I've made an experimental OpenSBI detection for RegCleanPro from SysTweak as PUPS, due to its aggressive advertising. I've used InCtrl5 to track the changes, then optimized it a bit, but for now it's nothing special.

However, I have no idea how to post it in the OpenSBI Files forum, as it's locked for posting by default. I've tried to use the Login option in OpenSBI Editor, but it fails as shown in the picture, even though the login is valid.

[screenshot: QFKzqHu.png]

How am I supposed to submit it?

Anyway, here's the code if you want to check it out:

Code:
// info: RegCleanPro
// author: Tom.K
// date: 2014-02-20 (2.0)
// copyright: (c) 2014 Safer-Networking Ltd. All rights reserved.
// count: 124
// reverse engineering prohibited!

:: RegCleanPro
// {Cat:PUPS}{Cnt:1}
// {Det:Tom.K,2014-02-20}


// {Cat:Test}{Cnt:1}
// {Det:Tom.K,2014-02-20}
RegyKey:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\","systweak"
RegyValue:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\systweak","MachineID"
RegyKey:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\systweak\","RegClean Pro"
RegyValue:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\systweak\RegClean Pro","ErrorCount"
RegyKey:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\systweak\RegClean Pro\","Version *"
RegyValue:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\systweak\RegClean Pro\Version *","TrialType"
RegyValue:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\systweak\RegClean Pro\Version *","StrLatestRestorePoint"
RegyValue:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\systweak\RegClean Pro\Version *","StrLatestRegDefrag"
RegyValue:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\systweak\RegClean Pro\Version *","StrLastStartupOpt"
RegyValue:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\systweak\RegClean Pro\Version *","StrLastScanResults"
RegyValue:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\systweak\RegClean Pro\Version *","StrLastScan"
RegyValue:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\systweak\RegClean Pro\Version *","StrLastOptimizeTime"
RegyValue:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\systweak\RegClean Pro\Version *","StartWhenWinBoots"
RegyValue:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\systweak\RegClean Pro\Version *","StartScan"
RegyValue:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\systweak\RegClean Pro\Version *","StartMinimized"
RegyValue:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\systweak\RegClean Pro\Version *","StartAutoTutorial"
RegyValue:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\systweak\RegClean Pro\Version *","StartAutoScanPMUI"
RegyValue:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\systweak\RegClean Pro\Version *","StartAutoScanOnLaunch"
RegyValue:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\systweak\RegClean Pro\Version *","SetEnableSound"
RegyValue:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\systweak\RegClean Pro\Version *","SetChkSkipEmptyKeys"
RegyValue:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\systweak\RegClean Pro\Version *","SetChkREmovableMedia"
RegyValue:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\systweak\RegClean Pro\Version *","SetChkDontShowRedTrayPopup"
RegyValue:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\systweak\RegClean Pro\Version *","ScheduledTime"
RegyValue:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\systweak\RegClean Pro\Version *","RegErrsFixedTillDate"
RegyValue:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\systweak\RegClean Pro\Version *","RegErrsFixedLast"
RegyValue:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\systweak\RegClean Pro\Version *","RegErrFoundTillDate"
RegyValue:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\systweak\RegClean Pro\Version *","NumTimesRCPRunned"
RegyValue:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\systweak\RegClean Pro\Version *","ImprovementProgram"
RegyValue:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\systweak\RegClean Pro\Version *","GoToSystemTrayOnClose"
RegyValue:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\systweak\RegClean Pro\Version *","FirstRun"
RegyValue:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\systweak\RegClean Pro\Version *","CurrentScanTime"
RegyValue:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\systweak\RegClean Pro\Version *","AutoRepair"
RegyKey:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\systweak\RegClean Pro\Version *\","LANG"
RegyValue:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\systweak\RegClean Pro\Version *\LANG","LangID"
RegyValue:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\systweak\RegClean Pro\Version *\LANG","LangCode"
RegyKey:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\systweak\","ssd"
RegyValue:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\systweak\ssd","ASOBUILDFOR"
RegyValue:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\systweak\ssd","ASO3CAM"
RegyValue:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\systweak\ssd","ASO3AFFILIATE"
RegyKey:"<$REG_UNINSTALL>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\","RegClean Pro_is[0-9]"
RegyValue:"<$REG_UNINSTALL>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RegClean Pro_is[0-9]","URLInfoAbout"
RegyValue:"<$REG_UNINSTALL>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RegClean Pro_is[0-9]","UninstallString"
RegyValue:"<$REG_UNINSTALL>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RegClean Pro_is[0-9]","QuietUninstallString"
RegyValue:"<$REG_UNINSTALL>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RegClean Pro_is[0-9]","Publisher"
RegyValue:"<$REG_UNINSTALL>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RegClean Pro_is[0-9]","NoRepair"
RegyValue:"<$REG_UNINSTALL>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RegClean Pro_is[0-9]","NoModify"
RegyValue:"<$REG_UNINSTALL>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RegClean Pro_is[0-9]","MinorVersion"
RegyValue:"<$REG_UNINSTALL>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RegClean Pro_is[0-9]","MajorVersion"
RegyValue:"<$REG_UNINSTALL>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RegClean Pro_is[0-9]","InstallLocation"
RegyValue:"<$REG_UNINSTALL>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RegClean Pro_is[0-9]","InstallDate"
RegyValue:"<$REG_UNINSTALL>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RegClean Pro_is[0-9]","Inno Setup: User"
RegyValue:"<$REG_UNINSTALL>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RegClean Pro_is[0-9]","Inno Setup: Setup Version"
RegyValue:"<$REG_UNINSTALL>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RegClean Pro_is[0-9]","Inno Setup: Language"
RegyValue:"<$REG_UNINSTALL>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RegClean Pro_is[0-9]","Inno Setup: Icon Group"
RegyValue:"<$REG_UNINSTALL>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RegClean Pro_is[0-9]","Inno Setup: App Path"
RegyValue:"<$REG_UNINSTALL>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RegClean Pro_is[0-9]","HelpLink"
RegyValue:"<$REG_UNINSTALL>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RegClean Pro_is[0-9]","DisplayVersion"
RegyValue:"<$REG_UNINSTALL>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RegClean Pro_is[0-9]","DisplayName"
RegyValue:"<$REG_UNINSTALL>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RegClean Pro_is[0-9]","DisplayIcon"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\","Systweak"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Systweak","MachineID"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Systweak\","Params"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Systweak\Params","utm_source"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Systweak\Params","utm_medium"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Systweak\Params","utm_campaign"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Systweak\Params","affiliateid"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Systweak\","RegClean Pro"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Systweak\RegClean Pro\","Version *"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Systweak\RegClean Pro\Version *","utm_source"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Systweak\RegClean Pro\Version *","utm_medium"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Systweak\RegClean Pro\Version *","utm_campaign"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Systweak\RegClean Pro\Version *","TELNOSPAIN"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Systweak\RegClean Pro\Version *","TELNO"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Systweak\RegClean Pro\Version *","RENEWALURL"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Systweak\RegClean Pro\Version *","RCPURL"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Systweak\RegClean Pro\Version *","MaxFixLimit"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Systweak\RegClean Pro\Version *","LaunchASP"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Systweak\RegClean Pro\Version *","InstallASP"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Systweak\RegClean Pro\Version *","InstallAmazon"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Systweak\RegClean Pro\Version *","FirstTimeASPFired"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Systweak\RegClean Pro\Version *","FireAmazonOffered"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Systweak\RegClean Pro\Version *","Expired"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Systweak\RegClean Pro\Version *\","LANG"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Systweak\RegClean Pro\Version *\LANG","LangID"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Systweak\","ssd"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Systweak\ssd","ASOBUILDFOR"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Systweak\ssd","ASO3CAM"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Systweak\ssd","ASO3AFFILIATE"
Directory:"<$DIR_PROGGROUP>","<$COMMONPROGRAMS>\RegClean Pro"
File:"<$FILE_GROUPENTRY>","<$COMMONPROGRAMS>\RegClean Pro\Uninstall RegClean Pro.lnk","filesize=722"
File:"<$FILE_GROUPENTRY>","<$COMMONPROGRAMS>\RegClean Pro\Register RegClean Pro.lnk","filesize=763"
File:"<$FILE_GROUPENTRY>","<$COMMONPROGRAMS>\RegClean Pro\RegClean Pro.lnk","filesize=737"
File:"<$FILE_GROUPENTRY>","<$COMMONDESKTOP>\RegClean Pro.lnk","filesize=725"
Directory:"<$DIR_APPDATA>","<$COMMONAPPDATA>\systweak"
Directory:"<$DIR_APPDATA>","<$COMMONAPPDATA>\systweak\RegClean Pro"
Directory:"<$DIR_APPDATA>","<$COMMONAPPDATA>\systweak\RegClean Pro\Version *"
File:"<$FILE_DATA>","<$COMMONAPPDATA>\systweak\RegClean Pro\Version *\TempHLList.rcp"
File:"<$FILE_DATA>","<$COMMONAPPDATA>\systweak\RegClean Pro\Version *\results.rcp"
File:"<$FILE_DATA>","<$COMMONAPPDATA>\systweak\RegClean Pro\Version *\log_*.log"
File:"<$FILE_DATA>","<$COMMONAPPDATA>\systweak\RegClean Pro\Version *\ExcludeList.rcp"
File:"<$FILE_DATA>","<$COMMONAPPDATA>\systweak\RegClean Pro\Version *\eng_rcp.dat"
Directory:"<$DIR_APPDATA>","<$COMMONAPPDATA>\systweak\ssd"
File:"<$FILE_EXE>","<$COMMONAPPDATA>\systweak\ssd\SSDPTstub.exe","filesize=580816"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\RegClean Pro"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\RegClean Pro\xmllite.dll","filesize=126976"
File:"<$FILE_UNINSTALLER>","<$PROGRAMFILES>\RegClean Pro\unins000.msg","filesize=22701"
File:"<$FILE_UNINSTALLER>","<$PROGRAMFILES>\RegClean Pro\unins000.exe","filesize=1199960"
File:"<$FILE_UNINSTALLER>","<$PROGRAMFILES>\RegClean Pro\unins000.dat","filesize=81711"
File:"<$FILE_DATA>","<$PROGRAMFILES>\RegClean Pro\*_uninst*.ini"
File:"<$FILE_DATA>","<$PROGRAMFILES>\RegClean Pro\*_rcp*.ini"
File:"<$FILE_EXE>","<$PROGRAMFILES>\RegClean Pro\systweakasp.exe","filesize=591896"
File:"<$FILE_EXE>","<$PROGRAMFILES>\RegClean Pro\SSDPTstub.exe","filesize=580816"
File:"<$FILE_EXE>","<$PROGRAMFILES>\RegClean Pro\RegCleanPro.exe","filesize=7911256"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\RegClean Pro\RegCleanPro.dll","filesize=1650688"
File:"<$FILE_UNINSTALLER>","<$PROGRAMFILES>\RegClean Pro\RCPUninstall.exe","filesize=537432"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\RegClean Pro\isxdl.dll","filesize=157016"
File:"<$FILE_PICTURE>","<$PROGRAMFILES>\RegClean Pro\install_left_image.bmp","filesize=156296"
File:"<$FILE_INSTALLER>","<$PROGRAMFILES>\RegClean Pro\Cloud_Backup_Setup_Intl.exe","filesize=73840"
File:"<$FILE_INSTALLER>","<$PROGRAMFILES>\RegClean Pro\Cloud_Backup_Setup.exe","filesize=73824"
File:"<$FILE_EXE>","<$PROGRAMFILES>\RegClean Pro\CleanSchedule.exe","filesize=101208"
File:"<$FILE_EXE>","<$WINDIR>\system32\roboot.exe","filesize=18776"
File:"<$FILE_DATA>","<$WINDIR>\Tasks\RegClean Pro_UPDATES.job","filesize=272"
File:"<$FILE_DATA>","<$WINDIR>\Tasks\RegClean Pro_DEFAULT.job","filesize=264"
I want to improve the detection to make the scan more dynamic, but filesize as a condition is weak: if the file gets updated, it won't be flagged as a detection. One way would be to set the condition to "greater than or equal to". Another way would be to search for a string in the executables so that they can be easily detected, but I would have to find a specific string that won't change. Even though RegCleanPro isn't updated a lot, I want to do it just for prevention purposes.

In addition, I want to configure how Spybot should detect the Program Files folder. If RegCleanPro is installed in some other folder, the detection will fail. To solve this issue, I could fetch the install path from the uninstaller's registry values to detect the path properly. If possible, there could be other ways of detecting paths, like fetching the install path from some files in the Application Data folder or similar.

For example, the registry string value "UninstallString" in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RegCleanPro
contains the following data:
"C:\InstalledLocation\unins000.exe"

I can use that data to detect files and folders by defining it as some user-defined variable.

And instead of this:

Directory:"<$DIR_PROG>","<$PROGRAMFILES>\RegClean Pro"
File:"<$FILE_EXE>","<$PROGRAMFILES>\RegClean Pro\systweakasp.exe","filesize=591896"

I could add this:

UserRegPath:HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RegClean Pro_is[0-9]","UninstallString","<$INSTALLDIR>","\uninst[0-9].exe"

The first value would be the key location, the second the string value, the third the user-defined name of the path to be used, and the last defines the end of the folder location, so that the executable name and anything after it gets ignored.

And then I could use this:

Directory:"<$DIR_PROG>","<$INSTALLDIR>"
File:"<$FILE_EXE>","<$INSTALLDIR>\systweakasp.exe","filesize=591896"

This is just a suggestion, though; it might still be complicated.

Waiting for a reply.
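The two ideas in the post, resolving the install folder from the uninstaller's UninstallString instead of hard-coding Program Files, and checking filesize with "greater than or equal to" instead of an exact match, can be tried out outside OpenSBI. The Python below is an added example written for this thread; it is not OpenSBI code and not part of the signature above. It implements the proposed UserRegPath semantics (strip a trailing wildcard pattern from the UninstallString path to get the folder) over a constructed stand-in for the Uninstall key, so it runs offline; on a live Windows system the same dictionary would be filled from winreg. The trailing pattern `\unins[0-9][0-9][0-9].exe` is an assumption based on the Inno Setup uninstaller name `unins000.exe` that appears in the signature, and the wildcard translation accepts both `\` and `/` as separators so the demo also runs on non-Windows hosts.

```python
import os
import re
import shutil
import tempfile

# Uninstall subkey name pattern taken from the signature (Inno Setup appends "_is1").
UNINSTALL_SUBKEY_PATTERN = "RegClean Pro_is[0-9]"


def pattern_to_regex(pattern):
    """Translate the wildcard syntax used in the signature ('*' and '[0-9]') into a regex.
    '\\' and '/' are both accepted as path separators (assumption, for portability)."""
    parts = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            parts.append(".*")
        elif c == "[":
            j = pattern.find("]", i)
            if j == -1:
                raise ValueError("unterminated character class in %r" % pattern)
            parts.append(pattern[i:j + 1])
            i = j
        elif c in "\\/":
            parts.append(r"[\\/]")
        else:
            parts.append(re.escape(c))
        i += 1
    return "".join(parts)


def parse_uninstall_string(data):
    """Extract the executable path from an UninstallString value.
    Inno Setup writes either a quoted path ("C:\\dir\\unins000.exe") or a bare one,
    possibly followed by switches such as /SILENT; both forms are handled."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:] if end == -1 else data[1:end]
    m = re.match(r"(.+?\.exe)(?:\s|$)", data, re.IGNORECASE)
    return m.group(1) if m else data


def resolve_install_dir(uninstall_string, tail_pattern):
    """Proposed UserRegPath semantics: the install folder is the UninstallString path with
    the trailing tail_pattern removed. Returns None when the tail does not match, so a
    renamed or unexpected uninstaller is not silently turned into a wrong folder."""
    exe = parse_uninstall_string(uninstall_string)
    rx = re.compile(pattern_to_regex(tail_pattern) + r"$", re.IGNORECASE)
    m = rx.search(exe)
    return None if m is None else exe[:m.start()]


def file_present(path, min_size=None):
    """File check using the '>= filesize' condition the post suggests instead of an exact size."""
    if not os.path.isfile(path):
        return False
    return min_size is None or os.path.getsize(path) >= min_size


def scan(uninstall_keys, tail_pattern, file_checks):
    """uninstall_keys: {subkey name: {value name: data}}, a stand-in for the contents of
    HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall. file_checks: list of
    (relative file name, minimum size or None). Returns the matching file paths found
    under the folder resolved from UninstallString."""
    subkey_rx = re.compile(pattern_to_regex(UNINSTALL_SUBKEY_PATTERN) + r"$", re.IGNORECASE)
    hits = []
    for name, values in uninstall_keys.items():
        if not subkey_rx.match(name):
            continue
        install_dir = resolve_install_dir(values.get("UninstallString", ""), tail_pattern)
        if install_dir is None:
            continue
        for relative, min_size in file_checks:
            full = os.path.join(install_dir, relative)
            if file_present(full, min_size):
                hits.append(full)
    return hits


def demo():
    """Constructed scenario: RegClean Pro installed to a non-default folder, one executable
    grown past the size in the signature (as after an update), one shrunk below it."""
    root = tempfile.mkdtemp()
    try:
        install_dir = os.path.join(root, "InstalledLocation")
        os.makedirs(install_dir)
        sizes = {"unins000.exe": 1199960, "systweakasp.exe": 591896 + 4096,
                 "CleanSchedule.exe": 101208 - 1}
        for name, size in sizes.items():
            with open(os.path.join(install_dir, name), "wb") as fh:
                fh.write(b"\0" * size)
        uninstall_keys = {  # constructed registry contents, not read from a real system
            "RegClean Pro_is1": {
                "DisplayName": "RegClean Pro",
                "UninstallString": '"%s" /SILENT' % os.path.join(install_dir, "unins000.exe"),
            },
            "SomeOtherApp_is1": {
                "UninstallString": '"%s"' % os.path.join(root, "other", "unins000.exe"),
            },
        }
        checks = [("unins000.exe", 1199960), ("systweakasp.exe", 591896),
                  ("CleanSchedule.exe", 101208)]
        hits = scan(uninstall_keys, r"\unins[0-9][0-9][0-9].exe", checks)
        return [os.path.basename(h) for h in hits]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The demo reports `unins000.exe` (exact size) and `systweakasp.exe` (larger than the signature size) but not `CleanSchedule.exe` (smaller), which is the behaviour of the proposed ">=" condition; note that a smaller file after an update would still be missed, which is why the post's other idea, matching a stable string inside the executable, complements it.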