
SpyKillerPro

Updated: March 3, 2008 1:32:51 PM
Type: Misleading Application
Name: SpyKillerPro
Publisher: mastertools.us
Risk Impact: Medium
Systems Affected: Windows
Behavior
The program must be manually installed.

The program reports false or exaggerated system security threats on the computer.

The user is then prompted to pay for a full license of the application in order to remove the reported errors.

Installation
When the program is executed, it creates the following files:
  • %UserProfile%\Desktop\SpyKillerPro.lnk
  • %UserProfile%\Start Menu\Programs\SpyKillerPro\SpyKillerPro.lnk
  • %UserProfile%\Start Menu\Programs\SpyKillerPro\Uninstall.lnk
  • %ProgramFiles%\SpyKillerPro\backup.lst
  • %ProgramFiles%\SpyKillerPro\helper.sys
  • %ProgramFiles%\SpyKillerPro\icon.ico
  • %ProgramFiles%\SpyKillerPro\license.txt
  • %ProgramFiles%\SpyKillerPro\pn.cfg
  • %ProgramFiles%\SpyKillerPro\SpyKillerPro.exe
  • %ProgramFiles%\SpyKillerPro\SpyKillerProUpdate.exe
  • %ProgramFiles%\SpyKillerPro\SpyKillerPro_log.txt
  • %ProgramFiles%\SpyKillerPro\spyware.dat
  • %ProgramFiles%\SpyKillerPro\uninstall.exe
  • %ProgramFiles%\SpyKillerPro\ver.dat
  • %ProgramFiles%\SpyKillerPro\whitelist.cfg

Next, the program creates the following registry entries so that it executes whenever Windows starts:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Outerinfo" = "C:\WINDOWS\Outerinfo.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"SpyKillerPro" = "C:\Program Files\SpyKillerPro\SpyKillerPro.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"anti_troj" = "C:\WINDOWS\system32\anti_troj.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"dmime" = "C:\WINDOWS\System32\dmime.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"quartz" = "C:\WINDOWS\System32\quartz.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"winavx" = "C:\WINDOWS\system32\WinAvXX.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"windows update loader" = "C:\WINDOWS\xpupdate.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"System" = "C:\WINDOWS\krln32.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Tapicfg.exe" = "tapicfg.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Windows Framework" = "C:\WINDOWS\system32\scvh0st.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"anti_troj" = "C:\WINDOWS\system32\anti_troj.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"bantool" = "bantool.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"cssrss.exe" = "cssrss.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"mmnext06" = "C:\WINDOWS\trjdwnl.dll"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"shellbn" = "C:\WINDOWS\shlext32.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"vmlib" = "vmlib.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"winavx" = "C:\WINDOWS\system32\WinAvXX.exe"
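
To check a host for the persistence entries listed above, the following Python example (added here, not part of the Symantec writeup) parses saved output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and the HKLM equivalent, and flags values whose name or launched file matches the writeup's indicators. The indicator subset, the assumption that `reg query` prints four-space separated columns, and the sample dump are constructed for this example.

```python
import re
from pathlib import PureWindowsPath

# Subset of the writeup's Run-key entries (value name -> data); add the rest as-is.
KNOWN_RUN_ENTRIES = {
    "SpyKillerPro": r"C:\Program Files\SpyKillerPro\SpyKillerPro.exe",
    "windows update loader": r"C:\WINDOWS\xpupdate.exe",
    "Windows Framework": r"C:\WINDOWS\system32\scvh0st.exe",
    "Tapicfg.exe": "tapicfg.exe",
}
# Match on value name or launched file name, case-insensitively, so a re-named
# value that still starts scvh0st.exe is caught.
KNOWN_NAMES = {n.lower() for n in KNOWN_RUN_ENTRIES}
KNOWN_BASENAMES = {PureWindowsPath(d).name.lower() for d in KNOWN_RUN_ENTRIES.values()}

# One value line as `reg query` prints it (assumed four-space separated columns).
VALUE_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_\w+) {4}(?P<data>.*)$")
# .exe/.dll file names inside the data, tolerant of quoting and trailing arguments.
BASENAME = re.compile(r'[^\\/"]+\.(?:exe|dll)', re.IGNORECASE)

def parse_reg_query(text):
    """Yield (key, value_name, data) from `reg query <key> /s` output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_LINE.match(line)):
            yield key, m.group("name"), m.group("data")

def basenames(data):
    return {b.lower() for b in BASENAME.findall(data)}

def suspicious_run_entries(reg_output):
    """Return (key, name, data, reason) for entries matching the writeup's indicators."""
    hits = []
    for key, name, data in parse_reg_query(reg_output):
        if name.lower() in KNOWN_NAMES:
            hits.append((key, name, data, "value name"))
        elif basenames(data) & KNOWN_BASENAMES:
            hits.append((key, name, data, "file name"))
    return hits

# Constructed sample in `reg query` format; OneDrive and SecurityHealth are benign.
SAMPLE_REG_QUERY = r"""HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    SpyKillerPro    REG_SZ    C:\Program Files\SpyKillerPro\SpyKillerPro.exe
    windows update loader    REG_SZ    C:\WINDOWS\xpupdate.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    svc    REG_SZ    c:\windows\system32\SCVH0ST.EXE
"""
```

Running `suspicious_run_entries(SAMPLE_REG_QUERY)` flags SpyKillerPro and "windows update loader" by value name and the re-named "svc" value by its scvh0st.exe file name, while the two benign entries pass.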

It also creates the following registry subkeys:
  • HKEY_CURRENT_USER\Software\SpyKillerPro
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C6B8C69-9285-4D94-8492-9E920C8C2B65}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9a19966f-ae0e-4699-8cce-9b6f5f1c352c}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ABCDECF0-4B15-11D1-ABED-709549C10000}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D714A94F-123A-45CC-8F03-040BCAF82AD6}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyKillerPro
  • HKEY_LOCAL_MACHINE\SOFTWARE\SpyKillerPro
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SpyKillerProFilter
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e7bd74f-2b8d-469e-dcf7-f96da086b434}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74f25a2c-22b3-4023-8f1a-ca616c30a8b5}