home

{42e5d6be-c70e-4bea-b577-de4ecee47d9d}w64.sys

Spring Smart

Part of the Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The file {42e5d6be-c70e-4bea-b577-de4ecee47d9d}w64.sys by Spring Smart has been detected as adware by 28 anti-malware scanners. It runs as a Windows 64-bit kernel mode device driver named “{42e5d6be-c70e-4bea-b577-de4ecee47d9d}w64”. It will plug into the web browser and display context-based advertisements by overwriting existing ads or by inserting new ones on various web pages.
Publisher:
StdLib  (signed by Spring Smart)

Product:
StdLib

Version:
1.4.4.6 built by: WinDDK

MD5:
41da1e2cc8f44eb1b80bffe71bc5e791

SHA-1:
997db340546e61efcb2c034856dc31d45f736093

SHA-256:
92e1efbc7f07e238e36e137c51b5b31b5ccd3252a5dbcfc0b22c60400618a37c

Scanner detections:
28 / 68

Status:
Adware

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
4/25/2024 2:20:07 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Adware.SwiftBrowse.CH
368

Agnitum Outpost
Riskware.Agent
7.1.1

avast!
Win32:BrowseFox-GQ [PUP]
2014.9-160202

AVG
AdPlugin
2017.0.2846

Baidu Antivirus
Adware.Win32.BrowseFox
4.0.3.1622

Bitdefender
Adware.SwiftBrowse.CH
1.0.20.165

Bkav FE
W64.HfsAdware
1.3.0.7237

Clam AntiVirus
Win.Adware.Swiftbrowse-497
0.98/21511

Dr.Web
Trojan.Yontoo.1741
9.0.1.033

Emsisoft Anti-Malware
Adware.SwiftBrowse.CH
8.16.02.02.08

ESET NOD32
Win64/BrowseFox.CG potentially unwanted application
10.7.0.302.0

F-Prot
W64/A-59c9c70a
v6.4.7.1.166

F-Secure
Adware.SwiftBrowse.CH
11.2016-02-02_3

G Data
Adware.SwiftBrowse.CH
16.2.25

K7 AntiVirus
Adware
13.210.17264

Malwarebytes
PUP.Optional.SpringSmart
v2016.02.02.08

McAfee
Artemis!02D69E6426EC
5600.6502

MicroWorld eScan
Adware.SwiftBrowse.CH
17.0.0.99

NANO AntiVirus
Riskware.Win64.BPlug.dwtdyz
0.30.24.3283

Norman
Adware.SwiftBrowse.CH
11.20160202

nProtect
Adware.SwiftBrowse.CH
15.09.18.01

Reason Heuristics
PUP.Yontoo.SpringSmart (M)
16.2.2.8

Rising Antivirus
PE:Malware.Generic/QRS!1.9E2D[F1]
23.00.65.16131

SUPERAntiSpyware
Adware.BrowseFox/Variant
9348

Trend Micro House Call
TROJ_GEN.R08NC0OC615
7.2.33

Trend Micro
TROJ_GEN.R08NC0OGD15
10.465.02

VIPRE Antivirus
Trojan.Win32.Generic
43862

Zillya! Antivirus
Adware.Yotoon.Win64.14
2.0.0.2403

File size:
47.7 KB (48,832 bytes)

Product version:
1.4.4.6

Copyright:
Copyright © 2013 StdLib

Original file name:
StdLib.sys

File type:
Driver (Win64 SYS)

Language:
English (United States)

Common path:
C:\Windows\System32\drivers\{42e5d6be-c70e-4bea-b577-de4ecee47d9d}w64.sys

Digital Signature
Signed by:
Spring Smart

Authority:
VeriSign, Inc.

Valid from:
8/21/2013 6:00:00 PM

Valid to:
8/22/2015 5:59:59 PM

Subject:
CN=Spring Smart, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Spring Smart, L=Santa Monica, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
5D69FD87A1BCECDB8891F45F148E34E2

File PE Metadata
Compilation timestamp:
12/1/2014 3:28:04 AM

OS version:
6.1

OS bitness:
Win64

Subsystem:
Native (none required)

Linker version:
9.0

CTPH (ssdeep):
768:lS7G2EjsnyXeOUEGG0LA8tWFZuL470h6aqxcCT2kvsVRwlZD3gcCf:kFID6EGnLA8AFJTNEVmDI

Entry address:
0xC064

Entry point:
48, 83, EC, 28, 4C, 8B, C2, 4C, 8B, C9, E8, 95, FF, FF, FF, 49, 8B, D0, 49, 8B, C9, 48, 83, C4, 28, E9, E2, 50, FF, FF, CC, CC, 78, C2, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 54, C6, 00, 00, A0, 91, 00, 00, 28, C1, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, DA, CA, 00, 00, 50, 90, 00, 00, D8, C0, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, D2, CB, 00, 00, 00, 90, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, B6, CB, 00, 00, 00, 00, 00, 00, A2, CB, 00, 00...
 
[+]

Entropy:
6.3935

Code size:
34.5 KB (35,328 bytes)

Driver
Display name:
{42e5d6be-c70e-4bea-b577-de4ecee47d9d}w64

Type:
Kernel device driver (KernelDriver)

Group:
PNP_TDI


herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.