Monthly Archives: January 2015

Syndacato – syesubc3_p2v3.exe – Comes with uTorrent

Did you find a file called syesubc3_p2v3.exe, digitally signed by Syndacato, and wondered where it came from? I found this file in my Temp folder after installing uTorrent on my lab machine. Did you also recently install uTorrent, or did it come bundled with some other download in your case?

Update 2015-02-08: Now the file is called syesubc8_p2v3.exe.

[Screenshot: Syndacato certificate]

What does the Syndacato file do? On my machine it appeared to do nothing: it just terminated after I double-clicked it. SuperAntiSpyware detects the file, and Symantec tags it with their “Reputation” flag. The other 54 anti-virus programs did not detect it when I uploaded it to VirusTotal.

[Screenshot: VirusTotal results for syesubc3_p2v3.exe]

Remove WebSize Adware

Hello readers. I was reviewing some of the files added to the FreeFixer database and found something called WebSize. WebSize is yet another variant of BrowseFox. The WebSize removal is pretty easy: just select the files that are digitally signed by WebSize in FreeFixer and the problem will be gone.

So what does VirusTotal say about the file? 19 of the anti-malware scanners detected it. The WebSize files are detected as PUA.BrowseFox! by Agnitum, Adware/BrowseFox.A.1227 by Avira, Tool.NetFilter.313 by DrWeb and AdWare.Win64.Yotoon by VBA32.

[Screenshot: VirusTotal results for the WebSize file]

Hope that helped you to figure out how to do the removal.

Do you also have WebSize on your computer? Any idea how it was installed? Please share by posting a comment. Thank you!

Hope you found this useful and thank you for reading.

Remove Ace Race Ads – Adware Removal Instructions

Just wanted to put up a short blog post before going back to coding. Did something named Ace Race appear on your machine? This appears to be yet another variant of BrowseFox that I’ve previously blogged about. If the Ace Race adware is running on your computer, you will see a new add-on called Ace Race installed into Mozilla Firefox and Internet Explorer. I’ll show how to remove Ace Race in this blog post with the FreeFixer removal tool.

[Screenshot: Ace Race add-on in Firefox]

Ace Race is bundled with a number of downloads. Bundling means that the software is included in other software's installers. Here's one example of how it appears in an installer for an unrelated program.

[Screenshot: Ace Race offer in a third-party installer]

Generally, you can avoid bundled software such as Ace Race by being careful when installing software and declining the bundled offers in the installer.

As usual when I run into some new bundled software, I uploaded it to VirusTotal to see if the anti-malware scanners there detect anything fishy. 11 of the anti-malware scanners detected the file. The Ace Race files are detected as BrowseFox.F by AVG, W32/S-7bed2e86!Eldorado by F-Prot, Trojan ( 0040f9921 ) by K7GW, PUP.Optional.AceRace.A by Malwarebytes and AdWare.Kranet by VBA32.

[Screenshot: VirusTotal results for the Ace Race file]

If you would like to remove Ace Race you can do so with the freeware FreeFixer tool. Select the Ace Race files for removal in FreeFixer, click Fix, reboot your computer and the problem will be gone. Here are a few screenshots to point you in the right direction:

[Screenshots: Ace Race Firefox and Internet Explorer files selected for removal in FreeFixer]

Hope that helped you to figure out how to do the removal.

Did you also find Ace Race on your machine? Any idea how it installed? Please share in the comments below. Thank you!

Thanks for reading. Welcome back!

Alpha IS (Fried Cookie Ltd.) – 14% Detection Rate – InstallCore

Hi there! Just wanted to give you a heads-up on a suspicious file I just found. The file is named installer_jdownloader_English.exe and is digitally signed by Alpha IS (Fried Cookie Ltd.).

According to the certificate, Alpha IS (Fried Cookie Ltd.) is located in Tel Aviv, Israel.

[Screenshot: Alpha IS (Fried Cookie Ltd.) certificate]

So, why did I put up this blog post? Well, the thing is that the Alpha IS (Fried Cookie Ltd.) file is detected by some of the anti-malware scanners, according to VirusTotal. Comodo reports installer_jdownloader_English.exe as Application.Win32.FriedCookie.CIRK, ESET-NOD32 detects it as a variant of Win32/InstallCore.UW, K7AntiVirus detects it as Trojan ( 004b25f41 ), K7GW calls it Trojan ( 004b25f41 ) and VIPRE detects it as InstallCore (fs).

Did you also find an Alpha IS (Fried Cookie Ltd.) file? Do you remember the download link? Please post it in the comments below and I'll upload it to VirusTotal to see if that one is also detected.

Thank you for reading.

Install Source (Fried Cookie Ltd.) – 9% Detection Rate – InstallCore

Hello! I was playing around and testing some downloads when I found a file named chrome_setup.exe, signed by Install Source (Fried Cookie Ltd.).

If you have an Install Source (Fried Cookie Ltd.) file on your computer you may have noticed that Install Source (Fried Cookie Ltd.) pops up as the publisher in the User Account Control dialog when running the file. It is also possible to check a digital signature by looking at a file's properties, under the Digital Signatures tab.

The issue is that chrome_setup.exe is not an official Google Chrome download. If it were, it would be signed by Google Inc. Here's how the authentic Google Chrome installer looks when you double-click it. Notice that the “Verified publisher” says “Google Inc”.
[Screenshot: UAC dialog for the genuine Chrome installer, verified publisher Google Inc]

Of the 56 anti-virus scanners, 5 detected the file. AVG reports chrome_setup.exe as Generic.834, AVware detects it as InstallCore (fs), Comodo detects it as Application.Win32.FriedCookie.CIRK, ESET-NOD32 reports a variant of Win32/InstallCore.UT and VIPRE detects it as InstallCore (fs).

[Screenshot: VirusTotal results for chrome_setup.exe signed by Install Source (Fried Cookie Ltd.)]

Did you also find a file digitally signed by Install Source (Fried Cookie Ltd.)? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Thanks for reading.

TOV Doychkhof – 34% Detection Rate – Amonetize

Hello readers! I was playing around and testing some downloads when I found a file digitally signed by TOV Doychkhof.

[Screenshot: UAC dialog showing TOV Doychkhof as the verified publisher]

It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the TOV Doychkhof certificate.

[Screenshot: TOV Doychkhof certificate]

The issue is that FlashPlayer__6741_i1439870194_il674.exe is not an official Adobe Flash Player download. If it were, it would be digitally signed by Adobe Systems Incorporated. Here's how the authentic Adobe Flash Player installer looks when you double-click it. Notice that the “Verified publisher” says “Adobe Systems Incorporated”.
[Screenshot: UAC dialog for the genuine Adobe Flash Player installer, verified publisher Adobe Systems Incorporated]

When I uploaded the TOV Doychkhof file to VirusTotal, it came up with a 34% detection rate. The file is detected as Trojan.Amonetize.341 by DrWeb, Riskware/Amonetize by Fortinet, not-a-virus:AdWare.Win32.Amonetize.sfd by Kaspersky, Artemis by McAfee-GW-Edition and HEUR/QVM10.1.Malware.Gen by Qihoo-360.

[Screenshot: VirusTotal results for the TOV Doychkhof file]

Did you also find a file digitally signed by TOV Doychkhof? What kind of download was it and where did you find it?

Thanks for reading.

Remove Dynamo Combo Ads

Hello guys and gals. Today I wanted to talk about an adware called Dynamo Combo and give you some removal instructions. Dynamo Combo appears to be a variant of BrowseFox that I blogged about previously. If Dynamo Combo is installed and running on your machine, you will see a new add-on, called Dynamo Combo, installed into Firefox and Internet Explorer. I’ll show how to remove Dynamo Combo in this blog post with the FreeFixer removal tool.

So, how did Dynamo Combo install on your machine? It was probably bundled with some download that you installed recently. Bundling means that software is included in other software’s installers.

Generally, you can avoid bundled software such as Dynamo Combo by being careful when installing software and declining the bundled offers in the installer.

So, how about the Dynamo Combo removal? You can remove Dynamo Combo with the FreeFixer removal tool. Here are a few screenshots from the removal that should help you. A reboot of your computer might be required to complete the removal.

[Screenshots: Dynamo Combo files selected in FreeFixer; Dynamo Combo add-on in Internet Explorer]

Hope that helped you with the removal.

Did you also find Dynamo Combo on your system? Any idea how it was installed? Please share your story in the comments below. Thanks!

Thank you for reading.

Bully Unity LTD – Not The Real Mozilla Firefox Download

Did you find a “Mozilla Firefox” download signed by Bully Unity LTD? Just wanted to give you the heads-up that this is not the official Mozilla Firefox download. The real deal should be signed by Mozilla Corporation.

[Screenshot: genuine Firefox installer, verified publisher Mozilla Corporation]
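The check that the Chrome, Flash Player and Firefox posts above do by eye (is the “Verified publisher” the vendor you expect?) can be scripted. The PowerShell below is an added example written for this page, not code from the FreeFixer blog or the FreeFixer tool. The expected-publisher names come from the genuine-installer screenshots in those posts, the download path in the usage line is an assumption, and the script also prints the file's SHA256 so you can look it up on VirusTotal by hash instead of uploading it again.

```powershell
# Added example for this page; not code from the FreeFixer blog or tool.
# Verify that a downloaded installer is signed by the publisher you expect
# and print its SHA256 so it can be looked up on VirusTotal by hash.
# The publisher names below are taken from the genuine-installer screenshots
# in the posts; treat the table as an assumption and extend it as needed.

$ExpectedPublishers = @{
    chrome  = 'Google Inc'
    flash   = 'Adobe Systems Incorporated'
    firefox = 'Mozilla Corporation'
}

function Test-DownloadSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [ValidateSet('chrome', 'flash', 'firefox')] [string] $Product
    )

    $expected = $ExpectedPublishers[$Product]
    $hash     = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $sig      = Get-AuthenticodeSignature -LiteralPath $Path

    # Subject CN of the signing certificate: the name UAC shows as "Verified publisher".
    # GetNameInfo(SimpleName) copes with quoted DN components, unlike splitting on commas.
    $signer = if ($sig.SignerCertificate) {
        $sig.SignerCertificate.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    } else {
        '<unsigned>'
    }

    # Status is Valid only if the embedded hash matches the file and the chain is trusted.
    # A bundler's own certificate can be Valid too, so the name comparison is what catches
    # a chrome_setup.exe signed by someone other than Google.
    $ok      = ($sig.Status -eq 'Valid') -and ($signer -ceq $expected)
    $verdict = if ($ok) { 'OK' } else { 'MISMATCH - do not run' }

    [pscustomobject]@{
        File     = $Path
        SHA256   = $hash
        Status   = "$($sig.Status)"   # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer   = $signer
        Expected = $expected
        Verdict  = $verdict
    }
}

# Usage (the path is an assumption):
Test-DownloadSignature -Path "$env:USERPROFILE\Downloads\chrome_setup.exe" -Product chrome
```

Two things to keep in mind when reading the output. First, a Status of Valid does not mean the file is safe: the Install Source and TOV Doychkhof files in these posts carry signatures that validated well enough for UAC to show them as the publisher, which is exactly why the signer name is compared against the vendor you expect. Second, NotSigned means there is no Authenticode signature at all, HashMismatch means the file was modified after signing, and UnknownError most often means the certificate chains to a root this machine does not trust.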

I uploaded the file to VirusTotal, but it was not detected by any of the anti-virus scanners. Did you also find a Bully Unity LTD file? Was it detected by the anti-virus programs?

[Screenshot: Bully Unity LTD certificate]

Thank you for reading.

Edward Kosar – 39% Detection Rate – Adware.MultiPlug

Welcome! Just a quick post on a publisher called Edward Kosar that I found while running some tests for the upcoming FreeFixer release. The suspicious file is named “How I Met Your Mother S09E22 HDTV x264-KILLERS[ettv].exe”.

[Screenshot: UAC dialog showing Edward Kosar as the verified publisher]

The certificate is issued by Certum Code Signing CA. According to the cert, Edward Kosar is located in Ukraine.

[Screenshot: Edward Kosar certificate]

So, why did I put up this blog post? Well, the thing is that the Edward Kosar file is detected by many of the scanners, according to VirusTotal. F-Prot classifies How I Met Your Mother S09E22 HDTV x264-KILLERS[ettv].exe as W32/S-e70371e2!Eldorado, Kaspersky reports not-a-virus:AdWare.Win32.MultiPlug.oaqy, McAfee detects it as MultiPlug-FTW, Panda classifies it as Trj/Genetic.gen and VBA32 reports suspected of Heur.Malware-Cryptor.Multiplug.

[Screenshot: VirusTotal results for the Edward Kosar file]

Did you also run into a file that was digitally signed by Edward Kosar? What kind of download was it, and was it detected by the anti-virus scanners at VirusTotal? Please share by posting a comment below.

Thank you for reading.

Remove Video Dimmer Adware

Hello readers. Hope you are doing ok. Just a quick post on the Video Dimmer adware. It appears that Video Dimmer has been around for some time, but now I've noticed it bundled with several downloads. If Video Dimmer is installed on your machine, you'll find a new service installed and videodimmerservice.exe running in the Windows Task Manager.
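To find a service like this one without scrolling through Task Manager, the PowerShell below lists every installed service whose binary is unsigned, fails signature validation, or is signed by a publisher outside a small allow-list. It is an added example written for this page, not code from the FreeFixer blog or the FreeFixer tool; the allow-list is an assumption, and on a real machine the output is a triage list rather than a verdict, since plenty of legitimate third-party services ship unsigned.

```powershell
# Added example for this page; not code from the FreeFixer blog or tool.
# List installed services whose binary is unsigned, fails signature validation,
# or is signed by a publisher outside the allow-list. Run from an elevated prompt.
# The allow-list is an assumption; add vendors legitimately present on your machine.
# Requires PowerShell 3.0+ (Get-CimInstance, -notin).

$TrustedPublishers = @('Microsoft Windows', 'Microsoft Corporation')

function Get-UntrustedServices {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc = $_

        # PathName is the raw service command line: a quoted or unquoted path,
        # possibly followed by arguments, e.g. "C:\...\videodimmerservice.exe" -svc
        $exe = $svc.PathName
        if ($exe -match '^"([^"]+)"')       { $exe = $Matches[1] }
        elseif ($exe -match '^(.+?\.exe)')  { $exe = $Matches[1] }

        if (-not $exe -or -not (Test-Path -LiteralPath $exe -PathType Leaf)) {
            # Service points at a missing binary: worth a look on its own.
            return [pscustomobject]@{
                Service = $svc.Name; State = $svc.State; Binary = $svc.PathName
                Status  = 'PathNotFound'; Signer = $null
            }
        }

        $sig    = Get-AuthenticodeSignature -LiteralPath $exe
        $signer = if ($sig.SignerCertificate) {
            $sig.SignerCertificate.GetNameInfo(
                [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        } else {
            $null
        }

        # Catalog-signed Windows binaries validate as "Microsoft Windows" on Windows 8+
        # and drop out here; anything else is reported for triage.
        if ($sig.Status -ne 'Valid' -or $signer -notin $TrustedPublishers) {
            [pscustomobject]@{
                Service = $svc.Name; State = $svc.State; Binary = $exe
                Status  = "$($sig.Status)"; Signer = $signer
            }
        }
    }
}

Get-UntrustedServices | Sort-Object Status, Signer | Format-Table -AutoSize
```

Read the Signer column together with the Binary path: a Valid signature from a name you do not recognise, sitting under a user profile or Program Files directory you did not install anything into, is the pattern the adware posts on this page describe, and the file is then a candidate for a VirusTotal hash lookup.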

I’ll show how to remove Video Dimmer in this blog post with the FreeFixer removal tool.

So, how did Video Dimmer install on your machine? It was probably bundled with some download that you installed recently. Bundling means that software is included in other software’s installers. Here’s how it appeared in the installer:

[Screenshot: Video Dimmer offer in the installer]

When I find some new bundled software I always upload it to VirusTotal to check if the anti-malware programs there find something. Of the 56 anti-virus scanners, 10 detected the file. AVG detects Video Dimmer as Downloader.CBD, Avira detects it as Adware/PullUpdate.AP, Comodo names it ApplicUnwnt, Malwarebytes names it PUP.Optional.VideoDimmer.A and Qihoo-360 reports HEUR/QVM03.0.Malware.Gen.

All you need to do to remove Video Dimmer is to check the Video Dimmer files in the scan result, as shown in the screenshots below, and click the Fix button. A reboot of your computer may be required to complete the removal.

[Screenshots: the videodimmerservice.exe service and the Video Dimmer process selected in FreeFixer]

Hope this helped you solve the Video Dimmer problem.

I stumbled upon Video Dimmer while testing out some downloads that are known to bundle lots of unwanted software. Any idea how Video Dimmer was installed on your computer? Please share your story in the comments below. Thank you very much!

Thanks for reading!