For about a week now there have been repeated posts on the BleepingComputer and Malwarebytes forums regarding a BITSADMIN 3.0 command prompt that repeatedly opens on its own and downloads files. What all of these users had in common was numerous adware and unwanted programs installed on their computers.
Bitsadmin 3.0 Prompt
It wasn't until yesterday that researchers at these forums, such as Aura & Djordje Lukic, discovered that this behavior was being caused by an adware bundle called FileTour. FileTour is an adware bundle that downloads adware, unwanted extensions, PUPs, and miners to an infected computer. An interesting characteristic of FileTour is that it almost always installs PUPs written for Russian victims. These include programs related to Mail.ru and extensions whose titles are written in Russian.
Mail.ru Program
Recently FileTour seems to have decided to add persistence to its behavior in order to further download and install unwanted programs on a victim's computer. It does this by creating various batch files which are executed by scheduled tasks at login and every 3 hours thereafter.
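One way to check a machine for the persistence pattern described above, as an added example that is not from the original article: this Python sketch parses Task Scheduler XML (the format `schtasks /query /xml` emits) and flags tasks that run a batch file and carry both a logon trigger and a 3-hour repetition. The sample task, its path, and all function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_RE = re.compile(r"\.(bat|cmd)\b", re.I)

def interval_hours(iso):
    """Convert an ISO 8601 duration such as PT3H or PT180M to hours."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", (iso or "").strip())
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return d * 24 + h + mi / 60 + s / 3600

def assess_task(xml_text):
    """Return the traits a task shares with the persistence the article describes."""
    root = ET.fromstring(xml_text)
    hits = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        line = " ".join(filter(None, (ex.findtext("t:Command", "", NS),
                                       ex.findtext("t:Arguments", "", NS))))
        if SCRIPT_RE.search(line):            # batch file run directly or via cmd.exe /c
            hits.append("runs-batch-file")
        if "bitsadmin" in line.lower():       # task action invokes bitsadmin itself
            hits.append("calls-bitsadmin")
    if root.find("t:Triggers/t:LogonTrigger", NS) is not None:
        hits.append("logon-trigger")
    for rep in root.findall("t:Triggers/*/t:Repetition/t:Interval", NS):
        if interval_hours(rep.text) == 3:     # "every 3 hours thereafter"
            hits.append("repeats-every-3h")
    return sorted(set(hits))

def is_suspicious(xml_text):
    """True when a batch-file action has both triggers: at logon and every 3 hours."""
    required = {"runs-batch-file", "logon-trigger", "repeats-every-3h"}
    return required <= set(assess_task(xml_text))

# Constructed sample task definition (task content and path are placeholders, not real IoCs).
SAMPLE_PERSIST = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <TimeTrigger><Repetition><Interval>PT3H</Interval></Repetition></TimeTrigger>
  </Triggers>
  <Actions><Exec><Command>cmd.exe</Command><Arguments>/c C:\ProgramData\example\update.bat</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    print(assess_task(SAMPLE_PERSIST), is_suspicious(SAMPLE_PERSIST))
```

A match is a lead for review rather than a verdict, since legitimate software also schedules batch files; the batch file a flagged task points to is the next thing to inspect.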