Tag Archives: Eldorado

Stepan Rybin – 44% Detection Rate – MultiPlug / Adware.Mikey

February 22, 2015digital signatureAdware.Mikey, Eldorado, MultiPlugRoger Karlsson

Hello! Did you see a file, such as WhatsApp.exe, on your system signed by Stepan Rybin? Then read on..

I found this Stepan Rybin file while reviewing some of the submissions to the FreeFixer web site. I thought it looked a little bit like a typical “MultiPlug” adware file and the VirusTotal scan result showed that was the case. Ad-Aware reports WhatsApp.exe as Gen:Variant.Adware.Mikey.7658, Avast calls it Win32:MultiPlug-TP [PUP], Cyren names it W32/S-05e718fa!Eldorado, F-Prot calls it W32/S-05e718fa!Eldorado and Sophos detects it as MultiPlug.

Did you also find a Stepan Rybin download? Do you remember where you downloaded it? Please post the URL in the comments below. I’d like to install this download on my lab machine to have a closer look at it.

Thank you for reading.

Fileadventure – Fake Java Update – 38% Detection Rate

November 18, 2014digital signatureAdKnowledge, Eldorado, iBryteRoger Karlsson

Hello! Just a short note on a publisher called Fileadventure.

If you have a Fileadventure file on your machine you may have noticed that Fileadventure is displayed as the publisher in the UAC dialog when double-clicking on the file. You can also look at the Fileadventure certificate and digital signature by looking under the Digital Signatures tab on the file’s properties. According to the certificate, Fileadventure is located in Kansas City, USA.

The problem here is that if setup.exe really was an installer file for Java, it would be digitally signed by Oracle America Inc. and not by some unknown company.

The Fileadventure file was promoted by adware that showed a pop-up in the browser saying “Your Java Version is Outdated“. The pop-up opened up a faked Java update site.

When I uploaded the Fileadventure file to VirusTotal, it came up with a 38% detection rate. The file is detected as Win32:IBryte-HL [PUP] by Avast, W32/A-138dbbfa!Eldorado by F-Prot, PUP.Optional.iBryte by Malwarebytes and AdKnowledge (fs) by VIPRE.

Did you also find a Fileadventure file? Was it also promoted as a “Java Update”?

Thanks for reading.

R2D2 Tech Software LLC – 27% Detection Rate – Eldorado/InstallBrain

November 14, 2014UncategorizedEldorado, InstallBrainRoger Karlsson

Hi there! Just a note post this morning on a publisher called R2D2 Tech Software LLC. The R2D2 Tech Software LLC download – CodecPerformerSetup.exe – was detected when I uploaded it to VirusTotal. Did you also find a download by R2D2 Tech Software LLC? Was it also detected when you uploaded it to VirusTotal?

If you have a R2D2 Tech Software LLC file on your machine you may have noticed that R2D2 Tech Software LLC is displayed as the publisher in the UAC dialog when double-clicking on the file. Viewing the certificate information is also possible by looking under the digital signature tab for the file. Here the certificate says that R2D2 Tech Software LLC is located in Beaverton, Oregon, USA.

So, why am I writing about the R2D2 Tech Software LLC file? Check out what the anti-virus scanners report about the file:

F-Prot reports CodecPerformerSetup.exe as W32/A-3442f84d!Eldorado, Qihoo-360 classifies it as Malware.QVM06.Gen and VIPRE detects it as InstallBrain (fs) are a few of the detection names for CodecPerformerSetup.exe.

Did you also find an R2D2 Tech Software LLC? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thank you for reading.

ICS Setup – 16% Detection Rate By VirusTotal

October 11, 2014digital signatureCryptInno, Eldorado, InstallCoreRoger Karlsson

Hello! Just a quick post on a file named ChromeSetup.exe signed by ICS Setup before calling it a day. This is how appears when running the file:

To get more details on the publisher, you can view the certificate by right-clicking on the file, and looking under the Digital Signatures tab. According to the certificate we can see that ICS Setup seems to be located in Tel-Aviv, Israel and that the certificate is issued by COMODO Code Signing CA 2.

9 of the anti-virus scanners detected the file. Some of the detection names for the ChromeSetup.exe file are W32/InstallCore.AC.gen!Eldorado, BehavesLike.Win32.CryptInno.bc and InstallCore.b (fs).

Did you also find a ICS Setup file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thank you for reading.

Remove Browser App Adware

July 13, 2014adware, freefixerCrossRider, EldoradoRoger Karlsson

Getting ads labled “Ad by Browser App” or “Ads by Browser App“, like in the screenshots below:

Then you have the BrowserApp adware installed on your machine. You will also Browser App listed as a browser add-on. Here it is in Firefox:

The detection rate by the anti-virus programs are currently very low. Only 3 of the 50+ anti-virus scanners at VirusTotal detects the Browser App files. Eldorado and Crossrider are two of the detection names:

How to remove Browser App? No problem, just selected the Browser App files in FreeFixer and you will no longer see the ads:

How did you get the BrowserApp adware on your machine?

These are the variants I’ve found:

Browser_AppS 1.1
Browseri_Appe 1.2
Browsers App
Browsers Apps +

Context2pro, conadvanced.exe, contextprod.exe and contextfr.exe – Removal Instructions

June 15, 2014freefixerCycloneAd, EldoradoRoger Karlsson

Just a quick post. Found something called Cyclon or Context2Pro bundled in a free download. This is how it appeared in the installer.

Clicking the EULA link opened up a 404 Not Found page. Once installed I noticed pop-ups from markettizer.net.

The anti-virus programs have a relatively good detection rate for Context2Pro:

To remove Context2Pro, check conadvanced.exe, contextprod.exe and contextfr.exe for removal in FreeFixer. During my testing there was no entry in the Add/Remove programs dialog for Context2pro.

How did you get Context2Pro on your computer?