VirusProtectPro

Updated: July 3, 2007 11:29:13 PM
Type: Misleading Application
Infection Length: 3,206,512 bytes and 1,740,800 bytes
Name: VirusProtect Pro
Version: 3.3.0
Publisher: VirusProtect Pro
Risk Impact: Medium
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows Server 2003, Windows 2000

It has been reported that the program gets downloaded by Trojan.Zlob.

Once run, the security risk creates the following folders:
  • %ProgramFiles%\VirusProtectPro 3.3
  • %ProgramFiles%\VirusProtectPro 3.3\Lang
  • %ProgramFiles%\VirusProtectPro 3.3\Logs
  • %ProgramFiles%\VirusProtectPro 3.3\Quarantine

It then creates the following files:
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\VirusProtectPro 3.3.lnk
  • %UserProfile%\Desktop\VirusProtectPro 3.3.lnk
  • %ProgramFiles%\VirusProtectPro 3.3\Uninstall VirusProtectPro 3.3.lnk
  • %ProgramFiles%\Programs\VirusProtectPro 3.3\VirusProtectPro 3.3 Website.lnk
  • %ProgramFiles%\VirusProtectPro 3.3\VirusProtectPro 3.3.lnk
  • %ProgramFiles%\VirusProtectPro 3.3.lnk
  • %ProgramFiles%\VirusProtectPro 3.3\blacklist.txt
  • %ProgramFiles%\VirusProtectPro 3.3\Lang\English.ini
  • %ProgramFiles%\VirusProtectPro 3.3\msvcp71.dll
  • %ProgramFiles%\VirusProtectPro 3.3\msvcr71.dll
  • %ProgramFiles%\VirusProtectPro 3.3\uninst.exe
  • %ProgramFiles%\VirusProtectPro 3.3\VirusProtectPro 3.3.exe
  • %ProgramFiles%\VirusProtectPro 3.3\VirusProtectPro 3.3.url
  • %ProgramFiles%\VirusProtectPro 3.3\vpp.dat

The security risk then creates the following registry entry so that it runs when Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"VirusProtectPro 3.3" = ""%ProgramFiles%\VirusProtectPro 3.3\VirusProtectPro 3.3.exe" /h"

It also creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\VirusProtectPro 3.3.exe 3.3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusProtectPro 3.3
HKEY_LOCAL_MACHINE\SOFTWARE\VirusProtectPro 3.3
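
The following is an added example, not part of the original writeup: a triage script that parses a registry export (.reg text) and flags the Run entry and the named subkeys listed above. The function names and the sample export are constructed for illustration; the script also flags any Run value that launches the same executable under a different value name.

```python
import re

# Indicators copied from the writeup above; matching is case-insensitive.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "VirusProtectPro 3.3"
IMAGE = r"\VirusProtectPro 3.3\VirusProtectPro 3.3.exe"
SUBKEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusProtectPro 3.3",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\VirusProtectPro 3.3",
)
STRING_VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg string data backslash-escapes both '\' and '"'
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Yield (key, name, data) per string value; (key, None, None) per key header."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
        elif key and (m := STRING_VALUE.match(line)):
            yield key, unescape(m.group(1)), unescape(m.group(2))

def find_hits(text):
    """Return ('autorun'|'subkey', detail) tuples for indicators found in the export."""
    subkeys = {k.lower() for k in SUBKEYS}
    hits = []
    for key, name, data in parse_reg(text):
        if name is None:
            if key.lower() in subkeys:
                hits.append(("subkey", key))
        elif key.lower() == RUN_KEY.lower():
            # Flag the documented value name, or any Run value launching the same image.
            if name.lower() == RUN_VALUE.lower() or IMAGE.lower() in data.lower():
                hits.append(("autorun", f"{name} -> {data}"))
    return hits

# Constructed sample export (not taken from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"VirusProtectPro 3.3"="\"C:\\Program Files\\VirusProtectPro 3.3\\VirusProtectPro 3.3.exe\" /h"

[HKEY_LOCAL_MACHINE\SOFTWARE\VirusProtectPro 3.3]
'''

if __name__ == "__main__":
    for kind, detail in find_hits(SAMPLE):
        print(kind, detail)
```

Exports written by regedit in "Version 5.00" format are UTF-16 encoded, so decode the file with `encoding="utf-16"` before passing its text to `find_hits`.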

It may give exaggerated reports of threats on the computer. The program then prompts the user to purchase a registered version of the software in order to remove the reported threats.