Friday, July 29, 2016

PUP Friday: Cleaning up with 5 star awards

from Malwarebytes Unpacked

Systweak’s RegClean Pro is quite a popular piece of software. Top Ten Reviews, a consumer review portal based in Utah, has ranked it number one in its “Registry Repair Software” category, and the product boasts of having won more than a hundred 5-star awards. Yet in spite of all this, something is amiss: alongside the praise come plenty of criticisms, and we’ve seen a lot of them.

What is RegClean Pro?

It is a piece of software that markets itself as a registry cleaner and optimizer in order to improve the performance of the PC. It does this by removing redundant keys and/or entries from the Windows registry.

RegClean Pro arrives on user systems either as a downloaded file from www[DOT]systweak[DOT]com/registry-cleaner/, or as a program bundled with other free third-party software. The sample we’re using for this post has an MD5 hash value of 5b8e73834ad13039e7f9bc0338b4a946.

Although Systweak caters to various operating systems, RegClean Pro itself is Windows-only: it can be downloaded and used only by Windows users.

[image: regclean-pro-file]

What happens when you install RegClean Pro?

Upon execution, RegClean Pro attempts to fingerprint the machine it is being installed on by looking up the user’s Windows account name and the computer name. It does this behind the scenes while displaying the usual installer GUI that users expect to see. Below is a slideshow of these interfaces in succession:

[slideshow: installer interfaces]

It then opens the default browser to display the following “Thank you” message:

[image: regclean-pro-ty]

Finally, it creates the following scheduled tasks, which allow it to run again at set times of the day without any further action from the user:

[image: regclean-pro-tasksched]

Below is RegClean Pro’s shortcut after it finished installing:

[image: regclean-pro-shortcut]

To show how RegClean Pro behaves once installed, below is a slideshow of its interfaces (also in succession) after it launched on its own and opened the “Thank you” page above:

[slideshow: RegClean Pro interfaces after installation]

Notable files and/or folders added:

  • C:\Program Files (x86)\RegClean Pro\Cloud_Backup_Setup.exe
    • detected as PUP.Optional.MyPCBackup
  • C:\Program Files (x86)\RegClean Pro\Cloud_Backup_Setup_Intl.exe
    • detected as PUP.Optional.MyPCBackup
  • C:\Program Files (x86)\RegClean Pro\unins000.exe
    • detected as PUP.Optional.SysTweak
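The file paths, detection names and sample hash above are enough to check a Windows host for this installation by hand. The script below is an added example written for this page; it is not Malwarebytes code and is not part of the original post. It makes two assumptions the post does not spell out: that the scheduled tasks in the screenshot point at an executable under the RegClean Pro install folder, and that a downloaded installer may still be sitting in the user’s default Downloads folder. Run it from an elevated PowerShell prompt on Windows 8 / Server 2012 or later (where the ScheduledTasks module is available).

```powershell
# Added example (not Malwarebytes code): look for the RegClean Pro artifacts named in the post.
# Assumptions not stated on the page: scheduled-task actions live under the install folder,
# and the installer, if kept, is in the default Downloads folder.

$InstallDir   = Join-Path ${env:ProgramFiles(x86)} 'RegClean Pro'
$InstallerMd5 = '5B8E73834AD13039E7F9BC0338B4A946'   # MD5 of the sample quoted in the post
$DroppedFiles = @(
    'Cloud_Backup_Setup.exe',       # detected as PUP.Optional.MyPCBackup
    'Cloud_Backup_Setup_Intl.exe',  # detected as PUP.Optional.MyPCBackup
    'unins000.exe'                  # detected as PUP.Optional.SysTweak
)

$findings = @()

# 1. Dropped files: record presence and MD5 so the result can be compared with other sources.
foreach ($name in $DroppedFiles) {
    $path = Join-Path $InstallDir $name
    if (Test-Path -LiteralPath $path) {
        $md5 = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
        $findings += [pscustomobject]@{ Type = 'File'; Item = $path; Detail = "MD5 $md5" }
    }
}

# 2. Scheduled tasks whose action executes anything out of the install folder
#    (assumption: this is how the tasks in the post's screenshot are wired up).
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ($action.Execute -and $action.Execute -like '*RegClean Pro*') {
            $findings += [pscustomobject]@{
                Type   = 'ScheduledTask'
                Item   = "$($task.TaskPath)$($task.TaskName)"
                Detail = "$($action.Execute) $($action.Arguments)"
            }
        }
    }
}

# 3. The downloaded installer, if it is still around (assumption: default Downloads folder).
$downloads = Join-Path $env:USERPROFILE 'Downloads'
if (Test-Path -LiteralPath $downloads) {
    Get-ChildItem -LiteralPath $downloads -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash
            if ($hash -eq $InstallerMd5) {
                $findings += [pscustomobject]@{
                    Type   = 'Installer'
                    Item   = $_.FullName
                    Detail = 'MD5 matches the sample in the post'
                }
            }
        }
}

if ($findings.Count -eq 0) {
    Write-Output 'No RegClean Pro artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

The hash check only tells you whether you have the exact sample discussed here; a different build of the installer will hash differently, so treat the file-path and scheduled-task hits as the more durable indicators. Nothing is removed by this script; it only reports.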

Anything off with RegClean Pro’s End-User License Agreement?

For software that claims to clean the registry in order to improve PC performance, we find it quite odd to see the following passage in its EULA (emphasis ours):

NO PERFORMANCE WARRANTY. SYSTWEAK specifically disclaims any warranty for the amount
of performance increase or utility provided by the SOFTWARE PRODUCT. By purchasing
this software and accepting this EULA you specifically agree that you understand
that no representation or warranty is made by SYSTWEAK that the SOFTWARE PRODUCT
will necessarily increase performance or provide a utility benefit on your computer,
and that no claim of specific deficiency, defect, or underperformance has been made
with respect to your computer. Any claims of performance increases or utility made
for the software are those of possible or potential improvement or utility, and no
warranty is offered that a specific utility or amount of performance increase, if
any, will be realized on any particular computer. Each computer is different and
the scenarios under which they are used are different, and no claim is made that
any one computer or usage scenario shall see a performance increase or utility
benefit from the SOFTWARE PRODUCT. Your sole remedy for any dissatisfaction with
the presence of or the degree or amount of performance improvement or utility shall
be limited to the customer remedies described above.

Here’s another bit that we want to highlight in case you have used RegClean Pro and wish to hold Systweak responsible for the uncorrectable changes the software made to your system (emphasis ours):

BACKUP RESPONSIBILITY. The SOFTWARE PRODUCT is a system utility, and as such can
make irreversible changes to the state of computer on which it is run and that
SYSTWEAK cannot accurately predict or ensure the outcome in all possible scenarios,
and therefore purchaser agrees to make and test a complete system backup and backup
of all personal information before operating the SOFTWARE PRODUCT. You agree that
you accept all responsibility for reversing or correcting any changes made by the
SOFTWARE PRODUCT.

Does Malwarebytes Anti-Malware (MBAM) detect RegClean Pro?

We detect the RegClean Pro installer as PUP.Optional.RegCleanerPro and its other component files as PUP.Optional.RegCleanPro. You may refer to our forum page if you’re interested in knowing what these component files are, along with other technical details.

Conclusion

Systweak, the India-based developer of RegClean Pro, boasts of being a Microsoft Gold Partner. Some dodgy companies claim this too, but in Systweak’s case they indeed are an MS Gold Partner. For some users, a partnership with a tech giant is enough to convince them to try out third-party software, and they expect quality products and services because of it. In the end, however, many are let down, realizing that what they get is a PUP.

We have reported this company to Microsoft so they can open an investigation and hopefully consider revoking Systweak’s Gold partnership status.

As for registry cleaners in general, we consider them digital snake oil, so I wouldn’t touch them with a barge pole if I were you.


Jovi Umawing (Thanks to Pieter for the assist)
