Author’s Note: We at Malwarebytes continue to do our part in educating our product users and constant blog readers about day-to-day online threats and how they can avoid falling prey to them. “PUP Friday”, our latest attempt at getting users acquainted with files they may need to watch out for in the Wild Web, offers an in-depth look at some interesting and quite notable potentially unwanted programs (PUPs). Expect to see this type of content pushed out twice a month at the end of a work week.
We have discussed DNS hijackers in general in the past. This week, we like to have a look at an example called TopFlix. It belongs to a family of adware that we call DNSUnlocker.
How do people get infected?
This one is pushed by a bundle wrapper called SoftPulse. SoftPulse uses advertisements to lure users into downloading and installing “useful” applications like Java or Flash Player from their servers and to spice things up a bit they add some extra ingredients of their own.

A current example of how the SoftPulse bundle installer looks
Depending on your geolocation and maybe some other parameters, you’d see some additional offers to digest along with the main course.
TopFlix was presented as a media-player during recent install procedures.
Installation
Once the bundle wrapper triggers the installation of TopFlix, you’d be able to read their EULA as it should be, but in these cases, it’s not always shown. Since you have already allowed the wrapper to run, they don’t need to ask for your permission to install the extras. You have implicitly and are probably unaware that you already allowed them. This one also includes a link to their Privacy Policy.

Scrolling down a bit in the EULA, you may notice this warning about you giving the “Services” permission to change your DNS settings:

In my book, that’s a deal breaker. Do not ever allow anyone to control your DNS settings. The ramifications of changing them can range from extra content to being unable to reach any Web address at all.
The installer offers us another warning still further down, and lets us know that the Service “may”—trust me, it will—contain unsupervised third-party content:

Third-party content
From what we’ve seen, the above-mentioned third-party content comes as text popups, which are little advertisements that show up when you hover over certain keywords—

—and some others that open a new browser tab or window.
One of the examples that we were served led to the potentially unwanted program called “OneSafe PC Cleaner” by “Avanquest”.

As you can see, that advertisement was marked as “Ad by adsupply”, but many of them do not reveal any information about their origin at all.
Removal and detection
The SoftPulse bundle wrapper is detected by Malwarebytes Anti-Malware as PUP.Optional.SoftPulse. The TopFlix installer is detected as Adware.TopGuard.

A full removal guide and logs of the install can be found on our forums.
Prevention
In the case of bundle wrappers, a few habits can go a long way to prevent unwanted side-dishes:
- Download software from the publisher’s own site whenever possible.
- Review the extra offers carefully. In many bundles you can “Skip” or “Deny” them.
- Create a “Restore Point” before you install or use software that can undo the changes made to your system, such as Total Uninstall or Ashampoo Uninstaller.
Summary
We looked at a DNS hijacker called TopFlix. It poses as a media player and is brought to you by one of the mainstream bundle wrappers called SoftPulse.
Pieter Arntz