Tag Archives: InstallCore

Webcellence Ltd. – Detected by AVG, NOD32 and DrWeb

Hi there! If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. A few days ago I found another publisher called Webcellence Ltd..

Webcellence Ltd. UAC prompt

To get more details on the publisher, you can view the certificate by right-clicking on the file, and looking under the Digital Signatures tab: According to the certificate we can see that Webcellence Ltd. is located in Moshav Ora, Israel and that the certificate is issued by VeriSign Class 3 Code Signing 2010 CA.

Webcellence Ltd. certificate - adobe_flash_player.exe

The reason I’m writing this blog post is that the Webcellence Ltd. file is detected by a few of the anti-virus progams at VirusTotal. DrWeb classifies adobe_flash_player.exe as Trojan.MulDrop5.38502 and ESET-NOD32 calls it a variant of Win32/InstallCore.QD.

Webcellence Ltd virus totalAlthough the file is named adobe_flash_player.exe it’s not the official download for the Adobe Flash Player. The real flash player installer should be digitally signed by the Adobe company.

Did you also find an Webcellence Ltd.? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thank you for reading.

ICS Setup – 16% Detection Rate By VirusTotal

Hello! Just a quick post on a file named ChromeSetup.exe signed by ICS Setup before calling it a day. This is how  appears when running the file:

ICS Setup

To get more details on the publisher, you can view the certificate by right-clicking on the file, and looking under the Digital Signatures tab. According to the certificate we can see that ICS Setup seems to be located in Tel-Aviv, Israel and that the certificate is issued by COMODO Code Signing CA 2.

ICS Setup certificate

9 of the anti-virus scanners detected the file. Some of the detection names for the ChromeSetup.exe file are W32/InstallCore.AC.gen!Eldorado, BehavesLike.Win32.CryptInno.bc and InstallCore.b (fs).

ICS Setup virustotal

Did you also find a ICS Setup file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thank you for reading.

Advertiso GmbH – 15% Detection Rate at VirusTotal

Found another software publisher that bundles lots of potentially unwanted software. The publisher is called Advertiso GmbH and the file was called adobe-flash-player_setup.exe.

Advertiso GmbH

When I uploaded the file to VirusTotal, it came up with a 15% detection rate.

Advertiso GmbH virustotal

InstallCore seems to be the common detection name for the Advertiso GmbH file.

When I ran the Advertiso GmbH file it offered a bunch of bundled softwares, such as Web Finder Pro (Site Finder Pro), AdvanceElite, AstroMenda, PennyBee, etc. An in addition, it failed to install Adobe’s Flash Player, with the error “Installation encountered errors“:

adobe flash player installer failed - Installation encountered errors

Hope this helped figure out what the Advertiso GmbH installer will do to your system.

If you want to download the Flash Player, please do so from Adobe’s official web site:


Did you also find a file from Advertiso GmbH? What kind of download was it? Was it also detected by the anti-virus programs at VirusTotal? Please share in the comments below?

Update 2015-09-10: Found another download signed by Advertiso called chrome_download.exe. The detection rate for that file is 20%:

Advertiso GmbH anti-virus report


Symbolicom Holdings Limited – 7% Detection Rate at VirusTotal

Just wanted to let you know about a publisher called Symbolicom Holdings Limited before going back to writing some code for FreeFixer. When I uploaded the Symbolicom Holdings Limited file, named adobe_flash_player.exe, to VirusTotal it came up with a 7% detection rate.

Symbolicom Holdings Limited certificate for adobe_flash_player.exe Symbolicom Holdings Limited publisher in the UAC dialog Symbolicom Holdings Limited Virus Total Report

Some of the detection names are Trojan.MulDrop5a variant of Win32/InstallCore and  HEUR/Malware.QVM06.Gen.

Although the file name contains “adobe” and “flash” it’s not an official Adobe Flash download. The official Adobe Flash Player should be digitally signed by Adobe Inc.

Did you also find a Symbolicom Holdings Limited download? What kind of download was it?


Information Technology Systems – 16% Detection Rate at VirusTotal

Just a quick post on a faked Flash Player download, named adobe_flash_setup.exe, digitally signed by Information Technology Systems. This download was promoted with the following pop-up:

Faked Flash Update pop up windows

Information Technology Systems seems to be located in Montenegro based on the embedded certificate.

Information Technology Systems certificate, the publisher is located in montenegro

The current detection rate is 16% according to VirusTotal. InstallCore appears to be the most common detection name.

Information Technology Systems virus total report, InstallCore is one of the detection namesDid you also find a Information Technology Systems file? Do you remember where you downloaded it?




Information Technology Systems doo – VirusTotal Report

Just wanted to give you the heads up on a publisher called Information Technology Systems doo.

Information Technology Systems doo Publisher

According to the certificate, the publisher is located in Montenegro:

Information Technology Systems doo Certificate

This is the VirusTotal scan report for the Information Technology Systems doo file:

Information Technology Systems doo - VirusTotal

Generic.DAA, Unwanted-Program and  are some of the detection names.

Did you also find a file signed by Information Technology Systems doo? What kind of download was it? In my case, the download claimed to be the Flash Player installer.

Update 2014-09-03: Found a file promoted as a Java installer, signed by Information Technology Systems doo:

Information Technology Systems doo

The web page is hosted on softkopro.net. The file is called java_setup.exe and is detected by 10 of the 55 anti-virus programs at VirusTotal.

According to the web page, java_setup.exe is a downloader, rather than the real Java setup file:

“Coinis downloader is distributing a proprietary download manager that will take you to the official download of this program. Prior to taking you to the official download, we will offer optional sponsored software that you may be interested in. You are not required to install any additional software to receive your download.”

Update 2016-09-23: I’ve rescanned the java_setup.exe file. Now the detection rate is 31/57. Based on the scan result over at VirusTotal and by looking at the java_setup.exe executable file, it seems that the file contains the InstallCore software rather the Coinis downloader, contrary to what the web page at softkopro.net stated.

SuperCool Applications Publisher – Warning

This night I found a file claiming to be an installer for Adobe’s Flash Player. However, the file was not signed by Adobe as it should be. Instead SuperCool Applications appeared as the publisher:

SuperCool Applications Publisher

SuperCool Applications also appears under the digital signature tab. SuperCool Applications is located in Tel Aviv, Israel.

SuperCool Applications Digital Signature

Supercool Applications certificate says Tel Aviv, Israel

So, why should you avoid the SuperCool Applications “Flash Player” and instead download Flash from the official site? The anti-virus scanners should convince you:

SuperCool Applications virus total scan result.

Seven of the anti-virus programs detects the the SuperCool Applications file, and refers to it as Max Setup, InstallCore, Install Core Click run Software and PUP.Optional.InstallCore.

Hope this helped you to get the official Flash Player and skip the SuperCool Applications download.

Please let me know if you found this blog post useful.