crextp39.exe

Mindspark Toolbar Platform for Internet Explorer

Mindspark Interactive Network

The application crextp39.exe, “Mindspark Toolbar Platform” by Mindspark Interactive Network, has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. Additionally, the file is typically installed by a number of programs including PuzzleGamesDaily Internet Explorer Toolbar by Mindspark Interactive Network and Motitags Internet Explorer Toolbar by Mindspark Interactive Network, both potentially unwanted software. While running, it connects to the Internet address edge-z-1-p2-shv-01-lhr3.facebook.com on port 443.
Publisher:
Mindspark  (signed by Mindspark Interactive Network)

Product:
Mindspark Toolbar Platform for Internet Explorer

Description:
Mindspark Toolbar Platform

Version:
1.0.7.247

MD5:
b5a25fe2553f5deb182f67582db5970b

SHA-1:
1c593d71df706afbbe21115ea4f837e11745ff40

SHA-256:
5baca8173739a39c2dc3172f1375e505362eae0ccdb4b7da62269e069054dbb6

Scanner detections:
1 / 68

Status:
Potentially unwanted

Note:
Our current pool of anti-malware engines has not detected this file; however, based on our own detection heuristics, we feel that this file is unwanted.

Analysis date:
4/19/2024 1:35:15 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Mindspark.MindsparkInteractiveNetwork.Toolbar (M)

Engine version:
15.6.28.5

File size:
1.1 MB (1,158,168 bytes)

Product version:
2.5.15.19

Copyright:
Copyright © 2009-2015 Mindspark Interactive Network, Inc.

Original file name:
CrExtProc.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\mapsgalaxy_39\bar\1.bin\crextp39.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
4/19/2015 5:00:00 PM

Valid to:
6/18/2018 4:59:59 PM

Subject:
CN=Mindspark Interactive Network, O=Mindspark Interactive Network, L=Yonkers, S=New York, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
438D4291E43C2DFFEEAAAEE5B6C070B5

File PE Metadata
Compilation timestamp:
6/17/2015 7:47:44 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:uJycIf6ofvu/PrBTgxC/YnhrUwUpY9VYgiuz6L8D61:uJq6ofvu/jBEx0YrUwCY9VYgJ6LK61

Entry address:
0x6154F

Entry point:
E8, 0D, B4, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 8D, 45, 14, 50, 6A, 00, FF, 75, 10, FF, 75, 0C, FF, 75, 08, E8, 82, 73, 00, 00, 83, C4, 14, 5D, C3, CC, CC, CC, CC, CC, CC, CC, CC, CC, 55, 8B, EC, 56, 33, C0, 50, 50, 50, 50, 50, 50, 50, 50, 8B, 55, 0C, 8D, 49, 00, 8A, 02, 0A, C0, 74, 09, 83, C2, 01, 0F, AB, 04, 24, EB, F1, 8B, 75, 08, 83, C9, FF, 8D, 49, 00, 83, C1, 01, 8A, 06, 0A, C0, 74, 09, 83, C6, 01, 0F, A3, 04, 24, 73, EE, 8B, C1, 83, C4, 20, 5E, C9, C3, 8B, FF, 55, 8B, EC, 83, EC, 20, 53...
 

Entropy:
6.5049

Code size:
547.5 KB (560,640 bytes)

The file crextp39.exe has been discovered within the following programs.

CouponXplorer Firefox Toolbar  by Mindspark Interactive Network
Installs a potentially unwanted Ask.com powered toolbar - "As part of the download process for the Toolbar, you may be given the option to reset your homepage and/or reset your new tab page to an Ask® home page and new tab product."
support.mindspark.com
70% remove it
DictionaryBoss Internet Explorer Toolbar  by Mindspark Interactive Network
Publisher's description - “The My Web Search Toolbar sends a configuration request when you start your browser.”
71% remove it
DownSpeedTest Internet Explorer Toolbar  by Mindspark Interactive Network
64% remove it
Elite Unzip Internet Explorer Toolbar  by Mindspark Interactive Network
Publisher's description - “The Toolbar, in the course of processing a given search query, sends a request to our servers.”
64% remove it
FilmFanatic Internet Explorer Toolbar  by Mindspark Interactive Network
73% remove it
GetFormsOnline Internet Explorer Toolbar  by Mindspark Interactive Network
70% remove it
HeadlineAlley Internet Explorer Toolbar  by Mindspark Interactive Network
HeadlineAlley is a Mindspark web browser toolbar that is designed to modify the user's search and home pages to Ask.com (or MyWebSearch).
63% remove it
HowToSimplified Internet Explorer Toolbar  by Mindspark Interactive Network
Publisher's description - “The My Web Search Toolbar, in the course of processing a given search query, sends a request to our servers.”
74% remove it
InboxAce Internet Explorer Toolbar  by Mindspark Interactive Network
This is a web browser extension/toolbar that will modify the user's home page and search provider to Ask.com.
70% remove it
Internet Speed Tracker Internet Explorer Toolbar  by Mindspark Interactive Network
From the Terms of Service: "As part of the download process for the Toolbar, you may be given the option to reset your Internet browser's homepage to an Ask homepage product and/or reset your new tab page to an Ask new tab product."
69% remove it
 
Powered by Should I Remove It?

The executing file has been seen to make the following network communications in live environments.
