You're in: Panda Security > Home Users > security-info > about-malware > encyclopedia > overview
Active Scan. Scan your PC free
Panda Security Product Line 2012

Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Encyclopedia GetVirusCard

YourPCProtector

 
Threat LevelLow threatDamageHighDistributionNot widespread

Effects 

YourPCProtector is an adware program that, once installed, prevents users from working with the computer properly, as it does not allow the files with an EXE extension to be run. In fact, when any of these files is run, a message like the following is displayed informing users that this file is infected:

Message displayed by YourPCProtector.

Additionally, it carries out the following actions, which are common of this type of fake antivirus programs:

  • It reaches the computer in a file with the following icon:

    Icon of YourPCProtector
  • When it is run and installed, the interface of the program is displayed and starts scanning the system in search for possible malware:

    Interface of YourPCProtector
  • Once finished, it displays a warning message informing users that the program has found infected programs and documents in the computer:

    Alert message displayed by YourPCProtector
  • If users decide to repair these files, the program will require them to register the license of the fake antivirus program and then they will be redirected to the website where the product can be purchased:

    Registration of YourPCProtector
  • If, on the contrary, they decide not to follow the program's instructions, different annoying messages will be displayed in order to make them think that their computer is really infected .
  • Some of the messages that are displayed on screen are like the following:

    - Security alert messages:

    Alert message displayed by YourPCProtector

    Alert message displayed by YourPCProtector

    - It also display a message that seems to be from the Windows Security Center in order to warn users that no antivirus has been found in the computer:

    Message imitating Windows Security Center

Infection strategy 

YourPCProtector creates a directory called Your PC Protector in the Program Files directory and a group of programs in the Start menu with the same name.

YourPCProtector creates the following files:

  • YOUR PC PROTECTOR.EXE, which is a copy of itself, in the folder Your PC Protector of the Program Files directory.
  • ALGGUI.EXESVCHOST.EXEADC32.DLLWP3.DATWP4.DATNUAR.OLD and SKYNET.DAT, in the Program Files directory.
  • YOUR PC PROTECTOR.LNK, in the Desktop. This file is a shortcut to the program:

    Shortcut to YourPCProtector

 

YourPCProtector creates the following entries in the Windows Registry:

  • HKEY_CURRENT_USER\Software\Your PC Protector
  • HKEY_CLASSES_ROOT\CLSID\{77DC0Baa-3235-4ba9-8BE8-aa9EB678FA02}
    By creating this entry, YourPCProtector registers itself as a BHO (Browser Helper Object). This way, it can monitor the websites accessed by the user.
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ Your PC Protector
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdbUpd

 

YourPCProtector modifies the following Windows Registry entry, so that whenever a file with an EXE extension is run, the file belonging to the fake antivirus program is run instead of the corresponding file:

  • HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default) = "%1" %*
    It changes this entry to:
    HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default) = C:\Program Files\alggui.exe "%1" %*

Means of transmission 

YourPCProtector can reach the computer when the user accesses certain websites which display banners or pop-up windows which lead to the download of this program. It can also reach the computer in a link that can be received via spam messages, fraudulent websites, etc.

Further Details  

YourPCProtector is 1,057,800 bytes in size and is compressed with UPX.