Updated: September 4, 2007 3:04:06 PM
Type: Misleading Application
Name: ErrorProtector
Publisher: ErrorProtector Inc.
Risk Impact: Medium
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
BehaviorErrorProtector can be downloaded from [http://]www.errorprotector.com or it can be installed by a downloader.
When it is executed and a scan is run, it scans the computer and displays exaggerated reports of errors on the computer.
The risk also displays a registration screen, asking the user to register the software to remove the supposed threats.
InstallationWhen the risk is installed, it creates the following files:
- %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\ErrorProtector.lnk
- %UserProfile%\Cookies\administrator@errorprotector[2].txt
- %UserProfile%\Desktop\ErrorProtector.lnk
- %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\ErrorProtector Unregistered Version\Contact customer support.lnk
- %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\ErrorProtector Unregistered Version\ErrorProtector on the Web.lnk
- %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\ErrorProtector Unregistered Version\ErrorProtector.lnk
- %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\ErrorProtector Unregistered Version\Uninstall ErrorProtector.lnk
- %ProgramFiles%\Common Files\ErrorProtector Free\startmon.exe
- %ProgramFiles%\ErrorProtector Free\Activate.dat
- %ProgramFiles%\ErrorProtector Free\atl71.dll
- %ProgramFiles%\ErrorProtector Free\bnlink.dat
- %ProgramFiles%\ErrorProtector Free\DataBase.sav
- %ProgramFiles%\ErrorProtector Free\ertmain.exe
- %ProgramFiles%\ErrorProtector Free\hmlink.dat
- %ProgramFiles%\ErrorProtector Free\insthelp.exe
- %ProgramFiles%\ErrorProtector Free\lapv.dat
- %ProgramFiles%\ErrorProtector Free\License.rtf
- %ProgramFiles%\ErrorProtector Free\mfc71.dll
- %ProgramFiles%\ErrorProtector Free\msvcp71.dll
- %ProgramFiles%\ErrorProtector Free\msvcr71.dll
- %ProgramFiles%\ErrorProtector Free\pv.dat
- %ProgramFiles%\ErrorProtector Free\readme.rtf
- %ProgramFiles%\ErrorProtector Free\ReportListFile.dat
- %ProgramFiles%\ErrorProtector Free\ResErrors.log
- %ProgramFiles%\ErrorProtector Free\sr.log
- %ProgramFiles%\ErrorProtector Free\support.url
- %ProgramFiles%\ErrorProtector Free\uertcookiemon.exe
- %ProgramFiles%\ErrorProtector Free\uerturl.url
- %ProgramFiles%\ErrorProtector Free\umain.xml
- %ProgramFiles%\ErrorProtector Free\unins000.dat
- %ProgramFiles%\ErrorProtector Free\unins000.exe
- %ProgramFiles%\ErrorProtector Free\up.dat
- %ProgramFiles%\ErrorProtector Free\updater.dat
- %ProgramFiles%\ErrorProtector Free\updater.exe
It may also create and populate the following folder:
%SystemDrive%\Documents and Settings\All Users\Application Data\ErrorProtector Free
The risk creates the following registry subkeys:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UERT_is1
- HKEY_LOCAL_MACHINE\SOFTWARE\ErrorProtector Free
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\ErrorProtector Unregistered Version
- HKEY_CURRENT_USER\Software\ErrorProtector Free
It also creates the following registry entries, so that it starts when Windows starts:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"ErrorProtector Free" = "C:\Program Files\ErrorProtector Free\ertmain.exe /min"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Salestart" = ""C:\Program Files\Common Files\ErrorProtector Free\startmon.exe""
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"ErrorProtector Free" = ""C:\Program Files\ErrorProtector Free\ertmain.exe""
Technorati
Digg
Delicious
Reddit
StumbleUpon
Facebook
Yahoo
Twitter
Faves
Newsvine
