Sample_37157dcb88

by malwarelabrobot on October 29th, 2014 in Malware Descriptions.

Behaviour: Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 37157dcb88ba930d5262bd534f241a5a
SHA1: e6a142419e3b50b77fdf0950f7494aa1f7ae12fd
SHA256: 935d5f98f9a73e6b3643edf1cff18939891354e75c29f76dcc27ad09cc1acf5c
SSDeep: 12288:C0gdVSCry+b7sRE9YzewxnK3RTo9+pqNTO0gcCre50ET3cfE/KyZ2welOq8:N+VSCryS7sRE0pnmq/X0EwfE/P28
Size: 756712 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Reimage
Created at: 2012-02-24 21:20:04
Analyzed on: WindowsXPESX SP3 32-bit


Summary:

Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems. What this run actually shows is a Nullsoft (NSIS 2.46.5-Unicode) installer stub for "Reimage Repair" whose manifest requests requireAdministrator: it unpacks the standard NSIS plugin DLLs to %Temp%\nskB5.tmp, writes %WinDir%\Reimage.ini, drops a "Resume Reimage Repair Installation" shortcut on the All Users desktop, and sends a session id to reimageplus.com over plain HTTP with the NSIS_Inetc user agent. The server answered that beacon with "-1"; no exploit, autostart entry or second-stage download was observed, and the bulk of the registry activity is WinINet and CryptoAPI housekeeping. The one static oddity is the version resource, which names NVIDIA Corporation as Company Name while every other field says Reimage.

Payload

No specific payload has been found.

Process activity

The Malware creates the following process(es):

tasklist.exe:1848
tasklist.exe:1312
tasklist.exe:336
tasklist.exe:1784
tasklist.exe:388
tasklist.exe:1508
tasklist.exe:348
mscorsvw.exe:172

tasklist.exe is the built-in Windows task-listing utility; seven launches in one run, together with the nsExec.dll plugin and the IsProcessActive.txt temp file that appear in the strings, are consistent with the installer polling for a running process through nsExec. mscorsvw.exe is the .NET Native Image (NGen) service, which is started by the service control manager and is not part of the sample.

The Malware injects its code into the following process(es):

%original file name%.exe:924

Process 924 is the sample's own process; nothing in this report shows code written into a foreign process.
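The list above records each tasklist.exe launch as if it were a malicious process, but the signal is the parent that keeps launching it. Below is an added example (not part of the Lavasoft report) of that check as detection logic over constructed process-creation events modelled on this run; the event field names, the timestamps and the parent image path c:\ReimageRepair.exe are assumptions, since the report gives only PIDs and %original file name%.exe.

```python
"""Detection check for an installer that repeatedly spawns tasklist.exe.

Added example, not part of the Lavasoft report. Events are constructed to
mirror the report's process list; the field names (ts, pid, ppid, image,
parent_image), the timestamps and the parent image path are assumptions.
"""
from collections import defaultdict


def _ev(ts, pid, ppid, image, parent_image):
    return {"ts": ts, "pid": pid, "ppid": ppid, "image": image, "parent_image": parent_image}


SAMPLE = r"c:\ReimageRepair.exe"                     # assumed path of %original file name%.exe
TASKLIST = r"C:\WINDOWS\system32\tasklist.exe"
NGEN = r"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe"

# Constructed process-creation events (timestamps in seconds from sample start).
EVENTS = [
    _ev(0.0, 924, 1540, SAMPLE, r"C:\WINDOWS\explorer.exe"),
    _ev(2.0, 1848, 924, TASKLIST, SAMPLE),
    _ev(7.0, 1312, 924, TASKLIST, SAMPLE),
    _ev(12.0, 336, 924, TASKLIST, SAMPLE),
    _ev(15.0, 172, 668, NGEN, r"C:\WINDOWS\system32\services.exe"),  # OS background noise
    _ev(17.0, 1784, 924, TASKLIST, SAMPLE),
    _ev(22.0, 388, 924, TASKLIST, SAMPLE),
    _ev(27.0, 1508, 924, TASKLIST, SAMPLE),
    _ev(32.0, 348, 924, TASKLIST, SAMPLE),
    _ev(40.0, 2000, 1900, TASKLIST, r"C:\WINDOWS\system32\cmd.exe"),  # an admin running it once
]


def tasklist_bursts(events, threshold=3, window=60.0):
    """Return {parent_pid: max_count} for parents that start tasklist.exe at
    least `threshold` times inside any `window`-second span."""
    spawns = defaultdict(list)
    for ev in events:
        if ev["image"].lower().endswith("\\tasklist.exe"):
            spawns[ev["ppid"]].append(ev["ts"])
    hits = {}
    for ppid, times in spawns.items():
        times.sort()
        for i, t0 in enumerate(times):
            n = sum(1 for t in times[i:] if t - t0 <= window)  # spawns in [t0, t0 + window]
            if n >= threshold:
                hits[ppid] = max(hits.get(ppid, 0), n)
    return hits


def alerts(events, threshold=3, window=60.0):
    """Render hits as one line per offending parent, naming the parent image
    (the thing to kill or hash), not the tasklist.exe children."""
    image_of = {ev["pid"]: ev["image"] for ev in events}
    return [
        f"pid {ppid} ({image_of.get(ppid, 'unknown image')}) started tasklist.exe "
        f"{n} times within {window:g}s"
        for ppid, n in sorted(tasklist_bursts(events, threshold, window).items())
    ]


if __name__ == "__main__":
    for line in alerts(EVENTS):
        print(line)
```

Tuning note: a threshold of three launches within 60 seconds catches a polling loop like this one while the single tasklist.exe run from an administrator's shell (included in the constructed events) stays below it.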

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:924 makes changes in the file system. The nskB5.tmp directory is where the NSIS stub unpacks its plugin DLLs, and the byte counts in this list are the sandbox's write counts rather than file sizes (an 11-byte System.dll could not be the PE file hashed under "Dropped PE files" below). The "Resume Reimage Repair Installation.lnk" shortcut on the All Users desktop relaunches the installer with /ResumeInstall=1 (the CreateShortCut line in the strings dump shows the full command line); it lets an interrupted install be resumed by hand and is not an autostart entry.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\installer-164x314.bmp (3504 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\nsB7.tmp (6 bytes)
%WinDir%\Reimage.ini (142 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\avg-seal.bmp (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OXIB8PMR\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WPING9EJ\desktop.ini (67 bytes)
%Documents and Settings%\All Users\Desktop\Resume Reimage Repair Installation.lnk (747 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\InstallationPixel.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0TA7GD2R\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\LogEx.dll (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sqlite3.exe (9421 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\WmiInspector.dll (2498 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CXMR09I7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\nsB9.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\Banner.dll (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\nsB8.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\modern-header.bmp (2104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\nsBC.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\nsBB.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\inetc.dll (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\downloader log.txt (49484 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (6220 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\nsBA.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\nsB6.tmp (6 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@reimageplus[2].txt (18163 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@reimageplus[1].txt (13274 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@reimageplus[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\nsB8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\nsB7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\nsBC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\nsBB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\nsB9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspB4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\nsBA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\nsB6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IsProcessActive.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@reimageplus[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\InstallationPixel.txt (0 bytes)

Registry activity

The RNG\Seed values below are rewritten by the Windows CryptoAPI whenever a process draws random bytes, and NGenService\State belongs to the .NET NGen service; both are operating-system side effects logged under the process that triggered them, not changes the sample makes on purpose. The same applies to the Shell Folders and Internet Settings\Cache\Paths values written by process 924, which the shell and WinINet populate on first use. The entries that deserve a look are the zone-map and proxy values at the end of this section.

The process tasklist.exe:1848 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 FC 86 F0 E7 00 46 DE 86 F3 39 0D 84 68 DD BE"

The process tasklist.exe:1312 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 95 49 0B A7 8B 40 48 4B 07 25 F2 3B 9D 86 14"

The process tasklist.exe:336 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D 98 35 38 BE 86 AD 30 4D CE 86 1C 18 C4 CC AB"

The process tasklist.exe:1784 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 8C F1 25 A1 54 2E E2 4D F9 26 CD 65 F1 DC 6F"

The process tasklist.exe:388 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 AB 04 10 83 3E 08 EF 5C A9 D1 41 88 D8 93 DE"

The process tasklist.exe:1508 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D E4 F9 CA 95 42 FE 53 48 7F 72 A8 9C 8E FB CE"

The process tasklist.exe:348 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FD 2A DA 81 79 3E B4 81 E0 E9 A3 FD F1 2D 4F B7"

The process mscorsvw.exe:172 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "1260000"

The process %original file name%.exe:924 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 13 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 61 2E 85 96 18 3F 4E E6 B2 49 3B 03 8C 9B F9"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Malware writes the IE security-zone setting that maps UNC paths (\\server\share) to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

and the setting that maps sites which bypass the proxy server to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware writes the IE security-zone setting that maps dotless host names not assigned to any other zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

A value of 1 for all three ZoneMap flags is the Internet Explorer default, and WinINet rewrites them when a process first uses it (which the inetc plugin does), so on their own these writes are weak evidence of zone tampering. The same holds for "ProxyEnable" = "0" on a machine that never had a proxy configured.

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Together with "MigrateProxy" = "1" above, this matches the proxy-settings migration WinINet performs on first use rather than a deliberate removal of a configured proxy; on a host that did have a proxy or PAC URL set, confirm it is still in place after the installer runs.
Dropped PE files

Most of these are stock NSIS plugin DLLs (System, nsExec, nsDialogs, inetc, registry, UserInfo, Banner) unpacked into the installer's temp directory, so their hashes identify the plugin build rather than anything specific to this sample. LogEx.dll, WmiInspector.dll and sqlite3.exe are not part of the standard NSIS distribution and are the files to examine separately.

MD5 File path
e264d0f91103758bc5b088e8547e0ec1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nskB5.tmp\Banner.dll
0f96d9eb959ad4e8fd205e6d58cf01b8 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nskB5.tmp\LogEx.dll
bf712f32249029466fa86756f5546950 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nskB5.tmp\System.dll
c7ce0e47c83525983fd2c4c9566b4aad c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nskB5.tmp\UserInfo.dll
1a0b4ff3847dc729ed2ee669c8ac0519 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nskB5.tmp\WmiInspector.dll
5da9df435ff20853a2c45026e7681cef c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nskB5.tmp\inetc.dll
4ccc4a742d4423f2f0ed744fd9c81f63 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nskB5.tmp\nsDialogs.dll
132e6153717a7f9710dcea4536f364cd c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nskB5.tmp\nsExec.dll
2b7007ed0262ca02ef69d8990815cbeb c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nskB5.tmp\registry.dll
91cdcea4be94624e198d3012f5442584 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\sqlite3.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

The version resource is internally inconsistent: Company Name says NVIDIA Corporation while Product Name, Legal Copyright and Original Filename all say Reimage, and the file header above reports the company as Reimage. VersionInfo is free text, so treat the mismatch as a triage flag, not as evidence of who built the file.

Company Name: NVIDIA Corporation
Product Name: Reimage Repair
Product Version: 1.501
Legal Copyright: (c) Reimage 2014
Legal Trademarks:
Original Filename: ReimageRepair.exe
Internal Name: Reimage Repair
File Version: 1.501
File Description: Reimage Downloader
Comments: Reimage Downloader
Language: English (United States)

PE Sections

The .ndata section (2.5 MB virtual size, zero raw size) is the NSIS stub's uninitialized data area; the installer's compressed payload is not inside any section but appended after the image as an overlay. That overlay is what produces the "Packed" entropy verdict and the UPolyX PEiD match in the header, a signature that NSIS-built executables commonly trigger; neither indicates a runtime packer applied to the stub.

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 29324 29696 4.50526 419d4e1be1ac35a5db9c47f553b27cea
.rdata 36864 11118 11264 3.11773 cca1ca3fbf99570f6de9b43ce767f368
.data 49152 469916 512 1.25109 77f0839f8ebea31040e462523e1c770e
.ndata 520192 2527232 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 3047424 23328 23552 2.67292 4fea29d6f9c2f83c0291639385a4abc7
.reloc 3072000 4054 4096 2.80877 e063636159726c3015651e655429f7b7
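The "Packed" entropy verdict and the UPolyX PEiD match in the header, the section table above, and the requireAdministrator manifest that appears in the strings dump further down all follow from how NSIS lays out a stub. The following added example (not code from the Lavasoft report or from NSIS) locates the NSIS firstheader at the start of the overlay, measures the overlay's entropy and reads the manifest's execution level from raw bytes. The firstheader layout (flags, 0xDEADBEEF, "NullsoftInst", header length, length of following data) is taken from NSIS's Source/exehead/fileform.h; the input bytes are constructed in build_constructed_sample and are not the analysed file. Run it on a real installer by passing the file path as the first argument.

```python
"""Static triage of an NSIS installer from its raw bytes.

Added example, not part of the Lavasoft report and not NSIS code. The
firstheader layout follows NSIS's Source/exehead/fileform.h; the sample
bytes produced by build_constructed_sample are constructed, not the
analysed file.
"""
import math
import random
import re
import struct
import sys

NSIS_MAGIC = b"\xEF\xBE\xAD\xDENullsoftInst"      # 0xDEADBEEF little-endian + "NullsoftInst"
FIRSTHEADER = struct.Struct("<I4s12sII")          # flags, siginfo, nsinst[3], length_of_header, length_of_all_following_data
FH_FLAGS = {1: "UNINSTALL", 2: "SILENT", 4: "NO_CRC", 8: "FORCE_CRC"}  # FH_FLAGS_* in fileform.h
MANIFEST_RE = re.compile(rb'requestedExecutionLevel\s+level="([^"]+)"')


def shannon_entropy(buf):
    """Bits per byte: 0.0 for empty input, close to 8.0 for compressed or random data."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_nsis_firstheader(data):
    """Return the parsed firstheader, or None if the magic is absent."""
    pos = data.find(NSIS_MAGIC)
    if pos < 4 or pos - 4 + FIRSTHEADER.size > len(data):  # the 4-byte flags field precedes the magic
        return None
    flags, _sig, _nsinst, header_len, total_len = FIRSTHEADER.unpack_from(data, pos - 4)
    return {
        "offset": pos - 4,
        "flags": flags,
        "flag_names": [name for bit, name in FH_FLAGS.items() if flags & bit],
        "header_len": header_len,
        "total_len": total_len,
    }


def triage(data):
    """Summarise what a triager wants to know before unpacking the installer."""
    fh = find_nsis_firstheader(data)
    m = MANIFEST_RE.search(data)
    result = {
        "nsis": fh is not None,
        "nsis_exehead": b"Nullsoft.NSIS.exehead" in data,  # assembly name in the stub's manifest
        "execution_level": m.group(1).decode("ascii", "replace") if m else None,
        "firstheader": fh,
    }
    if fh:
        # Everything from the firstheader to end of file is the overlay; this is
        # the high-entropy region that makes entropy-based "packed" verdicts fire.
        result["overlay_entropy"] = round(shannon_entropy(data[fh["offset"]:]), 2)
    return result


def build_constructed_sample(payload_len=4096, flags=4):
    """Constructed stand-in for an NSIS stub: a low-entropy image carrying the
    manifest, padded to 512 bytes, then a firstheader and pseudo-random payload."""
    manifest = (b'<description>Nullsoft Install System v2.46.5-Unicode</description>'
                b'<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>')
    image = b"MZ" + b"\x00" * 62 + b"Nullsoft.NSIS.exehead\x00" + manifest
    image += b"\x00" * (-len(image) % 512)
    rnd = random.Random(1)  # fixed seed so the result is reproducible
    payload = bytes(rnd.getrandbits(8) for _ in range(payload_len))
    fh = FIRSTHEADER.pack(flags, b"\xEF\xBE\xAD\xDE", b"NullsoftInst", 0x100, FIRSTHEADER.size + payload_len)
    return image + fh + payload


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_constructed_sample()
    print(triage(blob))
```

The execution level is the field to check first: an installer that carries requireAdministrator in its manifest, as this one does, runs the whole NSIS script and every plugin it unpacks with full rights.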

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
da444e4e572cde6f73825e1e8206e466

URLs

URL IP
hxxp://reimageplus.com/includes/install_start.php?trackid=&tracking=&campaign=&minorsessionid=c5346c074f914d8ca138477a7e&sessionid=b3fa4b68-e12d-4305-bf31-09ac67f2b56c
hxxp://www.reimageplus.com/includes/install_start.php?trackid=&tracking=&campaign=&minorsessionid=c5346c074f914d8ca138477a7e&sessionid=b3fa4b68-e12d-4305-bf31-09ac67f2b56c 198.61.250.104


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /includes/install_start.php?trackid=&tracking=&campaign=&minorsessionid=a7458dcb3096479fb19ceeebe2&sessionid=2a1febea-e521-45c7-889c-2ee9f9a90f97 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.reimageplus.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: Apache/2.2.15 (CentOS)
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Tue, 28 Oct 2014 12:54:25 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Set-Cookie: X-Mapping-fjhppofk=6E8587D3C0354C5AB165B41779D30F86; path=/
Set-Cookie: PHPSESSID=7hh6i5me4ofgcov6fqmpet91n3; path=/
Set-Cookie: _refcook=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Set-Cookie: _source=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Set-Cookie: _refcook=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Set-Cookie: _source=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Set-Cookie: _trackid=121023162; expires=Sat, 13-Dec-2014 08:22:20 GMT; path=/; domain=reimageplus.com
Set-Cookie: _trackid_121023162=121023162; expires=Sat, 13-Dec-2014 08:22:20 GMT; path=/; domain=reimageplus.com
Set-Cookie: _tracking=PiyushSites; expires=Sat, 13-Dec-2014 08:22:20 GMT; path=/; domain=reimageplus.com
Set-Cookie: _tracking_PiyushSites=PiyushSites; expires=Sat, 13-Dec-2014 08:22:20 GMT; path=/; domain=reimageplus.com
Set-Cookie: _campaign=sandeep-reimage; expires=Sat, 13-Dec-2014 08:22:20 GMT; path=/; domain=reimageplus.com
Set-Cookie: _campaign_sandeep-reimage=sandeep-reimage; expires=Sat, 13-Dec-2014 08:22:20 GMT; path=/; domain=reimageplus.com
Set-Cookie: _adgroup=direct; expires=Sat, 13-Dec-2014 08:22:20 GMT; path=/; domain=reimageplus.com
Set-Cookie: _adgroup_direct=direct; expires=Sat, 13-Dec-2014 08:22:20 GMT; path=/; domain=reimageplus.com
Set-Cookie: _keyword=direct; expires=Sat, 13-Dec-2014 08:22:20 GMT; path=/; domain=reimageplus.com
Set-Cookie: _keyword_direct=direct; expires=Sat, 13-Dec-2014 08:22:20 GMT; path=/; domain=reimageplus.com
Set-Cookie: _ads=direct; expires=Sat, 13-Dec-2014 08:22:20 GMT; path=/; domain=reimageplus.com
Set-Cookie: _ads_direct=direct; expires=Sat, 13-Dec-2014 08:22:20 GMT; path=/; domain=reimageplus.com
Set-Cookie: _browser=Python-urllib; expires=Sat, 13-Dec-2014 08:22:20 GMT; path=/; domain=reimageplus.com
Set-Cookie: _browser_Python-urllib=Python-urllib; expires=Sat, 13-Dec-2014 08:22:20 GMT; path=/; domain=reimageplus.com
Set-Cookie: _country=Canada; expires=Sat, 13-Dec-2014 08:22:20 GMT; path=/; domain=reimageplus.com
Set-Cookie: _country_Canada=Canada; expires=Sat, 13-Dec-2014 08:22:20 GMT; path=/; domain=reimageplus.com
Content-Length: 2
-1..

<<< skipped >>>

GET /includes/install_start.php?trackid=&tracking=&campaign=&minorsessionid=c5346c074f914d8ca138477a7e&sessionid=b3fa4b68-e12d-4305-bf31-09ac67f2b56c HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.reimageplus.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: Apache/2.2.15 (CentOS)
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Tue, 28 Oct 2014 12:54:25 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Set-Cookie: X-Mapping-fjhppofk=16E57E367C346D63F7C6366081F3F593; path=/
Set-Cookie: PHPSESSID=dm0jgosb09s7slf33fg9epmot5; path=/
Set-Cookie: _refcook=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Set-Cookie: _source=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Set-Cookie: _refcook=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Set-Cookie: _source=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Set-Cookie: _trackid=121023162; expires=Sat, 13-Dec-2014 08:22:20 GMT; path=/; domain=reimageplus.com
Set-Cookie: _trackid_121023162=121023162; expires=Sat, 13-Dec-2014 08:22:20 GMT; path=/; domain=reimageplus.com
Set-Cookie: _tracking=PiyushSites; expires=Sat, 13-Dec-2014 08:22:20 GMT; path=/; domain=reimageplus.com
Set-Cookie: _tracking_PiyushSites=PiyushSites; expires=Sat, 13-Dec-2014 08:22:20 GMT; path=/; domain=reimageplus.com
Set-Cookie: _campaign=sandeep-reimage; expires=Sat, 13-Dec-2014 08:22:20 GMT; path=/; domain=reimageplus.com
Set-Cookie: _campaign_sandeep-reimage=sandeep-reimage; expires=Sat, 13-Dec-2014 08:22:20 GMT; path=/; domain=reimageplus.com
Set-Cookie: _adgroup=direct; expires=Sat, 13-Dec-2014 08:22:20 GMT; path=/; domain=reimageplus.com
Set-Cookie: _adgroup_direct=direct; expires=Sat, 13-Dec-2014 08:22:20 GMT; path=/; domain=reimageplus.com
Set-Cookie: _keyword=direct; expires=Sat, 13-Dec-2014 08:22:20 GMT; path=/; domain=reimageplus.com
Set-Cookie: _keyword_direct=direct; expires=Sat, 13-Dec-2014 08:22:20 GMT; path=/; domain=reimageplus.com
Set-Cookie: _ads=direct; expires=Sat, 13-Dec-2014 08:22:20 GMT; path=/; domain=reimageplus.com
Set-Cookie: _ads_d

<<< skipped >>>
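The two exchanges above are the only network activity in the run: the installer reports two session ids with empty attribution fields, and the server answers "-1" plus a set of affiliate-tracking cookies. Below is an added example (not from the Lavasoft report) that parses such a capture and reduces it to the fields worth putting in a hunt query. CAPTURE is trimmed from the report's own traffic with the host left in its defanged VVV. form; the parser and the IOC field names are this example's own. Note that the server labels the client Python-urllib in its _browser cookie even though the request carried the NSIS_Inetc user agent, so server-set attribution records the server's bookkeeping, not the client.

```python
"""Extract indicators from a captured installer beacon.

Added example, not part of the Lavasoft report. CAPTURE is trimmed from the
report's own request/response (host kept in its defanged 'VVV.' form); the
parser and the IOC field names are this example's own, not a standard.
"""
from urllib.parse import parse_qs, urlsplit

CAPTURE = """\
GET /includes/install_start.php?trackid=&tracking=&campaign=&minorsessionid=c5346c074f914d8ca138477a7e&sessionid=b3fa4b68-e12d-4305-bf31-09ac67f2b56c HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.reimageplus.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: Apache/2.2.15 (CentOS)
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=dm0jgosb09s7slf33fg9epmot5; path=/
Set-Cookie: _refcook=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Set-Cookie: _trackid=121023162; expires=Sat, 13-Dec-2014 08:22:20 GMT; path=/; domain=reimageplus.com
Set-Cookie: _trackid_121023162=121023162; expires=Sat, 13-Dec-2014 08:22:20 GMT; path=/; domain=reimageplus.com
Set-Cookie: _campaign=sandeep-reimage; expires=Sat, 13-Dec-2014 08:22:20 GMT; path=/; domain=reimageplus.com
Set-Cookie: _browser=Python-urllib; expires=Sat, 13-Dec-2014 08:22:20 GMT; path=/; domain=reimageplus.com
Content-Length: 2
-1
"""


def _parse_message(text):
    """Split one HTTP message into (start line, [(name, value)], body).
    Sandbox dumps sometimes drop the blank line before the body (as above),
    so a line without ':' also ends the header block."""
    lines = text.strip("\n").split("\n")
    headers, body = [], ""
    for i, line in enumerate(lines[1:], 1):
        if line == "":
            body = "\n".join(lines[i + 1:])
            break
        name, sep, value = line.partition(":")
        if not sep:
            body = "\n".join(lines[i:])
            break
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body.strip()


def parse_http_exchange(raw):
    """Parse a request/response pair as the sandbox prints it."""
    req_text, _, resp_text = raw.partition("\n\n")
    req_line, req_headers, _ = _parse_message(req_text)
    status_line, resp_headers, body = _parse_message(resp_text)
    method, target, _version = req_line.split(" ", 2)
    url = urlsplit(target)
    req = dict(req_headers)
    cookies = {}
    for name, value in resp_headers:
        if name == "set-cookie":
            k, _, v = value.split(";", 1)[0].partition("=")
            cookies[k.strip()] = v
    return {
        "method": method,
        "host": req.get("host"),
        "path": url.path,
        "query": {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()},
        "user_agent": req.get("user-agent"),
        "status": status_line.split(" ", 2)[1],
        "set_cookies": cookies,
        "body": body,
    }


def beacon_iocs(ex):
    """What goes into a hunt query: the NSIS inetc user agent, the endpoint,
    the client-made session ids, and the affiliate attribution the server set.
    The server mirrors each tracking cookie as NAME_VALUE=VALUE; those copies
    are dropped, as are cookies being cleared ('deleted')."""
    attribution = {
        k: v for k, v in ex["set_cookies"].items()
        if k.startswith("_") and v != "deleted" and not k.endswith("_" + v)
    }
    ua = ex["user_agent"] or ""
    return {
        "installer_ua": ua.startswith("NSIS_Inetc"),
        "endpoint": f'{ex["host"]}{ex["path"]}',
        "session_ids": {k: ex["query"][k] for k in ("sessionid", "minorsessionid") if ex["query"].get(k)},
        "empty_attribution": [k for k in ("trackid", "tracking", "campaign") if ex["query"].get(k, "") == ""],
        "server_attribution": attribution,
        "response_body": ex["body"],
    }


if __name__ == "__main__":
    print(beacon_iocs(parse_http_exchange(CAPTURE)))
```

The "NSIS_Inetc (Mozilla)" user agent is set by the inetc plugin itself, so it is a cheap way to spot installer telemetry in proxy logs regardless of which product embedded the plugin.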

The Malware connects to the servers at the following location(s): see the URLs section above (reimageplus.com, 198.61.250.104).

Strings from dumps

%original file name%.exe_924:

.text
`.rdata
@.data
.ndata
.rsrc
@.reloc
RegDeleteKeyExW
Kernel32.DLL
PSAPI.DLL
%s=%s
GetWindowsDirectoryW
KERNEL32.dll
ExitWindowsEx
GetAsyncKeyState
USER32.dll
GDI32.dll
SHFileOperationW
ShellExecuteW
SHELL32.dll
RegDeleteKeyW
RegCloseKey
RegEnumKeyW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
w:\AB
GetProcessHeap
COMDLG32.dll
nsDialogs.dll
c'%U~
RXd.bn
}%cL5n
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46.5-Unicode</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
logging set to %d
settings logging to %d
created uninstaller: %d, "%s"
WriteReg: error creating key "%s\%s"
WriteReg: error writing into "%s\%s" "%s"
WriteRegBin: "%s\%s" "%s"="%s"
WriteRegDWORD: "%s\%s" "%s"="0xx"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegStr: "%s\%s" "%s"="%s"
DeleteRegKey: "%s\%s"
DeleteRegValue: "%s\%s" "%s"
WriteINIStr: wrote [%s] %s=%s in %s
CopyFiles "%s"->"%s"
CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
Error registering DLL: Could not load %s
Error registering DLL: %s not found in %s
GetTTFFontName(%s) returned %s
GetTTFVersionString(%s) returned %s
Exec: failed createprocess ("%s")
Exec: success ("%s")
Exec: command="%s"
ExecShell: success ("%s": file:"%s" params:"%s")
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
Exch: stack < %d elements
RMDir: "%s"
MessageBox: %d,"%s"
Delete: "%s"
File: wrote %d to "%s"
File: skipped: "%s" (overwriteflag=%d)
File: error creating "%s"
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
Rename failed: %s
Rename on reboot: %s
Rename: %s
IfFileExists: file "%s" does not exist, jumping %d
IfFileExists: file "%s" exists, jumping %d
CreateDirectory: "%s" created
CreateDirectory: can't create "%s" - a file already exists
CreateDirectory: can't create "%s" (err=%d)
CreateDirectory: "%s" (%d)
SetFileAttributes: "%s":X
Sleep(%d)
detailprint: %s
Call: %d
Aborting: "%s"
Jump: %d
verifying installer: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
install.log
%u.%u%s%s
Skipping section: "%s"
Section: "%s"
New install of "%s" to "%s"
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
*?|<>/":
invalid registry key
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
x%c
RMDir: RemoveDirectory failed("%s")
RMDir: RemoveDirectory on Reboot("%s")
RMDir: RemoveDirectory("%s")
RMDir: RemoveDirectory invalid input("%s")
Delete: DeleteFile failed("%s")
Delete: DeleteFile on Reboot("%s")
Delete: DeleteFile("%s")
%s: failed opening file "%s"
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nskB5.tmp\nsDialogs.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nskB5.tmp\nsDialogs.dll
mage Repair Installation.lnk
InstallationPixelStart.txt
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nskB5.tmp
onPixelStart.txt
All Files|*.*
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IsProcessActive.txt
IsProcessActive.txt
ISPROC~1.TXT
File: skipped: "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nskB5.tmp\nsDialogs.dll" (overwriteflag=1)
p\nsDialogs.dll"
in: "c:\%original file name%.exe /ResumeInstall=1 /Language=1033 /AStatus=ENABLED /USStatus=ENABLED /pxkp=Delete", icon: ,0, sw=0, hk=0
sActive.txt
074f914d8ca138477a7e&sessionid=b3fa4b68-e12d-4305-bf31-09ac67f2b56c
1114398
eimageplus.com/includes/install_start.php
-1895496581
lus[2].txt
-2079719026
8-e12d-4305-bf31-09ac67f2b56c
18458940
1884168
E~1\"%CurrentUserName%"\LOCALS~1\Temp\IsProcessActive.txt
0414509
c:\%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nspB4.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
151650802
reimageplus.com
1418458940
2AA04D56-46AD-69BB-3CD6-2089F35DCBC0
WINDOWS
5.0.1
b3fa4b68-e12d-4305-bf31-09ac67f2b56c
1442034
1442022
ReimageRepair.exe

%original file name%.exe_1180:

.text
`.rdata
@.data
.ndata
.rsrc
@.reloc
RegDeleteKeyExW
Kernel32.DLL
PSAPI.DLL
%s=%s
GetWindowsDirectoryW
KERNEL32.dll
ExitWindowsEx
GetAsyncKeyState
USER32.dll
GDI32.dll
SHFileOperationW
ShellExecuteW
SHELL32.dll
RegDeleteKeyW
RegCloseKey
RegEnumKeyW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
w:\AB
GetProcessHeap
COMDLG32.dll
nsDialogs.dll
c'%U~
RXd.bn
}%cL5n
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46.5-Unicode</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
logging set to %d
settings logging to %d
created uninstaller: %d, "%s"
WriteReg: error creating key "%s\%s"
WriteReg: error writing into "%s\%s" "%s"
WriteRegBin: "%s\%s" "%s"="%s"
WriteRegDWORD: "%s\%s" "%s"="0xx"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegStr: "%s\%s" "%s"="%s"
DeleteRegKey: "%s\%s"
DeleteRegValue: "%s\%s" "%s"
WriteINIStr: wrote [%s] %s=%s in %s
CopyFiles "%s"->"%s"
CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
Error registering DLL: Could not load %s
Error registering DLL: %s not found in %s
GetTTFFontName(%s) returned %s
GetTTFVersionString(%s) returned %s
Exec: failed createprocess ("%s")
Exec: success ("%s")
Exec: command="%s"
ExecShell: success ("%s": file:"%s" params:"%s")
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
Exch: stack < %d elements
RMDir: "%s"
MessageBox: %d,"%s"
Delete: "%s"
File: wrote %d to "%s"
File: skipped: "%s" (overwriteflag=%d)
File: error creating "%s"
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
Rename failed: %s
Rename on reboot: %s
Rename: %s
IfFileExists: file "%s" does not exist, jumping %d
IfFileExists: file "%s" exists, jumping %d
CreateDirectory: "%s" created
CreateDirectory: can't create "%s" - a file already exists
CreateDirectory: can't create "%s" (err=%d)
CreateDirectory: "%s" (%d)
SetFileAttributes: "%s":X
Sleep(%d)
detailprint: %s
Call: %d
Aborting: "%s"
Jump: %d
verifying installer: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
install.log
%u.%u%s%s
Skipping section: "%s"
Section: "%s"
New install of "%s" to "%s"
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
*?|<>/":
invalid registry key
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
x%c
RMDir: RemoveDirectory failed("%s")
RMDir: RemoveDirectory on Reboot("%s")
RMDir: RemoveDirectory("%s")
RMDir: RemoveDirectory invalid input("%s")
Delete: DeleteFile failed("%s")
Delete: DeleteFile on Reboot("%s")
Delete: DeleteFile("%s")
%s: failed opening file "%s"
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx40.tmp\nsDialogs.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx40.tmp\nsDialogs.dll
mage Repair Installation.lnk
InstallationPixelStart.txt
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx40.tmp
onPixelStart.txt
All Files|*.*
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IsProcessActive.txt
IsProcessActive.txt
ISPROC~1.TXT
File: skipped: "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx40.tmp\nsDialogs.dll" (overwriteflag=1)
p\nsDialogs.dll"
in: "c:\%original file name%.exe /ResumeInstall=1 /Language=1033 /AStatus=ENABLED /USStatus=ENABLED /pxkp=Delete", icon: ,0, sw=0, hk=0
sActive.txt
cb3096479fb19ceeebe2&sessionid=2a1febea-e521-45c7-889c-2ee9f9a90f97
1507532
eimageplus.com/includes/install_start.php
855966206
lus[2].txt
-1626733418
a-e521-45c7-889c-2ee9f9a90f97
18458940
1704236
1884168
E~1\"%CurrentUserName%"\LOCALS~1\Temp\IsProcessActive.txt
0414509
c:\%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsm3F.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
940180545
reimageplus.com
1418458940
16B44D56-287E-D250-3BBE-A5B6DAD6C59B
WINDOWS
5.0.1
2a1febea-e521-45c7-889c-2ee9f9a90f97
2097368
1507496
2097480
1048814
1966308
ReimageRepair.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:924 (ReimageRepair.exe)

    The other processes the sandbox recorded are Windows components, not the sample, and need no action: tasklist.exe (started by the installer, exits on its own) and mscorsvw.exe (the .NET Native Image service).

  2. Delete the original Malware file.
  3. Delete or disinfect the following files created/modified by the Malware (the desktop.ini and index.dat entries are Internet Explorer cache and cookie housekeeping files that WinINet creates; leave them to step 4):

    %Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\installer-164x314.bmp (3504 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\nsB7.tmp (6 bytes)
    %WinDir%\Reimage.ini (142 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\avg-seal.bmp (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OXIB8PMR\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\registry.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WPING9EJ\desktop.ini (67 bytes)
    %Documents and Settings%\All Users\Desktop\Resume Reimage Repair Installation.lnk (747 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\InstallationPixel.txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0TA7GD2R\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\nsExec.dll (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\LogEx.dll (1568 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\UserInfo.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\sqlite3.exe (9421 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\WmiInspector.dll (2498 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CXMR09I7\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\nsB9.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\nsDialogs.dll (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\Banner.dll (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\nsB8.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\modern-header.bmp (2104 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\nsBC.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\nsBB.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\inetc.dll (32 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\downloader log.txt (49484 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (6220 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\nsBA.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp\nsB6.tmp (6 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@reimageplus[2].txt (18163 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@reimageplus[1].txt (13274 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
