Avira Virus Lab


PUA/Iolo.EL.3

Summary
  • Name
    PUA/Iolo.EL.3
  • Date discovered
    Dec 13, 2017
  • VDF version
    7.14.37.244 (2017-12-13 11:16)
Description

This detection class flags Potentially Unwanted Applications (PUA), which may compromise the user's privacy and the security of the local system. These are legitimate applications that often use social engineering to make the user install additional offers during the installation of the software the user originally wanted. A PUA classification results from software, an advert, or a website exhibiting one or more offending behaviors and/or properties. A full PUA list is available at http://www.avira.com/en/potentially-unwanted-applications. This detection does not mean that the file is malicious. However, if the file was installed on the system without the user's knowledge, the user's privacy or system security might be compromised. Disabling this detection is only recommended for advanced users who understand the risks and how to use these applications.

  • VDF
    7.14.37.244 (2017-12-13 11:16)
  • Files
    The following files are created:
    • %SYSDIR%\mfc45.dat
    • %WINDIR%\SysWOW64\mfc45.dat
    The following files are changed:
    • %WINDIR%\SysWOW64\mfc45.dat
    The following files are deleted:
    • %TEMPDIR%\%executed_sample_name%.madExcept
    • %TEMPDIR%
    The following drivers are loaded:
    • %WINDIR%\Globalization\Sorting\sortdefault.nls
    • %WINDIR%\SysWOW64\mfc45.dat
    • %TEMPDIR%\%executed_sample%
    • %WINDIR%\SysWOW64\en-US\KERNELBASE.dll.mui
    The following files are executed:
    • %WINDIR%\Globalization\Sorting\sortdefault.nls
    • %WINDIR%\SysWOW64\mfc45.dat
    • %TEMPDIR%\%executed_sample%
    • %WINDIR%\SysWOW64\en-US\KERNELBASE.dll.mui
  • Registry
    The following registry entries are added:
    • HKEY_CURRENT_USER\Software\Embarcadero\Locales ("%executed_sample%": "en")
    • HKEY_CURRENT_USER\Software\Embarca
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\iolo Applications ("MaxSize": "dword:00100000") ("Retention": "dword:00000000")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\System Mechanic
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\iolo Applications\System Mechanic ("EventMessageFile": "%APPDATA%\Roaming\iolo\EventMsg.dll") ("TypesSupported": "dword:00000007")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Service Manager
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\iolo Applications\Service Manager ("EventMessageFile": "%APPDATA%\Roaming\iolo\EventMsg.dll") ("TypesSupported": "dword:00000007")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\System Shield
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\iolo Applications\System Shield ("EventMessageFile": "%APPDATA%\Roaming\iolo\EventMsg.dll") ("TypesSupported": "dword:00000007")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\ActiveCare
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\iolo Applications\ActiveCare ("EventMessageFile": "%APPDATA%\Roaming\iolo\EventMsg.dll") ("TypesSupported": "dword:00000007")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Search and Recover
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\iolo Applications\Search and Recover ("EventMessageFile": "%APPDATA%\Roaming\iolo\EventMsg.dll") ("TypesSupported": "dword:00000007")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\DriveScrubber
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\iolo Applications\DriveScrubber ("EventMessageFile": "%APPDATA%\Roaming\iolo\EventMsg.dll") ("TypesSupported": "dword:00000007")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Installer
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\iolo Applications\Installer ("EventMessageFile": "%APPDATA%\Roaming\iolo\EventMsg.dll") ("TypesSupported": "dword:00000007")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\System Guard
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\iolo Applications\System Guard ("EventMessageFile": "%APPDATA%\Roaming\iolo\EventMsg.dll") ("TypesSupported": "dword:00000007")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Launch Manager
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\iolo Applications\Launch Manager ("EventMessageFile": "%APPDATA%\Roaming\iolo\EventMsg.dll") ("TypesSupported": "dword:00000007")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Tune-Up Definitions
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\iolo Applications\Tune-Up Definitions ("EventMessageFile": "%APPDATA%\Roaming\iolo\EventMsg.dll") ("TypesSupported": "dword:00000007")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Governor
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\iolo Applications\Governor ("EventMessageFile": "%APPDATA%\Roaming\iolo\EventMsg.dll") ("TypesSupported": "dword:00000007")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Memory Mechanic
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\iolo Applications\Memory Mechanic ("EventMessageFile": "%APPDATA%\Roaming\iolo\EventMsg.dll") ("TypesSupported": "dword:00000007")
    • HKEY_CURRENT_USER\Software\Embarcadero\Locales ("%TEMPDIR%\%executed_sample%": "en")
    • HKEY_CURRENT_USER\Software\Embarcadero\Locales
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications ("MaxSize": "1048576")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications ("Retention": "0")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\System Mechanic ("EventMessageFile": "%APPDATA%\Roaming\iolo\EventMsg.dll")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\System Mechanic ("TypesSupported": "7")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Service Manager ("EventMessageFile": "%APPDATA%\Roaming\iolo\EventMsg.dll")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Service Manager ("TypesSupported": "7")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\System Shield ("EventMessageFile": "%APPDATA%\Roaming\iolo\EventMsg.dll")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\System Shield ("TypesSupported": "7")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\ActiveCare ("EventMessageFile": "%APPDATA%\Roaming\iolo\EventMsg.dll")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\ActiveCare ("TypesSupported": "7")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Search and Recover ("EventMessageFile": "%APPDATA%\Roaming\iolo\EventMsg.dll")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Search and Recover ("TypesSupported": "7")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\DriveScrubber ("EventMessageFile": "%APPDATA%\Roaming\iolo\EventMsg.dll")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\DriveScrubber ("TypesSupported": "7")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Installer ("EventMessageFile": "%APPDATA%\Roaming\iolo\EventMsg.dll")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Installer ("TypesSupported": "7")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\System Guard ("EventMessageFile": "%APPDATA%\Roaming\iolo\EventMsg.dll")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\System Guard ("TypesSupported": "7")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Launch Manager ("EventMessageFile": "%APPDATA%\Roaming\iolo\EventMsg.dll")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Launch Manager ("TypesSupported": "7")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Tune-Up Definitions ("EventMessageFile": "%APPDATA%\Roaming\iolo\EventMsg.dll")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Tune-Up Definitions ("TypesSupported": "7")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Governor ("EventMessageFile": "%APPDATA%\Roaming\iolo\EventMsg.dll")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Governor ("TypesSupported": "7")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Memory Mechanic ("EventMessageFile": "%APPDATA%\Roaming\iolo\EventMsg.dll")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Memory Mechanic ("TypesSupported": "7")
    The following registry entries are changed:
    • HKEY_CURRENT_USER\Software\Embarcadero\Locales ("%TEMPDIR%\%executed_sample%": "en")
    • HKEY_CURRENT_USER\Software\Embarcadero\Locales
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications ("MaxSize": "1048576")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications ("Retention": "0")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\System Mechanic ("EventMessageFile": "%APPDATA%\Roaming\iolo\EventMsg.dll")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\System Mechanic ("TypesSupported": "7")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\System Mechanic
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Service Manager ("EventMessageFile": "%APPDATA%\Roaming\iolo\EventMsg.dll")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Service Manager ("TypesSupported": "7")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Service Manager
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\System Shield ("EventMessageFile": "%APPDATA%\Roaming\iolo\EventMsg.dll")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\System Shield ("TypesSupported": "7")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\System Shield
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\ActiveCare ("EventMessageFile": "%APPDATA%\Roaming\iolo\EventMsg.dll")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\ActiveCare ("TypesSupported": "7")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\ActiveCare
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Search and Recover ("EventMessageFile": "%APPDATA%\Roaming\iolo\EventMsg.dll")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Search and Recover ("TypesSupported": "7")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Search and Recover
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\DriveScrubber ("EventMessageFile": "%APPDATA%\Roaming\iolo\EventMsg.dll")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\DriveScrubber ("TypesSupported": "7")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\DriveScrubber
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Installer ("EventMessageFile": "%APPDATA%\Roaming\iolo\EventMsg.dll")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Installer ("TypesSupported": "7")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Installer
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\System Guard ("EventMessageFile": "%APPDATA%\Roaming\iolo\EventMsg.dll")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\System Guard ("TypesSupported": "7")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\System Guard
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Launch Manager ("EventMessageFile": "%APPDATA%\Roaming\iolo\EventMsg.dll")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Launch Manager ("TypesSupported": "7")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Launch Manager
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Tune-Up Definitions ("EventMessageFile": "%APPDATA%\Roaming\iolo\EventMsg.dll")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Tune-Up Definitions ("TypesSupported": "7")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Tune-Up Definitions
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Governor ("EventMessageFile": "%APPDATA%\Roaming\iolo\EventMsg.dll")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Governor ("TypesSupported": "7")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Governor
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Memory Mechanic ("EventMessageFile": "%APPDATA%\Roaming\iolo\EventMsg.dll")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Memory Mechanic ("TypesSupported": "7")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\iolo Applications\Memory Mechanic