Category Archives: digital signature

Digital Plugin S.L Publisher – VirusTotal Detections

Sorry for not posting anything during the days. I’ve been having a few days off visiting friends and family. Before my time off I found another publisher called DIGITAL PLUGIN S.L that bundles some potentially unwanted programs. The file I found was called Player.exe and I could see DIGITAL PLUGIN S.L appear when double-clicking on the file.

Digital Plugin S.L Publisher

Update 2015-06-29: Found another download with the publisher name “Digital Plugin SL”.

Viewing the certificate information is also possible by looking under the digital signature tab for the file. Here the certificate says that DIGITAL PLUGIN S.L is located in Tenerife.

Digital Plugin S.L Certificate

Digital Plugin S.L Tenerife

And the certificate was issued by GlobalSign.

The reason for posting about DIGITAL PLUGIN S.L is that the file is detected by many of the anti-virus programs. Currently player.exe is detected by 13 of the 52 anti-virus scanners:

Digital Plugin S.L Virus Total detections

Hope you found this post useful.

Did you also find a download signed by DIGITAL PLUGIN S.L? What kind of download was it?

Update 2015-09-12: Today I noticed another download called google_chrome.exe, signed by Digital Plugin SL.

Digital Plugin SL cert again

This is another certificate, issued by VeriSign. VirusTotal reports a 19/57 detection ratio.

V.X. Technocom – Bundling, VirusTotal Detections and Digital Signature Information

If you’ve been following my recent posts here on the FreeFixer blog, you know that I’ve been looking at files that have a valid digital signature and bundle various types of potentially unwanted programs. A few days ago I found another publisher named V.X. Technocom that bundles software.

The file was called Game_of_Thrones_S04E02_HDTV_x264-2HD[ettv].exe.

If you have a V.X. Technocom download on your computer, you may have noticed that Closed Joint-Stock Company “V.X. Technocom” appears as the publisher in the UAC dialog when double-clicking on the file.

V.X. Technocom Publisher

You can also see the V.X. Technocom certificate by looking under the Digital Signature tab on the file’s properties. According to the certificate, V.X. Technocom is located in Moscow, Russia.

v.x.-technocom-digital-signature

v.x.-technocom-moscow-russia

These are the current VirusTotal detections for the file. Adware/Savy.ahdd and GetPrivate are the detection names by AntiVir and VIPRE:

v.x.-technocom-closed-joint-stock-company-getprivate-adware-savy.ahdd

Since the download was detected I decided to give it a try to see what it installed. During my test I could see Aducky, Sweet-Page, ShopperFriend and Block-N-Surf, as shown in the screenshots below:

v.x.-technocom is bundling SweetPage

v.x.-technocom is bundling Block-N-Surf

v.x-technocom ShopperFriend aducky

After accepting the offers a bunch of new files and settings appeared. Here are some of the files:

  • WindowsUpdater.exe
  • winsystem.exe
  • svcsystem.exe
  • PluginService.exe
  • privoxy.exe

A bunch of new ads also started to pop up, labeled monkeytize and RightCoupon.

Monkeytize Ads

You can remove these unwanted ads, files and settings with help from the FreeFixer tool.

Where did you find the V.X. Technocom download? What kind of download was it?

New IT Limited Digital Signature – What does it bundle?

I was playing around and testing some downloads when I found a file signed by New IT Limited. This is how it looks when double-clicking on the file and New IT Limited appears as the publisher.

new it limited publisher

It is also possible to check a digital signature by looking at a file’s properties.  Here’s a screenshot of the New IT Limited certificate:

The New IT Limited certificate

New IT Limited appears to be located in Nicosia, Cyprus.

new it limited subject

What initially caught my interest was that the file was named Game of Thrones HDTV.. after the famous TV series Game of Thrones from HBO. 2 of the 51 scanners over at VirusTotal detected the New IT Limited file. Win32:FourShared-D [PUP] and a variant of Win32/4Shared.S were the detection names:

New IT Limited VirusTotal scan FourShared/4Shared

Since ESET-NOD32 and Avast detected the file I got curious and decided to run the file. Turns out the installer bundled the Qone8 search engine:

new-it-limited-installer

Did you also find a download that was digitally signed by New IT Limited? What kind of download was it?

Thanks for reading!

InstallVibes Digital Signature – Bundling, VirusTotal detections and Promotions

I just found a file digitally signed by InstallVibes. You might have noticed that InstallVibes appears as the publisher in the User Account Control dialog that pops up when double-clicking on the file and came here to find out more about it.

InstallVibes Publisher

Information about a digital signature and the certificate can also be found under the Digital Signature tab. The two screenshots below show the InstallVibes certificate and that the “Subject” is located in Tel Aviv, Israel.

InstallVibes Digital Signature

InstallVibes Certificate TelAviv Israel

I decided to upload the InstallVibes file to VirusTotal. The file was detected by some of the anti-virus programs, with names such as: TR/Dropper.Gen, PUP.Optional.Bundlore and Bundlore.

InstallVibes scan result from Virus Total

Since some of the anti-virus programs detected the InstallVibes file, I got curious and decided to test it to see what it installed. The following software is bundled and disclosed in the InstallVibes installer:

  • Qone8
  • ProductivityPro
  • Optimizer Pro
  • Wajam
  • BestMarkit
  • MoboGenies
  • PriceMeter
  • OMG (OnlineMusicGroove)
  • ClipHD
  • MyPcBackup

This is what the web page looked like when I found the InstallVibes file. It appeared in a few variants:

InstallVibes Video Downloader

InstallVibes "Highly Recommened"

InstallVibes "Download Ready" using user interface that looks like the Windows 7 user interface style.

Did you also find an InstallVibes file? What kind of download was it?

If you also have a file digitally signed by InstallVibes, please upload at www.virustotal.com to see if anything is detected or if it comes up clean. I’d be very interested to see the scan result. Please post the link to the scan result in the comments field below. Thank you!

Artur Kozak Publisher – Digital Signature Warning!

Lately I’ve been looking at the digital signatures on those files that push various types of unwanted programs. This morning I found a new file in the FreeFixer database called digital-photo-2013-11-nov.pdf.exe, digitally signed by Artur Kozak.

You can see who the signer is when double-clicking on an executable file. Artur Kozak appears in the publisher field in the dialog that pops up. You can also see the Artur Kozak certificate under the digital signature tab.

So, why am I warning you about the Artur Kozak file? Check out what the anti-virus programs report about the file:

artur-kozak

TSULoader, InstalleRex, Win32.Adload and Adware.Downware are some of the detection names reported by the anti-virus scanners.

Hope this helped you avoid getting some unwanted programs on your machine.

Where did you find the Artur Kozak file? What was the file called?

SuperCool Applications Publisher – Warning

This night I found a file claiming to be an installer for Adobe’s Flash Player. However, the file was not signed by Adobe as it should be. Instead SuperCool Applications appeared as the publisher:

SuperCool Applications Publisher

SuperCool Applications also appears under the digital signature tab. SuperCool Applications is located in Tel Aviv, Israel.

SuperCool Applications Digital Signature

Supercool Applications certificate says Tel Aviv, Israel

So, why should you avoid the SuperCool Applications “Flash Player” and instead download Flash from the official site? The anti-virus scanners should convince you:

SuperCool Applications virus total scan result.

Seven of the anti-virus programs detect the SuperCool Applications file, and refer to it as Max Setup, InstallCore, Install Core Click run Software and PUP.Optional.InstallCore.

Hope this helped you to get the official Flash Player and skip the SuperCool Applications download.

Please let me know if you found this blog post useful.
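The check these posts do by hand in the Digital Signature tab can be scripted with PowerShell's `Get-AuthenticodeSignature`. The following is an added example, not code from the FreeFixer blog; the function name `Get-SignerReport`, its parameters and the placeholder path are assumptions.

```powershell
# Added example (not from the original posts): report who signed a download.
function Get-SignerReport {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Publisher name the caller expects for this product (caller's assumption).
        [string] $ExpectedPublisher
    )
    # -LiteralPath: names like "...x264-2HD[ettv].exe" contain wildcard characters.
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate
    $publisher = $null; $issuer = $null; $locality = $null; $country = $null
    if ($cert) {
        $simple    = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $publisher = $cert.GetNameInfo($simple, $false)   # subject (publisher) name
        $issuer    = $cert.GetNameInfo($simple, $true)    # issuing CA name
        # Simplified parse of the subject DN; quoted values that contain
        # commas are not handled.
        if ($cert.Subject -cmatch '(?:^|,\s*)L=([^,]+)') { $locality = $Matches[1] }
        if ($cert.Subject -cmatch '(?:^|,\s*)C=([^,]+)') { $country  = $Matches[1] }
    }
    $name = [System.IO.Path]::GetFileName($Path)
    # Only evaluated when the caller says who the publisher should be.
    $publisherOk = $null
    if ($ExpectedPublisher) {
        $publisherOk = ($sig.Status -eq 'Valid') -and ($publisher -eq $ExpectedPublisher)
    }
    [pscustomobject]@{
        File                = $name
        SignatureStatus     = $sig.Status
        Publisher           = $publisher
        Locality            = $locality
        Country             = $country
        Issuer              = $issuer
        PublisherAsExpected = $publisherOk
        # Document-style name that is really an executable, e.g. "*.pdf.exe".
        DocumentNameWithExe = $name -match '\.(pdf|docx?|jpe?g|png|txt)\.exe$'
    }
}

# Usage (placeholder path; the publisher string is whatever the vendor's
# genuine installer shows in its Digital Signatures tab):
# Get-SignerReport -Path '.\downloaded-installer.exe' -ExpectedPublisher '<vendor name>'
```

A `Valid` status only means the file is intact and was signed by the named publisher. As the scan results in these posts show, a validly signed file can still be detected as unwanted software.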

Stas Kosmov Publisher – Digital Signature Warning!

For some unknown reason I had trouble sleeping this night, so instead I spent a few hours hunting some adware installers. I found a file digitally signed by Stas Kosmov that bundled lots of unwanted software. Stas Kosmov will appear as the publisher when double-clicking on the file and in the file’s digital signature tab. According to the certificate Stas Kosmov is located in Kiev, Ukraine.

Stas Kosmov Publisher - Installer for TopApp soft

Stas Kosmov Digital Signature

Stas Kosmov Kiev Ukraine

So, what do the anti-virus scanners say about this file? The following scan result should convince you to not run the Stas Kosmov file:

stas kosmov virus total

Did you also find a file signed by Stas Kosmov? Where did you find it?

Anton Melnikov Publisher – WARNING

Just a short post before getting back to work. I found a software download this morning that bundles some unwanted software. The download is digitally signed by Anton Melnikov. The problem with the Anton Melnikov download is that it bundles lots of unwanted software, such as “SaveOn”, “Y**tubeAdBlocker”, “SW-Booster”, “SW-Sustainer”, etc.

Windows will display Anton Melnikov as the publisher when running the file. The program name is “Installer for TopApp software”.

Anton Melnikov publisher - Installer for TopApp software

You can also check the digital signature under the file’s properties. The certificate says Anton Melnikov is located in Kiev, Ukraine.

anton-melnikov-digital-signature

anton-melnikov-kiev-ukraine

Well, hope this blog post saved you a few hours by avoiding those unwanted programs. There are after all more interesting things to do than cleaning a computer from adware.

Did you also find a file signed by Anton Melnikov? Where did you find it and what kind of download was it? Thanks for sharing.

Daneil Jemoch Publisher – WARNING!

Just a quick post before starting today’s programming on the FreeFixer tool. This is the second time I spot a file digitally signed by Daneil Jemoch that bundles lots of unwanted programs. Thought I should warn you and hopefully save you from some unnecessary adware cleaning. You can see Daneil Jemoch appear as the publisher when running the file as shown below.

Daneil Jemoch Publisher - Excellent4App Daneil Jemoch publisher

You can also check who signed a file by checking the digital signature tab. The screenshot below shows the Daneil Jemoch certificate. From the certificate info we can see that Daneil Jemoch appears to be located in Kiev, Ukraine.

daniel-jemoch-digital-signature

Daneil Jemoch, Kiev, Ukraine

The anti-virus programs have a decent detection rate for the Daneil Jemoch file:

Daneil Jemoch virus total

The anti-virus scanners refer to the file as Graftor, MultiPlug and InstalleRex.

Where did you find the Daneil Jemoch signed file?

Hope you found this post useful. Please let me know by posting a comment.

Boris Burkin Publisher – WARNING

Just a short post before I call it a day. I found yet another file that bundled a bunch of unwanted programs, and the file was signed by Boris Burkin. Typically you’d see the Boris Burkin publisher name appear when double-clicking on the file:

Boris Burkin Publisher

You will also see Boris Burkin appear if you check the file’s digital signature.

Boris Burkin Digital Certificate

Boris Burkin, kyiv, kyivska

If you are considering running the Boris Burkin signed file, I’ll advise you not to. Delete it instead. Just check out the detection list from some of the anti-virus programs:

boris-burkin-virus-total

The anti-virus programs call the file Trojan.AntiFW, InstalleRex, Adware.Downware, Win32.InfoLeak, Downloader.AdLoad, etc.

Did you also find a file digitally signed by Boris Burkin? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.