antitoolbarpackage1004.exe

AntiToolbar

Reimage Limited

The application antitoolbarpackage1004.exe, “AntiToolbar Installation Package” by Reimage Limited, has been detected as adware by 3 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is built using the Crossrider cross-browser extension toolkit. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from cdn.anti-toolbar.com.
Publisher:
Reimage® (signed by Reimage Limited)

Product:
AntiToolbar

Description:
AntiToolbar Installation Package

Version:
1.004

MD5:
d1c4bb6a972ecc361c91884b3a259c90

SHA-1:
64ecbfc9acc1e93f2c479b54f027ddb5d7b88ad9

SHA-256:
ecac1e519da92a69ef0776b43f6657560fb0a1b139ee61e8825e28f8b47f6d32

Scanner detections:
3 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
4/26/2024 3:09:33 AM UTC

Scan engine | Detection | Engine version
Dr.Web | riskware program Program.Unwanted.35 | 9.0.1.05190
ESET NOD32 | Win32/ReImageRepair.D potentially unwanted application | 7.0.302.0
Reason Heuristics | PUP.Crossrider.Reimage.Installer.W | 14.9.12.17

File size:
5.2 MB (5,424,856 bytes)

Product version:
1.004

Copyright:
© Reimage 2012

Original file name:
AntiToolbarPackage.exe

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
English (United States)

Common path:
C:\Documents and Settings\{user}\Local settings\temporary internet files\content.ie5\{random}\antitoolbarpackage1004.exe

Digital Signature
Signed by:
Reimage Limited
Authority:
VeriSign, Inc.

Valid from:
4/10/2012 9:00:00 PM

Valid to:
5/3/2014 8:59:59 PM

Subject:
CN=Reimage Limited, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Reimage Limited, L=Nicosia, S=Nicosia, C=CY

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
08242D065B8CE1035215AAA943CF9166

File PE Metadata
Compilation timestamp:
12/5/2009 8:50:46 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
98304:CzQSooyst8IParMgxB6SUNoiQwPUvHdLav1QRPpvbDFcYC0eNa4VOQnSA:GQSooaMFgxARo0sv9LqWvVc503rA

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 3F, 42, 00, E8, 09, 2C, 00, 00, A3, A4, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 36, 42, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, AA, 28, 00, 00...

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file antitoolbarpackage1004.exe has been seen being distributed by the following URL.

Remove antitoolbarpackage1004.exe - Powered by Reason Core Security