Found a few new variants of SaveNet this morning. The new variant appear as Save On, SO.Booster and SO.Sustainer 1.80 in the Add/Remove programs dialog. These where found in a camera related software, and the setup file was digitally signed by Daneil Jemoch. Save On inserts ad links while you browse. The links are underlined with a green small arrow and are labeled “Click to Continue > by save on” as shown in the screenshot below:
These are the detection results from VirusTotal for SO.Booster.exe:
If you have Save On, SO.Booster and SO.Sustainer 1.80 on your machine, you may have noticed a file called SO.Booster.exe or SO;Booster.exe running on your computer at startup or that new add-ons have appeared in your browser. Here’s a screenshot from Firefox that shows the SaveOn add-on:
The removal is pretty straightforward with the FreeFixer removal tool. Simply check the SaveOn, SO.Booster and SO.Sustainer files, as shown in the screenshots:
How did you get SaveOn on your machine?
By downloading the player from this website: hxxp://www.opensubtitles.us/nl/opensubtitles-player.save-it-now/sub/5719156
Horrible people who are behind this.
I noticed that the dates of installation were wrong too. I downloaded a program yesterday and that’s when I noticed something was wrong. I looked through my programs to see what was downloaded on said date, SAve on said it had been downloaded 2 yrs ago but I didn’t remember seeing it in my programs list til today. I tried looking it up on the net and all I got was a bunch of “how to save on” links…was starting to get pretty frustrated. It also said that it was a microsoft program, certified and all…hmm. I still thought something was fishy about it and that’s when I stumbled across this article. Thanks for sharing this info with us. I for one greatly appreciate it!
Labrat, thank you for the feedback!
By downloading a movie from this website:
hxxp://conscienciarevolucionariabrasileira.blogspot.com.br/2012/05/colecao-completa-do-mazzaropi.html
Thank you Edmar!
I got this from trying to get off the ‘OzLance’ mailing list!