home

{9acd1534-e8f8-40cb-b5ac-4996fe01175b}gw64.sys

Scan Tack

Part of the Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The file {9acd1534-e8f8-40cb-b5ac-4996fe01175b}gw64.sys by Scan Tack has been detected as adware by 27 anti-malware scanners. It runs as a Windows 64-bit kernel mode device driver named “{9acd1534-e8f8-40cb-b5ac-4996fe01175b}Gw64”. It will plug into the web browser and display context-based advertisements by overwriting existing ads or by inserting new ones on various web pages.
Publisher:
StdLib  (signed by Scan Tack)

Product:
StdLib

Version:
1.4.4.6 built by: WinDDK

MD5:
20cd394b79320fecbca4f3e8e2867d4f

SHA-1:
039ab78925f4d153cb4faac94969c6deb16c13c1

SHA-256:
1d7e7989d17cbebf85b289eb23c59615a0aaf98134893f0ca512859ffa8a954e

Scanner detections:
27 / 68

Status:
Adware

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
4/19/2024 8:33:10 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Adware.SwiftBrowse.CH
478

Agnitum Outpost
Trojan.BPlug
7.1.1

avast!
Win32:BrowseFox-J [PUP]
2014.9-151014

AVG
Generic
2016.0.2956

Baidu Antivirus
Adware.Win32.BrowseFox
4.0.3.151014

Bitdefender
Adware.SwiftBrowse.CH
1.0.20.1435

Bkav FE
W64.HfsAdware
1.3.0.6379

Clam AntiVirus
Win.Adware.Swiftbrowse-497
0.98/21511

Dr.Web
Trojan.BPlug.123
9.0.1.0287

Emsisoft Anti-Malware
Adware.SwiftBrowse.CH
8.15.10.14.09

ESET NOD32
Win64/BrowseFox (variant)
9.10542

F-Prot
W64/A-59c9c70a
v6.4.7.1.166

F-Secure
Adware.SwiftBrowse.CH
11.2015-14-10_4

G Data
Adware.SwiftBrowse.CH
15.10.25

IKARUS anti.virus
AdWare.SpadeCast
t3scan.1.6.1.0

K7 AntiVirus
Adware
13.202.15641

McAfee
Artemis!72C69E7BEF97
5600.6612

MicroWorld eScan
Adware.SwiftBrowse.CH
16.0.0.861

Norman
Adware.SwiftBrowse.CH
11.20151014

nProtect
Adware.SwiftBrowse.CH
15.04.17.01

Reason Heuristics
PUP.Yontoo.ScanTack (M)
15.10.14.21

Sophos
BrowseSmart
4.98

SUPERAntiSpyware
Adware.BrowseFox/Variant
9569

Trend Micro House Call
Suspicious_GEN.F47V0613
7.2.287

Trend Micro
HS_BROWSEFOX.SM
10.465.14

VIPRE Antivirus
Trojan.Win32.Generic
30472

Zillya! Antivirus
Adware.Yotoon.Win64.3
2.0.0.1899

File size:
47.7 KB (48,824 bytes)

Product version:
1.4.4.6

Copyright:
Copyright © 2013 StdLib

Original file name:
StdLib.sys

File type:
Driver (Win64 SYS)

Language:
English (United States)

Common path:
C:\Windows\System32\drivers\{9acd1534-e8f8-40cb-b5ac-4996fe01175b}gw64.sys

Digital Signature
Signed by:
Scan Tack

Authority:
VeriSign, Inc.

Valid from:
1/21/2014 7:00:00 PM

Valid to:
1/22/2015 6:59:59 PM

Subject:
CN=Scan Tack, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Scan Tack, L=San Diego, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
44D91A3142283CE62B23F23C84838B0D

File PE Metadata
Compilation timestamp:
9/22/2014 3:01:54 PM

OS version:
6.1

OS bitness:
Win64

Subsystem:
Native (none required)

Linker version:
9.0

CTPH (ssdeep):
768:l97G2EjsnyXeOUEGG0LA8tWFZuL470h6aqxcCT2kvsVRwlZD3mKe:zFID6EGnLA8AFJTNEVmDmv

Entry address:
0xC064

Entry point:
48, 83, EC, 28, 4C, 8B, C2, 4C, 8B, C9, E8, 95, FF, FF, FF, 49, 8B, D0, 49, 8B, C9, 48, 83, C4, 28, E9, E2, 50, FF, FF, CC, CC, 78, C2, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 54, C6, 00, 00, A0, 91, 00, 00, 28, C1, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, DA, CA, 00, 00, 50, 90, 00, 00, D8, C0, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, D2, CB, 00, 00, 00, 90, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, B6, CB, 00, 00, 00, 00, 00, 00, A2, CB, 00, 00...
 
[+]

Code size:
34.5 KB (35,328 bytes)

Driver
Display name:
{9acd1534-e8f8-40cb-b5ac-4996fe01175b}Gw64

Type:
Kernel device driver (KernelDriver)

Group:
PNP_TDI


herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.