Author’s Note: We at Malwarebytes continue to do our part in educating our product users and constant blog readers about day-to-day online threats and how they can avoid falling prey to them. “PUP Friday”, our latest attempt at getting users acquainted with files they may need to watch out for in the Wild Web, offers an in-depth look at some interesting and quite notable potentially unwanted programs (PUPs). Expect to see this type of content pushed out twice a month at the end of a work week.
In this episode we take a look at a hijacker that installs a new browser rather than hijacking an existing one. It even attempts to replace Chrome if that is already installed. To make sure that you will use your new browser, eFast makes itself the default browser and takes over some file associations. File associations are settings that determine which program will run when files with a certain extension are opened.
This one hijacks these file associations:
Looking there on an affected computer, selecting eFast in the list of programs will show you something like this:
It also places a set of shortcuts to popular sites on your desktop which are all set to open with the eFast browser.
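To see which program currently handles web links and web file types for the logged-on user, and which desktop shortcuts launch a URL, the PowerShell below can be run on the machine being checked. It is an added example, not part of the original post and not a Malwarebytes tool; the extension list, the expected-browser patterns and the assumption that the shortcuts are .lnk files passing a URL as an argument are illustrative.

```powershell
# Added example: per-user audit of web handlers and desktop URL shortcuts.
# Assumptions: the extension list, the expected-browser patterns, and that
# the desktop shortcuts are .lnk files passing a URL as an argument.
$protocols  = 'http', 'https'
$extensions = '.htm', '.html', '.shtml', '.xht', '.xhtml'
$expected   = 'Google\\Chrome', 'Mozilla Firefox', 'Microsoft\\Edge', 'Internet Explorer'  # regex

function Get-UserChoiceProgId([string]$KeyPath) {
    # UserChoice\ProgId names the handler selected for this protocol or extension.
    (Get-ItemProperty -Path $KeyPath -Name ProgId -ErrorAction SilentlyContinue).ProgId
}

function Get-OpenCommand([string]$ProgId) {
    # Resolve the ProgId to the command line that runs on "open".
    if (-not $ProgId) { return $null }
    $key = "Registry::HKEY_CLASSES_ROOT\$ProgId\shell\open\command"
    (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
}

function Test-ExpectedBrowser([string]$Command) {
    foreach ($pattern in $expected) { if ($Command -match $pattern) { return $true } }
    return $false
}

$targets = @()
foreach ($p in $protocols) {
    $targets += [pscustomobject]@{ Item = $p
        Key = "HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\$p\UserChoice" }
}
foreach ($e in $extensions) {
    $targets += [pscustomobject]@{ Item = $e
        Key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$e\UserChoice" }
}

# Review = a handler is set but its command is unresolved or not an expected browser.
$targets | ForEach-Object {
    $progId  = Get-UserChoiceProgId $_.Key
    $command = Get-OpenCommand $progId
    [pscustomobject]@{ Item = $_.Item; ProgId = $progId; Command = $command
        Review = ($progId -and -not (Test-ExpectedBrowser $command)) }
} | Format-Table -AutoSize -Wrap

# Desktop shortcuts whose arguments start with a URL, with the program they launch.
$shell    = New-Object -ComObject WScript.Shell
$desktops = [Environment]::GetFolderPath('Desktop'), [Environment]::GetFolderPath('CommonDesktopDirectory')
Get-ChildItem -Path $desktops -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
    $lnk = $shell.CreateShortcut($_.FullName)
    if ($lnk.Arguments -match '^"?https?://') {
        [pscustomobject]@{ Shortcut = $_.Name; Target = $lnk.TargetPath; Url = $lnk.Arguments }
    }
} | Format-Table -AutoSize -Wrap
```

Rows marked Review are not proof of a hijack; they are the handlers worth checking by hand against what the user intended to install.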
Another point that raises some concerns about this install is that it dropped a file called predm.exe in the folder %Program Files%\efas_en_110010107. Looking at the details for that file, we see that it is dated a week earlier than the actual date of install and that the “File description” is “AA setup”. Scan results at VirusTotal.
Detection and protection
Malwarebytes Anti-Malware detects and removes eFast as PUP.Optional.eFast, PUP.Optional.Clara and PUP.Optional.Tuto4PC. This only works if PUP detections are set to “Treat detections as malware”. You can change or check this under “Settings” > “Detection and Protection”. A removal guide for eFast can be found on our forums.