Malicious Qike PDF Converter Spreads via Silent Downloaders, Causes High CPU Usage

According to Huorong’s threat intelligence system, engineers found that the Qike PDF Converter carries a malicious proxy module and is being promoted via a download‑site downloader.

Users reported unexplained computer slowdown and high CPU usage.

Processes such as svchost.exe , FnClientService.exe , and FnClientService20.exe were observed accessing many unfamiliar URLs.

Engineers determined that the symptoms are caused by installing the Qike PDF Converter.

The converter spreads silently through the download‑site’s downloader, releasing the malicious proxy module to the %appdata%\tx directory during installation.

The hidden module runs in the background, consumes CPU resources, and makes the system sluggish.

Even after uninstalling the converter, the malicious module remains as a system service that starts automatically on boot.

Multiple versions of the converter contain similar malicious code.

Trace analysis linked the installer and the malicious svchost.exe to a company in Hangzhou, identified as “ZL Software,” which provides traffic‑proxy services.

The article explains the common practice of silent promotion by junk download sites, where a “high‑speed downloader” bundles unwanted software, similar to the previously known “Mala Xiang Guo” virus.

The Qike PDF Converter uses this method, turning infected machines into bots that are hard to detect.

Huorong reports tens of thousands of daily infections and advises users to be vigilant.

Huorong’s antivirus has updated its virus definitions to detect and remove the Qike Converter; users who have installed it should run a scan.