Tag Archives: Dublin

RUn apps fOrevEr Lld – 35% Detection Rate

Hi there! Just a quick post on a file named Medal Of Honour PC Game Full version Free Download.exe signed by RUn apps fOrevEr Lld.

The following screenshot shows the User Account Control dialog when running the RUn apps fOrevEr Lld file:

RUn apps fOrevEr Lld publisher

It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the RUn apps fOrevEr Lld certificate.

RUn apps fOrevEr Lld cert

The VirusTotal report shows that the RUn apps fOrevEr Lld file should be avoided, since Medal Of Honour PC Game Full version Free Download.exe is detected as Trojan.OutBrowse.1613 by DrWeb, Downloader.AAPP by AVG, SoftwareBundler:Win32/Outbrowse by Microsoft, OutBrowse by VIPRE and HEUR/QVM42.0.Malware.Gen by Qihoo-360.

RUn apps fOrevEr Lld anti-virus report

Did you also find a file that was digitally signed by RUn apps fOrevEr Lld? What kind of download was it and was it reported by the anti-malware scanners at VirusTotal? Please share by posting a comment.

Thanks for reading.

SaFE clIck LoL – 36% Detection Rate

Welcome! Just wanted to give you the heads up on files digitally signed by SaFE clIck LoL.

SaFE clIck LoL publisher

You will also see SaFE clIck LoL listed as the verified publisher in the User Account Control dialog that pops up if you try to run the file. It’s possible to view additional information about the embedded certificate by right-clicking on the file, choosing Properties and then clicking on the Digital Signatures tab. According to the certificate we can see that SaFE clIck LoL appears to be located in Dublin, Ireland and that the certificate is issued by thawte SHA256 Code Signing CA.

SaFE clIck LoL cert

The problem with the SaFE clIck LoL file is that it is detected by many of the antimalware scanners. Here are some of the detection names: Downloader.AAPP, PUA/Outbrowse.Gen, SoftwareBundler:Win32/Outbrowse and OutBrowse.

SaFE clIck LoL anti-virus report

Did you also find a SaFE clIck LoL file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thanks for reading.

ClIck to StaRt – 24% Detection Rate – OutBrowse

Hello readers! Just a quick post on a publisher called ClIck to StaRt that I found while running some tests for the upcoming FreeFixer release. The suspicious file is named Animal Porn On Android.exe.

The following screenshot shows the User Account Control dialog when running the ClIck to StaRt file:

ClIck to StaRt publisher

To get more details on the publisher, you can view the certificate by right-clicking on the file and looking under the Digital Signatures tab. The screenshot below shows the ClIck to StaRt certificate. From the certificate info we can see that ClIck to StaRt appears to be located in Dublin, Ireland.

ClIck to StaRt certificate

The reason I’m writing this blog post is that the ClIck to StaRt file is detected by many of the anti-virus programs at VirusTotal. AVG reports Luhe.Fiha.A, McAfee reports Adware-OutBrowse.h, Avast names Animal Porn On Android.exe as Win32:Malware-gen, ClamAV detects it as Win.Adware.Outbrowse-1167 and DrWeb detects it as Trojan.OutBrowse.1694.

ClIck to StaRt anti-virus report

Did you also find a ClIck to StaRt file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thanks for reading.

BeST ApP – 32% Detection Rate – OutBrowse

Hello! Just a quick post on a publisher called BeST ApP that I found while running some tests for the upcoming FreeFixer release. The suspicious file is named Player.exe.

Best App download

You will also see BeST ApP listed as the verified publisher in the User Account Control dialog that pops up if you try to run the file. It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the BeST ApP certificate.

BeST ApP certificate

Downloader.UVA, Generic PUA OP (PUA) and OutBrowse are some detection names according to VirusTotal:

BeST ApP anti-virus report

Did you also find a file digitally signed by BeST ApP? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Thanks for reading.

BEst inSTall TLl – 49% Detection Rate

Hello readers! If you are a regular here on the FreeFixer blog you know that I’ve been looking at the certificates used to sign files that bundle various types of unwanted software. Today I found another certificate, used by a publisher called BEst inSTall TLl.

BEst inSTall TLl publisher

If you have a BEst inSTall TLl file on your machine you may have noticed that BEst inSTall TLl is displayed as the publisher in the UAC dialog when double-clicking on the file. You can also check the digital signature under the file’s properties. According to the embedded certificate we can see that BEst inSTall TLl is located in Dublin, Ireland and that the certificate is issued by thawte SHA256 Code Signing CA.

BEst inSTall TLl certificate

Thawte has issued the certificate.

BEst inSTall TLl cert chain

So, what do the anti-virus programs say about the BEst inSTall TLl file? No problem, I just uploaded the file to VirusTotal and it turned out that many of the anti-virus programs detect the BEst inSTall TLl file, with names such as NSIS:OutBrowse-DQ [PUP], Downloader.QWU, Gen:Variant.Adware.Mikey.21084, HEUR/QVM30.1.Malware.Gen and Generic PUA AA (PUA).

BEst inSTall TLl anti-virus report

Did you also find a BEst inSTall TLl file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thanks for reading.

Update 2015-08-18: Found another download, also signed by BEst inSTall TLl, claiming to be an episode of a famous TV series. The detection rate for this file was 45%. Notice that the installer does not have any button to cancel the installation.

BEst inSTall TLl installer window

starT PlaYInG – 53% Detection Rate – Mikey / PUGO / OutBrowse

Hi there! Just wanted to let you know about a publisher called starT PlaYInG before going back to writing some code for FreeFixer.

starT PlaYInG publisher

If you have a starT PlaYInG file on your machine you may have noticed that starT PlaYInG is displayed as the publisher in the UAC dialog when double-clicking on the file. It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the starT PlaYInG certificate.

starT PlaYInG certificate

Thawte has issued the certificate:

starT PlaYInG thawte

If you are considering running the starT PlaYInG signed file, I’ll advise you not to. Delete it instead. Just check out the detection list from some of the anti-virus programs:

Avast reports Player.exe as NSIS:OutBrowse-DQ [PUP], AVG calls it Downloader.OPP, BitDefender detects it as Gen:Variant.Adware.Mikey.21084, Cyren reports W32/Adware.PUGO-0761 and VIPRE reports OutBrowse (fs).

starT PlaYInG anti-virus report

Did you also find a starT PlaYInG file?

Thank you for reading.

SAfe downlOAd gtL – 52% Detection Rate – Outbrowse

Hello readers! Just wanted to let you know about a publisher called SAfe downlOAd gtL before going back to writing some code for FreeFixer.

The following screenshot shows the User Account Control dialog when running the SAfe downlOAd gtL file:

SAfe downlOAd gtL publisher

By examining the certificate, we can see that SAfe downlOAd gtL is located in Dublin, Ireland. The certificate is issued by thawte SHA256 Code Signing CA.

SAfe downlOAd gtL cert

The reason I’m writing this blog post is that the SAfe downlOAd gtL file is detected by many of the anti-malware scanners at VirusTotal. ESET-NOD32 classifies Player.exe as a variant of Win32/OutBrowse.CB potentially unwanted, Malwarebytes detects it as PUP.Optional.Outbrowse and Sophos calls it Generic PUA OC.

SAfe downlOAd gtL anti-virus report

Did you also find a SAfe downlOAd gtL file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thank you for reading.

GLobal appS Roi – 27% Detection Rate – Downloader.MTU / HfsAdware / OutBrowse

Hi there! If you’ve been following my recent posts here on the FreeFixer blog, you know that I’ve been looking at files that have a valid digital signature and bundle various types of potentially unwanted programs. A few days ago I found another publisher named GLobal appS Roi.

GLobal appS Roi publisher

If you have a GLobal appS Roi file on your machine you may have noticed that GLobal appS Roi is displayed as the publisher in the UAC dialog when double-clicking on the file. You can also see the GLobal appS Roi certificate by looking under the Digital Signatures tab in the file’s properties. According to the certificate, GLobal appS Roi is located in Dublin, Ireland.

GLobal appS Roi cert

These are the current VirusTotal detections for the file, with Downloader.MTU, W32.HfsAdware.4546, Trojan.OutBrowse.760 and Adware-OutBrowse.g as a few of the detection names for the Player.exe file.

GLobal appS Roi signature report

Did you also find a GLobal appS Roi file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thanks for reading.

COnfirmED APp nLn – 18% Detection Rate – OutBrowse

Hi there! Lately I’ve been looking at the digital signatures on those files that push various types of unwanted programs. This morning I found a new file called Player.exe, digitally signed by COnfirmED APp nLn.

The following screenshot shows the User Account Control dialog when running the COnfirmED APp nLn file:

COnfirmED APp nLn publisher

You can also check the digital signature under the file’s properties. According to the certificate we can see that COnfirmED APp nLn seems to be located in Ireland and that the certificate is issued by thawte SHA256 Code Signing CA.

COnfirmED APp nLn cert

The problem with the COnfirmED APp nLn file is that it is detected by many of the antivirus programs. Here are some of the detection names: Downloader.LIR, PUA.OutBrowse.A and Adware-OutBrowse.g.

COnfirmED APp nLn anti-virus detection

Since you probably came here after finding a file that was signed by COnfirmED APp nLn, please share what kind of download it was and if it was detected by the antivirus scanners at VirusTotal.

Thank you for reading.

just accepT – 12% Detection Rate – OutBrowse

Hi there! Short on time today, but I just wanted to give you the heads up on a publisher called just accepT.

just accepT publisher

You can see who the signer is when double-clicking on an executable file. just accepT appears in the publisher field in the dialog that pops up. You can also see the just accepT certificate by looking under the Digital Signatures tab in the file’s properties. According to the certificate, just accepT is located in Dublin in Ireland.

just accepT certificate

After uploading the just accepT file – Player.exe – to VirusTotal, it was clear that it’s probably better to delete the file than to run it. The detection rate was 12% and some of the detection names were: Downloader.HFI and Artemis!83841CFEAEC6.

just accepT virus total

Did you also find a just accepT file?

Thank you for reading.
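
The posts above share a pattern: a validly signed file whose publisher name has erratic capitalisation, a Dublin locality in the certificate, and thawte SHA256 Code Signing CA as issuer. The following is an added example, not code from FreeFixer or from the original posts, that triages signer subject and issuer strings against that pattern. It assumes the strings were already exported from the files' certificates; the sample subjects, their DN layout and the two "Example" signers are constructed for illustration.

```python
import re

# One RDN of a Windows-style subject string: KEY=value; values containing
# commas are wrapped in double quotes.
_RDN = re.compile(r'\s*([A-Za-z0-9.]+)\s*=\s*("(?:[^"]|"")*"|[^,]*)\s*(?:,|$)')

def parse_dn(dn):
    """Return {ATTRIBUTE: value} for a subject such as 'CN=Foo, L=Dublin, C=IE'."""
    fields = {}
    for key, value in _RDN.findall(dn):
        if value.startswith('"'):
            value = value[1:-1].replace('""', '"')
        fields.setdefault(key.upper(), value.strip())
    return fields

def odd_case_words(name):
    """Words that are neither lower, UPPER nor Capitalized, e.g. 'clIck'."""
    words = re.findall(r"[A-Za-z]{2,}", name)
    return [w for w in words if not (w.islower() or w.isupper() or w[1:].islower())]

def triage(subject, issuer):
    """Return the reasons a signer resembles the publishers in these posts."""
    s = parse_dn(subject)
    odd = odd_case_words(s.get("CN", ""))
    context = []
    if s.get("L", "").lower() == "dublin":
        context.append("locality Dublin")
    if "thawte sha256 code signing ca" in issuer.lower():
        context.append("issuer thawte SHA256 Code Signing CA")
    # Odd casing alone also hits legitimate camel-case brands, so require context.
    return ["odd-case words: " + ", ".join(odd)] + context if odd and context else []

THAWTE = "CN=thawte SHA256 Code Signing CA"  # constructed issuer string
# Constructed sample subjects: names from the posts, DN layout assumed.
SAMPLES = [
    ("CN=SaFE clIck LoL, L=Dublin, C=IE", THAWTE),
    ("CN=just accepT, L=Dublin, C=IE", "CN=Unknown CA"),  # issuer not stated in the post
    ("CN=COnfirmED APp nLn, C=IE", THAWTE),
    ('CN="Example Software, Ltd.", L=Dublin, C=IE', THAWTE),       # hypothetical
    ("CN=ExampleWare Inc, L=Springfield, C=US", "CN=Example CA"),  # hypothetical
]

def flagged(samples=SAMPLES):
    """Publisher names whose signer matches the pattern, for follow-up scanning."""
    return [parse_dn(sub)["CN"] for sub, iss in samples if triage(sub, iss)]

if __name__ == "__main__":
    for sub, iss in SAMPLES:
        print(parse_dn(sub)["CN"], "->", triage(sub, iss) or "no match")
```

A match is only a reason to scan the file before running it, as the posts do with VirusTotal; a valid signature or a clean triage result says nothing about whether the file is safe.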