SafeStrip


Updated: September 12, 2007 2:59:49 PM
Type: Misleading Application
Name: SafeStrip
Risk Impact: Medium
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000


Behavior:

This program must be manually installed.

The program identifies a number of false threats on the computer.

The user is then prompted to pay for a full license of the application in order to remove the falsely identified threats.

Installation:
When the program is executed, it creates the following folder:
%ProgramFiles%\SafeStrip\Quarantine

It also creates the following files:
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\SafeStrip.lnk
  • %UserProfile%\Desktop\SafeStrip.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\SafeStrip\SafeStrip on the Web.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\SafeStrip\SafeStrip.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\SafeStrip\Uninstall SafeStrip.lnk
  • %ProgramFiles%\SafeStrip\backup.lst
  • %ProgramFiles%\SafeStrip\helper.sys
  • %ProgramFiles%\SafeStrip\SafeStrip.exe
  • %ProgramFiles%\SafeStrip\SafeStrip.url
  • %ProgramFiles%\SafeStrip\SafeStripReminder.exe
  • %ProgramFiles%\SafeStrip\SafeStripUpdate.exe
  • %ProgramFiles%\SafeStrip\Scripts\FileInfo.script
  • %ProgramFiles%\SafeStrip\Scripts\HTMLReport.script
  • %ProgramFiles%\SafeStrip\Scripts\MD5.script
  • %ProgramFiles%\SafeStrip\Scripts\MonitorReport.script
  • %ProgramFiles%\SafeStrip\Scripts\PendDel.script
  • %ProgramFiles%\SafeStrip\Scripts\Quarantine.script
  • %ProgramFiles%\SafeStrip\Scripts\Reports.script
  • %ProgramFiles%\SafeStrip\spyware.dat
  • %ProgramFiles%\SafeStrip\SysBackup\explorer.exe
  • %ProgramFiles%\SafeStrip\SysBackup\explorer.exe.md5
  • %ProgramFiles%\SafeStrip\SysBackup\ntoskrnl.exe
  • %ProgramFiles%\SafeStrip\SysBackup\ntoskrnl.exe.md5
  • %ProgramFiles%\SafeStrip\SysBackup\shlwapi.dll
  • %ProgramFiles%\SafeStrip\SysBackup\shlwapi.dll.md5
  • %ProgramFiles%\SafeStrip\SysBackup\wininet.dll
  • %ProgramFiles%\SafeStrip\SysBackup\wininet.dll.md5
  • %ProgramFiles%\SafeStrip\unins000.dat
  • %ProgramFiles%\SafeStrip\unins000.exe
  • %ProgramFiles%\SafeStrip\ver.dar
  • %ProgramFiles%\SafeStrip\ver.dat
  • %ProgramFiles%\SafeStrip\whitelist.cfg


Next, the program creates the following registry entries so that it executes whenever Windows starts:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"SafeStrip" = "%ProgramFiles%\SafeStrip\SafeStrip.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"SafeStripReminder" = "%ProgramFiles%\SafeStrip\SafeStripReminder.exe"
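
A way to check for the two Run entries above, given the saved output of `reg query` on the Run key. This is an added example and not part of the original writeup; the function names and the sample output are constructed for illustration.

```python
import re

# Run value names and image-path tails from the writeup's registry list.
# %ProgramFiles% differs per host, so only the path tail is compared.
SAFESTRIP_RUN = {
    "safestrip": r"\safestrip\safestrip.exe",
    "safestripreminder": r"\safestrip\safestripreminder.exe",
}
# One value line of `reg query` output: name, type, data.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")

# Constructed sample of `reg query` output, not captured from a real host.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    SafeStrip    REG_SZ    C:\Program Files\SafeStrip\SafeStrip.exe
    SafeStripReminder    REG_EXPAND_SZ    "%ProgramFiles%\SafeStrip\SafeStripReminder.exe" /min
"""

def parse_reg_query(text):
    """Yield (key, name, type, data) for every value in `reg query` output."""
    key = None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_LINE.match(line)):
            yield key, m["name"], m["type"], m["data"].strip()

def image_path(data):
    """Return the executable path from Run data, without quotes or arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = re.match(r"(?i)(.+?\.exe)(?:\s|$)", data)
    return m.group(1) if m else data

def find_safestrip_autoruns(text):
    """Return (value name, path) pairs that match the SafeStrip Run entries."""
    hits = []
    for key, name, _type, data in parse_reg_query(text):
        if not key.lower().endswith(r"\currentversion\run"):
            continue
        tail = SAFESTRIP_RUN.get(name.lower())
        path = image_path(data)
        if tail and path.lower().endswith(tail):
            hits.append((name, path))
    return hits

if __name__ == "__main__":
    for name, path in find_safestrip_autoruns(SAMPLE):
        print(f"SafeStrip autorun: {name} -> {path}")
```

Both the value name and the path tail must match, so an unrelated program that merely reuses the name "SafeStrip" is not reported.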


It also creates the following registry subkeys:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafeStrip_is1
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SAFESTRIPFILTER
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SAFESTRIPFILTER\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SAFESTRIPFILTER\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SafeStripFilter
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SafeStripFilter\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SafeStripFilter\Enum
  • HKEY_CURRENT_USER\Software\SafeStrip
  • HKEY_CURRENT_USER\Software\SafeStrip\FirstRun
  • HKEY_CURRENT_USER\Software\SafeStrip\Options
  • HKEY_CURRENT_USER\Software\SafeStrip\Register