BrowserModifier:Win32/IminentSProtection
First posted on 09 June 2015.
Source: Microsoft
Aliases:
There are no other names known for BrowserModifier:Win32/IminentSProtection.
Explanation:
Threat behavior
Installation
This browser modifier is installed on your computer when you visit the following download page:
- http://www.iminent.com/en/Download
NOTE: Newer versions of the installer might no longer include the search protection component.
Connects to remote hosts
This browser modifier connects to the following websites to download additional installers (search engine and Internet Explorer toolbar), report an installation, and check the geographical location of your PC:
- hxxp://geoloc.iminent.com/
- hxxp://vzapp.iminent.com/vz/08B41628-E2B5-44C7-970F-6847FDCBD8E1/201/MinibarChrome.exe
- hxxp://vzapp.iminent.com/vz/c2c3ac84-2b90-47a7-8e0b-a48cbcac2cec/1/MinibarFirefox.exe
- hxxp://vzapp.iminent.com/vz/be4bdd6c-d5c2-42a6-a5b8-294f35a87a7c/1/IminentMinibarIE.exe
- hxxp://vzapp.iminent.com/vz/2fe796a5-06cc-48f6-8c8f-bdcc0abb0d92/1/IMinentToolbar.exe
- hxxp://reports.montiera.com/reports/jsRprt.srf?rid=nsis&nsisState=0&prdct=iminent&tlbrId=LDCHN&aflt=orgnl&vrsn=1.8.28.3&instlRef=&hardId=1c6dac1b00000000000000155d0a0e55&hostApp=IE&smplGrp=none&bho=0&tlbr=0&ie=9.11.9600.17501&ffx=&os=6.1&hp=&ds=&nt=&
The installation report sent to reports.montiera.com carries the toolbar version (vrsn=1.8.28.3), the host browser and its version (hostApp=IE, ie=9.11.9600.17501), the Windows version (os=6.1) and what appears to be a per-machine identifier (hardId), so this request is a usable network indicator of an installation even when the installer binaries themselves are not captured.
Adds files
Installation:
For the Search:
- C:\Program Files (x86)\Iminent\inst\Bootstrapper
- C:\Program Files (x86)\Iminent\inst\Bootstrapper\CustomActionsIminent.dll
- C:\Program Files (x86)\Iminent\inst\Bootstrapper\MetroConfig.json
- C:\Program Files (x86)\Iminent\inst\Bootstrapper\uninstall.exe
- C:\Program Files (x86)\Iminent\inst\main.ico
- C:\Program Files (x86)\Iminent\inst\SearchTheWeb.ico
- C:\Program Files (x86)\Iminent\inst\Universely.ico
- C:\Program Files (x86)\Iminent\Iminent.WebBooster.InternetExplorer.dll
- C:\Program Files (x86)\Iminent\Minibar.InternetExplorer.BHOx64.dll
- C:\Program Files (x86)\Iminent\Minibar.InternetExplorer.BHOx86.dll
- C:\Program Files (x86)\Iminent\SearchTheWeb.xml
- C:\Program Files (x86)\Iminent\StartWeb.xml
- C:\Program Files (x86)\Iminent\USearch.xml
- C:\Program Files (x86)\Iminent\WinkHandler.exe
For the Toolbar:
- C:\Program Files (x86)\IminentToolbar\1.8.28.3\bh\iminent.dll
- C:\Program Files (x86)\IminentToolbar\1.8.28.3\iminentApp.dll
- C:\Program Files (x86)\IminentToolbar\1.8.28.3\iminentEng.dll
- C:\Program Files (x86)\IminentToolbar\1.8.28.3\iminentsrv.exe
- C:\Program Files (x86)\IminentToolbar\1.8.28.3\iminentTlbr.dll
- C:\Program Files (x86)\IminentToolbar\1.8.28.3\sqlite3.dll
- C:\Program Files (x86)\IminentToolbar\1.8.28.3\uninstall.exe
For the Search Protection service:
The following main file contains the search protection, update downloading, and the notification icon on the taskbar. It runs each time you start your PC:
- C:\Program Files (x86)\Common Files\Umbrella\Umbrella0.exe
This threat also adds the following registry entries during installation:
In subkey: HKEY_CURRENT_USER\Software\Iminent
Sets value: "CurrentLcid"
With data: "dword:00000409"
In subkey: HKEY_CURRENT_USER\Software\Iminent\SearchTheWeb
Sets value: "CheckHammerTime"
With data: "dword:556bc1cb"
Sets value: "MonetisationID"
With data: "dword:000001ba"
Sets value: "Scope"
With data: "http://search.iminent.com/?appId=&ref={reference}&q={searchTerms}"
Sets value: "BHO_catchAboutPages"
With data: "0"
Sets value: "UserHomePageDecision"
With data: "1"
Sets value: "UserSTWDecision"
With data: "1"
Sets value: "OldDefaultScope"
With data: "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
In subkey: HKEY_CURRENT_USER\Software\IminentToolbar\iminent
Sets value: "tlbrSrchUrl"
With data: "http://search.iminent.com/?ref=toolbarm#q="
Sets value: "lastB"
With data: "http://search.iminent.com/?appId=00000000-0000-0000-0000-000000000000"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Iminent
Sets value: "CountryCode"
With data: "US"
Sets value: "AppInstanceUid"
With data: ""
Sets value: "UserTBLDecision"
With data: "1"
Sets value: "Rebirth"
With data: "1"
Sets value: "BagKey"
With data: "wCI0m76"
Sets value: "Version"
With data: "8.18.1.1"
Sets value: "SearchIndex"
With data: "dword:00000002"
Sets value: "CurrentLcid"
With data: "dword:00000409"
Sets value: "MonetizationOption"
With data: "dword:0000000a"
Sets value: "BirthDate"
With data: "dword:556bc284"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Iminent\SearchTheWeb
Sets value: "UserHomePageDecision"
With data: "1"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Iminent\WebBooster
Sets value: "XmlConfigUrl"
With data: "http://apix.iminent.com/webbooster/config.xml"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\IminentToolbar\iminent\Instl
Sets value: "InstallDir"
With data: "C:\Program Files (x86)\IminentToolbar\1.8.28.3"
Runs process
It has the following process that runs as a service:
Adds a service
This threat adds the SProtection service. It is the main service for Iminent and it automatically runs each time you start your PC.
It is responsible for various functionalities including, but not limited to:
- Downloading and installing updates
- Search protection
- Taskbar menu
Modifies browser settings
- Changes the default search page and adds a toolbar.
- Adds browser add-ons (the Minibar browser helper objects and the IminentToolbar components listed under Adds files).
- Changes the default search engine.
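As an added example (not part of Microsoft's write-up and not Iminent's own code), the PowerShell below sweeps a host for the files, registry values and service listed on this page and reports where the search hijack has landed in Internet Explorer. It is read-only: it lists findings and changes nothing. The file paths, registry keys and the SProtection service name are taken from the page; the Internet Explorer SearchScopes and Browser Helper Objects registry locations, and the CLSID-to-DLL lookup, are standard IE locations that the page itself does not name and are an assumption of this example.

```powershell
# Added example, not from the Microsoft page or the Iminent product.
# Read-only sweep for the BrowserModifier:Win32/IminentSProtection indicators listed above.
# Assumed (not named on the page): IE SearchScopes and Browser Helper Objects keys, CLSID lookup.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Files named on the page; check both Program Files roots so 32-bit hosts are covered too.
$roots = @(${env:ProgramFiles(x86)}, $env:ProgramFiles) | Where-Object { $_ } | Select-Object -Unique
$relPaths = @(
    'Iminent\Minibar.InternetExplorer.BHOx86.dll',
    'Iminent\Minibar.InternetExplorer.BHOx64.dll',
    'Iminent\Iminent.WebBooster.InternetExplorer.dll',
    'Iminent\WinkHandler.exe',
    'Iminent\inst\Bootstrapper\uninstall.exe',
    'IminentToolbar\1.8.28.3\iminentsrv.exe',
    'IminentToolbar\1.8.28.3\bh\iminent.dll',
    'IminentToolbar\1.8.28.3\uninstall.exe',
    'Common Files\Umbrella\Umbrella0.exe'
)
foreach ($root in $roots) {
    foreach ($rel in $relPaths) {
        $p = Join-Path $root $rel
        if (Test-Path -LiteralPath $p) { $findings.Add("file: $p") }
    }
}

# 2. Registry keys and the values the page says are written during installation.
$regChecks = @{
    'HKCU:\Software\Iminent\SearchTheWeb'         = @('Scope', 'OldDefaultScope', 'UserSTWDecision')
    'HKCU:\Software\IminentToolbar\iminent'       = @('tlbrSrchUrl', 'lastB')
    'HKLM:\SOFTWARE\Iminent'                      = @('Version', 'MonetizationOption', 'BirthDate')
    'HKLM:\SOFTWARE\Iminent\WebBooster'           = @('XmlConfigUrl')
    'HKLM:\SOFTWARE\IminentToolbar\iminent\Instl' = @('InstallDir')
}
foreach ($key in $regChecks.Keys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $findings.Add("regkey: $key")
    $item = Get-ItemProperty -LiteralPath $key
    foreach ($name in $regChecks[$key]) {
        $prop = $item.PSObject.Properties[$name]
        if ($prop) { $findings.Add("  $name = $($prop.Value)") }
    }
}

# 3. The SProtection service (the page: runs at every boot, does search protection and updates).
$svc = Get-Service -Name 'SProtection' -ErrorAction SilentlyContinue
if ($svc) {
    $bin = (Get-CimInstance Win32_Service -Filter "Name='SProtection'").PathName
    $findings.Add("service: SProtection ($($svc.Status)) -> $bin")
}

# 4. Where the search-provider hijack lands in IE (assumed standard IE key, not named on the page).
$scopes = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
if (Test-Path -LiteralPath $scopes) {
    $default = (Get-ItemProperty -LiteralPath $scopes -ErrorAction SilentlyContinue).DefaultScope
    foreach ($scope in Get-ChildItem -LiteralPath $scopes) {
        $url = (Get-ItemProperty -LiteralPath $scope.PSPath -ErrorAction SilentlyContinue).URL
        if ($url -match 'iminent\.com') {
            $tag = if ($scope.PSChildName -eq $default) { ' (DEFAULT)' } else { '' }
            $findings.Add("ie-search-scope: $($scope.PSChildName)$tag -> $url")
        }
    }
}

# 5. BHO registrations whose COM server DLL lives under an Iminent directory (assumed standard keys).
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
foreach ($bhoKey in $bhoKeys) {
    if (-not (Test-Path -LiteralPath $bhoKey)) { continue }
    foreach ($bho in Get-ChildItem -LiteralPath $bhoKey) {
        $clsid = $bho.PSChildName
        foreach ($hive in @('Registry::HKEY_CLASSES_ROOT\CLSID', 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID')) {
            $server = (Get-ItemProperty -LiteralPath "$hive\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            if ($server -and $server -match 'Iminent') { $findings.Add("bho: $clsid -> $server") }
        }
    }
}

if ($findings.Count -eq 0) { 'No Iminent indicators found.' } else { $findings }
```

Run it from an elevated PowerShell so the HKLM and service queries are not silently empty. A hit on the DEFAULT search scope confirms the search-provider change described under Payload; the OldDefaultScope value the installer stores under HKCU\Software\Iminent\SearchTheWeb is the scope it replaced and is what a clean-up would restore after the uninstallers listed under Adds files have been run.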
Payload
Search Protection
This threat uses search protection, which prevents you from freely choosing the search provider you prefer. The restriction is implemented by prompting you with additional questions whenever you or another program try to change your default search provider.
Uninstallation
This threat adds the following uninstaller. The uninstaller can completely remove this application from your PC.
Related information
- A timeline of consent and control provides an overview of Microsoft's BrowserModifier detection criteria.
- Detection changes: search protection code provides an overview of Microsoft's detection criteria update for browser search protection functionality.
Analysis by James Dee
Symptoms
The following can indicate that you have this program on your PC:
- You might have a browser extension, toolbar, or add-on installed and enabled without your consent. See the Threat behavior section for examples of these prompts.
Last update 09 June 2015