ErrClean


Updated: September 11, 2007 2:01:17 PM
Type: Misleading Application
Name: ErrClean
Version: 1.3.26.0
Risk Impact: Medium
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000


Behavior

This program must be manually installed.

When the program is executed and a scan is run, it displays exaggerated reports of errors on the computer.

The risk also displays a registration screen, asking the user to register the software to remove the falsely reported threats.

Installation
When the program is executed, it creates the following folder:
%UserProfile%\Application Data\errclean

Next, the program creates the following files:
  • %UserProfile%\Desktop\ErrClean.lnk
  • C:\Documents and Settings\All Users\Application Data\errclean\Data\em
  • C:\Documents and Settings\All Users\Application Data\errclean\Data\oid
  • C:\Documents and Settings\All Users\Application Data\errclean\Data\user
  • C:\Documents and Settings\All Users\Start Menu\Programs\ErrClean\Contact Customer Service.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\ErrClean\ErrClean.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\ErrClean\Uninstall ErrClean.lnk
  • %ProgramFiles%\ErrClean\SysRep.exe
  • %ProgramFiles%\ErrClean\ugescw.exe
  • %ProgramFiles%\ErrClean\License.rtf
  • %ProgramFiles%\ErrClean\Readme.rtf
  • %ProgramFiles%\ErrClean\Res\Main.ico
  • %ProgramFiles%\ErrClean\Res\RecycleBin.ico
  • %ProgramFiles%\ErrClean\rm.url
  • %ProgramFiles%\ErrClean\sr.log
  • %ProgramFiles%\ErrClean\swupd.log
  • %ProgramFiles%\ErrClean\SysRep.exe.cer
  • %ProgramFiles%\ErrClean\SysRep.exe.Log
  • %ProgramFiles%\ErrClean\SysRep.exe.xml
  • %ProgramFiles%\ErrClean\SysRep.url
  • %ProgramFiles%\ErrClean\unins000.dat
  • %ProgramFiles%\ErrClean\urls.ini
  • %ProgramFiles%\ErrClean\unins000.exe
  • %ProgramFiles%\ErrClean\transpaid.exe
  • %UserProfile%\Local Settings\Temp\[RANDOM CHARACTERS]\setup.exe
  • %UserProfile%\Local Settings\Temp\[RANDOM CHARACTERS]\settings.ini
  • %UserProfile%\Local Settings\Temp\[RANDOM CHARACTERS]\setup.len


It also creates the following clean files:
  • %ProgramFiles%\ErrClean\atl71.dll
  • %ProgramFiles%\ErrClean\mfc71.dll
  • %ProgramFiles%\ErrClean\msvcp71.dll
  • %ProgramFiles%\ErrClean\msvcr71.dll


The program then creates the following registry entries so that it executes whenever Windows starts:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"ErrClean" = "C:\Program Files\ErrClean\SysRep.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"ugescw" = ""C:\PROGRA~1\ErrClean\ugescw.exe" -start"


It also creates the following registry subkeys:
  • HKEY_USERS\[ALL USERS]\Software\ErrClean
  • HKEY_LOCAL_MACHINE\SOFTWARE\ErrClean
  • HKEY_LOCAL_MACHINE\SOFTWARE\ugescw
  • HKEY_LOCAL_MACHINE\SOFTWARE\Purchased Products\System Error Repair
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GES_is1
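
The two Run entries above point at the same folder through different path forms (`C:\Program Files\...` and the 8.3 short form `C:\PROGRA~1\...`, one of them quoted with an argument). The following is an added example, not part of the original write-up: it checks Run-key entries against the listed ErrClean executables by parent folder and file name, so both forms match. The `scan` and `image_path` helpers and the sample entries are constructed for illustration.

```python
import ntpath
import re

# Executables the write-up lists under %ProgramFiles%\ErrClean.
ERRCLEAN_EXES = {"sysrep.exe", "ugescw.exe", "transpaid.exe", "unins000.exe"}

# Image path of a Run command: a quoted path, or unquoted text up to ".exe".
_IMAGE = re.compile(r'^\s*(?:"([^"]+)"|(.+?\.exe)(?=\s|$))', re.IGNORECASE)


def image_path(command):
    # Return the executable path from a Run-value command line, or None.
    m = _IMAGE.match(command)
    return (m.group(1) or m.group(2)) if m else None


def scan(entries):
    # entries: iterable of (value_name, command) pairs read from a Run key.
    # Match on parent folder + file name, not the full path, so the
    # 8.3 form C:\PROGRA~1\... matches as well as C:\Program Files\...
    hits = []
    for name, command in entries:
        path = image_path(command)
        if path is None:
            continue
        folder, exe = ntpath.split(path.lower())
        if ntpath.basename(folder) == "errclean" and exe in ERRCLEAN_EXES:
            hits.append((name, path))
    return hits


# Constructed sample: the two Run values from the write-up plus two
# made-up entries that must not match.
SAMPLE = [
    ("ErrClean", r"C:\Program Files\ErrClean\SysRep.exe"),
    ("ugescw", r'"C:\PROGRA~1\ErrClean\ugescw.exe" -start'),
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("Updater", r'"C:\Program Files\Other\SysRep.exe" /s'),
]

if __name__ == "__main__":
    for name, path in scan(SAMPLE):
        print(f"ErrClean autostart: {name} -> {path}")
```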