Take care of a software called "UnSpyPC".
This software pretends to be a spyware removal tool.
You may find something like this on your PC:
Source: Symantec
File names:
UnSpyPC.exe
UnSpyPCUpdate.exe
When UnSpyPC is executed, it performs the following actions:
1. Creates the following files:
* %ProgramFiles%\UnSpyPC\UnSpyPC.exe
* %ProgramFiles%\UnSpyPC\UnSpyPCUpdate.exe
* %ProgramFiles%\UnSpyPC\uninstall.exe
* %ProgramFiles%\UnSpyPC\uns.ico
* %ProgramFiles%\UnSpyPC\warez.dat
* %ProgramFiles%\UnSpyPC\wover.dat
* %Desktop%\UnSpyPC Scanner & Monitor.lnk
Note:
* %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
* %Desktop% is a variable that refers to the Windows Desktop folder. By default, this is C:\Documents and Settings\Administrator\Desktop (Windows 95/98/Me) or C:\Documents and Settings\Administrator\Desktop (Windows NT/2000/XP).
2. Creates the following registry subkeys:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{BF69DF00-4734-477F-8257-27CD04F88779}
HKEY_CURRENT_USER\Software\UnSpyPC
HKEY_LOCAL_MACHINE\Software\UnSpyPC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\UnSpyPC
3. Adds the values:
"UnSpyPC" = "%ProgramFiles%\UnSpyPC\UnSpyPC.exe"
"[RANDOM STRING 1]" = "[RANDOM STRING 2].exe"
to the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
so that the risk runs every time Windows starts.
The variables [RANDOM STRING 1] and [RANDOM STRING 2] represent randomly chosen strings.
4. May add random registry entries. The added entries may look similar to the following registry entries:
HKCR\CLSID\{94A0E512-EFBE-18DE-9964-820E962F7FAD}\InprocServer32\
"(Default)" = "34763.dll"
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
"{94A0E512-EFBE-18DE-9964-820E962F7FAD}" = "DCC_send"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"SysSupport" = "sysconf16.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"newbreed" = "backorif.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"utsgmon" = "driver64.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"MON76234" = "NopeZ.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"cmon14" = "borlandg.exe"
Removal Instructions:
Delete the following directories
%programfilesdir%\UnSpyPC
Delete the following files
UnSpyPC.exe
UnSpyPCUpdate.exe
uninstall.exe
uns.ico
%programfilesdir%\UnSpyPC\warez.dat
%programfilesdir%\UnSpyPC\wover.dat
%desktopdir%\UnSpyPC Scanner & Monitor.lnk
Delete the following cookies
UnSpyPC does not create any cookies
Delete the following registry keys
UnSpyPC
UnSpyPC
{BF69DF00-4734-477F-8257-27CD04F88779}
{BF69DF00-4734-477F-8257-27CD04F88779}
UnSpyPC
Delete the following registry values
UnSpyPC
{BF69DF00-4734-477F-8257-27CD04F88779}
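
Added example (not part of the original post or of Symantec's write-up): a Python script that scans the text of a `reg export` file for the registry subkeys and Run values listed above. The function names, the sample export and the bare-file-name heuristic (Run data such as "sysconf16.exe" with no directory) are assumptions made for illustration; the heuristic can also match legitimate entries, so its hits are candidates for review.

```python
import re
# Indicators copied from the write-up above (stray spaces inside paths repaired).
KNOWN_KEYS = [k.lower() for k in (
    r"HKEY_CURRENT_USER\Software\UnSpyPC",
    r"HKEY_LOCAL_MACHINE\Software\UnSpyPC",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\UnSpyPC",
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions"
    r"\{BF69DF00-4734-477F-8257-27CD04F88779}",
)]
RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
BARE_EXE_RE = re.compile(r"[^\\/:\s]+\.exe", re.I)

def unescape(s):
    # .reg string values escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)

def scan_reg_export(text):
    """Return (reason, key, value_name, data) tuples for suspicious entries."""
    findings, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            if key.lower() in KNOWN_KEYS:
                findings.append(("known-key", key, None, None))
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or not key.lower().endswith(RUN_SUFFIX):
            continue
        name, data = unescape(m.group(1)), unescape(m.group(2))
        if name.lower() == "unspypc" or "\\unspypc\\" in data.lower():
            findings.append(("known-run-value", key, name, data))
        elif BARE_EXE_RE.fullmatch(data):
            # Assumed heuristic: Run data that is a bare .exe name with no directory
            findings.append(("bare-exe-run-value", key, name, data))
    return findings

# Constructed sample export (not captured from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\UnSpyPC]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"UnSpyPC"="C:\\Program Files\\UnSpyPC\\UnSpyPC.exe"
"SysSupport"="sysconf16.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''
if __name__ == "__main__":
    print(*scan_reg_export(SAMPLE), sep="\n")
```

Files written by `reg export` are UTF-16 by default, so open them with `encoding="utf-16"` before passing the text to `scan_reg_export`.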