Analysis by: Maria Emreen Viray

ALIASES:

Win32/ReImageRepair.P (NOD32)

 PLATFORM:

Windows


  • Threat Type: Potentially Unwanted Application

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size 586,224 bytes
File Type EXE
Memory Resident No
Initial Samples Received Date 09 Sep 2021

Arrival Details

This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Potentially Unwanted Application drops the following files:

  • %Program Files%\Reimage\Reimage Repair\LZMA.EXE
  • %Program Files%\Reimage\Reimage Repair\REI_AVIRA.exe
  • %Program Files%\Reimage\Reimage Repair\REI_Axcontrol.dll
  • %Program Files%\Reimage\Reimage Repair\REI_Axcontrol.lza
  • %Program Files%\Reimage\Reimage Repair\REI_Engine.dll
  • %Program Files%\Reimage\Reimage Repair\REI_Engine.lza
  • %Program Files%\Reimage\Reimage Repair\REI_SupportInfoTool.exe
  • %Program Files%\Reimage\Reimage Repair\Reimage Repair Help & Support.url
  • %Program Files%\Reimage\Reimage Repair\Reimage Repair Privacy Policy.url
  • %Program Files%\Reimage\Reimage Repair\Reimage Repair Terms of Use.url
  • %Program Files%\Reimage\Reimage Repair\Reimage Repair Uninstall Instructions.url
  • %Program Files%\Reimage\Reimage Repair\Reimage.exe
  • %Program Files%\Reimage\Reimage Repair\ReimageReminder.exe
  • %Program Files%\Reimage\Reimage Repair\ReimageRepair.exe
  • %Program Files%\Reimage\Reimage Repair\ReimageSafeMode.exe
  • %Program Files%\Reimage\Reimage Repair\Reimage_SafeMode.ico
  • %Program Files%\Reimage\Reimage Repair\Reimage_uninstall.ico
  • %Program Files%\Reimage\Reimage Repair\Reimage_website.ico
  • %Program Files%\Reimage\Reimage Repair\Reimageicon.ico
  • %Program Files%\Reimage\Reimage Repair\msvcr120.dll
  • %Program Files%\Reimage\Reimage Repair\savapi.dll
  • %Program Files%\Reimage\Reimage Repair\uninst.exe
  • %Program Files%\Reimage\Reimage Repair\version.rei
  • %Programs%\Reimage Repair\Help & Support.lnk
  • %Programs%\Reimage Repair\Privacy Policy.lnk
  • %Programs%\Reimage Repair\Reimage Repair.lnk
  • %Programs%\Reimage Repair\Run in safe mode.lnk
  • %Programs%\Reimage Repair\Terms of Use.lnk
  • %Programs%\Reimage Repair\Uninstall Instructions.lnk
  • %Programs%\Reimage Repair\Uninstall.lnk
  • %Public%\Desktop\PC Scan & Repair by Reimage.lnk
  • %System Root%\rei\AV\HBEDV.KEY
  • %System Root%\rei\AV\avupdate.exe
  • %System Root%\rei\AV\avupdate_msg.avr
  • %System Root%\rei\AV\cacert.crt
  • %System Root%\rei\AV\msvcr120.dll
  • %System Root%\rei\AV\productname.dat
  • %System Root%\rei\AV\savapi.exe
  • %System Root%\rei\AV\savapi_restart.exe
  • %System Root%\rei\AV\savapi_stub.exe
  • %System Root%\rei\AV\xbvRei.vdf
  • %System Root%\rei\About.txt
  • %System Root%\rei\SupportInfoTool.ini
  • %System Root%\rei\cfl.rei
  • %System Root%\rei\rpe1.rei
  • %User Temp%\ReimagePackage.exe
  • %User Temp%\ack.txt
  • %User Temp%\downloader log.txt
  • %User Temp%\downloader_version.xml
  • %User Temp%\ns{random}.tmp\Banner.dll
  • %User Temp%\ns{random}.tmp\ExecDos.dll
  • %User Temp%\ns{random}.tmp\UserInfo.dll
  • %User Temp%\ns{random}.tmp\ns934E.tmp
  • %User Temp%\ns{random}.tmp\registry.dll
  • %User Temp%\ns{random}.tmp\stack.dll
  • %User Temp%\ns{random}.tmp\xml.dll
  • %User Temp%\repair setup log.txt
  • %User Temp%\repair_version.xml
  • %User Temp%\ProtectorPackage.log
  • %Windows%\Reimage.ini
  • Temporary files (deleted afterwards):
    • %Application Data%\Microsoft\Windows\Cookies\dyituser_732@reimageplus[1].txt
    • %Application Data%\Microsoft\Windows\Cookies\dyituser_732@reimageplus[2].txt
    • %Program Files%\Reimage\Reimage Repair\engine.dat
    • %Program Files%\Reimage\Reimage Repair\reimage.dat
    • %Public%\Desktop\Resume Reimage Repair Installation.lnk
    • %User Temp%\Chrome.txt
    • %User Temp%\FF.bat
    • %User Temp%\FF.txt
    • %User Temp%\InstallationPixel.txt
    • %User Temp%\IsProcessActive.txt
    • %User Temp%\cfl.rei
    • %User Temp%\ns{random}.tmp
    • %User Temp%\ns{random}.tmp\DcryptDll.dll
    • %User Temp%\ns{random}.tmp\LogEx.dll
    • %User Temp%\ns{random}.tmp\ProtectorUpdater.exe
    • %User Temp%\ns{random}.tmp\System.dll
    • %User Temp%\ns{random}.tmp\inetc.dll
    • %User Temp%\ns{random}.tmp\installer-164x314.bmp
    • %User Temp%\ns{random}.tmp\modern-header.bmp
    • %User Temp%\ns{random}.tmp\nsDialogs.dll
    • %User Temp%\ns{random}.tmp\nsExec.dll
    • %User Temp%\ns{random}.tmp\ns{random}.tmp
    • %User Temp%\sqlite3.exe

Note:

  • %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).
  • %Programs% is the folder that contains the user's program groups, which is usually C:\Windows\Start Menu\Programs or C:\Documents and Settings\{User name}\Start Menu\Programs on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs on Windows Vista, 7, and 8.
  • %Public% is the folder that serves as a repository of files or folders common to all users, which is usually C:\Users\Public in Windows Vista, 7, and 8.
  • %System Root% is the Windows root folder, which is usually C:\ on all Windows operating system versions.
  • %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).
  • %Windows% is the Windows folder, which is usually C:\Windows on all Windows operating system versions.
  • %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).

It adds the following processes:

  • %Program Files%\Reimage\Reimage Repair\lzma.exe "d" "%Program Files%\Reimage\Reimage Repair\REI_Axcontrol.lza" "%Program Files%\Reimage\Reimage Repair\REI_Axcontrol.dll"
  • %Program Files%\Reimage\Reimage Repair\lzma.exe "d" "%Program Files%\Reimage\Reimage Repair\REI_Engine.lza" "%Program Files%\Reimage\Reimage Repair\REI_Engine.dll"
  • %User Temp%\ReimagePackage.exe /GUI=http://www.reimageplus.com/GUI/GUI1957/layout.php?consumer=1&gui_branch=0&trackutil=&MinorSessionID=2121df41158a4db49b16a66b97&lang_code=en&bundle=0&loadresults=0&ShowSettings=false "/Location=%System Root%\_Tset\asf.exe" /trackutil= /CookieTracking= /CookieCampaign= /EventUser=New /Update=1 /DownloaderVersion=1956 /RunSilent=false /SessionID=1991edc7-d4d6-4d92-8de3-4ade0df88bb2 /IDMinorSession=2121df41158a4db49b16a66b97 /pxkp=Delete /ScanSilent=0 /Close=0 /cil=DISABLED /ShowName=False /Language=1033 /GuiLang=en /AgentStatus=DISABLED /StartScan=1 /VersionInfo=versionInfo /ShowSettings=true
  • %User Temp%\ns{random}.tmp\ns{random}.tmp "%Program Files%\Reimage\Reimage Repair\lzma.exe" "d" "%Program Files%\Reimage\Reimage Repair\REI_Axcontrol.lza" "%Program Files%\Reimage\Reimage Repair\REI_Axcontrol.dll"
  • %User Temp%\ns{random}.tmp\ns{random}.tmp "%Program Files%\Reimage\Reimage Repair\lzma.exe" "d" "%Program Files%\Reimage\Reimage Repair\REI_Engine.lza" "%Program Files%\Reimage\Reimage Repair\REI_Engine.dll"
  • %User Temp%\ns{random}.tmp\ns{random}.tmp "%User Temp%\FF.bat" > %User Temp%\FF.txt
  • %User Temp%\ns{random}.tmp\ns{random}.tmp cmd /C tasklist /FI "IMAGENAME eq Fiddler.exe" > %User Temp%\IsProcessActive.txt
  • %User Temp%\ns{random}.tmp\ns{random}.tmp cmd /C tasklist /FI "IMAGENAME eq GeoProxy.exe" > %User Temp%\IsProcessActive.txt
  • %User Temp%\ns{random}.tmp\ns{random}.tmp cmd /C tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" > %User Temp%\IsProcessActive.txt
  • %User Temp%\ns{random}.tmp\ns{random}.tmp cmd /C tasklist /FI "IMAGENAME eq REI_avira.exe" > %User Temp%\IsProcessActive.txt
  • %User Temp%\ns{random}.tmp\ns{random}.tmp cmd /C tasklist /FI "IMAGENAME eq Reimage.exe" > %User Temp%\IsProcessActive.txt
  • %User Temp%\ns{random}.tmp\ns{random}.tmp cmd /C tasklist /FI "IMAGENAME eq Reimage.exe" > %User Temp%\IsProcessActive.txt
  • %User Temp%\ns{random}.tmp\ns{random}.tmp cmd /C tasklist /FI "IMAGENAME eq ReimagePackage.exe" > %User Temp%\IsProcessActive.txt
  • %User Temp%\ns{random}.tmp\ns{random}.tmp cmd /C tasklist /FI "IMAGENAME eq Wireshark.exe" > %User Temp%\IsProcessActive.txt
  • %User Temp%\ns{random}.tmp\ns{random}.tmp cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > %User Temp%\IsProcessActive.txt
  • %User Temp%\ns{random}.tmp\ns{random}.tmp cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > %User Temp%\IsProcessActive.txt
  • %User Temp%\sqlite3.exe "%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_campaign'"
  • %User Temp%\sqlite3.exe "%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_country'"
  • %User Temp%\sqlite3.exe "%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_trackid'"
  • %User Temp%\sqlite3.exe "%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_tracking'"
  • %User Temp%\sqlite3.exe "%AppDataLocal%\Google\Chrome\User Data\Default\Cookies" "select name, expires_utc from cookies where host_key like '%reimageplus.com' and name like '_campaign_%'"
  • %User Temp%\sqlite3.exe "%AppDataLocal%\Google\Chrome\User Data\Default\Cookies" "select name, expires_utc from cookies where host_key like '%reimageplus.com' and name like '_country_%'"
  • %User Temp%\sqlite3.exe "%AppDataLocal%\Google\Chrome\User Data\Default\Cookies" "select name, expires_utc from cookies where host_key like '%reimageplus.com' and name like '_trackid_%'"
  • %User Temp%\sqlite3.exe "%AppDataLocal%\Google\Chrome\User Data\Default\Cookies" "select name, expires_utc from cookies where host_key like '%reimageplus.com' and name like '_tracking_%'"
  • %User Temp%\sqlite3.exe "%AppDataLocal%\Google\Chrome\User Data\Default\Cookies" "select value, expires_utc from cookies where host_key like '%reimageplus.com' and name='_campaign'"
  • %User Temp%\sqlite3.exe "%AppDataLocal%\Google\Chrome\User Data\Default\Cookies" "select value, expires_utc from cookies where host_key like '%reimageplus.com' and name='_country'"
  • %User Temp%\sqlite3.exe "%AppDataLocal%\Google\Chrome\User Data\Default\Cookies" "select value, expires_utc from cookies where host_key like '%reimageplus.com' and name='_trackid'"
  • %User Temp%\sqlite3.exe "%AppDataLocal%\Google\Chrome\User Data\Default\Cookies" "select value, expires_utc from cookies where host_key like '%reimageplus.com' and name='_tracking'"
  • regsvr32 /s "%Program Files%\Reimage\Reimage Repair\REI_Axcontrol.dll"
  • regsvr32 /s "%Program Files%\Reimage\Reimage Repair\REI_Engine.dll"
  • regsvr32 /s "%Windows%\system32\jscript.dll"

Other System Modifications

This Potentially Unwanted Application adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Reimage\
Reimage Repair
Installer Language = {value}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Reimage Repair
DownloaderVersion = 1.9.5.6

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\App Paths\
Reimage.exe
(default) = %Program Files%\Reimage\Reimage Repair\Reimage.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Reimage Repair
DisplayName = Reimage Repair

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Reimage Repair
UninstallString = %Program Files%\Reimage\Reimage Repair\uninst.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Reimage Repair
DisplayIcon = %Program Files%\Reimage\Reimage Repair\Reimage_uninstall.ico

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Reimage Repair
DisplayVersion = 1.9.5.6

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Reimage Repair
URLInfoAbout = http://www.{BLOCKED}plus.com

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Reimage Repair
Publisher = Reimage

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Reimage Repair
InstallFile = %Program Files%\Reimage\Reimage Repair\Reimage.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Reimage Repair
InstallLocation = %Program Files%\Reimage\Reimage Repair

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Reimage Repair
VersionMajor = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Reimage Repair
VersionMinor = 956

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}
(default) = REI_AxControl

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\REI_AxControl.DLL
AppID = {28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}
(default) = CompReg Class

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}\InprocServer32
(default) = %Program Files%\Reimage\Reimage Repair\REI_Axcontrol.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}\InprocServer32
ThreadingModel = Apartment

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}\TypeLib
(default) = {FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
REI_AxControl.ReiEngine.1
(default) = ReiEngine Class

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
REI_AxControl.ReiEngine.1\CLSID
(default) = {10ECCE17-29B5-4880-A8F5-EAD298611484}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
REI_AxControl.ReiEngine
(default) = ReiEngine Class

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
REI_AxControl.ReiEngine\CLSID
(default) = {10ECCE17-29B5-4880-A8F5-EAD298611484}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
REI_AxControl.ReiEngine\CurVer
(default) = REI_AxControl.ReiEngine.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}
(default) = ReiEngine Class

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\ProgID
(default) = REI_AxControl.ReiEngine.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\VersionIndependentProgID
(default) = REI_AxControl.ReiEngine

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\InprocServer32
(default) = %Program Files%\Reimage\Reimage Repair\REI_Axcontrol.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\InprocServer32
ThreadingModel = Apartment

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}
AppID = {28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\ToolboxBitmap32
(default) = %Program Files%\Reimage\Reimage Repair\REI_Axcontrol.dll, 102

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\MiscStatus
(default) = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\MiscStatus\
1
(default) = 132497

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\TypeLib
(default) = {FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\Version
(default) = 1.0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0
(default) = REI_AxControl 1.0 Type Library

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0\
FLAGS
(default) = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0\
0\win32
(default) = %Program Files%\Reimage\Reimage Repair\REI_Axcontrol.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0\
HELPDIR
(default) = %Program Files%\Reimage\Reimage Repair

HKEY_LOCAL_MACHINE\SOFTWARE\Volatile\
00\MACHINE\SOFTWARE\
Classes\Interface\{A817E7A2-43FA-11D0-9E44-00AA00B6770A}\
ProxyStubClsid
(default) = {00020424-0000-0000-C000-000000000046}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}
(default) = _IReiEngineEvents

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}\ProxyStubClsid
(default) = {00020420-0000-0000-C000-000000000046}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}\ProxyStubClsid32
(default) = {00020420-0000-0000-C000-000000000046}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}\TypeLib
(default) = {FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}\TypeLib
Version = 1.0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}
(default) = IReiEngine

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}\ProxyStubClsid
(default) = {00020424-0000-0000-C000-000000000046}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}\ProxyStubClsid32
(default) = {00020424-0000-0000-C000-000000000046}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}\TypeLib
(default) = {FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}\TypeLib
Version = 1.0

It modifies the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\Session Manager
PendingFileRenameOperations = {Original data}, \??\%User Temp%\ns{random}.tmp\registry.dll, \??\%User Temp%\ns{random}.tmp\stack.dll, \??\%User Temp%\ns{random}.tmp\, \??\%User Temp%\ns{random}.tmp\xml.dll

Other Details

This Potentially Unwanted Application adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Reimage

HKEY_LOCAL_MACHINE\SOFTWARE\Reimage\
Reimage Repair

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Reimage Repair

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\REI_AxControl.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}\TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
REI_AxControl.ReiEngine.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
REI_AxControl.ReiEngine.1\CLSID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
REI_AxControl.ReiEngine

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
REI_AxControl.ReiEngine\CLSID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
REI_AxControl.ReiEngine\CurVer

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\ProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\VersionIndependentProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\Programmable

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\Control

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\ToolboxBitmap32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\MiscStatus

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\MiscStatus\
1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\Version

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0\
FLAGS

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0\
0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0\
0\win32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0\
HELPDIR

HKEY_LOCAL_MACHINE\SOFTWARE\Volatile

HKEY_LOCAL_MACHINE\SOFTWARE\Volatile\
00

HKEY_LOCAL_MACHINE\SOFTWARE\Volatile\
00\MACHINE

HKEY_LOCAL_MACHINE\SOFTWARE\Volatile\
00\MACHINE\SOFTWARE

HKEY_LOCAL_MACHINE\SOFTWARE\Volatile\
00\MACHINE\SOFTWARE\
Classes

HKEY_LOCAL_MACHINE\SOFTWARE\Volatile\
00\MACHINE\SOFTWARE\
Classes\Interface

HKEY_LOCAL_MACHINE\SOFTWARE\Volatile\
00\MACHINE\SOFTWARE\
Classes\Interface\{A817E7A2-43FA-11D0-9E44-00AA00B6770A}

HKEY_LOCAL_MACHINE\SOFTWARE\Volatile\
00\MACHINE\SOFTWARE\
Classes\Interface\{A817E7A2-43FA-11D0-9E44-00AA00B6770A}\
ProxyStubClsid

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}\ProxyStubClsid

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}\ProxyStubClsid32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}\TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}\ProxyStubClsid

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}\ProxyStubClsid32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}\TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\App Paths\
Reimage.exe

It connects to the following possibly malicious URL:

  • http://www.{BLOCKED}eplus.com/includes/install_start.php?m_trackid=&m_tracking=&m_campaign=&minorsessionid={generated Minor Session ID}&sessionid={generated Session ID}&t=CONSUMER&a=ENABLED&u=ENABLED&c=DISABLED&v={version}
  • http://cdnrep.{BLOCKED}e.com/downloader_version.xml
  • http://cdnrep.{BLOCKED}e.com/repair_version.xml
  • http://www.{BLOCKED}eplus.com/events4mem.php?version={version}&SessionID={generated Session ID}&MinorSessionID={generated Minor Session ID}&id=INSVR&param={version}&trackutil=
  • http://www.{BLOCKED}eplus.com/events4mem.php?version={version}&SessionID={generated Session ID}&MinorSessionID={generated Minor Session ID}&id=LANG&param=en&trackutil=
  • http://cdnrep.{BLOCKED}eplus.com/ver/ReimagePackage{version}b.exe
  • http://cdnrep.{BLOCKED}eplus.com/cfl/cfl{version}b.rei
  • http://www.{BLOCKED}eplus.com/events4mem.php?version={version}&SessionID={generated Session ID}&MinorSessionID={generated Minor Session ID}&id=PKSPA&param=Skip<*>New&trackutil=
  • http://www.{BLOCKED}eplus.com/includes/install_end.php?m_trackid=&m_tracking=&m_campaign=&minorsessionid={generated Minor Session ID}&sessionid={generated Session ID}&v=1.9.5.6
  • http://www.{BLOCKED}eplus.com/events4mem.php?version={version}&SessionID={generated Session ID}&MinorSessionID={generated Minor Session ID}&id=INSST&param=Downloader%20Started<*>New&trackutil=
  • http://www.{BLOCKED}eplus.com/events4mem.php?version={version}&SessionID={generated Session ID}&MinorSessionID={generated Minor Session ID}&id=PKGEX&param=user%20closed%20installer%20on%20finish%20page<*>New&trackutil=