Author: Maria Emreen Viray   

 

Win32/ReImageRepair.P (NOD32)

PLATFORM:

Windows

OVERALL RISK RATING:
DAMAGE POTENTIAL:
DISTRIBUTION POTENTIAL:
REPORTED INFECTION:
INFORMATION EXPOSURE:
(Rating scale: Low / Medium / High / Critical)

  • Threat Type:
    Potentially Unwanted Application

  • Destructiveness:
    No

  • Encrypted:
     

  • In the wild:
    Yes

OVERVIEW

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

TECHNICAL DETAILS

File size: 586,224 bytes
File type: EXE
Memory resident: No
INITIAL SAMPLES RECEIVED DATE: 09 September 2021

Arrival Details

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

It drops the following files:

  • %Program Files%\Reimage\Reimage Repair\LZMA.EXE
  • %Program Files%\Reimage\Reimage Repair\REI_AVIRA.exe
  • %Program Files%\Reimage\Reimage Repair\REI_Axcontrol.dll
  • %Program Files%\Reimage\Reimage Repair\REI_Axcontrol.lza
  • %Program Files%\Reimage\Reimage Repair\REI_Engine.dll
  • %Program Files%\Reimage\Reimage Repair\REI_Engine.lza
  • %Program Files%\Reimage\Reimage Repair\REI_SupportInfoTool.exe
  • %Program Files%\Reimage\Reimage Repair\Reimage Repair Help & Support.url
  • %Program Files%\Reimage\Reimage Repair\Reimage Repair Privacy Policy.url
  • %Program Files%\Reimage\Reimage Repair\Reimage Repair Terms of Use.url
  • %Program Files%\Reimage\Reimage Repair\Reimage Repair Uninstall Instructions.url
  • %Program Files%\Reimage\Reimage Repair\Reimage.exe
  • %Program Files%\Reimage\Reimage Repair\ReimageReminder.exe
  • %Program Files%\Reimage\Reimage Repair\ReimageRepair.exe
  • %Program Files%\Reimage\Reimage Repair\ReimageSafeMode.exe
  • %Program Files%\Reimage\Reimage Repair\Reimage_SafeMode.ico
  • %Program Files%\Reimage\Reimage Repair\Reimage_uninstall.ico
  • %Program Files%\Reimage\Reimage Repair\Reimage_website.ico
  • %Program Files%\Reimage\Reimage Repair\Reimageicon.ico
  • %Program Files%\Reimage\Reimage Repair\msvcr120.dll
  • %Program Files%\Reimage\Reimage Repair\savapi.dll
  • %Program Files%\Reimage\Reimage Repair\uninst.exe
  • %Program Files%\Reimage\Reimage Repair\version.rei
  • %Programs%\Reimage Repair\Help & Support.lnk
  • %Programs%\Reimage Repair\Privacy Policy.lnk
  • %Programs%\Reimage Repair\Reimage Repair.lnk
  • %Programs%\Reimage Repair\Run in safe mode.lnk
  • %Programs%\Reimage Repair\Terms of Use.lnk
  • %Programs%\Reimage Repair\Uninstall Instructions.lnk
  • %Programs%\Reimage Repair\Uninstall.lnk
  • %Public%\Desktop\PC Scan & Repair by Reimage.lnk
  • %System Root%\rei\AV\HBEDV.KEY
  • %System Root%\rei\AV\avupdate.exe
  • %System Root%\rei\AV\avupdate_msg.avr
  • %System Root%\rei\AV\cacert.crt
  • %System Root%\rei\AV\msvcr120.dll
  • %System Root%\rei\AV\productname.dat
  • %System Root%\rei\AV\savapi.exe
  • %System Root%\rei\AV\savapi_restart.exe
  • %System Root%\rei\AV\savapi_stub.exe
  • %System Root%\rei\AV\xbvRei.vdf
  • %System Root%\rei\About.txt
  • %System Root%\rei\SupportInfoTool.ini
  • %System Root%\rei\cfl.rei
  • %System Root%\rei\rpe1.rei
  • %User Temp%\ReimagePackage.exe
  • %User Temp%\ack.txt
  • %User Temp%\downloader log.txt
  • %User Temp%\downloader_version.xml
  • %User Temp%\ns{random}.tmp\Banner.dll
  • %User Temp%\ns{random}.tmp\ExecDos.dll
  • %User Temp%\ns{random}.tmp\UserInfo.dll
  • %User Temp%\ns{random}.tmp\ns934E.tmp
  • %User Temp%\ns{random}.tmp\registry.dll
  • %User Temp%\ns{random}.tmp\stack.dll
  • %User Temp%\ns{random}.tmp\xml.dll
  • %User Temp%\repair setup log.txt
  • %User Temp%\repair_version.xml
  • %User Temp%\ProtectorPackage.log
  • %Windows%\Reimage.ini
  • Temporary files (deleted afterwards):
    • %Application Data%\Microsoft\Windows\Cookies\dyituser_732@reimageplus[1].txt
    • %Application Data%\Microsoft\Windows\Cookies\dyituser_732@reimageplus[2].txt
    • %Program Files%\Reimage\Reimage Repair\engine.dat
    • %Program Files%\Reimage\Reimage Repair\reimage.dat
    • %Public%\Desktop\Resume Reimage Repair Installation.lnk
    • %User Temp%\Chrome.txt
    • %User Temp%\FF.bat
    • %User Temp%\FF.txt
    • %User Temp%\InstallationPixel.txt
    • %User Temp%\IsProcessActive.txt
    • %User Temp%\cfl.rei
    • %User Temp%\ns{random}.tmp
    • %User Temp%\ns{random}.tmp\DcryptDll.dll
    • %User Temp%\ns{random}.tmp\LogEx.dll
    • %User Temp%\ns{random}.tmp\ProtectorUpdater.exe
    • %User Temp%\ns{random}.tmp\System.dll
    • %User Temp%\ns{random}.tmp\inetc.dll
    • %User Temp%\ns{random}.tmp\installer-164x314.bmp
    • %User Temp%\ns{random}.tmp\modern-header.bmp
    • %User Temp%\ns{random}.tmp\nsDialogs.dll
    • %User Temp%\ns{random}.tmp\nsExec.dll
    • %User Temp%\ns{random}.tmp\ns{random}.tmp
    • %User Temp%\sqlite3.exe

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files. %System Root% is the root folder, usually C:\. It is also where the operating system is located. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), and C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit), and 10(64-bit). %Windows% is the Windows folder, usually C:\Windows or C:\WINNT. %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), and C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit), and 10(64-bit).)

It adds the following processes:

  • %Program Files%\Reimage\Reimage Repair\lzma.exe "d" "%Program Files%\Reimage\Reimage Repair\REI_Axcontrol.lza" "%Program Files%\Reimage\Reimage Repair\REI_Axcontrol.dll"
  • %Program Files%\Reimage\Reimage Repair\lzma.exe "d" "%Program Files%\Reimage\Reimage Repair\REI_Engine.lza" "%Program Files%\Reimage\Reimage Repair\REI_Engine.dll"
  • %User Temp%\ReimagePackage.exe /GUI=http://www.reimageplus.com/GUI/GUI1957/layout.php?consumer=1&gui_branch=0&trackutil=&MinorSessionID=2121df41158a4db49b16a66b97&lang_code=en&bundle=0&loadresults=0&ShowSettings=false "/Location=%System Root%\_Tset\asf.exe" /trackutil= /CookieTracking= /CookieCampaign= /EventUser=New /Update=1 /DownloaderVersion=1956 /RunSilent=false /SessionID=1991edc7-d4d6-4d92-8de3-4ade0df88bb2 /IDMinorSession=2121df41158a4db49b16a66b97 /pxkp=Delete /ScanSilent=0 /Close=0 /cil=DISABLED /ShowName=False /Language=1033 /GuiLang=en /AgentStatus=DISABLED /StartScan=1 /VersionInfo=versionInfo /ShowSettings=true
  • %User Temp%\ns{random}.tmp\ns{random}.tmp "%Program Files%\Reimage\Reimage Repair\lzma.exe" "d" "%Program Files%\Reimage\Reimage Repair\REI_Axcontrol.lza" "%Program Files%\Reimage\Reimage Repair\REI_Axcontrol.dll"
  • %User Temp%\ns{random}.tmp\ns{random}.tmp "%Program Files%\Reimage\Reimage Repair\lzma.exe" "d" "%Program Files%\Reimage\Reimage Repair\REI_Engine.lza" "%Program Files%\Reimage\Reimage Repair\REI_Engine.dll"
  • %User Temp%\ns{random}.tmp\ns{random}.tmp "%User Temp%\FF.bat" > %User Temp%\FF.txt
  • %User Temp%\ns{random}.tmp\ns{random}.tmp cmd /C tasklist /FI "IMAGENAME eq Fiddler.exe" > %User Temp%\IsProcessActive.txt
  • %User Temp%\ns{random}.tmp\ns{random}.tmp cmd /C tasklist /FI "IMAGENAME eq GeoProxy.exe" > %User Temp%\IsProcessActive.txt
  • %User Temp%\ns{random}.tmp\ns{random}.tmp cmd /C tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" > %User Temp%\IsProcessActive.txt
  • %User Temp%\ns{random}.tmp\ns{random}.tmp cmd /C tasklist /FI "IMAGENAME eq REI_avira.exe" > %User Temp%\IsProcessActive.txt
  • %User Temp%\ns{random}.tmp\ns{random}.tmp cmd /C tasklist /FI "IMAGENAME eq Reimage.exe" > %User Temp%\IsProcessActive.txt
  • %User Temp%\ns{random}.tmp\ns{random}.tmp cmd /C tasklist /FI "IMAGENAME eq Reimage.exe" > %User Temp%\IsProcessActive.txt
  • %User Temp%\ns{random}.tmp\ns{random}.tmp cmd /C tasklist /FI "IMAGENAME eq ReimagePackage.exe" > %User Temp%\IsProcessActive.txt
  • %User Temp%\ns{random}.tmp\ns{random}.tmp cmd /C tasklist /FI "IMAGENAME eq Wireshark.exe" > %User Temp%\IsProcessActive.txt
  • %User Temp%\ns{random}.tmp\ns{random}.tmp cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > %User Temp%\IsProcessActive.txt
  • %User Temp%\ns{random}.tmp\ns{random}.tmp cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > %User Temp%\IsProcessActive.txt
  • %User Temp%\sqlite3.exe "%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_campaign'
  • %User Temp%\sqlite3.exe "%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_country'
  • %User Temp%\sqlite3.exe "%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_trackid'
  • %User Temp%\sqlite3.exe "%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_tracking'
  • %User Temp%\sqlite3.exe %AppDataLocal%\Google\Chrome\User Data\Default\Cookies" "select name, expires_utc from cookies where host_key like '%reimageplus.com' and name like '_campaign_%'
  • %User Temp%\sqlite3.exe %AppDataLocal%\Google\Chrome\User Data\Default\Cookies" "select name, expires_utc from cookies where host_key like '%reimageplus.com' and name like '_country_%'
  • %User Temp%\sqlite3.exe %AppDataLocal%\Google\Chrome\User Data\Default\Cookies" "select name, expires_utc from cookies where host_key like '%reimageplus.com' and name like '_trackid_%'
  • %User Temp%\sqlite3.exe %AppDataLocal%\Google\Chrome\User Data\Default\Cookies" "select name, expires_utc from cookies where host_key like '%reimageplus.com' and name like '_tracking_%'
  • %User Temp%\sqlite3.exe %AppDataLocal%\Google\Chrome\User Data\Default\Cookies" "select value, expires_utc from cookies where host_key like '%reimageplus.com' and name='_campaign'
  • %User Temp%\sqlite3.exe %AppDataLocal%\Google\Chrome\User Data\Default\Cookies" "select value, expires_utc from cookies where host_key like '%reimageplus.com' and name='_country'
  • %User Temp%\sqlite3.exe %AppDataLocal%\Google\Chrome\User Data\Default\Cookies" "select value, expires_utc from cookies where host_key like '%reimageplus.com' and name='_trackid'
  • %User Temp%\sqlite3.exe %AppDataLocal%\Google\Chrome\User Data\Default\Cookies" "select value, expires_utc from cookies where host_key like '%reimageplus.com' and name='_tracking'
  • regsvr32 /s "%Program Files%\Reimage\Reimage Repair\REI_Axcontrol.dll"
  • regsvr32 /s "%Program Files%\Reimage\Reimage Repair\REI_Engine.dll"
  • regsvr32 /s "%Windows%\system32\jscript.dll"
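Two behaviours in the process list above are worth a detection of their own: the NSIS stub runs `tasklist /FI "IMAGENAME eq ..."` for traffic-inspection and analysis tools (Fiddler, Wireshark, GeoProxy, HMA! Pro VPN), and a dropped `sqlite3.exe` reads the Firefox `moz_cookies` and Chrome `cookies` tables directly. The following Python is an added example written for this page, not code from the report or from the installer's vendor. It assumes Sysmon-style process-creation records with `image`, `parent_image` and `command_line` fields, and the sample events, user name and `nsA1B2.tmp` directory are constructed to mirror the command lines above; the installer's own self-checks (for Reimage.exe, avupdate.exe and so on) are deliberately not flagged, so the logic separates analysis-tool discovery from ordinary self-inspection.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Analysis and traffic-inspection tools that the installer's tasklist checks
# look for (taken from the process list above). Its checks for its own
# binaries (Reimage.exe, avupdate.exe, ...) are intentionally not listed.
ANALYSIS_TOOLS = {"fiddler.exe", "wireshark.exe", "geoproxy.exe", "hma! pro vpn.exe"}

# tasklist /FI "IMAGENAME eq <name>"  ->  capture <name>, spaces included
TASKLIST_FILTER = re.compile(r'tasklist\s+/FI\s+"IMAGENAME\s+eq\s+([^"]+)"', re.IGNORECASE)
# SQL against the Firefox (moz_cookies) or Chrome (cookies) cookie tables
COOKIE_TABLE = re.compile(r"\bfrom\s+(moz_cookies|cookies)\b", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Minimal Sysmon-style process-creation record (assumed field names)."""
    image: str
    parent_image: str
    command_line: str


def classify(event: ProcessEvent) -> list[str]:
    """Return the behaviours from the report that this single event exhibits."""
    findings: list[str] = []
    m = TASKLIST_FILTER.search(event.command_line)
    if m and m.group(1).strip().lower() in ANALYSIS_TOOLS:
        findings.append(f"analysis-tool discovery: {m.group(1).strip()}")
    t = COOKIE_TABLE.search(event.command_line)
    if event.image.lower().endswith("sqlite3.exe") and t:
        findings.append(f"browser cookie store read via sqlite3 ({t.group(1).lower()})")
    return findings


def scan(events: list[ProcessEvent]) -> list[tuple[ProcessEvent, list[str]]]:
    """Run classify() over a batch and keep only the events that matched."""
    hits = []
    for ev in events:
        found = classify(ev)
        if found:
            hits.append((ev, found))
    return hits


# Constructed sample events modelled on the process list above. The user
# name, the nsA1B2.tmp directory and the benign events are invented.
TMP = r"C:\Users\alice\AppData\Local\Temp"
NSIS_STUB = TMP + r"\nsA1B2.tmp\nsA1B2.tmp"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    ProcessEvent(CMD, NSIS_STUB,
                 r'cmd /C tasklist /FI "IMAGENAME eq Wireshark.exe" > ' + TMP + r"\IsProcessActive.txt"),
    ProcessEvent(CMD, NSIS_STUB,
                 r'cmd /C tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" > ' + TMP + r"\IsProcessActive.txt"),
    # self-check for the installer's own binary: not analysis-tool discovery
    ProcessEvent(CMD, NSIS_STUB,
                 r'cmd /C tasklist /FI "IMAGENAME eq Reimage.exe" > ' + TMP + r"\IsProcessActive.txt"),
    ProcessEvent(TMP + r"\sqlite3.exe", NSIS_STUB,
                 TMP + r'''\sqlite3.exe "C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\dxxbjsgn.default\cookies.sqlite" '''
                 r'''"select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_campaign'"'''),
    ProcessEvent(TMP + r"\sqlite3.exe", NSIS_STUB,
                 TMP + r'''\sqlite3.exe "C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies" '''
                 r'''"select name, expires_utc from cookies where host_key like '%reimageplus.com' and name like '_campaign_%'"'''),
    # benign: an admin listing a process, and a developer querying an app database
    ProcessEvent(CMD, r"C:\Windows\explorer.exe", r'cmd /C tasklist /FI "IMAGENAME eq notepad.exe"'),
    ProcessEvent(r"C:\Tools\sqlite3.exe", r"C:\Windows\explorer.exe",
                 r'sqlite3.exe "C:\data\app.db" "select count(*) from users"'),
]

if __name__ == "__main__":
    for ev, found in scan(SAMPLE_EVENTS):
        print(f"{ev.image} <- {ev.parent_image}")
        for f in found:
            print(f"    {f}")
```

The tasklist rule keys on the target name rather than on `tasklist` itself, because process listing is routine on any host; the sqlite3 rule keys on the cookie table names rather than the file path so that it catches both browsers and a profile directory in any location. In practice both rules should be correlated with the parent being an `ns{random}.tmp` stub under %User Temp%, as in the report, to keep the signal tight.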

Other System Modifications

It adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Reimage\
Reimage Repair
Installer Language = {value}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Reimage Repair
DownloaderVersion = 1.9.5.6

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\App Paths\
Reimage.exe
(default) = %Program Files%\Reimage\Reimage Repair\Reimage.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Reimage Repair
DisplayName = Reimage Repair

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Reimage Repair
UninstallString = %Program Files%\Reimage\Reimage Repair\uninst.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Reimage Repair
DisplayIcon = %Program Files%\Reimage\Reimage Repair\Reimage_uninstall.ico

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Reimage Repair
DisplayVersion = 1.9.5.6

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Reimage Repair
URLInfoAbout = http://www.{BLOCKED}plus.com

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Reimage Repair
Publisher = Reimage

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Reimage Repair
InstallFile = %Program Files%\Reimage\Reimage Repair\Reimage.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Reimage Repair
InstallLocation = %Program Files%\Reimage\Reimage Repair

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Reimage Repair
VersionMajor = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Reimage Repair
VersionMinor = 956

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}
(default) = REI_AxControl

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\REI_AxControl.DLL
AppID = {28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}
(default) = CompReg Class

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}\InprocServer32
(default) = %Program Files%\Reimage\Reimage Repair\REI_Axcontrol.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}\InprocServer32
ThreadingModel = Apartment

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}\TypeLib
(default) = {FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
REI_AxControl.ReiEngine.1
(default) = ReiEngine Class

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
REI_AxControl.ReiEngine.1\CLSID
(default) = {10ECCE17-29B5-4880-A8F5-EAD298611484}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
REI_AxControl.ReiEngine
(default) = ReiEngine Class

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
REI_AxControl.ReiEngine\CLSID
(default) = {10ECCE17-29B5-4880-A8F5-EAD298611484}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
REI_AxControl.ReiEngine\CurVer
(default) = REI_AxControl.ReiEngine.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}
(default) = ReiEngine Class

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\ProgID
(default) = REI_AxControl.ReiEngine.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\VersionIndependentProgID
(default) = REI_AxControl.ReiEngine

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\InprocServer32
(default) = %Program Files%\Reimage\Reimage Repair\REI_Axcontrol.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\InprocServer32
ThreadingModel = Apartment

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}
AppID = {28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\ToolboxBitmap32
(default) = %Program Files%\Reimage\Reimage Repair\REI_Axcontrol.dll, 102

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\MiscStatus
(default) = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\MiscStatus\
1
(default) = 132497

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\TypeLib
(default) = {FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\Version
(default) = 1.0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0
(default) = REI_AxControl 1.0 Type Library

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0\
FLAGS
(default) = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0\
0\win32
(default) = %Program Files%\Reimage\Reimage Repair\REI_Axcontrol.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0\
HELPDIR
(default) = %Program Files%\Reimage\Reimage Repair

HKEY_LOCAL_MACHINE\SOFTWARE\Volatile\
00\MACHINE\SOFTWARE\
Classes\Interface\{A817E7A2-43FA-11D0-9E44-00AA00B6770A}\
ProxyStubClsid
(default) = {00020424-0000-0000-C000-000000000046}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}
(default) = _IReiEngineEvents

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}\ProxyStubClsid
(default) = {00020420-0000-0000-C000-000000000046}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}\ProxyStubClsid32
(default) = {00020420-0000-0000-C000-000000000046}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}\TypeLib
(default) = {FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}\TypeLib
Version = 1.0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}
(default) = IReiEngine

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}\ProxyStubClsid
(default) = {00020424-0000-0000-C000-000000000046}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}\ProxyStubClsid32
(default) = {00020424-0000-0000-C000-000000000046}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}\TypeLib
(default) = {FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}\TypeLib
Version = 1.0

It modifies the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\Session Manager
PendingFileRenameOperations = {Original data}, \??\%User Temp%\ns{random}.tmp\registry.dll, \??\%User Temp%\ns{random}.tmp\stack.dll, \??\%User Temp%\ns{random}.tmp\, \??\%User Temp%\ns{random}.tmp\xml.dll

Other Details

It adds the following registry keys as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Reimage

HKEY_LOCAL_MACHINE\SOFTWARE\Reimage\
Reimage Repair

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Reimage Repair

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\REI_AxControl.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}\TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
REI_AxControl.ReiEngine.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
REI_AxControl.ReiEngine.1\CLSID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
REI_AxControl.ReiEngine

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
REI_AxControl.ReiEngine\CLSID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
REI_AxControl.ReiEngine\CurVer

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\ProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\VersionIndependentProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\Programmable

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\Control

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\ToolboxBitmap32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\MiscStatus

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\MiscStatus\
1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\Version

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0\
FLAGS

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0\
0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0\
0\win32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0\
HELPDIR

HKEY_LOCAL_MACHINE\SOFTWARE\Volatile

HKEY_LOCAL_MACHINE\SOFTWARE\Volatile\
00

HKEY_LOCAL_MACHINE\SOFTWARE\Volatile\
00\MACHINE

HKEY_LOCAL_MACHINE\SOFTWARE\Volatile\
00\MACHINE\SOFTWARE

HKEY_LOCAL_MACHINE\SOFTWARE\Volatile\
00\MACHINE\SOFTWARE\
Classes

HKEY_LOCAL_MACHINE\SOFTWARE\Volatile\
00\MACHINE\SOFTWARE\
Classes\Interface

HKEY_LOCAL_MACHINE\SOFTWARE\Volatile\
00\MACHINE\SOFTWARE\
Classes\Interface\{A817E7A2-43FA-11D0-9E44-00AA00B6770A}

HKEY_LOCAL_MACHINE\SOFTWARE\Volatile\
00\MACHINE\SOFTWARE\
Classes\Interface\{A817E7A2-43FA-11D0-9E44-00AA00B6770A}\
ProxyStubClsid

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}\ProxyStubClsid

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}\ProxyStubClsid32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}\TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}\ProxyStubClsid

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}\ProxyStubClsid32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}\TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\App Paths\
Reimage.exe

It connects to the following possibly malicious URL:

  • http://www.{BLOCKED}eplus.com/includes/install_start.php?m_trackid=&m_tracking=&m_campaign=&minorsessionid={generated Minor Session ID}&sessionid={generated Session ID}&t=CONSUMER&a=ENABLED&u=ENABLED&c=DISABLED&v={version}
  • http://cdnrep.{BLOCKED}e.com/downloader_version.xml
  • http://cdnrep.{BLOCKED}e.com/repair_version.xml
  • http://www.{BLOCKED}eplus.com/events4mem.php?version={version}&SessionID={generated Session ID}&MinorSessionID={generated Minor Session ID}&id=INSVR&param={version}&trackutil=
  • http://www.{BLOCKED}eplus.com/events4mem.php?version={version}&SessionID={generated Session ID}&MinorSessionID={generated Minor Session ID}&id=LANG&param=en&trackutil=
  • http://cdnrep.{BLOCKED}eplus.com/ver/ReimagePackage{version}b.exe
  • http://cdnrep.{BLOCKED}eplus.com/cfl/cfl{version}b.rei
  • http://www.{BLOCKED}eplus.com/events4mem.php?version={version}&SessionID={generated Session ID}&MinorSessionID={generated Minor Session ID}&id=PKSPA&param=Skip<*>New&trackutil=
  • http://www.{BLOCKED}eplus.com/includes/install_end.php?m_trackid=&m_tracking=&m_campaign=&minorsessionid={generated Minor Session ID}&sessionid={generated Session ID}&v=1.9.5.6
  • http://www.{BLOCKED}eplus.com/events4mem.php?version={version}&SessionID={generated Session ID}&MinorSessionID={generated Minor Session ID}&id=INSST&param=Downloader%20Started<*>New&trackutil=
  • http://www.{BLOCKED}eplus.com/events4mem.php?version={version}&SessionID={generated Session ID}&MinorSessionID={generated Minor Session ID}&id=PKGEX&param=user%20closed%20installer%20on%20finish%20page<*>New&trackutil=