Monthly Archives: June 2015

PlatformMax (Fried Cookie Ltd) – 9% Detection Rate – InstallCore

Welcome! Just wanted to give you a heads-up on a suspicious file I just found. The file is named vlc-media-player_setup.exe and is digitally signed by PlatformMax (Fried Cookie Ltd).

PlatformMax Fried Cookie publisher

If you have a PlatformMax (Fried Cookie Ltd) file on your machine you may have noticed that PlatformMax (Fried Cookie Ltd) is displayed as the publisher in the UAC dialog when double-clicking on the file. The certificate is issued by GlobalSign CodeSigning CA – G2.

PlatformMax (Fried Cookie Ltd) cert

If you are considering running the PlatformMax (Fried Cookie Ltd) signed file, please check out the detections by some of the anti-virus programs:

PlatformMax anti-virus report

AVG detects vlc-media-player_setup.exe as Generic.7D6, Comodo classifies it as Application.Win32.InstallCore.DXC, DrWeb detects it as Trojan.InstallCore.890 and Malwarebytes reports PUP.Optional.InstallCore.SID.C.

Did you also find a PlatformMax (Fried Cookie Ltd) file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thanks for reading.

Rodion Bordin – 33% Anti-Virus Detection Rate

Hello readers! Just a short note on a publisher called Rodion Bordin.

Rodion Bordin publisher

This is how it looks when double-clicking on the file and Rodion Bordin appears as the publisher. The certificate is issued by Certum Code Signing CA.

Rodion Bordin digital signature

So, why did I put up this blog post? Well, the thing is that the Rodion Bordin file is detected by many of the anti-malware scanners, according to VirusTotal. Ad-Aware detects the file as Trojan.Agent.BKMF, DrWeb names it Trojan.PWS.Qqpass.11207, Malwarebytes names it PUP.Optional.MultiPlug and Tencent classifies it as Trojan.Win32.Qudamah.Gen.0.

Rodion Bordin anti-virus report

Did you also find a Rodion Bordin file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thanks for reading.

Danil Vlasov – 40% Detection at VirusTotal

Hi there! Just a quick post on a file named Moborobo.exe signed by Danil Vlasov.

Danil Vlasov publisher

It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the Danil Vlasov certificate.

Danil Vlasov certificate

The reason I’m writing this blog post is that the Danil Vlasov file is detected by many of the anti-malware scanners at VirusTotal. Avira reports Moborobo.exe as TR/Crypt.XPACK.Gen, BitDefender detects it as Gen:Variant.Strictor.88461, Fortinet detects it as Riskware/Generic.AC.4386 and Sophos detects it as MultiPlug.

Danil Vlasov virustotal report

Did you also find a Danil Vlasov file?

Thank you for reading.

Kiril Semyakov – 46% Detection Rate – Adware.Agent.PQH / Win32:FakeDownload-F

Hello readers! Just a quick post today, since I’m busy working on the next release of FreeFixer. Did you see a file on your system digitally signed by Kiril Semyakov? Then read on.

Kiril Semyakov publisher

Windows will display Kiril Semyakov as the publisher when running the file. It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the Kiril Semyakov certificate.

Kiril Semyakov cert

According to this, Kiril is located in Ukraine.

The reason I’m writing this blog post is that the Kiril Semyakov file is detected by many of the anti-malware scanners at VirusTotal. Avast classifies the file as Win32:FakeDownload-F [PUP], F-Secure reports Adware.Agent.PQH, Ikarus detects it as PUA.Win32.InstalleRex, McAfee-GW-Edition detects it as MultiPlug-FYT and Sophos reports MultiPlug.

Kiril Semyakov anti-virus report

Did you also find a Kiril Semyakov file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thank you for reading.

SAFE INSTALL SOFTWARE – 18% Detection Rate At VirusTotal

Hello readers! Lately I’ve been looking at the digital signatures on files that push various types of unwanted programs. This morning I found a new file called finaltorrent-setup.exe, digitally signed by SAFE INSTALL SOFTWARE.

SAFE INSTALL SOFTWARE publisher

This is how it looks when double-clicking on the file and SAFE INSTALL SOFTWARE appears as the publisher. Information about a digital signature and the certificate can also be found under the Digital Signature tab. According to the certificate, SAFE INSTALL SOFTWARE is located in San Francisco in the US and the certificate is issued by VeriSign Class 3 Code Signing 2010 CA.

SAFE INSTALL SOFTWARE certificate

These are the current VirusTotal detections for the file. DownloadAdmin (fs), Trojan.Win32.Atraps.b, Trojan.Graftor and DownloadAdmin (fs) are a few of the detection names for the finaltorrent-setup.exe file.

SAFE INSTALL SOFTWARE virus total report

Did you also find a file digitally signed by SAFE INSTALL SOFTWARE? What kind of download was it and where did you find it?

Thank you for reading.

EVGENIY NESTEROV – 24% Detection Rate At VirusTotal

Welcome! Short on time today, but I just wanted to give you the heads up on a publisher called EVGENIY NESTEROV.

This is how EVGENIY NESTEROV appears when running the file:

EVGENIY NESTEROV publisher

The certificate is issued by Certum Code Signing CA. Evgeniy appears to be located in Russia.

EVGENIY NESTEROV digital signature

So, why am I writing about the EVGENIY NESTEROV file? Check out what the anti-malware software reports about the file:

EVGENIY NESTEROV virustotal

Avast reports the file as Win32:FakeDownload-F [PUP], Ikarus detects it as PUA.Win32.InstalleRex, Sophos calls it MultiPlug and Tencent classifies it as Trojan.Win32.Qudamah.Gen.6. These are a few of the detection names for [share_ebook] MediaWiki Administrators’ Tutorial Guide [ReUpload].exe.

Did you also find an EVGENIY NESTEROV download? What kind of download was it?

Thanks for reading.

Remove Pine Tree Ads – PineTree Adware Removal

Hi there. Did you just spot something called Pine Tree on your machine? If Pine Tree is installed on your machine, you’ll see ads labeled “Pine Tree Ads” appearing in Firefox and Internet Explorer. I’ll show how to remove PineTree in this blog post with the FreeFixer removal tool.

Pine Tree Ads

Pine Tree firefox

So, how did Pine Tree install on your machine? It was probably bundled with some download that you installed recently. Bundling means that software is included in other software’s installers. Here’s how it appeared in the installer:

pine tree installer

Generally, you can avoid bundled software such as Pine Tree by being careful when installing software and declining the bundled offers in the installer.

When I run into some new bundled software I always upload it to VirusTotal to check if the anti-virus software there detects anything. 24 of the 56 scanners detected the file. The Pine Tree files are detected as a variant of Win32/BrowseFox.AE potentially unwanted by ESET-NOD32, Gen:Variant.Adware.Mikey by F-Secure, PUP.Optional.PineTree.A by Malwarebytes and Trojan.Win32.Yontoo.dnkubo by NANO-Antivirus.

All you need to do to remove PineTree is to check the Pine Tree files in the scan result and click the Fix button. A reboot of your machine may be required to complete the removal. Here are a few screenshots that should help you along the way:

remove pinetree internet explorer

Hope that helped you to figure out how to do the removal.

I stumbled upon Pine Tree while testing out some downloads that are known to bundle lots of unwanted software. Any idea how PineTree was installed on your machine? Please share in the comments below. Thank you very much!

Thank you for reading and welcome back.

YURIY DRACHEV – VirusTotal Detects The Download as “MultiPlug”

Welcome! Just a quick post today. Did you just find a file signed by YURIY DRACHEV? Then read on.

YURIY DRACHEV publisher

Windows will display YURIY DRACHEV as the publisher when running the file. It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the YURIY DRACHEV certificate. According to the cert, Yuriy is located in Russia.

YURIY DRACHEV certificate

If you are considering running the YURIY DRACHEV signed file, I’d advise you not to. This is yet another variant of the unwanted MultiPlug software.

Thanks for reading.

VIKTOR AGRAPOVICH – 35% Detection – MPlug / MultiPlug

Hi there! Just a short post before I call it a day. I found yet another file that bundled a bunch of unwanted programs, and the file was signed by VIKTOR AGRAPOVICH.

VIKTOR AGRAPOVICH publisher

Typically you’d see the VIKTOR AGRAPOVICH publisher name appear when double-clicking on the file. It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the VIKTOR AGRAPOVICH certificate. Viktor seems to be located in Russia.

VIKTOR AGRAPOVICH cert

The scan result from VirusTotal below clearly shows why you should avoid the VIKTOR AGRAPOVICH file. It is detected under names such as Generic6.AYBD, Gen:Variant.Adware.Mplug, Trojan ( 0040fa761 ), PUP.Optional.MultiPlug and MultiPlug-FXN.

VIKTOR AGRAPOVICH virus total

Did you also find a VIKTOR AGRAPOVICH file?

Thank you for reading.
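
The posts above check the publisher through the UAC dialog and the Digital Signatures tab of a file's properties. The same check can be scripted; the following is an added example, not part of the original posts or of FreeFixer, that lists the signer and issuer of every installer in a folder and flags the publisher names mentioned on this page. The Downloads path and the assumption that the certificate's common name matches the publisher name shown by Windows are mine.

```powershell
# Added example. Publisher names are the ones discussed in the posts above.
$WatchedPublishers = @(
    'PlatformMax (Fried Cookie Ltd)', 'Rodion Bordin', 'Danil Vlasov',
    'Kiril Semyakov', 'SAFE INSTALL SOFTWARE', 'EVGENIY NESTEROV',
    'YURIY DRACHEV', 'VIKTOR AGRAPOVICH'
)

function Get-SignerReport {
    param(
        [string]$Path = "$env:USERPROFILE\Downloads",   # assumed folder to audit
        [string[]]$Watched = $WatchedPublishers
    )
    $cn = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    Get-ChildItem -Path $Path -File -Recurse -Include *.exe, *.msi -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -LiteralPath so names containing [ ] are not treated as wildcards
            $sig    = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $cert   = $sig.SignerCertificate
            $signer = if ($cert) { $cert.GetNameInfo($cn, $false) } else { $null }
            $issuer = if ($cert) { $cert.GetNameInfo($cn, $true) }  else { $null }
            [pscustomobject]@{
                File    = $_.Name
                Status  = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                Signer  = $signer
                Issuer  = $issuer
                # -contains is case-insensitive, so "Evgeniy Nesterov" also matches
                Watched = [bool]($signer -and ($Watched -contains $signer))
                SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Watched publishers first; the SHA256 can be looked up on VirusTotal.
Get-SignerReport | Sort-Object Watched -Descending | Format-Table -AutoSize
```

A `Valid` status only means the signature verifies and chains to a trusted issuer; as the detections above show, it says nothing about whether the program is wanted.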