Hello! If you’ve been following my recent posts here on the FreeFixer blog, you know that I’ve been looking at files that have a valid digital signature and bundle various types of potentially unwanted programs. A few days ago I found another publisher named LLC “HALKON PLYUS”.
If you have an LLC HALKON PLYUS file on your computer you may have noticed that LLC HALKON PLYUS pops up as the publisher in the User Account Control dialog when running the file. To get more details on the publisher, you can view the certificate by right-clicking on the file, and looking under the Digital Signatures tab. According to the embedded certificate we can see that LLC “HALKON PLYUS” is located in Ternopil, Ukraine and that the certificate is issued by COMODO RSA Code Signing CA.
The reason for posting about LLC “HALKON PLYUS” is that the file is detected by a few of the anti-virus programs. Avast classifies MediaPlayer__6741_i1484416138_il59937.exe as Win32:Malware-gen and Avira detects it as ADWARE/Adware.Gen4.
To see in more detail what changes the LLC “HALKON PLYUS” file would make on a user’s computer, I decided to run the file on my lab machine. The installer bundled some additional software such as Wajam, PriceLess, TabNav and AnySend.
Did you also find a download that was signed by LLC “HALKON PLYUS”? What kind of download was it, and was it detected by the anti-malware scanners at VirusTotal? Please share by posting a comment below.
Thanks for reading.
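The Digital Signatures check described in the post can also be scripted across a whole folder. The PowerShell below is an added example, not part of the original post: the scan folder, the file extensions and the function name `Get-SignerReport` are assumptions, while `Get-AuthenticodeSignature` is the built-in cmdlet.

```powershell
# Added example: inventory Authenticode signers in a folder and flag files whose
# signing certificate names a publisher of interest.
# $ScanPath and $PublisherPattern are assumptions; adjust them for your machine.
param(
    [string]$ScanPath = (Join-Path $env:USERPROFILE 'Downloads'),
    [string]$PublisherPattern = 'HALKON PLYUS'
)

function Get-SignerReport {
    param([string]$Path, [string]$Pattern)

    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.msi', '.dll' } |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $cert = $sig.SignerCertificate   # $null when the file is unsigned

            [pscustomobject]@{
                File       = $_.FullName
                # "Valid" only means the signature verifies and chains to a trusted
                # root. It says nothing about whether the program is wanted.
                Status     = $sig.Status
                Subject    = if ($cert) { $cert.Subject } else { $null }
                Issuer     = if ($cert) { $cert.Issuer } else { $null }
                Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
                Flagged    = [bool]($cert -and $cert.Subject -like "*$Pattern*")
            }
        }
}

$report = Get-SignerReport -Path $ScanPath -Pattern $PublisherPattern

# Overview: how many files each publisher signed (unsigned files group under a blank name).
$report | Group-Object Subject | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Detail for files signed by the publisher of interest.
$report | Where-Object Flagged |
    Format-List File, Status, Subject, Issuer, Thumbprint
```

Files listed in the second table are candidates for a multi-engine scan before anyone runs them.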
I went to download a media player for YTSmovies, a movies streaming site. It said HALKON PLYUS was the publisher. I Googled that name and this page came up. I’m thinking I’ll give it a miss… Thoughts?
hxxp://www.ytsmovies .com/2015/04/the-cobbler-2014.html
hxxp://www.smartmediafinder .com/3038/download.php?id=3038&name=emsisoft%20anti%20malware%20key
hxxp://www.smartmediafinder .com
Many .rar files but at the end there’s something like a Matrioska =) I found it, just take care of your “Mouse Clicks”.
dreamsceneseven__1598_i1508730975_il741180.exe I wanted to download some animated wallpapers and instead got this thing……
NintendoEmulator Downloader__3687_i1511078604_il725058
is it safe to have this on the computer or will it give me any problems?
Sounds like trouble to me. I would remove the file.
This “Halkon Plyus” also claims to have an art book offer to download. It is “Encyclopedia Of Painting”, a book that I have been searching for a legitimate PDF copy of. So art enthusiasts beware as well. Fortunately I saw this information before attempting to download, and possibly introducing this danger to our computers. We need to address the fact that, in addition to conducting other forms of aggression in southern Europe, Russia may also be interested in sabotaging western computer systems.
I recently came across an old YouStar system with everything but the software CD and I have been searching for the software hoping someone had posted it online as a download (and breaking a rule about downloading software for free that is normally sold since the company is out of business) and came across an ENTIRE SITE filled with items with the LLC Halkon Plyus digital certificate. I knew something was up with the site as there were no ads, only one “Download” button (rather than 7 or 8 with only one of them being for the software you’re looking for) and the file wasn’t even a megabyte. I scanned it with Malwarebytes and it detected PUP.Optional.Amonetize.
That made me right click and see who digitally signed it, which led me here. Then to be certain I downloaded, but didn’t install, a couple more files they offered and scanned them as well. Same results, same digital signature.
The scary part of this is the site looks legit, has legit graphics and is for free game downloads, which means kids everywhere will be downloading from this site and, if this is a virus, spreading it quickly through their parents’ computers.
The site is hxxp://chaplinco .com/OLD-SITE/
Hope this helps.
I downloaded a book from , or what appeared to be a book I was looking for, to find I inadvertently downloaded a .exe file with publisher name as HALKON PLYUS. Thanks for the warning.