silvergs Posted February 19, 2019

Hello,

Just recently we uninstalled CCleaner from a few machines. Watching traffic on our firewall, I am seeing two requests for ccupdate10.cab from the machines which we uninstalled CCleaner from. I'm 99.9% certain that this is a file that CCleaner requests. Why is this file still being requested? When looking for Piriform traces, I am finding pfBL.dll in our temp directories.

hazelnut (Moderators) Posted February 19, 2019

Just asking if you have Lightroom or any software that installs drivers etc. Windows Updates also uses .cab files. Don't think CCleaner does though.

Support contact https://support.ccleaner.com/s/contact-form?language=en_US&form=general or support@ccleaner.com

nukecad (Moderators) Posted February 19, 2019

Might also be something to do with Adobe Illustrator CC if you have that installed?

*** Out of Beer Error ->->-> Recovering Memory ***
Worried about 'Tracking Files'? Worried about why some files come back after cleaning? See this link: https://community.ccleaner.com/topic/52668-tracking-files/?tab=comments#comment-300043

silvergs (Author) Posted February 19, 2019

Don't have Lightroom or Illustrator. What is concerning is finding the pfBL.dll in the temp directory. When looking at the file it says Piriform. Also, these requests are only coming from two machines. If I reinstall CCleaner on another machine, I'm 99.9% sure I see it requesting ccupdate10.cab.

nukecad (Moderators) Posted February 19, 2019

From a quick search, pfBL.dll is associated with CCleaner. I'm not sure just what it is, but it could be an orphan from the uninstall?

ccupdate10.cab

Like hazelnut says, I didn't think CCleaner used cab files. However, the 'update' may be a clue here. It could be something to do with the CCupdate.exe 'Emergency Updater'. I always delete that now, but again I never saw a cab associated with it.

Which brings another thought: do those machines by any chance have Avast AV on them? Avast AVs include an updater for CCleaner. https://forum.avast.com/index.php?topic=217752.msg1457538#msg1457538

silvergs (Author) Posted February 19, 2019

No Avast on our machines. What's interesting is I'm seeing these files also being requested: 20180205.dll (https://www.hybrid-analysis.com/sample/c427bcf6b065edf06662e0540e3e9a21c07095184e7bb9d05926dc3b79fc3348?environmentId=120) and 20170922.dll

silvergs (Author) Posted February 19, 2019

Just did a Wireshark capture and the requested URL is /tools/ccleaner/update/ccupdate10.cab @ Akamai. CCleaner is uninstalled per the uninstaller, so something is going on.

Guest Ben CCleaner Posted February 21, 2019

.CAB files are only used with the emergency updater. Are you saying it's making requests on machines with CC uninstalled?

silvergs (Author) Posted February 21, 2019

Ben,

Yes, requests are being made, even though all Piriform products are uninstalled.

Here is an imgur link to the Wireshark'd traffic: https://imgur.com/a/BzdMm5P

Doing more research: disabling Background Intelligent Transfer Service stops this from happening. Some job from CCleaner is stuck in BITS is my guess right now.

More research. Finding the below PowerShell command. Feel confident I found the problem. Note we DON'T HAVE AVAST/AVG installed.

    PS C:\Windows\system32> Get-BitsTransfer -AllUsers

    JobId                                DisplayName         TransferTy
                                                             pe
    -----                                -----------         ----------
    2791a1e2-de68-4898-8b95-bc9f2ef59264 AvEmUpdate download Download
    223e23b4-9f8c-4e73-91ef-ac203993e01b AvEmUpdate download Download

Guest Ben CCleaner Posted February 22, 2019

Can you confirm if CCupdate.exe has been removed in the uninstallation along with the Update scheduled task?

silvergs (Author) Posted February 22, 2019

Searched the C: drive for CCupdate.exe, no hits. There is no scheduled task, as when I disabled scheduled tasks, the job still ran. Cleaning out the BITS entries has resolved the issue.

Guest Stephen CCleaner Posted February 25, 2019

How was the uninstallation performed? Was the CCleaner uninstaller used, or was this done in some other way?

silvergs (Author) Posted February 25, 2019

CCleaner uninstall DOES NOT remove these entries from the BITS client. In addition, when looking at the user that created the AvEmUpdate BITS task, I came across one created by a standard user and another created by nt authority.

What I am doing for now is stopping the BITS service and removing the qmgr files. This removes EVERYTHING from the BITS service and stops this from happening.

It is concerning that we found this, and now we are searching our entire network for this condition.
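
The check described in the thread, written as an added example (not code from any poster or from Piriform): it lists BITS jobs for all users, reports owner and remote URL for jobs matching the display name or URL path seen above, and can remove only those jobs instead of wiping the whole BITS queue. The function name `Find-OrphanedBitsJob` and its parameters are hypothetical; the default patterns are the values quoted in the thread.

```powershell
#Requires -RunAsAdministrator
# Added example: audit (and optionally remove) BITS jobs left behind by an
# uninstalled product. Function and parameter names are hypothetical; the
# default patterns come from the job name and URL path quoted in the thread.
function Find-OrphanedBitsJob {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$NamePattern = 'AvEmUpdate*',
        [string]$UrlPattern  = '*/tools/ccleaner/update/*',
        [switch]$Remove
    )
    Import-Module BitsTransfer -ErrorAction Stop

    # -AllUsers needs an elevated session; without it only the caller's jobs
    # are returned and jobs owned by SYSTEM or other users are missed.
    $jobs = Get-BitsTransfer -AllUsers -ErrorAction Stop | Where-Object {
        $_.DisplayName -like $NamePattern -or
        ($_.FileList | Where-Object { $_.RemoteName -like $UrlPattern })
    }

    foreach ($job in $jobs) {
        # Emit one record per job so results can be collected across hosts.
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            JobId       = $job.JobId
            DisplayName = $job.DisplayName
            Owner       = $job.OwnerAccount
            State       = $job.JobState
            Created     = $job.CreationTime
            RemoteUrls  = ($job.FileList.RemoteName -join '; ')
            LocalFiles  = ($job.FileList.LocalName -join '; ')
        }
        $target = "$($job.DisplayName) [$($job.JobId)]"
        if ($Remove -and $PSCmdlet.ShouldProcess($target, 'Remove-BitsTransfer')) {
            # Cancels just this job; other BITS transfers are left alone.
            Remove-BitsTransfer -BitsJob $job
        }
    }
}

# Report only. Add -Remove -WhatIf to preview deletions, -Remove to apply.
Find-OrphanedBitsJob | Format-List
```

The `Owner` and `LocalFiles` columns show which account registered each job and where its downloads land on disk, which helps when tracing files such as the ones found in the temp directories.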