home

setup.exe

GoHD

City Road labs (Extreme White Limited)

The application setup.exe by City Road labs (Extreme White Limited) has been detected as adware by 24 anti-malware scanners. The program is a setup application that uses the Nullsoft Install System installer. It is built using the Crossrider cross-browser extension platform. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from dl.ourinputinfonet.com and multiple other hosts.
Publisher:
InstallMoon  (signed by City Road labs (Extreme White Limited))

Product:
GoHD

Description:
GoHD Installer

Version:
1.36.01.22

MD5:
a36c37d636b5903655518f7aaff18a65

SHA-1:
55edba18acf162eb7bc7f0c4a620e4da3c52c002

SHA-256:
79e6a54a03501494458cf4992c9bdf356ca996b41b02c1d89d0761d1d4b368cd

Scanner detections:
24 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
6/29/2025 5:51:08 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Adware.Generic.1249134
469

Agnitum Outpost
Riskware.ScrambleWrapper
7.1.1

AhnLab V3 Security
PUP/Win32.CrossRider
2015.07.14

Avira AntiVirus
ADWARE/CrossRider.Gen7
8.3.1.6

avast!
Win32:ScrambleWrapper-A [PUP]
2014.9-151023

AVG
AdLoad
2016.0.2947

Bkav FE
W32.HfsAdware
1.3.0.6979

Clam AntiVirus
Win.Trojan.Crossrider-36
0.98/21511

Dr.Web
Trojan.Crossrider1.42769
9.0.1.0296

ESET NOD32
Win32/Packed.ScrambleWrapper.O potentially unwanted application
9.7.0.302.0

Fortinet FortiGate
PossibleThreat
10/23/2015

G Data
Win32.Adware.CrossriderWrapper
15.10.25

IKARUS anti.virus
PUA.ScrambleWrapper
t3scan.1.9.5.0

K7 AntiVirus
Adware
13.205.16213

Malwarebytes
PUP.Optional.GoHD.A
v2015.10.23.06

McAfee
Artemis!CD9EC9BA8523
5600.6603

MicroWorld eScan
Adware.Generic.1238912
16.0.0.888

NANO AntiVirus
Trojan.Win32.MLW.dpnylv
0.30.24.2487

Panda Antivirus
Generic Suspicious
15.10.23.06

Reason Heuristics
PUP.ExtremeWhite.CityRoadlabsExtremeWhiteLimited.Installer (M)
15.10.23.18

Rising Antivirus
PE:Malware.Adwapper!6.25A8
23.00.65.151021

Trend Micro House Call
Suspici.CF2FA188
7.2.296

Vba32 AntiVirus
Trojan.GoogUpdate
3.12.26.4

VIPRE Antivirus
Trojan.Win32.Generic
40082

File size:
11.2 MB (11,737,400 bytes)

Copyright:
Copyright InstallMoon

File type:
Executable application (Win32 EXE)

Installer:
Nullsoft Install System

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\setup.exe

Digital Signature
Signed by:
City Road labs (Extreme White Limited)

Authority:
COMODO CA Limited

Valid from:
4/15/2015 1:00:00 AM

Valid to:
4/15/2016 12:59:59 AM

Subject:
CN=City Road labs (Extreme White Limited), O=City Road labs (Extreme White Limited), STREET=Tassou Papadopulu 6 (flat/office 22), L=Nicosia, S=Agios Dometios, PostalCode=2373, C=CY

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00AE3B988EFE11AFE67F31C19E83D194B6

File PE Metadata
Compilation timestamp:
12/4/2012 1:55:11 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.22

CTPH (ssdeep):
196608:pPWVPKVNsHKbe4Qkzd6HBE7vWq7V+sjQQx3q2nkMDzsWoEmkEK25u/5jWkf3C:puVP+sHYeRkkSmNy1DgLkD25upWkfS

Entry address:
0x412D

Entry point:
55, 89, E5, 57, 56, 53, 81, EC, AC, 01, 00, 00, FF, 15, 74, 73, 45, 00, C7, 04, 24, 01, 80, 00, 00, FF, 15, 58, 74, 45, 00, 53, C7, 04, 24, 00, 00, 00, 00, FF, 15, 98, 74, 45, 00, 56, A3, F4, E7, 44, 00, C7, 04, 24, 08, 00, 00, 00, E8, 8B, 3B, 00, 00, A3, 50, E8, 44, 00, 8D, 85, 84, FE, FF, FF, 57, C7, 44, 24, 10, 00, 00, 00, 00, C7, 44, 24, 0C, 60, 01, 00, 00, 89, 44, 24, 08, C7, 44, 24, 04, 00, 00, 00, 00, C7, 04, 24, A9, B2, 40, 00, FF, 15, AC, 74, 45, 00, 83, EC, 14, C7, 44, 24, 04, AA, B2, 40, 00, C7...
 
[+]

Code size:
33.5 KB (34,304 bytes)

The file setup.exe has been seen being distributed by the following 2 URLs.

http://dl.ourinputinfonet.com/monti/llyun/.../setup.exe

http://d1jpj265kni4hm.cloudfront.net/setup.exe

Remove setup.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.