
SoftwareBundler:Win32/SquareNet


Microsoft security software detects and removes this unwanted software.

This software bundler installs other unwanted software.

The program installs adware, including Adware:Win32/CostMin and Adware:Win32/InvisibleBrowser, and malware such as TrojanProxy:Win32/Bedri and members of the Clikug family of trojans that use your PC for click fraud, such as TrojanDownloader:Win32/Clikug.A. It calls these threats by other names, such as idle Crawler.

We have also seen it try to install the following programs:

  • Cloud Backup
  • DriverSupport
  • Find Ultra Premium Merchants
  • FreeSoftToday
  • HD_Quality
  • idle Crawler
  • iStart123 - Polypower
  • Okiitan
  • PC Safe Pro - Fusion Tech Software
  • Radsteroids - Deals Interactive Media
  • v-bates
  • Yontoo18 - EMG Technology, AIRZIP
  • Youtub_Videos_Downloader

It might get on your PC as an updater or installer for Java or a program called "FLV Player".

Find out more about how and why we identify unwanted software.



What to do now

This program poses a severe threat to your PC.

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find hidden threats.

Update Java

Make sure you install Java updates from the official Java website:

You should remove older versions of Java, as keeping old and unsupported versions of Java on your PC is a serious security risk:

It's also important to keep your other software up to date:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

This program downloads other software onto your PC, without giving you adequate consent or control.

We have seen it try to download and install adware including Adware:Win32/CostMin and Adware:Win32/InvisibleBrowser. It can install this adware and other threats, including malware, silently and without your knowledge.

It can try to install malware including TrojanProxy:Win32/Bedri and members of the Clikug family of trojans that use your PC for click fraud, such as TrojanDownloader:Win32/Clikug.A.

The program presents itself as a Java updater or installer. Even though it does install Java, it often installs old or outdated versions. Having old versions of Java on your PC can open you up to infection by malware. In the following example it will also install other software, including "idle Crawler", which we detect as a variant of the Clikug family.

We have seen it try to install programs including:

  • Cloud Backup
  • DriverSupport
  • Find Ultra Premium Merchants
  • FreeSoftToday
  • HD_Quality
  • idle Crawler
  • iStart123 - Polypower
  • Okiitan
  • PC Safe Pro - Fusion Tech Software
  • Radsteroids - Deals Interactive Media
  • v-bates
  • Yontoo18 - EMG Technology, AIRZIP
  • Youtub_Videos_Downloader

It might also install a number of services, but gives you no way to uninstall them. For example, we've seen it install the following services, which may be used to update software installed by SoftwareBundler:Win32/SquareNet or protect some components from removal.

Service name: WinDevSrv
Display name: WinDevSrv
Description: Web Device Service
Path: %APPDATA%\UpdateServ\UpdaterService.exe or <commonappdata>\Online\sv.exe

Service name: MediaDeviceSvc
Display name: MediaDeviceSvc
Description: Media Management Instrumention
Path to executable: <commonappdata>\MediaDev\<numbers>\mediadev.exe, for example <commonappdata>\MediaDev\1405901676\mediadev.exe
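
The service details above can be turned into a check over a service inventory. The following is an added example, not part of the original entry or any Microsoft tool: it assumes the inventory is available as (service name, image path) pairs, and the function names and sample records are constructed for illustration.

```python
import re

# Indicators from the service details above. Paths are matched on their tail
# only, so the check does not depend on where %APPDATA% or the common
# application data folder resolves on a given Windows version.
INDICATORS = {
    "windevsrv": re.compile(r"\\(updateserv\\updaterservice|online\\sv)\.exe$"),
    "mediadevicesvc": re.compile(r"\\mediadev\\\d+\\mediadev\.exe$"),
}

def executable_of(image_path):
    """Lower-cased executable of a service image path, without quotes or arguments."""
    p = image_path.strip()
    if p.startswith('"'):
        p = p[1:].split('"', 1)[0]
    else:
        m = re.match(r"(.*?\.exe)(\s|$)", p, re.IGNORECASE)
        p = m.group(1) if m else p
    return p.replace("/", "\\").lower()

def classify(name, image_path):
    """Return 'name+path', 'name-only', 'path-only' or None for one service."""
    exe = executable_of(image_path)
    own = INDICATORS.get(name.lower())
    if own is not None:
        return "name+path" if own.search(exe) else "name-only"
    if any(rx.search(exe) for rx in INDICATORS.values()):
        return "path-only"  # listed path under a different service name
    return None

def scan(services):
    """Return (name, path, verdict) for every service that matches an indicator."""
    verdicts = [(n, p, classify(n, p)) for n, p in services]
    return [v for v in verdicts if v[2]]

# Constructed sample inventory (not from the page): (service name, image path).
SAMPLE_SERVICES = [
    ("WinDevSrv", r'"C:\Users\alice\AppData\Roaming\UpdateServ\UpdaterService.exe"'),
    ("MediaDeviceSvc", r"C:\ProgramData\MediaDev\1405901676\mediadev.exe"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("RenamedSvc", r"C:\ProgramData\Online\sv.exe /run"),
    ("WinDevSrv", r"C:\Temp\other.exe"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_SERVICES):
        print(hit)
```

A "name-only" or "path-only" verdict is weaker evidence than "name+path" and is worth a manual look rather than automatic removal.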

The program might also install a file called vmhost.exe. This file may be used to browse the Internet without your knowledge and open ads that then redirect to exploit kits that try to infect your PC with malware.

Analysis by Hamish O'Dea


Symptoms

You see a program try to install Java that looks like this:

 


Prevention


Alert level: High
First detected by definition: 1.177.1441.0
Latest detected by definition: 1.187.1909.0 and higher
First detected on: Jul 02, 2014
This entry was first published on: Jul 02, 2014
This entry was updated on: Nov 20, 2014

This threat is also detected as:
No known aliases