Besoin d’aide ? Fais appel à la communauté ou embauche un spécialiste.
Aller à Avira Answers
Virus:ADWARE/Privitize.A
Date discovered:02/01/2013
Type:Adware
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low
File size:~809288 Bytes
VDF version:7.11.55.84 - Wednesday, January 2, 2013
IVDF version:7.11.55.84 - Wednesday, January 2, 2013

 General ADWARE/ - Adware

This class of detection flags software that display ads, usually in the internet browser by modifying displayed pages or opening aditional pages with ads. These adware programs are usually installed by the users themselves or come with other software that the users install themselves (usually in exchange for using the software for free or as a default install option).

Users might be unaware that this software was installed or of its behaviour. This detection is meant to flag the file and the behaviour as part of legitimate ad displaying software.

This detection can be disabled and is recommended if the user is aware of the software installed on his/her system and doesn't want this type of software to be detected.
Method of propagation:
   • No own spreading routine


Aliases:
   •  TrendMicro: TROJ_SPNR.08LS12
   •  Sophos: PrivitizeVPN
     Avast: NSIS:Adware-HT [PUP]
     AVG: Skodna.Generic_c.DA
   •  Eset: Win32/TopMedia.B
     Fortinet: Adware/TopMedia


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
    Windows Vista
    Windows Server 2008
    Windows 7


Side effects:
   • Can be used by rogue users or malware to lower security settings
   • Downloads a file
   • Drops files

 Files  It creates the following directories:
   • %HOME%\Local Settings\Temp\nsj1.tmp
   • %HOME%\Local Settings\Temp\nsj2.tmp



The following files are created:

Non malicious files:
   • %HOME%\Local Settings\Temp\nsj2.tmp\System.dll; %HOME%\Local
      Settings\Temp\nsj2.tmp\Math.dll; %HOME%\Local
      Settings\Temp\PromoEngineInstaller\InstallerService.dll; %HOME%\Local
      Settings\Temp\PromoEngineInstaller\NETWrapper.dll; %HOME%\Local
      Settings\Temp\nsj2.tmp\lzma.exe; %HOME%\Local
      Settings\Temp\nsj2.tmp\NSISList.dll; %HOME%\Local
      Settings\Temp\nsj2.tmp\NSISdl.dll; %HOME%\Local Settings\Temp\gui.xml;
      %HOME%\Local Settings\Temp\nsj2.tmp\xml.dll; %HOME%\Local
      Settings\Temporary Internet Files\Content.IE5\index.dat;
      %HOME%\Cookies\index.dat; %HOME%\Local
      Settings\History\History.IE5\index.dat;
      %HOME%\Cookies\biluta@privitize[1].txt; %HOME%\Local
      Settings\Temp\nsj2.tmp\ioSpecial.ini; %HOME%\Local
      Settings\Temp\nsj2.tmp\modern-wizard.bmp; %HOME%\Local
      Settings\Temp\nsj2.tmp\nsDialogs.dll; %HOME%\Local
      Settings\Temp\nsj2.tmp\ButtonEvent.dll; %HOME%\Local
      Settings\Temp\nsj2.tmp\ThreadTimer.dll




It tries to download a file:

The location is the following:
   • http://c1.zoomex.net/addons/prvtzd_dub.exe
Furthermore this file gets executed after it was fully downloaded.

 Registry The following registry keys are added:

[HKCU\Software\StartSearch\plug-in]
   • "uudata"="d568313c-570f-11e2-978a-000c291a3bc6"

[HKCU\SOFTWARE\StartSe]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
   • "MigrateProxy"=dword:00000001
   • "ProxyEnable"=dword:00000000
   • "ProxyServer"=-
   • "ProxyOverride"=-
   • "AutoConfigURL"=-

Description insérée par Elias Lan le samedi 5 janvier 2013
Description mise à jour par Elias Lan le samedi 5 janvier 2013

Retour . . . .
https:// Cet écran est crypté pour votre sécurité.