Virus: Adware/InstallRex.A
Date discovered: 21/11/2012
Type: Adware/Spyware
In the wild: No
Reported Infections: Low to medium
Distribution Potential: Low
Damage Potential: Low
VDF version: 7.11.50.196 - Wednesday, November 21, 2012
IVDF version: 7.11.50.196 - Wednesday, November 21, 2012

General

Method of propagation:
• No own spreading routine

Alias:
• Eset: Win32/InstalleRex.E.Gen application

Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003
• Windows Vista
• Windows Server 2008
• Windows 7

Side effects:
• Registry modification

Right after execution the following information is displayed:

Files

The following files are created:

– Non-malicious files:
  • %temp%\88.log
  • %temp%\3946B197.dat
  • %temp%\{1F23EA60-4881-4EDC-AC37-00A3C4C0C896}\_Setup.dll
  • %temp%\{1F23EA60-4881-4EDC-AC37-00A3C4C0C896}\Setup.ico
  • %temp%\{1F23EA60-4881-4EDC-AC37-00A3C4C0C896}\Readme.txt
  • %temp%\{1F23EA60-4881-4EDC-AC37-00A3C4C0C896}\_Setupx.dll
  • %temp%\{1F23EA60-4881-4EDC-AC37-00A3C4C0C896}\Setup.exe

– A temporary file that might be deleted afterwards:
  • %temp%\Tsu55A4AB9A.dll

Registry

The following registry keys are added in order to load the services after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
  • "LoadAppInit_DLLs"="dword:0x00000001"

– [HKLM\SYSTEM\ControlSet001\Control\Session Manager]
  • "PendingFileRenameOperations"="\??\C:\DOCUME~1\VANCIE~1\LOCALS~1\Temp\Tsu3F3FC0E0.dll"

The following registry keys are added:

– [HKCR\CLSID\{3F0B614B-A408-43C7-FEC1-4EBBED7257D7}]
  • "(Default)"="continuetosave"

– [HKCR\CLSID\{3F0B614B-A408-43C7-FEC1-4EBBED7257D7}\ProgID]
  • "(Default)"="continuetosave.1"

– [HKCR\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32]
  • "(Default)"="%ALLUSERSPROFILE%\Application Data\continuetosave\50eb7f9eb5e3c.tlb"

– [HKCR\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR]
  • "(Default)"="%ALLUSERSPROFILE%\Application Data\continuetosave"

– [HKCU\Software\AppDataLow\SProtector\_09b71135]
  • "date"="1357669189"

– [HKCU\Software\AppDataLow\SProtector\_09b71135\eae10f9d]
  • "0c230bcb"="///%"
  • "340d3099"="/P////%%"
  • "37b7a6d8"="UlAp/X2/blAh/XD/a/Am/Xh/FPAh/XJ/UlAl/Xx/b//k/YV/b/Af/X6/c/Au/XV/c/Ak/YZ/UxAl/Xx/b/////%%"
  • "414bc593"="///%"
  • "51d2f2ea"="PlAk/X2/c/Ap/X2/cPAu/WP/alAI/XD/cxAu/B//VP/j/CF/Mx////%%"
  • "72758a5d"="/P////%%"
  • "b10ed930"="///%"
  • "d94388d2"="clA1/Yb/UxAh/YZ/FPAs/Xm/axAm/B2/HPAj/XF/al////%%"
  • "e46c271e"="///%"
  • "f0bf0bde"="///%"

– [HKCU\Software\AppDataLow\SProtector\_09b71135]
  • "uiid"="844804067"
  • "upid"="538"
  • "usid"="952665102"
  • "uuid"="b6826bde-d88147f2-be999560-01cdedcc"

– [HKLM\SOFTWARE\Classes\CLSID\{3F0B614B-A408-43C7-FEC1-4EBBED7257D7}]
  • "(Default)"="continuetosave"

– [HKLM\SOFTWARE\Classes\CLSID\{3F0B614B-A408-43C7-FEC1-4EBBED7257D7}\ProgID]
  • "(Default)"="continuetosave.1"

– [HKLM\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32]
  • "(Default)"="%ALLUSERSPROFILE%\Application Data\continuetosave\50eb7f9eb5e3c.tlb"

– [HKLM\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR]
  • "(Default)"="%ALLUSERSPROFILE%\Application Data\continuetosave"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{83C2D41C-5B78-4EE8-AC03-135A5821F6EA}]
  • "CategoryName"="ContinueToSave"
  • "DisplayIcon"="%ALLUSERSPROFILE%\Application Data\InstallMate\{83C2D41C-5B78-4EE8-AC03-135A5821F6EA}\Setup.ico"
  • "DisplayName"="ContinueToSave"
  • "InstallLocation"="C:\DOCUME~1\VANCIE~1\LOCALS~1\Temp"
  • "InstallSource"="C:\DOCUME~1\VANCIE~1\LOCALS~1\Temp\{1F23EA60-4881-4EDC-AC37-00A3C4C0C896}\Addons"
  • "ModifyPath"="C:\DOCUME~1\ALLUSE~1\APPLIC~1\INSTAL~1\{83C2D~1\Setup.exe /q0"
  • "QuietUninstallString"="C:\DOCUME~1\ALLUSE~1\APPLIC~1\INSTAL~1\{83C2D~1\Setup.exe /remove /q"
  • "TinFolder"="%ALLUSERSPROFILE%\Application Data\InstallMate\{83C2D41C-5B78-4EE8-AC03-135A5821F6EA}"
  • "TinVersion"="7026"
  • "TizPath"="C:\DOCUME~1\VANCIE~1\LOCALS~1\Temp\{1F23EA60-4881-4EDC-AC37-00A3C4C0C896}\Addons\uninstaller_setup.exe"
  • "UninstallString"="C:\DOCUME~1\ALLUSE~1\APPLIC~1\INSTAL~1\{83C2D~1\Setup.exe /remove /q0"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C1C6816E-CBB3-A748-85F9-A8B47B68985B}]
  • "CategoryName"="ContinueToSave"
  • "DisplayIcon"="%ALLUSERSPROFILE%\Application Data\continuetosave\uninstall.exe"
  • "UninstallString"=""%ALLUSERSPROFILE%\Application Data\continuetosave\uninstall.exe" /path=%ALLUSERSPROFILE%\Application Data\continuetosave"
  • "URLInfoAbout"="http://continuetosave.info/"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CFE9DCA9-6AAF-294D-751F-E9BB5579F2C0}]
  • "TizPath"="c:\sample.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ContinueToSave]
  • "CategoryName"="ContinueToSave"
  • "DisplayIcon"="%ALLUSERSPROFILE%\Application Data\InstallMate\ContinueToSave\Setup.ico"
  • "DisplayName"=""
  • "DisplayVersion"="1.0"
  • "EstimatedSize"="dword:0x000000e4"
  • "InstallDate"="20120108"
  • "InstallLocation"="%ALLUSERSPROFILE%\Application Data\Premium\ContinueToSave"
  • "InstallSource"="C:\DOCUME~1\VANCIE~1\LOCALS~1\Temp\{1F23EA60-4881-4EDC-AC37-00A3C4C0C896}\Addons"
  • "Language"="dword:0x00000409"
  • "ModifyPath"="C:\DOCUME~1\ALLUSE~1\APPLIC~1\INSTAL~1\CONTIN~1\Setup.exe /q0"
  • "Publisher"="Premium"
  • "QuietUninstallString"="C:\DOCUME~1\ALLUSE~1\APPLIC~1\INSTAL~1\CONTIN~1\Setup.exe /remove /q"
  • "TinFolder"="%ALLUSERSPROFILE%\Application Data\InstallMate\ContinueToSave"
  • "TinVersion"="7025"
  • "TizPath"="C:\DOCUME~1\VANCIE~1\LOCALS~1\Temp\{1F23EA60-4881-4EDC-AC37-00A3C4C0C896}\Addons\agent_setup.exe"
  • "TSAware"="dword:0x00000001"
  • "UninstallString"="C:\DOCUME~1\ALLUSE~1\APPLIC~1\INSTAL~1\CONTIN~1\Setup.exe /remove /q0"
  • "Version"="dword:0x01000000"
  • "VersionMajor"="dword:0x00000001"
  • "VersionMinor"="dword:0x00000000"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SP_09b71135]
  • "UninstallString"=""%PROGRAM FILES%\ContinueToSave\uninstall.exe" /FULLPATH="%PROGRAM FILES%\ContinueToSave""

– [HKLM\SOFTWARE\SP Global]
  • "9c193b40"="c:\progra~1\contin~1\sprote~1.dll"

– [HKLM\SOFTWARE\SProtector\_09b71135]
  • "date"="1357669189"

– [HKLM\SOFTWARE\SProtector\_09b71135\eae10f9d]
  • "0c230bcb"="///%"
  • "340d3099"="/P////%%"
  • "37b7a6d8"="UlAp/X2/blAh/XD/a/Am/Xh/FPAh/XJ/UlAl/Xx/b//k/YV/b/Af/X6/c/Au/XV/c/Ak/YZ/UxAl/Xx/b/////%%"
  • "414bc593"="///%"
  • "72758a5d"="/P////%%"
  • "b10ed930"="///%"
  • "d94388d2"="clA1/Yb/UxAh/YZ/FPAs/Xm/axAm/B2/HPAj/XF/al////%%"
  • "e46c271e"="///%"
  • "f0bf0bde"="///%"

– [HKLM\SOFTWARE\SProtector\_09b71135]
  • "Install_Dir"="%PROGRAM FILES%\ContinueToSave"
  • "state"="dword:0x00000000"
  • "uiid"="844804067"
  • "upid"="538"
  • "usid"="952665102"
  • "uuid"="b6826bde-d88147f2-be999560-01cdedcc"
  • "version"="dword:0x0142046d"

The following registry key is changed:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
  Old value:
  • "AppInit_DLLs"=""
  New value:
  • "AppInit_DLLs"="c:\progra~1\contin~1\sprote~1.dll"

Miscellaneous

In order to check for its internet connection the following DNS servers are contacted:
• r1.stora**********l1.info
• c1.stora**********l1.info
• plu**********es.info
Description inserted by Wensin Lee on Tuesday, January 8, 2013
Description updated by Wensin Lee on Tuesday, January 8, 2013