Hi there! Short on time this evening, but I just wanted to give you the heads up on a publisher called LLC DE PROEKT.
If you have a LLC DE PROEKT file on your machine you may have noticed that LLC DE PROEKT is displayed as the publisher in the UAC dialog when double-clicking on the file. The certificate is issued by COMODO RSA Code Signing CA. The publisher is located in the Ukraine.
The problem here is that if FlashPlayer__6741_i1561835113_il7532.exe really was a setup file for Adobe Flash Player, it should have been digitally signed by Adobe Systems Incorporated and not by some unknown company. This looks suspicious. Here’s what the authentic Adobe Flash Player installer looks like when you double-click on it. Notice that the “Verified publisher” says “Adobe Systems Incorporated”.
The issue with the LLC DE PROEKT file is that it is detected by many antimalware programs. Here are some of the detection names: Trojan.Application.Strictor.D164B3, BundleApp.IVU, W32.HfsAdware.B493, Gen:Variant.Application.Strictor, PUP.Optional.Bundle and Amonetize (fs).
Did you also find a download that was digitally signed by LLC DE PROEKT? What kind of download was it and was it detected by the anti-viruses at VirusTotal? Please share by posting a comment.
Thanks for reading.
Update 2015-08-18: Found another download today, also signed by LLC DE PROEKT and also using “Flash” in the filename to confuse users. The detection rate for this file was 25% according to VirusTotal:
When I ran the installer it disclosed that it bundled a bitcoin miner or some other type of cryptocurrency miner:
Just a quick update on the certificate chain. It begins with UserTrust, then Comodo and then LLC DE PROEKT:
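The check described in this post (does the “Verified publisher” match the company that should have signed the file, and who sits above it in the chain) can be scripted instead of clicking through the Digital Signatures tab. The PowerShell function below is an added example, not code from the FreeFixer blog: it reads the Authenticode signature with the built-in Get-AuthenticodeSignature cmdlet, compares the signer’s common name with the publisher you expected, and prints the chain root-first in the UserTrust → Comodo → signer order shown above. The function name, the default expected publisher and the sample path are my own assumptions; the same check applies to the TRUSTED INSTALL SOFTWARE, Astori LLC and Artur Flomenko files in the later posts.

```powershell
function Test-InstallerSigner {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$ExpectedPublisher = 'Adobe Systems Incorporated'   # assumption: what a Flash installer should carry
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Status is Valid only when the signature verifies AND the chain is trusted
    # on this machine; NotSigned, HashMismatch and UnknownError are all red flags.
    Write-Host "File              : $Path"
    Write-Host "Signature status  : $($sig.Status)"
    if (-not $sig.SignerCertificate) {
        Write-Warning 'No Authenticode signature present.'
        return $false
    }

    $cert   = $sig.SignerCertificate
    $simple = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    # The subject CN is the name UAC shows as "Verified publisher".
    $publisher = $cert.GetNameInfo($simple, $false)
    Write-Host "Verified publisher: $publisher"
    Write-Host "Subject           : $($cert.Subject)"   # L= and C= give the city/country seen in the post
    Write-Host "Issued by         : $($cert.Issuer)"
    Write-Host "Valid             : $($cert.NotBefore) - $($cert.NotAfter)"
    Write-Host "Thumbprint        : $($cert.Thumbprint)"

    # Build the chain and print it root-first (ChainElements runs leaf -> root).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $null = $chain.Build($cert)
    $elements = @($chain.ChainElements)
    Write-Host 'Certificate chain (root first):'
    for ($i = $elements.Count - 1; $i -ge 0; $i--) {
        $depth = $elements.Count - 1 - $i
        $name  = $elements[$i].Certificate.GetNameInfo($simple, $false)
        Write-Host ('  ' * $depth + $name)
    }
    # Revoked, expired or untrusted-root problems show up here.
    foreach ($s in $chain.ChainStatus) {
        Write-Warning "Chain problem: $($s.Status) - $($s.StatusInformation)"
    }

    # The actual check: a Flash Player installer should be signed by Adobe, not by
    # whichever company bought a code-signing certificate last week.
    if ($publisher -ne $ExpectedPublisher) {
        Write-Warning "Signed by '$publisher', expected '$ExpectedPublisher'. Treat as suspicious."
        return $false
    }
    return ($sig.Status -eq 'Valid')
}

# Usage (file name from the post; the path is an assumption):
# Test-InstallerSigner -Path '.\FlashPlayer__6741_i1561835113_il7532.exe'
```

A Valid status only tells you the signature is intact and the chain leads to a root Windows trusts; it says nothing about whether the signer is who you expected, which is why the publisher comparison is the part that actually catches the files in these posts.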
Welcome! Lately I’ve been looking at the digital signatures on those files that push various types of unwanted programs. This morning I found a new file called How I Met Your Mother S09E22 HDTV x264-KILLERS[ettv].exe, digitally signed by Dmitry Banak.
Of the 56 scanners, 17 detected the file. The How I Met Your Mother S09E22 HDTV x264-KILLERS[ettv].exe file is detected as Win32:MultiPlug-ABB [PUP] by Avast, a variant of Win32/Kryptik.DPGT by ESET-NOD32, PUP.Optional.Multiplug by Malwarebytes and Trojan.Win32.WebPick.dtsbvc by NANO-Antivirus.
Did you also find a Dmitry Banak download? What kind of download was it?
This page shows how to remove buzzdock.com from Mozilla Firefox, Google Chrome and Internet Explorer.
Did you just see buzzdock.com in the status bar of your browser and ponder where it came from? Or did buzzdock.com show up while you searched for something on one of the major search engines, such as the Google search engine?
Here’s a screen dump of buzzdock.com when it showed up on my machine:
As you can see, it appeared while I did a search at Google.
The following are some of the messages you may see in your browser’s status bar:
Waiting for buzzdock.com…
Transferring data from buzzdock.com…
Looking up buzzdock.com…
Read buzzdock.com
Connected to buzzdock.com…
If this sounds like what you see on your computer, you apparently have some potentially unwanted program installed on your machine that makes the buzzdock.com domain appear in your browser. So don’t flame the people that run the web site you were at when you first spotted buzzdock.com in the status bar. They are apparently not responsible; the messages come from the potentially unwanted program that’s running on your machine. I’ll try to help you with the buzzdock.com removal in this blog post.
For those that are new to the blog: Not long ago I dedicated some of my lab computers and deliberately installed some potentially unwanted programs on them. I’ve been monitoring the behaviour on these computers to see what kinds of ads, if any, are displayed. I’m also looking at other interesting things, such as whether the potentially unwanted program updates itself automatically, or whether it downloads additional software on the computers. I first spotted buzzdock.com in Mozilla Firefox’s status bar on one of these lab machines.
buzzdock.com was registered on 2009-11-02. buzzdock.com resolves to the 8.25.35.116 IP address. I’ve also seen edge.buzzdock.com in use.
So, how do you remove buzzdock.com from your browser? On the machine where buzzdock.com showed up in the status bar I had PriceFountain, SpeedChecker, YTDownloader and WebWaltz installed. I removed them with FreeFixer and that stopped the browser from loading data from buzzdock.com.
The issue with status bar messages like this one is that they can be caused by many variants of potentially unwanted programs, not just the potentially unwanted program that’s installed on my machine. This makes it impossible to say exactly what you need to remove to stop the status bar messages.
Anyway, here’s my suggestion for the buzzdock.com removal:
The first thing I would do to remove buzzdock.com is to examine the software installed on the machine, by opening the “Uninstall programs” dialog. You can open this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows you can just type in “uninstall” in the Control Panel’s search field to find that dialog:
Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Do you see something dubious in there or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if something was installed about the same time as you started seeing the buzzdock.com status bar messages.
Then you can examine your browser add-ons. Potentially unwanted programs often appear under the add-ons dialog in Chrome, Firefox, Internet Explorer or Safari. Is there anything that looks suspicious? Something that you don’t remember installing?
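The two steps above (sort installed programs by install date, then look through the browser add-ons) can be done from a PowerShell prompt as well, which is handy when the Control Panel list is long. The script below is an added example and not the blog’s own code; the registry Uninstall keys and the Chrome and Firefox profile paths are the standard locations on a current Windows install, and the function names are my own. It does not remove anything, it only lists what is there so you can decide what to uninstall.

```powershell
# Installed programs, newest first, from the same registry keys the
# "Uninstall a program" dialog reads (64-bit, 32-bit and per-user keys).
function Get-InstalledPrograms {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            # InstallDate is stored as yyyyMMdd text; some installers omit it,
            # so an empty date is itself worth a second look.
            $date = $null
            if ($_.InstallDate -match '^\d{8}$') {
                $date = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
            }
            [pscustomobject]@{
                Name        = $_.DisplayName
                Publisher   = $_.Publisher
                InstallDate = $date
                Uninstall   = $_.UninstallString
            }
        } | Sort-Object InstallDate -Descending
}

# Chrome add-ons: one folder per extension id, each holding version folders
# with a manifest.json. Names like __MSG_appName__ are localisation
# placeholders; the id is the stable thing to search for.
function Get-ChromeExtensions {
    $root = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'
    if (-not (Test-Path $root)) { return }
    Get-ChildItem $root -Directory | ForEach-Object {
        $id = $_.Name
        Get-ChildItem $_.FullName -Directory | ForEach-Object {
            $manifest = Join-Path $_.FullName 'manifest.json'
            if (Test-Path $manifest) {
                $m = Get-Content $manifest -Raw | ConvertFrom-Json
                [pscustomobject]@{ Id = $id; Version = $m.version; Name = $m.name }
            }
        }
    }
}

# Firefox add-ons: each profile keeps an extensions.json with an "addons" list.
function Get-FirefoxExtensions {
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (-not (Test-Path $profiles)) { return }
    Get-ChildItem $profiles -Directory | ForEach-Object {
        $json = Join-Path $_.FullName 'extensions.json'
        if (Test-Path $json) {
            $data = Get-Content $json -Raw | ConvertFrom-Json
            foreach ($addon in $data.addons) {
                [pscustomobject]@{
                    Profile = $_.Name
                    Id      = $addon.id
                    Name    = $addon.defaultLocale.name
                    Active  = $addon.active
                }
            }
        }
    }
}

# Usage: the twenty most recently installed programs, then the add-ons.
Get-InstalledPrograms | Select-Object -First 20 | Format-Table -AutoSize
Get-ChromeExtensions  | Format-Table -AutoSize
Get-FirefoxExtensions | Format-Table -AutoSize
```

Look for entries whose InstallDate clusters around the day the status bar messages started, and for publishers you do not recognise; the Uninstall column gives you the exact command the Control Panel would run.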
I think most users will be able to find and remove the potentially unwanted program with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the potentially unwanted program. FreeFixer is a freeware tool that I started developing many years ago. FreeFixer is a tool built to manually identify and remove unwanted software. When you’ve tracked down the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.
FreeFixer’s removal feature is not crippled like many other removal tools out there. It won’t require you to pay a fee just when you are about to remove the unwanted files.
And if you’re having troubles deciding if a file is clean or potentially unwanted in FreeFixer’s scan result, click on the More Info link for the file. That will open up a web page which contains additional information about the file. On that web page, check out the VirusTotal report which can be very useful:
Did you find any potentially unwanted program on your machine? Did that stop buzzdock.com? Please post the name of the potentially unwanted program you uninstalled from your machine in the comments below.
Hi there! Just a quick post on a file named finaltorrent-setup.exe digitally signed by TRUSTED INSTALL SOFTWARE.
Typically you’d see the TRUSTED INSTALL SOFTWARE publisher name appear when double-clicking on the finaltorrent-setup.exe file:
It’s possible to view additional information about the certificate by right-clicking on the file, choosing Properties and then clicking on the Digital Signatures tab. According to the certificate we can see that TRUSTED INSTALL SOFTWARE is located in San Francisco in the US and that the certificate is issued by VeriSign Class 3 Code Signing 2010 CA.
So, what’s the problem here? Well, AVG detects this as Generic.AA1. All the other anti-virus programs over at VirusTotal did not detect the file. Could AVG’s detection be a false positive? What do you think?
Did you also find a file signed by the same publisher? Do the scanners at VirusTotal detect it?
Hello! Was looking for some downloads to play around with and found one, digitally signed by Astori LLC. The file is named in such a way that users might think it is a download for the Game of Thrones TV series.
The following screenshot shows the User Account Control dialog when running the Astori LLC file:
It’s possible to view additional information about the certificate by right-clicking on the file, choosing Properties and then clicking on the Digital Signatures tab. According to the certificate we can see that Astori LLC appears to be located in Moscow, Russia and that the certificate is issued by COMODO Code Signing CA 2.
I found an older file, also signed by Astori LLC. This one was detected by 10 of the 57 scanners over at VirusTotal:
Did you also find an Astori LLC file? What kind of download was it? If you remember the download link, please post it in the comments below.
Hi there! If you’ve been following my recent posts here on the FreeFixer blog, you know that I’ve been looking at files that have a valid digital signature and bundle various types of potentially unwanted programs. A few days ago I found another publisher named GLobal appS Roi.
If you have a GLobal appS Roi file on your machine you may have noticed that GLobal appS Roi is displayed as the publisher in the UAC dialog when double-clicking on the file. You can also see the GLobal appS Roi certificate by looking under the Digital Signature tab on the file’s properties. According to the certificate, GLobal appS Roi is located in Dublin, Ireland.
These are the current VirusTotal detections for the file. Downloader.MTU, W32.HfsAdware.4546, Trojan.OutBrowse.760 and Adware-OutBrowse.g are a few of the detection names for the Player.exe file.
Did you also find a GLobal appS Roi file? What kind of download was it? If you remember the download link, please post it in the comments below.
Welcome! Just wanted to give you the heads up on files digitally signed by Artur Flomenko.
If you have an Artur Flomenko file on your machine you may have noticed that Artur Flomenko is displayed as the publisher in the UAC dialog when double-clicking on the file. The certificate is issued by Certum Code Signing CA. Mr Flomenko is located in Ukraine.
So, what do the anti-virus programs say about the Artur Flomenko file? No problem, I just uploaded the file to VirusTotal and it turned out that some of the anti-virus programs detect the Artur Flomenko file, with names such as Win32:FakeDownload-G [PUP], a variant of Win32/Kryptik.DPGT, Trojan.Downloader, Trj/Genetic.gen and PE:AdWare.Win32.MultiPlug.aq!1075358402.
Did you also find an Artur Flomenko file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.