
HTTP RegistryCare Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects HTTP activity generated by the misleading application RegistryCare, a "registry cleaner" that reports exaggerated errors and prompts the user to pay for a registered version to fix them.

Additional Information

When RegistryCare is installed, it performs the following actions:

1. Creates the following files:

* %UserProfile%\Desktop\Registry Care.lnk
* %UserProfile%\Start Menu\Programs\Registry Care\Registry Care.lnk
* %UserProfile%\Start Menu\Programs\Registry Care\Uninstall Registry Care.lnk
* %ProgramFiles%\RegistryCare\INSTALL.LOG
* %ProgramFiles%\RegistryCare\RegistryCare.exe
* %ProgramFiles%\RegistryCare\Unwise.exe

Note:
* %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
* %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

2. Creates the following registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Registry Care
HKEY_CURRENT_USER\Software\RegistryCare

3. Scans the Windows registry, reporting registry subkeys that reference files or other subkeys that are no longer present on the computer.

4. Gives exaggerated reports of critical errors in the registry on the computer.

5. Prompts the user to purchase a registered version of the software in order to remove the reported errors.

Affected

  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows XP

Response

The following instructions pertain to all Symantec antivirus products that support security risk detection.

1. Update the definitions.
2. Uninstall the security risk.
3. Run the scan.
4. Delete any values added to the registry.
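The following PowerShell triage script is an added example, not Symantec's own code or part of their product. It checks a host for the files and registry subkeys listed under Additional Information and, with the hypothetical -Remove switch, deletes the registry subkeys (Response step 4). Two things are assumptions not stated on the page: on Windows Vista and later the per-user Start Menu lives under AppData\Roaming rather than directly under %UserProfile%, which [Environment]::GetFolderPath handles, and a 32-bit installer on 64-bit Windows would be redirected to Program Files (x86) and the Wow6432Node uninstall key.

```powershell
# Added triage script (not from the Symantec page): looks for the RegistryCare
# artifacts listed above and optionally removes the registry subkeys.
param(
    [switch]$Remove   # hypothetical switch: delete the registry subkeys if present
)

# Resolve the folder variables used on the page. GetFolderPath returns the
# XP layout (%UserProfile%\Start Menu\Programs) or the Vista+ layout
# (%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs).
$desktop  = [Environment]::GetFolderPath('DesktopDirectory')
$programs = [Environment]::GetFolderPath('Programs')
# Assumption: a 32-bit installer on 64-bit Windows lands in Program Files (x86).
$pfDirs   = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

$files = @(
    (Join-Path $desktop  'Registry Care.lnk'),
    (Join-Path $programs 'Registry Care\Registry Care.lnk'),
    (Join-Path $programs 'Registry Care\Uninstall Registry Care.lnk')
)
foreach ($pf in $pfDirs) {
    $files += (Join-Path $pf 'RegistryCare\INSTALL.LOG')
    $files += (Join-Path $pf 'RegistryCare\RegistryCare.exe')
    $files += (Join-Path $pf 'RegistryCare\Unwise.exe')
}

# Assumption: the Wow6432Node path covers WOW64 registry redirection on 64-bit hosts.
$regKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Registry Care',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Registry Care',
    'HKCU:\Software\RegistryCare'
)

# Collect every artifact that is actually present on this host.
$found = @()
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $found += [pscustomobject]@{ Type = 'File';   Path = $f } }
}
foreach ($k in $regKeys) {
    if (Test-Path -LiteralPath $k) { $found += [pscustomobject]@{ Type = 'RegKey'; Path = $k } }
}

if (-not $found) {
    Write-Output 'No RegistryCare artifacts found.'
    return
}
$found | Format-Table -AutoSize

# Only the registry subkeys are removed here. Remove the files through the
# product's uninstaller (Response step 2) or the antivirus scan (step 3) so that
# RegistryCare.exe is not left on disk with its uninstall entry already gone.
if ($Remove) {
    foreach ($k in ($found | Where-Object Type -eq 'RegKey')) {
        Remove-Item -LiteralPath $k.Path -Recurse -Force
        Write-Output "Removed $($k.Path)"
    }
}
```

Run it from an elevated prompt (HKLM keys need administrator rights) first without -Remove to confirm the artifacts match the list above, then with -Remove after the uninstall and scan have completed.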