Advisories
Vulnerability Database
PoC
Viruses
Research Lab

RegClean2Sqr

10 january, 2008

RegClean2Sqr


Updated: January 7, 2008 4:35:46 PM
Type: Misleading Application
Name: RegClean
Version: 2.7
Publisher: 2Squared
Risk Impact: Medium
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

SUMMARY

Behavior

RegClean2Sqr is a misleading application that may give exaggerated reports of errors on the computer.

Note: Virus definitions dated January 8th, 2008 or earlier may detect this application as RegClean.

Protection

  • Initial Rapid Release version January 7, 2008 revision 017
  • Latest Rapid Release version January 8, 2008 revision 006
  • Initial Daily Certified version January 7, 2008 revision 022
  • Latest Daily Certified version January 8, 2008 revision 022
  • Initial Weekly Certified release date January 9, 2008

TECHNICAL DETAILS

Behavior
The program must be manually installed.

The program reports false or exaggerated reports of errors on the computer.





The user is then prompted to pay for a full license of the application in order to remove the errors.





Installation
When the program is executed, it creates the following files:
  • %UserProfile%\Application Data\RegClean\Log\2008 Jan 07 - 12_01_02 PM_031.log
  • %UserProfile%\Application Data\RegClean\Log\2008 Jan 07 - 12_01_10 PM_843.log
  • %UserProfile%\Desktop\200defs_SR\2007-12-31_Downloader.MisleadApp_setupxv.exe.1.exe
  • %UserProfile%\Local Settings\Temp\symlcsv1.exe
  • C:\Documents and Settings\All Users\Desktop\RegClean.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\RegClean\RegClean on the Web.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\RegClean\RegClean.lnk
  • %ProgramFiles%\RegClean\DataBase.ref
  • %ProgramFiles%\RegClean\Launcher.exe
  • %ProgramFiles%\RegClean\RegClean.exe
  • %ProgramFiles%\RegClean\RegClean.url
  • %ProgramFiles%\RegClean\RegCleaner.dll
  • %ProgramFiles%\RegClean\TCL.dll
  • %ProgramFiles%\RegClean\zlib.dll
  • %WindГ¬r%\Installer\[RANDOM NAME].msi
  • %WindГ¬r%\Installer\{D6938AFF-30C4-409C-B667-3F6503750BB8}\Icon.exe
  • %WindГ¬r%\Tasks\RegClean Scheduled Scan.job


It may also create temporary files.

Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"RegClean" = "%ProgramFiles%\RegClean\RegClean.exe"

The risk also creates the following entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"C:\Program Files\RegClean\" = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"C:\Documents and Settings\All Users\Start Menu\Programs\RegClean\" = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"C:\WINDOWS\Installer\{D6938AFF-30C4-409C-B667-3F6503750BB8}\" = ""

It also creates the following registry subkeys:
  • HKEY_CURRENT_USER\Software\RegClean
  • HKEY_CLASSES_ROOT\Installer\Features\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_CLASSES_ROOT\Installer\Products\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_CLASSES_ROOT\Installer\UpgradeCodes\8E650C92721B8364BB774E25145C382A
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D6938AFF-30C4-409C-B667-3F6503750BB8}
  • HKEY_LOCAL_MACHINE\SOFTWARE\RegClean
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\350A43477F3E8D94EAB18377D1E7421D\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3D1033F8162A79449B35709F1E31AF3B\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6121E96C162F8C64BAF0CE846F8186E5\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\78A0FBA817F2FC044AE7F3078863CC1B\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8AE7DA13A8A50784EB8DB6C0C9CB5A00\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\96561E3A346665E4AA79D997C23D33FB\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9F4D2600F2086F948BF0217B8EEAF075\FFA8396D4C03C9046B76F3563057B08B
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B6EC329EDEB1E1F49A774B220E15682A\FFA8396D4C03C9046B76F3563057B08B

Cisco Security Advisory: Cisco Security Agent Remote Code Execution Vulnerabilities

Cisco Security Agent is affected by vulnerabilities that could allow an unauthenticated attacker to ...

27 october, 2011

Cisco Security Advisory: Denial of Service Vulnerability in Cisco Video Surveillance IP Cameras

A denial of service (DoS) vulnerability exists in the Cisco Video Surveillance IP Cameras 24 ...

27 october, 2011

Cisco Security Advisory: Cisco Unified Contact Center Express Directory Traversal Vulnerability

Cisco Unified Contact Center Express (UCCX or Unified CCX) and Cisco Unified IP Interactive ...

27 october, 2011

MS13-046: Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege (2840221)

This security update resolves three privately reported vulnerabilities in Microsoft Windows.

14 may, 2013

MS13-045: Vulnerability in Windows Essentials Could Allow Information Disclosure (2813707)

This security update resolves a privately reported vulnerability in Windows Essentials.

14 may, 2013

MS13-043: Vulnerability in Microsoft Word Could Allow Remote Code Execution (2830399)

This security update resolves one privately reported vulnerability in Microsoft Office.

14 may, 2013

CVE-2012-5948

Multiple cross-site scripting (XSS) vulnerabilities in IBM TRIRIGA Application Platform 2.x and 3.x before 3.3, and 8, allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) WebProcess.srv, (2) the html/en/default/ directory, (3) Widget/resource, (4) birt/frameset, or (5) ganttlib/gantt-jws.jnlp.

National Vulnerability Database 23 april, 2013

CVE-2013-0242

Buffer overflow in the extend_buffers function in the regular expression matcher (posix/regexec.c) in glibc, possibly 2.17 and earlier, allows context-dependent attackers to cause a denial of service (memory corruption and crash) via crafted multibyte characters.

National Vulnerability Database 08 february, 2013

CVE-2012-3280

Multiple unspecified vulnerabilities on HP NonStop Servers H06.x and J06.x allow remote authenticated users to obtain sensitive information, modify data, or cause a denial of service via an OSS Remote Operation over an Expand connection.

National Vulnerability Database 13 february, 2013

CVE-2009-2213

The default configuration of the Security global settings on the Citrix NetScaler Access Gateway appliance with Enterprise Edition firmware 9.0, 8.1, and earlier specifies Allow for the Default Authorization Action option, which might allow remote authenticated users to bypass intended access restrictions.

National Vulnerability Database 25 june, 2009

CVE-2013-2703

Cross-site request forgery (CSRF) vulnerability in the Facebook Members plugin before 5.0.5 for WordPress allows remote attackers to hijack the authentication of administrators for requests that modify this plugin's settings.

National Vulnerability Database 05 may, 2013

CVE-2013-2702

Cross-site request forgery (CSRF) vulnerability in the Easy AdSense Lite plugin before 6.10 for WordPress allows remote attackers to hijack the authentication of arbitrary users for requests that modify this plugin's settings.

National Vulnerability Database 05 may, 2013

CVE-2013-1347

Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly allocated or (2) is deleted, as exploited in the wild in May 2013.

National Vulnerability Database 05 may, 2013

CVE-2013-1092

Multiple unquoted Windows search path vulnerabilities in Novell ZENworks Desktop Management (ZDM) 7 through 7.1 might allow local users to gain privileges via a Trojan horse "program" file in the C: folder, related to an attempted launch of (1) ZenRem32.exe or (2) wm.exe.

National Vulnerability Database 05 may, 2013

CVE-2013-0726

Stack-based buffer overflow in the ERM_convert_to_correct_webpath function in ermapper_u.dll in ERDAS ER Viewer before 13.00.0001 allows remote attackers to execute arbitrary code via a crafted pathname in an ERS file.

National Vulnerability Database 05 may, 2013

CVE-2013-3269

Cross-site request forgery (CSRF) vulnerability in Cybozu Office before 8.1.6 and 9.x before 9.3.0 allows remote attackers to hijack the authentication of arbitrary users for requests that change mobile passwords, a different vulnerability than CVE-2013-2305.

National Vulnerability Database 25 april, 2013

CVE-2013-3268

Novell iManager 2.7 before SP6 Patch 1 does not refresh a token after a logout action, which has unspecified impact and remote attack vectors.

National Vulnerability Database 24 april, 2013

CVE-2013-1821

lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 allows remote attackers to cause a denial of service (memory consumption and crash) via crafted text nodes in an XML document, aka an XML Entity Expansion (XEE) attack.

National Vulnerability Database 09 april, 2013

CVE-2013-1665

The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.

National Vulnerability Database 02 april, 2013

CVE-2013-1664

The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.

National Vulnerability Database 02 april, 2013

CVE-2013-1288

Use-after-free vulnerability in Microsoft Internet Explorer 8 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer CTreeNode Use After Free Vulnerability."

National Vulnerability Database 12 march, 2013
Search
Sun Microsystems

This Alert covers CVE-2010-0896 for the mail component of the Sun Convergence product

This Sun Alert covers CVE-2010-0896 for the mail component of the Sun Convergence product.

14 april, 2010

This Alert Covers CVE-2010-0893 for the Mail Component of the Sun Convergence Product

This Alert covers CVE-2010-0893 for the mail component of the Sun Convergence product.

14 april, 2010

SunOS 5.10_x86: ucode driver patch

6905530 processor microcode code can panic when retrieving microcode revision.

02 february, 2010

Red Hat

[RHSA-2010:1003-01] Moderate: git security update

Red Hat Security Advisory - Moderate: git security update

21 december, 2010

[RHSA-2010:1002-01] Moderate: mod_auth_mysql security update

Red Hat Security Advisory - Moderate: mod_auth_mysql security update

21 december, 2010

[RHSA-2010:1000-01] Important: bind security update

Red Hat Security Advisory - Important: bind security update

20 december, 2010

РоС

Quick Search 1.1.0.189 Buffer Overflow Vulnerability (SEH)

Serva 32 TFTP 2.1.0 - Buffer Overflow DoS Exploit

Privilege Escalation Exploit For Linux 2.6.37 - 3.8.8

AdvertismentAbout ProjectContact UsCopyrightExportRSSMy SettingsMap