Submission Summary:

• Submission details:
• Submission received: 19 May 2008, 00:02:13
• Processing time: 4 min 44 sec
• Submitted sample:
• File MD5: 0xF1C5BF6FE74EE2615544FEDDB316237E
• File SHA-1: 0xD6E5B2EEB5D5CB4B9EBD92B14E55D42847CB5C21
• Filesize: 4,941,731 bytes

• Summary of the findings:

What's been found	Severity Level
Capability to send out email message(s) with the built-in SMTP client engine.
Downloads/requests other files from Internet.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

• The new window was created, as shown below:

Possible Security Risk

• Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
RogueAntiSpyware.AdvancedCleaner	RogueAntiSpyware.AdvancedCleaner displays fake alerts in malware payloads in order to persuade users into buying the rogue antispyware products. It also comes bundled with RogueAntiSpyware.ErrClean.

• Attention! The following threat category was identified:

Threat Category	Description
	A spyware program that represents security risk for a local system

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%CommonPrograms%\AdvancedCleaner Free\AdvancedCleaner HomePage.lnk	581 bytes	MD5: 0x9AE337A4EC31143B8F729453379365B2 SHA-1: 0xA01B590E1AE20A290DA779929FCFCF8919C16B1C	AdvancedCleaner [McAfee]
2	%CommonPrograms%\AdvancedCleaner Free\AdvancedCleaner Online Manual.lnk	591 bytes	MD5: 0xA1BE5C4764D5B362D654B9F27A9A9EAD SHA-1: 0x7C07CE97EE963492E98415456451F55BD5FAC364	AdvancedCleaner [McAfee]
3	%CommonPrograms%\AdvancedCleaner Free\AdvancedCleaner Online Support.lnk	595 bytes	MD5: 0x70F7CE278745A276982715A3ECDDEA87 SHA-1: 0x8ACF7B8D54E1494F0211ADDF9E059F76222B2ED5	AdvancedCleaner [McAfee]
4	%CommonPrograms%\AdvancedCleaner Free\AdvancedCleaner.lnk	754 bytes	MD5: 0x2DFEB075A5CBBF90D1E34169E255A769 SHA-1: 0xAD7EB59F11A9CEDD2D55F43F1712E0E5E73ADB18	AdvancedCleaner [McAfee]
5	%CommonPrograms%\AdvancedCleaner Free\Uninstall AdvancedCleaner.lnk	1,670 bytes	MD5: 0x96D8533C3FC0541473D83105E66D0926 SHA-1: 0x6E56690E5FB3F03D10015E4370A0B925CD2B3604	AdvancedCleaner [McAfee]
6	%DesktopDir%\AdvancedCleaner Free.lnk	742 bytes	MD5: 0xCD9897F55217C35060F1D71F2FADC207 SHA-1: 0x488B012F5ECB69C72CAFBE2F7373B5097D43DE8D	AdvancedCleaner [McAfee]
7	%ProgramFiles%\AdvancedCleaner Free\acu.dat	360 bytes	MD5: 0x352FCE0AB49DA11B2F02E824D855B6CE SHA-1: 0x0E9BF066D02C94047BD3A1C8FE319F2CF4B9C6BD	(not available)
8	%ProgramFiles%\AdvancedCleaner Free\antiVlog.dat	37 bytes	MD5: 0x5BD00D780B963C8F34BC98612AB548FA SHA-1: 0x476E0B82A2C5024C1EC94F6EF1F5D3FC2093627C	(not available)
9	%ProgramFiles%\AdvancedCleaner Free\appAct.dat	319 bytes	MD5: 0x10A00DC56DB2CBDB4F5754BA38A69307 SHA-1: 0xDCC8515C04EFB5A7CA1E61437CD32114B3FF2965	(not available)
10	%ProgramFiles%\AdvancedCleaner Free\AppDB\AppBase.xml	23,354 bytes	MD5: 0x17AB8E8A75AF14C4E93959E05D98DB36 SHA-1: 0x8C8C6ADF60ECBF3B5F6ACFE1B315EBA71FCBF4ED	(not available)
11	%ProgramFiles%\AdvancedCleaner Free\AppDB\profiles.dat	371 bytes	MD5: 0xE1216ABB2A3E9A3CABE741557426A673 SHA-1: 0x5DC39B0F6475C034B9D8741464296DF9252C7B7C	(not available)
12	%ProgramFiles%\AdvancedCleaner Free\AppDB\prowords.dat	395 bytes	MD5: 0xC36F8084FCD44683833797925705D9BE SHA-1: 0x55C761A6B546FAF75E18F7B8DE43589B547BB817	(not available)
13	%ProgramFiles%\AdvancedCleaner Free\appv.dat	8 bytes	MD5: 0xD55B3E4BB81D775312DB67FF31E1D09F SHA-1: 0xB5ED897DB220D65906DBBE5D3BD0C7313FF0B440	(not available)
14	%ProgramFiles%\AdvancedCleaner Free\atl71.dll	89,088 bytes	MD5: 0x8F2097E8B174F38178570C611464935F SHA-1: 0x86476819229F4BF00F32E5F0969E19C5B61D1B2A	(not available)
15	%ProgramFiles%\AdvancedCleaner Free\ian_monitor.exe	241,152 bytes	MD5: 0x48F2CFCC906666A78D7A84BC8D8AEC21 SHA-1: 0x7B77BC270BDBB1B5D382EFD4340B76780AF2D2A9	RogueAntiSpyware.AdvancedCleaner [PCTools] AdvancedCleaner [McAfee]
16	%ProgramFiles%\AdvancedCleaner Free\img\button.gif %ProgramFiles%\AdvancedCleaner Free\img\button2.gif	7,487 bytes	MD5: 0x8994BAFEA1D35F7FE83106A9B8F3398D SHA-1: 0x2057B827CD2DAA1AD039A76EACE1FD08B63B2A2C	(not available)
17	%ProgramFiles%\AdvancedCleaner Free\img\header.gif	3,915 bytes	MD5: 0x9A74B3599A951A505FD8DC0E7D2606E9 SHA-1: 0x995060BCA0CD088B89516BCEA3D36E1360EB8B93	(not available)
18	%ProgramFiles%\AdvancedCleaner Free\img\logo.gif	5,966 bytes	MD5: 0xFD2AFDD1A280A83B5471279D17458F3F SHA-1: 0x655DB504F5CB6C5456C26C770D89DD5652C68D4B	(not available)
19	%ProgramFiles%\AdvancedCleaner Free\img\spacer.gif	43 bytes	MD5: 0xAC8DB5074CCA965A2880FC1397B1CEFB SHA-1: 0x366606473D4D89BB102A33B820C211156487C986	(not available)
20	%ProgramFiles%\AdvancedCleaner Free\img\top1.jpg	498 bytes	MD5: 0x18ECF4295372D9C0237F70C620725AAC SHA-1: 0x3D09BE86512718F75015306D3F882FC7D6A0802D	(not available)
21	%ProgramFiles%\AdvancedCleaner Free\img\top2.jpg	12,273 bytes	MD5: 0x3492DB9A1209661B964EC62A5B942259 SHA-1: 0xC8BA2112D5591A774D288815382FF24F72367688	(not available)
22	%ProgramFiles%\AdvancedCleaner Free\img\top_line.gif	50 bytes	MD5: 0x0E61E10090DA23A0968C2746222AC3BC SHA-1: 0x9DC5B7273D6C718680428DAD52E9FD52DCB5DDB0	(not available)
23	%ProgramFiles%\AdvancedCleaner Free\InstStat.exe	135,168 bytes	MD5: 0x647CA51F63343E6B81554B012B93935F SHA-1: 0x9383A0FF8B93BAF67409E6DDB4338EF21C054893	RogueAntiSpyware.AdvancedCleaner [PCTools] AdvancedCleaner [McAfee]
24	%ProgramFiles%\AdvancedCleaner Free\lapv.dat	3 bytes	MD5: 0x5B068A95442C7D5505B4166A77357EA5 SHA-1: 0x916A3B37862D25C71EB7293F7B653E91636F92A7	(not available)
25	%ProgramFiles%\AdvancedCleaner Free\license.rtf	10,295 bytes	MD5: 0x354AE80850E1B56D0842FF8EDD1405AF SHA-1: 0xAD9A14C51F7EA8FDDB3D739C5A5281BB2919428C	(not available)
26	%ProgramFiles%\AdvancedCleaner Free\manual.url	73 bytes	MD5: 0x0EFDAB94EF8E5963B0FCF3632B282A57 SHA-1: 0x18EB54DAA577581E39AAC74A59306103656EBC86	(not available)
27	%ProgramFiles%\AdvancedCleaner Free\mfc71.dll	1,060,864 bytes	MD5: 0xF35A584E947A5B401FEB0FE01DB4A0D7 SHA-1: 0x664DC99E78261A43D876311931694B6EF87CC8B9	(not available)
28	%ProgramFiles%\AdvancedCleaner Free\msvcp71.dll %System%\msvcp71.dll	499,712 bytes	MD5: 0x561FA2ABB31DFA8FAB762145F81667C2 SHA-1: 0xC8CCB04EEDAC821A13FAE314A2435192860C72B8	(not available)
29	%ProgramFiles%\AdvancedCleaner Free\msvcr71.dll	348,160 bytes	MD5: 0x86F1895AE8C5E8B17D99ECE768A70732 SHA-1: 0xD5502A1D00787D68F548DDEEBBDE1ECA5E2B38CA	(not available)
30	%ProgramFiles%\AdvancedCleaner Free\naglinks.dat	33,973 bytes	MD5: 0x07AA2A510A7B0DAF7AA4E42313D70B48 SHA-1: 0x3300923A773A20D85667D71C704A547F910D08C9	(not available)
31	%ProgramFiles%\AdvancedCleaner Free\readme.rtf	9,397 bytes	MD5: 0x8E684387C74BBC139820B8B46A89D1B1 SHA-1: 0xA2F4E211DBB933CFB302BDB6D9161862340EA7EB	(not available)
32	%ProgramFiles%\AdvancedCleaner Free\report.dat	63,447 bytes	MD5: 0xB85A928B5AC1C2AE689DA335860DD5C2 SHA-1: 0x3216BE89382B540F119E7BE978A2766CBF16F2F5	(not available)
33	%ProgramFiles%\AdvancedCleaner Free\req.dat	112 bytes	MD5: 0x73BA4F2BDAD84037C6BD2FD317BD6376 SHA-1: 0xF6B181B55A01809BB838BDBDA5054C5DB2C0D4FA	(not available)
34	%ProgramFiles%\AdvancedCleaner Free\request.dat	119 bytes	MD5: 0x7AE3834A40CD96E64D73BD4DC0873C89 SHA-1: 0x6830C9D9A13A90F2A11F9093A1DBC8CB8987360F	(not available)
35	%ProgramFiles%\AdvancedCleaner Free\support.url	74 bytes	MD5: 0x9BD58331703A72A2782C485F2018D0DD SHA-1: 0x0F75B3D2E6C2D3B6318F3087222762B81B9A2F7F	(not available)
36	%ProgramFiles%\AdvancedCleaner Free\tasks.dat	160 bytes	MD5: 0xE5D32E0B1E9826E5C90F5657BA659E98 SHA-1: 0x95DE1E6BF5725A6A28613B4ED5CB0C1CEB169290	(not available)
37	%ProgramFiles%\AdvancedCleaner Free\transformer.dat	2,949,120 bytes	MD5: 0x53851DE6D7BA2DCC4308F60A1C937AEF SHA-1: 0x95C584ACF95689127756AE66CC3EC7D2A2E2123B	(not available)
38	%ProgramFiles%\AdvancedCleaner Free\UADC.exe	1,558,528 bytes	MD5: 0xAB6A714D01C169F570129F1410B38FAE SHA-1: 0xDAB956603DEEF55224AA639FD29F581E4ED28A72	RogueAntiSpyware.AdvancedCleaner [PCTools] AdvancedCleaner [McAfee]
39	%ProgramFiles%\AdvancedCleaner Free\UADC.exe.manifest	705 bytes	MD5: 0xE0C0FC0DD5E6E2187AA9095E583D67BD SHA-1: 0x76D090498C13312D84172D6E2CAD6933DBB56B20	RogueAntiSpyware.AdvancedCleaner [PCTools]
40	%ProgramFiles%\AdvancedCleaner Free\UADC.url	56 bytes	MD5: 0xD26BEA1DE23BB020DDC58D8B4B008202 SHA-1: 0xF8514ADF5B10EA2420C225D1D08302793C5127AB	(not available)
41	%ProgramFiles%\AdvancedCleaner Free\UADC.xml	2,179,014 bytes	MD5: 0xD5DB3111CEAC1F154E14684C28140A06 SHA-1: 0x626CB7D2CE22C9059EF1C36701DB5C923AE7B75C	RogueAntiSpyware.AdvancedCleaner [PCTools]
42	%ProgramFiles%\AdvancedCleaner Free\UADCcw.exe	180,224 bytes	MD5: 0x02FB5A645B3058FEDC58BC35BB8726DE SHA-1: 0x0811EB06F69BF437A5718B25A2E3E9BD62858F98	RogueAntiSpyware.AdvancedCleaner [PCTools] not-a-virus:FraudTool.Win32.AdvancedCleaner.a [Kaspersky Lab] AdvancedCleaner [McAfee]
43	%ProgramFiles%\AdvancedCleaner Free\unins000.dat	7,670 bytes	MD5: 0x8D1C1B98E9458141776E71093F1C6EE5 SHA-1: 0xD65D357D2F1AE794C4273BB09F30A0C914536C47	(not available)
44	%ProgramFiles%\AdvancedCleaner Free\unins000.exe	692,569 bytes	MD5: 0xC277877D3191DD4203A870B7207EA57C SHA-1: 0xE4F08213C40DF6E1D365E369FF7FAE320F991A79	(not available)
45	%ProgramFiles%\AdvancedCleaner Free\uninstall.ico	1,406 bytes	MD5: 0xE2E51E0FBBEEA6A503848578389976DF SHA-1: 0x536FDDA9E987F70664798D7AB411F555903F5271	(not available)
46	%ProgramFiles%\AdvancedCleaner Free\UninstallPage.html	5,026 bytes	MD5: 0xFEA08BD4EDADA49C0147DD712B1F8F00 SHA-1: 0x0F9F3629A56EE20681DECC66B71889AFCDD65EB3	(not available)
47	%ProgramFiles%\AdvancedCleaner Free\upser.dat	33 bytes	MD5: 0xA7A0F6A6E31583FAEE6D8C9C4E8F855B SHA-1: 0x1BE639FCF6B980669BDA47EADC8C19351D208046	(not available)
48	[file and pathname of the sample #1]	4,941,731 bytes	MD5: 0xF1C5BF6FE74EE2615544FEDDB316237E SHA-1: 0xD6E5B2EEB5D5CB4B9EBD92B14E55D42847CB5C21	(not available)

• Notes:
• %CommonPrograms% is a variable that refers to the file system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\Documents and Settings\All Users\Start Menu\Programs (Windows NT/2000/XP).
• %DesktopDir% is a variable that refers to the file system directory used to physically store file objects on the desktop. A typical path is C:\Documents and Settings\[UserName]\Desktop.
• %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

• The following directories were created:
• %CommonPrograms%\AdvancedCleaner Free
• %ProgramFiles%\AdvancedCleaner Free
• %ProgramFiles%\AdvancedCleaner Free\AppDB
• %ProgramFiles%\AdvancedCleaner Free\img

Memory Modifications

• There were new processes created in the system:

Process Name	Process Filename	Main Module Size
InstStat.exe	%ProgramFiles%\AdvancedCleaner Free\InstStat.exe	135,168 bytes
uadccw.exe	%ProgramFiles%\advancedcleaner free\uadccw.exe	221,184 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	81,920 bytes
[filename of the sample #1].tmp	%Temp%\is-75PV7.tmp\[filename of the sample #1].tmp	741,376 bytes

• Notes:
• %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

Registry Modifications

• The following Registry Keys were created:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UADC_is1
• HKEY_LOCAL_MACHINE\SOFTWARE\AdvancedCleaner Free
• HKEY_LOCAL_MACHINE\SOFTWARE\UADC_3769470239
• HKEY_CURRENT_USER\Software\AdvancedCleaner Free

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• AdvancedCleaner Free = ""%ProgramFiles%\AdvancedCleaner Free\UADC.exe" /min"
• SM_IAN = "%ProgramFiles%\advancedcleaner free\ian_monitor.exe"
• UADC_3769470239 = ""%ProgramFiles%\AdvancedCleaner Free\UADCcw.exe" -c"

so that UADC.exe runs every time Windows starts
so that ian_monitor.exe runs every time Windows starts
so that UADCcw.exe runs every time Windows starts

• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UADC_is1]
• Inno Setup: Setup Version = "5.2.0"
• Inno Setup: App Path = "%ProgramFiles%\AdvancedCleaner Free"
• InstallLocation = "%ProgramFiles%\AdvancedCleaner Free\"
• Inno Setup: Icon Group = "AdvancedCleaner Free"
• Inno Setup: User = "%UserName%"
• Inno Setup: Selected Tasks = "desktopicon"
• Inno Setup: Deselected Tasks = "quicklaunchicon"
• DisplayName = "AdvancedCleaner Free 1.0.52.2"
• UninstallString = ""%ProgramFiles%\AdvancedCleaner Free\unins000.exe""
• QuietUninstallString = ""%ProgramFiles%\AdvancedCleaner Free\unins000.exe" /SILENT"
• Publisher = "AdvancedCleaner, Inc."
• URLInfoAbout = "http://www.advancedcleaner.com"
• HelpLink = "http://www.advancedcleaner.com"
• URLUpdateInfo = "http://www.advancedcleaner.com"
• NoModify = 0x00000001
• NoRepair = 0x00000001
• InstallDate = "20080107"
• [HKEY_LOCAL_MACHINE\SOFTWARE\AdvancedCleaner Free]
• Abbr = "UADC"
• InstallPath = "%ProgramFiles%\AdvancedCleaner Free"
• ActivationCode = "c536be66-e58c-4315-92ad-fd35e8724ca1"
• [HKEY_LOCAL_MACHINE\SOFTWARE\UADC_3769470239]
• UADC_3769470239 = 0x00000001

Other details

• To mark the presence in the system, the following Mutex object was created:
• uadc.exemutex

• The data identified by the following URL was then requested from the remote web server:
• http://inscan.advancedcleaner.com/?action=23&abbr=UADC__52.2&pc_id=525497056&ida=&led=&afr=&lp=&addt=&cnt=&lng=