Closed Bug 936214 Opened 7 years ago Closed 2 years ago

Blocklist Plus-HD add-ons... somehow

Categories

(Toolkit :: Blocklist Policy Requests, defect)


RESOLVED INVALID

People

(Reporter: kmag, Unassigned)


Attachments

(1 file)

I haven't come across an XPI for these, but they use a new ID for each version, in the form "${guid1}@{guid2}.com". E.g.,


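The ID shape described in the report above, turned into an inventory check. This is an added example, not part of the original bug and not Mozilla's blocklist code: it flags add-ons whose ID is two bare GUIDs joined as `guid@guid.com`, and separates records that also carry a Plus-HD-style name from ID-only matches. The `{"addons": [{"id", "name"}]}` layout, the function names and every sample ID are assumptions constructed for illustration.

```python
import json
import re

# One canonical 8-4-4-4-12 hex GUID, without braces.
GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
# Shape from the report: "<guid1>@<guid2>.com", a fresh pair for each version.
ROTATING_ID = re.compile(rf"{GUID}@{GUID}\.com", re.IGNORECASE)
# Display names on the page look like "Plus-HD-1.1" or "Plus HD".
NAME_HINT = re.compile(r"plus[\s-]?hd", re.IGNORECASE)


def classify(addon):
    """Return 'match', 'id-only' or None for one {"id", "name"} record."""
    if not ROTATING_ID.fullmatch(str(addon.get("id", "")).strip()):
        return None
    if NAME_HINT.search(str(addon.get("name", ""))):
        return "match"
    # Same ID shape under another name: worth a manual look, not a verdict.
    return "id-only"


def scan(inventory_json):
    """Map add-on ID -> verdict for every flagged record in the inventory."""
    findings = {}
    for addon in json.loads(inventory_json).get("addons", []):
        verdict = classify(addon)
        if verdict:
            findings[addon["id"]] = verdict
    return findings


# Constructed inventory (hypothetical layout and IDs, not taken from the bug).
SAMPLE = json.dumps({"addons": [
    {"id": "0a1b2c3d-1111-4222-8333-444455556666"
           "@9f8e7d6c-aaaa-4bbb-8ccc-ddddeeeeffff.com", "name": "Plus-HD-9.9"},
    {"id": "0A1B2C3D-1111-4222-8333-444455557777"
           "@9F8E7D6C-AAAA-4BBB-8CCC-DDDDEEEE0000.com", "name": "Video Helper"},
    # Braced GUID IDs and ordinary name@domain IDs are normal and must not match.
    {"id": "{0a1b2c3d-1111-4222-8333-444455556666}", "name": "Plus HD lookalike"},
    {"id": "tool@example.com", "name": "Some Tool"},
    {"id": "0a1b2c3d-1111-4222-8333-444455556666@example.com", "name": "Half"},
]})

if __name__ == "__main__":
    for addon_id, verdict in scan(SAMPLE).items():
        print(verdict, addon_id)
```

An exact-ID list misses every new version because the ID changes each release; matching on the shape covers unseen versions, at the cost of needing review for `id-only` hits.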
This seems to be the official source: http://www.plus-hd.com/

Care to give it a try?
Yeah, that installer silently installs it.
Except that it installs 'Plus HD' 9.91.10 with ID 2b2750af-b61c-4f40-ac60-659fa3e3def0@199d3f78-54fd-45d9-ab43-235d38c159ee.com
Kris, do you want an XPI and installer with that file? Furthermore, it creates tasks to install (and reinstall?) itself and terminates running browsers.
Flags: needinfo?(kmaglione+bmo)
I'm not sure what you mean
Flags: needinfo?(kmaglione+bmo)
(In reply to Kris Maglione [:kmag] from comment #0)
> I haven't come across an XPI for these, but they use a new ID for each
> version, in the form "${guid1}@{guid2}.com". E.g.,

(In reply to Kris Maglione [:kmag] from comment #3)
> Except that it installs 'Plus HD' 9.91.10 with ID
> 2b2750af-b61c-4f40-ac60-659fa3e3def0@199d3f78-54fd-45d9-ab43-235d38c159ee.com

Do you need software which silently installs Plus HD 7.6 (and the stuff like install log etc.)?
If you have it, then yes, I'd like to see it. The installer from comment 1 installs something, but I don't know that it's related.
This is an installer of the ExtractNow application. The homepage http:// www . extractnow . com/ offers a download from cnet which seems to be a stub. The download from CHIP http://www . chip . de/downloads/ExtractNow_48251973.html offers to install third party stuff, but even after unchecking the checkbox and declining that TOS, Plus HD 7.6 gets installed.

More information on changes to the system can be found on http://www.drwebhk.com/en/virus_techinfo/Trojan.Crossrider.41.htmlr

TL;DR

- Tasks created at %WINDIR%\Tasks\
- %PROGRAM_FILES%\Plus-HD-6.0
- %TEMP%\nsq3.tmp
- In Temp:
  - binsis142.xml
  - binsischeck654.xml
  - bitool.dll
  - nsr701.tmp
  - plus-hd-7-6de.exe
  - Plus-HD-7.6Installer_1393425650.log
  - UpdateCheckerSetup.exe
  - Folders with *.tmp folder, one containing Setup50131.exe
Hrm. That installer changes my homepage and search engine to snapdo.com. It doesn't seem to install any extensions, though.
OK, it's pretty flaky, but eventually it does install a snap.do extension. Which we should block. But that's another bug. It also uses an external app to draw its toolbar over our browser window. Ugh.
Blocks: 1048672
Product: addons.mozilla.org → Toolkit
Closing old blocklist requests that shouldn't be valid after the move to WebExtensions-only in Firefox 57. Please comment if you think this bug is still valid and should be reopened.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → INVALID