plus-hd-2.3-updater.exe

Plus-HD-2.3

Kimahri Software inc.

This adware uses the Crossrider platform to build and distribute this web browser advertising injection extension. Once installed in the browser it will hijack various browser settings (homepage, search) and may interfere and track behaviors as well as deliver ads. The application plus-hd-2.3-updater.exe by Kimahri Software inc has been detected as adware by 33 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler triggered to execute each time a user logs in. It is built using the Crossrider browser extension toolkit; the Updater component is used to dynamically connects to the Crossrider API (update.srvstatsdata.com/.../{CAMP_ID}/update.json) and download additional code in order to automatically update Plus HD extension/toolbar. It is distributed as part of the Brightcircle group of browser-extensions.
Publisher:
Plus HD  (signed by Kimahri Software inc.)

Product:
Plus-HD-2.3

Description:
Plus-HD-2.3 exe

Version:
1000.1000.1000.1000

MD5:
0cbc4533652083eb4b3710df3a5d8cfa

SHA-1:
70ee052c3bafd15fbcb133f8eea628b592275dea

SHA-256:
cd8ebf99c618e54cca9a1251c68603c56ab7aa656a3663a62b079ed9742b65c1

Scanner detections:
33 / 68

Status:
Adware

Explanation:
Part of the Crossrider toolbar platform. This is the updater mechanism that runs in the background as a scheduled task. Distributed through the Brightcircle investments brand.

Note:
Crossrider is the owner of a platform that enables the creation of cross-browser extensions by developers but is not the owner of this detected application. The owner/publisher of this file is Kimahri Software inc..

Analysis date:
11/14/2024 8:37:20 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Adware.Plush.1
390

Agnitum Outpost
PUA.Toolbar.CrossRider
7.1.1

AhnLab V3 Security
Win-PUP/CrossRider
2014.11.04

Avira AntiVirus
Adware/CrossRider.A.13596
7.11.182.236

avast!
Win32:Adware-BMP [PUP]
2014.9-160111

AVG
Generic_r
2017.0.2868

Baidu Antivirus
Adware.Win32.CrossAd
4.0.3.16111

Bitdefender
Gen:Adware.Plush.1
1.0.20.55

Bkav FE
W32.Clodc63.Trojan
1.3.0.4613

Clam AntiVirus
Win.Adware.Addlyrics-2
0.98/19360

Dr.Web
Trojan.Crossrider.12167
9.0.1.011

Emsisoft Anti-Malware
Gen:Adware.Plush
8.16.01.11.03

ESET NOD32
Win32/Toolbar.CrossRider (variant)
10.10664

Fortinet FortiGate
Riskware/Toolbar_CrossRider
1/11/2016

F-Prot
W32/A-eb9ef301
v6.4.7.1.166

F-Secure
Gen:Adware.Plush.1
11.2016-11-01_2

G Data
Gen:Adware.Plush
16.1.24

IKARUS anti.virus
AdWare.AddLyrics
t3scan.2.2.29

K7 AntiVirus
Unwanted-Program
13.185.13888

Kaspersky
not-a-virus:WebToolbar.Win32.CroRi
14.0.0.834

Malwarebytes
PUP.Optional.HDPlus.A
v2016.01.11.03

McAfee
Artemis!C32038A55431
5600.6524

MicroWorld eScan
Gen:Adware.Plush.1
17.0.0.33

NANO AntiVirus
Trojan.Win32.Crossrider.cwsaki
0.28.6.62995

nProtect
Adware.AddLyrics.AK
14.02.02.01

Panda Antivirus
PUP/PlusHD
16.01.11.03

Qihoo 360 Security
HEUR/Malware.QVM10.Gen
1.0.0.1015

Reason Heuristics
Adware.Crossrider.Brightcircle (M)
16.1.11.3

Sophos
AppRider
4.98

Trend Micro House Call
ADW_CROSSRIDER
7.2.11

Trend Micro
ADW_CROSSRIDER
10.465.11

VIPRE Antivirus
Crossrider
34480

Zillya! Antivirus
Adware.CroRi.Win32.392
2.0.0.1975

File size:
358.9 KB (367,464 bytes)

Product version:
1000.1000.1000.1000

Copyright:
Copyright 2011

Original file name:
Plus-HD-2.3.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\plus-hd-2.3\plus-hd-2.3-updater.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
3/7/2013 1:00:00 AM

Valid to:
3/7/2016 12:59:59 AM

Subject:
CN=Kimahri Software inc., O=Kimahri Software inc., STREET=666 Sherbrooke Rue w, L=Montreal, S=Quebec, PostalCode=H3A 1E7, C=CA

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00A1BB8569950C0B2080A11A0E2F618B33

File PE Metadata
Compilation timestamp:
7/11/2013 5:22:00 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:lIbVvIAWk5wD5JEHuRgUe1mHAMlxi3mSlPK3WRfHe6echpTBJfhC5:+ZvIvk5wD7EH/Ue1mHAMlx5SdK3WRfHQ

Entry address:
0x2E174

Entry point:
E8, 2F, AA, 00, 00, E9, 89, FE, FF, FF, CC, CC, 57, 56, 53, 33, FF, 8B, 44, 24, 14, 0B, C0, 7D, 14, 47, 8B, 54, 24, 10, F7, D8, F7, DA, 83, D8, 00, 89, 44, 24, 14, 89, 54, 24, 10, 8B, 44, 24, 1C, 0B, C0, 7D, 14, 47, 8B, 54, 24, 18, F7, D8, F7, DA, 83, D8, 00, 89, 44, 24, 1C, 89, 54, 24, 18, 0B, C0, 75, 18, 8B, 4C, 24, 18, 8B, 44, 24, 14, 33, D2, F7, F1, 8B, D8, 8B, 44, 24, 10, F7, F1, 8B, D3, EB, 41, 8B, D8, 8B, 4C, 24, 18, 8B, 54, 24, 14, 8B, 44, 24, 10, D1, EB, D1, D9, D1, EA, D1, D8, 0B, DB, 75, F4, F7...
 
[+]

Code size:
275.5 KB (282,112 bytes)

Scheduled Task
Task name:
Plus-HD-2.3-updater

Trigger:
Logon (Runs on logon)


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to lb-212-222.above.com  (103.224.212.222:80)

TCP (HTTP):
Connects to ip-70.32.1.32.hosted.by.gigenet.com  (70.32.1.32:80)

Remove plus-hd-2.3-updater.exe - Powered by Reason Core Security