Startup Tool

I just finished a security conference and found out there's a TON of different ways (in Win7 especially) to start an app. I'm concerned about malware - does CCleaner scan ALL the places where an application could be automatically started by the OS? I know it doesn't scan the services.


shadeclan; CCleaner doesn't check services, but all the usual suspects (HKCU:Run, HKCU:RunOnce, HKLM:Run, HKLM:RunOnce; BHO, Scheduled Tasks, %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\) are scanned.

 

I'm not 100% sure whether C:\Windows\Tasks and C:\Windows\System32\Tasks are detected.

I'm Shane.


Just because CCleaner scans a location is no guarantee that it will see, recognize, and exterminate any malware that is held there.

Even dedicated Anti-Virus products fail when a zero-day virus arrives.

 

Even if CCleaner attempts to remove a piece of malware it will be thwarted if the malware has installed itself with highest level access protection.

 

One benefit from using CCleaner is that your A.V. does not have to spend time analyzing junk files that have already been deleted by CCleaner.


Just so we are clear about one thing, CCleaner is not a malware remover or malware scanner.

 

Can you be a bit clearer about what you are expecting from CCleaner?

I am not expecting CCleaner to act as a malware remover. I am expecting CCleaner to display, in the Startup tool, info from any folder or registry key where the system would look to start applications on boot-up (or shortly thereafter). In other words, I would like the Startup tool to perform its advertised function.

> shadeclan; CCleaner doesn't check services, but all the usual suspects (HKCU:Run, HKCU:RunOnce, HKLM:Run, HKLM:RunOnce; BHO, Scheduled Tasks, %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\) are scanned.
>
> I'm not 100% sure whether C:\Windows\Tasks and C:\Windows\System32\Tasks are detected.

Some of the other registry keys which are used during boot-up (and which could be compromised by a cunning hacker) would be ...

 

The services keys:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices

 

The logon keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

 

The autostart keys and user folders you mentioned, plus:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load

 

There is a registry key which starts up programs when user32.dll is loaded ...

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

 

... and a registry key that loads the listed programs when Explorer is launched:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

 

Programs can also be launched if included in this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

 

These files can also be used as startup vectors:

1. c:\autoexec.bat

2. c:\config.sys

3. windir\wininit.ini - Usually used by setup programs to have a file run once and then get deleted.

4. windir\winstart.bat

5. windir\win.ini - [windows] "load"

6. windir\win.ini - [windows] "run"

7. windir\system.ini - [boot] "shell"

8. windir\system.ini - [boot] "scrnsave.exe"

9. windir\dosstart.bat - Used in Win95 or 98 when you select the "Restart in MS-DOS mode" in the shutdown menu.

10. windir\system\autoexec.nt

11. windir\system\config.nt

 

From your conversation, I suspect that the CCleaner startup tool doesn't quite cover all of these.

 

I got this information from

http://www.bleepingc...rtup-locations/.

 

Personally, given all these places where a clever hacker could hide something that would start up on boot-up, I'm glad that I'm migrating to Linux at home. I just never realized how dysfunctional Windows was until Wednesday, when I saw all these places where an application or script could be started from. It's pure madness!

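The list above is long enough that checking it by hand is error-prone. The following PowerShell script is an added example, not code from this forum, from CCleaner or from the bleepingcomputer article: it performs a read-only walk of the registry keys, folders and ini/boot files named across this thread and prints every populated entry, plus any listed key that does not exist at all, so the output can be compared against what a startup tool reports. It assumes Windows PowerShell 5.1 or later run from an elevated session (so HKLM reads succeed); the function names, the `$RegistryTargets` table and the value-name filters for the Winlogon and Windows keys are this example's own choices.

```powershell
# Added example (not CCleaner's or the forum poster's code): read-only audit of the
# autostart locations named in this thread. Assumes an elevated PowerShell 5.1+ session.
# ValueNames restricts noisy keys (Winlogon) to the values this thread is about;
# SubKeys marks keys whose entries live in subkeys (RunOnceEx, Winlogon\Notify).
$RegistryTargets = @(
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'; SubKeys = $true },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; ValueNames = 'Userinit', 'Shell' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; ValueNames = 'Shell' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'; SubKeys = $true },
    @{ Path = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows'; ValueNames = 'load', 'run', 'AppInit_DLLs' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'; ValueNames = 'load', 'run' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler' }
)
# Properties the registry provider adds to every object; they are not registry values.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RegistryAutostarts {
    foreach ($t in $RegistryTargets) {
        if (-not (Test-Path -Path $t.Path)) {
            # An absent key is reported explicitly: "no entry" and "key missing" differ.
            [pscustomobject]@{ Source = $t.Path; Name = '(key absent)'; Value = '' }
            continue
        }
        $props = Get-ItemProperty -Path $t.Path -ErrorAction SilentlyContinue
        if ($null -ne $props) {
            foreach ($p in $props.PSObject.Properties) {
                if ($ProviderProps -contains $p.Name) { continue }
                if ($t.ValueNames -and ($t.ValueNames -notcontains $p.Name)) { continue }
                if ([string]::IsNullOrWhiteSpace("$($p.Value)")) { continue }
                [pscustomobject]@{ Source = $t.Path; Name = $p.Name; Value = "$($p.Value)" }
            }
        }
        if ($t.SubKeys) {
            foreach ($sub in Get-ChildItem -Path $t.Path -ErrorAction SilentlyContinue) {
                [pscustomobject]@{ Source = $t.Path; Name = "[subkey] $($sub.PSChildName)"; Value = $sub.Name }
            }
        }
    }
}

# Startup folders for this user and for all users, plus both scheduled-task folders.
$StartupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup'),
    "$env:windir\Tasks",
    "$env:windir\System32\Tasks"
)
function Get-FolderAutostarts {
    foreach ($folder in $StartupFolders) {
        if (-not (Test-Path -Path $folder)) { continue }
        Get-ChildItem -Path $folder -File -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Source = $folder; Name = $_.Name; Value = $_.FullName } }
    }
}

# win.ini [windows] load/run and system.ini [boot] shell/scrnsave.exe, parsed by section.
$IniChecks = @(
    @{ Path = "$env:windir\win.ini";    Section = 'windows'; Names = 'load', 'run' },
    @{ Path = "$env:windir\system.ini"; Section = 'boot';    Names = 'shell', 'scrnsave.exe' }
)
function Get-IniAutostarts {
    foreach ($check in $IniChecks) {
        if (-not (Test-Path -Path $check.Path)) { continue }
        $section = $null
        foreach ($line in Get-Content -Path $check.Path) {
            if ($line -match '^\s*\[(.+)\]\s*$') { $section = $Matches[1]; continue }
            if ($section -ne $check.Section) { continue }
            if ($line -match '^\s*([^=;]+?)\s*=\s*(.*)$') {
                $name = $Matches[1]; $value = $Matches[2].Trim()
                if (($check.Names -contains $name) -and $value) {
                    [pscustomobject]@{ Source = $check.Path; Name = "[$section] $name"; Value = $value }
                }
            }
        }
    }
}

# Legacy boot files: report existence, size and last write time only.
# autoexec.nt/config.nt live under System32 on NT-based Windows.
$BootFiles = @(
    "$env:SystemDrive\autoexec.bat", "$env:SystemDrive\config.sys",
    "$env:windir\wininit.ini", "$env:windir\winstart.bat", "$env:windir\dosstart.bat",
    "$env:windir\System32\autoexec.nt", "$env:windir\System32\config.nt"
)
function Get-BootFileAutostarts {
    foreach ($f in $BootFiles) {
        if (-not (Test-Path -Path $f -PathType Leaf)) { continue }
        $item = Get-Item -Path $f
        [pscustomobject]@{ Source = 'boot file'; Name = $f; Value = "$($item.Length) bytes, modified $($item.LastWriteTime)" }
    }
}

$report = @(Get-RegistryAutostarts) + @(Get-FolderAutostarts) + @(Get-IniAutostarts) + @(Get-BootFileAutostarts)
$report | Sort-Object -Property Source, Name | Format-Table -AutoSize -Wrap
```

The script changes nothing; it only reads. The "(key absent)" rows are deliberate: a tool that only lists keys holding entries cannot tell you whether a location exists but is empty, so the audit records both states. Services are left out on purpose, matching the thread's scope; they are better reviewed with `Get-Service` or Autoruns than by dumping the whole `Services` hive.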

> I am expecting CCleaner to display, in the Startup tool, info from any folder or registry key where the system would look to start applications on boot-up (or shortly thereafter). In other words, I would like the Startup tool to perform its advertised function.

That is NOT its advertised function as I see it.

It displays those folders and registry keys which contain entries that cause a start-up.

If there is no entry then the folder/key is not reported until an entry is deposited.

 

I suggest that you try Autoruns from Sysinternals.

That is devoted to detection and control of anything that auto-starts,

though Autoruns itself may only report the folders/keys that have active entries.

> Some of the other registry keys which are used during boot-up (and which could be compromised by a cunning hacker) would be...

 

There's even more than that list you posted, and unfortunately some malware is smart enough to mask itself as a legit startup/program. Possibly beyond the scope of CCleaner to show all of those and more into the realm of anti-malware/anti-virus to protect against malware registering startups.


One of the dangers in removing temp files which are listed in legit locations is that some really nasty infections move legit startup files into a temp area.

 

You clean using CCleaner because you suspect you are infected and you find out all your pics, docs and startup programs are gone. (rare but it can happen)

 

I understand how attending the security conference has fired you up as regards malware detection etc. so I would suggest to apply to one of the malware training forums which are available on the net. There you will learn so much more.

 

Here are a couple

 

http://www.bleepingc...aining-program/

 

http://www.geekstogo.com/geeku/


Thank you for your responses.

 

Just to clarify - CCleaner's main purpose for me is to remove all the useless junk left behind by careless programmers who don't think it's important to clean up after themselves (such programmers generally don't concern themselves with the memory or CPU cycles that their applications use up either but that's a different story). I was hoping that CCleaner might be useful as a malware forensics tool but only insofar as it could display entries from any location where the operating system might start up an application. Since it is not capable of doing so, tools such as those mentioned in your posts or at my seminars must be added to my software inventory.

 

I would not expect CCleaner to act as a full-blown anti-virus application in any sense of the word nor would I expect CCleaner to be able to remove said malware. There are a large number of such applications on the market. Anti-virus software requires a great deal of time, effort and money to maintain and, by its reactionary nature, lags behind increasingly sophisticated malware making it of dubious value - often detecting malware only after months of infestation. CCleaner was never intended to address malware problems and I wouldn't buy it if it did. I prefer that CCleaner continue as freeware and not expand its scope into malware removal. I think that people would find CCleaner a little more useful if it did a more thorough job of detecting programs slated for startup during bootup and that's all I really wanted to say.
