onlysearch.exe

Visual Tools Client Setup 1.0

Visual Tools

The application onlysearch.exe, “Visual Tools Client Setup” by Visual Tools has been detected as adware by 14 anti-malware scanners. This is a self-extracting archive and installer and has been known to bundle potentially unwanted software. This will display context specific advertisements in the browser as well as attempt to modify the browser's search provider. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from dl.cdn-services.com.
Publisher:
Visual Tools Ltd.  (signed by Visual Tools)

Product:
Visual Tools Client Setup 1.0

Description:
Visual Tools Client Setup

Version:
1.0.5.0

MD5:
8afa0fe39cbb6928833b9a3bc672da5e

SHA-1:
c435ab68049d56bf265013c267238216f2ca79b8

SHA-256:
6245c3b4dd2a597479048c6553067a388902ccd33123ba84f3ee4c5dbeee5b78

Scanner detections:
14 / 68

Status:
Adware

Explanation:
The installer may include an offer for the Babylon Toolbar (a homepage/search hijacker), which is potentially installed with minimal user consent.

Analysis date:
12/25/2024 3:17:11 AM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
PUA.Toolbar.Babylon
7.1.1

AhnLab V3 Security
Adware/Win32.BHO
14.12.03

avast!
Win32:Adware-gen [Adw]
2014.9-141203

Baidu Antivirus
Adware.Win32.Bbylon
4.0.3.14123

Dr.Web
Adware.Downware.1733
9.0.1.0337

ESET NOD32
Win32/Toolbar.Babylon (variant)
8.9688

Fortinet FortiGate
Riskware/Toolbar_Babylon
12/3/2014

IKARUS anti.virus
PUA.VisualTools
t3scan.1.7.8.0

McAfee
Artemis!E569050C46CA
5600.6928

NANO AntiVirus
Trojan.Win32.Downware.ctimdd
0.28.0.59288

Reason Heuristics
PUP.Installer.VisualTools.K
14.9.10.16

Trend Micro House Call
Suspicious_GEN.F47V0804
7.2.337

Trend Micro
ADW_BABYLON
10.465.03

VIPRE Antivirus
Babylon
32738

File size:
667.6 KB (683,592 bytes)

Copyright:
2011(c) Visual Tools Ltd. All rights reserved.

Original file name:
Setup.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\onlysearch.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
1/10/2013 1:00:00 AM

Valid to:
1/11/2015 12:59:59 AM

Subject:
CN=Visual Tools, O=Visual Tools, L=Belgrade, S=Serbia, C=RS

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
789958B0264F06055619270074AFA61F

File PE Metadata
Compilation timestamp:
8/6/2014 11:55:41 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:wbJmFmpuGc1dIsLeQAm5qXN8VcOZYeK+08HHFI4N5AGoCZ42DZkVyuPyI:iJm8plcLIae85q8MUHFPsGdZ1oyuPH

Entry address:
0x2DB4

Entry point:
E8, DC, 20, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, 68, 3B, 41, 00, E8, 96, 22, 00, 00, E8, 19, 0E, 00, 00, 0F, B7, F0, 6A, 02, E8, 6F, 20, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, 50, 1A, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...
 
[+]

Code size:
50.5 KB (51,712 bytes)

The file onlysearch.exe has been seen being distributed by the following URL.

Remove onlysearch.exe - Powered by Reason Core Security