Should I block it?
Yes, 98% block recommendation.
Possible reasons:
Multiple malware detections
Performance resource utilization
Additional versions
(Note, Righway Technologies publishes each variation of this file with the same version, but the hashes are unique.)
Relationships
 PE file structure
|
Show functions |
Import table
advapi32.dll
GetTokenInformation
htmlayout.dll
HTMLayoutUpdateWindow
kernel32.dll
GetVersion, InterlockedIncrement, GetModuleFileNameW, GetModuleHandleA, LoadLibraryA, LocalAlloc, LocalFree, GetModuleFileNameA, ExitProcess
ole32.dll
CoUninitialize
shell32.dll
ShellExecuteW
shlwapi.dll
StrStrIW
user32.dll
FindWindowExA
userenv.dll
DestroyEnvironmentBlock
wininet.dll
HttpOpenRequestW
wtsapi32.dll
WTSQueryUserToken
gffupdater.exe
GoforFiles Application by Righway Technologies (Signed)
| Version: | 3, 0, 0, 1 |
| MD5: | 7af38d476c757509ae47e9aa292b3c6b |
| SHA1: | aa9fc79d519472c700bd38a830f120036e0cf574 |
| SHA256: | f81e4396c9787496c10d61ae98124984b3be01ac43eab73023b9509e71123a85 |
Warning 7 antivirus scanners has detected malware.
Overview
gffupdater.exe is malware that executes as a process with the local user's privileges. It is an auto-starting process that used the Windows Task Scheduler service to load when the user logs into Windows (sometimes this is required to bypass the UAC protection). It is installed with a couple of know programs including GoforFiles published by Righway Technologies, Inc, GoforFiles from Righway Technologies, Inc and GoforFiles by Righway Technologies, Inc. The file is digitally signed by Righway Technologies which was issued by the COMODO CA Limited certificate authority (CA).
Details
| File name: | gffupdater.exe |
| Publisher: | http://goforfiles.com/ |
| Product name: | GoforFiles Application |
| Description: | GoforFiles Updater Application |
| Typical file path: | C:\Program Files\goforfiles\gffupdater.exe |
| Original name: | GoforFiles.exe |
| File version: | 3, 0, 0, 1 |
| Product version: | 3,0,0,0 |
| Size: | 237.58 KB (243,280 bytes) |
| Build date: | 8/8/2013 11:21 PM |
| Certificate |
| Issued to: | Righway Technologies |
| Authority (CA): | COMODO CA Limited |
| Expiration date: | Sunday, August 23, 2015 |
| Digital DNA |
| File packed: | No |
| .NET CLR: | No |
More details
Programs
The following programs will install this file
|
Righway Technologies, Inc |
|
GoforFiles bundles various adware toolbars including the Delta Search Toolbar (an adware toolbar that modifies the user's web browser home page, search settings and other settings).
Behaviors
Scheduled tasks
- The job 'GoforFilesUpdate' runs on logon in the path '\GoforFilesUpdate'
Scheduled tasks startups
Set to load on user login (bypasses Windows UAC if enabled)
- Login entry path '\GoforFilesUpdate'
Malware detections
Based on 40+ industry antivirus scanners, 7 of them detected the following malware.
| Antivirus engine | Engine version | Detection |
| avast! |
8.0.1489.320 |
Win32:Adware-AHK [PUP] |
| ESET NOD32 |
7.8861 |
a variant of Win32/YourFileDownloader.B |
| Kingsoft |
2013.4.9.267 |
Win32.Troj.Generic.a.(kcloud) |
| McAfee |
5.600.1067 |
Artemis!7AF38D476C75 |
| McAfee Gateway Anti-Malware |
v2013-dat |
Artemis!7AF38D476C75 |
| Trend Micro HouseCall |
9.700.0.1001 |
TROJ_GEN.F47V0808 |
| VIPRE Antivirus |
21986 |
ExpressFiles Installer (fs) |
Distribution by Windows OS
| OS version | distribution |
| Windows 8.1 Pro Preview |
40.00% |
|
| Windows 7 Ultimate |
40.00% |
|
| Windows 8 Pro |
20.00% |
|
Distribution by country
Saudi Arabia installs about 40.00% of GoforFiles Application.
Distribution by PC manufacturer
| PC Manufacturer | distribution |
| Acer |
66.67% |
|
| Alienware |
33.33% |
|
