What is the Freeven pro 1.2 malware and how does it work?

2
I've noticed on my computer that I have malware running called Freeven pro 1.2 which is detected and removed by herdProtect, but what is this Freeven and what exactly does it do? I'm assuming it has something to do with the banner ads I am noticing in Internet Explorer that say "Ads by Freeven", which are typically ads for things like fake Flash and Java updates.
Asked Apr 23 '14 at 22:32
Did you happen to install at any time one of the following programs: “DVDX Player”, “Youtube Downloader HD”, “Video Media Player” and “Fast Free Converter”? These are some of the programs that are bundlers of Freeven. - JohnS 128 months ago

2 Answers

 
0
Freeven is an ad-injector adware program that displays in-text advertisements and pop-up ads from “Ads by Freeven” that is commonly bundled with other free programs that you download off of the Internet. Freeven may also display pop-up advertisements and in-text ads, and as you browse the Internet, it will show coupons and other deals available on different websites.
Answered Apr 24 '14 at 23:28
1
Freeven, Freven (and various other variations) is a web browser extension that utilizes the Crossrider platform to distribute an extension for all the major web browsers. The program itself, which is typically bundled through 3rd-party distribution deals (also known as insertion offers), is designed for the purpose of injecting various forms of advertisements, mostly banner ads, within a random set of web pages a user is visiting. These ads are either injected in various locations of a page or designed to overwrite existing banner spots on a page.

The installation log (Freeven pro 1.2Installer.log) below is a sample that the Freeven Pro installer generates in the user's temp directory after install. This will provide a good example of what the setup program does.

09 - --------------------------- Installer started --------------------------- 
09 - installerfullversion: 1.34.4.10 
09 - version compile date: 23-04-14 
09 - appid: 54253 
09 - appname: Freeven pro 1.2 
09 - publisherid: 21636 
09 - publisher: Freeven 
09 - installername: 54253.exe 
09 - installertype: 12289 
09 - bhoguid: 11111111-1111-1111-1111-110511421153 
09 - scrambletoken: daf8e490ad660131b665cbf55cb 
09 - unmixed_file_path: C:\Users\test\AppData\Local\Temp\nsj945.tmp\147482 
09 - mixed_file_path: C:\Users\test\AppData\Local\Temp\nsj945.tmp\470377 
09 - PU: 
09 - Installation time: 09 
10 - SID: S-1-5-21-41101986666-32666122348-6666131986-1000 
10 - Local Appdata: C:\Users\test\AppData\Local 
10 - LocalLow Appdata: C:\Users\test\AppData\LocalLow 
10 - Roaming Appdata: C:\Users\test\AppData\Roaming 
10 - Installation folder: C:\Program Files\Freeven pro 1.2 
10 - User Profile folder: C:\Users\test 
10 - Command line: /subid=verticals- 
10 - No browsers installations commands were passed via the command line. 
10 - Function onInit started. 
10 - Read the OS: 7 
10 - App registry path: Software\AppDataLow\Software\Freeven pro 1.2 
10 - Build: 7601 
10 - ProductName: Windows 7 Ultimate N 
10 - Read cmd line subid: verticals- 
10 - srcid: 001361
10 - subid: verticals-
10 - zdata: 0
10 - Bic was not found in Software\AppDataLow\Software\Crossrider. Need to create one. 
10 - Bic: 4B5FB2039666666D88A53340A6661709IE. 
10 - Verifier: 3fe9194e66666e567c40efd7666669. 
10 - Read the full IE version from the registry: 8.0.7601.17514 
10 - IE short version: 8 
10 - Chrome.exe was found 
10 - Chrome version: 34 
10 - Firefox is not installed 
10 - Read the default browser: ch 
10 - User is admin. 
11 - ASW: 00000000000000100000000000001000 
11 - ASW: 00000000000000000010000000000001 
12 - no installer update needed 
12 - Attempting to send ping: http://stats.clientdemostack.com/installer.gif?action=started
22 - CH is open 
24 - installing_agent_path: C:\Program Files\Freeven pro 1.2 
24 - Creating folder: C:\Program Files\Freeven pro 1.2 
24 - Extracting to C:\Users\test\AppData\Local\Temp\nsj945.tmp\470377 
24 - Unmixing C:\Users\test\AppData\Local\Temp\nsj945.tmp\470377 to C:\Users\test\AppData\Local\Temp\nsj945.tmp\147482 
25 - Copying from C:\Users\test\AppData\Local\Temp\nsj945.tmp\147482 to C:\Program Files\Freeven pro 1.2\Uninstall.exe 
25 - Setting uninstallation registry keys. 
25 - Installing Chrome extension 
25 - chromeid: dmgpbjjcdccinnndjdgmegndbmhbgglb 
25 - chromeversion: 1.26.18 
25 - Extracting to C:\Users\test\AppData\Local\Temp\nsj945.tmp\470377 
25 - Unmixing C:\Users\test\AppData\Local\Temp\nsj945.tmp\470377 to C:\Users\test\AppData\Local\Temp\nsj945.tmp\147482 
25 - Copying from C:\Users\test\AppData\Local\Temp\nsj945.tmp\147482 to C:\Program Files\Freeven pro 1.2\54253.crx 
25 - Extracting to C:\Users\test\AppData\Local\Temp\nsj945.tmp\470377 
25 - Unmixing C:\Users\test\AppData\Local\Temp\nsj945.tmp\470377 to C:\Users\test\AppData\Local\Temp\nsj945.tmp\147482 
25 - Copying from C:\Users\test\AppData\Local\Temp\nsj945.tmp\147482 to C:\Program Files\Freeven pro 1.2\a83664e0-b5d5-41f6-3.exe 
25 - ScheduleAgentTask started 
25 - Scheduling task: a83664e0-b5d5-3 
25 - Task file path: C:\Program Files\Freeven pro 1.2\a83664e0-b5d5-3.exe 
25 - Task account name: NT AUTHORITY\SYSTEM 
29 - Installing Firefox extension 
29 - ffextensionid: 2ab9302c-551a-4804-9971-9932d6d5b0f9@2bfa4cf8-298a-4792-80d5-75352ee81de1.com 
29 - ffprefsbranch: a2ab9302c551a480499719932e81de1com54253 
29 - ffversion: 0.94 
29 - ffupdateurl: https://w9u6a2p6.ssl.hwcdn.net/plugin/ff/update/54253.rdf 
29 - Extracting to C:\Users\test\AppData\Local\Temp\nsj945.tmp\470377 
29 - Unmixing C:\Users\test\AppData\Local\Temp\nsj945.tmp\470377 to C:\Users\test\AppData\Local\Temp\nsj945.tmp\147482 
30 - Copying from C:\Users\test\AppData\Local\Temp\nsj945.tmp\147482 to C:\Program Files\Freeven pro 1.2\a83664e0-4.exe 
30 - ScheduleAgentTask started 
30 - Scheduling task: a83664e0-b5d5-666666-4 
30 - Task file path: C:\Program Files\Freeven pro 1.2\a83664e0-4.exe 
30 - Task cmd line: /TSfwjB /xqifpTQ='Freeven pro 1.2' /sNAWmV='C:\Program Files\Freeven pro 1.2\54253.xpi'
31 - Deploying IE extension files 
31 - Extracting to C:\Users\test\AppData\Local\Temp\nsj945.tmp\470377 
31 - Setting code downloader elevation policy. Guid: 709d2004
32 - Executing Freeven pro 1.2-codedownloader.exe
34 - Extracting to C:\Program Files\Freeven pro 1.2\Freeven pro 1.2.ico 
34 - Extracting to C:\Users\test\AppData\Local\Temp\nsj945.tmp\470377 
35 - Copying from C:\Users\test\AppData\Local\Temp\nsj945.tmp\147482 to C:\Program Files\Freeven pro 1.2\Freeven pro 1.2-bg.exe 
35 - Setting bg elevation policy. Guid: d96edca7-d996-4670-9c44-c52cd5459121. 
35 - Executing Freeven pro 1.2-bg.exe /executebg /ienvKI='C:\Users\test\AppData\Local\Temp\Freeven pro 1.2Installer_09.log' 
35 - ScheduleAgentTask started 
35 - Scheduling task: a83664e0-ad2d15029cad-2 
39 - Attempting to send ping: http://stats.clientdemostack.com/installer.gif?...
40 - Ping result: 1 
40 - Attempting to send ping: http://logs.clientdemostack.com/monetization.gif?xxx
40 - --------------------------- Installer ended ---------------------------
Edited on Apr 23 '14 at 22:48
Answered Apr 23 '14 at 22:48
Also, check the registry entry HKEY_LOCAL_MACHINE\SOFTWARE\Freeven pro 1.2 - JohnS 128 months ago
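
As an added example (not part of the original answers, and not Freeven or Crossrider code): a small Python parser for an installer log in the format quoted in the answer above, listing what to verify after removal: the install folder, dropped files, scheduled tasks, browser extension IDs and the hosts the installer pinged. The function and field names are assumptions made for this example; the sample lines are copied from the log above.

```python
import re
from urllib.parse import urlparse

# Excerpt copied from the installer log quoted in the answer above.
SAMPLE_LOG = r"""
09 - bhoguid: 11111111-1111-1111-1111-110511421153
10 - Installation folder: C:\Program Files\Freeven pro 1.2
12 - Attempting to send ping: http://stats.clientdemostack.com/installer.gif?action=started
25 - chromeid: dmgpbjjcdccinnndjdgmegndbmhbgglb
25 - Copying from C:\Users\test\AppData\Local\Temp\nsj945.tmp\147482 to C:\Program Files\Freeven pro 1.2\54253.crx
25 - Scheduling task: a83664e0-b5d5-3
25 - Task file path: C:\Program Files\Freeven pro 1.2\a83664e0-b5d5-3.exe
25 - Task account name: NT AUTHORITY\SYSTEM
40 - Attempting to send ping: http://logs.clientdemostack.com/monetization.gif?xxx
"""

LINE = re.compile(r"^\s*\d+ - (.*?)\s*$")         # "<timestamp> - <message>"
COPY = re.compile(r"^Copying from .+? to (.+)$")  # destination of a dropped file
ID_KEYS = {"bhoguid", "chromeid", "ffextensionid"}
TASK_FIELDS = {"Task file path": "path", "Task account name": "account"}

def extract_artifacts(log_text):
    """Collect what the installer left behind, as a post-removal checklist."""
    art = {"install_dir": None, "extension_ids": {},
           "dropped_files": [], "tasks": [], "ping_hosts": []}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        msg = m.group(1)
        key, sep, value = msg.partition(": ")
        copied = COPY.match(msg)
        if copied:
            art["dropped_files"].append(copied.group(1))
        elif not sep:
            continue  # status line without a "key: value" pair
        elif key == "Installation folder":
            art["install_dir"] = value
        elif key in ID_KEYS:
            art["extension_ids"][key] = value
        elif key == "Scheduling task":  # later "Task ..." lines describe this task
            art["tasks"].append({"name": value, "path": None, "account": None})
        elif key in TASK_FIELDS and art["tasks"]:
            art["tasks"][-1][TASK_FIELDS[key]] = value
        elif key == "Attempting to send ping":
            host = urlparse(value).hostname
            if host and host not in art["ping_hosts"]:
                art["ping_hosts"].append(host)
    return art
```

A task that the log names without a file path or account, like the last one scheduled in the log above, is reported with those fields set to `None`.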