Tag Archives: Comodo

LLC “DIVAROS SOFT” – 9% Detection Rate – PUP.Optional.LoadMoney

Hello! Having a quick break from the programming I’m doing right now. I’m doing some work on the freefixer.com web site. Just wanted to give you the heads up on a publisher called LLC “DIVAROS SOFT” that I ran into this morning:

LLC DIVAROS SOFT publisher

You will also see LLC “DIVAROS SOFT” listed as the verified publisher in the User Account Control dialog that pops up if you try to run the file. It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the LLC “DIVAROS SOFT” certificate. As you can see, LLC DIVAROS SOFT is located in Kiev, Ukraine.

LLC DIVAROS SOFT certificate

Comodo has issued the certificate.

So, why am I writing about the LLC “DIVAROS SOFT” file? Check out what the anti-virus software reports about the file:

LLC DIVAROS SOFT anti-virus report

Avira calls it ADWARE/Amonetize.Gen7, AVG names it Generic.A6F, VBA32 calls it SScope.Downware.Amonetize and Malwarebytes calls it PUP.Optional.LoadMoney, to mention a few of the detection names for the file.

Did you also find an LLC “DIVAROS SOFT” file?

Thanks for reading. Now, back to coding…

LLC “B2B SOFT UA” – 14% Detection Rate

Hello readers! Just a short post before I call it a day. I found yet another file that bundled a bunch of unwanted programs, and the file was signed by LLC “B2B SOFT UA”.

LLC B2B SOFT UA publisher

You will also see LLC “B2B SOFT UA” listed as the verified publisher in the User Account Control dialog that pops up if you try to run the file. The certificate is issued by COMODO RSA Code Signing CA. The company is located in Kiev, Ukraine:

LLC B2B SOFT UA certificate

The VirusTotal report shows that the LLC “B2B SOFT UA” file should be avoided, since How I Met Your Mother S09E22 HDTV x264KILLERS[ettv]__15022_i1707449201_il379351.exe is detected as ADWARE/Amonetize.Gen by Avira, PE:Malware.RDM.15!5.15[F1] by Rising, HEUR/QVM10.1.Malware.Gen by Qihoo-360 and Trj/Genetic.gen by Panda.

LLC B2B SOFT UA virus report

Did you also find an LLC “B2B SOFT UA” file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thanks for reading.

Arkhigrad Proekt, TOV – 9% Detection Rate

Hello readers! Just wanted to give you the heads up on a publisher called Arkhigrad Proekt, TOV. Here is how Arkhigrad Proekt, TOV appears in the UAC dialog when double-clicking on the Download__15022_i1683705761_il3.exe file:

Arkhigrad Proekt, TOV publisher

You can also view the certificate by right-clicking on the file and looking under the Digital Signature tab. According to the embedded certificate, Arkhigrad Proekt, TOV is located in Simferopol, Ukraine/Russia and the certificate is issued by COMODO RSA Code Signing CA.

Arkhigrad Proekt, TOV certificate

Generic.3ED, ADWARE/Amonetize.Gen and PUP.Optional.Amonetize are some detection names according to VirusTotal:

Arkhigrad Proekt, TOV anti-virus report

Did you also find a file digitally signed by Arkhigrad Proekt, TOV? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Thank you for reading.

LLC “LEVADIYA-PROEKT” – 5% Detection Rate At VirusTotal

Hi there! If you are a regular here on the FreeFixer blog, you know that I’ve been examining files that have a digital signature and bundle various types of potentially unwanted software. Today I found another publisher named LLC “LEVADIYA-PROEKT” that bundles some software.

LLC LEVADIYA-PROEKT warning

You can also see the LLC “LEVADIYA-PROEKT” certificate by looking under the Digital Signature tab on the file’s properties. According to the certificate, LLC “LEVADIYA-PROEKT” is located in Lviv, Ukraine. Comodo has issued the certificate.

LLC LEVADIYA-PROEKT certificate

The issue is that FlashPlayer__6741_i1651201445_il1668.exe is not an official Adobe Flash Player download. If it were, it would have been digitally signed by Adobe Systems Incorporated. Here’s what the authentic Adobe Flash Player looks like when you double-click on it. Notice that the “Verified publisher” says “Adobe Systems Incorporated”.
Adobe Systems Incorporated - Adobe Flashplayer Installer

So, what do the anti-virus programs say about the LLC “LEVADIYA-PROEKT” file? No problem, I just uploaded the file to VirusTotal and it turned out that a few of the anti-virus programs detect the LLC “LEVADIYA-PROEKT” file, with names such as ADWARE/Amonetize.Gen and a variant of Win32/Amonetize.IQ potentially unwanted.

anti-virus scan LLC LEVADIYA-PROEKT

Did you also find an LLC “LEVADIYA-PROEKT” file?

Thank you for reading.

LLC FOTO-TSENTR – 7% Detection Rate – QVM10.1.Malware.Gen / Amonetize

Welcome! Just a short post on a publisher called LLC FOTO-TSENTR. I just found a download named Moboroboexe__15022_i1619995140_il543480.exe that was digitally signed by this publisher, and it turns out that it is detected by some anti-virus programs.

LLC FOTO-TSENTR publisher

You may see LLC FOTO-TSENTR appear as the publisher when double-clicking on the Moboroboexe__15022_i1619995140_il543480.exe file. To view more information about the embedded certificate you can right-click on the file, then choose Properties and then select the Digital Signatures tab. According to the certificate we can see that LLC FOTO-TSENTR seems to be located in Ukraine and that the certificate is issued by COMODO RSA Code Signing CA.

LLC FOTO-TSENTR cert

Here’s Comodo in the certificate chain:

LLC FOTO-TSENTR cert chain

The issue with the LLC FOTO-TSENTR file is that it is detected by some of the anti-viruses. Here are some of the detection names: ADWARE/Amonetize.Gen, a variant of Win32/Amonetize.HU potentially unwanted and HEUR/QVM10.1.Malware.Gen.

LLC FOTO-TSENTR anti-virus report

Since you probably came here after finding a file that was digitally signed by LLC FOTO-TSENTR, please share what kind of download it was and if it was detected by the anti-malwares at VirusTotal.

Thank you for reading.

Update 2015-09-08: I found another file signed by LLC FOTO-TSENTR. The detection rate has increased to 13/56:

LLC FOTO-TSENTR report

OOO DIGITAL VEI – 18% Detection Rate – InstallCore

Hello readers! Just a quick post on a publisher called OOO DIGITAL VEI that I found while running some tests for the upcoming FreeFixer release. The suspicious file is named adobe_flash_player.exe.

OOO DIGITAL VEI publisher

Viewing the certificate information is also possible by looking under the digital signature tab for the file. Here the certificate says that OOO DIGITAL VEI is located in Moscow, Russia.

OOO DIGITAL VEI cert

And USERTrust and Comodo are further up in the certificate chain:

OOO DIGITAL VEI cert chain

What caught my attention was that the download was called adobe_flash_player.exe. This might look like an official Adobe Flash Player download, but it is not. If it were an official download, it would be digitally signed by Adobe Systems Incorporated. Here’s what the authentic Adobe Flash Player looks like when you double-click on it. Notice that the “Verified publisher” says “Adobe Systems Incorporated”.
Adobe Systems Incorporated - Adobe Flashplayer Installer

The problem with the OOO DIGITAL VEI file is that it is detected by many of the antivirus programs. Here are some of the detection names: W32.HfsAdware.90CE, PUP.Optional.Bundle and InstallCore (fs).

OOO DIGITAL VEI anti-virus report

Did you also find an OOO DIGITAL VEI download? What kind of download was it?

Thank you for reading.
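
The check described in the posts above (compare the signer with the vendor the file name claims, then look at the certificate chain) can be scripted. This is an added example, not FreeFixer code; the function name `Test-DownloadPublisher` and the file-name pattern map are assumptions made for illustration.

```powershell
# Added example, not FreeFixer code. Checks whether the Authenticode signer of a
# download is the publisher its file name implies, and lists the certificate chain.

# Assumption: file-name pattern -> publisher expected in the signer certificate.
$ExpectedPublisher = @{
    'flash.?player' = 'Adobe Systems Incorporated'
}

function Test-DownloadPublisher {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    $name = [System.IO.Path]::GetFileName($Path)
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    if ($null -eq $sig.SignerCertificate) {
        return [pscustomobject]@{ File = $name; Verdict = 'Unsigned'; Status = $sig.Status }
    }

    $cert   = $sig.SignerCertificate
    $signer = $cert.GetNameInfo('SimpleName', $false)   # subject name of the signer

    # Build the chain without revocation lookups so the check also works offline.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($cert)
    $issuers = @($chain.ChainElements |
        ForEach-Object { $_.Certificate.GetNameInfo('SimpleName', $false) })

    # A valid signature only proves who signed the file; compare that name
    # with the vendor the file name claims to come from.
    $verdict = 'NoExpectation'
    foreach ($pattern in $ExpectedPublisher.Keys) {
        if ($name -match $pattern) {
            $verdict = if ($signer -eq $ExpectedPublisher[$pattern]) { 'PublisherMatches' }
                       else { 'PublisherMismatch' }
        }
    }

    [pscustomobject]@{
        File    = $name
        Status  = $sig.Status             # Valid, NotSigned, HashMismatch, ...
        Signer  = $signer
        Chain   = $issuers -join ' <- '   # signer first, root last
        Verdict = $verdict
    }
}

# Usage: Get-ChildItem "$env:USERPROFILE\Downloads\*.exe" | ForEach-Object { Test-DownloadPublisher $_.FullName }
```

A file named like a Flash Player installer but signed by any other publisher comes back as `PublisherMismatch`, even when `Status` is `Valid`.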

LLC “SOFT TRADE LTD” – 5% Detection Rate – Amonetize

Hello! If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. Today I found another publisher called LLC “SOFT TRADE LTD”.

LLC SOFT TRADE LTD

Typically you’d see the LLC “SOFT TRADE LTD” publisher name appear when double-clicking on the FlashPlayer__6741_i1609075630_il45347.exe file. It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the LLC “SOFT TRADE LTD” certificate.

LLC SOFT TRADE LTD certificate

According to the certificate, the company is located in Ukraine. UserTrust and Comodo are found in the certificate chain:

SOFT TRADE LTD LLC cert chain

What caught my attention was that the download was called FlashPlayer__6741_i1609075630_il45347.exe. This might look like an official Adobe Flash Player download, but it is not. If it were an official download, it would be digitally signed by Adobe Systems Incorporated. Here’s what the authentic Adobe Flash Player looks like when you double-click on it. Notice that the “Verified publisher” says “Adobe Systems Incorporated”.
Adobe Systems Incorporated - Adobe Flashplayer Installer

Here’s what the LLC “SOFT TRADE LTD” installer looks like:

LLC SOFT TRADE LTD installer

ADWARE/Amonetize.Gen and a variant of Win32/Amonetize.HN potentially unwanted are some detection names according to VirusTotal:

LLC SOFT TRADE LTD anti-virus report

Did you also find an LLC “SOFT TRADE LTD” file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thank you for reading.

Gencolabs LLC – 30% Detection Rate

Welcome! If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. Today I found another publisher called Gencolabs LLC.

The following screenshot shows the User Account Control dialog when running the Gencolabs LLC file:

Gencolabs LLC publisher

Viewing the certificate information is also possible by looking under the digital signature tab for the file. Here the certificate says that Gencolabs LLC is located in Lewes in Delaware, US. Comodo has issued the certificate:

Gencolabs LLC cert

30% of the scanners detected the file. Avast detects breaking-bad-1-2-3-4-e-5-temporada-torrent-bdrip-bluray-720p-dual-udio.exe as NSIS:Downloader-ACE [PUP], NANO-Antivirus classifies it as Trojan.Nsis.Fraudster.dsyctt and Sophos classifies it as AdLoad (PUA).

Gencolabs LLC anti-virus report

Did you also find a Gencolabs LLC download? What kind of download was it?

Hope this blog post helped you avoid some unwanted software on your machine.

Thanks for reading.

LLC DE PROEKT – 39% Detection Rate – Amonetize / Strictor / PUP.Optional.Bundle

Hi there! Short on time this evening, but I just wanted to give you the heads up on a publisher called LLC DE PROEKT.

LLC DE PROEKT publisher

If you have an LLC DE PROEKT file on your machine you may have noticed that LLC DE PROEKT is displayed as the publisher in the UAC dialog when double-clicking on the file. The certificate is issued by COMODO RSA Code Signing CA. The publisher is located in Ukraine.

LLC DE PROEKT cert

The problem here is that if FlashPlayer__6741_i1561835113_il7532.exe really was a setup file for Adobe Flash Player, it should have been digitally signed by Adobe Systems Incorporated and not by some unknown company. This looks suspicious. Here’s what the authentic Adobe Flash Player looks like when you double-click on it. Notice that the “Verified publisher” says “Adobe Systems Incorporated”.
Adobe Systems Incorporated - Adobe Flashplayer Installer

The issue with the LLC DE PROEKT file is that it is detected by many of the antimalware programs. Here are some of the detection names: Trojan.Application.Strictor.D164B3, BundleApp.IVU, W32.HfsAdware.B493, Gen:Variant.Application.Strictor, PUP.Optional.Bundle and Amonetize (fs).

LLC DE PROEKT virustotal report

Did you also find a download that was digitally signed by LLC DE PROEKT? What kind of download was it and was it detected by the anti-viruses at VirusTotal? Please share by posting a comment.

Thanks for reading.

Update 2015-08-18: Found another download today, also signed by LLC DE PROEKT and also using “Flash” in the filename to confuse users. The detection rate for this file was 25% according to VirusTotal:

LLC DE PROEKT av report update

When I ran the installer it disclosed that it bundled a bitcoin miner or some other type of cryptocurrency miner:

LLC DE PROEKT bitcoin miner

Just a quick update on the certificate chain. It begins with UserTrust, then Comodo and then LLC DE PROEKT:

LLC DE PROEKT certificate chain