RegClean2Sqr

10 january, 2008

RegClean2Sqr


Updated: January 7, 2008 4:35:46 PM
Type: Misleading Application
Name: RegClean
Version: 2.7
Publisher: 2Squared
Risk Impact: Medium
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

SUMMARY

Behavior

RegClean2Sqr is a misleading application that may give exaggerated reports of errors on the computer.

Note: Virus definitions dated January 8th, 2008 or earlier may detect this application as RegClean.

Protection

  • Initial Rapid Release version January 7, 2008 revision 017
  • Latest Rapid Release version January 8, 2008 revision 006
  • Initial Daily Certified version January 7, 2008 revision 022
  • Latest Daily Certified version January 8, 2008 revision 022
  • Initial Weekly Certified release date January 9, 2008

TECHNICAL DETAILS

Behavior
The program must be manually installed.

The program reports false or exaggerated reports of errors on the computer.





The user is then prompted to pay for a full license of the application in order to remove the errors.





Installation
When the program is executed, it creates the following files:
  • %UserProfile%\Application Data\RegClean\Log\2008 Jan 07 - 12_01_02 PM_031.log
  • %UserProfile%\Application Data\RegClean\Log\2008 Jan 07 - 12_01_10 PM_843.log
  • %UserProfile%\Desktop\200defs_SR\2007-12-31_Downloader.MisleadApp_setupxv.exe.1.exe
  • %UserProfile%\Local Settings\Temp\symlcsv1.exe
  • C:\Documents and Settings\All Users\Desktop\RegClean.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\RegClean\RegClean on the Web.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\RegClean\RegClean.lnk
  • %ProgramFiles%\RegClean\DataBase.ref
  • %ProgramFiles%\RegClean\Launcher.exe
  • %ProgramFiles%\RegClean\RegClean.exe
  • %ProgramFiles%\RegClean\RegClean.url
  • %ProgramFiles%\RegClean\RegCleaner.dll
  • %ProgramFiles%\RegClean\TCL.dll
  • %ProgramFiles%\RegClean\zlib.dll
  • %WindГ¬r%\Installer\[RANDOM NAME].msi
  • %WindГ¬r%\Installer\{D6938AFF-30C4-409C-B667-3F6503750BB8}\Icon.exe
  • %WindГ¬r%\Tasks\RegClean Scheduled Scan.job


It may also create temporary files.

Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"RegClean" = "%ProgramFiles%\RegClean\RegClean.exe"

The risk also creates the following entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"C:\Program Files\RegClean\" = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"C:\Documents and Settings\All Users\Start Menu\Programs\RegClean\" = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"C:\WINDOWS\Installer\{D6938AFF-30C4-409C-B667-3F6503750BB8}\" = ""

It also creates the following registry subkeys:
  • HKEY_CURRENT_USER\Software\RegClean
  • HKEY_CLASSES_ROOT\Installer\Features\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_CLASSES_ROOT\Installer\Products\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_CLASSES_ROOT\Installer\UpgradeCodes\8E650C92721B8364BB774E25145C382A
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D6938AFF-30C4-409C-B667-3F6503750BB8}
  • HKEY_LOCAL_MACHINE\SOFTWARE\RegClean
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\350A43477F3E8D94EAB18377D1E7421D\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3D1033F8162A79449B35709F1E31AF3B\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6121E96C162F8C64BAF0CE846F8186E5\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\78A0FBA817F2FC044AE7F3078863CC1B\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8AE7DA13A8A50784EB8DB6C0C9CB5A00\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\96561E3A346665E4AA79D997C23D33FB\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9F4D2600F2086F948BF0217B8EEAF075\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B6EC329EDEB1E1F49A774B220E15682A\FFA8396D4C03C9046B76F3563057B08B

Cisco IOS Software Resource Reservation Protocol Interface Queue Wedge Vulnerability

A vulnerability in the Resource Reservation Protocol (RSVP) feature of Cisco IOS Software an...

30 september, 2013

Cisco IOS Software Internet Key Exchange Memory Leak Vulnerability

A vulnerability in the Internet Key Exchange (IKE) protocol of Cisco IOS Software and Cisco ...

30 september, 2013

Cisco IOS Software Multicast Network Time Protocol Denial of Service Vulnerability

A vulnerability in the implementation of the Network Time Protocol (NTP) feature in Cisco IO...

30 september, 2013

MS14-035: Cumulative Security Update for Internet Explorer (2969262)

This security update resolves two publicly disclosed vulnerabilities and fifty-seven privately repor...

11 june, 2014

MS14-036: Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (2967487)

This security update resolves two privately reported vulnerabilities in Microsoft Windows, Microsoft...

11 june, 2014

MS14-034: Vulnerability in Microsoft Word Could Allow Remote Code Execution (2969261)

This security update resolves one privately reported vulnerability in Microsoft Office.

10 june, 2014

CVE-2014-5018

Incomplete blacklist vulnerability in the autoEscape function in common_helper.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to conduct cross-site scripting (XSS) attacks via the GBK charset in the loadname parameter to index.php, related to the survey resume.

CVE-2014-5017

SQL injection vulnerability in CPDB in application/controllers/admin/participantsaction.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to execute arbitrary SQL commands via the sidx parameter in a JSON request to admin/participants/sa/getParticipants_json, related to a search parameter.

CVE-2014-5016

Multiple cross-site scripting (XSS) vulnerabilities in LimeSurvey 2.05+ Build 140618 allow remote attackers to inject arbitrary web script or HTML via (1) the pid attribute to the getAttribute_json function to application/controllers/admin/participantsaction.php in CPDB, (2) the sa parameter to application/views/admin/globalSettings_view.php, or (3) a crafted CSV file to the "Import CSV" functionality.

CVE-2014-4987

server_user_groups.php in phpMyAdmin 4.1.x before 4.1.14.2 and 4.2.x before 4.2.6 allows remote authenticated users to bypass intended access restrictions and read the MySQL user list via a viewUsers request.

CVE-2014-4986

Multiple cross-site scripting (XSS) vulnerabilities in js/functions.js in phpMyAdmin 4.0.x before 4.0.10.1, 4.1.x before 4.1.14.2, and 4.2.x before 4.2.6 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) table name or (2) column name that is improperly handled during construction of an AJAX confirmation message.

CVE-2014-4960

Multiple SQL injection vulnerabilities in models\gallery.php in Youtube Gallery (com_youtubegallery) component 4.x through 4.1.7, and possibly 3.x, for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) listid or (2) themeid parameter to index.php.

CVE-2014-4955

Cross-site scripting (XSS) vulnerability in the PMA_TRI_getRowForList function in libraries/rte/rte_list.lib.php in phpMyAdmin 4.0.x before 4.0.10.1, 4.1.x before 4.1.14.2, and 4.2.x before 4.2.6 allows remote authenticated users to inject arbitrary web script or HTML via a crafted trigger name that is improperly handled on the database triggers page.

CVE-2014-4734

Cross-site scripting (XSS) vulnerability in e107_admin/db.php in e107 2.0 alpha2 and earlier allows remote attackers to inject arbitrary web script or HTML via the type parameter.

CVE-2014-4342

MIT Kerberos 5 (aka krb5) 1.7.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (buffer over-read or NULL pointer dereference, and application crash) by injecting invalid tokens into a GSSAPI application session.

CVE-2014-4341

MIT Kerberos 5 (aka krb5) before 1.12.2 allows remote attackers to cause a denial of service (buffer over-read and application crash) by injecting invalid tokens into a GSSAPI application session.

CVE-2014-3894

Cross-site scripting (XSS) vulnerability in PHP Kobo Multifunctional MailForm Free 2014/1/28 and earlier allows remote attackers to inject arbitrary web script or HTML via an HTTP Referer header.

CVE-2014-3892

Cross-site scripting (XSS) vulnerability in Nexa Meridian before 2014 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-3886

Cross-site scripting (XSS) vulnerability in Webmin before 1.690, when referrer checking is disabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.  NOTE: this might overlap CVE-2014-3924.

CVE-2014-3885

Cross-site scripting (XSS) vulnerability in Webmin before 1.690 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.  NOTE: this might overlap CVE-2014-3924.

CVE-2014-3884

Cross-site scripting (XSS) vulnerability in Usermin before 1.600 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.  NOTE: this might overlap CVE-2014-3924.

This Alert covers CVE-2010-0896 for the mail component of the Sun Convergence product

This Sun Alert covers CVE-2010-0896 for the mail component of the Sun Convergence product.

14 april, 2010

This Alert Covers CVE-2010-0893 for the Mail Component of the Sun Convergence Product

This Alert covers CVE-2010-0893 for the mail component of the Sun Convergence product.

14 april, 2010

SunOS 5.10_x86: ucode driver patch

6905530 processor microcode code can panic when retrieving microcode revision.

02 february, 2010

[RHSA-2010:1003-01] Moderate: git security update

Red Hat Security Advisory - Moderate: git security update

21 december, 2010

[RHSA-2010:1002-01] Moderate: mod_auth_mysql security update

Red Hat Security Advisory - Moderate: mod_auth_mysql security update

21 december, 2010

[RHSA-2010:1000-01] Important: bind security update

Red Hat Security Advisory - Important: bind security update

20 december, 2010