web_assistant_v2.exe

The application web_assistant_v2.exe has been detected as a potentially unwanted program by 12 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer, however the file is not signed with an authenticode signature from a trusted source. Also know as BrowserDefender, this bundled service will prevent various web browser toolbars and extensions from running as well as block changes to the search page and provider. The file has been seen being downloaded from i1.installbox1.info.
MD5:
6a35844c753efe3ac946dcbda386a23a

SHA-1:
a86c99e5dcc55143282d560dbe9af444d4456483

SHA-256:
896bbef62ef8453fdd23d5f78a7357dcd5f5f3471e2a2c7cae4c9874b759ba38

Scanner detections:
12 / 68

Status:
Potentially unwanted

Explanation:
This service will prevent resources from modifying the web browser's home and search pages as well as the search provider set by the product, an affiliate search engine partner.

Analysis date:
12/25/2024 12:54:22 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Adware.BHO.Bprotector.1
506

avast!
NSIS:SProtector-A [PUP]
2014.9-150916

Baidu Antivirus
Trojan.Win32.SProtector
4.0.3.15916

Bitdefender
Gen:Variant.Adware.BHO.Bprotector.1
1.0.20.1295

Dr.Web
Adware.BGuard.9
9.0.1.0259

Emsisoft Anti-Malware
Gen:Variant.Adware.BHO.Bprotector
8.15.09.16.01

ESET NOD32
Win32/SProtector (variant)
9.9348

F-Secure
Gen:Variant.Adware.BHO.Bprotector.1
11.2015-16-09_4

G Data
Gen:Variant.Adware.BHO.Bprotector
15.9.24

K7 AntiVirus
Trojan
13.175.10988

MicroWorld eScan
Gen:Variant.Adware.BHO.Bprotector.1
16.0.0.777

VIPRE Antivirus
Trojan.Win32.Generic
25896

File size:
1.5 MB (1,581,213 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\addons\web_assistant_v2.exe

File PE Metadata
Compilation timestamp:
12/5/2009 10:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
24576:sufhoKlK9IQSjZwFmG8XTCYdnfVRdd1o+Y0eq6Z9T4IhoKlK9IQSjZwFmb:CKlEFEVnU+l6Z9EPKlEFW

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.9922

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file web_assistant_v2.exe has been seen being distributed by the following URL.

Remove web_assistant_v2.exe - Powered by Reason Core Security