RegClean2Sqr

10 january, 2008

RegClean2Sqr


Updated: January 7, 2008 4:35:46 PM
Type: Misleading Application
Name: RegClean
Version: 2.7
Publisher: 2Squared
Risk Impact: Medium
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

SUMMARY

Behavior

RegClean2Sqr is a misleading application that may give exaggerated reports of errors on the computer.

Note: Virus definitions dated January 8th, 2008 or earlier may detect this application as RegClean.

Protection

  • Initial Rapid Release version January 7, 2008 revision 017
  • Latest Rapid Release version January 8, 2008 revision 006
  • Initial Daily Certified version January 7, 2008 revision 022
  • Latest Daily Certified version January 8, 2008 revision 022
  • Initial Weekly Certified release date January 9, 2008

TECHNICAL DETAILS

Behavior
The program must be manually installed.

The program reports false or exaggerated reports of errors on the computer.





The user is then prompted to pay for a full license of the application in order to remove the errors.





Installation
When the program is executed, it creates the following files:
  • %UserProfile%\Application Data\RegClean\Log\2008 Jan 07 - 12_01_02 PM_031.log
  • %UserProfile%\Application Data\RegClean\Log\2008 Jan 07 - 12_01_10 PM_843.log
  • %UserProfile%\Desktop\200defs_SR\2007-12-31_Downloader.MisleadApp_setupxv.exe.1.exe
  • %UserProfile%\Local Settings\Temp\symlcsv1.exe
  • C:\Documents and Settings\All Users\Desktop\RegClean.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\RegClean\RegClean on the Web.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\RegClean\RegClean.lnk
  • %ProgramFiles%\RegClean\DataBase.ref
  • %ProgramFiles%\RegClean\Launcher.exe
  • %ProgramFiles%\RegClean\RegClean.exe
  • %ProgramFiles%\RegClean\RegClean.url
  • %ProgramFiles%\RegClean\RegCleaner.dll
  • %ProgramFiles%\RegClean\TCL.dll
  • %ProgramFiles%\RegClean\zlib.dll
  • %WindГ¬r%\Installer\[RANDOM NAME].msi
  • %WindГ¬r%\Installer\{D6938AFF-30C4-409C-B667-3F6503750BB8}\Icon.exe
  • %WindГ¬r%\Tasks\RegClean Scheduled Scan.job


It may also create temporary files.

Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"RegClean" = "%ProgramFiles%\RegClean\RegClean.exe"

The risk also creates the following entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"C:\Program Files\RegClean\" = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"C:\Documents and Settings\All Users\Start Menu\Programs\RegClean\" = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"C:\WINDOWS\Installer\{D6938AFF-30C4-409C-B667-3F6503750BB8}\" = ""

It also creates the following registry subkeys:
  • HKEY_CURRENT_USER\Software\RegClean
  • HKEY_CLASSES_ROOT\Installer\Features\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_CLASSES_ROOT\Installer\Products\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_CLASSES_ROOT\Installer\UpgradeCodes\8E650C92721B8364BB774E25145C382A
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D6938AFF-30C4-409C-B667-3F6503750BB8}
  • HKEY_LOCAL_MACHINE\SOFTWARE\RegClean
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\350A43477F3E8D94EAB18377D1E7421D\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3D1033F8162A79449B35709F1E31AF3B\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6121E96C162F8C64BAF0CE846F8186E5\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\78A0FBA817F2FC044AE7F3078863CC1B\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8AE7DA13A8A50784EB8DB6C0C9CB5A00\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\96561E3A346665E4AA79D997C23D33FB\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9F4D2600F2086F948BF0217B8EEAF075\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B6EC329EDEB1E1F49A774B220E15682A\FFA8396D4C03C9046B76F3563057B08B

Cisco IOS Software Resource Reservation Protocol Interface Queue Wedge Vulnerability

A vulnerability in the Resource Reservation Protocol (RSVP) feature of Cisco IOS Software an...

30 september, 2013

Cisco IOS Software Internet Key Exchange Memory Leak Vulnerability

A vulnerability in the Internet Key Exchange (IKE) protocol of Cisco IOS Software and Cisco ...

30 september, 2013

Cisco IOS Software Multicast Network Time Protocol Denial of Service Vulnerability

A vulnerability in the implementation of the Network Time Protocol (NTP) feature in Cisco IO...

30 september, 2013

MS14-035: Cumulative Security Update for Internet Explorer (2969262)

This security update resolves two publicly disclosed vulnerabilities and fifty-seven privately repor...

11 june, 2014

MS14-036: Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (2967487)

This security update resolves two privately reported vulnerabilities in Microsoft Windows, Microsoft...

11 june, 2014

MS14-034: Vulnerability in Microsoft Word Could Allow Remote Code Execution (2969261)

This security update resolves one privately reported vulnerability in Microsoft Office.

10 june, 2014

CVE-2015-1424

Cross-site request forgery (CSRF) vulnerability in Gecko CMS 2.2 and 2.3 allows remote attackers to hijack the authentication of administrators for requests that add an administrator user via a newuser request to admin/index.php.

CVE-2015-1423

Multiple SQL injection vulnerabilities in Gecko CMS 2.2 and 2.3 allow remote administrators to execute arbitrary SQL commands via the (1) jak_delete_log[] or (2) ssp parameter to admin/index.php.

CVE-2015-1366

Cross-site scripting (XSS) vulnerability in pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the image_user parameter.

CVE-2015-1365

Directory traversal vulnerability in pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress allows remote attackers to write to arbitrary files via a .. (dot dot) in the q parameter.

CVE-2014-9650

CRLF injection vulnerability in the management plugin in RabbitMQ 2.1.0 through 3.4.x before 3.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the download parameter to api/definitions.

CVE-2014-9649

Cross-site scripting (XSS) vulnerability in the management plugin in RabbitMQ 2.1.0 through 3.4.x before 3.4.1 allows remote attackers to inject arbitrary web script or HTML via the path info to api/, which is not properly handled in an error message.

CVE-2014-0191

The xmlParserHandlePEReference function in parser.c in libxml2 before 2.9.2, as used in Web Listener in Oracle HTTP Server in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 and other products, loads external parameter entities regardless of whether entity substitution or validation is enabled, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XML document.

CVE-2013-4260

lib/ansible/playbook/__init__.py in Ansible 1.2.x before 1.2.3, when playbook does not run due to an error, allows local users to overwrite arbitrary files via a symlink attack on a retry file with a predictable name in /var/tmp/ansible/.

CVE-2013-4259

runner/connection_plugins/ssh.py in Ansible before 1.2.3, when using ControlPersist, allows local users to redirect a ssh session via a symlink attack on a socket file with a predictable name in /tmp/.

CVE-2015-0586

The Network-Based Application Recognition (NBAR) protocol implementation in Cisco IOS 15.3(100)M and earlier on Cisco 2900 Integrated Services Router (aka Cisco Internet Router) devices allows remote attackers to cause a denial of service (NBAR process hang) via IPv4 packets, aka Bug ID CSCuo73682.

CVE-2015-0581

The XML parser in Cisco Prime Service Catalog before 10.1 allows remote authenticated users to read arbitrary files or cause a denial of service (CPU and memory consumption) via an external entity declaration in conjunction with an entity reference, as demonstrated by reading private keys, related to an XML External Entity (XXE) issue, aka Bug ID CSCup92880.

CVE-2015-0312

Double free vulnerability in Adobe Flash Player before 13.0.0.264 and 14.x through 16.x before 16.0.0.296 on Windows and OS X and before 11.2.202.440 on Linux allows attackers to execute arbitrary code via unspecified vectors.

CVE-2015-0235

Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST."

CVE-2014-9323

The xdr_status_vector function in Firebird before 2.1.7 and 2.5.x before 2.5.3 SU1 allows remote attackers to cause a denial of service (NULL pointer dereference, segmentation fault, and crash) via an op_response action with a non-empty status.

CVE-2014-8920

Buffer overflow in the Data Transfer Program in IBM i Access 5770-XE1 5R4, 6.1, and 7.1 on Windows allows local users to gain privileges via unspecified vectors.

This Alert covers CVE-2010-0896 for the mail component of the Sun Convergence product

This Sun Alert covers CVE-2010-0896 for the mail component of the Sun Convergence product.

14 april, 2010

This Alert Covers CVE-2010-0893 for the Mail Component of the Sun Convergence Product

This Alert covers CVE-2010-0893 for the mail component of the Sun Convergence product.

14 april, 2010

SunOS 5.10_x86: ucode driver patch

6905530 processor microcode code can panic when retrieving microcode revision.

02 february, 2010

[RHSA-2010:1003-01] Moderate: git security update

Red Hat Security Advisory - Moderate: git security update

21 december, 2010

[RHSA-2010:1002-01] Moderate: mod_auth_mysql security update

Red Hat Security Advisory - Moderate: mod_auth_mysql security update

21 december, 2010

[RHSA-2010:1000-01] Important: bind security update

Red Hat Security Advisory - Important: bind security update

20 december, 2010