A Windows XP help forum. PCbanter

Hackers hid malware in CCleaner software
#16
September 19th 17, 02:21 PM posted to alt.comp.os.windows-10,alt.comp.freeware,alt.windows7.general
slate_leeper

On Mon, 18 Sep 2017 21:48:23 -0400, "Mayayana" wrote:

> I don't use those either, so I don't know.
> I would *not* recommend Malwarebytes
> without a big grain of salt. I guess if I were
> in that boat I'd look up online to find the
> specifics of the infestation.



However Malwarebytes did catch the ccleaner infection on my system.
Avast did not.



__
Someone who thinks logically provides
a nice contrast to the real world.
(Anonymous)
#17
September 19th 17, 02:54 PM posted to alt.comp.os.windows-10,alt.comp.freeware,alt.windows7.general
Mayayana

"Blake Snyder" wrote

| I don't know if cleaning the registry is a scam, and, I've never seen a
| problem that I could attribute to the cleaning of the registry.
|
| But I have seen *plenty* of left-over registry entries after uninstalling a
| program which are cleaned by Ccleaner.
|
| Do those leftover registry entries cause harm.
| I can't say.
|

You can research it for yourself. Start Regmon or
Procmon. Then start IE. On my system, IE will make
over 5,000 Registry reads in about 1 second. (I don't
know why. Microsoft seem to do that deliberately to
obfuscate the relevant reads. That's the only reason
I can think of.)

So the Registry is incredibly fast. Cleaners generally
target 2 categories: Leftover software entries, like
you mentioned, and HKCR\CLSID keys.

An example of the first might be that Acme Editor
gets uninstalled and settings stay there. That's typical.
In case you decide to install it again your preferences
would still be intact. So you have some settings under
HKCU\Software\Acme Software\Acme Editor\

That adds a few bytes to the Registry and does
no harm. Since it's an Acme Software key, no other
software is affected by the settings.

An example of the second case might be a program
with a bad uninstaller that uninstalled their Acme123.dll
COM library but didn't unregister it. So there are keys
like HKCR\CLSID\{a1b2.....}\ and HKCR\AcmeLib.Ops.
Those are the keys that allow the COM library to be
accessed. With the library gone they're "orphan" entries.
But since no other program is going to use AcmeLib, the
entries do no harm.

The worst that might happen, which is still very
unlikely, would be that you'd see a message like,
"Unable to create object" when a program tries to
access AcmeLib. But you'd see an error message
anyway, in that case, because the DLL is gone. You
might just get a crash instead of the "unable to
create object" message. Either way, the Registry
entry won't matter.

The best analogy I can think of is that you have
a gigantic attic, full of stored stuff, and you hire a
teenager to clean up. The teenager finds 2 incomplete
decks of cards and a broken broomstick to throw
away. You feel satisfied. But nothing useful has been
done in the attic. You don't actually have more space.
It won't be any easier or faster when you want to find
something. And what if the teenager broke something,
or left behind a fire hazard?

If it really bugs you to have leftover settings in the
Registry it's easy to remove the software settings.
Just open Regedit to HKCU\Software\. Each subkey is
a company. You can delete the Acme Editor key.
Either way, anything that actually needs to access the
Registry is going to be doing it in the range of milliseconds,
regardless of whether your Registry is 20 MB or 20 MB
+ 30 KB of unnecessary data.


| | I use it mostly as my front end uninstaller.
| | It removes a lot of the BHOs and other hijacked autostarters.
| |
|
| It sounds like you install a lot of dubious stuff.
|
| I'm way better than most people so I doubt I install "dubious" stuff.
| You forget I know as much as you do about many things.
| Nonetheless, I do use exclusively freeware - but only the best.
...
| I probably led you astray with the letters BHO which, I agree, are specific
| to browsers where anyone who gets a BHO is an idiot - so I see where you
| got the idea that I install dubious software.

I'm not making any assumption about how
much you know. But if you regularly have to
clean up bad installs then something is wrong.
I chimed in because the whole category of
"cleaning" is mostly a scam industry and people
don't realize it. It's like drain cleaners, or gas
tank conditioners, or dryer sheets, or bottled
water, or air fresheners, or gluten-free yogurt,
or life-extending quinoa magic, or any of the
other myriad nonsense that gets marketed:
You're lucky if they do no harm. They will not
do any real good. (Though I guess quinoa is
edible and reasonably nutritious, if you don't
mind starving Peruvian peasants resulting from
you being willing to pay through the nose for
magic starch.)

I explained the details of the Registry above so
that anyone can check for themselves.

I agree that a lot of decent software nevertheless
tries to autostart things. HP printers are a good
example. iTunes is especially sleazy. Even 7-Zip does
things without asking. But all of that can be safely
controlled via Autoruns. That includes context menu
add-ons, which are under the Shell Extensions section.
Autoruns also lets you find out where things are, so you
can delete EXEs if desired. And as you may know,
Autoruns and the Sysinternals tools were originally
written by Mark Russinovich, a top Windows programmer
who then went to work for MS and left them in charge
of Sysinternals. So they're dependable programs.

You might have to watch installs to make sure you
don't agree to junk toolbars and such. (Maybe that's
what you had in mind with BHOs?) But aside from that,
any reputable software shouldn't be installing extra
items.

| The US gov just deprecated Kapersky by the way.
| I'm not sure what the threat is though.
|
I haven't followed that closely, but I think the
idea was that they think Kaspersky is working as
a spy company for Russia.
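
An added example, not code from this thread or from any poster: a read-only PowerShell check for the "orphan" COM registrations described above, i.e. HKCR\CLSID keys whose InprocServer32 or LocalServer32 path no longer exists on disk (the Acme123.dll case). It is the same condition Autoruns reports as "File Not Found"; the function names are my own, and it deletes nothing.

```powershell
# Added example (not from the thread): list CLSID registrations whose server
# file is gone. Read-only: it reports candidates for review, it removes nothing.

function Expand-ServerPath {
    # Turn a raw (Default) server value into a bare file path, e.g.
    #   "C:\Program Files\Acme\acme.exe" /Automation  ->  C:\Program Files\Acme\acme.exe
    param([string]$Raw)
    $s = [Environment]::ExpandEnvironmentVariables($Raw.Trim())
    if ($s.StartsWith('"')) {
        $end = $s.IndexOf('"', 1)
        if ($end -gt 0) { return $s.Substring(1, $end - 1) }
    }
    # Unquoted value: keep everything up to the first binary extension.
    $m = [regex]::Match($s, '^(.*?\.(dll|exe|ocx|ax|cpl))\b', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $s
}

function Get-OrphanClsid {
    # $Root defaults to the 64-bit view; see the note after the block for 32-bit.
    param([string]$Root = 'Registry::HKEY_CLASSES_ROOT\CLSID')
    foreach ($clsidKey in Get-ChildItem -Path $Root -ErrorAction SilentlyContinue) {
        foreach ($sub in 'InprocServer32', 'LocalServer32') {
            $serverKey = "$($clsidKey.PSPath)\$sub"
            if (-not (Test-Path -LiteralPath $serverKey)) { continue }
            $raw = (Get-ItemProperty -LiteralPath $serverKey -ErrorAction SilentlyContinue).'(default)'
            if ([string]::IsNullOrWhiteSpace($raw)) { continue }
            $path = Expand-ServerPath $raw
            # A bare file name (no directory) is resolved through the DLL search
            # path, so it cannot be judged by Test-Path; skip rather than misreport.
            if (-not [System.IO.Path]::IsPathRooted($path)) { continue }
            if (Test-Path -LiteralPath $path -PathType Leaf) { continue }
            $progId = (Get-ItemProperty -LiteralPath "$($clsidKey.PSPath)\ProgID" -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{
                CLSID  = $clsidKey.PSChildName   # e.g. {a1b2....}
                ProgID = $progId                 # e.g. AcmeLib.Ops, if registered
                Server = $sub
                Path   = $path                   # the file that no longer exists
            }
        }
    }
}

$orphans = @(Get-OrphanClsid)
"{0} CLSID entries point at files that no longer exist" -f $orphans.Count
$orphans | Sort-Object Path | Format-Table -AutoSize
```

On 64-bit Windows run it a second time with `-Root 'Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID'` to cover 32-bit registrations, which a 64-bit PowerShell does not see under HKCR\CLSID.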



#18
September 19th 17, 06:05 PM posted to alt.comp.os.windows-10,alt.comp.freeware,alt.windows7.general
Blake Snyder

On Tue, 19 Sep 2017 09:54:58 -0400, in news Mayayana wrote:

> You can research it for yourself. Start Regmon or
> Procmon. Then start IE. On my system, IE will make
> over 5,000 Registry reads in about 1 second. (I don't
> know why. Microsoft seem to do that deliberately to
> obfuscate the relevant reads. That's the only reason
> I can think of.)


Hi Mayayana,
I've been around for decades, so I'm fully aware of the huge number of
registry entries that Microsoft products create. In Win95 days I used to
actually move the Microsoft Office installation by modifying every key in
the registry left after using COA (which didn't get everything).

I gave up on that approach of trying to put Microsoft stuff where it
belongs, but I'm as familiar with the huge clutter in the registry as you
are. I'm only debating with you that the Ccleaner registry cleaner is a
"scam".

I have been using the CCleaner registry cleaner for so long that I can't
even say how many years it has been. Probably since I first heard about
Ccleaner, and never once have I seen it be a problem that I could attribute
to me cleaning the registry.

That's all I'm saying.

Does it clean the registry?
Yes.

Is it a scam?
I don't know.

> So the Registry is incredibly fast. Cleaners generally
> target 2 categories: Leftover software entries, like
> you mentioned, and HKCR\CLSID keys.


I often move things to where I think they belong, where Ccleaner noticed
that I didn't do the job right.

> An example of the first might be that Acme Editor
> gets uninstalled and settings stay there. That's typical.
> In case you decide to install it again your preferences
> would still be intact. So you have some settings under
> HKCU\Software\Acme Software\Acme Editor\


Yup. Lots of stuff is left over after an uninstall.
I prefer to remove it all.
You may not.
But that doesn't make a Ccleaner approach a scam.

> That adds a few bytes to the Registry and does
> no harm. Since it's an Acme Software key, no other
> software is affected by the settings.


I get your point that if someone thinks that cleaning the registry of old
entries is going to "speed up" their system, it's not. I get that.

But that doesn't make registry cleaning a scam.
I keep a clean desktop. I keep a clean file system.
I keep a clean office. And a clean kitchen.
My garage is clean and my car is clean.

Why shouldn't my registry be clean?
It's not a scam to want a clean registry anymore than it's a scam to want a
clean kitchen.

> An example of the second case might be a program
> with a bad uninstaller that uninstalled their Acme123.dll
> COM library but didn't unregister it. So there are keys
> like HKCR\CLSID\{a1b2.....}\ and HKCR\AcmeLib.Ops.
> Those are the keys that allow the COM library to be
> accessed. With the library gone they're "orphan" entries.
> But since no other program is going to use AcmeLib, the
> entries do no harm.


I get that Microsoft has a counter for any shared DLL that is counted down
somehow in the registry where that counter "can" get screwed up. Presumably
CCleaner handles that, where the presence of the extraneous DLL isn't a big
deal (however, again, it's not "clean").

Just as I clean my silverware after using it, I see nothing wrong with
cleaning out DLLs that are no longer needed.

Again, I'm only responding to the issue of Ccleaner being a "scam", where I
think it does something valuable in that it keeps the operating system a
bit cleaner than it would have been otherwise.

Is Ccleaner a panacea?
Nope.

> The worst that might happen, which is still very
> unlikely, would be that you'd see a message like,
> "Unable to create object" when a program tries to
> access AcmeLib. But you'd see an error message
> anyway, in that case, because the DLL is gone. You
> might just get a crash instead of the "unable to
> create object" message. Either way, the Registry
> entry won't matter.


I don't disagree.
It's just that I like to keep my system clean.
I put all four of the MS default temp directories in one hierarchy.
And I keep a fifth temp directory just for my own personal use.
Is that necessary? Nope.
Is it clean? Yes.

> The best analogy I can think of is that you have
> a gigantic attic, full of stored stuff, and you hire a
> teenager to clean up. The teenager finds 2 incomplete
> decks of cards and a broken broomstick to throw
> away. You feel satisfied. But nothing useful has been
> done in the attic. You don't actually have more space.
> It won't be any easier or faster when you want to find
> something. And what if the teenager broke something,
> or left behind a fire hazard?


You make a very good point here, but that's not the same as calling
CCleaner a "scam". While CCleaner certainly can break something, I don't
think it has ever broken anything that I can remember in all the years I
have been using it (where I check most of the boxes, even the ones not on
by default and I don't make backups and I turn off the nag messages too).

Your point is valid that Ccleaner doesn't make the system faster.
Your point is valid that Ccleaner can screw something up.

But your point that CCleaner is a scam is not valid.
It's just one way to keep the system a tiny bit cleaner (IMHO).

That has esthetic value, if no other value is found for a clean toolbox.

> If it really bugs you to have leftover settings in the
> Registry it's easy to remove the software settings.
> Just open Regedit to HKCU\Software\. Each subkey is
> a company. You can delete the Acme Editor key.
> Either way, anything that actually needs to access the
> Registry is going to be doing it in the range of milliseconds,
> regardless of whether your Registry is 20 MB or 20 MB
> + 30 KB of unnecessary data.


There are a gazillion keys that Ccleaner cleans up, and it's not only in
HKCU/Software that it does it.

Nonetheless, I have messed with the registry since Win95 days and I gave up
on manual edits except to key variables (such as the %temp% variables and
the %program files% and other key variables).

I am only saying that CCleaner has its place. The last time I manually
updated it was when I moved to Windows 10, and it seems to work just fine
for me.

> I'm not making any assumption about how
> much you know. But if you regularly have to
> clean up bad installs then something is wrong.


Oh. Mayayana. You don't know what you just said.
Do you realize how many bad installers are out there?

As just one example, do you know that you can 'tell' Apple's iTunes to go
to C:\mystuff\apple-crap\iTunes and it will go there, but almost nothing
else of the tons of bloatware that follows (e.g., Bonjour for one) will go
there (Quicktime used to be added also, along with tons of other crapware).

Now I gave up on iTunes so long ago that I don't remember when, but that's
just the canonical example of bad bloatware installers. So many things
don't go where you tell them to go that it's not funny.

Don't even get me started on HP printer software not going where it
belongs, or Oracle programs, or Nvidia drivers, or anything from Microsoft.

It seems the bigger the company, the more misbehaved the installer.

> I chimed in because the whole category of
> "cleaning" is mostly a scam industry and people
> don't realize it.


Mayayana, I respect your judgement and I, myself, know a scam when I see
it. There are LOTS of scams revolving around the fact that most people are
afraid of malware so they install all sorts of what turns out to be malware
to reputedly get rid of the malware. I'm sure you can rattle off a huge
list of such things as easily as I can.

But I don't consider CCleaner to be malware.
Is it scamware?
I don't think so.

It's not a panacea.
But it cleans "stuff" out that I would have to clean on my own.

About the only time I think it "screws up" is that I have this sneaking
suspicion that a reboot is necessary after many program uninstalls, where
if I run the reboot, I think there are registry actions that occur.

However, if I don't run the reboot, then CCleaner may (perhaps) clean out
those registry entries which the uninstaller put there with the result that
the uninstall actions won't occur.

Did I explain that problem well enough for you to understand or do you
think that's wrong that some programs when uninstalled leave registry
'actions' on purpose, which only run when you reboot. If ccleaner removes
them, they might not run.

Hence, in *that* case, Ccleaner would 'screw up'.
Does that make sense?

> It's like drain cleaners, or gas
> tank conditioners, or dryer sheets, or bottled
> water, or air fresheners, or gluten-free yogurt,
> or life-extending quinoa magic, or any of the
> other myriad nonsense that gets marketed:


True dat. Seafoam. Marvel Mystery Oil. WD-40.
Lots of people want a "miracle in a can".
I agree with your point that, to some people, CCleaner may appear to be a
miracle in a can.

It's not.
But it's like MAF cleaner in that it's a bit better than cleaning your MAF
by hand.


> You're lucky if they do no harm. They will not
> do any real good.


I think you have two levels of "good".
a. Miracle cure good
b. Simple cleaning good

I think Ccleaner does clean stuff out that you'd have to clean out manually
if you didn't use Ccleaner (e.g., recent docs).

I don't think CCleaner is a miracle cure, but I don't think it's a scam
either.

> I agree that a lot of decent software nevertheless
> tries to autostart things. HP printers are a good
> example.


OMG. Do not get me started on HP printers!
It has been YEARS that I've been trying to get rid of some HP software on
my computer. The only way is to flush the operating system and start over.
Sigh. (Please don't get me started on HP.)

> iTunes is especially sleazy.

OMG. You know EXACTLY how to make me wince!

I know all about iTunes and I never want to see it again. Ever.
I have iOS and Android where there is never a need for iTunes crap.
Let's not go there or we'll drive the others nuts.

> Even 7-Zip does things without asking.


Most programs (e.g., glasswire, filezilla, etc.) phone home, which is a
bitch, I agree. But what does 7-zip do? Let me check my 7-zip log file.

OK. Just checked. Here's what my manual log file said about 7-zip:
.. It's useful to open up Microsoft IMG files (e.g., MS Office)
.. The Microsoft IMG is sort of a zip, which 7zip unzips.
.. It also opens zip, cab, iso, and other files.
.. The 7zip installer does not seem to phone home
.. It installs super quickly.
.. But it only puts an icon in the "Program" folder.
.. So copy "7-Zip File Manager" to your cascaded menu.
.. And change the target to where you actually put the software
.. The program has a checkbox for adding 7zip to the context menus.
.. If that checkbox is on, make sure you turn it off.

That's all I noticed but I only used 7-zip to extract MS Office image files
(which are sort of kind of but not really iso files).

> But all of that can be safely
> controlled via Autoruns. That includes context menu
> add-ons, which are under the Shell Extensions section.
> Autoruns also lets you find out where things are, so you
> can delete EXEs if desired. And as you may know,
> Autoruns and the Sysinternals tools were originally
> written by Mark Russinovich, a top Windows programmer
> who then went to work for MS and left them in charge
> of Sysinternals. So they're dependable programs.


I read PC Magazine just like you did in the COA and Process Explorer days
so I'm familiar with Russinovich (as is almost everyone on Windows).

I don't have "autoruns" though in my software hierarchy.
https://docs.microsoft.com/en-us/sysinternals/
https://docs.microsoft.com/en-us/sys...loads/autoruns

I downloaded and extracted the zip file and put that zip file where it
belongs and then created shortcuts to autoruns.lnk and then ran it.

After the EULA, it popped up a window with literally over a score of tabs,
each containing a page of checkbox information, which I'll have to weed
through.

Thanks. This Autoruns seems like a good program for weeding out auto run
stuff because LOTS of my entries say "File Not Found" (for example, Google
Chrome stuff, which I don't have anymore, and WinMail stuff, which I don't
even know what it is, and Windows Media Player stuff, again, which I don't
even have on my system to my knowledge, etc.

> You might have to watch installs to make sure you
> don't agree to junk toolbars and such. (Maybe that's
> what you had in mind with BHOs?) But aside from that,
> any reputable software shouldn't be installing extra
> items.


I am as tuned as you are, Mayayana, to junk installs. I circumvent that by
a few methods, one of which is I only use the absolute best freeware most
of the time (although some times I have to test freeware to figure out what
is the best).

One method which is so easy I do it on every install is I disconnect the
network before clicking on any installer.

Another method is that I ALWAYS use the custom install (never once do I
not!) mainly because I don't put anything in any idiotic program files
directory (for lots of good reasons).

I also keep a lot of EVERY installation, so that I know what mistakes I
made (since they always catch you on something) particularly which ones
phone home and which ones have settings to stop that and which I have to
use the HOSTS file (yes, I know you love Acrylic DNS which I'll install
some day).

I disagree that "reputable software won't install extra items". I think
even Ccleaner now adds stuff, does it not? Also Flash (we can debate if
that's reputable) habitually tries to foist McAfee on us.

I think what happens is that reputable freeware starts adding stuff which
doesn't make it disreputable as long as it's obvious and easily blocked.

Of course, non reputable freeware is the worst - but nobody uses that who
has his mind in the right place (e.g., the billion screenshot programs out
there by way of example - none of which are needed).


> | The US gov just deprecated Kapersky by the way.
> | I'm not sure what the threat is though.
> |
> I haven't followed that closely, but I think the
> idea was that they think Kaspersky is working as
> a spy company for Russia.


I have been in the software industry for decades, and I also have studied
history my entire life. One simple example is that even the elevator
operator in the main French newspaper at the start of WWII was a German
spy. It cost the Germans nothing to pay this guy to be a "sleeper" when all
he needed to do was round up the journalists after the Germans took over
Paris.

The point is that sleepers exist in every single software company on this
planet. Sleepers from all countries. That means both friend and foe.

While I don't always trust my government to do the right thing, I "assume"
that they know what they're doing with Kapersky, so I will avoid it (I
never saw its value anyway so that's easy to do).

The problem is that probably all our firmware and software companies have
sleepers since it's dirt cheap to employ them (Hint: China has a billion
people to spare so what is it to them to sprinkle a sleeper in every
software and hardware company on this planet?)

My point is that all software is (likely) compromised.

The best bet is, for obvious reasons, open source software, but as
heartbleed showed, even that is only as good as the number of eyes testing
it out for flaws.

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

#19
September 19th 17, 06:55 PM posted to alt.comp.os.windows-10,alt.comp.freeware,alt.windows7.general
Blake Snyder

On Tue, 19 Sep 2017 17:29:38 -0000 (UTC), in news
> As a test I hit the HP entry that Ccleaner and Windows control panel
> couldn't get rid of:
> HP Photosmart Officejet and Deskjet All-In-One Driver Software 13.0 Rel. B
>
> It created a restore point (which I don't need and generally don't do), and
> then it popped up a query to uninstall all HP products (Yes! Please!).
>
> And then a funny popup that literally said:
> Are you sure you want to remove from your computer?
> Note the double space where a name would normally be.
>
> And then the classic HP message "You must restart your computer to finish
> the install" where I know from experience that it will do nothing but
> reboot my computer and where the HP software will still be listed as being
> there.
>
> Since there is no way now to NOT reboot (ask me how I know), I will have to
> send this message first and then see if it worked (which I'm pretty sure it
> failed just like CCleaner and the windows add/remove programs failed).
>
> But maybe I will get lucky ... if so I'll be a believer in Revo!


Two things to report on Revo.

It *does* phone home, to:
https://www.revouninstaller.com/free..._thankyou.html

But that's easily circumvented with a HOSTS file entry of:
127.0.0.1 www.revouninstaller.com revouninstaller.com

But worse, it didn't do anything with the HP entry of:
HP Photosmart Officejet and Deskjet All-In-One Driver Software 13.0 Rel. B

I was hoping to get rid of that entry once and for all.


PS: I'm changing the VPN server to see if the virus message goes away.
If it doesn't go away, I'll check the header randomizing scripts which have
been in place for so many years that I forget if they insert a bogus AV
header.
#20
September 19th 17, 06:59 PM posted to alt.comp.os.windows-10,alt.comp.freeware,alt.windows7.general
Blake Snyder

On Tue, 19 Sep 2017 17:55:52 -0000 (UTC), in news
> PS: I'm changing the VPN server to see if the virus message goes away.
> If it doesn't go away, I'll check the header randomizing scripts which have
> been in place for so many years that I forget if they insert a bogus AV
> header.


So it was the VPN server that added that av sig line.

I could track down which server it was and remove that from my list of
thousands of freely available public VPN servers, but the sig line only
bothers people who think that I didn't configure my AV program correctly.

I never see sig lines myself since my scripts change what I see by
presenting everything in a table that culls out only the important
information from their headers and statistics culled from the net.

So I apologize for the sig lines, where the privacy randomization scripts
do insert random sig lines but never that particular AV one.
#21
September 19th 17, 07:37 PM posted to alt.comp.os.windows-10,alt.comp.freeware,alt.windows7.general
Shadow

On Tue, 19 Sep 2017 09:54:58 -0400, "Mayayana" wrote:



Re registry cleaners ....

http://privazer.com/download-shellba...ag-cleaner.php

Did it find anything personal in the registry that your system
might have stored for the forensic guys, and which you would rather
not be made public ?
No ? Great !!!!!
Ever thought of taking up religion as a profession ? I hear
there's a vacancy for the CEO's position.
[]'s
--
Don't be evil - Google 2004
We have a new policy - Google 2012
#22
September 19th 17, 10:26 PM posted to alt.comp.os.windows-10,alt.comp.freeware,alt.windows7.general
Ron[_13_]

On 9/18/2017 8:21 PM, Blake Snyder wrote:
> On Mon, 18 Sep 2017 17:13:49 -0600, in news Buffalo wrote:
>
>> Thanks, it sure gets you to that page a lot quicker, clever boy
>
> What free software do you recommend for checking this in the future?
>
> I have Wireshark, for example, but it's complex to use (as you may know).
> I also have Fiddler4, & TCPView, & Glasswire.
>
> None of those would have caught it though because all are active sniffers.
>
> What free software, as a passive sniffer, do you recommend that
> would/should have caught the spyware in CCleaner when even Avast & Kapersky
> didn't catch it?


I have Norton 360 on my machines and it caught it.

#23
September 19th 17, 11:42 PM posted to alt.comp.os.windows-10,alt.comp.freeware,alt.windows7.general
M.L.[_2_]



I keep a script on my Desktop to clean TEMP.


Why not post the script here to help others?
  #24  
Old September 20th 17, 01:45 AM posted to alt.comp.os.windows-10,alt.comp.freeware,alt.windows7.general
Blake Snyder
external usenet poster
 
Posts: 72
Default Hackers hid malware in CCleaner software

On Tue, 19 Sep 2017 17:42:14 -0500, in
, M.L. wrote:

I keep a script on my Desktop to clean TEMP.


Why not post the script here to help others?


I know that was for Mayayana but here are the temp directories that you can
define to be in C:\tmp\* or wherever you want them to be.
http://www.askvg.com/list-of-environ...p-vista-and-7/

Then you can delete them just by deleting everything in c:\tmp\*
http://best-windows.vlaurie.com/envi...variables.html

Or you can just move them to a convenient easily deleted location.
https://technet.microsoft.com/en-us/...exchg.65).aspx

Here is a list of some of the system variables:
https://technet.microsoft.com/en-us/...(v=ws.10).aspx

As I recall, there are four "temp" system variables I have all set to my
c:\tmp\* directory where they can be easily cleaned up.

Be advised that even on Windows 10, Microsoft still constrains you to the
8+3 syntax, as exemplified he
c:] echo %temp%
C:\tmp\junk\WINDOW~
Where "Window~" is Microsoft's 8+3 way of doing things.

c:] echo %tmp%
C:\tmp\junk\WINDOW~1
c:] cd %tmp%
Where "Windows~1" in this case is actually "windows_temp".

Who'd have thought that even in Windows 10, you're limited to 8+3 syntax!

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

  #25  
Old September 20th 17, 03:01 AM posted to alt.comp.os.windows-10,alt.comp.freeware,alt.windows7.general
Zaidy036[_5_]
external usenet poster
 
Posts: 427
Default Hackers hid malware in CCleaner software

On 9/19/2017 6:42 PM, M.L. wrote:


I keep a script on my Desktop to clean TEMP.


Why not post the script here to help others?

Here are the commands I use in my unattended overnight batch to keep my
Temp file to a reasonable size. I want to keep the most recent files and
folders in case they are needed. I realize many just want to do a delete
all.

:: Reduce Temp Files and Folders
:: -------------------------------------------------------------------------------------------------------
:: Remove from TEMP files LAST ACCESSed OLDER than AGE
:: (FORFILES /D selects on the last-modified date; the path is quoted so a
:: space in it cannot break FORFILES or DIR, and errors for open files go to NUL)
SET "_SRC=C:\Users\....\AppData\Local\Temp"
SET AGE=120
FORFILES /P "%_SRC%" /S /C "CMD /C DEL /Q @path" /D -%AGE% >NUL 2>&1

:: Remove from TEMP empty folders
FOR /f "delims=" %%i in ('DIR "%_SRC%" /AD /S /B ^| SORT /R') DO RD "%%i" >NUL 2>&1


NOTE "reverse sort" DIR because must remove "lowest" folders before
"highest" which would not be empty with "lowest" in place.
--
Zaidy036
  #26  
Old September 20th 17, 03:21 AM posted to alt.comp.os.windows-10,alt.comp.freeware,alt.windows7.general
Mayayana
external usenet poster
 
Posts: 6,438
Default Hackers hid malware in CCleaner software

"Blake Snyder" wrote

| I get that Microsoft has a counter for any shared DLL that is counted down
| somehow in the registry where that counter "can" get screwed up.
Presumably
| CCleaner handles that, where the presence of the extraneous DLL isn't a
big
| deal (however, again, it's not "clean").
|

I think you may be thinking of the reference count.
Windows tracks loading and unloading of shared system
DLLs. It will then unload the DLL when the last reference
is dropped. I don't think that's connected to the Registry,
though I'm not sure. In any case, it would all be cleared
with a restart. As far as I know there are not typically
problems with that system.

| Oh. Mayayana. You don't know what you just said.
| Do you realize how many bad installers are out there?
|

I can't say that I've seen them. But I do agree that
there are an increasing number of sneaky ones that
will install junk if you're not careful. Even Irfanview.
And there's a lot of crap of another kind in programs
like Firefox: It doesn't actually install malware, but it
will inflict a kind of death by a 1,000 cuts, with things
like call-home data collection, ads in the default home
page, etc.

| OMG. Do not get me started on HP printers!
| It has been YEARS that I've been trying to get rid of some HP software on
| my computer. The only way is to flush the operating system and start over.
| Sigh. (Please don't get me started on HP.)
|
They're a weird bunch. One HP printer I had
insisted I needed an updated IE to install the drivers!
I had to trick it by changing the Registry value it was
checking. Another came with a complete VB6 project
for customer feedback. Not an EXE. The entire code
project to make the EXE! But then I tried an Epson
printer and it would arbitrarily decide to stop working,
insisting that I officially had no ink left when that was
not true.
So now I accept HP as the lesser of the evils
and only do as much printing as is necessary for
things like business cards, contracts, customer
receipts, etc.

| iTunes is especially sleazy.
| OMG. You know EXACTLY how to make me wince!
|
| I know all about iTunes and I never want to see it again. Ever.
| I have iOS and Android where there is never a need for iTunes crap.
| Let's not go there or we'll drive the others nuts.
|

This might be a good time to take your
anti-high blood pressure drugs.


  #27  
Old September 20th 17, 03:41 AM posted to alt.comp.os.windows-10,alt.comp.freeware,alt.windows7.general
Mayayana
external usenet poster
 
Posts: 6,438
Default Hackers hid malware in CCleaner software

"M.L." wrote

| I keep a script on my Desktop to clean TEMP.
|
| Why not post the script here to help others?

It's in this package:

http://www.jsware.net/jsware/scrfiles.php5#desk

It could be trimmed down quite a bit if you know the
paths. It's designed to work on all systems without
knowing paths. I mostly work on XP. I don't remember
whether I altered the script for Win7. I don't think so.
You may also not want to run as admin, in which case
you can only delete temp files in your own user folder,
but I assume it will also work to delete them in C:\TEMP
and C:\Windows\TEMP.


Here's the content of the message box window I
just got after running the script:

TEMP folders found: List shows beginning size of each TEMP folder found and
size of that folder after cleaning.

C:\WINDOWS\TEMP: 4 MB - 4 MB
C:\temp: 24 KB - 0 Bytes
C:\DOCUME~1\[username]\LOCALS~1\Temp: 6 MB - 0 Bytes
C:\DOCUME~1\Default User\Local Settings\Temp: 0 Bytes - 0 Bytes
C:\DOCUME~1\NetworkService\Local Settings\Temp: 0 Bytes - 0 Bytes
C:\DOCUME~1\LocalService\Local Settings\Temp: 0 Bytes - 0 Bytes
C:\DOCUME~1\Administrator\Local Settings\Temp: 0 Bytes - 0 Bytes

The 4 MB in C:\Windows\TEMP stayed because
they're open files. The script is designed to just
ignore errors, which will occur if a file is open and
can't be deleted.

The FileSystemObject used in VBS can deal with
deleting nested folders, so there's no need to get
into any fancy footwork like recursive cleaning. The
script just looks for any likely TEMP folders, then
deletes all files/folders in any TEMP folders found.
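The same job as Zaidy036's batch file and the VBS script described above, written here in PowerShell as an added example (it is neither poster's own script). It assumes a 120-day window and that %TEMP%, %TMP% and %SystemRoot%\Temp are the folders of interest; it reports each folder's size before and after cleaning like the message box above, selects files by last-write time as FORFILES /D does, removes empty folders deepest first as the SORT /R trick does, and skips open files instead of stopping.

```powershell
# Added example: per-folder TEMP cleaner with before/after sizes and a dry-run switch.
param(
    [int]$AgeDays = 120,   # assumption: same 120-day window as the batch file above
    [switch]$DryRun        # report what would be removed, delete nothing
)

# Candidate TEMP folders from the environment; missing paths and duplicates
# are dropped. C:\Windows\Temp is only cleanable from an elevated session.
$candidates = @($env:TEMP, $env:TMP, (Join-Path $env:SystemRoot 'Temp')) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
    ForEach-Object { (Resolve-Path -LiteralPath $_).Path } |
    Sort-Object -Unique

function Get-FolderSize([string]$Path) {
    $sum = (Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
            Measure-Object -Property Length -Sum).Sum
    if ($null -eq $sum) { 0 } else { $sum }
}

$cutoff = (Get-Date).AddDays(-$AgeDays)
foreach ($dir in $candidates) {
    $before = Get-FolderSize $dir

    # Files older than the cutoff. An open file makes Remove-Item fail for that
    # item only; SilentlyContinue keeps going, like the scripts in the thread.
    Get-ChildItem -LiteralPath $dir -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -lt $cutoff } |
        Remove-Item -Force -WhatIf:$DryRun -ErrorAction SilentlyContinue

    # Empty folders, longest path first, so a parent is checked only after its
    # children have already been removed (the reverse-sort idea from the batch file).
    Get-ChildItem -LiteralPath $dir -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        Sort-Object { $_.FullName.Length } -Descending |
        Where-Object { -not (Get-ChildItem -LiteralPath $_.FullName -Force -ErrorAction SilentlyContinue) } |
        Remove-Item -Force -WhatIf:$DryRun -ErrorAction SilentlyContinue

    $after = Get-FolderSize $dir
    '{0}: {1:N0} KB - {2:N0} KB' -f $dir, ($before / 1KB), ($after / 1KB)
}
```

Run it with -DryRun first to see what would go; in a dry run the empty-folder pass only lists leaf folders, since nothing above them has actually been emptied yet.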


  #28  
Old September 20th 17, 05:39 AM posted to alt.comp.os.windows-10,alt.comp.freeware,alt.windows7.general
Mr. Man-wai Chang
external usenet poster
 
Posts: 1,941
Default Hackers hid malware in CCleaner software

On 20/9/2017 1:54 AM, BurfordTJustice wrote:
So it really is crap.


I still don't find a use for it after all these years...

--
@~@ Remain silent! Drink, Blink, Stretch! Live long and prosper!!
/ v \ Simplicity is Beauty!
/( _ )\ May the Force and farces be with you!
^ ^ (x86_64 Ubuntu 9.10) Linux 2.6.39.3
Don't borrow! Don't scam! Don't do compensated dating! Don't fight! Don't rob! Don't kill yourself! Consider CSSA (Comprehensive Social Security Assistance):
http://www.swd.gov.hk/tc/index/site_...sub_addressesa
  #29  
Old September 20th 17, 11:23 AM posted to alt.comp.os.windows-10,alt.comp.freeware,alt.windows7.general
J. P. Gilliver (John)[_4_]
external usenet poster
 
Posts: 2,679
Default Hackers hid malware in CCleaner software

Firstly, I really enjoyed Mayayana's post and Blake's reply. Both
well-thought-out and reasonable.

Just picking up on a couple of points:

In message , Blake Snyder
writes:
On Tue, 19 Sep 2017 09:54:58 -0400, in news Mayayana wrote:

[]
Either way, anything that actually needs to access the
Registry is going to be doing it in the range of milliseconds,
regardless of whether your Registry is 20 MB or 20 MB
+ 30 KB of unnecessary data.


I agree with most of what you say about registry cleaners making
excessive claims about speed improvement and being of dubious value
altogether (though I agree with Blake that there's something
aesthetically satisfying: in the way that some people would clean mud
off their car even if it was just mud and over modern paint that
wouldn't be harmed by the mud being left), but the above _proportions_ I
think might not be representative of the case: I suspect that my (and
certainly a lot of people's) registries contain unnecessary data that is
a much higher proportion, possibly even far exceeding the "necessary"
part.
[]
I also keep a lot of EVERY installation, so that I know what mistakes I
made (since they always catch you on something) particularly which ones
phone home and which ones have settings to stop that and which I have to
use the HOSTS file (yes, I know you love Acrylic DNS which I'll install
some day).

[]
(I assume that was meant to be "log" rather than "lot".) There are - or
used to be, I haven't looked for years - utilities (not sure if any
free) that claim to do this for you, i. e. monitor all activity during
an install (file installs, registry changes, whatever), to give you the
option of thorough removal. (I _think_ the paid version of revo might
include such.) I wondered, have you ever explored any of them? I haven't
- or if I did, it was so long ago that I can't remember - (a) because it
seems like a lot of effort [though presumably less so than doing it
manually as you do!], and (b) I'm not sure if there'd be problems using
them to remove one thing when I'd _subsequently_ installed other things.
--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

.... management speak, a language used by those employed to deliver change
while dodging responsibility for its nastier effects.
- Gillian Reynolds, RT 2016/9/17-23
  #30  
Old September 20th 17, 11:27 AM posted to alt.comp.os.windows-10,alt.comp.freeware,alt.windows7.general
J. P. Gilliver (John)[_4_]
external usenet poster
 
Posts: 2,679
Default Hackers hid malware in CCleaner software

In message , Blake Snyder
writes:
[]
Be advised that even on Windows 10, Microsoft still constrains you to the
8+3 syntax, as exemplified he
c:] echo %temp%
C:\tmp\junk\WINDOW~
Where "Window~" is Microsoft's 8+3 way of doing things.

c:] echo %tmp%
C:\tmp\junk\WINDOW~1
c:] cd %tmp%
Where "Windows~1" in this case is actually "windows_temp".

Who'd have thought that even in Windows 10, you're limited to 8+3 syntax!


(The second one doesn't have the s in it.)

It _may_ not be the case for these two, as they may always be created in
the same order, but IME, the 8.3 forms are created - with the number
after the ~ incrementing - in the order the files are, so they _could_
be the other way round. Or have higher indices if \tmp\junk already had
some window~x files in them when those needed to be created.

--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

.... management speak, a language used by those employed to deliver change
while dodging responsibility for its nastier effects.
- Gillian Reynolds, RT 2016/9/17-23
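An added check (not from any poster) for the point above about ~1, ~2 being assigned in creation order: it creates three constructed folder names that share the same first six characters, prints the 8.3 alias each one received, and flags the case where the volume has 8dot3name creation disabled, in which case no alias exists and the short path equals the long path.

```powershell
# Added example: show 8.3 short-name assignment order on this volume.
# Folder names are constructed for the demonstration and removed afterwards.
$base = Join-Path $env:TEMP ('shortname-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $base | Out-Null
$fso = New-Object -ComObject Scripting.FileSystemObject

function Get-ShortName([string]$Path) {
    # ShortPath is the 8.3 form; when 8.3 generation is off it is just the long path
    Split-Path -Leaf $fso.GetFolder($Path).ShortPath
}

try {
    # Created in this order, so windows_temp should get ~1, windows_other ~2, and so on
    foreach ($name in 'windows_temp', 'windows_other', 'windows_cache') {
        $p = Join-Path $base $name
        New-Item -ItemType Directory -Path $p | Out-Null
        '{0,-14} -> {1}' -f $name, (Get-ShortName $p)
    }
    if ((Get-ShortName (Join-Path $base 'windows_temp')) -eq 'windows_temp') {
        'No 8.3 alias generated: 8dot3name creation is disabled on this volume.'
    }
}
finally {
    Remove-Item -LiteralPath $base -Recurse -Force
}
```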
 



