AntiToolbar.exe

AntiToolbar

Reimage LTD

The application AntiToolbar.exe (“AntiToolbar Downloader”, published by Reimage LTD) is flagged as a potentially unwanted program by 5 of 68 anti-malware scanners. It is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer. Once installed, the software displays context-specific advertisements in the browser and attempts to change the browser's search provider. The file has been seen being downloaded from cdn.anti-toolbar.com.
Publisher:
Reimage® (signed by Reimage LTD)

Product:
AntiToolbar

Description:
AntiToolbar Downloader

Version:
1.009

MD5:
2a428605c1e196e35e2f1ba74f3b00dd

SHA-1:
82eb43d1b2271b124e2083991a8cfb50493fa4b8

SHA-256:
61bf38326348da3e352c293b749f55db998b1ae327b830ffd6fdb82cdb8088cf

Scanner detections:
5 / 68

Status:
Potentially unwanted

Explanation:
The installer may include an offer for the Babylon Toolbar (a homepage/search hijacker), which is potentially installed with minimal user consent.

Analysis date:
12/27/2024 5:04:30 PM UTC

Scan engine             Detection                                  Engine version
Dr.Web                  Adware.Plugin.171                          9.0.1.0242
herdProtect (fuzzy)     (no detection name listed)                 2015.8.30.0
NANO AntiVirus          Riskware.Nsis.Babylon.cvvuwk               0.28.0.59608
Reason Heuristics       PUP.Reimage.Optional.Installer.Meta (L)    15.7.27.13
Trend Micro House Call  TROJ_GEN.F47V0501                          7.2.242

File size:
659.9 KB (675,744 bytes)

Product version:
1.009

Copyright:
© Reimage 2013

Original file name:
AntiToolbar.exe

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\antitoolbar.exe

Digital Signature
Signed by:
Reimage LTD

Authority:
Symantec Corporation

Valid from:
7/2/2015 9:00:00 PM

Valid to:
7/1/2016 8:59:59 PM

Note: the certificate had expired well before the analysis date, so Windows will only still treat the signature as valid if it carries a timestamp countersignature made while the certificate was valid; this listing does not show whether one is present.

Subject:
CN=Reimage LTD, OU=-, O=Reimage LTD, L=Nicosia, S=Nicosia, C=CY

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
6988C02FBD89DC8085934C775596A221

File PE Metadata
Compilation timestamp:
12/5/2009 8:50:52 PM

Note: NSIS installers carry the PE timestamp of the prebuilt NSIS stub, not of the run that packaged them, so a 2009 date on a file copyrighted 2013 and signed in 2015 is expected and is not by itself a sign of tampering.

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:Lo0dVF+ZPPfnEUnsEWfXsbKop0xBlf+MO0gcCre50ET3cfE/Ky0jXTkqeVOJgL:LlklvANcODX0EwfE/i6VO6

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)
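As an added example (not code from this page or from Reimage), the following stand-alone Python script extracts the fields shown in the File PE Metadata section above (compile timestamp, OS version, subsystem, linker version, code size, entry address and the first bytes at the entry point) from a PE32 file, and computes the MD5, SHA-1 and SHA-256 so a downloaded sample can be checked against the hashes in this listing. It uses only the standard library. With no arguments it runs offline against a minimal PE image returned by build_sample_pe(), which is constructed here with the listing's header values and first 16 entry-point bytes and is not the real AntiToolbar.exe; the hash constants are copied from the listing, and the script file name pe_meta.py is an assumption.

```python
import hashlib
import struct
import sys
from datetime import datetime, timezone

# Hash values copied from the listing above; used only to compare a real sample.
LISTED_HASHES = {
    "md5": "2a428605c1e196e35e2f1ba74f3b00dd",
    "sha1": "82eb43d1b2271b124e2083991a8cfb50493fa4b8",
    "sha256": "61bf38326348da3e352c293b749f55db998b1ae327b830ffd6fdb82cdb8088cf",
}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset via the section table."""
    for _name, vaddr, vsize, rawptr, rawsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rawptr + (rva - vaddr)
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def parse_pe(data, entry_len=16):
    """Return the PE-header fields this listing reports, for a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # 20-byte COFF file header
    machine, nsect, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                           # optional header starts after COFF header
    magic, lnk_major, lnk_minor, code_size = struct.unpack_from("<HBBI", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (Win32) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    sections = []
    for i in range(nsect):                    # section table follows the optional header
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, vaddr, vsize, rawptr, rawsize))
    entry_off = rva_to_offset(sections, entry_rva)
    when = datetime.fromtimestamp(ts, tz=timezone.utc)
    return {
        "machine": "Win32" if machine == 0x14C else f"{machine:#x}",
        "compile_timestamp": when.strftime("%Y-%m-%d %H:%M:%S UTC"),
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "linker_version": f"{lnk_major}.{lnk_minor}",
        "code_size": code_size,
        "entry_rva": entry_rva,
        "entry_bytes": ", ".join(f"{b:02X}" for b in data[entry_off:entry_off + entry_len]),
        "sections": [s[0] for s in sections],
    }


def fingerprint(data):
    """File size and the three hashes the listing reports, as lowercase hex."""
    return {"size": len(data), "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def matches_listing(data):
    """True only if every hash in the listing matches the given bytes."""
    fp = fingerprint(data)
    return all(fp[k] == v for k, v in LISTED_HASHES.items())


def build_sample_pe():
    """Constructed minimal PE32 image (not the real file): one .text section at
    RVA 0x1000, with the listing's first 16 entry-point bytes placed at RVA 0x30FA."""
    entry_bytes = bytes.fromhex("81EC8001000053555633DB57895C2418")
    ts = int(datetime(2009, 12, 5, 20, 50, 52, tzinfo=timezone.utc).timestamp())
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                 # e_lfanew -> PE header
    opt = bytearray(224)                                         # PE32 optional header
    struct.pack_into("<HBBI", opt, 0, 0x10B, 6, 0, 24064)        # magic, linker 6.0, SizeOfCode
    struct.pack_into("<I", opt, 16, 0x30FA)                      # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)   # ImageBase, alignments
    struct.pack_into("<HH", opt, 40, 4, 0)                       # OS version 4.0
    struct.pack_into("<H", opt, 68, 2)                           # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, len(opt), 0x010F)
    text = bytearray(24064)
    text[0x30FA - 0x1000:0x30FA - 0x1000 + 16] = entry_bytes
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), 0x200,
                       0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(0x200, b"\0")
    return headers + bytes(text)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in {**fingerprint(data), **parse_pe(data)}.items():
        print(f"{key:>18}: {value}")
    print(f"   matches listing: {matches_listing(data)}")
```

Run it as `python pe_meta.py AntiToolbar.exe` against a real download: the hashes must all match before any of the other fields are worth comparing, since a different build of the downloader will have different entry bytes and code size while keeping the same NSIS stub timestamp.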

The file AntiToolbar.exe has been seen being distributed from cdn.anti-toolbar.com.
