Category Archives: digital signature

Premium Platform (Fried Cookie Ltd.) – 12% Detection Rate

Hello readers! Just a quick post on a file named FinalTorrentSetup.exe signed by Premium Platform (Fried Cookie Ltd.).

Premium Platform Fried Cookie publisher

Windows will display Premium Platform (Fried Cookie Ltd.) as the publisher when running the file. Viewing the certificate information is also possible by looking under the digital signature tab for the file. Here the certificate says that Premium Platform (Fried Cookie Ltd.) is located in Tel Aviv, Israel.

Premium Platform Fried Cookie Ltd certificate

Win32:Malware-gen, Application.Win32.InstallCore.DI, a variant of Win32/InstallCore.YH potentially unwanted and InstallCore (fs) are some detection names according to VirusTotal:

Premium Platform anti-virus report

Did you also find a Premium Platform (Fried Cookie Ltd.) file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thank you for reading.

SuperSource (Fried Cookie Ltd.) – 18% Anti-Virus Detection Rate – InstallCore

Welcome! If you are a regular here on the FreeFixer blog you know that I’ve been looking at the certificates used to sign files that bundled various types of unwanted software. Today I found another certificate, used by a publisher called SuperSource (Fried Cookie Ltd.).

SuperSource Fried Cookie

You can see who the signer is when double-clicking on an executable file. SuperSource (Fried Cookie Ltd.) appears in the publisher field in the dialog that pops up. Information about a digital signature and the certificate can also be found under the Digital Signature tab. The screenshot below shows the SuperSource (Fried Cookie Ltd.) certificate. From the certificate info we can see that SuperSource (Fried Cookie Ltd.) appears to be located in Israel.

SuperSource (Fried Cookie Ltd.) cert

The reason I’m writing this blog post is that the SuperSource (Fried Cookie Ltd.) file is detected by many of the anti-virus programs at VirusTotal. Avast detects installer_jdownloader_English.exe as Win32:Trojan-gen, AVG reports Generic.0C3, DrWeb reports Trojan.InstallCore.312, K7AntiVirus calls it Adware ( 004b91c91 ) and VIPRE reports InstallCore (fs).

SuperSource anti-virus report

Did you also find a SuperSource (Fried Cookie Ltd.) file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thanks for reading.

LiveSoftAction SRL – 11% Anti-Virus Detection Rate – GetNow / Iminent

Hi there! Just a short post on a publisher called LiveSoftAction SRL before going back to some coding on FreeFixer.

LiveSoftAction SRL uac

You will also see LiveSoftAction SRL listed as the verified publisher in the User Account Control dialog that pops up if you try to run the file. The certificate information can also be viewed from Windows Explorer. The screenshot below shows the LiveSoftAction SRL certificate. From the certificate info we can see that LiveSoftAction SRL appears to be located in Bucuresti in Romania.

LiveSoftAction SRL certificate

When I uploaded the LiveSoftAction SRL file to VirusTotal, it came up with an 11% detection rate. The file is detected as Win32:Dropper-gen [Drp] by Avast, Adware.Iminent.25 by DrWeb, a variant of Win32/GetNow.H potentially unwanted by ESET-NOD32, BehavesLike.Win32.LiveSoftAction.dc by McAfee-GW-Edition and LiveSoftAction (fs) by VIPRE.

LiveSoftAction SRL anti-virus report

Did you also find a file digitally signed by LiveSoftAction SRL? What kind of download was it and where did you find it?

Thanks for reading.

LLC “HALKON PLYUS” – 4% Anti-Virus Detection Rate

Hello! If you’ve been following my recent posts here on the FreeFixer blog, you know that I’ve been looking at files that have a valid digital signature and bundle various types of potentially unwanted programs. A few days ago I found another publisher named LLC “HALKON PLYUS”.

LLC HALKON PLYUS

If you have an LLC HALKON PLYUS file on your computer you may have noticed that LLC HALKON PLYUS pops up as the publisher in the User Account Control dialog when running the file. To get more details on the publisher, you can view the certificate by right-clicking on the file, and looking under the Digital Signatures tab. According to the embedded certificate we can see that LLC “HALKON PLYUS” is located in Ternopil, Ukraine and that the certificate is issued by COMODO RSA Code Signing CA.

LLC HALKON PLYUS certificate

The reason for posting about LLC “HALKON PLYUS” is that the file is detected by a few of the anti-virus programs. Avast classifies MediaPlayer__6741_i1484416138_il59937.exe as Win32:Malware-gen and Avira detects it as ADWARE/Adware.Gen4.

LLC HALKON PLYUS anti-virus report

To see in more detail what changes the LLC “HALKON PLYUS” file would make on a user’s computer I decided to run the file on my lab machine. The installer bundled some additional software such as Wajam, PriceLess, TabNav and AnySend.

Did you also find a download that was signed by LLC “HALKON PLYUS”? What kind of download was it and was it detected by the anti-malware programs at VirusTotal? Please share by posting in the comments below.

Thanks for reading.

Tiki Taka – 25% Anti-Virus Detection – OutBrowse / Revenyou

Welcome! Just a short post before I call it a day. I found yet another interesting file. It was signed by Tiki Taka.

Tiki Taka uac

You may see Tiki Taka appear as the publisher when double-clicking on the Player.exe file. Viewing the certificate information is also possible by looking under the digital signature tab for the file. Here the certificate says that Tiki Taka is located in Dublin, Ireland.

Tiki Taka certificate

I decided to upload the Tiki Taka file to VirusTotal. 25% of the scanners detected the file. PUA/Outbrowse.Gen, Trojan.OutBrowse.68, Win32/OutBrowse.BU potentially unwanted, PUP.Optional.OutBrowse and OutBrowse Revenyou are some of the detection names.

Tiki Taka anti-virus report

Did you also find a Tiki Taka file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thank you for reading.

NEXT-POINT (OOO Next-Point) – 7% Anti-Virus Detection Rate – InstallCore

Hi there! Just a short post on a publisher called NEXT-POINT (OOO Next-Point). I just found a download named adobe_flash_setup.exe that was digitally signed by this publisher, and it turns out that it is detected by some anti-virus programs.

NEXT-POINT OOO Next-Point UAC

You can also check the digital signature under the file’s properties. According to the certificate we can see that NEXT-POINT (OOO Next-Point) seems to be located in Moscow, Russia and that the certificate is issued by COMODO RSA Code Signing CA.

NEXT-POINT (OOO Next-Point) certificate

The problem is that adobe_flash_setup.exe is not an official Adobe Flash Player download. If it was, it would have been digitally signed by Adobe Systems Incorporated. Here’s what the authentic Adobe Flash Player looks like when you double click on it. Notice that the “Verified publisher” says “Adobe Systems Incorporated”.
Adobe Systems Incorporated - Adobe Flashplayer Installer

The current detection rate is 4/57, that is 7%. Avira reports adobe_flash_setup.exe as Adware/InstallCore.A.499, ESET-NOD32 detects it as a variant of Win32/InstallCore.XP potentially unwanted and K7AntiVirus reports Trojan ( 004b75ec1 ).

NEXT-POINT anti-virus report

When I tested the NEXT-POINT (OOO Next-Point) file, it installed StormFall, MyPC backup and some product from Symantec. I don’t remember the name. Perhaps it was Norton 360.

Did you also find a file signed by NEXT-POINT (OOO Next-Point)? What kind of download was it and where did you find it?

Hope this blog post helped you avoid some unwanted software on your machine.

Thanks for reading.

Jelbrus LLC from The Pirate Bay – 23% Anti-Virus Detection Rate – Strictor / Techsnab / HfsAdware

Welcome! Saturday night post this time 😉 Just wanted to let you know about a publisher called Jelbrus LLC. You may run into this download if you are visiting sites such as The Pirate Bay.

Jelbrus LLC make changes

Information about a digital signature and the certificate can also be found under the Digital Signature tab. According to the embedded certificate we can see that Jelbrus LLC seems to be located in Moscow in Russia and that the certificate is issued by Thawte Code Signing CA – G2.

Jelbrus LLC certificate

So what’s up with Jelbrus? The file I found is named Breaking_Bad_Season_1_Complete_720p.BRrip.Sujaidr_(pimprg)_.exe, so you might get the impression that this is a download for the famous TV-Series called Breaking Bad. It’s not.

Here’s what the Jelbrus installer looks like if you run the file:

Jelbrus LLC installer

When clicking the Next button a bunch of settings are changed and some files are added to your computer. Here’s the interesting stuff from a FreeFixer log:

FreeFixer v1.13 log
http://www.freefixer.com/

Scheduled tasks (39 whitelisted)
================================
Great Performance Ultimate, C:\Program Files (x86)\PrivateVPN\gpup.exe , signer: [unsigned]
Jelbrus Secure Web Task, C:\Program Files (x86)\Jelbrus Secure Web\jswtask.exe , signer: [unsigned]
Malware Cleaner, C:\Users\honeypotter\AppData\Roaming\1265.tmp.exe (file is missing)

Processes (42 whitelisted)
==========================
C:\Windows\mlwps.exe, signer: [unsigned]
C:\Users\HONEYP~1\AppData\Local\Temp\92.tmp.exe, signer: [unsigned]
C:\Program Files (x86)\Jelbrus Secure Web\privoxy.exe, signer: [unsigned]

Services (47 whitelisted)
=========================
Live Malware Protection, Live Malware Protection, c:\windows\mlwps.exe, signer: [unsigned]
PrivoxyService, Privoxy (PrivoxyService), c:\program files (x86)\jelbrus secure web\privoxy.exe, signer: [unsigned]

Recently created/modified files
===============================
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\mgwz.dll, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\privoxy.exe, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jsie.dll, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jswff.exe, signer: Jelbrus LLC [valid]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jsweb64.dll, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jswchromium64.exe, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jsweb.dll, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jswchromium.exe, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jswtask.exe, signer: [unsigned]
20 minutes, c:\Users\honeypotter\AppData\Local\Temp\92.tmp.exe, signer: [unsigned]
21 minutes, c:\Program Files (x86)\PrivateVPN\tasks.dll, signer: [unsigned]
21 minutes, c:\Users\honeypotter\AppData\Local\Temp\tasks.dll, signer: [unsigned]
21 minutes, c:\Program Files (x86)\PrivateVPN\gpup.exe, signer: [unsigned]
21 minutes, c:\Users\honeypotter\AppData\Local\Temp\580C.tmp.exe, signer: [unsigned]
23 minutes, c:\Users\honeypotter\AppData\Local\Temp\1716.tmp.exe, signer: [unsigned]
24 minutes, c:\Users\honeypotter\AppData\Local\Temp\6E23.tmp.exe, signer: [unsigned]

LAN Proxy Settings
==================
*=127.0.0.1:8118
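
The log above can be triaged mechanically. The following Python is an added example, not part of FreeFixer or of the original post: it parses the section layout shown in the log and flags unsigned autostart entries, entries whose file is missing, unsigned binaries in user-writable directories, and a system proxy pointing at a local port. The section names come from the log itself; the `AUTOSTART` and `USER_WRITABLE` heuristics are assumptions made for this example.

```python
import re

SAMPLE_LOG = r"""Scheduled tasks (39 whitelisted)
================================
Jelbrus Secure Web Task, C:\Program Files (x86)\Jelbrus Secure Web\jswtask.exe , signer: [unsigned]
Malware Cleaner, C:\Users\honeypotter\AppData\Roaming\1265.tmp.exe (file is missing)
Recently created/modified files
===============================
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jswff.exe, signer: Jelbrus LLC [valid]
20 minutes, c:\Users\honeypotter\AppData\Local\Temp\92.tmp.exe, signer: [unsigned]
LAN Proxy Settings
==================
*=127.0.0.1:8118
"""  # excerpt of the log above (blank lines dropped), embedded so this runs offline

PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)\b", re.I)
LOOPBACK_RE = re.compile(r"=(?:127\.0\.0\.1|localhost):(\d+)$", re.I)
AUTOSTART = {"Scheduled tasks", "Services"}   # assumed: sections that imply persistence
USER_WRITABLE = ("\\appdata\\", "\\temp\\")   # assumed heuristic, not a FreeFixer rule

def parse_sections(text):
    """Split the log into {title: [item lines]}; a title is the line above a ==== rule."""
    lines = [l.strip() for l in text.splitlines()]
    sections, bucket = {}, None
    for line, nxt in zip(lines, lines[1:] + [""]):
        if nxt and set(nxt) == {"="}:
            title = re.sub(r"\s*\(\d+ whitelisted\)$", "", line)
            bucket = sections.setdefault(title, [])
        elif bucket is not None and line and set(line) != {"="}:
            bucket.append(line)
    return sections

def triage(text):
    """Return (section, subject, reason) for entries that deserve a closer look."""
    out = []
    for section, items in parse_sections(text).items():
        for item in items:
            proxy, path = LOOPBACK_RE.search(item), PATH_RE.search(item)
            unsigned = item.endswith("signer: [unsigned]")
            if section == "LAN Proxy Settings" and proxy:
                out.append((section, item, "proxy set to local port " + proxy.group(1)))
            elif path and "(file is missing)" in item:
                out.append((section, path.group(0), "entry references a missing file"))
            elif path and unsigned and section in AUTOSTART:
                out.append((section, path.group(0), "unsigned autostart binary"))
            elif path and unsigned and any(d in path.group(0).lower() for d in USER_WRITABLE):
                out.append((section, path.group(0), "unsigned binary in user-writable directory"))
    return out

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

The validly signed jswff.exe passes every check here, so the signer name still has to be reviewed separately.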

You will also see advertisements labelled “Ad by CouponDropDown” while browsing the web. Here are the “Ad by CouponDropDown” ads on Google:

Ad by CouponDropDown

So what do the anti-virus scanners at VirusTotal say about Jelbrus’ “Breaking Bad” file? The detection rate is 13/57. Gen:Variant.Strictor.75172, Jelbrus.3C0, Adware/Techsnab.9058, Jelbrus LLC (fs), W32.HfsAdware.307F and Gen:Variant.Strictor.75172 were some of the detection names.

Jelbrus LLC anti-virus report

Did you also find a Jelbrus LLC file? Did you also find it at The Pirate Bay?

Thank you for reading.

Lamphouse Media LLC – 21% Detection Rate – Adware.Agent.PGG

Hi there! If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. Today I found another publisher called Lamphouse Media LLC while checking out some of the more recent submissions to the FreeFixer database.

You can view the details of a digital signature by looking at a file’s properties from Windows Explorer.

The reason why I think the Lamphouse Media LLC file is interesting is because it is detected by some of the scanners at VirusTotal. It came up with a 21% detection rate. The file is detected as Generic.BAF by AVG, Adware.Agent.PGG by BitDefender and Adware.Agent.PGG by nProtect.

Lamphouse Media LLC anti-virus report

Did you also find a Lamphouse Media LLC file? Do you remember the download link? Please post it in the comments below. I’d like to check it out on my lab machine.

Thanks for reading.

Advertaizing Grupp – 19% Detection Rate – InstallCore

Hi there! If you are a regular here on the FreeFixer blog you know that I’ve been looking at the certificates used to sign files that bundled various types of unwanted software. Today I found another certificate, used by a publisher called Advertaizing Grupp.

Advertaizing Grupp certificate

You can view the certificate by right-clicking on the file, and looking under the Digital Signature tab. According to the embedded certificate we can see that Advertaizing Grupp is located in Russia and that the certificate is issued by COMODO RSA Code Signing CA.

What caught my attention was that the download was called adobe_flash_setup.exe. This might look like an official Adobe Flash Player download, but it is not. If it was an official download, it would be signed by Adobe Systems Incorporated. Here’s what the authentic Adobe Flash Player looks like when you double click on it. Notice that the “Verified publisher” says “Adobe Systems Incorporated”.
Adobe Systems Incorporated - Adobe Flashplayer Installer

So, what do the anti-virus programs say about the Advertaizing Grupp file? No problem, I just uploaded the file to VirusTotal and it turned out that many of the anti-virus programs detect the Advertaizing Grupp file, with names such as Win32:Rootkit-gen [Rtk], Adware/InstallCo.zlz, Trojan.InstallCore.57, Trojan ( 004b4b721 ), Riskware.Win32.InstallCore.dnxkbc and Win32/Tnega.MFNTaRB.

Advertaizing Grupp anti virus report

Did you also find a download that was digitally signed by Advertaizing Grupp? What kind of download was it and was it detected by the anti-virus programs at VirusTotal? Please share by posting in the comments below.

Hope this blog post helped you avoid some unwanted software on your machine.

Thank you for reading.

Interesting Solutions – 16% Anti-Virus Detection Rate – PullUpdate / PUP.Optional.WebGuard.A

Welcome! If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. I’ve seen lots of submissions of Interesting Solutions files to the FreeFixer database, so I thought it was about time to write a few lines about this publisher.

The scan result from VirusTotal below clearly shows why you probably should avoid the Interesting Solutions files. It is detected under names such as Downloader.CBD, Adware.Yontoo.55, a variant of MSIL/Adware.PullUpdate.G.gen, PUP.Optional.WebGuard.A, HEUR/QVM03.0.Malware.Gen and Injekt (fs).

Interesting Solutions anti virus report

Did you also find an Interesting Solutions file? Do you remember the download link for the software that bundled Interesting Solutions? Please let me know so I can test it out on my lab machine.

Thanks for reading.