Monthly Archives: June 2014

Overall Media, Inc. – Bundling and VirusTotal detections.

A few days ago I found a download that was digitally signed by a company called Overall Media, Inc. What caught my attention was that the download was called SkypeSetup.exe and used the Skype icon for the installer file. This might look like an official Skype download, but it is not.

Overall Media, Inc. publisher using the logo

Overall Media, Inc. certificate

When running the Overall Media, Inc. SkypeSetup.exe file I could see that it bundled Search Protect and the Qone8.com web site.

Overall Media, Inc. Skype Download

Overall Media, Inc. installer bundling Search Protect

Overall Media, Inc. SkypeSetup.exe bundling Qone8.com

When running the Overall Media, Inc. file through the scanners at VirusTotal, 4 of the anti-virus programs detected the file:

Overall Media, Inc. VirusTotal detections

Did you also find an Overall Media, Inc. download? Where did you find it and what kind of download was it?
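The manual check the post walks through (publisher shown in the UAC dialog, certificate subject and location, issuer, VirusTotal lookup) as an added PowerShell triage script. This is example code written for this page, not code from the FreeFixer blog or tool; the table mapping imitated product names to the signer text you would expect from the real vendor is an assumption and a starting point only.

```powershell
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

# Assumed table: product names the posts saw imitated, mapped to text expected in the
# real vendor's signer subject. Extend it for your own environment.
$ExpectedPublisher = @{
    'skype'  = 'Skype'
    'chrome' = 'Google'
    'flash'  = 'Adobe'
}

$sig  = Get-AuthenticodeSignature -FilePath $Path
$hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

$result = [ordered]@{
    File       = Split-Path -Leaf $Path
    SHA256     = $hash        # look this up on VirusTotal for the detection ratio
    Status     = $sig.Status  # Valid, NotSigned, HashMismatch, UnknownError, ...
    Subject    = $null
    Issuer     = $null
    Location   = $null
    Suspicious = @()
}

if ($sig.SignerCertificate) {
    $cert = $sig.SignerCertificate
    $result.Subject = $cert.Subject
    $result.Issuer  = $cert.Issuer   # GlobalSign, VeriSign, ... in the posts above
    # Locality and country from the subject DN: the "Tenerife" / "Moscow, Russia" detail
    $parts = [regex]::Matches($cert.Subject, '(?:^|,\s*)(?:L|C)=([^,]+)') |
             ForEach-Object { $_.Groups[1].Value }
    $result.Location = $parts -join ', '
}

if ($sig.Status -ne 'Valid') {
    $result.Suspicious += "signature status is $($sig.Status)"
}

# An installer named after a product but signed by an unrelated company is the pattern
# behind SkypeSetup.exe and google_chrome.exe in these posts.
$name = $result.File.ToLower()
foreach ($product in $ExpectedPublisher.Keys) {
    if ($name -like "*$product*" -and $result.Subject -notlike "*$($ExpectedPublisher[$product])*") {
        $result.Suspicious += "name imitates '$product' but signer is '$($result.Subject)'"
    }
}

[pscustomobject]$result
```

Run it as `.\Check-Download.ps1 -Path .\SkypeSetup.exe`; a non-empty Suspicious field is the cue to look at the VirusTotal result before running the installer.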

Digital Plugin S.L Publisher – VirusTotal Detections

Sorry for not posting anything during the last few days. I’ve been having a few days off visiting friends and family. Before my time off I found another publisher called DIGITAL PLUGIN S.L that bundles some potentially unwanted programs. The file I found was called Player.exe and I could see DIGITAL PLUGIN S.L appear when double-clicking on the file.

Digital Plugin S.L Publisher


Update 2015-06-29: Found another download with the publisher name “Digital Plugin SL”.

Viewing the certificate information is also possible by looking under the digital signature tab for the file. Here the certificate says that DIGITAL PLUGIN S.L is located in Tenerife.

Digital Plugin S.L Certificate

Digital Plugin S.L Tenerife


And the certificate was issued by GlobalSign.

The reason for posting about DIGITAL PLUGIN S.L is that the file is detected by many of the anti-virus programs. Currently player.exe is detected by 13 of the 52 anti-virus scanners:

Digital Plugin S.L Virus Total detections

Hope you found this post useful.

Did you also find a download signed by DIGITAL PLUGIN S.L? What kind of download was it?

Update 2015-09-12: Today I noticed another download called google_chrome.exe, signed by Digital Plugin SL.

Digital Plugin SL cert again


This is another certificate, issued by VeriSign. VirusTotal reports a 19/57 detection ratio.

V.X. Technocom – Bundling, VirusTotal Detections and Digital Signature Information

If you’ve been following my recent posts here on the FreeFixer blog, you know that I’ve been looking at files that have a valid digital signature and bundle various types of potentially unwanted programs. A few days ago I found another publisher named V.X. Technocom that bundles software.

The file was called Game_of_Thrones_S04E02_HDTV_x264-2HD[ettv].exe.

If you have a V.X. Technocom download on your computer you may have noticed that Closed Joint-Stock Company “V.X. Technocom” appears as the publisher in the UAC dialog when double-clicking on the file.

V.X. Technocom Publisher

You can also see the V.X. Technocom certificate by looking under the Digital Signature tab on the file’s properties. According to the certificate, V.X. Technocom is located in Moscow, Russia.

v.x.-technocom-digital-signature

v.x.-technocom-moscow-russia

These are the current VirusTotal detections for the file. Adware/Savy.ahdd and GetPrivate are the detection names used by AntiVir and VIPRE:

v.x.-technocom-closed-joint-stock-company-getprivate-adware-savy.ahdd

Since the download was detected I decided to give it a try to see what it installed. During my test I could see AduckySweet-Page, ShopperFriend and Block-N-Surf, as shown in the screenshots below:

v.x.-technocom is bundling SweetPage

v.x.-technocom is bundling Block-N-Surf

v.x-technocom ShopperFriendaducky

After accepting the offers a bunch of new files and settings appeared. Here are some of the files:

  • WindowsUpdater.exe
  • winsystem.exe
  • svcsystem.exe
  • PluginService.exe
  • privoxy.exe

A bunch of new ads also started to pop up, labeled monkeytize and RightCoupon.

Monkeytize Ads

You can remove these unwanted ads, files and settings with help from the FreeFixer tool.

Where did you find the V.X. Technocom download? What kind of download was it?

How To Remove Bellaphant Adware

Found another adware variant called Bellaphant today. It was bundled with a download called MediaFinder. Here’s how Bellaphant is disclosed in the MediaFinder installer:

Bellaphant is bundled with Media Finder

According to the disclosure, Bellaphant

provides special offers and coupons, website ratings and reviews, multi-site searching, comparison shopping and related search results. Additional features may be auto-enabled after installing.

13 of the 51 anti-virus programs are clearly aware of the Bellaphant adware, as you can see in the scan result from VirusTotal:

Bellaphant VirusTotal scan result

If you have Bellaphant on your machine you can see it in Mozilla Firefox’s and Internet Explorer’s Add-Ons menu:

bellaphant appears as a firefox addon

bellaphant also appears as an Internet Explorer add-on

If you’d like to remove Bellaphant with FreeFixer, you can just check the Mozilla Firefox extension and the Internet Explorer browser helper object called bellaphantbho.dll:

bellaphant in FreeFixer

Select Bellaphantbho.dll to remove Bellaphant from Internet Explorer

I found Bellaphant bundled with MediaFinder. How did you get Bellaphant on your machine?

Adobe Flash Player Packages – What is it?

Did you find something called Adobe Flash Player Packages in the programs list and wonder what it is? Chances are that this was added when downloading and installing an unofficial Adobe Flash Player. Here’s how Adobe Flash Player Packages appears in the programs list:

Adobe Flash Player Packages

To avoid this in the future, please keep in mind to always download software from its official site. For example, get the Adobe Flash Player from http://get.adobe.com/se/flashplayer/

How did you get Adobe Flash Player Packages on your machine?


What is Site Matcher Pro? – Removal Instructions

Did you just find something called Site Matcher Pro in Mozilla Firefox’s Add-on dialog?

site-matcher-pro-1.0

Site Matcher Pro is a piece of software that suggests similar web sites based on the sites that you are currently browsing.

How did you get Site Matcher Pro on your computer? I found it bundled with an unofficial Adobe Flash Player download. The Flash download was signed by the SuperCool Applications publisher. Here’s a screenshot of Site Matcher Pro appearing in the installer:

Site Matcher Pro is bundled with an unofficial Adobe Flash Player download.

If you’d like to remove Site Matcher Pro, you can do so from inside Firefox, or by selecting the Site Matcher Pro extension for removal in FreeFixer:

Site Matcher Pro appears in FreeFixer's scan result

Hope this helped you to figure out what Site Matcher Pro is and how to remove it.

Update 2014-10-06: Found Site Matcher Pro in another installer:

site matcher pro

Greener Web – Adware Removal Instructions

Another adware find this morning. This one is called Greener Web. You might have noticed Greener Web when starting up Firefox and being asked to install Greener Web, or in Firefox’s and Internet Explorer’s add-on dialog:

Greener Web 1.0.1 in Firefox

Greener Web appears as an Internet Explorer Add-On

Greener Web 1.0.1 Firefox Addon

Many of the anti-virus programs over at VirusTotal detect the Greener Web adware, as you can see in the scan result for GreenerWebbho.dll:

greener-web-virustotal

I found GreenerWeb bundled in an unofficial Adobe Flash Player download. The installer file, AdobeFlashPlayer.exe was digitally signed by SuperCool Applications. Here’s how GreenerWeb was disclosed in the installer:

GreenerWeb installer disclosure

How did you get Greener Web on your computer? Please let me and the readers know by posting a comment.

You can remove Greener Web with FreeFixer. Just select the Greener Web files for removal and click the Fix button and Greener Web will not bother you any more:

Greener Web Firefox Ext in FreeFixer

greenerwebbho.dll in FreeFixer

Hope this helped you figure out what Greener Web is and how it is distributed.
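The Bellaphant and Greener Web posts both end at an Internet Explorer browser helper object (bellaphantbho.dll, GreenerWebbho.dll). As an added example, written for this page and not part of FreeFixer, this PowerShell script lists every registered BHO, resolves its CLSID to the DLL that Internet Explorer loads, and reports the DLL’s signature status and signer; the registry locations searched for the CLSID are an assumption of the example. It is read-only and removes nothing.

```powershell
# Keys where BHOs are registered (64-bit and 32-bit views). Each subkey is a CLSID.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
# Where a CLSID's InProcServer32 (the DLL path) may be registered; assumed search order.
$classRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
    'HKCU:\SOFTWARE\Classes\CLSID'
)

function Get-BhoReport {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($entry in Get-ChildItem -Path $key) {
            $clsid = $entry.PSChildName
            $dll = $null
            foreach ($root in $classRoots) {
                $server = Join-Path $root "$clsid\InProcServer32"
                if (Test-Path $server) {
                    $dll = (Get-ItemProperty -Path $server).'(default)'
                    break
                }
            }
            $dll    = [Environment]::ExpandEnvironmentVariables("$dll")
            $status = 'dll not found'
            $signer = 'n/a'
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                # Unsigned, or signed by a publisher you do not recognise, is the cue to look closer.
                $sig    = Get-AuthenticodeSignature -FilePath $dll
                $status = $sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            [pscustomobject]@{
                CLSID  = $clsid
                DLL    = $dll
                Status = $status
                Signer = $signer
            }
        }
    }
}

Get-BhoReport | Format-Table -AutoSize
```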

Media_Play_AIR+ – Removal Instructions

Just wanted to let you know about a new adware variant called Media_Play_AIR+ that I found tonight. 8 of the 50 anti-virus scanners at VirusTotal detect the Media_Play_AIR_1.1-bg.exe file, which you may see in the Windows Task Manager:

media_play_air+-virustotal

Some of the anti-virus programs call Media_Play_AIR+ Artemis, CrossRider and AppRider.

These are the variants I’ve found so far:

  • Media_Play_AIR+_1.1
  • Mediaa_Play_AIR_1.4

I found Media_Play_AIR+ bundled with a Zip/Unzip utility. The setup file was digitally signed by CloverMedia SL. How did you get Media_Play_AIR on your computer?

The Media_Play_AIR+ files are digitally signed by the individual developer SIMONA-VIORICA MARIN, who according to the certificate is located in Bucharest, Romania.

Media_Play_AIR+_1.1-bg.exe certificate

You can remove Media_Play_AIR+ with FreeFixer. Just select the Media_Play_AIR+ files as shown in the screenshots. Most of the files are located in c:\Program Files\Media_Play_AIR+_1.1, or in c:\Program Files (x86)\Media_Play_AIR+_1.1 on 64-bit Windows.

media_player_air+ in Firefox

media_play_air+-bho

media_play_air+

Media_Play_AIR+ is a variant of MPlayerPlus. Since the removal procedure is the same, I’ll link to that removal video, where you can see FreeFixer in action removing the adware:

Hope you found this useful.

How To Remove NewPlayer Ads

Did you see a new type of ads labeled Ads by NewPlayer popping up recently on your computer, even on web sites that normally don’t show any ads? Then you have the NewPlayer adware on your machine. The two types of NewPlayer ads that I’ve seen are a standard banner (to the left), and the Nav-Links roll-over ad type (to the right), as shown in the screenshot below.

Ads by NewPlayer

Removing NewPlayer is a one-minute job with FreeFixer. All you need to do is to select the NewPlayer files for removal, and then hit the Fix button. The filenames for NewPlayer can vary somewhat. In my case they were called NewPlayerFT171.exe, NewPlayerV40.exe and NewPlayerLwruQw.exe. I’m sure you can identify them on your computer. Here are the NewPlayer files in the FreeFixer scan result:

NewPlayer.exe Service

NewPlayer Scheduled Tasks

Newplayer Process in FreeFixer

The detection rate for the NewPlayer adware appears to be pretty low. 3 of the 52 anti-virus scanners at VirusTotal detected the NewPlayer file. Avast refers to it as Win32:Adware-BQV, and Baidu and ESET-NOD32 call it AddLyrics.

newplayer-virus-total

How did you get NewPlayer on your computer?

New IT Limited Digital Signature – What does it bundle?

I was playing around and testing some downloads when I found a file signed by New IT Limited. This is how it looks when double-clicking on the file, with New IT Limited appearing as the publisher.

new it limited publisher

It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the New IT Limited certificate:

The New IT Limited certificate

New IT Limited appears to be located in Nicosia, Cyprus.

new it limited subject

What initially caught my interest was that the file was named Game of Thrones HDTV.. after the famous TV series Game of Thrones from HBO. 2 of the 51 scanners over at VirusTotal detected the New IT Limited file. Win32:FourShared-D [PUP] and a variant of Win32/4Shared.S were the detection names:

New IT Limited VirusTotal scan FourShared/4Shared

Since ESET-NOD32 and Avast detected the file I got curious and decided to run it. Turns out the installer bundled the Qone8 search engine:

new-it-limited-installer

Did you also find a download that was digitally signed by New IT Limited? What kind of download was it?

Thanks for reading!