Just a short post before getting back to work. I found a software download this morning that bundles some unwanted software. The download is digitally signed by Anton Melnikov. The problem with the Anton Melnikov download is that it bundles lots of unwanted software, such as “SaveOn”, “Y**tubeAdBlocker”, “SW-Booster”, “SW-Sustainer”, etc.
Windows will display Anton Melnikov as the publisher when running the file. The program name is “Installer for TopApp software”.
You can also check the digital signature under the file’s properties. The certificate says Anton Melnikov is located in Kiev, Ukraine.
Well, hope this blog post saved you a few hours by avoiding those unwanted programs. There are after all more interesting things to do than cleaning a computer from adware.
Did you also find a file signed by Anton Melnikov? Where did you find it and what kind of download was it? Thanks for sharing.
Getting bombarded with ads labeled “productivitypro Ads” and a large sidebar with search results called “Topic Torch by productivitypro” like in the screenshots below?
productivitypro will also appear in your web browser’s add-on list. It appears as “productivitypro 1.0.1” in Firefox:
So, how about the removal? Simply check the productivitypro files in FreeFixer for removal:
Out of curiosity, how did you get the productivitypro adware on your computer? Please let me know by posting a comment.
I found yet another Bitcoin miner this morning. You might have spotted it because of a new file called WiseManager.exe running at startup or the high CPU usage by CfjdkPfhrU.exe as shown in the screenshot of the Task Manager below:
The Wise Manager files are located in C:\Users\%USER%\AppData\Roaming\WiseManager\ and C:\Users\%USER%\AppData\Roaming\WiseManager\CGMInerDLLs.
Currently no anti-virus detects the two main files, WiseManager.exe and CfjdkPfhrU.exe, when I uploaded them to VirusTotal, but I assume the scanners will start picking them up sooner rather than later. WiseManager.exe is digitally signed by Moresta Holdings Limited. CfjdkPfhrU.exe is unsigned.
By the way, CfjdkPfhrU.exe sounds like it has been given a random file name. Does your computer show another file hogging the CPU?
Removing WiseManager.exe and CfjdkPfhrU.exe is easy with FreeFixer. Just check WiseManager.exe and CfjdkPfhrU.exe for removal, click the Fix button, and the problem is solved.
Now you can remove the C:\Users\%USER%\AppData\Roaming\WiseManager\ folder manually in Explorer.
I found the Wise Manager Bitcoin miner while testing a free download. WiseManager was bundled inside the download. How did you get Wise Manager and CfjdkPfhrU.exe on your computer?
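Since the CPU-hogging file appears to have a random name, it is more reliable to look for the miner by its folder than by file name. The following PowerShell sketch is an added example, not part of the original post or of FreeFixer. It assumes the folder path given above, where `C:\Users\%USER%\AppData\Roaming` corresponds to `$env:APPDATA`, and it only reports what it finds:

```powershell
# Added example: locate the Wise Manager miner by folder rather than by file name.
# The folder is the one named in the post; $env:APPDATA expands to
# C:\Users\<user>\AppData\Roaming for the current user.
$minerDir = Join-Path $env:APPDATA 'WiseManager'

if (-not (Test-Path -LiteralPath $minerDir)) {
    Write-Output "No $minerDir folder found."
    return
}

# 1. Every executable in the folder, with signature status, signer and SHA-256
#    (the hash can be looked up on VirusTotal without uploading the file again).
$files = Get-ChildItem -LiteralPath $minerDir -Recurse -File -Filter *.exe |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File   = $_.FullName
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }

# 2. Running processes whose image lives in that folder, with accumulated CPU time.
#    This catches a randomly named miner process regardless of what it is called.
$procs = Get-Process |
    Where-Object { $_.Path -and $_.Path.StartsWith($minerDir, [StringComparison]::OrdinalIgnoreCase) } |
    Select-Object Id, Name, Path, @{ n = 'CpuSeconds'; e = { [math]::Round($_.CPU, 1) } }

# 3. Startup entries that launch anything from the folder.
$startup = Get-CimInstance -ClassName Win32_StartupCommand |
    Where-Object { $_.Command -like '*\WiseManager\*' } |
    Select-Object Name, Command, Location, User

$files   | Format-List
$procs   | Format-Table -AutoSize
$startup | Format-List
```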
Just a quick post before starting today’s programming on the FreeFixer tool. This is the second time I have spotted a file digitally signed by Daneil Jemoch that bundles lots of unwanted programs. Thought I should warn you and hopefully save you from some unnecessary adware cleaning. You can see Daneil Jemoch appear as the publisher when running the file as shown below.
You can also check who signed a file by checking the digital signature tab. The screenshot below shows the Daneil Jemoch certificate. From the certificate info we can see that Daneil Jemoch appears to be located in Kiev, Ukraine.
The anti-virus programs have a decent detection rate for the Daneil Jemoch file:
The anti-virus scanners refer to the file as Graftor, MultiPlug and InstalleRex.
Where did you find the Daneil Jemoch signed file?
Hope you found this post useful. Please let me know by posting a comment.
One of the tools that I’m using quite often is DDS. It is used to generate a log file containing the running processes, services, search settings, browser plugins, etc. Basically the same information as the items that appear in the FreeFixer log. From time to time I’m getting an error saying “PEV.DAT has stopped working” when running DDS and I’m wondering if anyone out there knows of a work-around, or if there’s a more recent DDS download that solves this bug?
Just a short post before I call it a day. I found yet another file that bundled a bunch of unwanted programs, and the file was signed by Boris Burkin. Typically you’d see the Boris Burkin publisher name appear when double-clicking on the file:
You will also see Boris Burkin appear if you check the file’s digital signature.
If you are considering running the Boris Burkin signed file, I’d advise you not to. Delete it instead. Just check out the detection list from some of the anti-virus programs:
The anti-virus programs call the file Trojan.AntiFW, InstalleRex, Adware.Downware, Win32.InfoLeak, Downloader.AdLoad, etc.
Did you also find a file digitally signed by Boris Burkin? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.
Just got home after having an espresso with my friend Jon Kågström and started to check out a bunch of suspicious downloads. One of the downloads was signed by the Clovermedia SL publisher. If you came here wondering if the file is safe or not, I think you should avoid running the Clovermedia file.
You can also check who signed a file by looking under the file’s properties. The following screenshot shows how the Clovermedia SL certificate appears under the Digital Signature tab.
There is also additional info available, such as that Clovermedia SL is located on Tenerife.
Anyway, the problem with the Clovermedia file is that it bundles lots of potentially unwanted programs, such as MediaPlayer Plus, Freeven, etc. Many of the anti-virus programs are well aware of this, and flag the Clovermedia file with names such as DomaIQ.
Hope this helped you avoid some adware.
Did you also find a Clovermedia file? Where did you download it?
I was looking around for some adware to install on my lab machine to test a new cleaning feature that I’m working on for the FreeFixer tool, when I stumbled on a file digitally signed by HARASAN PRAPAPON. I’m writing this post to warn you about the file. Typically the file is named after some popular TV-series or movie.
If you are hesitating with the following UAC prompt saying HARASAN PRAPAPON is the publisher, I strongly suggest you click the No button.
Tip: You can also check a digital signature by right-clicking on a file -> Properties -> Digital Signature.
So what’s the problem with the HARASAN PRAPAPON signed file? Here’s the detection results, which should convince you:
- Malwarebytes PUP.Optional.OneClickDownloader.A
- Kingsoft Win32.Troj.Generic.a.(kcloud)
I’m sure the other anti-virus programs will pick up this file sooner rather than later.
Did you also find a file signed by HARASAN PRAPAPON? What are the anti-virus programs calling it? (Hint: upload it to www.virustotal.com)
To save you from some adware cleaning, I just want to give you the heads up on files that are digitally signed by WARP INSTALLER. Most versions of Windows will display the publisher when double-clicking on a downloaded file, as shown in the screenshot below.
If you get this prompt about Premium Installer by WARP INSTALLER, click No.
You can also check the digital signature by looking under the digital signature tab in a file’s properties.
So, why should you avoid the WARP INSTALLER files? StartDownload.exe, which is digitally signed by WARP INSTALLER, is detected by 15 of the 50 anti-virus programs! Here are some of the detection names:
- ESET-NOD32 a variant of Win32/AdWare.iBryte.AD
- F-Secure Gen:Variant.Application.Bundler
- Kingsoft Win32.Troj.Generic.a.(kcloud)
- Malwarebytes PUP.Optional.OptimumInstaller.A
Did you also download one of the WARP INSTALLER signed files? Where did you find it?
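The signature check described in these posts (Properties -> Digital Signature) can also be done in bulk from PowerShell. The script below is an added example, not part of the original posts or of FreeFixer. It assumes downloads are kept in the default Downloads folder, and its watch list contains only the publisher names mentioned on this page:

```powershell
# Added example: report who signed each downloaded installer and flag the
# publisher names mentioned in the posts on this page.
param(
    # Assumption: downloads live in the user's default Downloads folder.
    [string]$Path = (Join-Path $env:USERPROFILE 'Downloads')
)

# Publisher names exactly as written in the posts.
$watchList = @(
    'Anton Melnikov', 'Daneil Jemoch', 'Boris Burkin', 'Clovermedia SL',
    'HARASAN PRAPAPON', 'WARP INSTALLER', 'Moresta Holdings Limited'
)

$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.msi -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate

        # The simple name is normally the subject's common name, i.e. the
        # publisher text Windows shows when the file is run.
        $publisher = if ($cert) { $cert.GetNameInfo($nameType, $false) } else { $null }

        [pscustomobject]@{
            File      = $_.Name
            Status    = $sig.Status      # Valid, NotSigned, HashMismatch, ...
            Publisher = $publisher
            # The full subject usually carries city (L=) and country (C=) as well.
            Subject   = if ($cert) { $cert.Subject } else { $null }
            # -contains is case-insensitive, so "Warp Installer" also matches.
            Listed    = [bool]($publisher -and ($watchList -contains $publisher))
        }
    } |
    Sort-Object Listed -Descending |
    Format-Table -AutoSize -Wrap
```

A `Valid` status only confirms who signed the file and that it has not been modified since; the files described in these posts were all validly signed and still bundled unwanted software.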
Getting bombarded by Findopolis ads like in the screenshot below? No problem, I’ll show how to remove the Findopolis adware. Read on…
The Findopolis adware has been around for some time, at least from the beginning of February 2014, but it is still being distributed. So I thought I should write a few lines about it. I found Findopolis yesterday when a pop-up claimed that my computer needed a “Video Upgrade”.
All you need to do to remove Findopolis is to check the Findopolis files for removal in FreeFixer and click the Fix button.
Here’s a video demonstrating the removal:
Hope you found this useful.
How did you get Findopolis on your machine? Please share your story in a comment below.