dsrlte.exe

Keep-My-Search LTD

The application dsrlte.exe by Keep-My-Search has been detected as adware by 12 anti-malware scanners. It is configured to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘Yahoo! Search’. This file is typically installed with the program Yahoo! Search by Pay-by-Ads Ltd, a potentially unwanted program. While running, it connects to the Internet address NY1WV3438 on port 80 using the HTTP protocol.
Publisher:
Keep-My-Search LTD  (signed and verified)

MD5:
058cbae5a6ffe4b61eab4957377d3d58

SHA-1:
998d802a1ead8048dacc2deabf6a8d1919d48d49

SHA-256:
e6f2020c2736c9036c5d4be8e2359456f1e20070ca9fa75b4391348de1aa49bf

Scanner detections:
12 / 68

Status:
Adware

Analysis date:
12/25/2024 5:05:59 PM UTC

Scan engine                    Detection                                                 Engine version
AVG                            Generic                                                   2016.0.2970
Bkav FE                        W32.HfsAdware                                             1.3.0.7237
Dr.Web                         Adware.Downware.12026                                     9.0.1.0274
ESET NOD32                     Win32/Toolbar.Montiera.L potentially unwanted (variant)   9.12332
F-Secure                       Application.OptiAds.A                                     11.2015-24-10_7
Kaspersky                      not-a-virus:Downloader.Win32.Montiera                     14.0.0.1345
Malwarebytes                   PUP.Optional.PayByAds                                     v2015.10.01.02
Microsoft Security Essentials  Adware:Win32/Bayads                                       1.1.12101.0
Panda Antivirus                PUP/PayByAds                                              15.10.01.02
Qihoo 360 Security             HEUR/QVM10.1.Malware.Gen                                  1.0.0.1015
Reason Heuristics              PUP.Montiera.KeepMySearch (M)                             15.10.1.2
VIPRE Antivirus                Trojan.Win32.Generic                                      44408

File size:
671.3 KB (687,360 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\pay-by-ads\yahoo! search\1.4.2.9\dsrlte.exe

Digital Signature
Authority:
DigiCert Inc

Valid from:
9/7/2014 8:00:00 PM

Valid to:
11/12/2015 7:00:00 AM

Subject:
CN=Keep-My-Search LTD, O=Keep-My-Search LTD, L=Tel Aviv, C=IL

Issuer:
CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
087407E453FFF7E46DB51873975E63CB

File PE Metadata
Compilation timestamp:
9/29/2015 12:10:16 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:v1AdS2lUKPwoNR6UDMvKmzFqjNxdzW4brTc/hNRpYOnFKPkZrCX+73RjrN0G1GWG:9tpFqhtcx+OFBZr73R90qo

Entry address:
0x56F3A

Entry point:
E8, 93, AE, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 8B, 45, 08, 33, C9, 3B, 04, CD, 58, 64, 49, 00, 74, 13, 41, 83, F9, 2D, 72, F1, 8D, 48, ED, 83, F9, 11, 77, 0E, 6A, 0D, 58, 5D, C3, 8B, 04, CD, 5C, 64, 49, 00, 5D, C3, 05, 44, FF, FF, FF, 6A, 0E, 59, 3B, C8, 1B, C0, 23, C1, 83, C0, 08, 5D, C3, E8, E5, 38, 00, 00, 85, C0, 75, 06, B8, C0, 65, 49, 00, C3, 83, C0, 08, C3, E8, D2, 38, 00, 00, 85, C0, 75, 06, B8, C4, 65, 49, 00, C3, 83, C0, 0C, C3, 8B, FF, 55, 8B, EC, 56, E8, E2, FF, FF, FF, 8B, 4D, 08...

Entropy:
6.3288

Code size:
477 KB (488,448 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Yahoo! Search

Command:
C:\users\{user}\appdata\local\pay-by-ads\yahoo! search\1.4.2.9\dsrlte.exe

The file dsrlte.exe has been discovered within the following program.

Yahoo! Search  by Pay-by-Ads Ltd
This is NOT associated with Yahoo. Pay-By-Ads' Yahoo! Search is an adware web browser application that displays banner ads as well as contextual link ads that are injected in the web page.
66% remove it

The executing file has been seen to make the following network communications in live environments.

