You’ve installed one of their packages before? Then beware: we’ve discovered they have a mechanism that can silently install adware on a user’s PC.
The issue is with a component called FSSUpdaterService, which is installed as a part of some FSS applications.
Sounds like just another innocent software update checker, right? But it’s not as well behaved as some other applications. The installer doesn’t ask if you want to allow the package to phone home, and we can see no option to turn it off.
And, crucially, in our tests with FSS ePub Reader and FSS Google Books Downloader, the updater isn’t removed by the uninstaller. Once it’s there, you could have it forever.
Why does this matter? Yesterday Bitdefender Internet Security 2016 warned us that FSSUpdaterService.exe had tried to access an “infected web resource”, “h**p://mp3kaif.com/wincl*cks/wincl*cks.exe”, which was identified as “Gen.Variant.Kazy.771294” – a Trojan.
This seemed strange as we didn’t realise there was any FSS software installed on this system, but closer inspection revealed a couple of traces.
We found FSSUpdaterService.exe, FSSUpdaterService.exe.config and TaskDb.fss installed in a C:\Users\<username>\AppData\Roaming\UpdaterService folder.
Launching Task Scheduler and browsing to Task Scheduler (Local) > Task Scheduler Library displayed an FFSUpdaterService scheduled task, which launched the component daily and whenever any user logged on.
This looked suspicious, but we wanted to know more about this “winclocks.exe” – was it really malware, could there be some other explanation?
We downloaded the package via another route and submitted it to VirusTotal. It was “only” flagged as malware by 9 engines, but as it was also less than two days old, this was still a concern.
To find out more, we ran FSSUpdaterService on a test system. It accessed winclocks.exe as before, but saved it locally using a cryptic filename (d35449ea-9395-4288 — .exe), then executed it using a /VERYSILENT command line switch to avoid any prompts.
The dropped file then went to work, downloading and trying to install Wajam, PC Speed Up and other apps, as well as changing our browser home page.
The C:\Users\[UserName]\AppData\Local\Temp folder had other traces of the file’s activities, including a “chrome_installer.log” file which indicated attempts to overwrite per-menu Start Menu shortcuts for Chrome. (This log may only have been created because our system didn’t have Chrome installed.)
If you spotted this and didn’t realise the cause, you might spend a while uninstalling these “extras”, restoring your browser settings, tweaking any browser shortcut properties.
That might solve the problem for a while, too, but we found that at some point, FSSUpdaterService would just download another installer and our system would be messed up all over again.
This reinfection doesn’t occur immediately, presumably because the authors don’t want to make users suspicious, but we could make it happen repeatedly by deleting its “TaskDb.fss” file and running the program again.
We reported our concerns to FreeSmartSoft, asking why their software appears to download adware/ malware on mp3kaif.com.
David Smith replied:
“Website (http://mp3kaif.com) was our partner (MP3-search etc). Software from mp3kaif.com are detected as malware now and we stopped all relations with them. We don’t want a bad reputation. Our software are safe and clean completely.”
But how all the blame be shifted onto a partner, we asked, when it was FSSUpdaterService, an integral component of FreeSmartSoft’s own applications, which had downloaded the adware?
Smith initially refused to accept this:
FSSUpdaterService.exe determines and verifies the topicality of the FreeSmartSoft applications. If we have updates, UpdaterService offers to install them. Only this.
Although later he seemed to say his software was using some mp3kaif “engine”:
UpdaterService can offer to install other FreeSmartSoft programs, for example, YouTube MP3 Converter or Video Downloader. This required mp3kaif engine. We will change this scheme.
What should I do?
Tests this morning show that FSSUpdaterService no longer appears to be accessing adware, so any immediate risks seem low. But the fact that it’s capable of doing this at all, while keeping out of sight, and could presumably start downloading at any time, means you need to get rid of it immediately.
To see whether you might be affected by this issue, open Task Scheduler, and browse to Task Scheduler (Local) > Task Scheduler (Library) in the left-hand pane.
Scroll down the list, looking for an FSSUpdaterService task.
If you see it:
1. Double-click the task and click Actions.
2. Look for the “Start a program” action, and check the path in the “Details” column to find out where FSSUpdaterService.exe is stored.
3. Click OK to close the task window, then right-click the FSSUpdaterService task and click Delete.
4. Browse to the path you noted earlier and delete FSSUpdaterService.exe.
If you don’t see it, you’re probably safe, but search your system for FSSUpdaterService.exe anyway (ours was in C:\Users\<username>\AppData\Roaming\UpdaterService). If you find something you’re sure was associated with a previous FSS installation, delete it; if you’re uncertain, investigate it further.
What should you do about any installed FreeSmartSoft programs? We don’t believe the apps are malicious, so if you rely on one, and FSSUpdaterService has been deleted, then you can probably continue to use it safely. Just be wary of updates, at least until the company is more open about what it’s installing and why.