Monthly Archives: August 2015

Vega Resource, LLC – 16% Detection Rate – HEUR:AdWare.Win32.Generic

Hello readers! Just a short post on a publisher called Vega Resource, LLC. I just found a download named “Download.exe” that was digitally signed by this publisher, and it turns out that it is detected by some anti-virus programs.

Vega Resource, LLC publisher

This is how it looks when double-clicking on the file: Vega Resource, LLC appears as the publisher. It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the Vega Resource, LLC certificate.

Vega Resource, LLC certificate

By clicking at the Certificate Path tab, we can see that Thawte has issued the certificate:

Vega Resource LLC cert path

The scan result from VirusTotal below clearly shows why you should avoid the Vega Resource, LLC file. It is detected under names such as Generic6.BURQ, a variant of Win32/Adware.MultiPlug.NX, Unwanted-Program ( 004ccd421 ), not-a-virus:HEUR:AdWare.Win32.Generic, PE:Packer.Win32.Mian007.a!1074235325 and Trojan.Agent/Gen-Downloader.
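The checks described above (publisher in the UAC dialog, issuer and chain on the Certificate Path tab, then a VirusTotal lookup) can be scripted; this is an added example, not code from the FreeFixer blog, and the download path is an assumption. It also applies to the other signed files discussed on this page.

```powershell
# Added example, not code from the FreeFixer blog. Reads the Authenticode signature of a
# download the way the post does by hand (publisher, issuer, certificate path) and
# returns the SHA256 so an existing VirusTotal report can be looked up before uploading.
function Get-SignedDownloadInfo {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    $publisher = '(unsigned)'; $issuer = $null; $from = $null; $to = $null
    $chainSubjects = @()
    if ($cert) {
        $publisher = $cert.Subject     # what the UAC dialog shows as "publisher"
        $issuer    = $cert.Issuer      # e.g. thawte SHA256 Code Signing CA
        $from      = $cert.NotBefore
        $to        = $cert.NotAfter
        # Rebuild the chain shown on the Certificate Path tab (leaf first, root last).
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline; revocation is a separate check
        [void]$chain.Build($cert)
        $chainSubjects = $chain.ChainElements | ForEach-Object { $_.Certificate.Subject }
    }

    $sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    [pscustomobject]@{
        File       = $Path
        # 'Valid' only means the signature chains to a trusted root such as Thawte or
        # Certum; as the post shows, that says nothing about whether the file is adware.
        Status     = $sig.Status
        Publisher  = $publisher
        Issuer     = $issuer
        ValidFrom  = $from
        ValidTo    = $to
        Chain      = $chainSubjects
        SHA256     = $sha256
        VirusTotal = "https://www.virustotal.com/gui/file/$sha256"
    }
}

# Assumed path; point it at the file you want to examine.
Get-SignedDownloadInfo -Path "$env:USERPROFILE\Downloads\Download.exe" | Format-List
```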

Vega Resource anti-virus report

Did you also run into a download that was digitally signed by Vega Resource, LLC? What kind of download was it, and was it reported by the anti-malware scanners at VirusTotal? Please share in the comments below.

Hope this blog post helped you avoid some unwanted software on your machine.

Thanks for reading.

BEst inSTall TLl – 49% Detection Rate

Hello readers! If you are a regular here on the FreeFixer blog you know that I’ve been looking at the certificates used to sign files that bundle various types of unwanted software. Today I found another certificate, used by a publisher called BEst inSTall TLl.

BEst inSTall TLl publisher

If you have a BEst inSTall TLl file on your machine you may have noticed that BEst inSTall TLl is displayed as the publisher in the UAC dialog when double-clicking on the file. You can also check the digital signature under the file’s properties. According to the embedded certificate, BEst inSTall TLl is located in Dublin, Ireland, and the certificate is issued by thawte SHA256 Code Signing CA.

BEst inSTall TLl certificate

Thawte has issued the certificate.

BEst inSTall TLl cert chain

So, what do the anti-virus programs say about the BEst inSTall TLl file? No problem, I just uploaded the file to VirusTotal and it turned out that many of the anti-virus programs detect the BEst inSTall TLl file, with names such as NSIS:OutBrowse-DQ [PUP], Downloader.QWU, Gen:Variant.Adware.Mikey.21084, HEUR/QVM30.1.Malware.Gen and Generic PUA AA (PUA).

BEst inSTall TLl anti-virus report

Did you also find a BEst inSTall TLl file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thanks for reading.

Update 2015-08-18: Found another download, also signed by Best Install TLl, claiming to be an episode of a famous TV series. The detection rate for this file was 45%. Notice that the installer does not have any button to cancel the installation.

BEst inSTall TLl installer window

Semen Korzuba – VirusTotal: 33% Detection – MultiPlug, Trj/Genetic.gen

Hello! Just a short post before I call it a day. I found yet another file that bundled a bunch of unwanted programs, and the file was signed by Semen Korzuba.

Semen Korzuba warning

Windows will display Semen Korzuba as the publisher when running the file. The certificate is issued by Certum Code Signing CA.

Semen Korzuba cert chain

Semen Korzuba certificate

The VirusTotal report shows that the Semen Korzuba file should be avoided, since Download Uc Browser V Handler Zip.exe is detected as TR/Dropper.Gen by Avira, a variant of Win32/Adware.MultiPlug.NU by ESET-NOD32, PUP.Optional.Multiplug by Malwarebytes, Trj/Genetic.gen by Panda and MultiPlug (v) by VIPRE.

Semen Korzuba anti-virus report

Did you also find a file digitally signed by Semen Korzuba? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Thanks for reading.

starT PlaYInG – 53% Detection Rate – Mikey / PUGO / OutBrowse

Hi there! Just wanted to let you know about a publisher called starT PlaYInG before going back to writing some code for FreeFixer.

starT PlaYInG publisher

If you have a starT PlaYInG file on your machine you may have noticed that starT PlaYInG is displayed as the publisher in the UAC dialog when double-clicking on the file. It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the starT PlaYInG certificate.

starT PlaYInG certificate

Thawte has issued the certificate:

starT PlaYInG thawte

If you are considering running the starT PlaYInG signed file, I’d advise you not to. Delete it instead. Just check out the detection names from some of the anti-virus programs:

Avast reports Player.exe as NSIS:OutBrowse-DQ [PUP], AVG calls it Downloader.OPP, BitDefender detects it as Gen:Variant.Adware.Mikey.21084, Cyren reports W32/Adware.PUGO-0761 and VIPRE reports OutBrowse (fs).

starT PlaYInG anti-virus report

Did you also find a starT PlaYInG file?

Thank you for reading.

Trend Interactive – 19% Detection Rate – DownloadAdmin / Application.Jaik

Hello! Just a short post before I call it a day. I found yet another file that bundled a bunch of unwanted programs, and the file was signed by Trend Interactive.

Trend Interactive publisher

It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the Trend Interactive certificate.

Trend Interactive certificate

VeriSign has issued the certificate:

Trend Interactive cert path

When I uploaded the Trend Interactive file to VirusTotal, it came up with a 19% detection rate. The file is detected as PUA/DownloadAdmin.Gen7 by Avira, Gen:Variant.Application.Jaik.8223 by BitDefender and Adware ( 004c86ce1 ) by K7GW.

Trend Interactive anti-virus report

Did you also find a file digitally signed by Trend Interactive? What kind of download was it and where did you find it?

Hope this blog post helped you avoid some unwanted software on your machine.

Thanks for reading.

Vladimir Suvorov – 46% Detection – InstalleRex / MPlug / MultiPlug

Hi there! Just a note on a publisher called Vladimir Suvorov. The Vladimir Suvorov download – Download Uc Browser V Handler Zip.exe – was detected when I uploaded it to VirusTotal. Did you also find a download by Vladimir Suvorov? Was it also detected when you uploaded it to VirusTotal?

Here is how Vladimir Suvorov appears in the UAC dialog when double-clicking on the Download Uc Browser V Handler Zip.exe file:

Vladimir Suvorov publisher

The certificate is issued by Certum Code Signing CA and Mr. Suvorov is located in Poland:

Vladimir Suvorov certum

Vladimir Suvorov certificate

The problem with the Vladimir Suvorov file is that it is detected by many of the anti-virus programs. Here are some of the detection names: Generic6.BRAN, W32/S-a2e0b166!Eldorado, Gen:Variant.Adware.MPlug, SoftwareBundler:Win32/InstalleRex and MultiPlug (v).

Vladimir Suvorov anti-virus report

Did you also find a Vladimir Suvorov file?

Thank you for reading.

Remove easydriverpro.com Pop Up Ads Caused By Adware

Did you just get a pop-up from easydriverpro.com and ask yourself where it came from? Did the easydriverpro.com ad appear to have been initiated from a web site that under normal circumstances doesn’t use advertising such as pop-up windows? Or did the easydriverpro.com pop-up show up while you clicked a link on one of the major search engines, such as Google, Bing or Yahoo?

Here’s a screenshot of the easydriverpro.com pop-up ad when it showed up on my machine:

easydriverpro.com pop up

If this sounds like your experience, you almost certainly have some adware installed on your computer that pops up the easydriverpro.com ads. There’s no use contacting the owners of the site you were browsing. The ads are not coming from them. I’ll do my best to help you with the easydriverpro.com removal in this blog post.

For those that are new to the blog: Some time ago I dedicated some of my lab systems and knowingly installed a few adware programs on them. Since then I’ve been following the actions on these computers to see what kinds of advertisements are displayed. I’m also looking at other interesting things, such as whether the adware auto-updates, or whether it downloads additional unwanted software onto the computers. I first noticed the easydriverpro.com pop-up on one of these lab machines.

easydriverpro.com resolves to 107.22.218.171.

So, how do you remove the easydriverpro.com pop-up ads? On the machine where I got the easydriverpro.com ads I had CPUMiner, PineTree and GamesDesktop installed. I removed them with FreeFixer and that stopped the easydriverpro.com pop-ups and all the other ads I was getting in Mozilla Firefox.

The issue with pop-ups like this one is that they can be triggered by many variants of adware. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

Anyway, here’s my suggestion for the easydriverpro.com ads removal:

  1. What software do you have installed if you look in the Add/Remove programs dialog in the Windows Control Panel? Something that you don’t remember installing yourself or that was recently installed?
  2. How about the add-ons installed in your browsers? Anything in the list that you don’t remember installing?
  3. If that didn’t solve the problem, I’d recommend a scan with FreeFixer to manually track down the adware. FreeFixer is a freeware tool that I’m working on that scans your computer at lots of locations, such as browser add-ons, processes, Windows services, recently modified files, etc. If you want to get additional details about a file in the scan result, you can click the More Info link for that file and a web page will open up with a VirusTotal report which will be very useful to determine if the file is safe or malware:

    FreeFixer More Info link example
    An example of FreeFixer’s “More Info” links.

Here’s a video guide showing how to remove pop-up ads with FreeFixer:

Did this blog post help you to remove the easydriverpro.com pop-up ads? Please let me know, or tell me how I can improve this blog post.

Thank you!

Redirected from Google Search To Yahoo Search – How To Fix It

Are you getting redirected from Google’s search engine to Yahoo search? If you do, you probably have potentially unwanted software installed on your machine.

yahoo google redirect

In my case, I had four potentially unwanted programs installed. They were called WNet, CashReminder, ActSys and PlainSavings. I removed them with FreeFixer and that stopped the browser from hijacking my Google searches. I don’t know which one of them sent me to Yahoo instead of Google.

The issue with these redirects is that they can also be caused by other potentially unwanted programs. This makes it impossible to say exactly what you need to remove to stop the unwanted redirects.

Anyway, here’s my suggestion for removing the redirect:

  1. Examine what programs you have installed in the Add/Remove programs dialog in the Windows Control Panel. Do you see anything that you don’t remember installing or that was recently installed?
  2. You can also examine the browser add-ons. Same thing here, do you see something that you don’t remember installing?
  3. If that didn’t solve the problem, I’d recommend a scan with FreeFixer to manually track down the potentially unwanted program. FreeFixer is a freeware tool that I’m working on that scans your computer at lots of locations, such as browser add-ons, processes, Windows services, recently modified files, etc. If you want to get additional details about a file in the scan result, you can click the More Info link for that file and a web page will open up with a VirusTotal report which will be very useful to determine if the file is safe or malware:

    FreeFixer More Info link example
    An example of FreeFixer’s “More Info” links.
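Steps 1 and 2 of the suggestions above (and of the identical steps in the easydriverpro.com post) can be done from PowerShell; this is an added example, not FreeFixer’s own code. It assumes a standard Firefox profile location under %APPDATA% and reads the usual Uninstall registry keys.

```powershell
# Added example, not FreeFixer code. Lists installed programs newest first from the
# Uninstall registry keys (step 1) and the extensions in each Firefox profile (step 2),
# so entries you don't remember installing stand out.
function Get-InstalledPrograms {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            # InstallDate, when present, is a yyyyMMdd string; entries without one sort last.
            $installed = $null
            if ($_.InstallDate -match '^\d{8}$') {
                $installed = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
            }
            [pscustomobject]@{
                Name      = $_.DisplayName
                Publisher = $_.Publisher
                Installed = $installed
                Uninstall = $_.UninstallString   # what Add/Remove Programs runs
            }
        } |
        Sort-Object Installed -Descending
}

function Get-FirefoxAddons {
    # extensions.json lists every add-on a profile knows about; Location 'app-profile'
    # means it was installed into the profile rather than shipped with Firefox.
    Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles\*\extensions.json" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $profileName = $_.Directory.Name
            (Get-Content -Path $_.FullName -Raw | ConvertFrom-Json).addons |
                Where-Object { $_.type -eq 'extension' } |
                ForEach-Object {
                    [pscustomobject]@{
                        Profile  = $profileName
                        Name     = $_.defaultLocale.name
                        Id       = $_.id
                        Active   = $_.active
                        Location = $_.location
                    }
                }
        }
}

Get-InstalledPrograms | Select-Object -First 15 | Format-Table -AutoSize
Get-FirefoxAddons | Format-Table -AutoSize
```

Anything recent that you did not install yourself is the candidate to check with the VirusTotal report described in step 3.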

Did you find any potentially unwanted program on your machine? Did that stop Google from redirecting to Yahoo? Please post the name of the potentially unwanted program you uninstalled from your machine in the comment below.

Thank you!

Taras Lapin – 16% Detection Rate According to VirusTotal

Hi there! If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. Today I found another publisher called Taras Lapin.

Taras Lapin publisher

If you have a Taras Lapin file on your machine you may have noticed that Taras Lapin is displayed as the publisher in the UAC dialog when double-clicking on the file.

Taras Lapin certificate

The certificate is issued by Certum Code Signing CA.

Taras Lapin certum

9 of the scanners detected the file. Some of the detection names for the Download Uc Browser V Handler Zip.exe file are Trojan.Crossrider1.45643, PUA.Multiplug, Multiplug-FAJ and MultiPlug (v).

Taras Lapin anti-virus report

Did you also find a Taras Lapin file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thanks for reading.

MICHAIL SUDAREV – 16% Anti-Virus Detection Rate

Hello readers! Did you just find a file that’s digitally signed by MICHAIL SUDAREV and came here to find more about it?

MICHAIL SUDAREV publisher

Windows will display MICHAIL SUDAREV as the publisher when running the file. The certificate is issued by Certum Code Signing CA.

MICHAIL SUDAREV SPD CGISOFT ltd. certificate

The cert mentions SPD CGISOFT ltd. Certum Trusted Network CA is the root in the certificate chain:

MICHAIL SUDAREV Certum

So, what do the anti-virus programs say about the MICHAIL SUDAREV file? No problem, I just uploaded the file to VirusTotal and it turned out that some of the anti-virus programs detect the MICHAIL SUDAREV file, with names such as Win32:Evo-gen [Susp], TR/Crypt.XPACK.Gen, SoftwareBundler:Win32/InstalleRex and MultiPlug (v).

MICHAIL SUDAREV anti-virus report

Did you also find a MICHAIL SUDAREV download? What kind of download was it?

Hope this blog post helped you avoid some unwanted software on your machine.

Thank you for reading.