» ProtectorUpdater.exe
Overview
Analysis
File Details

ProtectorUpdater.exe

Reimage Protector Updater

Reimage Limited

The application ProtectorUpdater.exe by Reimage Limited has been detected as a potentially unwanted program by 10 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The setup routine uses the RevenYou.Com Pay Per Install platform (OutBrowse) which bundles additional software offers inclduing toolbars, extensions, PC utilities as well as other PUPs.

File name:

Publisher:

Reimage® (signed by Reimage Limited)

Product:

Reimage Protector Updater

Version:

2.007

MD5:

c988264c81970b24b7d3cc075a8dfe17

SHA-1:

dc8ed3dcb158741fe23a606d5cbf76f5e662fa1e

SHA-256:

b41d9da4c2ceff3f956edee743c80ad40316384449b226ab74fafda4fffb03b9

Scanner detections:

10 / 68

Status:

Potentially unwanted

Explanation:

Bundles additional adware offers during download and installation using the OutBrowse installer.

Analysis date:

4/25/2024 1:46:06 PM UTC (today)

Scan engine

Detection

Engine version

Baidu Antivirus

PUA.Win32.ReImageRepair

4.0.3.1628

Bkav FE

W32.HfsAdware

1.3.0.6379

Dr.Web

Adware.Plugin.171

9.0.1.039

ESET NOD32

Win32/ReImageRepair.F potentially unwanted

10.11411

Fortinet FortiGate

Riskware/ReImageRepair

2/8/2016

McAfee

Artemis!AD472E02F2AE

5600.6495

Panda Antivirus

PUP/ReImage

16.02.08.06

Reason Heuristics

Win32.Generic

16.2.8.18

Trend Micro House Call

Suspicious_GEN.F47V0118

7.2.39

Vba32 AntiVirus

AdWare.MSIL.OutBrowse

3.12.26.3

File size:

354.8 KB (363,288 bytes)

Product version:

2.007

Original file name:

ProtectorUpdater.exe

File type:

Executable application (Win32 EXE)

Installer:

NSIS (Nullsoft Scriptable Install System)

Common path:

C:\users\{user}\appdata\local\temp\{random}.tmp\protectorupdater.exe

Digital Signature

Signed by:

Reimage Limited

Authority:

VeriSign, Inc.

Valid from:

3/19/2014 3:00:00 AM

Valid to:

6/10/2016 2:59:59 AM

Subject:

CN=Reimage Limited, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Reimage Limited, L=Nicosia, S=Nicosia, C=CY

Issuer:

CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:

3F75B6FA72B8CDE336A61550C70978D2

File PE Metadata

Compilation timestamp:

2/24/2012 10:20:04 PM

OS version:

5.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

10.0

CTPH (ssdeep):

6144:j50gUCRTndM5qK3RTGzh2hQ8E9QcwtzH+gTBxnlim/2qb8GVNVOaj7g0EgVI:10gdTdM573RT7E9Yzewxnl92elOq8B

Entry address:

0x38AF

Entry point:

81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, 68, A2, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 90, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 90, 40, 00, 55, FF, 15, C0, 92, 40, 00, 6A, 08, A3, 98, EB, 47, 00, E8, 36, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, B0, EA, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 64, A2, 40, 00, FF, 15, 84, 91, 40, 00, 68, 4C, A2, 40, 00, 68, A0, 6A, 47, 00, E8, 18, 27, 00, 00, FF, 15, B0, 90, 40, 00, 50, BF, A0, F0, 4C, 00, 57, E8, 06, 27, 00, 00... 
[+]

Entropy:

7.7328

Packer / compiler:

Nullsoft install system v2.x

Code size:

29 KB (29,696 bytes)

Remove ProtectorUpdater.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.