dsrsetup.exe

PayByAds ltd.

The application dsrsetup.exe by PayByAds ltd. has been detected as adware by 29 of the 68 anti-malware scanners listed below. It runs as a scheduled task under the Windows Task Scheduler, triggered by a time event. The file is typically installed with the program Yahoo! Search by Pay-by-Ads Ltd, a potentially unwanted program that is not associated with Yahoo. While running, it connects over HTTP on port 80 to NY1WV3561 (the reverse-DNS name of 204.145.82.26, one of several hosts in that address block) and to the other addresses listed under network communications. The binary carries a code-signing signature issued by COMODO to PayByAds ltd.; a valid signature identifies the signer, it does not mean the file is benign.
Publisher:
Pay By Ads LTD  (signed by PayByAds ltd.)

Version:
1.3.0.0

MD5:
f69f826c0323da0c32e70f73d952f0ca

SHA-1:
489ae4c10a21a96b43a1b7fe9c9a4c411b890c9c

SHA-256:
0df768faeaabfd5f0b9e3d07a48bedae379b498db79202345074589c15538de8

Scanner detections:
29 / 68

Status:
Adware

Analysis date:
11/18/2024 9:19:24 PM UTC

Scan engine               Detection                               Engine version
Lavasoft Ad-Aware         Adware.PayByAds.A                       750
Agnitum Outpost           PUA.Toolbar.Montiera                    7.1.1
Avira AntiVirus           APPL/Montiera.bob                       7.11.201.138
AVG                       Paybyads                                2015.0.3357
Baidu Antivirus           Hacktool.Win32.Montiera                 4.0.3.15116
Bitdefender               Adware.PayByAds.A                       1.0.20.80
Bkav FE                   W32.HfsAdware                           1.3.0.6267
Comodo Security           UnclassifiedMalware                     20717
Emsisoft Anti-Malware     Adware.PayByAds                         8.15.01.16.01
ESET NOD32                Win32/Toolbar.Montiera                  9.11018
F-Secure                  Adware.PayByAds.A                       11.2015-16-01_6
G Data                    Adware.PayByAds                         15.1.24
K7 AntiVirus              Riskware                                13.191.14655
Kaspersky                 not-a-virus:Downloader.Win32.Montiera   15.0.0.494
Malwarebytes              PUP.Optional.PayByAds.A                 v2014.09.08.08
McAfee                    Artemis!F69F826C0323                    5600.6884
MicroWorld eScan          Adware.PayByAds.A                       16.0.0.48
nProtect                  Adware.PayByAds.A                       15.01.15.01
Panda Antivirus           Trj/CI.A                                15.01.16.01
Qihoo 360 Security        Trojan.Generic                          1.0.0.1015
Quick Heal                Downloader.Montiera.r5 (Not a Virus)    1.15.14.00
Reason Heuristics         PUP.Task.Montiera                       15.1.16.1
Sophos                    PayByAds                                4.98
Trend Micro House Call    ADW_TIERMON                             7.2.16
Trend Micro               ADW_TIERMON                             10.465.16
Vba32 AntiVirus           Downloader.Montiera                     3.12.26.3
VIPRE Antivirus           Trojan.Win32.Generic                    36680
ViRobot                   Adware.Agent.334696[h]                  2014.3.20.0
Zillya! Antivirus         Downloader.Montiera.Win32.7             2.0.0.2036

File size:
326.9 KB (334,696 bytes)

Copyright:
All rights reserved.

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\pay-by-ads\yahoo! search\1.3.12.4\dsrsetup.exe

Digital Signature
Signed by:
PayByAds ltd.
Authority:
COMODO CA Limited

Valid from:
7/27/2014 5:00:00 PM

Valid to:
7/28/2015 4:59:59 PM

Subject:
CN=PayByAds ltd., O=PayByAds ltd., STREET="Herbert Samuel, 46", L=Tel Aviv, S=Israel, PostalCode=6330303, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00CA9E6FD9AC89FBB9BC192CA9530A98F5

File PE Metadata
Compilation timestamp:
8/28/2014 7:02:05 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:LKl1C1EYiGc3FHQPoPZHN8My/yJq5FmTZ/KB2dl0NcU6w8:GlUWYZc1HQwPdN8j/Qq5FmTZ/KB0FU6L

Entry address:
0x29D60

Entry point:
E8, 41, 73, 00, 00, E9, 89, FE, FF, FF, B8, EB, 1B, 43, 00, A3, C0, 8F, 44, 00, C7, 05, C4, 8F, 44, 00, E1, 12, 43, 00, C7, 05, C8, 8F, 44, 00, 95, 12, 43, 00, C7, 05, CC, 8F, 44, 00, CE, 12, 43, 00, C7, 05, D0, 8F, 44, 00, 37, 12, 43, 00, A3, D4, 8F, 44, 00, C7, 05, D8, 8F, 44, 00, 63, 1B, 43, 00, C7, 05, DC, 8F, 44, 00, 53, 12, 43, 00, C7, 05, E0, 8F, 44, 00, B5, 11, 43, 00, C7, 05, E4, 8F, 44, 00, 41, 11, 43, 00, C3, 8B, FF, 55, 8B, EC, E8, 96, FF, FF, FF, 83, 7D, 08, 00, 74, 05, E8, 52, 7E, 00, 00, DB...

Entropy:
6.4467

Code size:
228.5 KB (233,984 bytes)
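The hashes, file size and entropy listed on this page are what an analyst uses to decide whether a file pulled from a host is this exact sample. The following Python is an added example (not code from this page or from PayByAds) that computes the same fields for a candidate file and compares them against the page's values; the indicator constants are copied from the page, and the bytes hashed in the demo are constructed, so they do not match.

```python
"""File-identity triage: hash a candidate file and compare it with the
indicators listed on this page (MD5, SHA-1, SHA-256, size) and compute
its entropy the way the page reports it.

Added example, not code from the page's publisher. Indicator values are
copied from the page; the sample bytes in the demo are constructed.
"""
import hashlib
import math
from collections import Counter

# Indicators copied from the page for dsrsetup.exe (PayByAds ltd.).
KNOWN = {
    "md5": "f69f826c0323da0c32e70f73d952f0ca",
    "sha1": "489ae4c10a21a96b43a1b7fe9c9a4c411b890c9c",
    "sha256": "0df768faeaabfd5f0b9e3d07a48bedae379b498db79202345074589c15538de8",
    "size": 334696,
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for one repeated value, 8.0 for a uniform
    distribution. Packed or encrypted payloads push a PE towards 7-8;
    this file's 6.4467 is in the range of a plain compiled Win32 binary."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def fingerprint(data: bytes) -> dict:
    """Compute the same identity fields the page lists for a candidate."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "entropy": round(shannon_entropy(data), 4),
    }


def compare(data: bytes, known: dict = KNOWN) -> dict:
    """Report which of the page's indicators the candidate matches.

    SHA-256 decides identity. An MD5 or SHA-1 match without a SHA-256 match
    would mean a collision and should be treated as suspicious in itself."""
    fp = fingerprint(data)
    hits = {key: fp[key] == value for key, value in known.items()}
    hits["identical"] = hits["sha256"]
    return hits


def triage_file(path: str) -> dict:
    """Hash a file on disk and compare it with the page's indicators."""
    with open(path, "rb") as fh:
        return compare(fh.read())


if __name__ == "__main__":
    # Constructed stand-in for a candidate file; it will not match.
    sample = b"MZ" + bytes(range(256)) * 4
    print(fingerprint(sample))
    print(compare(sample))
```

`triage_file(path)` is the on-disk form. The MD5 and SHA-1 values are still worth keeping alongside the SHA-256 because some scanner names are keyed on them: McAfee's Artemis!F69F826C0323 detection above is the first twelve hex digits of this file's MD5.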

Scheduled Task
Task name:
Yahoo! Search Udpater

Trigger:
Time (Next runs on 9/8/2014 at 5:10 PM)
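One way to hunt for this persistence on other hosts, as an added example (not the page's tooling): parse the output of `schtasks /query /fo CSV /v` and flag any task whose name, executable directory or executable name matches the indicators above. The column names "TaskName" and "Task To Run" are assumed from that command's verbose CSV output, and the CSV embedded below is constructed. The version directory (1.3.12.4 in the common path above) is deliberately not matched, since it changes between installs.

```python
"""Hunt for the persistence described above: a Task Scheduler entry that
launches dsrsetup.exe from the per-user pay-by-ads directory.

Added example, not tooling from the page's publisher. It reads the CSV that
`schtasks /query /fo CSV /v` prints on a Windows host; the column names
"TaskName" and "Task To Run" are assumed to match that output, and the
sample CSV below is constructed for demonstration.
"""
import csv
import io
import re

# Indicators copied from the page.
TASK_NAME = "Yahoo! Search Udpater"             # the typo is in the registered name
PATH_MARKER = "\\appdata\\local\\pay-by-ads\\"  # version directory after it varies
FILE_NAME = "dsrsetup.exe"

# Constructed sample in the shape of `schtasks /query /fo CSV /v` output,
# cut down to the columns used here. Rows 2 and 3 are the ones to catch.
SAMPLE_CSV = r'''"HostName","TaskName","Next Run Time","Status","Task To Run","Schedule Type"
"WS-01","\Microsoft\Windows\Defrag\ScheduledDefrag","9/8/2014 1:00:00 AM","Ready","%windir%\system32\defrag.exe -c","Weekly"
"WS-01","\Yahoo! Search Udpater","9/8/2014 5:10:00 PM","Ready","C:\users\alice\appdata\local\pay-by-ads\yahoo! search\1.3.12.4\dsrsetup.exe /update","One Time"
"WS-01","\Updater","9/9/2014 9:00:00 AM","Ready","C:\Users\bob\AppData\Local\Pay-by-Ads\Yahoo! Search\1.3.15.0\DSRSETUP.EXE","Daily"
"WS-01","\Adobe Acrobat Update Task","9/8/2014 3:00:00 AM","Ready","C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe","Daily"
'''

EXE_RE = re.compile(r'^"?(.*?\.exe)"?(?:\s|$)')


def executable_of(command):
    """Strip arguments and quotes from a 'Task To Run' value and return the
    executable path lower-cased (or the whole command if no .exe is found)."""
    m = EXE_RE.match(command.lower())
    return m.group(1) if m else command.lower()


def classify_task(row):
    """Return the indicators one task row matches (empty list = clean).
    The checks are independent, so a renamed task or a new version
    directory still trips the others."""
    name = row.get("TaskName", "").lstrip("\\")
    exe = executable_of(row.get("Task To Run", ""))
    reasons = []
    if name.lower() == TASK_NAME.lower():
        reasons.append("task name matches")
    if PATH_MARKER in exe:
        reasons.append("runs from pay-by-ads directory")
    if exe.rsplit("\\", 1)[-1] == FILE_NAME:
        reasons.append("runs dsrsetup.exe")
    return reasons


def hunt(csv_text):
    """Parse schtasks CSV text and return suspicious rows with their reasons.
    schtasks may repeat the header line between task folders; such rows
    are skipped rather than classified."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("TaskName") == "TaskName":
            continue
        reasons = classify_task(row)
        if reasons:
            hits.append({"task": row["TaskName"],
                         "command": row["Task To Run"],
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_CSV):
        print(hit)
```

On a live host, run `schtasks /query /fo CSV /v > tasks.csv` and feed the file's contents to `hunt()`; a hit on the directory or executable name without the task name is the case to expect when the adware has been re-registered under a different task name.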


The file dsrsetup.exe has been discovered within the following program.

Yahoo! Search  by Pay-by-Ads Ltd
This is NOT associated with Yahoo. Pay-By-Ads' Yahoo! Search is an adware web browser application that displays banner ads as well as contextual link ads injected into the web pages the user visits.
66% of users remove it
 
Powered by Should I Remove It?

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to c4.3e.559e.ip4.static.sl-reverse.com  (158.85.62.196:80)

TCP (HTTP):
Connects to ec2-52-45-84-141.compute-1.amazonaws.com  (52.45.84.141:80)

TCP (HTTP):
Connects to ec2-54-210-36-181.compute-1.amazonaws.com  (54.210.36.181:80)

TCP (HTTP):
Connects to e1.ttms.eu  (46.105.156.67:80)

TCP (HTTP):
Connects to 131.subnet180-250-66.speedy.telkom.net.id  (180.250.66.131:80)

TCP (HTTP):
Connects to NY1WV3561  (204.145.82.26:80)

TCP (HTTP):
Connects to ny1wv3280.xglobe.net  (204.145.82.20:80)

TCP (HTTP):
Connects to ec2-52-52-204-82.us-west-1.compute.amazonaws.com  (52.52.204.82:80)

TCP (HTTP):
Connects to 63.db.0cd8.ip4.static.sl-reverse.com  (216.12.219.99:80)

TCP (HTTP):
Connects to xx-fbcdn-shv-01-sin6.fbcdn.net  (157.240.7.26:80)

TCP (HTTP):
Connects to NY1WV3659  (204.145.82.27:80)

TCP (HTTP):
Connects to NY1WV3438  (204.145.82.24:80)

TCP (HTTP):
Connects to server-54-192-210-240.mnl50.r.cloudfront.net  (54.192.210.240:80)

TCP (HTTP):
Connects to a104-105-28-250.deploy.static.akamaitechnologies.com  (104.105.28.250:80)

TCP (HTTP):
Connects to 133.54.211.130.bc.googleusercontent.com  (130.211.54.133:80)

TCP (HTTP):
Connects to tardis-dpc3.omtrdc.net  (66.117.21.243:80)

TCP (HTTP SSL):
Connects to server-54-230-150-15.sin2.r.cloudfront.net  (54.230.150.15:443)

TCP (HTTP):
Connects to server-54-192-230-103.waw50.r.cloudfront.net  (54.192.230.103:80)
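The endpoint list above mixes dedicated hosts (the 204.145.82.x machines behind the NY1WV names and xglobe.net, the static.sl-reverse.com addresses, e1.ttms.eu) with shared cloud, CDN and analytics infrastructure whose IPs serve many tenants and would flood an alert rule with false positives. The following Python is an added example (not from this page or its publisher) that parses the list as printed here, assigns each IP a confidence from its reverse-DNS suffix, notes the /24 cluster, and runs the result over proxy log lines. The shared-suffix list is this example's own assumption, and the log lines are constructed.

```python
"""Turn the page's network-communications list into indicators and match
them against proxy log lines.

Added example, not from the page's publisher. The endpoint lines are copied
from the page; the shared-infrastructure suffix list is an assumption of
this example; the log lines are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Endpoint lines copied from the page ("Connects to host (ip:port)").
PAGE_ENDPOINTS = """\
c4.3e.559e.ip4.static.sl-reverse.com (158.85.62.196:80)
ec2-52-45-84-141.compute-1.amazonaws.com (52.45.84.141:80)
ec2-54-210-36-181.compute-1.amazonaws.com (54.210.36.181:80)
e1.ttms.eu (46.105.156.67:80)
131.subnet180-250-66.speedy.telkom.net.id (180.250.66.131:80)
NY1WV3561 (204.145.82.26:80)
ny1wv3280.xglobe.net (204.145.82.20:80)
ec2-52-52-204-82.us-west-1.compute.amazonaws.com (52.52.204.82:80)
63.db.0cd8.ip4.static.sl-reverse.com (216.12.219.99:80)
xx-fbcdn-shv-01-sin6.fbcdn.net (157.240.7.26:80)
NY1WV3659 (204.145.82.27:80)
NY1WV3438 (204.145.82.24:80)
server-54-192-210-240.mnl50.r.cloudfront.net (54.192.210.240:80)
a104-105-28-250.deploy.static.akamaitechnologies.com (104.105.28.250:80)
133.54.211.130.bc.googleusercontent.com (130.211.54.133:80)
tardis-dpc3.omtrdc.net (66.117.21.243:80)
server-54-230-150-15.sin2.r.cloudfront.net (54.230.150.15:443)
server-54-192-230-103.waw50.r.cloudfront.net (54.192.230.103:80)
"""

# Assumption of this example: reverse-DNS suffixes of shared cloud, CDN and
# analytics infrastructure. An IP there is reused by many tenants, so a
# match is a weak indicator on its own.
SHARED_SUFFIXES = ("amazonaws.com", "cloudfront.net", "akamaitechnologies.com",
                   "fbcdn.net", "googleusercontent.com", "omtrdc.net")

ENDPOINT_RE = re.compile(r"^(\S+)\s+\((\d+\.\d+\.\d+\.\d+):(\d+)\)$")
# Constructed log format: "<timestamp> <src_ip> <dst_ip>:<dst_port>".
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+):(\d+)")


def parse_endpoints(text):
    """Return [(rdns_name, ip, port)] from lines in the page's format."""
    out = []
    for line in text.splitlines():
        m = ENDPOINT_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2), int(m.group(3))))
    return out


def is_shared(rdns):
    return rdns.lower().endswith(SHARED_SUFFIXES)


def build_iocs(endpoints):
    """Map IP -> (rdns, confidence). Dedicated hosts are 'high'; shared
    infrastructure is 'low' and should only alert with corroboration."""
    return {ip: (rdns, "low" if is_shared(rdns) else "high")
            for rdns, ip, _port in endpoints}


def cluster_by_24(endpoints, min_size=3):
    """Group IPs by /24. Several dedicated hosts in one block (here the
    NY1WV/xglobe machines in 204.145.82.0/24) justify a block-level rule."""
    groups = defaultdict(list)
    for _rdns, ip, _port in endpoints:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        groups[str(net)].append(ip)
    return {net: sorted(ips) for net, ips in groups.items() if len(ips) >= min_size}


def match_logs(log_lines, iocs):
    """Return one hit per log line whose destination IP is an indicator."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group(3) in iocs:
            rdns, confidence = iocs[m.group(3)]
            hits.append({"src": m.group(2), "dst": m.group(3),
                         "rdns": rdns, "confidence": confidence})
    return hits


# Constructed proxy log lines; 203.0.113.10 is a documentation address.
SAMPLE_LOG = [
    "2024-11-18T21:19:24Z 10.0.0.5 204.145.82.26:80",
    "2024-11-18T21:19:25Z 10.0.0.5 54.192.210.240:80",
    "2024-11-18T21:19:26Z 10.0.0.7 203.0.113.10:443",
    "2024-11-18T21:19:27Z 10.0.0.9 46.105.156.67:80",
]

if __name__ == "__main__":
    endpoints = parse_endpoints(PAGE_ENDPOINTS)
    print(cluster_by_24(endpoints))
    for hit in match_logs(SAMPLE_LOG, build_iocs(endpoints)):
        print(hit)
```

A high-confidence hit is worth an alert on its own; a low-confidence one (a CloudFront or EC2 address) should be combined with a host-side signal such as the scheduled task or the file hash before anyone is paged, and the IPs on this page date from the analysis, so cloud addresses in particular will have been reassigned.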

Powered by Reason Core Security