ewssi_gya3.exe

Artur Semanin

This program bundles adware during its download and install process using the InstaleRex pay-per-install app monetizer. The application ewssi_gya3.exe, published by Artur Semanin, has been detected as adware by 33 anti-malware scanners. It is built on the Crossrider cross-browser extension platform; although the file uses the Crossrider framework and delivery services, it is not owned by Crossrider. It is typically executed from an Internet Explorer cache folder (Temporary Internet Files).
Remove ewssi_gya3.exe - Powered by Reason Core Security
Publisher:
Artur Semanin (signed and verified)

MD5:
6e9bfc660ae23825138faf38ca0daf62

SHA-1:
e1b01bf33b2ff359a99d8fe740f9e7bbe2d2bf2b

SHA-256:
ef72e5bbcbd33258c0a363409d333c70cfa26897e47208571e13b43c10a6d29b

Scanner detections:
33 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
12/11/2016 7:25:52 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Gen:Variant.Adware.Dropper.101 | 970
Agnitum Outpost | PUA.Downloader | 7.1.1
AhnLab V3 Security | Adware/Win32.BHO | 2014.06.11
Avira AntiVirus | Adware/Graftor.77543 | 7.11.154.46
Antiy Labs AVL | Spyware[AdWare:not-a-virus]/Win32.MegaSearch | 1.0.0.1
avast! | Win32:PUP-gen [PUP] | 140608-0
AVG | Adware Generic_s.Q | 2014.0.3955
Bitdefender | Gen:Variant.Adware.Dropper.101 | 1.0.20.805
Comodo Security | Application.Win32.Preloader.A | 18499
Dr.Web | Trojan.Crossrider.3 | 9.0.1.05190
Emsisoft Anti-Malware | Gen:Variant.Adware.Dropper.101 | 8.14.06.10.10
ESET NOD32 | Win32/Preloader.A potentially unwanted application | 7.0.302.0
Fortinet FortiGate | Adware/MultiPlug | 6/10/2014
F-Prot | W32/Preloader.A.gen | 4.6.5.141
F-Secure | Gen:Variant.Adware.Dropper.101 | 11.2014-10-06_3
G Data | Gen:Variant.Adware.Dropper.101 | 14.6.24
IKARUS anti.virus | AdWare.Graftor | t3scan.1.6.1.0
K7 AntiVirus | Trojan | 13.1712358
K7 Gateway Antivirus | Trojan | 13.1712358
Kaspersky | not-a-virus:WebToolbar.Win32.Cossder | 15.0.0.463
Kingsoft AntiVirus | Win32.Troj.MegaSearch.am.(kcloud) | 331020.49267
Malwarebytes | PUP.Optional.PreLoader.A | v2014.06.10.10
McAfee | PUP-FDQ!6E9BFC660AE2 | 5600.7104
McAfee Web Gateway | PUP-FDQ!6E9BFC660AE2 | 7.7104
MicroWorld eScan | Gen:Variant.Adware.Dropper.101 | 15.0.0.483
NANO AntiVirus | Riskware.Win32.MegaSearch.cmtagu | 0.28.0.60253
Panda Antivirus | Trj/Downloader.JBL | 14.06.10.10
Qihoo 360 Security | Malware.QVM10.Gen | 1.0.0.1015
Reason Heuristics | PUP.ArturSemanin.K | 14.8.8.0
Rising Antivirus | PE:PUF.Graftor!1.9C49 | 23.00.65.14608
Sophos | Preload | 4.98
Vba32 AntiVirus | AdWare.MegaSearch | 3.12.26.0
VIPRE Antivirus | Threat.4150696 | 30086

File size:
1 MB (1,096,280 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\ewssi_gya3.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
8/6/2013 2:00:00 AM

Valid to:
8/7/2014 1:59:59 AM

Subject:
CN=Artur Semanin, O=Artur Semanin, STREET=Radishcheva 8, L=Kyiv, S=Kyiv, PostalCode=03164, C=UA

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
38BEDBA31B62D500B998286A80E230EB

File PE Metadata
Compilation timestamp:
7/11/2013 6:52:38 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
24576:4LiVemQGYCSaFvTKoDojuuJuFRfhWL9eCxirDlfT:4LLPGY2KRE34LkCxirDlfT

Entry address:
0xD374

Entry point:
E8, B2, 50, 00, 00, E9, 78, FE, FF, FF, 8B, FF, 55, 8B, EC, 8B, 45, 08, 33, C9, 3B, 04, CD, 38, 72, 41, 00, 74, 13, 41, 83, F9, 2D, 72, F1, 8D, 48, ED, 83, F9, 11, 77, 0E, 6A, 0D, 58, 5D, C3, 8B, 04, CD, 3C, 72, 41, 00, 5D, C3, 05, 44, FF, FF, FF, 6A, 0E, 59, 3B, C8, 1B, C0, 23, C1, 83, C0, 08, 5D, C3, E8, 87, 19, 00, 00, 85, C0, 75, 06, B8, A0, 73, 41, 00, C3, 83, C0, 08, C3, E8, 74, 19, 00, 00, 85, C0, 75, 06, B8, A4, 73, 41, 00, C3, 83, C0, 0C, C3, 8B, FF, 55, 8B, EC, 56, E8, E2, FF, FF, FF, 8B, 4D, 08...

Code size:
87.5 KB (89,600 bytes)
