Analysis by: Maria Emreen Viray

Alias

Win32/ReImageRepair.P (NOD32)

Platform:

Windows

Overall risk rating:
Damage potential:
Distribution potential:
Reported infection:
Information exposure:
(Rating scale used above: Low, Medium, High, Critical. The individual ratings were shown graphically on the original page and are not reproduced here.)

  • Threat type
    Potentially Unwanted Application

  • Destructive?
    No

  • Encrypted
     

  • In the Wild:

  Overview

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  Technical details

File size: 586,224 bytes
File type: EXE
Memory resident: No
Initial samples received date: 09 September 2021

Arrival details

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

It drops the following files:

  • %Program Files%\Reimage\Reimage Repair\LZMA.EXE
  • %Program Files%\Reimage\Reimage Repair\REI_AVIRA.exe
  • %Program Files%\Reimage\Reimage Repair\REI_Axcontrol.dll
  • %Program Files%\Reimage\Reimage Repair\REI_Axcontrol.lza
  • %Program Files%\Reimage\Reimage Repair\REI_Engine.dll
  • %Program Files%\Reimage\Reimage Repair\REI_Engine.lza
  • %Program Files%\Reimage\Reimage Repair\REI_SupportInfoTool.exe
  • %Program Files%\Reimage\Reimage Repair\Reimage Repair Help & Support.url
  • %Program Files%\Reimage\Reimage Repair\Reimage Repair Privacy Policy.url
  • %Program Files%\Reimage\Reimage Repair\Reimage Repair Terms of Use.url
  • %Program Files%\Reimage\Reimage Repair\Reimage Repair Uninstall Instructions.url
  • %Program Files%\Reimage\Reimage Repair\Reimage.exe
  • %Program Files%\Reimage\Reimage Repair\ReimageReminder.exe
  • %Program Files%\Reimage\Reimage Repair\ReimageRepair.exe
  • %Program Files%\Reimage\Reimage Repair\ReimageSafeMode.exe
  • %Program Files%\Reimage\Reimage Repair\Reimage_SafeMode.ico
  • %Program Files%\Reimage\Reimage Repair\Reimage_uninstall.ico
  • %Program Files%\Reimage\Reimage Repair\Reimage_website.ico
  • %Program Files%\Reimage\Reimage Repair\Reimageicon.ico
  • %Program Files%\Reimage\Reimage Repair\msvcr120.dll
  • %Program Files%\Reimage\Reimage Repair\savapi.dll
  • %Program Files%\Reimage\Reimage Repair\uninst.exe
  • %Program Files%\Reimage\Reimage Repair\version.rei
  • %Programs%\Reimage Repair\Help & Support.lnk
  • %Programs%\Reimage Repair\Privacy Policy.lnk
  • %Programs%\Reimage Repair\Reimage Repair.lnk
  • %Programs%\Reimage Repair\Run in safe mode.lnk
  • %Programs%\Reimage Repair\Terms of Use.lnk
  • %Programs%\Reimage Repair\Uninstall Instructions.lnk
  • %Programs%\Reimage Repair\Uninstall.lnk
  • %Public%\Desktop\PC Scan & Repair by Reimage.lnk
  • %System Root%\rei\AV\HBEDV.KEY
  • %System Root%\rei\AV\avupdate.exe
  • %System Root%\rei\AV\avupdate_msg.avr
  • %System Root%\rei\AV\cacert.crt
  • %System Root%\rei\AV\msvcr120.dll
  • %System Root%\rei\AV\productname.dat
  • %System Root%\rei\AV\savapi.exe
  • %System Root%\rei\AV\savapi_restart.exe
  • %System Root%\rei\AV\savapi_stub.exe
  • %System Root%\rei\AV\xbvRei.vdf
  • %System Root%\rei\About.txt
  • %System Root%\rei\SupportInfoTool.ini
  • %System Root%\rei\cfl.rei
  • %System Root%\rei\rpe1.rei
  • %User Temp%\ReimagePackage.exe
  • %User Temp%\ack.txt
  • %User Temp%\downloader log.txt
  • %User Temp%\downloader_version.xml
  • %User Temp%\ns{random}.tmp\Banner.dll
  • %User Temp%\ns{random}.tmp\ExecDos.dll
  • %User Temp%\ns{random}.tmp\UserInfo.dll
  • %User Temp%\ns{random}.tmp\ns934E.tmp
  • %User Temp%\ns{random}.tmp\registry.dll
  • %User Temp%\ns{random}.tmp\stack.dll
  • %User Temp%\ns{random}.tmp\xml.dll
  • %User Temp%\repair setup log.txt
  • %User Temp%\repair_version.xml
  • %User Temp%\ProtectorPackage.log
  • %Windows%\Reimage.ini
  • Temporary files (deleted afterwards):
    • %Application Data%\Microsoft\Windows\Cookies\dyituser_732@reimageplus[1].txt
    • %Application Data%\Microsoft\Windows\Cookies\dyituser_732@reimageplus[2].txt
    • %Program Files%\Reimage\Reimage Repair\engine.dat
    • %Program Files%\Reimage\Reimage Repair\reimage.dat
    • %Public%\Desktop\Resume Reimage Repair Installation.lnk
    • %User Temp%\Chrome.txt
    • %User Temp%\FF.bat
    • %User Temp%\FF.txt
    • %User Temp%\InstallationPixel.txt
    • %User Temp%\IsProcessActive.txt
    • %User Temp%\cfl.rei
    • %User Temp%\ns{random}.tmp
    • %User Temp%\ns{random}.tmp\DcryptDll.dll
    • %User Temp%\ns{random}.tmp\LogEx.dll
    • %User Temp%\ns{random}.tmp\ProtectorUpdater.exe
    • %User Temp%\ns{random}.tmp\System.dll
    • %User Temp%\ns{random}.tmp\inetc.dll
    • %User Temp%\ns{random}.tmp\installer-164x314.bmp
    • %User Temp%\ns{random}.tmp\modern-header.bmp
    • %User Temp%\ns{random}.tmp\nsDialogs.dll
    • %User Temp%\ns{random}.tmp\nsExec.dll
    • %User Temp%\ns{random}.tmp\ns{random}.tmp
    • %User Temp%\sqlite3.exe

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files. %System Root% is the root folder, usually C:\. It is also where the operating system is located. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit), and 10(64-bit). %Windows% is the Windows folder, usually C:\Windows or C:\WINNT. %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit), and 10(64-bit).)

It adds the following processes:

  • %Program Files%\Reimage\Reimage Repair\lzma.exe "d" "%Program Files%\Reimage\Reimage Repair\REI_Axcontrol.lza" "%Program Files%\Reimage\Reimage Repair\REI_Axcontrol.dll"
  • %Program Files%\Reimage\Reimage Repair\lzma.exe "d" "%Program Files%\Reimage\Reimage Repair\REI_Engine.lza" "%Program Files%\Reimage\Reimage Repair\REI_Engine.dll"
  • %User Temp%\ReimagePackage.exe /GUI=http://www.reimageplus.com/GUI/GUI1957/layout.php?consumer=1&gui_branch=0&trackutil=&MinorSessionID=2121df41158a4db49b16a66b97&lang_code=en&bundle=0&loadresults=0&ShowSettings=false "/Location=%System Root%\_Tset\asf.exe" /trackutil= /CookieTracking= /CookieCampaign= /EventUser=New /Update=1 /DownloaderVersion=1956 /RunSilent=false /SessionID=1991edc7-d4d6-4d92-8de3-4ade0df88bb2 /IDMinorSession=2121df41158a4db49b16a66b97 /pxkp=Delete /ScanSilent=0 /Close=0 /cil=DISABLED /ShowName=False /Language=1033 /GuiLang=en /AgentStatus=DISABLED /StartScan=1 /VersionInfo=versionInfo /ShowSettings=true
  • %User Temp%\ns{random}.tmp\ns{random}.tmp "%Program Files%\Reimage\Reimage Repair\lzma.exe" "d" "%Program Files%\Reimage\Reimage Repair\REI_Axcontrol.lza" "%Program Files%\Reimage\Reimage Repair\REI_Axcontrol.dll"
  • %User Temp%\ns{random}.tmp\ns{random}.tmp "%Program Files%\Reimage\Reimage Repair\lzma.exe" "d" "%Program Files%\Reimage\Reimage Repair\REI_Engine.lza" "%Program Files%\Reimage\Reimage Repair\REI_Engine.dll"
  • %User Temp%\ns{random}.tmp\ns{random}.tmp "%User Temp%\FF.bat" > %User Temp%\FF.txt
  • %User Temp%\ns{random}.tmp\ns{random}.tmp cmd /C tasklist /FI "IMAGENAME eq Fiddler.exe" > %User Temp%\IsProcessActive.txt
  • %User Temp%\ns{random}.tmp\ns{random}.tmp cmd /C tasklist /FI "IMAGENAME eq GeoProxy.exe" > %User Temp%\IsProcessActive.txt
  • %User Temp%\ns{random}.tmp\ns{random}.tmp cmd /C tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" > %User Temp%\IsProcessActive.txt
  • %User Temp%\ns{random}.tmp\ns{random}.tmp cmd /C tasklist /FI "IMAGENAME eq REI_avira.exe" > %User Temp%\IsProcessActive.txt
  • %User Temp%\ns{random}.tmp\ns{random}.tmp cmd /C tasklist /FI "IMAGENAME eq Reimage.exe" > %User Temp%\IsProcessActive.txt
  • %User Temp%\ns{random}.tmp\ns{random}.tmp cmd /C tasklist /FI "IMAGENAME eq Reimage.exe" > %User Temp%\IsProcessActive.txt
  • %User Temp%\ns{random}.tmp\ns{random}.tmp cmd /C tasklist /FI "IMAGENAME eq ReimagePackage.exe" > %User Temp%\IsProcessActive.txt
  • %User Temp%\ns{random}.tmp\ns{random}.tmp cmd /C tasklist /FI "IMAGENAME eq Wireshark.exe" > %User Temp%\IsProcessActive.txt
  • %User Temp%\ns{random}.tmp\ns{random}.tmp cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > %User Temp%\IsProcessActive.txt
  • %User Temp%\ns{random}.tmp\ns{random}.tmp cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > %User Temp%\IsProcessActive.txt
  • %User Temp%\sqlite3.exe "%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_campaign'
  • %User Temp%\sqlite3.exe "%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_country'
  • %User Temp%\sqlite3.exe "%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_trackid'
  • %User Temp%\sqlite3.exe "%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_tracking'
  • %User Temp%\sqlite3.exe %AppDataLocal%\Google\Chrome\User Data\Default\Cookies" "select name, expires_utc from cookies where host_key like '%reimageplus.com' and name like '_campaign_%'
  • %User Temp%\sqlite3.exe %AppDataLocal%\Google\Chrome\User Data\Default\Cookies" "select name, expires_utc from cookies where host_key like '%reimageplus.com' and name like '_country_%'
  • %User Temp%\sqlite3.exe %AppDataLocal%\Google\Chrome\User Data\Default\Cookies" "select name, expires_utc from cookies where host_key like '%reimageplus.com' and name like '_trackid_%'
  • %User Temp%\sqlite3.exe %AppDataLocal%\Google\Chrome\User Data\Default\Cookies" "select name, expires_utc from cookies where host_key like '%reimageplus.com' and name like '_tracking_%'
  • %User Temp%\sqlite3.exe %AppDataLocal%\Google\Chrome\User Data\Default\Cookies" "select value, expires_utc from cookies where host_key like '%reimageplus.com' and name='_campaign'
  • %User Temp%\sqlite3.exe %AppDataLocal%\Google\Chrome\User Data\Default\Cookies" "select value, expires_utc from cookies where host_key like '%reimageplus.com' and name='_country'
  • %User Temp%\sqlite3.exe %AppDataLocal%\Google\Chrome\User Data\Default\Cookies" "select value, expires_utc from cookies where host_key like '%reimageplus.com' and name='_trackid'
  • %User Temp%\sqlite3.exe %AppDataLocal%\Google\Chrome\User Data\Default\Cookies" "select value, expires_utc from cookies where host_key like '%reimageplus.com' and name='_tracking'
  • regsvr32 /s "%Program Files%\Reimage\Reimage Repair\REI_Axcontrol.dll"
  • regsvr32 /s "%Program Files%\Reimage\Reimage Repair\REI_Engine.dll"
  • regsvr32 /s "%Windows%\system32\jscript.dll"
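Two behaviours in the process list above are useful detection hooks for defenders: the `tasklist /FI "IMAGENAME eq ..."` probes for analysis and proxy tools (Fiddler, GeoProxy, HMA! Pro VPN, Wireshark), and the `sqlite3.exe` queries against the Firefox and Chrome cookie databases. The following Python triage rule is an added example, not part of this report or of the Reimage software; it scans process command lines (for instance from Sysmon event ID 1 or EDR telemetry) and flags those two patterns. The sample command lines, the user name `alice` and the resolved paths are constructed to mirror the entries on this page.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Analysis/proxy tool names the installer probes for with "tasklist /FI"
# (taken from the process list in this report). Its own components
# (Reimage.exe, avupdate.exe, ...) are also probed but are not interesting.
PROBED_TOOLS = {"fiddler.exe", "geoproxy.exe", "hma! pro vpn.exe", "wireshark.exe"}

TASKLIST_RE = re.compile(r'tasklist\s+/FI\s+"IMAGENAME eq ([^"]+)"', re.IGNORECASE)

# sqlite3.exe <path to cookies.sqlite or ...\Cookies> "select ...".
# The opening/closing quotes are optional because, as on this page, the
# logged command line may have lost one of them.
SQLITE_COOKIE_RE = re.compile(
    r'sqlite3\.exe\s+"?([^"]*?(?:cookies\.sqlite|\\Cookies))"?\s+"(select[^"]*)',
    re.IGNORECASE,
)


@dataclass
class Finding:
    rule: str    # "analysis-tool-probe" or "browser-cookie-read"
    detail: str  # probed image name, or "<browser>: <query>"


def classify(cmdline: str) -> Optional[Finding]:
    """Return a Finding for one process command line, or None if not matched."""
    m = TASKLIST_RE.search(cmdline)
    if m:
        name = m.group(1).strip()
        if name.lower() in PROBED_TOOLS:
            return Finding("analysis-tool-probe", name)
        return None  # tasklist on its own components is expected noise
    m = SQLITE_COOKIE_RE.search(cmdline)
    if m:
        db, query = m.group(1), m.group(2)
        browser = "firefox" if db.lower().endswith("cookies.sqlite") else "chrome"
        return Finding("browser-cookie-read", f"{browser}: {query.strip()}")
    return None


def scan(cmdlines: List[str]) -> List[Finding]:
    """Classify every command line and keep only the hits, in input order."""
    return [f for f in (classify(c) for c in cmdlines) if f is not None]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count hits per rule, e.g. {"analysis-tool-probe": 1, "browser-cookie-read": 2}."""
    return dict(Counter(f.rule for f in findings))


# Constructed sample command lines modelled on this report (user "alice" is made up).
SAMPLE_CMDLINES = [
    # Probe for its own process: matched by TASKLIST_RE but deliberately not alerted.
    r'cmd /C tasklist /FI "IMAGENAME eq Reimage.exe" > C:\Users\alice\AppData\Local\Temp\IsProcessActive.txt',
    # Probe for a network analysis tool: alerted.
    r'cmd /C tasklist /FI "IMAGENAME eq Wireshark.exe" > C:\Users\alice\AppData\Local\Temp\IsProcessActive.txt',
    # Firefox cookie database read (both quotes present).
    r"""C:\Users\alice\AppData\Local\Temp\sqlite3.exe "C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\dxxbjsgn.default\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_campaign'""",
    # Chrome cookie database read with the opening quote missing, as logged on this page.
    r"""C:\Users\alice\AppData\Local\Temp\sqlite3.exe C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies" "select name, expires_utc from cookies where host_key like '%reimageplus.com' and name like '_campaign_%'""",
    # Unrelated: not matched.
    r'regsvr32 /s "C:\Windows\system32\jscript.dll"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"[{f.rule}] {f.detail}")
    print(summarize(scan(SAMPLE_CMDLINES)))
```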

Other system modifications

It adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Reimage\
Reimage Repair
Installer Language = {value}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Reimage Repair
DownloaderVersion = 1.9.5.6

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\App Paths\
Reimage.exe
(default) = %Program Files%\Reimage\Reimage Repair\Reimage.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Reimage Repair
DisplayName = Reimage Repair

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Reimage Repair
UninstallString = %Program Files%\Reimage\Reimage Repair\uninst.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Reimage Repair
DisplayIcon = %Program Files%\Reimage\Reimage Repair\Reimage_uninstall.ico

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Reimage Repair
DisplayVersion = 1.9.5.6

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Reimage Repair
URLInfoAbout = http://www.{BLOCKED}plus.com

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Reimage Repair
Publisher = Reimage

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Reimage Repair
InstallFile = %Program Files%\Reimage\Reimage Repair\Reimage.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Reimage Repair
InstallLocation = %Program Files%\Reimage\Reimage Repair

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Reimage Repair
VersionMajor = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Reimage Repair
VersionMinor = 956

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}
(default) = REI_AxControl

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\REI_AxControl.DLL
AppID = {28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}
(default) = CompReg Class

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}\InprocServer32
(default) = %Program Files%\Reimage\Reimage Repair\REI_Axcontrol.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}\InprocServer32
ThreadingModel = Apartment

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}\TypeLib
(default) = {FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
REI_AxControl.ReiEngine.1
(default) = ReiEngine Class

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
REI_AxControl.ReiEngine.1\CLSID
(default) = {10ECCE17-29B5-4880-A8F5-EAD298611484}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
REI_AxControl.ReiEngine
(default) = ReiEngine Class

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
REI_AxControl.ReiEngine\CLSID
(default) = {10ECCE17-29B5-4880-A8F5-EAD298611484}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
REI_AxControl.ReiEngine\CurVer
(default) = REI_AxControl.ReiEngine.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}
(default) = ReiEngine Class

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\ProgID
(default) = REI_AxControl.ReiEngine.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\VersionIndependentProgID
(default) = REI_AxControl.ReiEngine

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\InprocServer32
(default) = %Program Files%\Reimage\Reimage Repair\REI_Axcontrol.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\InprocServer32
ThreadingModel = Apartment

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}
AppID = {28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\ToolboxBitmap32
(default) = %Program Files%\Reimage\Reimage Repair\REI_Axcontrol.dll, 102

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\MiscStatus
(default) = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\MiscStatus\
1
(default) = 132497

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\TypeLib
(default) = {FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\Version
(default) = 1.0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0
(default) = REI_AxControl 1.0 Type Library

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0\
FLAGS
(default) = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0\
0\win32
(default) = %Program Files%\Reimage\Reimage Repair\REI_Axcontrol.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0\
HELPDIR
(default) = %Program Files%\Reimage\Reimage Repair

HKEY_LOCAL_MACHINE\SOFTWARE\Volatile\
00\MACHINE\SOFTWARE\
Classes\Interface\{A817E7A2-43FA-11D0-9E44-00AA00B6770A}\
ProxyStubClsid
(default) = {00020424-0000-0000-C000-000000000046}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}
(default) = _IReiEngineEvents

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}\ProxyStubClsid
(default) = {00020420-0000-0000-C000-000000000046}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}\ProxyStubClsid32
(default) = {00020420-0000-0000-C000-000000000046}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}\TypeLib
(default) = {FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}\TypeLib
Version = 1.0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}
(default) = IReiEngine

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}\ProxyStubClsid
(default) = {00020424-0000-0000-C000-000000000046}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}\ProxyStubClsid32
(default) = {00020424-0000-0000-C000-000000000046}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}\TypeLib
(default) = {FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}\TypeLib
Version = 1.0

It modifies the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\Session Manager
PendingFileRenameOperations = {Original data}, \??\%User Temp%\ns{random}.tmp\registry.dll, \??\%User Temp%\ns{random}.tmp\stack.dll, \??\%User Temp%\ns{random}.tmp\, \??\%User Temp%\ns{random}.tmp\xml.dll

Other details

It adds the following registry keys as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Reimage

HKEY_LOCAL_MACHINE\SOFTWARE\Reimage\
Reimage Repair

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Reimage Repair

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\REI_AxControl.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}\TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
REI_AxControl.ReiEngine.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
REI_AxControl.ReiEngine.1\CLSID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
REI_AxControl.ReiEngine

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
REI_AxControl.ReiEngine\CLSID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
REI_AxControl.ReiEngine\CurVer

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\ProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\VersionIndependentProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\Programmable

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\Control

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\ToolboxBitmap32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\MiscStatus

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\MiscStatus\
1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\Version

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0\
FLAGS

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0\
0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0\
0\win32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0\
HELPDIR

HKEY_LOCAL_MACHINE\SOFTWARE\Volatile

HKEY_LOCAL_MACHINE\SOFTWARE\Volatile\
00

HKEY_LOCAL_MACHINE\SOFTWARE\Volatile\
00\MACHINE

HKEY_LOCAL_MACHINE\SOFTWARE\Volatile\
00\MACHINE\SOFTWARE

HKEY_LOCAL_MACHINE\SOFTWARE\Volatile\
00\MACHINE\SOFTWARE\
Classes

HKEY_LOCAL_MACHINE\SOFTWARE\Volatile\
00\MACHINE\SOFTWARE\
Classes\Interface

HKEY_LOCAL_MACHINE\SOFTWARE\Volatile\
00\MACHINE\SOFTWARE\
Classes\Interface\{A817E7A2-43FA-11D0-9E44-00AA00B6770A}

HKEY_LOCAL_MACHINE\SOFTWARE\Volatile\
00\MACHINE\SOFTWARE\
Classes\Interface\{A817E7A2-43FA-11D0-9E44-00AA00B6770A}\
ProxyStubClsid

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}\ProxyStubClsid

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}\ProxyStubClsid32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}\TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}\ProxyStubClsid

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}\ProxyStubClsid32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}\TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\App Paths\
Reimage.exe

It connects to the following possibly malicious URLs:

  • http://www.{BLOCKED}eplus.com/includes/install_start.php?m_trackid=&m_tracking=&m_campaign=&minorsessionid={generated Minor Session ID}&sessionid={generated Session ID}&t=CONSUMER&a=ENABLED&u=ENABLED&c=DISABLED&v={version}
  • http://cdnrep.{BLOCKED}e.com/downloader_version.xml
  • http://cdnrep.{BLOCKED}e.com/repair_version.xml
  • http://www.{BLOCKED}eplus.com/events4mem.php?version={version}&SessionID={generated Session ID}&MinorSessionID={generated Minor Session ID}&id=INSVR&param={version}&trackutil=
  • http://www.{BLOCKED}eplus.com/events4mem.php?version={version}&SessionID={generated Session ID}&MinorSessionID={generated Minor Session ID}&id=LANG&param=en&trackutil=
  • http://cdnrep.{BLOCKED}eplus.com/ver/ReimagePackage{version}b.exe
  • http://cdnrep.{BLOCKED}eplus.com/cfl/cfl{version}b.rei
  • http://www.{BLOCKED}eplus.com/events4mem.php?version={version}&SessionID={generated Session ID}&MinorSessionID={generated Minor Session ID}&id=PKSPA&param=Skip<*>New&trackutil=
  • http://www.{BLOCKED}eplus.com/includes/install_end.php?m_trackid=&m_tracking=&m_campaign=&minorsessionid={generated Minor Session ID}&sessionid={generated Session ID}&v=1.9.5.6
  • http://www.{BLOCKED}eplus.com/events4mem.php?version={version}&SessionID={generated Session ID}&MinorSessionID={generated Minor Session ID}&id=INSST&param=Downloader%20Started<*>New&trackutil=
  • http://www.{BLOCKED}eplus.com/events4mem.php?version={version}&SessionID={generated Session ID}&MinorSessionID={generated Minor Session ID}&id=PKGEX&param=user%20closed%20installer%20on%20finish%20page<*>New&trackutil=