Category Archives: Uncategorized

SAFE INSTALL SOFTWARE – 18% Detection Rate At VirusTotal

Hello readers! Lately I’ve been looking at the digital signatures on files that push various types of unwanted programs. This morning I found a new file called finaltorrent-setup.exe, digitally signed by SAFE INSTALL SOFTWARE.

SAFE INSTALL SOFTWARE publisher

This is how it looks when double-clicking on the file: SAFE INSTALL SOFTWARE appears as the publisher. Information about a digital signature and the certificate can also be found under the Digital Signatures tab. According to the certificate, SAFE INSTALL SOFTWARE is located in San Francisco in the US, and the certificate is issued by VeriSign Class 3 Code Signing 2010 CA.

SAFE INSTALL SOFTWARE certificate

These are the current VirusTotal detections for the file. DownloadAdmin (fs), Trojan.Win32.Atraps.b, Trojan.Graftor and DownloadAdmin (fs) are a few of the detection names for the finaltorrent-setup.exe file.

SAFE INSTALL SOFTWARE virus total report

Did you also find a file digitally signed by SAFE INSTALL SOFTWARE? What kind of download was it and where did you find it?

Thank you for reading.

Remove Pine Tree Ads – PineTree Adware Removal

Hi there. Did you just spot something called Pine Tree on your machine? If Pine Tree is installed on your machine, you’ll see ads labeled “Pine Tree Ads” appearing in Firefox and Internet Explorer. I’ll show how to remove PineTree in this blog post with the FreeFixer removal tool.

Pine Tree Ads

Pine Tree firefox

So, how did Pine Tree install on your machine? It was probably bundled with some download that you installed recently. Bundling means that software is included in other software’s installers. Here’s how it appeared in the installer:

pine tree installer

Generally, you can avoid bundled software such as Pine Tree by being careful when installing software and declining the bundled offers in the installer.

When I run into some new bundled software I always upload it to VirusTotal to check if the anti-virus scanners there detect anything. 24 of the 56 scanners detected the file. The Pine Tree files are detected as a variant of Win32/BrowseFox.AE potentially unwanted by ESET-NOD32, Gen:Variant.Adware.Mikey by F-Secure, PUP.Optional.PineTree.A by Malwarebytes and Trojan.Win32.Yontoo.dnkubo by NANO-Antivirus.

All you need to do to remove PineTree is to check the Pine Tree files in the scan result and click the Fix button. A reboot of your machine may be required to complete the removal. Here are a few screenshots that should help you along the way:

remove pinetree internet explorer

Hope that helped you to figure out how to do the removal.

I stumbled upon Pine Tree while testing out some downloads that are known to bundle lots of unwanted software. Any idea how PineTree was installed on your machine? Please share in the comments below. Thank you very much!

Thank you for reading and welcome back.

YURIY DRACHEV – VirusTotal Detects The Download as “MultiPlug”

Welcome! Just a quick post today. Did you just find a file signed by YURIY DRACHEV? Then read on.

YURIY DRACHEV publisher

Windows will display YURIY DRACHEV as the publisher when running the file. It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the YURIY DRACHEV certificate. According to the cert, Yuriy is located in Russia.

YURIY DRACHEV certificate

If you are considering running the YURIY DRACHEV signed file, I’d advise you not to. This is yet another variant of the unwanted MultiPlug software.

Thanks for reading.

VIKTOR AGRAPOVICH – 35% Detection – MPlug / MultiPlug

Hi there! Just a short post before I call it a day. I found yet another file that bundled a bunch of unwanted programs, and the file was signed by VIKTOR AGRAPOVICH.

VIKTOR AGRAPOVICH publisher

Typically you’d see the VIKTOR AGRAPOVICH publisher name appear when double-clicking on the file. It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the VIKTOR AGRAPOVICH certificate. Viktor seems to be located in Russia.

VIKTOR AGRAPOVICH cert

The scan result from VirusTotal below clearly shows why you should avoid the VIKTOR AGRAPOVICH file. It is detected under names such as Generic6.AYBD, Gen:Variant.Adware.Mplug, Trojan ( 0040fa761 ), PUP.Optional.MultiPlug and MultiPlug-FXN.

VIKTOR AGRAPOVICH virus total

Did you also find a VIKTOR AGRAPOVICH file?

Thank you for reading.

SERGEY STAROSTIN – 12% Detection Rate – MultiPlug

Hello readers! Did you just find a file that’s digitally signed by SERGEY STAROSTIN and came here to find out more about it?

SERGEY STAROSTIN publisher

You can see who the signer is when double-clicking on an executable file. SERGEY STAROSTIN appears in the publisher field in the dialog that pops up. The certificate is issued by Certum Code Signing CA. Sergey is located in Russia.

SERGEY STAROSTIN certificate

So, why am I writing about the SERGEY STAROSTIN file? Check out what the anti-malware scanners report about the file:

SERGEY STAROSTIN virus total

are a few of the detection names for Medal Of Honour PC Game Full version Free Download.exe.

Did you also find a SERGEY STAROSTIN file? Do you remember where you downloaded it?

Thank you for reading.

How To Reset Google Chrome’s Settings

Google Chrome allows you to reset the browser settings with a few clicks. Sometimes programs that you download and install can change your Chrome settings. In some cases, you can see new extensions and toolbars or a new search engine. Resetting your browser settings will undo the unwanted changes caused by installing other programs.

Your bookmarks and passwords will not be cleared when using the reset feature.

Follow these steps to reset the settings in Chrome:

  1. Click the Chrome menu button in the upper-right corner of Chrome.
  2. Select Settings.
  3. Click Show advanced settings and locate the “Reset browser settings” section.
  4. Click the Reset browser settings button.
  5. In the confirmation dialog that appears, review the changes the reset feature performs, then click Reset.

Thanks for reading. Did this solve the problem you were experiencing?

Dmitry Taranov – 32% Detection Rate at VirusTotal.com

Welcome! Just wanted to give you the heads up on a publisher called Dmitry Taranov located in Ukraine.

Dmitry Taranov publisher

Typically you’d see the Dmitry Taranov publisher name appear when double-clicking on the Medal Of Honour PC Game Full version Free Download.exe file. The certificate is issued by Certum Code Signing CA.

Dmitry Taranov certificate

So what’s the problem? Well, currently 32% of the anti-virus scanners over at VirusTotal detected the file. Some of the detection names for the Medal Of Honour PC Game Full version Free Download.exe file are Gen:Variant.Adware.Mplug, Trojan ( 0040fa761 ), not-a-virus:Downloader.Win32.Agent.dlzx and MultiPlug.

Dmitry Taranov anti-virus report

Did you also run into a file that was digitally signed by Dmitry Taranov? What kind of download was it and was it reported by the anti-malware scanners at VirusTotal? Please share by posting a comment.

Thanks for reading.

ocsp.digicert.com – Revocation Status Server For Digital Certificate

If you see connections to ocsp.digicert.com in your browser or in your network traffic logger, there’s no need to worry. ocsp.digicert.com is DigiCert’s OCSP (Online Certificate Status Protocol) server and is used to check the revocation status of DigiCert’s digital certificates.

Here’s a screenshot of the ocsp.digicert.com HTTP requests and responses:

ocsp.digicert.com

If you see Google Chrome, Mozilla Firefox or Internet Explorer connecting to ocsp.digicert.com, they are in the middle of verifying a digital certificate. Perhaps a certificate for an HTTPS connection you just made?
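An added example (not from the original post): under RFC 6960 an OCSP request travels either as an HTTP POST with Content-Type application/ocsp-request or as a GET whose path is the URL-encoded base64 of the DER request. The sketch below uses hypothetical function names and a constructed sample request to decode the GET form from a proxy log record and report which certificate serial number was being checked.

```python
import base64
from urllib.parse import quote, unquote
def tlv(tag, body):  # DER encoder, short-form length only (enough for the sample)
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, content, pos = read_tlv(body, pos)
        out.append((tag, content))
    return out

def ocsp_serials(der):
    """Hex serial numbers of the certificates an OCSPRequest asks about."""
    tag, req, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tbs = children(req)[0][1]
    # requestList is the plain SEQUENCE; version/requestorName use context tags.
    request_list = next(c for t, c in children(tbs) if t == 0x30)
    # Request -> CertID -> [hashAlgorithm, issuerNameHash, issuerKeyHash, serial]
    return [children(children(r)[0][1])[3][1].hex() for _, r in children(request_list)]

def classify(method, path, content_type=""):
    """Label one proxy-log record as an OCSP POST, an OCSP GET, or neither."""
    if method == "POST" and content_type == "application/ocsp-request":
        return "ocsp-post", []
    if method == "GET":
        try:
            der = base64.b64decode(unquote(path.lstrip("/")), validate=True)
            return "ocsp-get", ocsp_serials(der)
        except (ValueError, IndexError, StopIteration):
            pass
    return "not-ocsp", []

# Constructed sample (not captured traffic): SHA-1 CertID, serial 0x01020304.
alg = tlv(0x30, tlv(0x06, bytes.fromhex("2b0e03021a")) + tlv(0x05, b""))
cert_id = tlv(0x30, alg + tlv(0x04, bytes(20)) * 2 + tlv(0x02, bytes.fromhex("01020304")))
SAMPLE_DER = tlv(0x30, tlv(0x30, tlv(0x30, tlv(0x30, cert_id))))
SAMPLE_PATH = "/" + quote(base64.b64encode(SAMPLE_DER).decode(), safe="")
```

A GET to the OCSP host whose path does not decode to a well-formed request is labeled not-ocsp, which is the record worth a second look in a traffic log.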

Thanks for reading!

F11L Software Inc. – 19% Anti-Virus Detection – InstallBrain

Hello readers! I was looking for some downloads to play around with and found one, digitally signed by F11L Software Inc. The file is named setup.exe.

The following screenshot shows the User Account Control dialog when running the F11L Software Inc. file:

F11L Software Inc. publisher

By examining the certificate, we can see that F11L Software Inc. is located in Portland, US. The certificate is issued by Go Daddy Secure Certificate Authority – G2.

F11L Software Inc. certificate

When I uploaded the file to VirusTotal – as I usually do when I find something that looks suspicious – 19% of the scanners detected the file. The file is detected as InstallBrain.CF by AVG, Trojan.Win32.Qudamah.Gen.1 by Tencent and InstallBrain (fs) by VIPRE.

F11L Software Inc. anti-virus report

Did you also find an F11L Software Inc. file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thanks for reading.

How To Remove WebProtector

Hello guys and gals. Just a short post on a program named Web Protector. If you have Web Protector installed on your computer, you will notice a new service called LiveUpdateWPP.exe, new add-ons/toolbars added in Internet Explorer and Mozilla Firefox, and WebProtectorPlus.exe running in the Windows Task Manager.

WebProtectorPlus.exe task manager

I’ll show how to remove WebProtector in this blog post with the FreeFixer removal tool.

Web Protector is distributed by a method called bundling. Bundling means that a piece of software is included in other software’s installers. Here’s how it appeared in the installer:

web protector installer

As usual when I run into some new bundled software I uploaded it to VirusTotal to verify if the anti-malware scanners there detect anything suspicious. 6 of the 57 scanners detected the file. Some of the detection names for Web Protector are Adware.Win32.Similagro.B, ApplicUnwnt, PUP.Optional.WebProtector.A and WS.Reputation.1.

Removing Web Protector is straightforward with FreeFixer. Just check the Web Protector files as shown in the screen-caps below. You might have to restart your machine to complete the removal. Problem fixed.

LiveUpdateWPP.exe service remove WebProtector.dll toolbar Web Protector tasks Web Protector remove firefox

Hope this helped you remove Web Protector.

Did you also find Web Protector on your computer? Any idea how it installed? Please share by posting a comment. Thank you!

Hope you found this useful. Thanks for reading.