uninstall.webinternetsecurity.exe

Distributed by Adknowledge's installers (Optimum/Fusion/Tiny), this trojan adware proxies various web traffic and injects advertising in the browser. BrowserProtect was programmed by Danny Miller of Adknowledge. The software uses Fiddler, a web debugging proxy, to capture HTTP traffic and installs a root certificate named DO_NOT_TRUST_FiddlerRoot. The application uninstall.webinternetsecurity.exe has been detected as adware by 2 anti-malware scanners. This is a setup program which is used to install the application. It is set to start automatically when a user logs into Windows, via the current user Run registry key under the display name ‘WebInternetSecurity Update Task’. This is the uninstaller utility registered in the Windows Control Panel for the program WebInternetSecurity by Webinternetsecurity. This file is typically installed with the program WebInternetSecurity by Adknowledge, Inc., which is a potentially unwanted software program.
Version:
1.0.0.0

MD5:
294d8bf17879e177b92ab3c04233b892

SHA-1:
93c27a793edb72128dea1c4bdf1a7273479dfda7

SHA-256:
5ece39c2286346ed47c4b2de0ebb7e0887f65b0c9f561b395382ce7a424f829d

Scanner detections:
2 / 68

Status:
Adware

Explanation:
Part of an adware program delivered by Adknowledge that will modify the web browser's settings (preferred home page and default search settings) and install a local proxy to intercept and inject various forms of advertising.

Analysis date:
4/25/2024 12:40:10 AM UTC

Scan engine             Detection                            Engine version
Reason Heuristics       PUP.Webinternetsecurity.Startup.CC   14.5.8.14
Trend Micro House Call  TROJ_GEN.F47V0206                    7.2.135

File size:
3.4 MB (3,548,160 bytes)

Product version:
1.0.0.0

Original file name:
Installer.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\Documents and Settings\{user}\Application data\webinternetsecurity\uninstall.webinternetsecurity.exe

File PE Metadata
Compilation timestamp:
12/30/2013 9:12:23 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
49152:HqPMGzITJPwLJVcFb+qQMorF2i2C61fN8ABn1hZqVNWi0/4Y9BUCzyCzAxaB:GMG8NoLPchbNorolzffzhkwQYmaB

Entry address:
0x35B20A

Entry point:
FF, 25, 18, B2, 75, 00, 00, 00, 00, 00, 00, 00, 00, 00, EC, B1, 35, 00, 00, 00, 00, 00, 00, 00, 00, 00, A7, D3, C1, 52, 00, 00, 00, 00, 02, 00, 00, 00, 76, 00, 00, 00, 3C, B2, 35, 00, 3C, 94, 35, 00, 52, 53, 44, 53, 57, E3, 59, 27, 6B, 1A, ED, 45, AB, 71, CF, F9, A2, 67, 31, 0F, 01, 00, 00, 00, 43, 3A, 5C, 55, 73, 65, 72, 44, 61, 74, 61, 5C, 50, 72, 6F, 6A, 65, 63, 74, 73, 5C, 72, 64, 5C, 64, 73, 5C, 4F, 4F, 5C, 49, 6E, 73, 74, 61, 6C, 6C, 65, 72, 73, 5C, 57, 65, 62, 49, 6E, 74, 65, 72, 6E, 65, 74, 53, 65...
 

Code size:
3.3 MB (3,511,296 bytes)

Program Uninstaller
Program name:
WebInternetSecurity

Display publisher:
Webinternetsecurity

Uninstall string:
"C:\Program Files (x86)\Webinternetsecurity\uninstall.webinternetsecurity.exe" /u /UserID=398b2684-f6c4-4ff7-b3f6-20b6751c3d44 /SourceID=1875936-3134165 /ImplementationID=webinternetsecurity-dl


Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
WebInternetSecurity Update Task

Command:
"C:\Documents and Settings\{user}\Application data\webinternetsecurity\uninstall.webinternetsecurity.exe" \checkupdate=true


The file uninstall.webinternetsecurity.exe has been discovered within the following program.

WebInternetSecurity  by Adknowledge, Inc.
The Plugin is supported by third-party advertising, and when you download the Plugin you will see various types of advertisements displayed through your browser as you visit locations on the Internet.
webinternetsecurity.com/Legal/Terms
84% remove it
 
Powered by Should I Remove It?

The file uninstall.webinternetsecurity.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to ip-184-168-221-96.ip.secureserver.net  (184.168.221.96:80)
