home

hijackerremovaltool.exe

Security Stronghold LLC

The application hijackerremovaltool.exe by Security Stronghold has been detected as a potentially unwanted program by 3 anti-malware scanners. The program is a setup application that uses the Inno Setup installer. The installer uses the InstallMonetizer platform which will donwload and install adware toolbars and other potentially unwanted software offers during setup. The file has been seen being downloaded from software-files-a.cnet.com and multiple other hosts.
Publisher:
Security Stronghold   (signed by Security Stronghold LLC)

MD5:
c106218285ca56b72d2b1242155cdaff

SHA-1:
ed8254bd98f2f45df3d19bb6793395174c8e3e53

SHA-256:
a9f590e0a2b911f875851414ba44bc271ea430ff47a3023bd076a7ce952d4643

Scanner detections:
3 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallMonetizer distribution platform to bundle adware.

Analysis date:
4/25/2024 10:41:08 PM UTC  (today)

Scan engine
Detection
Engine version

Baidu Antivirus
Adware.Win32.InstallMonetizer
4.0.3.141011

ESET NOD32
Win32/SecurityStronghold (variant)
8.10530

Reason Heuristics
PUP.Optional.SecurityStronghold.T
14.10.11.0

File size:
3.1 MB (3,252,464 bytes)

Product version:
build_1.0.0.142_rev_3678_date_12:22:42 09-09-14

Copyright:
Copyright © 2003-2014 Security Stronghold

File type:
Executable application (Win32 EXE)

Installer:
Inno Setup

Language:
Language Neutral

Digital Signature
Signed by:
Security Stronghold LLC

Authority:
GlobalSign nv-sa

Valid from:
10/14/2013 12:55:31 PM

Valid to:
12/11/2014 5:49:56 AM

Subject:
E=manager@securitystronghold.com, CN=Security Stronghold LLC, O=Security Stronghold LLC, L=Astrakhan, C=RU

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
1121ACD1A0DCFFA94069288588DCC5FFCF18

File PE Metadata
Compilation timestamp:
6/19/1992 6:22:17 PM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
49152:K9okMIuhM5zYPM7T7X8Z/TWlZsMCC6/vfWNGQnW3231VLykjKsqn:EokMPAY8CKlZsbWRndusqn

Entry address:
0xA5F8

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, CE, 8A, FF, FF, E8, D5, 9C, FF, FF, E8, 64, 9F, FF, FF, E8, 07, A0, FF, FF, E8, A6, BF, FF, FF, E8, 11, E9, FF, FF, E8, 78, EA, FF, FF, 33, C0, 55, 68, C9, AC, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 92, AC, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 26, F5, FF, FF, E8, 11, F1, FF, FF, 80, 3D, 34, B2, 40, 00, 00, 74, 0C, E8, 23, F6, FF, FF, 33, C0, E8, C4, 97, FF, FF, 8D, 55, F0, 33, C0, E8, B6, C5, FF, FF, 8B, 55...
 
[+]

Entropy:
7.9974

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
39.5 KB (40,448 bytes)

The file hijackerremovaltool.exe has been seen being distributed by the following 4 URLs.

http://software-files-a.cnet.com/s/software/13/.../92/.../FakeAlertTrojanRemovalTool.exe

http://www.securitystronghold.com/gates/.../SnapDoToolbarRemovalTool.exe

http://www.securitystronghold.com/gates/link/0/.../?url=_d1_SnapDoToolbarRemovalTool.exe

http://www.securitystronghold.com/gates/.../HijackerRemovalTool.exe

Remove hijackerremovaltool.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.