest, changed his header obfuscation with every post, but then within a month, he was so inundated with spam implications that he now changes it once a month per NNTP server (which is per VPN server for me since I never am off VPN). Other news servers (e.g., Blueworld, which is hard to come by nowadays) would change the obfuscation in every post. The obfuscation is meant to fool people like you and me, and not the NSA though, as I'm sure it's easily cracked by those who track all of us daily in all that we do.

In your defense, the two things you wouldn't know are that I'm using a different VPN server every few minutes (it's all automatically handled with scripts which shall remain private because they're not even close to perfect) and that some VPN servers (for whatever reason) add that Avast signature line and a few lines to the header. You could argue that I should be worried that the free VPN service is "scanning" and "recognizing" my actions as a "post", but I could argue back that the VPN server knows everything anyway so the "trust" issue is something everyone who uses a free public VPN server (of which there are thousands out there, and changing every day) has to reconcile themselves with.

I never see sig lines myself since my scripts change what I see by presenting everything in a table that culls out only the important information from their headers and statistics culled from the net. So I apologize for the sig lines, where the privacy randomization scripts do insert random sig lines but never that particular AV one.

I see them in a different colour, so on the whole can ignore them - but of course that's triggered by a proper separator line, which that AV one doesn't have. (Any chance of you creating a .sig that consists solely of a "-- " line? That way at least it'd appear - or not appear in your case, when you're reading back your own posts - as part of a true .sig.)

I understand the "dash dash space" proper sig line, but the explanation we've heard a billion times from the Avast folks is that they *purposefully* put an improper sig, so that users can put their own sigs. My randomization program for Usenet identities also adds random sigs to certain identities but this identity doesn't seem to have a random sig. I don't know what VPN service I'm using at the moment, so I can't say whether it will add the Avast non-standard-on-purpose sig, but I will add my own sig below using the dash-dash-space syntax, just in case it does.

-- 
This is a manual sig following the dash-dash-space syntax.
---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
#35
Hackers hid malware in CCleaner software
On Wed, 20 Sep 2017 11:27:52 +0100, in , J. P. Gilliver (John) wrote:

(The second one doesn't have the s in it.)

My cut-and-paste from a command window always sucks! Thanks.

It _may_ not be the case for these two, as they may always be created in the same order, but IME, the 8.3 forms are created - with the number after the ~ incrementing - in the order the files are, so they _could_ be the other way round. Or have higher indices if \tmp\junk already had some window~x files in them when those needed to be created.

What amazes me but I haven't delved into why, is that when I tell people that even with Windows 10, you have to keep to 8+3 syntax, they say "prove it", where I don't keep a log of the times that the tilde shows up. The two things I can say, without actually being able to point to an actual example at the moment, is that when I don't use 8+3, then I need doublequotes when I shouldn't need them and the tilde shows up in the oddest places where you can rest assured I never created a directory named "C:\tmp\WINDOWS~". For one, I never use capital letters, and for the other, I never use tilde in a name. But Microsoft seems to love both.

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
#36
Hackers hid malware in CCleaner software
On Wed, 20 Sep 2017 11:23:58 +0100, in , J. P. Gilliver (John) wrote:

I agree with most of what you say about registry cleaners making excessive claims about speed improvement and being of dubious value altogether

I think both points are valid. Anyone who thinks cleaning the registry is going to make the system "faster" appreciably, is kidding themselves. But Ccleaner does more than clean the registry anyway, where it cleans "temp" stuff (of all sorts such as browser caches), and it uninstalls things nicely, and it tells you what's in the startup entries and it has a drive wiper. I think part of Mayayana's argument is that there are better purpose-built programs for that "other stuff" (such as "autoruns" for cleaning the startup entries, which is a perfectly good argument. In fact, these "other stuff cleaners" may actually do the job better than does CCleaner for all I know, so, that we'd have to list them individually to gain any tribal knowledge advantage overall.

.. Cleans "files" (such as browser cache & windows logs & recent docs)
.. Cleans "registry" (such as run at startup, unused file extensions)
.. Uninstalls programs (which the Microsoft control panel applet also does)
.. Disables startup entries (which autoruns can do)
.. Disables browser plugins (which have other methods to do)

I don't use the following but others might
.. Scans computer for files (like pictures, music, etc.)
.. Finds duplicates (which other programs can do better perhaps)
.. Manages system restore points (other progs may do that better perhaps)
.. Freespace wiper (other programs may do this better)

There is merit to the argument that a "leatherman" doesn't do any of its various jobs well, where what you really want for performance is a tool specifically tailored to each job.

(I assume that was meant to be "log" rather than "lot".)

Yes. Sorry. Typo. I keep a manual text "log" of every installation. This log moves from machine to machine over time as the installers move.

What I have been doing for decades is the simple sequence below.
.. Before I download a new program, I make a folder for it, say "mkdir D:\myinstallers\cleaners\ccleaner\" (or whatever)
.. Then I create a log file: "D:\myinstallers\cleaners\ccleaner\readthis.log"
.. In that log file I put the basics such as the web site URL.
.. I often print the web site to clickable PDF (using Adobe Acrobat).
.. In the log file, I enter my thoughts which occur while installing.
.. Later on, if I need to change a setting, I go back to the log file to add further thoughts.
.. Then when I re-install, I read the log file before installing any software that I've already installed before (on any machine).

The log is my combined "tribal knowledge" about that software. It's not named "readme" by the way, because other progs use that name. Everything is well thought out and KISS simple. It's always easy to find the log file because everything is in the same place hierarchically, in that my installer hierarchy is the same
D:\myinstaller\cleaners\ccleaner\
As is my installation hierarchy
C:\myapps\cleaners\ccleaner\
As is my menu hierarchy (which is the main launch interface)
Start mymenu cleaners ccleaner.lnk

NOTE: These aren't my actual hierarchies because I keep to an 8+3 for everything because even today, Microsoft Win10 screws up on anything longer in certain situations that crop up from time to time such that we get the tilde number syntax which sucks esthetically. I also never use plurals, so that I don't have to guess at a name ("is it cleaner or cleaners?").

There are - or used to be, I haven't looked for years - utilities (not sure if any free) that claim to do this for you, i. e. monitor all activity during an install (file installs, registry changes, whatever), to give you the option of thorough removal.

We all used "InCtrl 5" (and the earlier incarnation) in the olden days. We would turn it on, and it would track everything changed and then we'd turn it off.

One problem with In-Control was that you had to not do anything else at the same time for obvious reasons, which, in reality, isn't how we work. Another problem was that it was a huge log of mostly registry changes. So the InCtrl 5 log was nice but not actionable. My readthis.txt log is not nice nor is it complete but it's completely actionable in that it's my thoughts and manual actions and observations. Of course, my observations are only a skimming of the surface, so if you know of a good installation-log freeware program like In-Control-5 was, let the information surface!

(I _think_ the paid version of revo might include such.) I wondered, have you ever explored any of them? I haven't - or if I did, it was so long ago that I can't remember - (a) because it seems like a lot of effort [though presumably less so than doing it manually as you do!], and (b) I'm not sure if there'd be problems using them to remove one thing when I'd _subsequently_ installed other things.

I think we'd all benefit from looking again, so many years later, at the in-control-like programs that logged all the changes that an installer makes. I think we'd still need a separate log file for "actionable" summaries, but we could skim the in-control-5-like log for surprises, of which I'm sure *every* installer will gift us.

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
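The InCtrl 5-style before/after install monitoring discussed in this post, as an added example (not code from the thread and not InCtrl 5 itself): snapshot a few folders and registry hives, run the installer, snapshot again, and diff the two. The folder and hive lists are assumptions; narrow them to where the installer is expected to write, since a full Program Files walk is slow.

```powershell
# Added example: minimal InCtrl5-style snapshot/diff of files and registry keys.
# Only persistent changes are seen, and anything else that runs between the two
# snapshots shows up too (the same limitation the post describes for InCtrl 5).
param(
    [string[]]$Folders = @("$env:ProgramFiles", "$env:LOCALAPPDATA"),   # assumed scope
    [string[]]$RegKeys = @('HKLM:\SOFTWARE', 'HKCU:\Software'),          # assumed scope
    [string]$OutFile   = "$env:TEMP\install-diff.txt"
)

function Get-FileSnapshot {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        Get-ChildItem -LiteralPath $p -Recurse -Force -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Record size and mtime as well, so modified files appear, not only new ones.
                '{0}|{1}|{2:o}' -f $_.FullName, $_.Length, $_.LastWriteTimeUtc
            }
    }
}

function Get-RegSnapshot {
    param([string[]]$Keys)
    foreach ($k in $Keys) {
        Get-ChildItem -LiteralPath $k -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $key = $_
                $key.PSPath                      # the key itself, so empty new keys are tracked
                foreach ($name in $key.GetValueNames()) {
                    $val = $key.GetValue($name)  # binary values become a comma-joined byte list
                    '{0}\{1}={2}' -f $key.PSPath, $name, ($val -join ',')
                }
            }
    }
}

$before = @(Get-FileSnapshot $Folders) + @(Get-RegSnapshot $RegKeys)
$null = Read-Host 'Snapshot taken. Run the installer now, then press Enter'
$after  = @(Get-FileSnapshot $Folders) + @(Get-RegSnapshot $RegKeys)

# '=>' entries exist only in the AFTER snapshot (added, or the new state of a changed
# item); '<=' entries exist only in BEFORE (removed, or the old state of a changed item).
$diff  = Compare-Object -ReferenceObject $before -DifferenceObject $after
$lines = @($diff | ForEach-Object {
    $tag = if ($_.SideIndicator -eq '=>') { 'ADDED/NEW' } else { 'REMOVED/OLD' }
    '{0,-12} {1}' -f $tag, $_.InputObject
})
Set-Content -LiteralPath $OutFile -Value ($lines -join "`r`n")
Write-Host "Wrote $($lines.Count) differences to $OutFile"
```

The resulting file is the raw InCtrl-style change list; the "actionable" summary the post keeps in readthis.log is still a separate, hand-written step.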
#37
Hackers hid malware in CCleaner software
On Tue, 19 Sep 2017 22:21:57 -0400, in news Mayayana wrote:

This might be a good time to take your anti-high blood pressure drugs.

My problem is that I have strong feelings about things that I know about.

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
#38
8.3 filenames (Was Hackers hid malware in CCleaner software)
On Wed, 20 Sep 2017 10:01:02 -0400, Wolf K wrote:

So to eliminate the 8.3 format from Windows would require rewriting the kernel at a rather low level.

This is completely wrong. You have been able to disable 8.3 file name creation since the days of NT using the registry and since 2000 using group policy.

https://support.microsoft.com/en-gb/...tfs-partitions

Sent from my iFurryUnderbelly.

-- 
p-0.0-h the cat Internet Terrorist, Mass sock puppeteer, Agent provocateur, Gutter rat, Devil incarnate, Linux user#666, ******* hacker, Resident evil, Monkey Boy, Certifiable criminal, Spineless cowardly scum, textbook Psychopath, the SCOURGE, l33t p00h d3 tr0ll, p00h == lam3r, p00h == tr0ll, troll infâme, the OVERCAT [The BEARPAIR are dead, and we are its murderers], lowlife troll, shyster [pending approval by STATE_TERROR], cripple, sociopath, kook, smug prick, smartarse, arsehole, moron, idiot, imbecile, snittish scumbag, liar, total ******* retard, shill, pooh-seur, scouringerer, jumped up chav, lycanthropic schizotypal lesbian, the most complete ignoid, joker, and furball. NewsGroups Numbrer One Terrorist Honorary SHYSTER and FRAUD awarded for services to Haberdashery. By Appointment to God Frank-Lin. Signature integrity check md5 Checksum: be0b2a8c486d83ce7db9a459b26c4896 I mark any message from »Q« the troll as stinky
#39
Hackers hid malware in CCleaner software
On Wed, 20 Sep 2017 14:01:02 -0000 (UTC), in news

I don't know what VPN service I'm using at the moment, so I can't say whether it will add the Avast non-standard-on-purpose sig, but I will add my own sig below using the dash-dash-space syntax, just in case it does.
-- 
This is a manual sig following the dash-dash-space syntax.
---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

OK. I tracked which VPN Service it was, and I change the name of that in my constantly changing list of thousands of free VPN service configuration files so that I can NOT use it for this identity! Also note that Avast configured the non-standard-sig on purpose to allow our own sigs, where it added a triple-dash non-standard sig below my double-dash standard sig. Anyway, I'm not using that same VPN service for this email because I can manually choose which VPN service I want to choose (although I generally let the randomization do its thing without my intervention).

-- 
This VPN service is different than the last one which gave the avast sig.
#40
HP/Epson Printer weirdware - other flavors? was Hackers hid malware in CCleaner software
"Mayayana" on Tue, 19 Sep 2017 22:21:57 -0400 typed in alt.windows7.general the following:

| OMG. Do not get me started on HP printers!
| It has been YEARS that I've been trying to get rid of some HP software on
| my computer. The only way is to flush the operating system and start over.
| Sigh. (Please don't get me started on HP.)
| They're a weird bunch.

One HP printer I had insisted I needed an updated IE to install the drivers! I had to trick it by changing the Registry value it was checking. Another came with a complete VB6 project for customer feedback. Not an EXE. The entire code project to make the EXE! But then I tried an Epson printer and it would arbitrarily decide to stop working, insisting that I officially had no ink left when that was not true. So now I accept HP as the lesser of the evils and only do as much printing as is necessary for things like business cards, contracts, customer receipts, etc.

I switched over to Canon a long time ago. My issue with them is trying to find out which model will _automatically_ duplex print on legal size or B5 paper. (Insert rant: This seems to be a mystery that no one, least of all Canon, seems to know. Or it could be my search skills. Probably the latter.) So, any weirdness in Canon printer files?

tschus
pyotr
-- 
pyotr filipivich
Next month's Panel: Graft - Boon or blessing?
#41
8.3 filenames (Was Hackers hid malware in CCleaner software)
On Wed, 20 Sep 2017 12:59:44 -0400, in , Wolf K wrote:

So to eliminate the 8.3 format from Windows would require rewriting the kernel at a rather low level.

This is completely wrong. You have been able to disable 8.3 file name creation since the days of NT using the registry and since 2000 using group policy.

https://support.microsoft.com/en-gb/...tfs-partitions

Sent from my iFurryUnderbelly.

Thanks for corrected info. Does this "prove" that 8+3 is completely gone from Windows 10? I ask because I have a WINDOWS~ and a WINDOWS~1 that I certainly didn't create. I don't know how they got created but the creation probably has something to do with the fact that I re-defined the %TMP% & %TEMP% and all the other Windows temp directories to things like c:\tmp\junk\windows_temp\ After that, Windows 10 did its thing to create those 8+3 directories.

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
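As an added, read-only check (not from the thread) for the question raised in this post and the registry/group-policy point in #38: this PowerShell reads the system-wide NtfsDisable8dot3NameCreation value, queries the per-volume state with fsutil, and shows the short name a given folder actually carries. The folder path is an assumption; a WINDOWS~1-style name that already exists persists even after creation is disabled, which is the caveat the check makes visible.

```powershell
# Added example: report 8.3 (short name) creation state and a folder's short name.
# Nothing here changes any setting. fsutil usually needs an elevated shell.
param([string]$Path = "$env:TEMP")   # assumed folder to inspect

# System-wide policy value. Documented meanings (Windows 7 / Server 2008 R2 and later):
#   0 = create 8.3 names on all volumes       1 = never create 8.3 names
#   2 = per-volume setting (fsutil decides)   3 = create only on the system volume
$regKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$policy = (Get-ItemProperty -Path $regKey -Name NtfsDisable8dot3NameCreation).NtfsDisable8dot3NameCreation
$meaning = switch ([int]$policy) {
    0 { 'create 8.3 names on all volumes' }
    1 { 'never create 8.3 names' }
    2 { 'per-volume setting (see fsutil output below)' }
    3 { 'create 8.3 names only on the system volume' }
    default { 'unknown value' }
}
"NtfsDisable8dot3NameCreation = $policy ($meaning)"

# Per-volume state for the drive that holds $Path.
$drive = [System.IO.Path]::GetPathRoot($Path).TrimEnd('\')
fsutil 8dot3name query $drive

# The short name the folder already has. Disabling creation does not remove existing
# short names, so a WINDOWS~1 created earlier stays until the folder is recreated.
$fso    = New-Object -ComObject Scripting.FileSystemObject
$folder = $fso.GetFolder($Path)
"Long path : $($folder.Path)"
"Short path: $($folder.ShortPath)"
```

If the short path differs from the long path, that folder has an 8.3 alias regardless of the current policy; the two values together explain where a stray tilde name came from.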
#42
8.3 filenames (Was Hackers hid malware in CCleaner software)
On Wed, 20 Sep 2017 10:01:02 -0400, in , Wolf K wrote:

So to eliminate the 8.3 format from Windows would require rewriting the kernel at a rather low level.

I think you have a great perspective on this problem. I find that most people (not you - but most) seem to think that the 8+3 legacy is gone, so they look at me funnily when I tell them that it pops up every once in a while, even on Windows 10. Then they tell me to "prove it" where I don't feel like digging into the dirt just to prove to them what I already know because it bites me every once in a while. So I'm glad that you're not one person that I have to "prove it" to.

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
#43
Hackers hid malware in CCleaner software
On Wed, 20 Sep 2017 12:39:35 +0800, in news

So it really is crap. I still don't find a use for it after all these years...

Do you do these half dozen tasks with freeware? If so, what freeware do you use for those tasks that you do?
1. Registry cleaning = what is the best freeware for this?
2. File cleaning = what is the best freeware for this?
3. Autorun disabling = Mark Russinovich's autoruns freeware
4. Browser plugin disabling = what is the best freeware for this?
5. Program uninstaller = Revo uninstaller freeware
6. Duplicate finder = http://www.top5freeware.com/duplicate-file-finder
7. Drive wiper = https://www.pcworld.com/article/254509/free_tools_to_wipe_your_drives_securely.html

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
#44
Hackers hid malware in CCleaner software
On Wed, 20 Sep 2017 11:34:06 +0100, in , J. P. Gilliver (John) wrote:

Since there is no way now to NOT reboot (ask me how I know), I will have to

OK I'm asking (-: [If this was the result of it running HP's own uninstaller as _part_ of a revo uninstall, I'd probably do my best _not_ to have it reboot at that point.]

All (all) of the uninstallers I've tried so far did was run the HP uninstaller, which obviously doesn't work and always requires a reboot. It's not a big deal other than to say that uninstallers aren't all they're cracked up to be if all they do is run the HP uninstaller which fails to uninstall every time.

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
#45
Hackers hid malware in CCleaner software
On Wed, 20 Sep 2017 11:43:05 +0100, in , J. P. Gilliver (John) wrote:

It *does* phone home, to: https://www.revouninstaller.com/free..._thankyou.html

OK. I think blocking that doesn't stop it working, though.

I understand. What matters is "how" they call it. If they call it by ip address, for example. No big deal though so we can drop that matter.

I certainly wouldn't claim it does everything I'd like it to. But if you try it with something less demanding (and on its strongest setting), I think you'll find it finds quite a lot of directories, files, and registry entries left over after an app's own uninstaller has run. (Depending on the app., of course.) I find it acceptably useful.

I like it. I think that the Ccleaner "leatherman" approach of doing lots of things is OK but the approach of having a single tool do a single job (like uninstalling apps) is a better approach. The work is in finding the best freeware to do the main jobs that CCleaner does:
1. Registry cleaning
2. File cleaning
3. Autorun disabling
4. Browser plugin disabling
5. Program uninstaller
6. Duplicate finder
7. Drive wiper

This started with me saying something like "how does it compare to revo", after you'd mentioned an uninstaller you use (I forget what): I'd still be interested in your opinion as to how the two compare. (I'm guessing that your alternative uninstaller didn't kill the HP stuff either! I find HP printers reasonable, but their installers an amazing example of bloatware and misleading.)

Nothing killed the HP stuff. No big deal. We live with this (and learn from it). I do like the Revo uninstaller, so here's my list of "best" freeware to the half dozen things that CCleaner does:
1. Registry cleaning = what is the best freeware for this?
2. File cleaning = what is the best freeware for this?
3. Autorun disabling = Mark Russinovich's autoruns freeware
4. Browser plugin disabling = what is the best freeware for this?
5. Program uninstaller = Revo uninstaller freeware
6. Duplicate finder = http://www.top5freeware.com/duplicate-file-finder
7. Drive wiper = https://www.pcworld.com/article/254509/free_tools_to_wipe_your_drives_securely.html

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus