Sunday, January 25, 2009

ImIServer.IEPlugin Adware

Removing ImIServer.IEPlugin
Categories: Adware,BHO,Toolbar,Downloader
Adware is software that delivers advertising content to the user and, in some cases, gathers information from the user's computer.

A BHO (Browser Helper Object) is a COM DLL that Internet Explorer loads into its own process at startup for each CLSID registered under the Browser Helper Objects key (the CLSID {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} listed below is this one), so it sees every page rendered and every form submitted. This BHO waits for the user to post personal information to a monitored website; as the information is entered, the BHO captures it and sends it back to the attacker.

The toolbar presents itself as a helpful add-on for Internet Explorer but is a real pest.

The downloader belongs to a family of Trojans that download and install new malware or adware on the computer. The downloader then either launches the new malware or registers it to run automatically at startup, in whatever way the local operating system requires. The names and locations of the malware to be downloaded are either hard-coded into the Trojan or fetched from a specified website.
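To see which BHOs and toolbars a machine actually loads, and which DLL each one resolves to, here is an added PowerShell example (not code from the original page). It walks the Browser Helper Objects and Toolbar registry keys, follows each CLSID to its InprocServer32 default value exactly as COM does when IE instantiates the object, and reports the DLL path and its Authenticode status. The Wow6432Node paths and the use of signature status as a triage signal are the example's assumptions; the page itself only lists the keys.

```powershell
# Added example, not code from the original page: list the BHOs and toolbars that
# Internet Explorer will load and resolve each CLSID to its DLL the way COM does.
# ImIServer.IEPlugin registers its BHO as {69135BDE-5FDC-4B61-98AA-82AD2091BCCC};
# a CLSID you did not install, or a DLL that is unsigned or lives in %WINDIR%
# or a temp folder, is what to look at first.  Wow6432Node paths are assumed for
# 32-bit add-ons on 64-bit Windows.

function Resolve-ClsidServer([string]$Clsid) {
    # HKCR is a merged view of HKCU\SOFTWARE\Classes over HKLM\SOFTWARE\Classes;
    # a per-user registration wins, so check it first.
    $roots = 'HKCU:\SOFTWARE\Classes\CLSID',
             'HKLM:\SOFTWARE\Classes\CLSID',
             'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
    foreach ($root in $roots) {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $key) {
            $server = (Get-Item -LiteralPath $key).GetValue('')    # default value = DLL path
            if ($server) { return [Environment]::ExpandEnvironmentVariables($server).Trim('"') }
        }
    }
    return $null
}

function Get-IEBrowserExtension {
    $sources = @(
        @{ Kind = 'BHO';     Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' }
        @{ Kind = 'BHO';     Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' }
        @{ Kind = 'Toolbar'; Path = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar' }
        @{ Kind = 'Toolbar'; Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar' }
    )
    $guid = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

    foreach ($src in $sources) {
        if (-not (Test-Path -LiteralPath $src.Path)) { continue }
        $item = Get-Item -LiteralPath $src.Path

        # BHOs: one subkey per CLSID.  Toolbars: one value per CLSID, data = display name.
        $clsids = if ($src.Kind -eq 'BHO') { $item.GetSubKeyNames() } else { $item.GetValueNames() }

        foreach ($clsid in ($clsids | Where-Object { $_ -match $guid })) {
            $dll = Resolve-ClsidServer $clsid
            $status = 'NoInprocServer32'
            if ($dll) {
                $status = if (Test-Path -LiteralPath $dll) { (Get-AuthenticodeSignature -LiteralPath $dll).Status } else { 'FileMissing' }
            }
            [pscustomobject]@{
                Kind      = $src.Kind
                CLSID     = $clsid
                Dll       = $dll
                Signature = $status
            }
        }
    }
}

Get-IEBrowserExtension | Sort-Object Kind, Signature | Format-Table -AutoSize
```

Run it from an ordinary (non-elevated) PowerShell prompt; all of the keys it reads are world-readable. A row whose CLSID matches the one registered by this adware, or whose DLL is missing or unsigned, is the one to investigate.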

ImIServer.IEPlugin is also known as:

[Kaspersky]TrojanDownloader.Win32.OneClickNetSearch.b,Trojan-Downloader.Win32.OneClickNetSearch.h;
[Panda]Adware/ClickTrack,Adware/IEPlugin,Adware/Imibar,Trj/Imiserv.B;
[Computer Associates]Win32.Imiserv.C,Win32.Imiserv.D,Win32.Imiserv.I,Win32/Imiserv.C!Trojan,Win32/Imiserv.C.DLL!Trojan,Win32/Imiserv.DLL!Trojan,Win32/Imiserv.I!Trojan

Visible Symptoms:
Files in system folders:
[%PROGRAM_FILES%]\Network Monitor\netmon.exe
[%PROGRAM_FILES%]\Network Monitor\netmon.exe~
[%WINDOWS%]\dsr.dll
[%WINDOWS%]\dsr.exe
[%WINDOWS%]\extract.exe
[%WINDOWS%]\ieunst.exe
[%WINDOWS%]\rgrt.exe
[%WINDOWS%]\systb.dll
[%WINDOWS%]\systb.dll_
[%WINDOWS%]\systb.dll_tobedeleted
[%WINDOWS%]\systb.exe
[%WINDOWS%]\ts.exe
[%WINDOWS%]\uninstall_nmon.vbs
[%WINDOWS%]\wupdt.exe
[%PROFILE_TEMP%]\thi1ce1.tmp\wupdt.exe
[%WINDOWS%]\temp\wupdt.exe
[%WINDOWS%]\vvpvww.dat

How to detect ImIServer.IEPlugin:

Files:
[%PROGRAM_FILES%]\Network Monitor\netmon.exe
[%PROGRAM_FILES%]\Network Monitor\netmon.exe~
[%WINDOWS%]\dsr.dll
[%WINDOWS%]\dsr.exe
[%WINDOWS%]\extract.exe
[%WINDOWS%]\ieunst.exe
[%WINDOWS%]\rgrt.exe
[%WINDOWS%]\systb.dll
[%WINDOWS%]\systb.dll_
[%WINDOWS%]\systb.dll_tobedeleted
[%WINDOWS%]\systb.exe
[%WINDOWS%]\ts.exe
[%WINDOWS%]\uninstall_nmon.vbs
[%WINDOWS%]\wupdt.exe
[%PROFILE_TEMP%]\thi1ce1.tmp\wupdt.exe
[%WINDOWS%]\temp\wupdt.exe
[%WINDOWS%]\vvpvww.dat

Folders:
[%DESKTOP%]\desktop toolbar
[%PROGRAM_FILES_COMMON%]\zumr
[%WINDOWS%]\zumr

Registry Keys:
HKEY_CLASSES_ROOT\CLSID\{69135BDE-5FDC-4B61-98AA-82AD2091BCCC}
HKEY_CLASSES_ROOT\IMIToolbar.imiTool
HKEY_CLASSES_ROOT\IMIToolbar.imiTool.1
HKEY_CLASSES_ROOT\Interface\{3E589169-86AD-44FE-B426-F0BF105D5582}
HKEY_CLASSES_ROOT\Interface\{E4458B4A-6149-4450-84F2-864ADB7E8C52}
HKEY_CLASSES_ROOT\Interface\{F9B9C9A3-9D2D-423D-ABA5-80D83A915023}
HKEY_CLASSES_ROOT\TypeLib\{57ADD57B-173E-418A-8F70-17E5C9F2BCC9}
HKEY_CLASSES_ROOT\Typelib\{58D419E8-1321-4DD2-A6FC-7B41C14DCD79}
HKEY_CLASSES_ROOT\Wbho.Band
HKEY_CLASSES_ROOT\Wbho.Band.1
HKEY_CURRENT_USER\Software\intexp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{556DDE35-E955-11D0-A707-000000521958}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69135BDE-5FDC-4B61-98AA-82AD2091BCCC}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3}

Registry Values:
The adware writes values under the following keys (the value name and data are recorded only for the Run entry and the uninstall string):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, hxr93f3e=rundll32.exe w38a581b.dll
HKEY_CLASSES_ROOT\CLSID\{DABC6F13-64FD-4F33-9D3B-948D31C87A64}\InprocServer32
HKEY_LOCAL_MACHINE\36
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Toolbar - Intelligent Explorer, UninstallString=rundll32 url.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Policies
HKEY_LOCAL_MACHINE\SOFTWARE\zumr
HKEY_LOCAL_MACHINE\SOFTWARE\zumr\update
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Monitor
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum
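A host sweep for the indicators above, as an added example that is not from the original page or from the product it recommends. It expands the [%...%] placeholders to this host's directories, tests a subset of the listed registry keys in both the native and Wow6432Node views, checks for the Run value the page records, and reports what is present together with the SHA-256 of any file found, without deleting anything. The placeholder mapping and the Wow6432Node variants are assumptions about the host, not something the page states; extend the key list as needed. It needs PowerShell 4 or later for Get-FileHash.

```powershell
# Added example, not code from the original page: report which ImIServer.IEPlugin
# indicators are present on this host.  It deletes nothing.
# Assumptions: the page's [%...%] placeholders map as in $bases; 32-bit registrations
# on 64-bit Windows are reflected under Wow6432Node.  Run it as the affected user,
# since [%PROFILE_TEMP%] and [%DESKTOP%] are per-user locations.

$paths = @'
[%PROGRAM_FILES%]\Network Monitor\netmon.exe
[%PROGRAM_FILES%]\Network Monitor\netmon.exe~
[%WINDOWS%]\dsr.dll
[%WINDOWS%]\dsr.exe
[%WINDOWS%]\extract.exe
[%WINDOWS%]\ieunst.exe
[%WINDOWS%]\rgrt.exe
[%WINDOWS%]\systb.dll
[%WINDOWS%]\systb.dll_
[%WINDOWS%]\systb.dll_tobedeleted
[%WINDOWS%]\systb.exe
[%WINDOWS%]\ts.exe
[%WINDOWS%]\uninstall_nmon.vbs
[%WINDOWS%]\wupdt.exe
[%PROFILE_TEMP%]\thi1ce1.tmp\wupdt.exe
[%WINDOWS%]\temp\wupdt.exe
[%WINDOWS%]\vvpvww.dat
[%DESKTOP%]\desktop toolbar
[%PROGRAM_FILES_COMMON%]\zumr
[%WINDOWS%]\zumr
'@ -split "`r?`n" | Where-Object { $_ }

$keys = @'
HKEY_CLASSES_ROOT\CLSID\{69135BDE-5FDC-4B61-98AA-82AD2091BCCC}
HKEY_CLASSES_ROOT\CLSID\{DABC6F13-64FD-4F33-9D3B-948D31C87A64}
HKEY_CLASSES_ROOT\IMIToolbar.imiTool
HKEY_CLASSES_ROOT\Wbho.Band
HKEY_CURRENT_USER\Software\intexp
HKEY_LOCAL_MACHINE\SOFTWARE\zumr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69135BDE-5FDC-4B61-98AA-82AD2091BCCC}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Toolbar - Intelligent Explorer
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Monitor
'@ -split "`r?`n" | Where-Object { $_ }

# Placeholder -> base directories on this host (a token may expand to more than one).
$bases = @{
    '[%PROGRAM_FILES%]'        = @($env:ProgramFiles, ${env:ProgramFiles(x86)})
    '[%PROGRAM_FILES_COMMON%]' = @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)})
    '[%WINDOWS%]'              = @($env:windir)
    '[%PROFILE_TEMP%]'         = @($env:TEMP)
    '[%DESKTOP%]'              = @([Environment]::GetFolderPath('Desktop'))
}

function Expand-IocPath([string]$Path) {
    foreach ($token in $bases.Keys) {
        if ($Path.StartsWith($token)) {
            foreach ($base in $bases[$token]) { if ($base) { $Path.Replace($token, $base) } }
            return
        }
    }
    $Path
}

function Get-KeyVariants([string]$Key) {
    $Key
    # 32-bit IE add-ons register in the WOW64 view on 64-bit Windows.
    if ($Key -match '^(HKEY_LOCAL_MACHINE\\SOFTWARE\\)(.+)$') { "$($Matches[1])Wow6432Node\$($Matches[2])" }
    if ($Key -match '^(HKEY_CLASSES_ROOT\\)(CLSID\\.+)$')      { "$($Matches[1])Wow6432Node\$($Matches[2])" }
}

function Invoke-ImIServerSweep {
    $hits = New-Object System.Collections.Generic.List[object]
    foreach ($p in ($paths | ForEach-Object { Expand-IocPath $_ })) {
        if (Test-Path -LiteralPath $p) {
            $detail = if (Test-Path -LiteralPath $p -PathType Leaf) { (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash } else { 'directory' }
            $hits.Add([pscustomobject]@{ Type = 'Path'; Indicator = $p; Detail = $detail })
        }
    }
    foreach ($k in ($keys | ForEach-Object { Get-KeyVariants $_ })) {
        if (Test-Path -LiteralPath "Registry::$k") {
            $hits.Add([pscustomobject]@{ Type = 'RegKey'; Indicator = $k; Detail = '' })
        }
    }
    # The autorun value the page records: Run\hxr93f3e = rundll32.exe w38a581b.dll
    foreach ($k in Get-KeyVariants 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        $run = Get-Item -LiteralPath "Registry::$k" -ErrorAction SilentlyContinue
        if ($run -and ($run.GetValueNames() -contains 'hxr93f3e')) {
            $hits.Add([pscustomobject]@{ Type = 'RunValue'; Indicator = "$k\hxr93f3e"; Detail = $run.GetValue('hxr93f3e') })
        }
    }
    return $hits
}

$found = Invoke-ImIServerSweep
if ($found.Count) { $found | Format-Table -AutoSize } else { 'No ImIServer.IEPlugin indicators found.' }
```

Keep the hashes of anything found: file names like wupdt.exe and netmon.exe are generic and other software uses them, so the hash, not the path, is what lets you confirm the match against a vendor report before you delete.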

Removing ImIServer.IEPlugin:

The BHO and toolbar DLLs listed above are loaded into every Internet Explorer process (and, on older Windows versions, into the Explorer shell), so close those before deleting them, and stop the "Network Monitor" service whose registry entries appear above; otherwise the files stay locked.

You can download a trial version of the "Exterminate-It" antivirus software here to check your computer instantly, or buy it to remove all viruses from your computer.

Also Be Aware of the Following Threats:
Remove Delf.ci Trojan
Removing SillyDl.NP!Trojan Trojan
Remove Windows.Spy Spyware
LDPinch.Variant Trojan Symptoms
Pigeon.ECP Trojan Information
