shadeclan

  1. Thank you for your responses. Just to clarify - CCleaner's main purpose for me is to remove all the useless junk left behind by careless programmers who don't think it's important to clean up after themselves (such programmers generally don't concern themselves with the memory or CPU cycles that their applications use up either but that's a different story). I was hoping that CCleaner might be useful as a malware forensics tool but only insofar as it could display entries from any location where the operating system might start up an application. Since it is not capable of doing so, tools such as those mentioned in your posts or at my seminars must be added to my software inventory. I would not expect CCleaner to act as a full-blown anti-virus application in any sense of the word nor would I expect CCleaner to be able to remove said malware. There are a large number of such applications on the market. Anti-virus software requires a great deal of time, effort and money to maintain and, by its reactionary nature, lags behind increasingly sophisticated malware making it of dubious value - often detecting malware only after months of infestation. CCleaner was never intended to address malware problems and I wouldn't buy it if it did. I prefer that CCleaner continue as freeware and not expand its scope into malware removal. I think that people would find CCleaner a little more useful if it did a more thorough job of detecting programs slated for startup during bootup and that's all I really wanted to say.
  2. Some of the other registry keys which are used during boot-up (and which could be compromised by a cunning hacker) would be ...

     The services keys:

         HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
         HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
         HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
         HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
         HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices

     The logon keys:

         HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
         HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
         HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
         HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell

     The autostart keys and user folders you mentioned, plus:

         HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
         HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load

     There is a registry key which starts up programs when user32.dll is loaded ...

         HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

     ... and a registry key that loads the listed programs when Explorer is launched:

         HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

     Programs can also be launched if included in this key:

         HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

     These files can also be used as startup vectors:

     1. c:\autoexec.bat
     2. c:\config.sys
     3. windir\wininit.ini - Usually used by setup programs to have a file run once and then get deleted.
     4. windir\winstart.bat
     5. windir\win.ini - [windows] "load"
     6. windir\win.ini - [windows] "run"
     7. windir\system.ini - [boot] "shell"
     8. windir\system.ini - [boot] "scrnsave.exe"
     9. windir\dosstart.bat - Used in Win95 or 98 when you select the "Restart in MS-DOS mode" in the shutdown menu.
     10. windir\system\autoexec.nt
     11. windir\system\config.nt

     From your conversation, I suspect that the CCleaner startup tool doesn't quite cover all of these. I got this information from http://www.bleepingc...rtup-locations/. Personally, given all these places where a clever hacker could hide something that would start up on boot-up, I'm glad that I'm migrating to Linux at home. I just never realized how dysfunctional Windows was until Wednesday, when I saw all these places where an application or script could be started from. It's pure madness!
  3. I am not expecting CCleaner to act as a malware remover. I am expecting CCleaner to display, in the Startup tool, info from any folder or registry key where the system would look to start applications on boot-up (or shortly thereafter). In other words, I would like the Startup tool to perform its advertized function.
  4. I just finished a security conference and found out there's a TON of different ways (in Win7 especially) to start an app. I'm concerned about malware - does CCleaner scan ALL the places where an application could be automatically started by the OS? I know it doesn't scan the services.
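
A read-only inventory of several registry locations named in post 2, as an added example that is not part of the original posts or of CCleaner. The key paths are copied from the post; the function name `Get-AutostartEntry`, the variable names, and the value names `Start`, `ImagePath` and `DllName` are assumptions supplied here, not taken from the posts.

```powershell
# Added example: read-only inventory of autostart registry locations listed in post 2.
# Key paths come from the post; Get-AutostartEntry and the variable names are hypothetical.
$winlogon = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cv       = 'Software\Microsoft\Windows\CurrentVersion'

# Keys where every value is a separate startup entry.
$valueKeys = @(
    "HKLM:\$cv\RunServicesOnce", "HKCU:\$cv\RunServicesOnce",
    "HKLM:\$cv\RunServices",     "HKCU:\$cv\RunServices",
    "HKLM:\$cv\ShellServiceObjectDelayLoad",
    "HKLM:\$cv\Explorer\SharedTaskScheduler"
)
# Keys where one named value holds the command line.
$namedValues = @(
    @{ Key = "HKLM:\$winlogon"; Name = 'Userinit' },
    @{ Key = "HKLM:\$winlogon"; Name = 'Shell' },
    @{ Key = "HKCU:\$winlogon"; Name = 'Shell' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'; Name = 'load' }
)

function Get-AutostartEntry {
    foreach ($key in $valueKeys) {
        $k = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
        if (-not $k) { continue }   # key is absent on this Windows version
        foreach ($name in $k.GetValueNames()) {
            [pscustomobject]@{ Location = $key; Name = $name; Data = $k.GetValue($name) }
        }
    }
    foreach ($nv in $namedValues) {
        $k = Get-Item -LiteralPath $nv.Key -ErrorAction SilentlyContinue
        if ($k -and $null -ne $k.GetValue($nv.Name)) {
            [pscustomobject]@{ Location = $nv.Key; Name = $nv.Name; Data = $k.GetValue($nv.Name) }
        }
    }
    # Services: one subkey per service; Start 0/1/2 = boot/system/automatic (assumed value names).
    Get-ChildItem 'HKLM:\System\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        Where-Object { $null -ne $_.GetValue('Start') -and $_.GetValue('Start') -le 2 } |
        ForEach-Object {
            [pscustomobject]@{ Location = 'Services'; Name = $_.PSChildName; Data = $_.GetValue('ImagePath') }
        }
    # Winlogon\Notify: one subkey per package, DLL path in DllName (assumed value name).
    Get-ChildItem "HKLM:\$winlogon\Notify" -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Location = 'Winlogon\Notify'; Name = $_.PSChildName; Data = $_.GetValue('DllName') }
        }
}

Get-AutostartEntry | Sort-Object Location, Name | Format-Table -AutoSize -Wrap
```

Saving the output on a known-clean system and comparing later runs against it makes new entries stand out.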