BehaviorThe program must be manually installed.
The program reports false or exaggerated system security threats on the computer.
The user is then prompted to pay for a full license of the application in order to remove the errors.
InstallationWhen the program is executed, it creates the following files:
- %UserProfile%\Desktop\SpyKillerPro.lnk
- %UserProfile%\Start Menu\Programs\SpyKillerPro\SpyKillerPro.lnk
- %UserProfile%\Start Menu\Programs\SpyKillerPro\Uninstall.lnk
- %ProgramFiles%\SpyKillerPro\backup.lst
- %ProgramFiles%\SpyKillerPro\helper.sys
- %ProgramFiles%\SpyKillerPro\icon.ico
- %ProgramFiles%\SpyKillerPro\license.txt
- %ProgramFiles%\SpyKillerPro\pn.cfg
- %ProgramFiles%\SpyKillerPro\SpyKillerPro.exe
- %ProgramFiles%\SpyKillerPro\SpyKillerProUpdate.exe
- %ProgramFiles%\SpyKillerPro\SpyKillerPro_log.txt
- %ProgramFiles%\SpyKillerPro\spyware.dat
- %ProgramFiles%\SpyKillerPro\uninstall.exe
- %ProgramFiles%\SpyKillerPro\ver.dat
- %ProgramFiles%\SpyKillerPro\whitelist.cfg
Next, the program creates the following registry entries so that it executes whenever Windows starts:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Outerinfo" = "C:\WINDOWS\Outerinfo.exe"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"SpyKillerPro" = "C:\Program Files\SpyKillerPro\SpyKillerPro.exe"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"anti_troj" = "C:\WINDOWS\system32\anti_troj.exe"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"dmime" = "C:\WINDOWS\System32\dmime.exe"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"quartz" = "C:\WINDOWS\System32\quartz.exe"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"winavx" = "C:\WINDOWS\system32\WinAvXX.exe"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"windows update loader" = "C:\WINDOWS\xpupdate.exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"System" = "C:\WINDOWS\krln32.exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Tapicfg.exe" = "tapicfg.exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Windows Framework" = "C:\WINDOWS\system32\scvh0st.exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"anti_troj" = "C:\WINDOWS\system32\anti_troj.exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"bantool" = "bantool.exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"cssrss.exe" = "cssrss.exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"mmnext06" = "C:\WINDOWS\trjdwnl.dll"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"shellbn" = "C:\WINDOWS\shlext32.exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"vmlib" = "vmlib.exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"winavx" = "C:\WINDOWS\system32\WinAvXX.exe"
It also creates the following registry subkeys:
- HKEY_CURRENT_USER\Software\SpyKillerPro
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C6B8C69-9285-4D94-8492-9E920C8C2B65}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9a19966f-ae0e-4699-8cce-9b6f5f1c352c}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ABCDECF0-4B15-11D1-ABED-709549C10000}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D714A94F-123A-45CC-8F03-040BCAF82AD6}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyKillerPro
- HKEY_LOCAL_MACHINE\SOFTWARE\SpyKillerPro
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SpyKillerProFilter
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e7bd74f-2b8d-469e-dcf7-f96da086b434}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74f25a2c-22b3-4023-8f1a-ca616c30a8b5}
