Tag Archives: Eldorado

Stepan Rybin – 44% Detection Rate – MultiPlug / Adware.Mikey

Hello! Did you see a file, such as WhatsApp.exe, on your system signed by Stepan Rybin? Then read on..

I found this Stepan Rybin file while reviewing some of the submissions to the FreeFixer web site. I thought it looked a little bit like a typical “MultiPlug” adware file and the VirusTotal scan result showed that was the case. Ad-Aware reports WhatsApp.exe as Gen:Variant.Adware.Mikey.7658, Avast calls it Win32:MultiPlug-TP [PUP], Cyren names it W32/S-05e718fa!Eldorado, F-Prot calls it W32/S-05e718fa!Eldorado and Sophos detects it as MultiPlug.

Stepan Rybin anti-virus report

Did you also find a Stepan Rybin download? Do you remember where you downloaded it? Please post the URL in the comments below. I’d like to install this download on my lab machine to have a closer look at it.

Thank you for reading.

Fileadventure – Fake Java Update – 38% Detection Rate

Hello! Just a short note on a publisher called Fileadventure.

Fileadventure publisher

If you have a Fileadventure file on your machine you may have noticed that Fileadventure is displayed as the publisher in the UAC dialog when double-clicking on the file. You can also look at the Fileadventure certificate and digital signature by looking under the Digital Signatures tab on the file’s properties. According to the certificate, Fileadventure is located in Kansas City, USA.

Fileadventure certificate

The problem here is that if setup.exe really was an installer file for Java, it would be digitally signed by Oracle America Inc. and not by some unknown company.

The Fileadventure file was promoted by adware that showed a pop-up in the browser saying “Your Java Version is Outdated“. The pop-up opened up a faked Java update site.

Your Java Version is Outdated

When I uploaded the Fileadventure file to VirusTotal, it came up with a 38% detection rate. The file is detected as Win32:IBryte-HL [PUP] by Avast, W32/A-138dbbfa!Eldorado by F-Prot, PUP.Optional.iBryte by Malwarebytes and AdKnowledge (fs) by VIPRE.

Fileadventure virustotal

Did you also find a Fileadventure file? Was it also promoted as a “Java Update”?

Thanks for reading.

R2D2 Tech Software LLC – 27% Detection Rate – Eldorado/InstallBrain

Hi there! Just a note post this morning on a publisher called R2D2 Tech Software LLC. The R2D2 Tech Software LLC download – CodecPerformerSetup.exe – was detected when I uploaded it to VirusTotal. Did you also find a download by R2D2 Tech Software LLC? Was it also detected when you uploaded it to VirusTotal?

R2D2 Tech Software publisher in the UAC dialog

If you have a R2D2 Tech Software LLC file on your machine you may have noticed that R2D2 Tech Software LLC is displayed as the publisher in the UAC dialog when double-clicking on the file. Viewing the certificate information is also possible by looking under the digital signature tab for the file. Here the certificate says that R2D2 Tech Software LLC is located in Beaverton, Oregon, USA.

R2D2 Tech Software certificate shows the publisher is from the US

So, why am I writing about the R2D2 Tech Software LLC file? Check out what the anti-virus scanners report about the file:

R2D2 Tech Software LLC VirusTotal - InstallBrain, Eldorado

F-Prot reports CodecPerformerSetup.exe as W32/A-3442f84d!Eldorado, Qihoo-360 classifies it as Malware.QVM06.Gen and VIPRE detects it as InstallBrain (fs) are a few of the detection names for CodecPerformerSetup.exe.

Did you also find an R2D2 Tech Software LLC? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thank you for reading.

ICS Setup – 16% Detection Rate By VirusTotal

Hello! Just a quick post on a file named ChromeSetup.exe signed by ICS Setup before calling it a day. This is how  appears when running the file:

ICS Setup

To get more details on the publisher, you can view the certificate by right-clicking on the file, and looking under the Digital Signatures tab. According to the certificate we can see that ICS Setup seems to be located in Tel-Aviv, Israel and that the certificate is issued by COMODO Code Signing CA 2.

ICS Setup certificate

9 of the anti-virus scanners detected the file. Some of the detection names for the ChromeSetup.exe file are W32/InstallCore.AC.gen!Eldorado, BehavesLike.Win32.CryptInno.bc and InstallCore.b (fs).

ICS Setup virustotal

Did you also find a ICS Setup file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thank you for reading.

Remove Browser App Adware

Getting  ads labled “Ad by Browser App” or “Ads by Browser App“, like in the screenshots below:

Browseri_Appe Ad by Browser App

Browseri_Appe Ads by Browser App

Then you have the BrowserApp adware installed on your machine. You will also Browser App listed as a browser add-on. Here it is in Firefox:

Browseri_Appe 1.2 Firefox

The detection rate by the anti-virus programs are currently very low. Only 3 of the 50+ anti-virus scanners at VirusTotal detects the Browser App files. Eldorado and Crossrider are two of the detection names:

Browser App virus total report

How to remove Browser App? No problem, just selected the Browser App files in FreeFixer and you will no longer see the ads:

Browseri_Appe tasks Browseri_Appe firefox extensions Browseri_Appe browser helper objectHow did you get the BrowserApp adware on your machine?

These are the variants I’ve found:

  • Browser_AppS 1.1
  • Browseri_Appe 1.2
  • Browsers App
  • Browsers Apps +



Context2pro, conadvanced.exe, contextprod.exe and contextfr.exe – Removal Instructions

Just a quick post. Found something called Cyclon or Context2Pro bundled in a free download. This is how it appeared in the installer.

Context2pro Cyclon Installer

Clicking the EULA link opened up a 404 Not Found page. Once installed I noticed pop-ups from markettizer.net.

markettizer.net pop up

The anti-virus programs have a relatively good detection rate for Context2Pro:

Context2Pro Contextprod.exe VirusTotal scan result

To remove Context2Pro, check conadvanced.exe, contextprod.exe and contextfr.exe for removal in FreeFixer. During my testing there was no entry in the Add/Remove programs dialog for Context2pro.

context2pro startups - contextfr.exe, conadvanced.exe and contextprod.exe Context2Pro processes contextadvanced.exe

How did you get Context2Pro on your computer?