Full Version: SpyKiller Pro
Malwarebytes Forum > Research Center > Newest Rogue Threats
SpySentinel
Symantec Write up about SpyKiller Pro

(Hum, the logo looks familiar)

http://www.symantec.com/business/security_...-99&tabid=2


Installation
When the program is executed, it creates the following files:

%UserProfile%\Desktop\SpyKillerPro.lnk
%UserProfile%\Start Menu\Programs\SpyKillerPro\SpyKillerPro.lnk
%UserProfile%\Start Menu\Programs\SpyKillerPro\Uninstall.lnk
%ProgramFiles%\SpyKillerPro\backup.lst
%ProgramFiles%\SpyKillerPro\helper.sys
%ProgramFiles%\SpyKillerPro\icon.ico
%ProgramFiles%\SpyKillerPro\license.txt
%ProgramFiles%\SpyKillerPro\pn.cfg
%ProgramFiles%\SpyKillerPro\SpyKillerPro.exe
%ProgramFiles%\SpyKillerPro\SpyKillerProUpdate.exe
%ProgramFiles%\SpyKillerPro\SpyKillerPro_log.txt
%ProgramFiles%\SpyKillerPro\spyware.dat
%ProgramFiles%\SpyKillerPro\uninstall.exe
%ProgramFiles%\SpyKillerPro\ver.dat
%ProgramFiles%\SpyKillerPro\whitelist.cfg


Next, the program creates the following registry entries so that it executes whenever Windows starts:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Outerinfo" = "C:\WINDOWS\Outerinfo.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"SpyKillerPro" = "C:\Program Files\SpyKillerPro\SpyKillerPro.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"anti_troj" = "C:\WINDOWS\system32\anti_troj.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"dmime" = "C:\WINDOWS\System32\dmime.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"quartz" = "C:\WINDOWS\System32\quartz.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"winavx" = "C:\WINDOWS\system32\WinAvXX.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"windows update loader" = "C:\WINDOWS\xpupdate.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"System" = "C:\WINDOWS\krln32.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Tapicfg.exe" = "tapicfg.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Windows Framework" = "C:\WINDOWS\system32\scvh0st.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"anti_troj" = "C:\WINDOWS\system32\anti_troj.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"bantool" = "bantool.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"cssrss.exe" = "cssrss.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"mmnext06" = "C:\WINDOWS\trjdwnl.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"shellbn" = "C:\WINDOWS\shlext32.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"vmlib" = "vmlib.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"winavx" = "C:\WINDOWS\system32\WinAvXX.exe"


It also creates the following registry subkeys:

HKEY_CURRENT_USER\Software\SpyKillerPro
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C6B8C69-9285-4D94-8492-9E920C8C2B65}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9a19966f-ae0e-4699-8cce-9b6f5f1c352c}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ABCDECF0-4B15-11D1-ABED-709549C10000}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D714A94F-123A-45CC-8F03-040BCAF82AD6}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyKillerPro
HKEY_LOCAL_MACHINE\SOFTWARE\SpyKillerPro
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SpyKillerProFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e7bd74f-2b8d-469e-dcf7-f96da086b434}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74f25a2c-22b3-4023-8f1a-ca616c30a8b5}
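A triage pass over the Run-key list in the write-up above, as an added example (not part of this post and not Symantec's code). It parses entries written in the same HIVE\...\Run\"name" = "data" notation and flags the traits an analyst would otherwise pick out by eye: a target given as a bare filename (resolved by path search at logon, so trivially hijackable), a .dll registered as a Run target, binaries dropped straight into the Windows root, filenames imitating core system processes (scvh0st.exe, cssrss.exe), and the same entry registered under both HKCU and HKLM. The list of system process names, the digit-to-letter normalisation and the edit-distance threshold are assumptions chosen for this example; the sample input is the write-up's own entries, embedded as a constructed string.

```python
"""Triage Run-key autostart entries listed in Symantec-style notation."""
import re
from dataclasses import dataclass

# Constructed sample input: the Run-key lines from the write-up above, copied
# in the  HIVE\...\Run\"name" = "data"  notation Symantec uses.
SAMPLE_RUN_ENTRIES = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Outerinfo" = "C:\WINDOWS\Outerinfo.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"SpyKillerPro" = "C:\Program Files\SpyKillerPro\SpyKillerPro.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"anti_troj" = "C:\WINDOWS\system32\anti_troj.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"dmime" = "C:\WINDOWS\System32\dmime.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"quartz" = "C:\WINDOWS\System32\quartz.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"winavx" = "C:\WINDOWS\system32\WinAvXX.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"windows update loader" = "C:\WINDOWS\xpupdate.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"System" = "C:\WINDOWS\krln32.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Tapicfg.exe" = "tapicfg.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Windows Framework" = "C:\WINDOWS\system32\scvh0st.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"anti_troj" = "C:\WINDOWS\system32\anti_troj.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"bantool" = "bantool.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"cssrss.exe" = "cssrss.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"mmnext06" = "C:\WINDOWS\trjdwnl.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"shellbn" = "C:\WINDOWS\shlext32.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"vmlib" = "vmlib.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"winavx" = "C:\WINDOWS\system32\WinAvXX.exe"
"""

# HIVE\<key ending in Run>\"<value name>" = "<value data>"
RUN_LINE = re.compile(r'^(HKEY_[A-Z_]+)\\(.+?\\Run)\\"([^"]*)"\s*=\s*"([^"]*)"\s*$')

# Assumption for this example: core Windows process names that rogue software
# likes to imitate. Extend to taste; it is not taken from the write-up.
SYSTEM_STEMS = ("svchost", "csrss", "lsass", "smss", "winlogon",
                "services", "explorer", "wininit", "spoolsv")


@dataclass(frozen=True)
class RunEntry:
    hive: str
    key: str
    name: str
    data: str

    @property
    def filename(self) -> str:
        # Last path component; a bare "bantool.exe" is its own filename.
        return self.data.rsplit("\\", 1)[-1].lower()


def parse_run_entries(text: str) -> list:
    """Parse every line in Symantec's Run-key notation; ignore anything else."""
    entries = []
    for line in text.splitlines():
        m = RUN_LINE.match(line.strip())
        if m:
            entries.append(RunEntry(*m.groups()))
    return entries


def normalize_stem(filename: str) -> str:
    """Drop the extension and undo the usual digit-for-letter swaps (0->o, 1->l)."""
    return filename.rsplit(".", 1)[0].translate(str.maketrans("01", "ol"))


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename: str):
    """Return the system process this filename imitates, or None (threshold is an assumption)."""
    stem = normalize_stem(filename)
    for legit in SYSTEM_STEMS:
        if stem != legit and levenshtein(stem, legit) <= 2:
            return legit
    return None


def triage(entries: list) -> list:
    """Return [(entry, [reason, ...])] for every entry that deserves a closer look."""
    hives_for = {}  # (name, data) -> hives it is registered in
    for e in entries:
        hives_for.setdefault((e.name.lower(), e.data.lower()), set()).add(e.hive)
    flagged = []
    for e in entries:
        reasons = []
        if not re.match(r"^[A-Za-z]:\\", e.data):
            reasons.append("unqualified path: resolved by path search at logon, trivially hijackable")
        if not e.data.lower().endswith(".exe"):
            reasons.append(f"non-.exe target (.{e.data.rsplit('.', 1)[-1]}) registered as a Run value")
        if re.match(r"^[A-Za-z]:\\windows\\[^\\]+$", e.data, re.I):
            reasons.append("binary dropped into the Windows root rather than System32 or Program Files")
        legit = lookalike_of(e.filename)
        if legit:
            reasons.append(f"filename imitates {legit}.exe")
        if len(hives_for[(e.name.lower(), e.data.lower())]) > 1:
            reasons.append("same entry registered under both HKCU and HKLM Run")
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    for entry, reasons in triage(parse_run_entries(SAMPLE_RUN_ENTRIES)):
        print(f"{entry.hive}\\...\\Run\\{entry.name!r} -> {entry.data}")
        for r in reasons:
            print("    -", r)
```

The same parser will accept a write-up pasted from any vendor that uses this notation; for a live host you would feed it the output of a registry export instead and compare the value names against the list above.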
Ruby
Some more information about SpyKillerPro on ThreatExpert
Sparsha
Well, looks like Symantec was a bit late on this one...

The installer of the SpyKillerPro application was earlier found on Xen.name, and here is a discussion about that topic: http://virusinfo.info/showthread.php?t=15309

Currently the SpyKillerPro installer is not on the Xen.name server.
SwampDiner
Added to RR 168