Behavior
The program can be downloaded and manually installed.
The program reports false or exaggerated system security threats on the computer.

The user is then prompted to pay for a full license of the application in order to remove the threats.
Installation
When the program is executed, it creates the following files:
- %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\UnVirex.lnk
- %UserProfile%\Local Settings\Temp\[RANDOM CHARACTERS]\ext.dll
- %UserProfile%\Local Settings\Temp\[RANDOM CHARACTERS]\System.dll
- C:\Documents and Settings\All Users\Desktop\UnVirex.lnk
- C:\Documents and Settings\All Users\Start Menu\Programs\UnVirex\How to Register UnVirex.lnk
- C:\Documents and Settings\All Users\Start Menu\Programs\UnVirex\Register UnVirex.lnk
- C:\Documents and Settings\All Users\Start Menu\Programs\UnVirex\Uninstall.lnk
- C:\Documents and Settings\All Users\Start Menu\Programs\UnVirex\UnVirex.lnk
- C:\Documents and Settings\All Users\Start Menu\Programs\UnVirex.lnk
- %ProgramFiles%\UnVirex\daily.cvd
- %ProgramFiles%\UnVirex\Drvfltip.sys
- %ProgramFiles%\UnVirex\hjengine.dll
- %ProgramFiles%\UnVirex\IEAddon.dll
- %ProgramFiles%\UnVirex\main.cvd
- %ProgramFiles%\UnVirex\MFC71.dll
- %ProgramFiles%\UnVirex\MFC71ENU.DLL
- %ProgramFiles%\UnVirex\msvcp71.dll
- %ProgramFiles%\UnVirex\msvcr71.dll
- %ProgramFiles%\UnVirex\pthreadVC2.dll
- %ProgramFiles%\UnVirex\siglsp.dll
- %ProgramFiles%\UnVirex\uninstall.exe
- %ProgramFiles%\UnVirex\UnVirex.exe
Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"UnVirex" = "C:\Program Files\UnVirex\UnVirex.exe"
It then creates the following registry entries, which modify the LSP stack:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\00000001\"PackedCatalogItem" = "%ProgramFiles%\UnVirex\siglsp.dll"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000013\"PackedCatalogItem" = "%ProgramFiles%\UnVirex\siglsp.dll"
The program also creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\"UnVirex" = "UnVirex"
It also creates the following registry subkeys:
- HKEY_CLASSES_ROOT\AppID\IEAddon.DLL
- HKEY_CLASSES_ROOT\AppID\{C0E56AC2-9F72-436E-B6E7-AEC28AF9E4EB}
- HKEY_CLASSES_ROOT\CLSID\{CCB5551D-8594-4999-85F9-1E3EABCB95AC}
- HKEY_CLASSES_ROOT\IEAddon.StatusBarPane.1
- HKEY_CLASSES_ROOT\IEAddon.StatusBarPane
- HKEY_CLASSES_ROOT\Interface\{5B184B9D-B7BD-4FEA-8D1F-5E27182206A5}
- HKEY_CLASSES_ROOT\TypeLib\{3ED0E410-5C8E-47B6-A75D-D10B886E903C}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CCB5551D-8594-4999-85F9-1E3EABCB95AC}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UnVirex
- HKEY_LOCAL_MACHINE\SOFTWARE\UnVirex
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DrvFltIp
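
The artifacts listed above can be checked on a host with a read-only sweep. The following PowerShell is an added example, not part of the original writeup. Every path, value name and CLSID is copied from the lists above. It assumes a 32-bit registry layout as described on this page, and that PackedCatalogItem is stored as binary data beginning with the provider DLL path as a NUL-terminated ANSI string.

```powershell
# Added example: read-only check for the UnVirex artifacts listed in this writeup.
# Nothing is modified or deleted; matches are collected in $findings.
$findings = @()

# 1. Autostart value under the Run key
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'UnVirex' -ErrorAction SilentlyContinue
if ($run) { $findings += "Run value: $($run.UnVirex)" }

# 2. Browser Helper Object, driver service and product keys
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CCB5551D-8594-4999-85F9-1E3EABCB95AC}',
    'HKLM:\SYSTEM\CurrentControlSet\Services\DrvFltIp',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UnVirex',
    'HKLM:\SOFTWARE\UnVirex'
)
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings += "Key present: $k" }
}

# 3. Winsock LSP catalog: scan every entry rather than only the two numbered
#    entries in the writeup, since entry numbers differ between hosts.
$catalog = 'HKLM:\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries'
foreach ($entry in (Get-ChildItem -Path $catalog -ErrorAction SilentlyContinue)) {
    $item = $entry.GetValue('PackedCatalogItem')
    if ($item -is [byte[]]) {
        # Assumption: the blob starts with the DLL path, NUL-terminated ANSI
        $end = [Array]::IndexOf($item, [byte]0)
        if ($end -lt 0) { $end = $item.Length }
        $dll = [Text.Encoding]::ASCII.GetString($item, 0, $end)
        if ($dll -match '(?i)\\UnVirex\\siglsp\.dll$') {
            $findings += "LSP entry $($entry.PSChildName): $dll"
        }
    }
}

# 4. Files in the install directory
$dir = Join-Path $env:ProgramFiles 'UnVirex'
foreach ($f in 'UnVirex.exe', 'siglsp.dll', 'IEAddon.dll', 'Drvfltip.sys') {
    $p = Join-Path $dir $f
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

if ($findings) { $findings } else { 'No UnVirex artifacts found' }
```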