A few days ago I found a download that was digitally signed by a company called Overall Media, Inc. What caught my attention was that the download was called SkypeSetup.exe and used the Skype icon for the installer file. This might look like an official Skype download, but it is not.
When running the Overall Media, Inc. SkypeSetup.exe file I could see that it bundled Search Protect and the Qone8.com web site.
When running the Overall Media, Inc. file through the scanners at VirusTotal, 4 of the anti-virus programs detected the file:
Did you also find an Overall Media, Inc. download? Where did you find it and what kind of download was it?
Sorry for not posting anything during the days. I’ve been having a few days off visiting friends and family. Before my time off I found another publisher called DIGITAL PLUGIN S.L that bundles some potentially unwanted programs. The file I found was called Player.exe and I could see DIGITAL PLUGIN S.L appear when double-clicking on the file.
Update 2015-06-29: Found another download with the publisher name “Digital Plugin SL”.
Viewing the certificate information is also possible by looking under the digital signature tab for the file. Here the certificate says that DIGITAL PLUGIN S.L is located in Tenerife.
And the certificate was issued by GlobalSign.
The reason for posting about DIGITAL PLUGIN S.L is that the file is detected by many of the anti-virus programs. Currently player.exe is detected by 13 of the 52 anti-virus scanners:
Hope you found this post useful.
Did you also find a download signed by DIGITAL PLUGIN S.L? What kind of download was it?
Update 2015-09-12: Today I noticed another download called google_chrome.exe, signed by Digital Plugin SL.
This is another certificate, issued by VeriSign. VirusTotal reports a 19/57 detection ratio.
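The publisher and issuer shown under the Digital Signature tab can also be read from PowerShell and compared with the publisher you expect for the product. This is an added example, not part of the original post or of FreeFixer; the function name Test-InstallerPublisher, the Downloads folder and the expected-publisher placeholder are assumptions you replace with your own values.

```powershell
# Added example: hypothetical helper, not part of FreeFixer or the original post.
function Test-InstallerPublisher {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Publisher name you expect, taken from the vendor's official site (you supply it).
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )

    # -LiteralPath: file names containing [ ] would be treated as wildcards by -FilePath.
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate

    if ($null -eq $cert) {
        # Unsigned file: there is no publisher to compare.
        return [pscustomobject]@{
            File = $Path; Status = $sig.Status; Publisher = $null
            Issuer = $null; Subject = $null; PublisherMatches = $false
        }
    }

    $nameType  = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $publisher = $cert.GetNameInfo($nameType, $false)   # signer's name
    $issuer    = $cert.GetNameInfo($nameType, $true)    # issuing CA's name

    [pscustomobject]@{
        File      = $Path
        Status    = $sig.Status        # Valid, NotSigned, HashMismatch, ...
        Publisher = $publisher
        Issuer    = $issuer
        Subject   = $cert.Subject      # full subject, including the location fields
        # A valid signature only proves who signed the file; the name must still
        # be the publisher of the product the file claims to be.
        PublisherMatches = ($sig.Status -eq 'Valid') -and ($publisher -eq $ExpectedPublisher)
    }
}

# List every .exe in Downloads that is unsigned, invalid, or signed by someone
# other than the expected publisher (placeholder value below).
Get-ChildItem "$env:USERPROFILE\Downloads" -Filter *.exe |
    ForEach-Object { Test-InstallerPublisher -Path $_.FullName -ExpectedPublisher 'EXPECTED PUBLISHER NAME' } |
    Where-Object { -not $_.PublisherMatches } |
    Format-Table File, Status, Publisher, Issuer -AutoSize
```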
If you’ve been following my recent posts here on the FreeFixer blog, you know that I’ve been looking at files that have a valid digital signature and bundle various types of potentially unwanted programs. A few days ago I found another publisher named V.X. Technocom that bundles software.
The file was called Game_of_Thrones_S04E02_HDTV_x264-2HD[ettv].exe.
If you have a V.X. Technocom download on your computer you may have noticed that Closed Joint-Stock Company “V.X. Technocom” appears as the publisher in the UAC dialog when double-clicking on the file.
You can also see the V.X. Technocom certificate by looking under the Digital Signature tab on the file’s properties. According to the certificate, V.X. Technocom is located in Moscow, Russia.
These are the current VirusTotal detections for the file. Adware/Savy.ahdd and GetPrivate are the detection names by AntiVir and VIPRE:
Since the download was detected I decided to give it a try to see what it installed. During my test I could see Aducky, Sweet-Page, ShopperFriend and Block-N-Surf, as shown in the screenshots below:
After accepting the offers a bunch of new files and settings appeared. Here are some of the files:
A bunch of new ads also started to pop up, labeled monkeytize and RightCoupon.
You can remove these unwanted ads, files and settings with help from the FreeFixer tool.
Where did you find the V.X. Technocom download? What kind of download was it?
Found another adware variant called Bellaphant today. It was bundled with a download called MediaFinder. Here’s how Bellaphant is disclosed in the MediaFinder installer:
According to the disclosure, Bellaphant
provides special offers and coupons, website ratings and reviews, multi-site searching, comparison shopping and related search results. Additional features may be auto-enabled after installing.
13 of the 51 anti-virus programs are clearly aware of the Bellaphant adware, as you can see in the scan result from VirusTotal:
If you have Bellaphant on your machine you can see it in Mozilla Firefox’ and Internet Explorer’s Add-Ons menu:
If you’d like to remove Bellaphant with FreeFixer, you can just check the Mozilla Firefox Extension and the Internet Explorer browser helper object called bellaphantbho.dll:
I found Bellaphant bundled with MediaFinder. How did you get Bellaphant on your machine?
Did you find something called Adobe Flash Player Packages in the programs list and wonder what it is? Chances are that this was added when downloading and installing an unofficial Adobe Flash Player. Here’s how Adobe Flash Player Packages appears in the programs list:
To avoid this in the future, please keep in mind to always download software from its official site. For example, get the Adobe Flash Player from http://get.adobe.com/se/flashplayer/
How did you get Adobe Flash Player Packages on your machine?
Did you just find something called Site Matcher Pro in Mozilla Firefox’ Add-on dialog?
Site Matcher Pro is a piece of software that suggests similar web sites based on the sites that you are currently browsing.
How did you get Site Matcher Pro on your computer? I found it bundled with an unofficial Adobe Flash Player download. The Flash download was signed by the SuperCool Applications publisher. Here’s a screenshot of Site Matcher Pro appearing in the installer:
If you’d like to remove Site Matcher Pro, you can do so from inside Firefox, or by selecting the Site Matcher Pro extension for removal in FreeFixer:
Hope this helped you to figure out what Site Matcher Pro is and how to remove it.
Update 2014-10-06: Found Site Matcher Pro in another installer:
Another adware find this morning. This one is called Greener Web. You might have noticed Greener Web when starting up Firefox and being asked to install Greener Web, or in Mozilla’s and Internet Explorer’s add-on dialog:
Many of the anti-virus programs over at VirusTotal detect the Greener Web adware as you can see in the scan result for GreenerWebbho.dll:
I found GreenerWeb bundled in an unofficial Adobe Flash Player download. The installer file, AdobeFlashPlayer.exe was digitally signed by SuperCool Applications. Here’s how GreenerWeb was disclosed in the installer:
How did you get Greener Web on your computer? Please let me and the readers know by posting a comment.
You can remove Greener Web with FreeFixer. Just select the Greener Web files for removal and click the Fix button and Greener Web will not bother you any more:
Hope this helped you figure out what Greener Web is and how it is distributed.
Did you see a new type of ads labeled Ads by NewPlayer popping up recently on your computer, even on web sites that normally don’t show any ads? Then you have the NewPlayer adware on your machine. The two types of NewPlayer ads that I’ve seen are a standard banner (to the left), and the Nav-Links roll-over ad type (to the right), as shown in the screenshot below.
Removing NewPlayer is a one-minute job with FreeFixer. All you need to do is to select the NewPlayer files for removal, and then hit the Fix button. The filenames for NewPlayer can vary somewhat. In my case they were called NewPlayerFT171.exe, NewPlayerV40.exe and NewPlayerLwruQw.exe. I’m sure you can identify them on your computer. Here are the NewPlayer files in the FreeFixer scan result:
The detection rate for the NewPlayer adware appears to be pretty low. 3 of the 52 anti-virus scanners at VirusTotal detected the NewPlayer file. Avast refers to it as Win32:Adware-BQV and Baidu and ESET-NOD32 call it AddLyrics.
How did you get NewPlayer on your computer?
I was playing around and testing some downloads when I found a file signed by New IT Limited. This is how it looks when double-clicking on the file and New IT Limited appears as the publisher.
It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the New IT Limited certificate:
New IT Limited appears to be located in Nicosia, Cyprus.
What initially caught my interest was that the file was named Game of Thrones HDTV.. after the famous TV-series Game of Thrones from HBO. 2 of the 51 scanners over at VirusTotal detected the New IT Limited file. Win32:FourShared-D [PUP] and a variant of Win32/4Shared.S were the detection names:
Since ESET-NOD32 and Avast detected the file I got curious and decided to run the file. Turns out the installer bundled the Qone8 search engine:
Did you also find a download that was digitally signed by New IT Limited? What kind of download was it?
Thanks for reading!