Offerware, Potentially unwanted software (PUP/LPI)

  • Nicolas Coolman (Administrator, @nicocoolmann)
    Number of posts: 1323

    The program Offerware falls into the category of potentially unwanted optional software (LPI/PUP).

    LPIs, or PUPs, usually install as a program or as a browser extension and are loaded at each start of the operating system.

    Potentially unwanted software (PUP/LPI) can launch services, start scheduled tasks and create shortcuts on your desktop. All these operations are carried out with or without your consent, under the terms of its licence agreement. Once installed, an LPI may change some settings in your browsers, such as the search pages, the start page or even your error page. It can collect your browsing habits and communicate them to a server by tracking. While you browse it can display advertisements (coupons) and banner ads (popups). The goal of this program is often to make money by generating web traffic to sponsored sites.

    Potentially unwanted software (LPI)

    Potentially unwanted software (LPI) or potentially unwanted programs (PUP) are the cause of many infections.
    The most frequently encountered examples are the adware InstallCore, CrossRider, Graftor or Boxore, which pollute your storage drives and the registry. They usually install without your knowledge via freeware downloads. In fact, some sites use the repackaging method, an operation that consists of rebuilding the software's installation module by adding download options. These options allow other software to be added, such as browser toolbars, adware, potentially unwanted software, intrusive advertising software, and even browser hijackers.

    Unwanted spyware and adware, like malware, can exploit coding vulnerabilities in legitimate software or operating systems. It is therefore essential to use official software and to have automatic updates enabled for it. Your Windows operating system must be set to automatic, active update mode, in order to receive the latest fixes for critical security vulnerabilities.

    Main actions:
    – It installs as a process launched at system startup (RP),
    – It installs a program extension for the Google Chrome browser (G2),
    – It installs a program extension for the Mozilla Firefox browser (M2),
    – It installs as a Browser Helper Object (BHO) in the internet browser (O2),
    – It installs as an AppInit_DLLs registry value (O20),
    – It starts an automatic scheduled task (O38),
    – It installs as a program (O42),
    – It adds additional folders (O43),
    – It registers in the Windows prefetcher folder (O45),
    – It pollutes the system registry with many keys and values (O88),
    – It creates multiple files and folders (O88).

    ZHPDiag overview:
    [MD5.2960400094498DAE47B36173286D76A0] – (.Pas de propriétaire – Updater.) — C:\ProgramData\BetterSoft\ContinueToSave\ContinueToSave.exe [348160] [PID.3696]
    M2 – MFEP: prefs.js [Coolman – pvda42x7.default\lpag1vdrud1@jleys.net] [] coNttienuetoosaavee v3.9 (..)
    M2 – MFEP: prefs.js [Coolman – pvda42x7.default\hfbhti0au@eo-dcmojl.com] [] CoNtoinnueyTTosoaave v3.9 (..)
    M2 – MFEP: prefs.js [Coolman – pvda42x7.default\hfbhti0au@eo-dcmojl.com] [] CoNtoinnueyTTosoaave v3.9 (..)
    M2 – MFEP: prefs.js [Coolman – pvda42x7.default\fkbg@uuuu.net] [] caOnutinuetOOsave v3.9 (..)
    O2 – BHO: continuetosave [64Bits] – {766B7FB8-CB68-76CC-A41B-0DDB58862878} . (…) — C:\ProgramData\continuetosave\511a5fd740475.dll
    O2 – BHO: continuetosiavee [64Bits] – {108BB739-E41F-EC5D-F33B-0577AA221711} . (…) — C:\ProgramData\continuetosiavee\518424cbcad93.dll
    O2 – BHO: coontinouuetosoAve – {1C4B81E7-CF47-D06D-7967-35BFF7EE01F8} . (…) — C:\ProgramData\coontinouuetosoAve\519d26f946d28.dll
    O2 – BHO: caOntuinueattousavve – {39D3C41B-613E-8E6B-773C-1E118AA2D4E9} . (…) — C:\ProgramData\caOntuinueattousavve\51a100b9accab.dll
    O39 – APT:Automatic Planified Task – C:\Windows\Tasks\schedule!1143840799.job [436]
    [MD5.2960400094498DAE47B36173286D76A0] [APT] [schedule!1143840799] (…) — C:\ProgramData\BetterSoft\ContinueToSave\ContinueToSave.exe [348160]
    O42 – Logiciel: ContinueToSave – (.BetterSoft.) [HKLM][64Bits] — ContinueToSave
    O42 – Logiciel: ContinueToSave 1.74 – (…) [HKLM][64Bits] — SP_e14dcdfa
    O42 – Logiciel: continuetosave – (.continue to save.) [HKLM][64Bits] — {C1C6816E-CBB3-A748-85F9-A8B47B68985B}
    O42 – Logiciel: coNttienuetoosaavee – (.continue to save.) [HKLM][64Bits] — {C1C6816E-CBB3-A748-85F9-A8B47B68985B}
    O42 – Logiciel: ContinueToSave – (…) [HKLM][64Bits] — {1D7F1AA8-B058-45CE-A725-F87AC69C385E}
    O43 – CFD: 12/02/2013 – 17:01:01 – [1,536] —-D C:\Program Files (x86)\ContinueToSave
    O43 – CFD: 2013-04-16 – 14:45:35 – [0,072] —-D C:\ProgramData\coNttienuetoosaavee
    O45 – LFCP:[MD5.F94E198DEDAD7A1B0534362329BB8110] – 15/05/2013 – 14:20:08 —A- – C:\Windows\Prefetch\CONTINUETOSAVE.EXE-13D5D185.pf
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{766B7FB8-CB68-76CC-A41B-0DDB58862878}]
    [HKLM\Software\Classes\CLSID\{766B7FB8-CB68-76CC-A41B-0DDB58862878}]
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{766B7FB8-CB68-76CC-A41B-0DDB58862878}]
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{766B7FB8-CB68-76CC-A41B-0DDB58862878}]
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{108BB739-E41F-EC5D-F33B-0577AA221711}]
    [HKLM\Software\Classes\CLSID\{108BB739-E41F-EC5D-F33B-0577AA221711}]
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{108BB739-E41F-EC5D-F33B-0577AA221711}]
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{108BB739-E41F-EC5D-F33B-0577AA221711}]
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1C4B81E7-CF47-D06D-7967-35BFF7EE01F8}]
    [HKLM\Software\Classes\CLSID\{1C4B81E7-CF47-D06D-7967-35BFF7EE01F8}]
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1C4B81E7-CF47-D06D-7967-35BFF7EE01F8}]
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{1C4B81E7-CF47-D06D-7967-35BFF7EE01F8}]
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39D3C41B-613E-8E6B-773C-1E118AA2D4E9}]
    [HKLM\Software\Classes\CLSID\{39D3C41B-613E-8E6B-773C-1E118AA2D4E9}]
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{39D3C41B-613E-8E6B-773C-1E118AA2D4E9}]
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{39D3C41B-613E-8E6B-773C-1E118AA2D4E9}]
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\ContinueToSave]
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\SP_{random}]
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{C1C6816E-CBB3-A748-85F9-A8B47B68985B}]
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{1D7F1AA8-B058-45CE-A725-F87AC69C385E}]
    C:\Program Files (x86)\continuetosave
    C:\ProgramData\continuetosave
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\continuetosave
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\contiNuetoasavve
    C:\Users\Jean-Paul.TAFFE\AppData\LocalLow\continuetosave
    C:\ProgramData\continuetosave
    C:\ProgramData\coNttienuetoosaavee
    C:\Windows\Tasks\schedule!1143840799.job

    Aliases:
    Win32/Adware.MultiPlug [ESET Nod32]
    Adware.Win32.FastSaveApp [Microsoft]
    PUP.Optional.Multiplug.A [Malwarebytes]
    Adware.MegaSearch
    PUP.Multiplug

    Diagnose with ZHPSuite. Uninstall with Windows. Delete with ZHPCleaner. Delete with Malwarebytes.

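As an added example (not the author's tool, nor part of ZHPDiag or ZHPCleaner), a small Python triage helper that parses the "O2 – BHO" lines of a ZHPDiag overview like the one quoted in the post, flags entries whose DLL sits under ProgramData or AppData with no company name, and derives for each CLSID the four registry key families plus the DLL folder that the post's listing shows per BHO. The first two sample lines are copied from the post; the third line, its vendor and its all-zero CLSID are constructed placeholders for a benign entry, and the "no vendor + data directory" rule is my own heuristic read off the report lines.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: two O2 lines copied from the post's ZHPDiag overview, plus one
# made-up benign entry (placeholder vendor and all-zero CLSID) that must not be flagged.
SAMPLE_REPORT = r"""
O2 - BHO: continuetosave [64Bits] - {766B7FB8-CB68-76CC-A41B-0DDB58862878} . (...) -- C:\ProgramData\continuetosave\511a5fd740475.dll
O2 - BHO: coontinouuetosoAve - {1C4B81E7-CF47-D06D-7967-35BFF7EE01F8} . (...) -- C:\ProgramData\coontinouuetosoAve\519d26f946d28.dll
O2 - BHO: Example Vendor Helper [64Bits] - {00000000-0000-0000-0000-000000000000} . (.Example Vendor.) -- C:\Program Files\Example\helper.dll
"""

# Accepts the plain "-" / "--" separators ZHPDiag writes and the "–" / "—" the forum rendered.
BHO_RE = re.compile(
    r"^O2\s+[-–]\s+BHO:\s+(?P<name>.+?)\s+(?:\[64Bits\]\s+)?[-–]\s+"
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"
    r"\s+\.\s+\((?P<vendor>[^)]*)\)\s+[-–—]+\s+(?P<path>\S.*?)\s*$"
)

# The four registry locations the post's O88 listing shows for every BHO CLSID.
BHO_KEY_PREFIXES = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
    r"HKLM\Software\Classes\CLSID",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings",
)

def parse_bho_lines(report: str) -> list:
    """One dict (name, clsid, vendor, path) per O2 line; other lines are ignored."""
    return [m.groupdict() for line in report.splitlines() if (m := BHO_RE.match(line.strip()))]

def is_suspicious(entry: dict) -> bool:
    """Heuristic (assumption, not a ZHPDiag rule): a BHO whose DLL lives under ProgramData
    or AppData and whose vendor field is empty, i.e. ZHPDiag printed "(...)"."""
    parts = [p.lower() for p in PureWindowsPath(entry["path"]).parts]
    in_data_dir = "programdata" in parts or "appdata" in parts
    no_vendor = entry["vendor"].strip(". …") == ""
    return in_data_dir and no_vendor

def cleanup_targets(entry: dict) -> dict:
    """Registry keys and DLL folder to inspect for one BHO, mirroring the post's O88 lines."""
    return {
        "registry": [prefix + "\\" + entry["clsid"] for prefix in BHO_KEY_PREFIXES],
        "folder": str(PureWindowsPath(entry["path"]).parent),
    }

def triage(report: str) -> list:
    """Suspicious BHO entries, each extended with its cleanup targets."""
    return [dict(e, **cleanup_targets(e)) for e in parse_bho_lines(report) if is_suspicious(e)]
```

Running `triage(SAMPLE_REPORT)` returns the two ContinueToSave BHOs with their key lists; the placeholder vendor entry is parsed but not flagged.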