
PcTurboPro

Updated: December 21, 2007 4:46:13 PM
Type: Misleading Application
Name: PcTurboPro
Version: 1.1.52.1
Publisher: PcTurboPro
Risk Impact: Medium
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

Behavior
The misleading application may be silently installed by another program.

The program scans the computer for system performance problems.

When the scan is complete, it reports false or exaggerated system performance problems on the computer.

The user is then prompted to pay for a full license of the application in order to remove the errors.

Installation
When the program is executed, it creates the following files:
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\PCTurboPro.lnk
  • %UserProfile%\Application Data\PCTurbo Pro Free\Logs\update.log
  • %UserProfile%\Desktop\PCTurboPro.lnk
  • %UserProfile%\Local Settings\Temp\NI.UPCTP_0001_N101M1309\settings.ini
  • %UserProfile%\Local Settings\Temp\NI.UPCTP_0001_N101M1309\setup.exe
  • %UserProfile%\Local Settings\Temp\NI.UPCTP_0001_N101M1309\setup.len
  • C:\Documents and Settings\All Users\Start Menu\Programs\PCTurboPro\PCTurboPro Manual.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\PCTurboPro\PCTurboPro on the Web.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\PCTurboPro\PCTurboPro.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\PCTurboPro\Uninstall PCTurboPro.lnk
  • %CommonProgramFiles%\PCTurboPro\pasmon.exe
  • %ProgramFiles%\PCTurboPro_Free\AtlServ.exe
  • %ProgramFiles%\PCTurboPro_Free\bnlink.dat
  • %ProgramFiles%\PCTurboPro_Free\cpuinfo.dll
  • %ProgramFiles%\PCTurboPro_Free\err.log
  • %ProgramFiles%\PCTurboPro_Free\InstHelp.exe
  • %ProgramFiles%\PCTurboPro_Free\lapv.dat
  • %ProgramFiles%\PCTurboPro_Free\LibInfo.dll
  • %ProgramFiles%\PCTurboPro_Free\License.rtf
  • %ProgramFiles%\PCTurboPro_Free\manual.chm
  • %ProgramFiles%\PCTurboPro_Free\pctp.exe
  • %ProgramFiles%\PCTurboPro_Free\pctp.url
  • %ProgramFiles%\PCTurboPro_Free\pctp.xml
  • %ProgramFiles%\PCTurboPro_Free\pv.dat
  • %ProgramFiles%\PCTurboPro_Free\sr.log
  • %ProgramFiles%\PCTurboPro_Free\unins000.dat
  • %ProgramFiles%\PCTurboPro_Free\up.dat
  • %ProgramFiles%\PCTurboPro_Free\UPCTPcw.exe
  • %ProgramFiles%\PCTurboPro_Free\updater.dat


It then creates the following clean files:
  • %ProgramFiles%\PCTurboPro_Free\atl71.dll
  • %ProgramFiles%\PCTurboPro_Free\mfc71.dll
  • %ProgramFiles%\PCTurboPro_Free\msvcp71.dll
  • %ProgramFiles%\PCTurboPro_Free\msvcr71.dll
  • %ProgramFiles%\PCTurboPro_Free\unins000.exe
  • %System%\Cfx32.lic
  • %System%\cfx32.ocx


The program creates the following folders:
  • C:\Documents and Settings\All Users\Application Data\SalesMonitor
  • C:\Documents and Settings\All Users\Application Data\SalesMonitor\Data


Next, the program creates the following registry entries so that it executes whenever Windows starts:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"PCTurboPro" = "C:\Program Files\PCTurboPro_Free\pctp.exe logon"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Salestart" = "C:\Program Files\Common Files\PCTurboPro\pasmon.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"UPCTPcw" = "C:\Program Files\PCTurboPro_Free\UPCTPcw.exe -c"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"pctp_check" = ""
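
An added example, not part of the original write-up or of any vendor tooling: a Python check that parses saved `reg query` output for the Run key and flags the four value names and the two install directories listed above. The four-space column layout of the `reg query` output and the sample text are assumptions constructed for this example.

```python
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Run value names and install directories taken from the write-up above.
VALUE_NAMES = {"pcturbopro", "salestart", "upctpcw", "pctp_check"}
PATH_MARKERS = ("\\pcturbopro_free\\", "\\common files\\pcturbopro\\")

# Assumed value-line layout: indent, name, type, optional data (4-space gaps).
VALUE_LINE = re.compile(
    r"^\s+(?P<name>.+?)\s{4}(?P<type>REG_[A-Z_]+)(?:\s{4}(?P<data>.*))?$")

# Constructed sample: one unrelated entry plus three entries from the list.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    PCTurboPro    REG_SZ    C:\Program Files\PCTurboPro_Free\pctp.exe logon
    Salestart    REG_SZ    C:\Program Files\Common Files\PCTurboPro\pasmon.exe
    pctp_check    REG_SZ
"""

def parse_reg_query(text):
    """Yield (key, value name, data) for each value line under a key header."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            # Data may be absent entirely, as with the empty pctp_check value.
            yield key, m.group("name"), (m.group("data") or "").strip()

def find_pcturbopro_run_entries(text):
    """Return (name, data, reasons) for Run values matching the write-up."""
    hits = []
    for key, name, data in parse_reg_query(text):
        if key.lower() != RUN_KEY.lower():
            continue  # only the autostart key is of interest here
        reasons = []
        if name.lower() in VALUE_NAMES:
            reasons.append("value name")
        if any(marker in data.lower() for marker in PATH_MARKERS):
            reasons.append("image path")
        if reasons:
            hits.append((name, data, reasons))
    return hits

if __name__ == "__main__":
    for name, data, reasons in find_pcturbopro_run_entries(SAMPLE):
        print(f"{name!r} -> {data!r} (matched on {', '.join(reasons)})")
```

Matching on both the value name and the image path keeps the empty `pctp_check` value in scope and still flags an entry whose name differs but whose target sits in one of the listed directories.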


It also creates the following registry subkeys:
  • HKEY_CURRENT_USER\Software\PCTurboPro
  • HKEY_CLASSES_ROOT\AppID\AtlServ.EXE
  • HKEY_CLASSES_ROOT\AppID\ForseRemove
  • HKEY_CLASSES_ROOT\AppID\{67396B77-DEEA-4701-B384-8BE4DCDF4BD5}
  • HKEY_CLASSES_ROOT\AtlServ.CoInServ.1
  • HKEY_CLASSES_ROOT\AtlServ.CoInServ
  • HKEY_CLASSES_ROOT\CLSID\{67396B77-DEEA-4701-B384-8BE4DCDF4BD5}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UPCTP_is1
  • HKEY_LOCAL_MACHINE\SOFTWARE\PCTurboPro
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SServ


The program creates the following clean registry subkeys:
  • HKEY_CURRENT_USER\Software\Software FX, Inc
  • HKEY_CLASSES_ROOT\CLSID\{7930C862-4D6A-101B-8650-00AA003A4D8E}
  • HKEY_CLASSES_ROOT\CLSID\{8996B0A1-D7BE-101B-8650-00AA003A5593}
  • HKEY_CLASSES_ROOT\CLSID\{A9CF1100-4F9C-101B-8650-00AA003A4D8E}
  • HKEY_CLASSES_ROOT\CLSID\{A9CF1102-4F9C-101B-8650-00AA003A4D8E}
  • HKEY_CLASSES_ROOT\CLSID\{A9CF1104-4F9C-101B-8650-00AA003A4D8E}
  • HKEY_CLASSES_ROOT\CLSID\{A9CF1106-4F9C-101B-8650-00AA003A4D8E}
  • HKEY_CLASSES_ROOT\CLSID\{A9CF1108-4F9C-101B-8650-00AA003A4D8E}
  • HKEY_CLASSES_ROOT\CLSID\{A9CF110A-4F9C-101B-8650-00AA003A4D8E}
  • HKEY_CLASSES_ROOT\CLSID\{AC583F40-4F20-101B-8650-00AA003A4D8E}
  • HKEY_CLASSES_ROOT\Interface\{2DC488B0-D891-101B-8652-00AA003A5593}
  • HKEY_CLASSES_ROOT\Interface\{2DC488B1-D891-101B-8652-00AA003A5593}
  • HKEY_CLASSES_ROOT\Interface\{9FA54936-B425-4551-8D0E-8EF4025DF7A9}
  • HKEY_CLASSES_ROOT\SoftwareFX.ChartFX.20
  • HKEY_CLASSES_ROOT\TypeLib\{5243BDE8-2535-477B-AB99-A08202E77971}
  • HKEY_CLASSES_ROOT\TypeLib\{8996B0A4-D7BE-101B-8650-00AA003A5593}