You're in: Panda Security > Home Users > security-info > about-malware > encyclopedia > overview
Active Scan. Scan your PC free
Panda Security Product Line 2012

Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Encyclopedia GetVirusCard True 0

SpywareCleaner2010

 
Threat LevelLow threatDamageHighDistributionNot widespread

Effects 

SpywareCleaner2010 is a fake antivirus program that carries out the following actions:

  • When it is run, the installation process of the program is started:

    Screen of the program installation
  • Once installed in the computer, the main interface of the program is opened and it displays a message notifying users that it is a free trial version:

    Program interface
  • If users choose the free option, the program simulates that it is being updated and then starts scanning the system in search for possible malware.
  • The result of this scan indicates that the computer is infected with different type of malware, as can be seen in the image below:

    Scan carried out by the program
  • If users decide to eliminate these threats, the program will require them to enter a serial number in order to register. In case this is not correct, an error message like the following will be displayed:

    Registration process of SpywareCleaner2010
  • As users do not have the serial number of the product, they will be given the option to purchase it through the following website:

    Website to purchase SpywareCleaner2010

Infection strategy 

SpywareCleaner2010 creates the following folders:

  • rnsafe, in the Program Files directory.
  • Data, Quarantine, UP and UpTemp, in the folder rnsafe, in the Program Files directory.
  • a group of programs called Spyware Cleaner 2010 V4.05 in the Start menu with several links to different options of the fake antivirus:

    Group of programs of SpywareCleaner2010

 

SpywareCleaner2010 creates the following files in the folder rnsafe of the Program Files directory:

  • SPYWARECLEANER.EXE (main file), RNSCAN.EXE (which carries out the scan), UNINS000.EXE (program uninstaller), RNHOSTS.EXE, RNJKC.EXE, RNRC.EXE, RNRECYCEL.EXE, RNRELY.EXE, RNSETTINGS.EXE, RNSTARTUP.EXE, RNTEMP.EXE, RNUP.EXE and RNUPDATE.EXE.
  • RNAST.DAR, RNAXS.SQ, RNDES.ASW, RNDRV.SYS, RNDTH.ST, RNEL.BB, RNIG02.DST, RNQIZ.BA, RNRCP.BB, RNREC.DAT, RNRIC.BB, RNSAFE.URL, RNSO1.BB, RNWAD.AS, UP.RN and UPDATE.INI.

 

Additionally, SpywareCleaner2010 creates these other files:

  • SPYWARE CLEANER 2010 V4.05.LNK, in the Desktop. This file is a shortcut to the program:

    Shortcut to SpywareCleaner2010
  • SPYWARE CLEANER 2010 V4.05.LNK, in the Quick Launch bar.

 

 

SpywareCleaner2010 creates the following entries in the Windows Registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
    url1 = http://www.rn    <blocked>fe.com/
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*
    a =     %path where it has been run%\rnsetup.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe
    a =     %path where it has been run%\rnsetup.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0D87E4C9-67E9-4AAD-96E6-D70B3F15F8A3}_is1
    DisplayName = Spyware Cleaner 2010 V4.05
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0D87E4C9-67E9-4AAD-96E6-D70B3F15F8A3}_is1
    HelpLink = http://www.rn    <blocked>fe.com/
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0D87E4C9-67E9-4AAD-96E6-D70B3F15F8A3}_is1
    Inno Setup: App Path = C:\Program Files\rnsafe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0D87E4C9-67E9-4AAD-96E6-D70B3F15F8A3}_is1
    Inno Setup: Selected Tasks = desktopicon,quicklaunchicon
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0D87E4C9-67E9-4AAD-96E6-D70B3F15F8A3}_is1
    Inno Setup: Setup Version = 5.2.3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0D87E4C9-67E9-4AAD-96E6-D70B3F15F8A3}_is1
    Inno Setup: User =     %username%
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0D87E4C9-67E9-4AAD-96E6-D70B3F15F8A3}_is1
    InstallDate = Data: 20100614
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0D87E4C9-67E9-4AAD-96E6-D70B3F15F8A3}_is1
    InstallLocation = C:\Program Files\rnsafe\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0D87E4C9-67E9-4AAD-96E6-D70B3F15F8A3}_is1
    NoModify = 01, 00, 00, 00
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0D87E4C9-67E9-4AAD-96E6-D70B3F15F8A3}_is1
    NoRepair = 01, 00, 00, 00
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0D87E4C9-67E9-4AAD-96E6-D70B3F15F8A3}_is1
    Publisher = RnSafe Software Corporation
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0D87E4C9-67E9-4AAD-96E6-D70B3F15F8A3}_is1
    QuietUninstallString = C:\Program Files\rnsafe\unins000.exe /SILENT
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0D87E4C9-67E9-4AAD-96E6-D70B3F15F8A3}_is1
    UninstallString = C:\Program Files\rnsafe\unins000.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0D87E4C9-67E9-4AAD-96E6-D70B3F15F8A3}_is1
    URLInfoAbout = http://www.rn    <blocked>fe.com/
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0D87E4C9-67E9-4AAD-96E6-D70B3F15F8A3}_is1
    URLUpdateInfo = http://www.rn    <blocked>fe.com/

Means of transmission 

SpywareCleaner2010 can reach the computer when the user accesses certain websites which display banners or pop-up windows which lead to the download of this program. It can also reach the computer in a link that can be received via spam messages, fraudulent websites, etc.

Further Details  

SpywareCleaner2010 is 3,739,136 bytes in size.