Virus: ADWARE/InstallBrain.AF.3
Date discovered: 29/04/2013
Type: Adware
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
VDF version: 7.11.74.206 - Monday, April 29, 2013
IVDF version: 7.11.74.206 - Monday, April 29, 2013

General
Method of propagation:
   • No own spreading routine


Alias:
   •  Eset: a variant of Win32/InstallBrain.Y application


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Registry modification


Right after execution, the following information is displayed:


Files
The following files are created:

– Temporary files that might be deleted afterwards:
   • %temp%\ibtmpf990472\config\softango-mask.bmp
   • %temp%\ibtmpf990472\config\speedanalysis.ico
   • %temp%\ibtmpf990472\config\2074.html
   • %temp%\ibtmpf990472\config\2075.html
   • %temp%\ibtmpf990472\config\2077.html
   • %temp%\ibtmpf990472\config\3186.html
   • %temp%\ibtmpf990472\config\3466.html
   • %temp%\ibtmpf990472\config\3572.html
   • %temp%\ibtmpf990472\config\run.html
   • %temp%\ibtmpf990472\config\softango\main.css
   • %temp%\ibtmpf990472\config\conditions\conditions.js
   • %temp%\ibtmpf990472\config\js\config.js
   • %temp%\ibtmpf990472\config\events\events.js
   • %temp%\ibtmpf990472\config\js\jquery-1.7.min.js
   • %temp%\ibtmpf990472\config\js\jquery.noselect.min.js
   • %temp%\ibtmpf990472\config\js\smart.j
   • %temp%\ibtmpf990472\component_358.par
   • %temp%\ibtmpf990472\component_625.part
   • %temp%\ibtmpf990472\component_613.part
   • %temp%\ibtmpf990472\intallLog
   • %temp%\ibtmpf990472\component_358.decrpt
   • %temp%\A.tmp

– %ALLUSERSPROFILE%\Application Data\IBUpdaterService\ibsvc.exe Furthermore, it is executed after it has been fully created.
– %appdata%\speedanalysis.ico
– %HOME%\Desktop\SpeedanAlysis.lnk
– %ALLUSERSPROFILE%\Application Data\IBUpdaterService\repository.xml Furthermore, it is executed after it has been fully created.

Registry
One of the following values is added in order to run the process after reboot:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "RDReminder"="%PROGRAM FILES%\PC Performer\PCPerformer.exe -rem"
   • "Softango Downloader213706.exe"=""%temp%\Softango Downloader213706.exe" /XML="%temp%\9.tmp" /ROS /STP=0:1"



The following registry keys are added:

– [HKCR\2.ScriptHostObject.1]
   • "(Default)"="Speed Analysis 2"

– [HKCR\2.ScriptHostObject.1\CLSID]
   • "(Default)"="{18DBB6CE-3148-4FEC-B481-103CB3290427}"

– [HKCR\2.ScriptHostObject]
   • "(Default)"="Speed Analysis 2"

– [HKCR\2.ScriptHostObject\CLSID]
   • "(Default)"="{18DBB6CE-3148-4FEC-B481-103CB3290427}"

– [HKCR\2.ScriptHostObject\CurVer]
   • "(Default)"="Speed Analysis 2.ScriptHostObject.1"

– [HKCR\AddonsFramework.Navbar.1]
   • "(Default)"="Navbar Class"

– [HKCR\AddonsFramework.Navbar.1\CLSID]
   • "(Default)"="{E65CE95B-56E9-47C9-8707-A1D1DE30760F}"

– [HKCR\AddonsFramework.Navbar]
   • "(Default)"="Navbar Class"

– [HKCR\AddonsFramework.Navbar\CLSID]
   • "(Default)"="{E65CE95B-56E9-47C9-8707-A1D1DE30760F}"

– [HKCR\AddonsFramework.Navbar\CurVer]
   • "(Default)"="AddonsFramework.Navbar.1"

– [HKCR\AddonsFramework.PropertySyncObj.1]
   • "(Default)"="PropertySyncObj Class"

– [HKCR\AddonsFramework.PropertySyncObj.1\CLSID]
   • "(Default)"="{EB93AADE-9884-47F0-AA9D-0920E1D1203F}"

– [HKCR\AddonsFramework.PropertySyncObj]
   • "(Default)"="PropertySyncObj Class"

– [HKCR\AddonsFramework.PropertySyncObj\CLSID]
   • "(Default)"="{EB93AADE-9884-47F0-AA9D-0920E1D1203F}"

– [HKCR\AddonsFramework.PropertySyncObj\CurVer]
   • "(Default)"="AddonsFramework.PropertySyncObj.1"

– [HKCR\AppID\{18B9B16E-716F-43DF-A6AD-512C7D2EB983}]
   • "(Default)"="PropertySync"

– [HKCR\AppID\{19975B78-1907-4DD6-A437-4C48120F46A4}]
   • "(Default)"="AddonsFramework"

– [HKCR\AppID\{562B9316-C08A-444A-9482-62080DD851AE}]
   • "(Default)"="Speed Analysis 2"

– [HKCR\AppID\{562B9317-C08A-444A-9482-62080DD851AE}]
   • "(Default)"="ButtonSite"

– [HKCR\AppID\AddonsFramework.DLL]
   • "AppID"="{19975B78-1907-4DD6-A437-4C48120F46A4}"

– [HKCR\AppID\ButtonSite.DLL]
   • "AppID"="{562B9317-C08A-444A-9482-62080DD851AE}"

– [HKCR\AppID\PropertySync.EXE]
   • "AppID"="{18B9B16E-716F-43DF-A6AD-512C7D2EB983}"

– [HKCR\AppID\ScriptHost.DLL]
   • "AppID"="{562B9316-C08A-444A-9482-62080DD851AE}"

– [HKCR\CLSID\{18DBB6CE-3148-4FEC-B481-103CB3290427}]
   • "(Default)"="Speed Analysis 2"

– [HKCR\CLSID\{18DBB6CE-3148-4FEC-B481-103CB3290427}\InprocServer32]
   • "(Default)"="%PROGRAM FILES%\Speed Analysis 2\ScriptHost.dll"

– [HKCR\ScriptHost.Tool.1]
   • "(Default)"="Tool Class"

– [HKCR\ScriptHost.Tool.1\CLSID]
   • "(Default)"="{4B48FBF2-BA2B-44C5-A20F-8E25D17FEF29}"

– [HKCR\ScriptHost.Tool]
   • "(Default)"="Tool Class"

– [HKCR\ScriptHost.Tool\CLSID]
   • "(Default)"="{4B48FBF2-BA2B-44C5-A20F-8E25D17FEF29}"

– [HKCR\ScriptHost.Tool\CurVer]
   • "(Default)"="ScriptHost.Tool.1"

– [HKCU\Software\Mozilla\Firefox\Extensions]
   • "speedanalysis02@SpeedAnalysis.com"="%appdata%\Mozilla\Extensions\speedanalysis02@SpeedAnalysis.com"

– [HKLM\SOFTWARE\Classes\2.ScriptHostObject.1]
   • "(Default)"="Speed Analysis 2"

– [HKLM\SOFTWARE\Classes\2.ScriptHostObject.1\CLSID]
   • "(Default)"="{18DBB6CE-3148-4FEC-B481-103CB3290427}"

– [HKLM\SOFTWARE\Classes\2.ScriptHostObject\CurVer]
   • "(Default)"="Speed Analysis 2.ScriptHostObject.1"

– [HKLM\SOFTWARE\Classes\AddonsFramework.Navbar.1]
   • "(Default)"="Navbar Class"

– [HKLM\SOFTWARE\Classes\AddonsFramework.Navbar.1\CLSID]
   • "(Default)"="{E65CE95B-56E9-47C9-8707-A1D1DE30760F}"

– [HKLM\SOFTWARE\Classes\AddonsFramework.Navbar]
   • "(Default)"="Navbar Class"

– [HKLM\SOFTWARE\Classes\AddonsFramework.Navbar\CLSID]
   • "(Default)"="{E65CE95B-56E9-47C9-8707-A1D1DE30760F}"

– [HKLM\SOFTWARE\Classes\AddonsFramework.Navbar\CurVer]
   • "(Default)"="AddonsFramework.Navbar.1"

– [HKLM\SOFTWARE\Classes\AddonsFramework.PropertySyncObj.1]
   • "(Default)"="PropertySyncObj Class"

– [HKLM\SOFTWARE\Classes\AddonsFramework.PropertySyncObj.1\CLSID]
   • "(Default)"="{EB93AADE-9884-47F0-AA9D-0920E1D1203F}"

– [HKLM\SOFTWARE\Classes\AddonsFramework.PropertySyncObj]
   • "(Default)"="PropertySyncObj Class"

– [HKLM\SOFTWARE\Classes\AddonsFramework.PropertySyncObj\CLSID]
   • "(Default)"="{EB93AADE-9884-47F0-AA9D-0920E1D1203F}"

– [HKLM\SOFTWARE\Classes\AddonsFramework.PropertySyncObj\CurVer]
   • "(Default)"="AddonsFramework.PropertySyncObj.1"

– [HKLM\SOFTWARE\Classes\AppID\{18B9B16E-716F-43DF-A6AD-512C7D2EB983}]
   • "(Default)"="PropertySync"

– [HKLM\SOFTWARE\Classes\AppID\{19975B78-1907-4DD6-A437-4C48120F46A4}]
   • "(Default)"="AddonsFramework"

– [HKLM\SOFTWARE\Classes\AppID\{562B9316-C08A-444A-9482-62080DD851AE}]
   • "(Default)"="Speed Analysis 2"

– [HKLM\SOFTWARE\Classes\AppID\{562B9317-C08A-444A-9482-62080DD851AE}]
   • "(Default)"="ButtonSite"

– [HKLM\SOFTWARE\Classes\AppID\AddonsFramework.DLL]
   • "AppID"="{19975B78-1907-4DD6-A437-4C48120F46A4}"

– [HKLM\SOFTWARE\Classes\AppID\ButtonSite.DLL]
   • "AppID"="{562B9317-C08A-444A-9482-62080DD851AE}"

– [HKLM\SOFTWARE\Classes\AppID\PropertySync.EXE]
   • "AppID"="{18B9B16E-716F-43DF-A6AD-512C7D2EB983}"

– [HKLM\SOFTWARE\Classes\AppID\ScriptHost.DLL]
   • "AppID"="{562B9316-C08A-444A-9482-62080DD851AE}"

– [HKLM\SOFTWARE\Classes\ScriptHost.Tool.1]
   • "(Default)"="Tool Class"

– [HKLM\SOFTWARE\Classes\ScriptHost.Tool.1\CLSID]
   • "(Default)"="{4B48FBF2-BA2B-44C5-A20F-8E25D17FEF29}"

– [HKLM\SOFTWARE\Classes\ScriptHost.Tool]
   • "(Default)"="Tool Class"

– [HKLM\SOFTWARE\Classes\ScriptHost.Tool\CLSID]
   • "(Default)"="{4B48FBF2-BA2B-44C5-A20F-8E25D17FEF29}"

– [HKLM\SOFTWARE\Classes\ScriptHost.Tool\CurVer]
   • "(Default)"="ScriptHost.Tool.1"

– [HKLM\SOFTWARE\Google\Chrome\Extensions\dgjkhjdcljddbedokogakmmdjgnbeanf]
   • "path"="%appdata%\SpeedAnalysis2\speedanalysis.crx"
   • "version"="1.0.0.0"

Miscellaneous
Internet connection:
In order to check for an internet connection, the following domains are contacted:
   • certificates.**********daddy.com
   • crl.**********daddy.com
   • softo**********.com
   • **********ango.com

Description inserted by Wensin Lee on Thursday, 2 May 2013
Description updated by Wensin Lee on Thursday, 2 May 2013
