nvgswmqjr.exe

Crime Watch

Mathematical Applications

This file is part of an adware program that injects advertising (banners, text links) into the web browser, modifies the browser's normal behavior, and changes the system settings that control which applications run at startup. It belongs to the Injekt family of unwanted programs. The application nvgswmqjr.exe, "CrimeWatch Service" by Mathematical Applications, has been detected as adware by 10 anti-malware scanners. It runs as a separate Windows service (within the context of its own process) named "nVGswMqJr". This file is typically installed with the program CrimeWatch by Mathematical Applications, which is a potentially unwanted program. According to AVG, this software downloads additional adware offers during setup.
Publisher:
Mathematical Applications  (signed and verified)

Product:
Crime Watch

Description:
CrimeWatch Service

Version:
1.0.0.0

MD5:
f7c5c47d232acc37a7f50ae715cff523

SHA-1:
7ac3abcc861ec91c2719c459ac61d16c61b1b2dc

SHA-256:
c37f87c1d42787c9fbc99a4edbf99229518f97304914799806aa67a0f7d8ceb2

Scanner detections:
10 / 68

Status:
Adware

Explanation:
Injects display ads (banner ads), in-text ads, interstitial ads, or other types of ads into the web browser and alters the browser's settings (home page, search, DNS, and security protocols).

Analysis date:
4/24/2024 11:58:50 AM UTC

Scan engine | Detection | Engine version
Avira AntiVirus | ADWARE/Adware.Gen7 | 7.11.197.26
AVG | Downloader | 2015.0.3253
Comodo Security | ApplicUnwnt | 20436
Dr.Web | Adware.Yontoo.55 | 9.0.1.0355
ESET NOD32 | MSIL/Adware.PullUpdate.G.gen (variant) | 8.10912
Fortinet FortiGate | Adware/PullUpdate | 12/21/2014
Malwarebytes | PUP.Optional.CrimeWatch.A | v2014.12.21.10
Reason Heuristics | PUP.Service.MathematicalApplications.J | 14.12.21.22
Sophos | Generic PUA HK | 4.98
Trend Micro House Call | Suspicious_GEN.F47V1220 | 7.2.355

File size:
2.6 MB (2,733,896 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © Mathematical Applications 2014

Original file name:
CrimeWatchService.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\ProgramData\zddiejimvy\nvgswmqjr.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
10/26/2014 7:00:00 PM

Valid to:
10/27/2015 6:59:59 PM

Subject:
CN=Mathematical Applications, O=Mathematical Applications, L=St. James, S=St. James, C=BB

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
79F6406432970C77D2FA7772E5EB6BDC

File PE Metadata
Compilation timestamp:
12/18/2014 6:10:33 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
49152:AYS9Hib1QVTeUPUA7ylhr1nN/bXGwmMx/6ywt01SFe8I:D9yVTeUsAeBBbXNm8/6ywt01S0b

Entry address:
0x29B38E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
7.9996

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
2.6 MB (2,724,864 bytes)

Service
Display name:
nVGswMqJr

Type:
Win32OwnProcess

Depends on:
Winmgmt, CryptSvc


The file nvgswmqjr.exe has been discovered within the following program.

CrimeWatch by Mathematical Applications
CrimeWatch (by Injekts Media, dba Mathematical Applications) is an ad-supported program that may deliver third-party advertisements in the form of coupons, price-comparisons, display media, affiliate links, banners, popups/popunders and other links through means including but not limited to the content of any web page accessed, plug-ins, add-ons, or the browser itself.
88% remove it
Powered by Should I Remove It?

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-54-76-91-10.eu-west-1.compute.amazonaws.com  (54.76.91.10:80)

TCP (HTTP):
Connects to ec2-54-246-181-97.eu-west-1.compute.amazonaws.com  (54.246.181.97:80)

TCP (HTTP):
Connects to ec2-52-16-174-255.eu-west-1.compute.amazonaws.com  (52.16.174.255:80)

TCP (HTTP):
Connects to ec2-54-171-43-206.eu-west-1.compute.amazonaws.com  (54.171.43.206:80)

TCP (HTTP):
Connects to ec2-54-171-226-204.eu-west-1.compute.amazonaws.com  (54.171.226.204:80)

TCP (HTTP):
Connects to ec2-52-16-46-192.eu-west-1.compute.amazonaws.com  (52.16.46.192:80)

Remove nvgswmqjr.exe - Powered by Reason Core Security