Hackers hid malware in CCleaner software

In message , Blake Snyder
writes:
[]
Two things to report on Revo.

It *does* phone home, to:
https://www.revouninstaller.com/free..._thankyou.html

OK. I think blocking that doesn't stop it working, though.

But that's easily circumvented with a HOSTS file entry of:
127.0.0.1 www.revouninstaller.com revouninstaller.com

But worse, it didn't do anything with the HP entry of:
HP Photosmart Officejet and Deskjet All-In-One Driver Software 13.0 Rel. B

I was hoping to get rid of that entry once and for all.


Well, you did give it a hard one to start with!

I certainly wouldn't claim it does everything I'd like it to. But if you
try it with something less demanding (and on its strongest setting), I
think you'll find it finds quite a lot of directories, files, and
registry entries left over after an app's own uninstaller has run.
(Depending on the app., of course.) I find it acceptably useful.

This started with me saying something like "how does it compare to
revo", after you'd mentioned an uninstaller you use (I forget what): I'd
still be interested in your opinion as to how the two compare. (I'm
guessing that your alternative uninstaller didn't kill the HP stuff
either! I find HP printers reasonable, but their installers an amazing
example of bloatware and misleading.)

PS: I'm changing the VPN server to see if the virus message goes away.
If it doesn't go away, I'll check the header randomizing scripts which have
been in place for so many years that I forget if they insert a bogus AV
header.

Worked!
--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

.... management speak, a language used by those employed to deliver change
while dodging responsibility for its nastier effects.
- Gillian Reynolds, RT 2016/9/17-23

In message , Blake Snyder
writes:
[]
So it was the VPN server that added that av sig line.

I could track down which server it was and remove that from my list of
thousands of freely available public VPN servers, but the sig line only
bothers people who think that I didn't configure my AV program correctly.

Sorry for being one such. In my defence I had no way of knowing you were
using a VPN.

I never see sig lines myself since my scripts change what I see by
presenting everything in a table that culls out only the important
information from their headers and statistics culled from the net.

So I apologize for the sig lines, where the privacy randomization scripts
do insert random sig lines but never that particular AV one.

I see them in a different colour, so on the whole can ignore them - but
of course that's triggered by a proper separator line, which that AV one
doesn't have. (Any chance of you creating a .sig that consists solely of
a "-- " line? That way at least it'd appear - or not appear in your
case, when you're reading back your own posts - as part of a true .sig.)
--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

.... "from a person I admire, respect, and deeply love." "Who was that then?"
"Me." (Zaphod Beeblebrox in the Link episode.)

"J. P. Gilliver (John)" wrote

| I agree with most of what you say about registry cleaners making
| excessive claims about speed improvement and being of dubious value
| altogether (though I agree with Blake that there's something
| aesthetically satisfying: in the way that some people would clean mud
| off their car even if it was just mud and over modern paint that
| wouldn't be harmed by the mud being left)

I can see that. I'm not above marching into
HKCU\Software\ occasionally, snorting with
righteous wrath, to decimate a key left by some
kind of program that I tested out for about
15 seconds. It's the same satisfaction I get
from putting supermarket ad fliers into *their*
rubbish barrel on my way out of the store.

| but the above _proportions_ I
| think might not be representative of the case: I suspect that my (and
| certainly a lot of people's) registries contain unnecessary data that is
| a much higher proportion, possibly even far exceeding the "necessary"
| part.

I doubt that very much. You can browse through it
and see what's there. That's why I listed details. The
typical things that can be cleaned up are orphan
COM keys under HKCR\CLSID\ and HKCU\Software\
keys for removed software. That's miniscule. I remember
using Microsoft's cleaner (regclean?) back in the Win9x
days. It used to remove a few 10s of KBs. Similarly,
The Amazing Doctor Norton would offer to save me
from disaster by removing a few dozen entries.

Doesn't the cleaner you use offer a list or a backup
put-it-back EXE in case something goes wrong? That
should tell you how much is being "cleaned".

If it were me I'd want to at least scan the list before
letting anything clean. What if, for example, you install
a program that doesn't register itself and doesn't
register an uninstaller, but does record the activation
key in the Registry? A cleaner is apt to remove that
after not finding any record of the program in question.
Then the next time you start the program it asks for
the key, which you may no longer have. All kinds of little
mix-ups like that could happen, partly because the
Registry is not very systematic to begin with. The fact
there's no dependable list of installed software is one
example of that. And if you start getting into Microsoft's
settings it can be quite an eye opener. I can only guess
that many of their top programmers are fond of playing with
secret decoder rings while they eat their Lucky Charms
and sugar for breakfast. They *love* to obfuscate anything
they get their hands on. Reg cleaners have to contend with
that general disorder.

I think the bloat will vary, though, depending on things
you've installed. For instance, .Net writes a stunning number
of entries to HKCR\, which is all the more surprising because
the "classes" part of HKCR refers mainly to COM objects
and .Net doesn't support COM in general. The ProgID entries
(like system.runtime.etc) are all broken and useless from
COM point of view. They're COM-incompatible .Net objects.
So why is MS writing them all to HKCR? The whole point of
COM object ProgIDs in HKCR is so that programmers can
find available COM objects, like InternetExplorer.Application,
MS Word objects, scripting objects, ActiveX controls, etc.

Another issue is that "everyone and his brother" thinks
it's fancy to cook up their own file types. IrfanView,
Libre Office, ImgBurn... Those are just a few of the programs
I have installed that have written frivolous, unnecessary
"classes" to HKCR that represent nonsense file types. But
cleaning those up can cause problems in the programs.

The things that probably can't be safely removed
are vast. For instance, I just exported HKCU\Software\Microsoft\
and got a 32 MB file. It probably compresses 10 times in the
Registry, but that's still a vast amount of data. And it's only
the Microsoft settings for current user.

On Wed, 20 Sep 2017 11:47:02 +0100, in
, J. P. Gilliver (John) wrote:

I could track down which server it was and remove that from my list of
thousands of freely available public VPN servers, but the sig line only
bothers people who think that I didn't configure my AV program correctly.

Sorry for being one such. In my defence I had no way of knowing you were
using a VPN.

Of course you wouldn't know. You might guess it if you started tracking my
headers as I think this identity uses mixmin if I remember correctly, where
Steve Crook, whom I know personally, at my bequest, changed his header
obfuscation with every post, but then within a month, he was so inundated
with spam implications that he now changes it once a month per NNTP server
(which is per VPN server for me since I never am off VPN).

Other news servers (e.g., Blueworld, which is hard to come by nowadays)
would change the obfuscation in every post. The obfuscation is meant to
fool people like you and me, and not the NSA though, as I'm sure it's
easily cracked by those who track all of us daily in all that we do.

In your defense, the two things you wouldn't know are that I'm using a
different VPN server every few minutes (it's all automatically handled with
scripts which shall remain private because they're not even close to
perfect) and that some VPN servers (for whatever reason) add that Avast
signature line and a few lines to the header.

You could argue that I should be worried that the free VPN service is
"scanning" and "recognizing" my actions as a "post", but I could argue back
that the VPN server knows everything anyway so the "trust" issue is
something everyone who uses a free public VPN server (of which there are
thousands out there, and changing every day) has to reconcile themselves
with.

I never see sig lines myself since my scripts change what I see by
presenting everything in a table that culls out only the important
information from their headers and statistics culled from the net.

So I apologize for the sig lines, where the privacy randomization scripts
do insert random sig lines but never that particular AV one.

I see them in a different colour, so on the whole can ignore them - but
of course that's triggered by a proper separator line, which that AV one
doesn't have. (Any chance of you creating a .sig that consists solely of
a "-- " line? That way at least it'd appear - or not appear in your
case, when you're reading back your own posts - as part of a true .sig.)

I understand the "dash dash space" proper sig line, but the explanation
we've heard a billion times from the Avast folks is that they
*purposefully* put an improper sig, so that users can put their own sigs.

My randomization program for Usenet identities also adds random sigs to
certain identities but this identity doesn't seem to have a random sig.

I don't know what VPN service I'm using at the moment, so I can't say
whether it will add the Avast non-standard-on-purpose sig, but I will add
my own sig below using the dash-dash-space syntax, just in case it does.

--
This is a manual sig following the dash-dash-space syntax.

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

On Wed, 20 Sep 2017 11:27:52 +0100, in
, J. P. Gilliver (John) wrote:

(The second one doesn't have the s in it.)

My cut-and-paste from a command window always sucks!
Thanks.

It _may_ not be the case for these two, as they may always be created in
the same order, but IME, the 8.3 forms are created - with the number
after the ~ incrementing - in the order the files are, so they _could_
be the other way round. Or have higher indices if \tmp\junk already had
some window~x files in them when those needed to be created.

What amazes me but I haven't delved into why, is that when I tell people
that even with Windows 10, you have to keep to 8+3 syntax, they say "prove
it", where I don't keep a log of the times that the tilde shows up.

The two things I can say, without actually being able to point to an actual
example at the moment, is that when I don't use 8+3, then I need
doublequotes when I shouldn't need them and the tilde shows up in the
oddest places where you can rest assured I never created a directory named
"C:\tmp\WINDOWS~".

For one, I never use capital letters, and for the other, I never use tilde
in a name. But Microsoft seems to love both.

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

On Wed, 20 Sep 2017 11:23:58 +0100, in
, J. P. Gilliver (John) wrote:

I agree with most of what you say about registry cleaners making
excessive claims about speed improvement and being of dubious value
altogether

I think both points are valid.

Anyone who thinks cleaning the registry is going to make the system
"faster" appreciably, is kidding themselves.

But Ccleaner does more than clean the registry anyway, where it cleans
"temp" stuff (of all sorts such as browser caches), and it uninstalls
things nicely, and it tells you what's in the startup entries and it has a
drive wiper.

I think part of Mayayana's argument is that there are better purpose-built
programs for that "other stuff" (such as "autoruns" for cleaning the
startup entries, which is a perfectly good argument.

In fact, these "other stuff cleaners" may actually do the job better than
does CCleaner for all I know, so, that we'd have to list them individually
to gain any tribal knowledge advantage overall.

.. Cleans "files" (such as browser cache & windows logs & recent docs)
.. Cleans "registry" (such as run at startup, unused file extensions)
.. Uninstalls programs (which the Microsoft control panel applet also does)
.. Disables startup entries (which autoruns can do)
.. Disables browser plugins (which have other methods to do)
I don't use the following but others might
.. Scans computer for files (like pictures, music, etc.)
.. Finds duplicates (which other programs can do better perhaps)
.. Manages system restore points (other progs may do that better perhaps)
.. Freespace wiper (other programs may do this better)

There is merit to the argument that a "leatherman" doesn't do any of its
various jobs well, where what you really want for performance is a tool
specifically tailored to each job.

(I assume that was meant to be "log" rather than "lot".)

Yes. Sorry. Typo. I keep a manual text "log" of every installation.
This log moves from machine to machine over time as the installers move.
What I have been doing for decades is the simple sequence below.

.. Before I download a new program, I make a folder for it, say
"mkdir D:\myinstallers\cleaners\ccleaner\" (or whatever)
.. Then I create a log file:
"D:\myinstallers\cleaners\ccleaner\readthis.lo g"
.. In that log file I put the basics such as the web site URL.
.. I often print the web site to clickable PDF (using Adobe Acrobat).
.. In the log file, I enter my thoughts which occur while installing.
.. Later on, if I need to change a setting, I go back to the log file
to add further thoughts.
.. Then when I re-install, I read the log file before installing any
software that I've already installed before (on any machine).

The log is my combined "tribal knowledge" about that software.
It's not named "readme" by the way, because other progs use that name.

Everything is well thought out and KISS simple.
It's always easy to find the log file because everything is in the same
place hierarchically, in that my installer hierarchy is the same
D:\myinstaller\cleaners\ccleaner\
As is my installation hierarchy
C:\myapps\cleaners\ccleaner\
As is my menu hierarchy (which is the main launch interface)
Start mymenu cleaners ccleaner.lnk

NOTE: These aren't my actual hierarchies because I keep to an 8+3 for
everything because even today, Microsoft Win10 screws up on anything longer
in certain situations that crop up from time to time such that we get the
tilde number syntax which sucks esthetically. I also never use plurals, so
that I don't have to guess at a name ("is it cleaner or cleaners?").

There are - or
used to be, I haven't looked for years - utilities (not sure if any
free) that claim to do this for you, i. e. monitor all activity during
an install (file installs, registry changes, whatever), to give you the
option of thorough removal.

We all used "InCtrl 5" (and the earlier incarnation) in the olden days.

We would turn it on, and it would track everything changed and then we'd
turn it off.

One problem with In-Control was that you had to not do anything else at the
same time for obvious reasons, which, in reality, isn't how we work.
Another problem was that it was a huge log of mostly registry changes.

So the InCtrl 5 log was nice but not actionable.
My readthis.txt log is not nice nor is it complete but it's completely
actionable in that it's my thoughts and manual actions and observations.

Of course, my observations are only a skimming of the surface, so if you
know of a good installation-log freeware program like In-Control-5 was, let
the information surface!

(I _think_ the paid version of revo might
include such.) I wondered, have you ever explored any of them? I haven't
- or if I did, it was so long ago that I can't remember - (a) because it
seems like a lot of effort [though presumably less so than doing it
manually as you do!], and (b) I'm not sure if there'd be problems using
them to remove one thing when I'd _subsequently_ installed other things.

I think we'd all benefit from looking again, so many years later, at the
in-control-like programs that logged all the changes that an installer
makes.

I think we'd still need a separate log file for "actionable" summaries, but
we could skim the in-control-5-like log for surprises, of which I'm sure
*every* installer will gift us.

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

On Tue, 19 Sep 2017 22:21:57 -0400, in news Mayayana wrote:

This might be a good time to take your
anti-high blood pressure drugs.

My problem is that I have strong feelings about things that I know about.


---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

On Wed, 20 Sep 2017 10:01:02 -0400, Wolf K wrote:

So to eliminate the 8.3 format from Windows would require rewriting the
kernel at a rather low level.

This is completely wrong. You have been able to disable 8.3 file name
creation since the days of NT using the registry and since 2000 using
group policy.

https://support.microsoft.com/en-gb/...tfs-partitions

Sent from my iFurryUnderbelly.

--
p-0.0-h the cat

Internet Terrorist, Mass sock puppeteer, Agent provocateur, Gutter rat,
Devil incarnate, Linux user#666, ******* hacker, Resident evil, Monkey Boy,
Certifiable criminal, Spineless cowardly scum, textbook Psychopath,
the SCOURGE, l33t p00h d3 tr0ll, p00h == lam3r, p00h == tr0ll, troll infâme,
the OVERCAT [The BEARPAIR are dead, and we are its murderers], lowlife troll,
shyster [pending approval by STATE_TERROR], cripple, sociopath, kook,
smug prick, smartarse, arsehole, moron, idiot, imbecile, snittish scumbag,
liar, total ******* retard, shill, pooh-seur, scouringerer, jumped up chav,
lycanthropic schizotypal lesbian, the most complete ignoid, joker, and furball.

NewsGroups Numbrer One Terrorist

Honorary SHYSTER and FRAUD awarded for services to Haberdashery.
By Appointment to God Frank-Lin.

Signature integrity check
md5 Checksum: be0b2a8c486d83ce7db9a459b26c4896

I mark any message from »Q« the troll as stinky

On Wed, 20 Sep 2017 14:01:02 -0000 (UTC), in
news
I don't know what VPN service I'm using at the moment, so I can't say
whether it will add the Avast non-standard-on-purpose sig, but I will add
my own sig below using the dash-dash-space syntax, just in case it does.

--
This is a manual sig following the dash-dash-space syntax.

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

OK. I tracked which VPN Service it was, and I change the name of that in my
constantly changing list of thousands of free VPN service configuration
files so that I can NOT use it for this identity!



Also note that Avast configured the non-standard-sig on purpose to allow
our own sigs, where it added a triple-dash non-standard sig below my
double-dash standard sig.

Anyway, I'm not using that same VPN service for this email because I can
manually choose which VPN service I want to choose (although I generally
let the randomization do its thing without my intervention).

--
This VPN service is different than the last one which gave the avast sig.

"Mayayana" on Tue, 19 Sep 2017 22:21:57
-0400 typed in alt.windows7.general the following:

| OMG. Do not get me started on HP printers!
| It has been YEARS that I've been trying to get rid of some HP software on
| my computer. The only way is to flush the operating system and start over.
| Sigh. (Please don't get me started on HP.)
|
They're a weird bunch. One HP printer I had
insisted I needed an updated IE to install the drivers!
I had to trick it by changing the Registry value it was
checking. Another came with a complete VB6 project
for customer feedback. Not an EXE. The entire code
project to make the EXE! But then I tried an Epson
printer and it would arbitrarily decide to stop working,
insisting that I offiicially had no ink left when that was
not true.
So now I accept HP as the lesser of the evils
and only do as much printing as is necessary for
things like business cards, contracts, customer
receipts, etc.

I switched over to Canon a long time ago. My issue with them is
trying to find out which model will _automatically_ duplex print on
legal size or B5 paper. (Insert rant: This seems to be a mystery that
no one, least of all Canon, seems to know. Or it could be my search
skills. Probably the later.)

So, any weirdness in Canon printer files?

tschus
pyotr
--
pyotr filipivich
Next month's Panel: Graft - Boon or blessing?

On Wed, 20 Sep 2017 12:59:44 -0400, in
, Wolf K wrote:

So to eliminate the 8.3 format from Windows would require rewriting the
kernel at a rather low level.
This is completely wrong. You have been able to disable 8.3 file name
creation since the days of NT using the registry and since 2000 using
group policy.

https://support.microsoft.com/en-gb/...tfs-partitions

Sent from my iFurryUnderbelly.


Thanks for corrected info.

Does this "prove" that 8+3 is completely gone from Windows 10?

I ask because I have a WINDOWS~ and a WINDOWS~1 that I certainly didn't
create.

I don't know how they got created but the creation probably has something
to do with the fact that I re-defined the %TMP% & %TEMP% and all the other
Windows temp directories to things like c:\tmp\junk\windows_temp\

After that, Windows 10 did its thing to create those 8+3 directories.

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

On Wed, 20 Sep 2017 10:01:02 -0400, in
, Wolf K wrote:

So to eliminate the 8.3 format from Windows would require rewriting the
kernel at a rather low level.

I think you have a great perspective on this problem.

I find that most people (not you - but most) seem to think that the 8+3
legacy is gone, so they look at me funnily when I tell them that it pops up
every once in a while, even on Windows 10.

Then they tell me to "prove it" where I don't feel like digging into the
dirt just to prove to them what I already know because it bites me every
once in a while.

So I'm glad that you're not one person that I have to "prove it" to.


---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

On Wed, 20 Sep 2017 12:39:35 +0800, in
news
So it really is crap.


I still don't find a use for it after all these years...

Do you do these half dozen tasks with freeware?
If so, what freeware do you use for those tasks that you do?

1. Registry cleaning = what is the best freeware for this?
2. File cleaning = what is the best freeware for this?
3. Autorun disabling = Mark Russinovich's autoruns freeware
4. Browser plugin disabling = what is the best freeware for this?
5. Program uninstaller = Revo uninstaller freeware
6. Duplicate finder = http://www.top5freeware.com/duplicate-file-finder
7. Drive wiper = https://www.pcworld.com/article/254509/free_tools_to_wipe_your_drives_securely.html

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

On Wed, 20 Sep 2017 11:34:06 +0100, in
, J. P. Gilliver (John) wrote:

Since there is no way now to NOT reboot (ask me how I know), I will have to

OK I'm asking (-: [If this was the result of it running HP's own
uninstaller as _part_ of a revo uninstall, I'd probably do my best _not_
to have it reboot at that point.]

All (all) of the uninstallers I've tried so far did was run the HP
uninstaller, which obviously doesn't work and always requires a reboot.

It's not a big deal other than to say that uninstallers aren't all they're
cracked up to be if all they do is run the HP uninstaller which fails to
uninstall every time.

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

On Wed, 20 Sep 2017 11:43:05 +0100, in
, J. P. Gilliver (John) wrote:

It *does* phone home, to:
https://www.revouninstaller.com/free..._thankyou.html

OK. I think blocking that doesn't stop it working, though.

I understand. What matters is "how" they call it.
If they call it by ip address, for example.
No big deal though so we can drop that matter.

I certainly wouldn't claim it does everything I'd like it to. But if you
try it with something less demanding (and on its strongest setting), I
think you'll find it finds quite a lot of directories, files, and
registry entries left over after an app's own uninstaller has run.
(Depending on the app., of course.) I find it acceptably useful.

I like it.
I think that the Ccleaner "leatherman" approach of doing lots of things is
OK but the approach of having a single tool do a single job (like
uninstalling apps) is a better approach.

The work is in finding the best freeware to do the main jobs that CCleaner
does:
1. Registry cleaning
2. File cleaning
3. Autorun disabling
4. Browser plugin disabling
5. Program uninstaller
6. Duplicate finder
7. Drive wiper

This started with me saying something like "how does it compare to
revo", after you'd mentioned an uninstaller you use (I forget what): I'd
still be interested in your opinion as to how the two compare. (I'm
guessing that your alternative uninstaller didn't kill the HP stuff
either! I find HP printers reasonable, but their installers an amazing
example of bloatware and misleading.)

Nothing killed the HP stuff.
No big deal. We live with this (and learn from it).

I do like the Revo uninstaller, so here's my list of "best" freeware to the
half dozen things that CCleaner does:

1. Registry cleaning = what is the best freeware for this?
2. File cleaning = what is the best freeware for this?
3. Autorun disabling = Mark Russinovich's autoruns freeware
4. Browser plugin disabling = what is the best freeware for this?
5. Program uninstaller = Revo uninstaller freeware
6. Duplicate finder = http://www.top5freeware.com/duplicate-file-finder
7. Drive wiper = https://www.pcworld.com/article/254509/free_tools_to_wipe_your_drives_securely.html

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus