Monthly Archives: January 2015

Dove Source (Fried Cooke Ltd.) – 4% Detection Rate – InstallCore

Hello readers! Short on time today this weekend, but I just wanted to give you the heads up on a publisher called Dove Source (Fried Cooke Ltd.). The signed file was named Skype_Setup.exe.

The certificate is rather new. It is valid from the 5th of January 2015. According to the cert, the company is located in Tel Aviv, Israel.

The problem here is that if Skype_Setup.exe really was an installer for Skype, it should be digitally signed by Skype Software Sarl and not by some unknown company. Here’s what the authentic Skype looks like when you double-click on it. Notice that the “Verified publisher” says “Skype Software Sarl”.
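The same publisher check can be scripted instead of read off the dialog. This is an added example, not code from the FreeFixer blog: the function name `Test-InstallerPublisher` is hypothetical, and comparing the expected name against the certificate subject's common name is an assumption of the example.

```powershell
# Added example (not from the original post): compare the Authenticode signer
# of a downloaded installer with the publisher the product is expected to have.
function Test-InstallerPublisher {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )

    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate

    $publisher = $null
    $validFrom = $null
    if ($cert) {
        # SimpleName returns the subject's common name, the string Windows
        # shows as "Verified publisher".
        $publisher = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName,
            $false)
        # A very recent start date, as with the certificate described above,
        # is worth noting alongside the name.
        $validFrom = $cert.NotBefore
    }

    [pscustomobject]@{
        Path             = $Path
        SignatureStatus  = $sig.Status
        Publisher        = $publisher
        CertValidFrom    = $validFrom
        # A valid signature from the wrong publisher still fails the check.
        PublisherMatches = ($sig.Status -eq 'Valid') -and
                           ($publisher -eq $ExpectedPublisher)
    }
}

# File name and expected publisher as given in the post.
Test-InstallerPublisher -Path .\Skype_Setup.exe -ExpectedPublisher 'Skype Software Sarl'
```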

The issue with the Dove Source (Fried Cooke Ltd.) file, in addition to using Skype’s name, is that it is detected by a few of the anti-malware scanners. Here are some of the detection names: ADWARE/InstallCore.Gen9 and a variant of Win32/InstallCore.UN.

Did you also find a Dove Source (Fried Cooke Ltd.) file? What kind of download was it?

Thanks for reading.

Small Island Development – Detection Rate: 18% – Smallis / PullUpdate / TVWizard

Welcome! Another quick post on a publisher called Small Island Development. I noticed that many FreeFixer users are submitting files digitally signed by this publisher, so I thought I should write a few lines about them.

There seem to be many variants of the Small Islands files, and many of them seem to have a randomly generated filename. The file I’m currently looking at is detected by 10 of the scanners at VirusTotal. The majority of the scanners classify the file as adware. AVG reports NXtcFoMlakD.dll as Smallis.5E4, Baidu-International names it Adware.MSIL.PullUpdate.BK, Comodo names it ApplicUnwnt, Panda reports Adware/TVWizard and Symantec calls it Yontoo.C.

Did you also find a Small Island Development file? What kind of download was it?

Thanks for reading.

Acute Angle Solutions Ltd – 18% Detection Rate – PullUpdate / AcuteAngle / Injekt

Welcome! If you are a regular here on the FreeFixer blog you know that I’ve been looking at the certificates used to sign files that bundle various types of unwanted software. Today I found another certificate, while reviewing files submitted to the FreeFixer database, used by a publisher called Acute Angle Solutions Ltd.

You may see Acute Angle Solutions Ltd. appear as the publisher when checking the digital signature under the file’s properties.

It seems that the filename for this file is randomly generated: yzmHYl.dll.

Anyway, the reason I’m writing this blog post is that the Acute Angle Solutions Ltd. file is detected by many of the anti-malware scanners at VirusTotal. Antiy-AVL names yzmHYl.dll as Trojan/Win32.TSGeneric, AVG reports Acute.A40, Avira calls it Adware/PullUpdate.AQ, GData calls it Win32.Adware.AcuteAngle.B, Sophos classifies it as Pull Update and VIPRE detects it as Injekt (fs).

Did you also find an Acute Angle Solutions Ltd. download? What kind of download was it?

Thank you for reading.

Rational Thought Solutions – 18% Detection Rate – MSIL.Adware.PullUpdate

Found another publisher that appears to be signing adware related files while checking out the new files added to FreeFixer’s database. The publisher is called Rational Thought Solutions.

When I uploaded the Rational Thought Solutions file to VirusTotal, it came up with an 18% detection rate. The file is detected as Downloader.CBD by AVG, a variant of MSIL/Adware.PullUpdate.G.gen by ESET-NOD32, PUP.Optional.StormAlert.A by Malwarebytes, Artemis!707FECAF8B22 by McAfee and MSIL.Adware.PullUpdate by VIPRE.

From what I can tell from the Rational Thought Solutions files added to the FreeFixer database, the file names seem to be randomly generated. The files are located at C:\ProgramData\%random%\%random%.exe.
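Because the file names are random, the signer is the stable thing to look for. The sweep below is an added example, not code from the FreeFixer blog: it lists executables one folder below ProgramData whose signer matches a publisher named in the posts on this page. The function name `Find-WatchedSignedFile` is hypothetical, and matching the names against the certificate's common name exactly as the posts spell them is an assumption.

```powershell
# Added example (not from the original post). Publisher names are copied from
# the posts on this page; adjust the list to what your certificates show.
$WatchedPublishers = @(
    'Dove Source (Fried Cooke Ltd.)'
    'Small Island Development'
    'Acute Angle Solutions Ltd.'
    'Rational Thought Solutions'
    'Jambo Digital Ltd'
    'Dove Delivery (Fried Cookie Ltd.)'
    'CLICKCAPTION'
    'Swift Network (Fried Cookie Ltd.)'
    'Mathematical Applications'
)

function Find-WatchedSignedFile {
    param(
        [string]   $Root       = $env:ProgramData,
        [string[]] $Publishers = $WatchedPublishers
    )

    # Matches <Root>\<any folder>\<any name>.exe, the layout described above.
    Get-ChildItem -Path (Join-Path $Root '*\*.exe') -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            if (-not $sig.SignerCertificate) { return }   # unsigned: skip

            $cn = $sig.SignerCertificate.GetNameInfo(
                [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName,
                $false)

            if ($Publishers -contains $cn) {
                [pscustomobject]@{
                    Path            = $_.FullName
                    Publisher       = $cn
                    SignatureStatus = $sig.Status
                    CertValidFrom   = $sig.SignerCertificate.NotBefore
                    # Hash for looking the file up in a scanner service.
                    Sha256          = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

Find-WatchedSignedFile | Format-List
```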

Did you also stumble upon a download that was signed by Rational Thought Solutions? What kind of download was it and was it reported by the anti-virus scanners at VirusTotal? Please share by posting a comment below.

Thanks for reading.

Jambo Digital Ltd Signing CozaGhost.exe – 5% Detection Rate – PUP.Optional.Zoomify.A

Hi there! Just wanted to give you the heads up on a publisher called Jambo Digital Ltd before calling it a day. The actual file is called cozaghost.exe and I found it while reviewing some of the files recently added by users into the FreeFixer database.

The VirusTotal report shows that the Jambo Digital Ltd file should be avoided, since cozaghost.exe is detected as Generic.397 by AVG, PUP.Optional.Zoomify.A by Malwarebytes and Zoomify by Sophos. The detection rate is pretty low. Just 5%.

Did you also find a Jambo Digital Ltd download? Do you remember the download link? If so, please post it in the comments and I’ll check it out to see if the detection rate is improved.

Thanks for reading.

Dove Delivery (Fried Cookie Ltd.) – 11% Detection Rate – InstallCore

Hi there! Was looking for some downloads to play around with and found one, signed by Dove Delivery (Fried Cookie Ltd.). The file is named FlvPlayerSetup.exe.

You can look at the Dove Delivery (Fried Cookie Ltd.) certificate and digital signature by looking under the Digital Signatures tab on the file’s properties. According to the certificate, Dove Delivery (Fried Cookie Ltd.) is located in Tel Aviv in Israel.

So, why did I put up this blog post? Well, the thing is that the Dove Delivery (Fried Cookie Ltd.) file is detected by some of the anti-virus scanners, according to VirusTotal. Avira reports FlvPlayerSetup.exe as ADWARE/InstallCore.Gen, DrWeb reports Trojan.Packed.29923, ESET-NOD32 detects it as a variant of Win32/InstallCore.UQ and VIPRE reports InstallCore (fs).

Did you also find a Dove Delivery (Fried Cookie Ltd.) file? What kind of download was it? If you remember the download link, please post it in the comments below.

Hope this blog post helped you avoid some unwanted software on your machine.

Thank you for reading.

CLICKCAPTION – 33% Detection Rate – Vitruvian / InfoAtoms

Hi there! I was reviewing some of the files added to the FreeFixer database this morning. Found a publisher called CLICKCAPTION that you probably want to know about. The file I found is called ccsvc.exe and digitally signed by CLICKCAPTION.

AVG reports ccsvc.exe as Clickcaption.5CF, DrWeb classifies it as Adware.Popad.11, Jiangmin detects it as AdWare/Vitruvian.f, Kaspersky reports not-a-virus:AdWare.Win32.Vitruvian.b, Malwarebytes classifies it as PUP.Optional.ClickCaption.A and VIPRE reports InfoAtoms (fs).

Did you also find a CLICKCAPTION file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thank you for reading.

Swift Network (Fried Cookie Ltd.) – 23% Detection Rate – InstallCore

Welcome! If you are a regular here on the FreeFixer blog, you know that I’ve been examining files that have a digital signature and bundle various types of potentially unwanted software. Today I found another publisher named Swift Network (Fried Cookie Ltd.) while reviewing some of the recent files submitted to this web site.

You can see who the signer is when double-clicking on an executable file. Swift Network (Fried Cookie Ltd.) appears in the publisher field in the dialog that pops up. The certificate is issued by GlobalSign CodeSigning CA – G2.

13 of the 56 anti-malware scanners detected the file. The IDM2-Win-EN.exe file is detected as Application.Win32.FriedCookie.CIRK by Comodo, Trojan.InstallCore.44 by DrWeb, Artemis by McAfee-GW-Edition, WS.Reputation.1 by Symantec and InstallCore (fs) by VIPRE.

Did you also find a file digitally signed by Swift Network (Fried Cookie Ltd.)? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Thanks for reading.

Proinstall Applications SRL – 9% Detection Rate

Hi there! Just a note on a publisher called Proinstall Applications SRL. This is the publisher that digitally signs the downloads available from CNet’s Download.com site. The Proinstall Applications SRL download – KMPlayer_3.9.1.132.exe – was detected when I uploaded it to VirusTotal.

You can also see the Proinstall Applications SRL certificate by looking under the Digital Signature tab on the file’s properties. According to the certificate, Proinstall Applications SRL is located in Romania.

When I tested the installer, it bundled software from Spigot, which I could skip by clicking the Decline button.

The problem with the Proinstall Applications SRL file is that it is detected by some of the anti-malware programs. Here are some of the detection names: Generic.8BF, Adware.Downware.9446, Malware.QVM06.Gen and Spigot (fs).

Thanks for reading.

Remove CrimeWatch Adware

Hello there and welcome to the FreeFixer blog. I just found another bundled adware titled CrimeWatch and wanted to give you some removal instructions. If the CrimeWatch adware is installed and running on your machine, you will see CrimeWatchService.exe, digitally signed by “Mathematical Applications”, running in the Windows Task Manager. You will also see a new service installed, called CrimeWatch, and perhaps also a yellow pop-up allowing you to toggle CrimeWatch on and off. I’ll show how to remove CrimeWatch in this blog post with the FreeFixer removal tool.

CrimeWatch is bundled with a number of downloads. Bundling means that software is included in other software’s installers. Here’s one example how it appears in an installer for an unrelated program.

As always when I find some new bundled software, I uploaded it to VirusTotal to check if the anti-malware software there finds anything interesting. 15 of the 56 anti-malware scanners detected the file. The CrimeWatch files are detected as PUA.PullUpdate! by Agnitum, ApplicUnwnt by Comodo, Adware.Yontoo.55 by DrWeb, PUP.Optional.Crimewatch.A by Malwarebytes, Trj/Genetic.gen by Panda and HEUR/QVM30.1.Malware.Gen by Qihoo-360.

Since you probably want to remove CrimeWatch, these are the files you should check for removal if you want to remove it with FreeFixer. A restart of your machine may be required to complete the removal.

[Screenshots: CrimeWatchService.exe process; crimewatch.exe and crimewatch.dll files; CrimeWatch service]

Hope that helped you with the removal.

Did you also find CrimeWatch on your machine? Any idea how it installed? Please let me and the readers know by posting a comment. Thank you!

Hope you found this useful and thank you for reading.