Monthly Archives: July 2014

Ads By Cinema-Plus 1.2 – CinameHDPure Removal

Do you see advertisements labeled Ads By Cinema-Plus 1.2, while browsing the web? If so, you have an adware called CinameHDPure installed on your machine. The CinameHDPure files are digitally signed by a company called Motoko Group. This how the Ads By Cinema-Plus 1.2 looks like:

Ads by Cinema-Plus 1.2 Ads By Cinema Plus

Removing CinameHDPure is pretty straightforward. Just select the CinameHDPure files in  FreeFixer as shown in the screenshots and you’ll be good:

CinameHDPure tasks CinameHDPure firefox extension CinameHDPure bho


I think there are multiple variants of this adware. The variant I found was named CinameHDPureV9.5.

How did you get the Ads By Cinema-Plus ads on your machine? Removal Instructions

Did your search settings and home page in Mozilla Firefox and Internet Explorer get changed to . No problem, just select the items in FreeFixer‘s scan result and the problem will be solved. Firefox add-on in FreeFixer firefox search engine ie search provier

How did you get on your computer? I found it bundled in a downloader program. Here’s how it was disclosed in the installer:

groovorio installer

Hope you found this useful.

Stanislav Kabin – Certificate Warning

Just a quick post to warn you files digitally signed by Stanislav Kabin. The file I found was detected by many of the anti-virus programs. Here’s how Stanislav Kabin appears in the UAC dialog.

Stanislav Kabin Publisher


The Stanislav Kabin certificate shows that the publisher is located in Russia.

Stanislav Kabin Certificate

Did you also find a file signed by Stanislav Kabin? What kind of file was it, and where did you find it?

Here’s the VirusTotal scan results:

Stanislav Kabin VirusTotal Report


Ads by TheTorntv – Removal Instructions

Do you see ads labeled “Ads by TheTorntv” while searching on Google, like in the screenshot below?

Ads by TheTorntv in Google search results


If you see TheTorntv ads, you got an adware installed on your machine called TheTorntv. Don’t worry, I’ll show how to remove TheTorntv with FreeFixer. The files that you want to remove is located in a folder called TheTorntv V10 located in the Program Files folder.

Just select the following files for removal in FreeFixer’s scan result and the ads will be gone after you reboot your machine:

TheTorntv Scheduled tasks TheTorntv Mozilla Extension TheTornTv in Internet Explorer

The following are the detection names for TheTorntv, thanks to VirusTotal:

  • ADWARE/CrossRider.Gen2
  •  a variant of Win64/Toolbar.Crossrider.F
  •  AdWare.Adload
  • PUP.Optional.TornTV.A
  • Crossrider (fs)

How did you get TheTorntv on your machine? I found it while looking around at a torrent site.

Information Technology Systems doo – VirusTotal Report

Just wanted to give you the heads up on a publisher called Information Technology Systems doo.

Information Technology Systems doo Publisher

According to the certificate, the publisher is located in Montenegro:

Information Technology Systems doo Certificate

This is the VirusTotal scan report for the Information Technology Systems doo file:

Information Technology Systems doo - VirusTotal

Generic.DAA, Unwanted-Program and  are some of the detection names.

Did you also find a file signed by Information Technology Systems doo? What kind of download was it? In my case, the download claimed to be the Flash Player installer.

Update 2014-09-03: Found a file promoted as a Java installer, signed by Information Technology Systems doo:

Information Technology Systems doo

The web page is hosted on The file is called java_setup.exe and is detected by 10 of the 55 anti-virus programs at VirusTotal.

According to the web page, java_setup.exe is a downloader, rather than the real Java setup file:

“Coinis downloader is distributing a proprietary download manager that will take you to the official download of this program. Prior to taking you to the official download, we will offer optional sponsored software that you may be interested in. You are not required to install any additional software to receive your download.”

Update 2016-09-23: I’ve rescanned the java_setup.exe file. Now the detection rate is 31/57. Based on the scan result over at VirusTotal and by looking at the java_setup.exe executable file, it seems that the file contains the InstallCore software rather the Coinis downloader, contrary to what the web page at stated.

What is WiredTools?

I just found a program called WiredTools, which installed with the SoundFrost music download software. You might notice WiredTools.exe running in the background or that it appears in the Add/Remove programs dialog:

WiredTools Remove Programs Dialog WiredTools.exe Task Manager


I have not figured out what the purpose of the WiredTools program is, but I think it looks suspicious. I could not see any disclosure in the SoundFrost installer that WiredTools would be installed.

I uploaded WiredTools.exe to VirusTotal. Only one of the scanners detected the file, as HEUR/Malware.QVM10.Gen:

WiredTools Virus Total

Did you also find WiredTools on your computer? Did you also get it while installing SoundFrost?

Onekit Internet S.L – VirusTotal Scan Report

I’ve previously written about JDownloader. Today I noticed that another company called Onekit Internet S.L has signed the JDownloader file.

onekit internet s l

When I tested the installer, the following programs were bundled and disclosed in the installer:

  • SoftwareUpdater
  • iRobinHood Partners Addon
  • Remote Desktop Access (VuuPC)
  • PC Speed Up
  • PassWidget

10 of the anti-virus scanners are detecting the the Onekit Internet S.L file:

onekit internet s.l virus total

Saul Perec VirusTotal Report – 38% Detection Rate

Just found a download digitally signed by Saul Perec. I’d recommend being careful if you also have downloaded a file signed by Saul Perec. This the the VirusTotal scan for the Saul Perec file:

Saul Perec Virus Total

Luckily Windows warns when launching a downloaded file and shows the publisher information.

Saul Perec Publisher

You can also view the Saul Perec certificate by right-clicking on the file, and looking under the Digital Signature tab:

Saul Perec Certificate

Did you also find a file signed by Saul Perec? Where did you find it and what kind of download was it? Removal Instructions

Did you just launch your web browser and noticed your start page had been changed to No problem, I’ll show how to remove the start page and search provider from Internet Explorer and Mozilla Firefox in this blog post. Here’s how appears in Firefox: in firefox

The removal is easy with FreeFixer, just select the items listed in the FreeFixer scan result, as shown in the screenshots below, and then click the Fix button. Problem solved. ie settings ie search provider

How did you get on your computer? I found it in a download that claimed to be an episode of a famous TV-series.