Name: Adware/InstallBrain.646
Discovery date: 03/09/2012
Type: Adware/Spyware
In the wild: No
Reported infections: Low to medium
Distribution potential: Low
Damage potential: Low
File size: 680,000 bytes
MD5 checksum: df50e954d52e1b0A80d144890504f1c6
VDF version: 7.11.41.170 - Monday, 3 September 2012
IVDF version: 7.11.41.170 - Monday, 3 September 2012

General
Propagation method:
   • It does not have its own propagation routine


Alias:
   • Eset: a variant of Win32/InstallBrain.E application


Platforms / Operating systems:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • It modifies the registry


Immediately after execution, the following information is displayed:


Files
It copies itself to the following locations:
   • %TEMP%Install PC Performer43349.exe
   • %ALLUSERSPROFILE%\Application Data\IBUpdaterService\ibsvc.exe



It renames the following files:

   • %TEMP%\ibtmp1404376\component_383.part to %TEMP%\ibtmp1404376\component_383
   • %TEMP%\ibtmp1404376\component_358.part to %TEMP%\ibtmp1404376\component_358



The following files are created:

Harmless files:
   • %SYSDIR%\wbem\Logs\wbemprox.log
   • %ALLUSERSPROFILE%\Application Data\IBUpdaterService\repository.xml
   • %WINDIR%\Prefetch\IPCONFIG.EXE-2395F30B.pf
   • %WINDIR%\Prefetch\FM.SCR-3175FC38.pf
   • %WINDIR%\Prefetch\RM.SCR-1F32C8B2.pf
   • %WINDIR%\Prefetch\PE.EXE-229E0722.pf
   • %WINDIR%\Prefetch\TV.SCR-16E1F612.pf
   • %WINDIR%\Prefetch\HOOKANALYZER.EXE-0541B1DE.pf
   • %WINDIR%\Prefetch\MEMDUMP.EXE-36CE8D46.pf
   • %TEMP%\734.bat
   • %WINDIR%\Prefetch\CMD.EXE-087B4001.pf

Files that can be deleted afterwards:
   • %TEMP%\3.tmp
   • %HOME%\Desktop\Continue Install PC Performer installation.lnk
   • %TEMP%\4.tmp
   • %TEMP%\ibtmp1404376\config\1556.html
   • %TEMP%\ibtmp1404376\config\1558.html
   • %TEMP%\ibtmp1404376\config\1559.html
   • %TEMP%\ibtmp1404376\config\1966.html
   • %TEMP%\ibtmp1404376\config\1967.html
   • %TEMP%\ibtmp1404376\config\2055.html
   • %TEMP%\ibtmp1404376\config\2202.html
   • %TEMP%\ibtmp1404376\config\ib\main.css
   • %TEMP%\ibtmp1404376\config\js\config.js
   • %TEMP%\ibtmp1404376\config\events\events.js
   • %TEMP%\ibtmp1404376\config\js\jquery-1.7.min.js
   • %TEMP%\ibtmp1404376\config\js\jquery.noselect.min.js
   • %TEMP%\ibtmp1404376\config\js\smart.js
   • %TEMP%\ibtmp1404376\intallLog
   • %TEMP%\ibtmp1404376\component_383.decrpt
   • %TEMP%\ibtmp1404376\component_358.decrpt
   • %TEMP%\upd5.tmp
   • %WINDIR%\Temp\6.tmp
   • %TEMP%\ibtmp1404376\component_358
   • %TEMP%\ibtmp1404376\component_383
   • %TEMP%\ibtmp1404376\config\js
   • %TEMP%\ibtmp1404376\config\ib
   • %TEMP%\ibtmp1404376\config\events
   • %TEMP%\ibtmp1404376\config
   • %TEMP%\ibtmp1404376

Registry
The following registry keys are added in order to load the services after a reboot:

[HKLM\SOFTWARE\Microsoft\Rpc]
   • "UuidSequenceNumber"=dword:017f6d21

[HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SCHEDULE\0000\Control]
   • "ActiveService"="Schedule"



The following registry keys are added:

[HKCU\Software\Microsoft\Windows Script\Settings]
   • "JITDebug"=dword:00000000

[HKLM\SYSTEM\ControlSet001\Services\IBUpdaterService]
   • "Type"=dword:00000020
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000001
   • "ImagePath"="\"C:\Documents and Settings\\All Users\\Application Data\\IBUpdaterService\\ibsvc.exe\" /SERVICE"
   • "DisplayName"="Updater Service"
   • "ObjectName"="LocalSystem"
   • "FailureActions"=hex:ff,ff,ff,ff,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,\00,01,00,00,00,30,75,00,00
   • "Description"="Updater Service"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Updater Service]
   • "NoModify"=dword:00000001
   • "NoRepair"=dword:00000001
   • "DisplayName"="Updater Service"
   • "UninstallString"="\"C:\Documents and Settings\\All Users\\Application Data\\IBUpdaterService\\ibsvc.exe\" /UNINSTALL"
   • "DisplayVersion"="14,12,8,9"
   • "VersionMajor"=dword:0000000e
   • "VersionMinor"=dword:0000000c
   • "InstallLocation"="C:\Documents and Settings\\All Users\\Application Data\\IBUpdaterService"

[HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_IBUPDATERSERVICE]
   • "NextInstance"=dword:00000001

[HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_IBUPDATERSERVICE\0000]
   • "Service"="IBUpdaterService"
   • "Legacy"=dword:00000001
   • "ConfigFlags"=dword:00000000
   • "Class"="LegacyDriver"
   • "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
   • "DeviceDesc"="Updater Service"

[HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_IBUPDATERSERVICE\0000\Control]
   • "*NewlyCreated*"=dword:00000000
   • "ActiveService"="IBUpdaterService"

[HKLM\SYSTEM\ControlSet001\Services\IBUpdaterService\Enum]
   • "0"="Root\\LEGACY_IBUPDATERSERVICE\\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001

[HKLM\SOFTWARE\PerformerSoft\PC Performer]
   • "RCPURL"="http://performersoft.com/pcperformer/buy/pcp-buy-redirect.php?cid=290&clickid=0009814971143989483&tid=/pcperformer/rh/rh/st2/trial/pcperformer-rh-rh-st2-trial-jp.php"
   • "RENEWALURL"="http://performersoft.com/pcperformer/buy/pcp-buy-redirect.php?renew=1&cid=290&clickid=0009814971143989483&tid=/pcperformer/rh/rh/st2/trial/pcperformer-rh-rh-st2-trial-jp.php"
   • "INSTALL_URL"="http://performersoft.com/pcperformer/welcome/index.php?cid=290&clickid=0009814971143989483&tid=/pcperformer/rh/rh/st2/trial/pcperformer-rh-rh-st2-trial-jp.php&uniqueid=f90d803d7bb246b8a890d6d8b6800dd5_134099023964"
   • "UNINSTALL_URL"="http://performersoft.com/pcperformer/afteruninstall.php?cid=290&clickid=0009814971143989483"

[HKEY_USERS\.DEFAULT\Software\IBUpdaterService]
   • "selfupdate"=hex:3a,e3,ed,4f,00,00,00,00

[HKLM\SECURITY\Policy\Secrets\SAI]
   • @=hex:10,fd,a7,23,1b,56,cd,01

[HKLM\SECURITY\Policy\Secrets\SAC]
   • @=hex:2c,4b,b6,23,1b,56,cd,01

Miscellaneous information
Accesses the following Internet resources:
   • d2qsma9t6l5kt7.cloud**********.net
   • settings.price**********.com
   • xml.price**********.com
   • www.performer**********.com
   • cdn.optimi**********.com
   • log3.optimi**********.com
   • 10.xg4**********.com
   • swif**********.com
   • clk**********.com
   • dev.visualwebsite**********.com

Description inserted by Wensin Lee on Wednesday, 5 September 2012
Description updated by Wensin Lee on Wednesday, 5 September 2012
