Tag Archives: Ukraine

NEW SOFT Inkorporeishn, TOV – 11% Detection Rate – Amonetize

Welcome! If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. Today I found another publisher called NEW SOFT Inkorporeishn, TOV.

NEW SOFT Inkorporeishn, TOV publisher

You can see who the signer is when double-clicking on an executable file. NEW SOFT Inkorporeishn, TOV appears in the publisher field in the dialog that pops up. It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the NEW SOFT Inkorporeishn, TOV certificate.

NEW SOFT Inkorporeishn, TOV cert

So, why am I writing about the NEW SOFT Inkorporeishn, TOV file? Check out what the anti-malware software reports about the file:

NEW SOFT Inkorporeishn TOV anti-virus report

Here are a few of the detection names for Download Uc Browser V Handler Zip__15022_i1756037767_il542797.exe: SUPERAntiSpyware reports PUP.Amonetize/Variant, Malwarebytes classifies it as PUP.Optional.Amonetize, Qihoo-360 calls it HEUR/QVM10.1.Malware.Gen and DrWeb reports it as Trojan.Amonetize.11110.

Did you also find a NEW SOFT Inkorporeishn, TOV download? What kind of download was it?

Thanks for reading.

LLC “KIPER – SOFT” – 19% Detection Rate – PUP.Optional.Amonetize

Hello! Just a short post on a publisher called LLC “KIPER – SOFT”. I just found a download that was digitally signed by this publisher, and it turns out that it is detected by some anti-virus programs.

LLC KIPER - SOFT publisher

If you have an LLC “KIPER – SOFT” file on your computer you may have noticed that LLC “KIPER – SOFT” pops up as the publisher in the User Account Control dialog when running the file. The certificate is issued by COMODO RSA Code Signing CA. The company is located in Ukraine.

LLC KIPER - SOFT certificate

The scan result from VirusTotal below clearly shows why you should avoid the LLC “KIPER – SOFT” file. It is detected under names such as Generic.959, W32/Amonetize.AO.gen!Eldorado, PUP.Optional.Amonetize and Trojan.Win32.Amonetize.dytukr.

LLC KIPER SOFT anti-virus report

Did you also find a file digitally signed by LLC “KIPER – SOFT”? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Thank you for reading.

LLC “YUTA-SOFT” – 13% Detection Rate – BundleApp.NWS / Amonetize

Hi there! Just wanted to give you the heads up on a file called that’s digitally signed by LLC “YUTA-SOFT”.

LLC YUTA-SOFT publisher

Windows will display LLC “YUTA-SOFT” as the publisher when running the file. The certificate is issued by COMODO RSA Code Signing CA. And the company appears to be located in Ukraine.

LLC YUTA-SOFT certificate

For the time being, 7 of the scanners detected the file. AVG detects the Yuta Soft file as BundleApp.NWS, Panda reports Trj/Genetic.gen, ESET-NOD32 detects it as a variant of Win32/Amonetize.LP potentially unwanted, DrWeb reports Trojan.Amonetize.11077 and Malwarebytes detects it as PUP.Optional.Amonetize.

LLC YUTA-SOFT virus report

Did you also find an LLC “YUTA-SOFT” download? What kind of download was it?

Hope this blog post helped you avoid some unwanted software on your machine.

Thank you for reading.

LLC “TRUKONF SOFT” – 33% Detection Rate – AdLoad / PUP.Optional.Amonetize

Welcome! Just wanted to give you a heads-up on a suspicious file I found just now. The file is digitally signed by LLC “TRUKONF SOFT”.

LLC TRUKONF SOFT publisher

This is how it looks when double-clicking on the file and LLC “TRUKONF SOFT” appears as the publisher. Viewing the certificate information is also possible by looking under the digital signature tab for the file. Here the certificate says that LLC “TRUKONF SOFT” is located in Ukraine.

LLC TRUKONF SOFT certificate

The reason I’m writing this blog post is that the LLC “TRUKONF SOFT” file is detected by many of the antimalware programs at VirusTotal. VBA32 names it SScope.Trojan.Zbot.gen, Baidu-International detects the file as PUA.Win32.Amonetize.LI, Kaspersky calls it not-a-virus:Downloader.Win32.AdLoad.rppk, Sophos calls it Generic PUA JA (PUA), Panda reports PUP/Multitoolbar and Malwarebytes detects it as PUP.Optional.Amonetize.

LLC TRUKONF SOFT anti-virus report

Did you also find an LLC “TRUKONF SOFT” file?

Thank you for reading.

LLC “DIVAROS SOFT” – 9% Detection Rate – PUP.Optional.LoadMoney

Hello! Having a quick break from the programming I’m doing right now. I’m doing some work on the freefixer.com web site. Just wanted to give you the heads up on a publisher called LLC “DIVAROS SOFT” that I ran into this morning:

LLC DIVAROS SOFT publisher

You will also see LLC “DIVAROS SOFT” listed as the verified publisher in the User Account Control dialog that pops up if you try to run the file. It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the LLC “DIVAROS SOFT” certificate. As you can see, LLC DIVAROS SOFT is located in Kiev, Ukraine.

LLC DIVAROS SOFT certificate

Comodo has issued the certificate.

So, why am I writing about the LLC “DIVAROS SOFT” file? Check out what the anti-virus software reports about the file:

LLC DIVAROS SOFT anti-virus report

Here are a few of the detection names for the file: Avira calls it ADWARE/Amonetize.Gen7, AVG names it Generic.A6F, VBA32 calls it SScope.Downware.Amonetize and Malwarebytes calls it PUP.Optional.LoadMoney.

Did you also find an LLC “DIVAROS SOFT” file?

Thanks for reading. Now, back to coding…

LLC “B2B SOFT UA” – 14% Detection Rate

Hello readers! Just a short post before I call it a day. I found yet another file that bundled a bunch of unwanted programs, and the file was signed by LLC “B2B SOFT UA”.

LLC B2B SOFT UA publisher

You will also see LLC “B2B SOFT UA” listed as the verified publisher in the User Account Control dialog that pops up if you try to run the file. The certificate is issued by COMODO RSA Code Signing CA. The company is located in Kiev, Ukraine:

LLC B2B SOFT UA certificate

The VirusTotal report shows that the LLC “B2B SOFT UA” file should be avoided, since How I Met Your Mother S09E22 HDTV x264KILLERS[ettv]__15022_i1707449201_il379351.exe is detected as ADWARE/Amonetize.Gen by Avira, PE:Malware.RDM.15!5.15[F1] by Rising, HEUR/QVM10.1.Malware.Gen by Qihoo-360 and Trj/Genetic.gen by Panda.

LLC B2B SOFT UA virus report

Did you also find an LLC “B2B SOFT UA” file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thanks for reading.

Arkhigrad Proekt, TOV – 9% Detection Rate

Hello readers! Just wanted to give you the heads up on a publisher called Arkhigrad Proekt, TOV. Here’s how Arkhigrad Proekt, TOV appears in the UAC dialog when double-clicking on the Download__15022_i1683705761_il3.exe file:

Arkhigrad Proekt, TOV publisher

You can also view the certificate by right-clicking on the file, and looking under the Digital Signature tab. According to the embedded certificate we can see that Arkhigrad Proekt, TOV is located in Simferopol, Ukraine/Russia and that the certificate is issued by COMODO RSA Code Signing CA.

Arkhigrad Proekt, TOV certificate

Generic.3ED, ADWARE/Amonetize.Gen and PUP.Optional.Amonetize are some detection names according to VirusTotal:

Arkhigrad Proekt, TOV anti-virus report

Did you also find a file digitally signed by Arkhigrad Proekt, TOV? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Thank you for reading.

LLC “LEVADIYA-PROEKT” – 5% Detection Rate At VirusTotal

Hi there! If you are a regular here on the FreeFixer blog, you know that I’ve been examining files that have a digital signature and bundle various types of potentially unwanted software. Today I found another publisher named LLC “LEVADIYA-PROEKT” that bundles some software.

LLC LEVADIYA-PROEKT warning

You can also see the LLC “LEVADIYA-PROEKT” certificate by looking under the Digital Signature tab on the file’s properties. According to the certificate, LLC “LEVADIYA-PROEKT” is located in Lviv, Ukraine. Comodo has issued the certificate.

LLC LEVADIYA-PROEKT certificate

The issue is that FlashPlayer__6741_i1651201445_il1668.exe is not an official Adobe Flash Player download. If it was, it would have been digitally signed by Adobe Systems Incorporated. Here’s what the authentic Adobe Flash Player looks like when you double click on it. Notice that the “Verified publisher” says “Adobe Systems Incorporated”.
Adobe Systems Incorporated - Adobe Flashplayer Installer
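
The publisher comparison described above can also be scripted. This is an added example, not code from the original post: the function name `Test-ExpectedPublisher` and the path in the usage comment are assumptions. It reads the file's Authenticode signature with `Get-AuthenticodeSignature` and compares the signer's name with the publisher you expect.

```powershell
# Added example: compare a file's Authenticode signer with the publisher you expect.
# Test-ExpectedPublisher is a hypothetical helper name, not part of Windows or FreeFixer.
function Test-ExpectedPublisher {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    # Unsigned files carry no signer certificate, so both names stay empty.
    $signer = $null
    $issuer = $null
    if ($cert) {
        $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $signer = $cert.GetNameInfo($nameType, $false)   # subject name, as shown in the UAC dialog
        $issuer = $cert.GetNameInfo($nameType, $true)    # issuing CA, e.g. COMODO RSA Code Signing CA
    }

    # Order matters: a broken signature must never be reported as a publisher match.
    $verdict = if (-not $cert) { 'Unsigned' }
    elseif ($sig.Status -ne 'Valid') { 'InvalidSignature' }
    elseif ($signer -ne $ExpectedPublisher) { 'UnexpectedPublisher' }
    else { 'PublisherMatches' }

    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status
        Signer  = $signer
        Issuer  = $issuer
        Verdict = $verdict
    }
}

# Usage (the path is a placeholder for the installer you downloaded):
# Test-ExpectedPublisher -Path .\FlashPlayer_installer.exe -ExpectedPublisher 'Adobe Systems Incorporated'
```

A `PublisherMatches` verdict only confirms who signed the file. The files in these posts carry valid signatures and are still flagged by scanners, so an unexpected signer is the useful signal here.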

So, what do the anti-virus programs say about the LLC “LEVADIYA-PROEKT” file? No problem, I just uploaded the file to VirusTotal and it turned out that a few of the anti-virus programs detect the LLC “LEVADIYA-PROEKT” file, with names such as ADWARE/Amonetize.Gen and a variant of Win32/Amonetize.IQ potentially unwanted.

anti-virus scan LLC LEVADIYA-PROEKT

Did you also find an LLC “LEVADIYA-PROEKT” file?

Thank you for reading.

cpm.exe, CPUMiner and LLC “Kelte-Proekt” – Removal Instructions

I just ran into a Bitcoin miner this morning called cpm.exe. If you have cpm.exe on your machine, you’ll see it in the Task Manager:

cpm.exe task manager

The cpm.exe file is digitally signed by a Ukrainian company called LLC “Kelte-Proekt”:

LLC Kelte-Proekt cert

cpm.exe was bundled with an unofficial download of Google Chrome:

CPUMiner

You can easily remove cpm.exe with FreeFixer. Just select cpm.exe under “Registry Startups” and “Processes”.

Hope that helped you figure out what cpm.exe is, how it got onto your machine and how to remove it.

Thanks for reading.

LLC FOTO-TSENTR – 7% Detection Rate – QVM10.1.Malware.Gen / Amonetize

Welcome! Just a short post on a publisher called LLC `FOTO-TSENTR `. I just found a download named Moboroboexe__15022_i1619995140_il543480.exe that was digitally signed by this publisher, and it turns out that it is detected by some anti-virus programs.

LLC FOTO-TSENTR publisher

You may see LLC `FOTO-TSENTR ` appear as the publisher when double-clicking on the Moboroboexe__15022_i1619995140_il543480.exe file. To view more information about the embedded certificate you can right-click on the file, then choose Properties and then select the Digital Signatures tab. According to the certificate we can see that LLC `FOTO-TSENTR ` seems to be located in Ukraine and that the certificate is issued by COMODO RSA Code Signing CA.

LLC `FOTO-TSENTR ` cert

Here’s Comodo in the certificate chain:

LLC FOTO-TSENTR cert chain

The issue with the LLC `FOTO-TSENTR ` file is that it is detected by some of the anti-viruses. Here are some of the detection names: ADWARE/Amonetize.Gen, a variant of Win32/Amonetize.HU potentially unwanted and HEUR/QVM10.1.Malware.Gen.

LLC FOTO-TSENTR anti-virus report

Since you probably came here after finding a file that was digitally signed by LLC `FOTO-TSENTR `, please share what kind of download it was and if it was detected by the anti-malware programs at VirusTotal.

Thank you for reading.

Update 2015-09-08: I found another file signed by LLC FOTO-TSENTR. The detection rate has increased to 13/56:

LLC FOTO-TSENTR report