I was helping out a FreeFixer user this morning, trying to track down some malware in his FreeFixer log that he sent me.
While searching for information about a .DLL file, I found a spam post on imgur.com, which linked to another web page that started a download of an executable file.
And this one is pretty nasty. Look at the executable file. As you can see, the file is digitally signed by Free Sky Business LP.
Typically, when you double-click on a file like this, Windows pops up a User Account Control dialog asking if you trust “Free Sky Business LP”. However, this one manages to pop up a UAC dialog for Microsoft’s WMI Commandline Utility instead.
If you click no, the UAC dialog will pop-up again and again and again…
Until you click Yes, which starts the installation of FileFinder.exe.
So watch out! Don’t click Yes if a UAC dialog for Microsoft’s WMI Commandline Utility pops up.
I’m in a hurry here, trying to wrap up the v1.12 release of FreeFixer, but I thought I must write a few lines about a file, digitally signed by Plugin Update SL, that was promoted as a Java update. Here’s how the ad appeared:
When clicking on the ad, a download for something called Player_Setup.exe appeared. That file is not a Java update.
The file is digitally signed by Plugin Update SL, which is a company that appears to be located in Tenerife, and if you run the file, it will start an installation of something called NewPlayer. During the installation, it offers lots of bundled unwanted software, such as Findopolis, FreeSoftToday, IStartSurf, etc.
The VirusTotal scan also clearly shows why you should stay away from the Plugin Update SL malware file:
Some of the scanners report it as DomaIQ and SoftPulse.
Did you also find a file signed by Plugin Update SL? Was it also promoted as a Java update?
If you installed any of the bundled software, you can remove those with FreeFixer.
Hope this helped you avoid the Plugin Update SL software. Thanks for reading.
Played around with another download this morning. This time a bunch of new files and settings appeared. The first notable change was a new process and scheduled task called SW-Booster.exe appearing:
SW-Booster.exe is detected under names such as “a variant of Win32/TrojanDownloader.Agent.AFD” and “PUP.Optional.MultiPlug.A”.
Two new Firefox extensions also appeared, Y**tubeAdBlocker and saVee aNete 5.14:
I’ve verified that FreeFixer removed these completely. There are also entries in the Programs and Features dialog.
Please let me know if this helped you remove the SW-Booster malware by posting a comment.
Update 2014-11-21: Seems to be a variant around called SoftwareBooster.exe:
Back in July I was first notified about the eGdpSvc.exe file. At that time, only one of the 45 engines at VirusTotal detected the file, and I didn’t know how it was distributed or how it ended up on the users’ machines.
Today, I noticed that eGdpSvc.exe is still distributed so I thought I’d make a quick uninstall guide that shows how to delete eGdpSvc.exe with the help of FreeFixer. This video also shows that the “more info” links in FreeFixer can be quite useful to determine if a file is legitimate or malware.
When looking at the “more info” page of eGdpSvc.exe in the video you’ll see that eGdpSvc.exe is currently detected by 14 of the anti-virus scanners at VirusTotal.
Do you click on the more info links while trying to determine if a file is legitimate or malware?