bestremovaltool_setup.exe

Best Removal Tool

Guangxi Nanning Qiwang Co. Ltd.

The application bestremovaltool_setup.exe, "Best Removal Tool Setup" by Guangxi Nanning Qiwang Co. Ltd., has been detected as a potentially unwanted program by 2 anti-malware scanners. The program is a setup application built with the Inno Setup installer. It is typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from www.googleadservices.com and multiple other hosts.
Publisher:
www.bestremovaltool.com (signed by Guangxi Nanning Qiwang Co. Ltd.)

Product:
Best Removal Tool

Description:
Best Removal Tool Setup

Version:
6.3.3.9

MD5:
c3e983189e289e28ba49d1c3be9e75b7

SHA-1:
876cdd795a161ae3bed309079f69dc205ef9fb58

SHA-256:
ecd741bf70c2015ad050eae4de9ac06037e9393f9da08fc32a8d965590383c28

Scanner detections:
2 / 68

Status:
Potentially unwanted

Analysis date:
11/15/2024 8:37:46 PM UTC

Scan engine | Detection | Engine version
ESET NOD32 | Win32/PerfectUninstaller (variant) | 8.9383
Reason Heuristics | Adware.Installer.GuangxiNanningQiwangCo.V | 14.2.5.9

File size:
3.2 MB (3,372,904 bytes)

Product version:
6.3.3.9

Copyright:
Copyright (C) 2006-2012 Best Removal Tool, Inc.

File type:
Executable application (Win32 EXE)

Installer:
Inno Setup

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\bestremovaltool_setup.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
6/29/2011 2:00:00 AM

Valid to:
6/29/2014 1:59:59 AM

Subject:
CN=Guangxi Nanning Qiwang Co. Ltd., OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Guangxi Nanning Qiwang Co. Ltd., L=Nanning, S=Guangxi, C=CN

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
058EFD81CFC178B930CAA249710DE3B1

File PE Metadata
Compilation timestamp:
6/20/1992 12:22:17 AM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
98304:aJtRhC4NPfbFsfoaI5HWtY3W8HO1ufqekG:IeGRFaIhvdHquix

Entry address:
0x9A58

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 6E, 96, FF, FF, E8, 75, A8, FF, FF, E8, A0, CA, FF, FF, E8, E7, CA, FF, FF, E8, 0E, F3, FF, FF, E8, 75, F4, FF, FF, 33, C0, 55, 68, 0B, A1, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, D4, A0, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 9B, FE, FF, FF, E8, 02, FA, FF, FF, 8D, 55, F0, 33, C0, E8, AC, D0, FF, FF, 8B, 55, F0, B8, E4, CD, 40, 00, E8, 1F, 97, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, E4, CD, 40, 00, B2, 01, B8...

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
36.5 KB (37,376 bytes)

The file bestremovaltool_setup.exe has been seen being distributed by the following 5 URLs.

http://www.googleadservices.com/pagead/aclk?sa=L&ai=Cq4bQVxWgVoD6OJfubozzh6gG8Z_6jwLx0a-eQ53uy6YCEAIg3MiqIygCYNW12IL8CKAB_4zP4APIAQHIAxuqBCRP0NvZAHtcK1Eo2V4IIKo3G3PG1HIjFMA8Sk7HbE2pFq5ndI2IBgHSBgsQseFZGNnD6wQoAYAH6fKwH5AHAagHpr4b2AcB&num=2&ohost=www.google.com&cid=CAASJORo59Bqdz4efFGdKad9NmuRuhfLzV3hq7Hx6u5lR7CZ3W1rWg&sig=AOD64_17sZUIWJL0Oli8k5jrj5oMw_efdA&adurl=http://cdn.bestremovaltool.com/BestRemovalTool_Setup.exe&ctype=4&clui=3&nb=6&res_url=http://sourceforge.net/directory/os:windows/?q=revounistaller&rurl=http://sourceforge.net/projects/.../?source=typ_redirect&nm=15&nx=53&ny=10&is=613x195&clkt=119

http://www.googleadservices.com/.../aclk?sa=L&ai=DChcSEwigvryPoYzOAhVhsdsKHRRUCTIYABAC&ohost=www.google.co.za&cid=CAESIuD2necajBnBzRZ5ZGezmWUawAZjBH3IxqdrcnsuNLtCO9k&sig=AOD64_0IwhcLRpJmKSvyDglEH1D1L28Yug&ctype=4&q=&ved=0ahUKEwj37biPoYzOAhXGBsAKHfgaCFIQpigIIygB&adurl=
