Stanislav Kabin – Certificate Warning

Just a quick post to warn you about files digitally signed by Stanislav Kabin. The file I found was detected by many of the anti-virus programs. Here’s how Stanislav Kabin appears in the UAC dialog:

Stanislav Kabin Publisher


The Stanislav Kabin certificate shows that the publisher is located in Russia.

Stanislav Kabin Certificate

Did you also find a file signed by Stanislav Kabin? What kind of file was it, and where did you find it?

Here’s the VirusTotal scan results:

Stanislav Kabin VirusTotal Report


Ads by TheTorntv – Removal Instructions

Do you see ads labeled “Ads by TheTorntv” while searching on Google, like in the screenshot below?

Ads by TheTorntv in Google search results


If you see TheTorntv ads, you have adware called TheTorntv installed on your machine. Don’t worry, I’ll show you how to remove TheTorntv with FreeFixer. The files that you want to remove are located in a folder called TheTorntv V10 in the Program Files folder.

Just select the following files for removal in FreeFixer’s scan result and the ads will be gone after you reboot your machine:

Screenshots: TheTorntv scheduled tasks; TheTorntv Mozilla extension; TheTornTv in Internet Explorer

The following are the detection names for TheTorntv, thanks to VirusTotal:

  • ADWARE/CrossRider.Gen2
  • a variant of Win64/Toolbar.Crossrider.F
  • AdWare.Adload
  • PUP.Optional.TornTV.A
  • Crossrider (fs)

How did you get TheTorntv on your machine? I found it while looking around at a torrent site.

Information Technology Systems doo – VirusTotal Report

Just wanted to give you the heads up on a publisher called Information Technology Systems doo.

Information Technology Systems doo Publisher

According to the certificate, the publisher is located in Montenegro:

Information Technology Systems doo Certificate

This is the VirusTotal scan report for the Information Technology Systems doo file:

Information Technology Systems doo - VirusTotal

Generic.DAA, Unwanted-Program and  are some of the detection names.

Did you also find a file signed by Information Technology Systems doo? What kind of download was it? In my case, the download claimed to be the Flash Player installer.

Update 2014-09-03: Found a file promoted as a Java installer, signed by Information Technology Systems doo:

Information Technology Systems doo

The web page is hosted on softkopro.net. The file is called java_setup.exe and is detected by 10 of the 55 anti-virus programs at VirusTotal.

According to the web page, java_setup.exe is a downloader, rather than the real Java setup file:

“Coinis downloader is distributing a proprietary download manager that will take you to the official download of this program. Prior to taking you to the official download, we will offer optional sponsored software that you may be interested in. You are not required to install any additional software to receive your download.”

Update 2016-09-23: I’ve rescanned the java_setup.exe file. Now the detection rate is 31/57. Based on the scan result over at VirusTotal and by looking at the java_setup.exe executable file, it seems that the file contains the InstallCore software rather than the Coinis downloader, contrary to what the web page at softkopro.net stated.

What is WiredTools?

I just found a program called WiredTools, which was installed with the SoundFrost music download software. You might notice WiredTools.exe running in the background or that it appears in the Add/Remove programs dialog:

Screenshots: WiredTools in the Remove Programs dialog; WiredTools.exe in Task Manager


I have not figured out what the purpose of the WiredTools program is, but I think it looks suspicious. I could not see any disclosure in the SoundFrost installer that WiredTools would be installed.

I uploaded WiredTools.exe to VirusTotal. Only one of the scanners detected the file, as HEUR/Malware.QVM10.Gen:

WiredTools Virus Total

Did you also find WiredTools on your computer? Did you also get it while installing SoundFrost?

Onekit Internet S.L – VirusTotal Scan Report

I’ve previously written about JDownloader. Today I noticed that another company called Onekit Internet S.L has signed the JDownloader file.

onekit internet s l

When I tested the installer, the following programs were bundled and disclosed in the installer:

  • SoftwareUpdater
  • iRobinHood Partners Addon
  • Remote Desktop Access (VuuPC)
  • PC Speed Up
  • PassWidget

10 of the anti-virus scanners are detecting the Onekit Internet S.L file:

onekit internet s.l virus total

Saul Perec VirusTotal Report – 38% Detection Rate

Just found a download digitally signed by Saul Perec. I’d recommend being careful if you have also downloaded a file signed by Saul Perec. This is the VirusTotal scan for the Saul Perec file:

Saul Perec Virus Total

Luckily Windows warns when launching a downloaded file and shows the publisher information.

Saul Perec Publisher

You can also view the Saul Perec certificate by right-clicking on the file, and looking under the Digital Signature tab:

Saul Perec Certificate

Did you also find a file signed by Saul Perec? Where did you find it and what kind of download was it?
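Checking the signer yourself before you reach the UAC prompt, as in the Stanislav Kabin, Information Technology Systems doo and Saul Perec posts above: this is an added PowerShell example, not code from this blog or from FreeFixer. It lists each download’s Authenticode status, the publisher name and the C= country from the certificate subject, and flags publishers on a watch list; the folder path and the watch-list names are placeholders you edit.

```powershell
# Added example (not from the FreeFixer blog): report the Authenticode signer
# of every executable in a folder so the publisher name and country can be
# compared against the publishers warned about above before the file is run.
# Assumptions: $Folder and $WatchList are placeholders to be edited.
param(
    [string]$Folder = "$env:USERPROFILE\Downloads",
    [string[]]$WatchList = @('Stanislav Kabin', 'Saul Perec', 'Information Technology Systems doo')
)

function Get-PublisherReport {
    param([string]$Path, [string[]]$Watch)

    Get-ChildItem -Path $Path -Include *.exe, *.dll, *.msi -Recurse -File | ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate   # $null when the file is not signed

        # Pull CN= (publisher) and C= (country) out of the certificate subject;
        # the country is what the certificate screenshots above show.
        $publisher = $null; $country = $null
        if ($cert) {
            if ($cert.Subject -match 'CN=("[^"]+"|[^,]+)')   { $publisher = $Matches[1].Trim('"') }
            if ($cert.Subject -match '(?:^|, )C=([A-Z]{2})') { $country   = $Matches[1] }
        }

        # Flag a publisher that matches any watch-list name (case-insensitive).
        $flagged = $false
        if ($publisher) {
            foreach ($w in $Watch) { if ($publisher -like "*$w*") { $flagged = $true } }
        }

        [pscustomobject]@{
            File      = $_.Name
            Status    = $sig.Status      # Valid, NotSigned, NotTrusted, HashMismatch, ...
            Publisher = $publisher
            Country   = $country
            Expires   = if ($cert) { $cert.NotAfter } else { $null }
            Flagged   = $flagged
        }
    }
}

# Flagged and unsigned files sort to the top of the table.
Get-PublisherReport -Path $Folder -Watch $WatchList |
    Sort-Object Flagged, Status -Descending |
    Format-Table -AutoSize
```

A Status of Valid only means the signature chains to a trusted root; a valid signature from an unfamiliar publisher is still worth checking against VirusTotal, as the posts above show.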

websearch.flyandsearch.info Removal Instructions

Did you just launch your web browser and notice that your start page has been changed to websearch.flyandsearch.info? No problem, I’ll show you how to remove the websearch.flyandsearch.info start page and search provider from Internet Explorer and Mozilla Firefox in this blog post. Here’s how flyandsearch.info appears in Firefox:

websearch.flyandsearch.info in firefox

The removal is easy with FreeFixer: just select the websearch.flyandsearch.info items listed in the FreeFixer scan result, as shown in the screenshots below, and then click the Fix button. Problem solved.

Screenshots: websearch.flyandsearch.info; websearch.flyandsearch.info IE settings; websearch.flyandsearch.info IE search provider

How did you get websearch.flyandsearch.info on your computer? I found it in a download that claimed to be an episode of a famous TV-series.

Remove Browser App Adware

Are you getting ads labeled “Ad by Browser App” or “Ads by Browser App”, like in the screenshots below?

Browseri_Appe Ad by Browser App

Browseri_Appe Ads by Browser App

Then you have the BrowserApp adware installed on your machine. You will also see Browser App listed as a browser add-on. Here it is in Firefox:

Browseri_Appe 1.2 Firefox

The detection rate by the anti-virus programs is currently very low. Only 3 of the 50+ anti-virus scanners at VirusTotal detect the Browser App files. Eldorado and Crossrider are two of the detection names:

Browser App virus total report

How do you remove Browser App? No problem, just select the Browser App files in FreeFixer and you will no longer see the ads:

Screenshots: Browseri_Appe tasks; Browseri_Appe Firefox extensions; Browseri_Appe browser helper object

How did you get the BrowserApp adware on your machine?

These are the variants I’ve found:

  • Browser_AppS 1.1
  • Browseri_Appe 1.2
  • Browsers App
  • Browsers Apps +


PriceChop Ads Removal

Getting ads saying “Ad by PriceChop” or “Click to continue > by PriceChop”? Then you have the PriceChop adware running on your machine. I’ll show how to remove the PriceChop ads in this blog post.

pricechop - ad by Pricechop

PriceChop is installed as an add-on in your browser. Here’s how it appears in Firefox:

pricechop adblocker firefox add-on

Removal is pretty straightforward with FreeFixer. Just select the PriceChop, Adblocker, Assist.dll and SW-Booster files as shown in the screenshots below.

Screenshots: PriceChop Adblocker BHO; PriceChop trusted publisher SW-Booster; PriceChop sw-booster.exe; PriceChop assist.dll; PriceChop Adblocker

By the way, here are the scan results from VirusTotal for the PriceChop file loaded into Internet Explorer:

pricechop virus total

How did you get PriceChop on your computer?