updater36928.exe

hosts2

DownLite

The application updater36928.exe has been detected as a potentially unwanted program by 19 of the 68 anti-malware scanners listed below. It is launched by a scheduled task registered in the Windows Task Scheduler with a time-based trigger. This web browser add-on displays additional advertisements in the user's browser, including pop-ups, banners, contextual hyperlinks and affiliate links. While running, it connects over HTTP (port 80) to geoplugin.net, among the other hosts listed under network communications below.
Publisher:
DownLite

Product:
hosts2

Description:
hosts2 exe

Version:
1000.1000.1000.1000

MD5:
29679d5999112bfbf0144fa53345b28e

SHA-1:
816d7ed0002a141bf9c4a4da779bbe5ea3ebff18

SHA-256:
096f5d2dc99e4bfad057040cad58973151aec8d9c0bcaf6dff8a11200522ef5c

Scanner detections:
19 / 68

Status:
Potentially unwanted

Explanation:
Browser extension that injects additional advertisements (banner and text links) on web pages.

Analysis date:
4/25/2024 7:22:58 PM UTC

Scan engine               | Detection                            | Engine version
Lavasoft Ad-Aware         | Adware.Generic.667261                | 857
AegisLab AV Signature     | Troj.W32.Gen                         | 2.1.4+
avast!                    | Win32:Installer-M [Adw]              | 2014.9-140930
Baidu Antivirus           | Adware.Win32.CrossRider              | 4.0.3.131229
Bitdefender               | Adware.Generic.667261                | 1.0.20.1365
Bkav FE                   | W32.Clod944.Trojan                   | 1.3.0.4613
Dr.Web                    | Adware.Downware.1306                 | 9.0.1.0363
Emsisoft Anti-Malware     | Adware.Generic.667261                | 8.14.09.30.04
ESET NOD32                | Win32/Toolbar.CrossRider (variant)   | 7.9284
F-Secure                  | Adware.Generic.667261                | 11.2014-30-09_3
G Data                    | Adware.Generic.667261                | 14.9.24
K7 AntiVirus              | Unwanted-Program                     | 13.175.11046
Malwarebytes              | PUP.Optional.SolidSavings.A          | v2014.09.30.04
McAfee                    | Artemis!29679D599911                 | 5600.7267
MicroWorld eScan          | Adware.Generic.667261                | 15.0.0.819
Reason Heuristics         | Threat.Win.Reputation.IMP            | 14.9.30.16
Sophos                    | AppRider                             | 4.97
Trend Micro House Call    | TROJ_GEN.F47V0715                    | 7.2.363
VIPRE Antivirus           | GamePlayLabs                         | 26106

File size:
204.5 KB (209,408 bytes)

Product version:
1000.1000.1000.1000

Copyright:
Copyright 2011

Original file name:
hosts2.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\updater36928\updater36928.exe

File PE Metadata
Compilation timestamp:
6/18/2013 5:17:18 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
3072:60tGEYq1/nCPEWf2shob9lJqWm8Yy1zvkQr6S0WnAG/y9C:Ptzh1/nCM82+4JHPFzvkQr36U

Entry address:
0x16271

Entry point:
E8, 95, 83, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 8B, 45, 08, 85, C0, 74, 12, 83, E8, 08, 81, 38, DD, DD, 00, 00, 75, 07, 50, E8, 22, E2, FF, FF, 59, 5D, C3, 8B, FF, 55, 8B, EC, 83, EC, 10, A1, 20, 36, 43, 00, 33, C5, 89, 45, FC, 8B, 55, 18, 53, 33, DB, 56, 57, 3B, D3, 7E, 1F, 8B, 45, 14, 8B, CA, 49, 38, 18, 74, 08, 40, 3B, CB, 75, F6, 83, C9, FF, 8B, C2, 2B, C1, 48, 3B, C2, 7D, 01, 40, 89, 45, 18, 89, 5D, F8, 39, 5D, 24, 75, 0B, 8B, 45, 08, 8B, 00, 8B, 40, 04, 89, 45, 24, 8B, 35, 70, A0, 42, 00...

Code size:
160.5 KB (164,352 bytes)

Scheduled Task
Task name:
Updater36928.exe

Trigger:
Time (next run on 2013.12.29 at 13:20)

Action:
updater36928.exe \extensionid=36928 \extensionname="hosts2" \chrome


The executable has been observed making the following network connections in live environments.

TCP (HTTP):
Connects to tlb.hwcdn.net  (69.16.175.10:80)

TCP (HTTP):
Connects to s3-website-us-east-1.amazonaws.com  (176.32.99.123:80)

TCP (HTTP):
Connects to hwcdn.net  (69.16.175.42:80)

TCP (HTTP):
Connects to geoplugin.net  (178.237.36.10:80)
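The hashes, common path, scheduled task and network destinations above are all usable as host and proxy indicators. The Python script below is an added example, not part of this report or of Reason Core Security's tooling: it transcribes those indicators and runs them over constructed sample data. The 'task name,action' export lines and the proxy-style log lines are assumptions made for illustration, as is the filename-independent path matcher; the Artemis check relies on McAfee's convention of embedding the first 12 hex digits of the MD5 in the detection name.

```python
import hashlib
import re

# Indicators transcribed from the scan report above.
IOC_HASHES = {
    "md5": "29679d5999112bfbf0144fa53345b28e",
    "sha1": "816d7ed0002a141bf9c4a4da779bbe5ea3ebff18",
    "sha256": "096f5d2dc99e4bfad057040cad58973151aec8d9c0bcaf6dff8a11200522ef5c",
}
IOC_COMMON_PATH = r"C:\users\{user}\appdata\local\updater36928\updater36928.exe"
IOC_TASK_NAME = "Updater36928.exe"
IOC_TASK_ARG = "extensionid=36928"
IOC_NETWORK = {  # host -> IP as observed in the report
    "tlb.hwcdn.net": "69.16.175.10",
    "s3-website-us-east-1.amazonaws.com": "176.32.99.123",
    "hwcdn.net": "69.16.175.42",
    "geoplugin.net": "178.237.36.10",
}

# Constructed sample data (not from the report): 'task name,action' lines
# and proxy-style log lines, so the checks below run offline.
SAMPLE_TASKS = [
    r'Updater36928.exe,C:\Users\alice\AppData\Local\updater36928\updater36928.exe \extensionid=36928 \extensionname="hosts2" \chrome',
    r"NightlyBackup,C:\Tools\backup.exe --quiet",
]
SAMPLE_LOG = [
    "2013-12-29T13:20:05Z 10.0.0.5 GET http://geoplugin.net/json.gp 200",
    "2013-12-29T13:20:07Z 10.0.0.5 CONNECT 69.16.175.10:80 200",
    "2013-12-29T13:20:09Z 10.0.0.5 GET http://www.example.com/ 200",
]


def path_regex(common_path):
    """Turn the report's '{user}' placeholder path into a case-insensitive
    regex matching the same location under any profile name."""
    parts = [re.escape(p) for p in common_path.split("{user}")]
    return re.compile("^" + r"[^\\]+".join(parts) + "$", re.IGNORECASE)


def matches_common_path(path):
    return bool(path_regex(IOC_COMMON_PATH).match(path))


def hash_verdict(data):
    """Compare file content against all three report hashes. A SHA-256 match
    is conclusive; MD5 and SHA-1 are kept only to cross-check older feeds."""
    digests = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    return {k: digests[k] == v.lower() for k, v in IOC_HASHES.items()}


def artemis_name(md5_hex):
    """McAfee Artemis (GTI) names carry the first 12 hex digits of the MD5,
    so the report's 'Artemis!29679D599911' can be verified from its MD5."""
    return "Artemis!" + md5_hex[:12].upper()


def suspicious_tasks(csv_lines):
    """Match on the task name (case-insensitively: the task is registered as
    'Updater36928.exe' for a lowercase file) or on the extension id argument."""
    hits = []
    for line in csv_lines:
        name, _, action = line.partition(",")
        if name.strip().lower() == IOC_TASK_NAME.lower() or IOC_TASK_ARG in action.lower():
            hits.append(name.strip())
    return hits


def suspicious_connections(log_lines):
    """Token-exact match on host or IP, so 69.16.175.10 does not also fire
    on 69.16.175.100. Returns (matched host, log line) pairs."""
    hits = []
    for line in log_lines:
        tokens = set(re.split(r"[\s:/]+", line.lower()))
        for host, ip in IOC_NETWORK.items():
            if host in tokens or ip in tokens:
                hits.append((host, line.strip()))
                break
    return hits


if __name__ == "__main__":
    print("artemis from md5:", artemis_name(IOC_HASHES["md5"]))
    print("task hits:", suspicious_tasks(SAMPLE_TASKS))
    print("network hits:", [h for h, _ in suspicious_connections(SAMPLE_LOG)])
    print("hash verdict on dummy bytes:", hash_verdict(b"constructed, not the sample"))
```

Two caveats when using these indicators for hunting. First, the vendor names disagree on the family (CrossRider, SolidSavings, GamePlayLabs, generic adware), and the McAfee name is derived from the hash rather than from behaviour, so treat the SHA-256, the scheduled task and the install path as the reliable indicators and the detection names as labels. Second, three of the four destinations are shared infrastructure (a CDN, an S3 website endpoint and a public geolocation API), so a network hit on its own is weak evidence and should be corroborated by the task or the file on the host.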

Remove updater36928.exe - Powered by Reason Core Security