eGdpSvc.exe

Wsys Control

Banyan Tree Technology Limited

The application eGdpSvc.exe, “Wsys Control 10.2.1.2612” by Banyan Tree Technology Limited, has been detected as adware by 30 anti-malware scanners. It is a setup program used to install the application. It runs as a Windows service named “Wsys Service” in the context of its own process. The file is typically installed with DProtect by DProtect Lab, a potentially unwanted software program. It is an adware bundler (also known as ElexNetDownload) that includes additional unwanted offers in the download and install process. During installation it connects to twonext.com and xingcloud.com to determine which offers to show the user, based on what is already installed and where the user lives.
Publisher:
Wsys Co., Ltd. (signed by Banyan Tree Technology Limited)

Product:
Wsys Control

Description:
Wsys Control 10.2.1.2612

Version:
10.2.1.2612

MD5:
6ff3cfb85b18c032af8f242498dfc8d9

SHA-1:
e7cf4aeaad0373ad0c421f7767f428d78d826dd7

SHA-256:
40cbe211d1058cbb5af43186ad83f8af9855314d6e4e2e71d5ceb8d490170844

Scanner detections:
30 / 68

Status:
Adware

Explanation:
Software bundler and update mechanism that will attempt to install adware offers.

Analysis date:
2/25/2025 8:17:18 AM UTC

Scan engine                    Detection                                       Engine version
Lavasoft Ad-Aware              Application.ExqPage.F                           1150
Agnitum Outpost                Trojan.Staser                                   7.1.1
AhnLab V3 Security             Trojan/Win32.Staser                             2013.12.25
Avira AntiVirus                TR/Wysotot.Gen                                  7.11.121.222
AVG                            Startpage.A                                     2014.0.3643
Baidu Antivirus                Trojan.Win32.StartPage                          4.0.3.131127
Bitdefender                    Application.ExqPage.F                           1.0.20.1655
Boost by Reason                Optional.Service.BanyanTreeTechnologyLimited.H  188163
Comodo Security                Heur.Suspicious                                 17495
Dr.Web                         Adware.Mutabaha.20                              9.0.1.0241
ESET NOD32                     Win32/ELEX (variant)                            7.9149
Fortinet FortiGate             Adware/Agent                                    8/29/2013
F-Secure                       Application.ExqPage.F                           11.2013-27-11_4
G Data                         Application.ExqPage                             13.11.22
IKARUS anti.virus              Application.ExqPage                             t3scan.2.2.29
K7 AntiVirus                   Riskware                                        13.174.10623
Kaspersky                      Trojan.Win32.Staser                             14.0.0.3812
Malwarebytes                   PUP.Optional.Wsys.A                             v2013.11.27.03
McAfee                         Adware-Bprotect                                 5600.7271
Microsoft Security Essentials  Trojan:Win32/Wysotot.A                          1.165.247.01
MicroWorld eScan               Application.ExqPage.F                           14.0.0.993
Quick Heal                     Trojan.Agent.gen                                11.13.12.00
Reason Heuristics              PUP.Service.BanyanTreeTechnologyLimited.H       14.3.1.0
Sophos                         Elex                                            4.96
SUPERAntiSpyware               PUP.Wsys/Variant                                10913
Trend Micro House Call         TROJ_GEN.R0CBH07IJ13                            7.2.331
Trend Micro                    TROJ_GEN.R0CBC0DLO13                            10.465.27
Vba32 AntiVirus                Trojan.Staser                                   3.12.24.3
VIPRE Antivirus                Elex Installer                                  24726
ViRobot                        Trojan.Win32.S.Staser.303680                    2011.4.7.4223

File size:
296.6 KB (303,680 bytes)

Product version:
10.2.1.2612

Copyright:
Copyright (C) 2013

Original file name:
eGdpSvc.exe

File type:
Executable application (Win32 EXE)

Language:
English (United Kingdom)

Common path:
C:\ProgramData\esafe\egdpsvc.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
1/9/2013 9:18:54 PM

Valid to:
1/10/2015 9:18:54 PM

Subject:
CN=Banyan Tree Technology Limited, O=Banyan Tree Technology Limited, L=HongKong, S=HongKong, C=HK

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
1121C63E4490F9D28667737C8DE7D3B6805D

File PE Metadata
Compilation timestamp:
8/21/2013 9:02:29 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
6144:VXOK+vo5APTuxeWG++BFoqjHH6oHI4CnYsDAhWqajU1:EK+fukWQFnHUY801

Entry address:
0x1000

Entropy:
7.9083

Packer / compiler:
ASProtect v1.2x (New Strain)

Code size:
235 KB (240,640 bytes)

Service
Display name:
Wsys Service

Service name:
WsysSvc

Description:
Wsys update service

Type:
Win32OwnProcess


The file eGdpSvc.exe has been discovered within the following program.

DProtect by DProtect Lab
DProtect is an adware web browser extension that will display various popup and banner ads as well as modify the user's web browser search and home page settings.

The file eGdpSvc.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to 7d.a0.a86c.ip4.static.sl-reverse.com  (108.168.160.125:80)
