This adware program must be downloaded manually from a website as part of ad supported software packages.
When the program is executed, it creates one of the following files:
- C:\Documents and Settings\All Users\Application Data\bProtector\protector.dll
- %System%\protector.dll
Next, the program creates one of the following registry entries so that it executes whenever Windows starts:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\"AppInit_DLLs" = "%System%\protector.dll"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\"AppInit_DLLs" = "C:\Documents and Settings\All Users\Application Data\bProtector\protector.dll"
It also creates the following registry subkey:
HKEY_CURRENT_USER\Software\bProtector
It may inject the file protector.dll into several processes.
It then contacts the following URL:
[http://]guardstats.smartiengine.com/service/kupdat[REMOVED]
It may also modify browser search settings.
