Hello! Just a short post before I call it a day. I found yet another file that bundled a bunch of unwanted programs, and the file was signed by Trend Interactive.
It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the Trend Interactive certificate.
VeriSign has issued the certificate:
When I uploaded the Trend Interactive file to VirusTotal, it came up with a 19% detection rate. The file is detected as PUA/DownloadAdmin.Gen7 by Avira, Gen:Variant.Application.Jaik.8223 by BitDefender and Adware ( 004c86ce1 ) by K7GW.
Did you also find a file digitally signed by Trend Interactive? What kind of download was it and where did you find it?
Hope this blog post helped you avoid some unwanted software on your machine.
Hi there! Just a note on a publisher called Vladimir Suvorov. The Vladimir Suvorov download – Download Uc Browser V Handler Zip.exe – was detected when I uploaded it to VirusTotal. Did you also find a download by Vladimir Suvorov? Was it also detected when you uploaded it to VirusTotal?
Here’s how Vladimir Suvorov appears in the UAC dialog when double-clicking on the Download Uc Browser V Handler Zip.exe file:
The certificate is issued by Certum Code Signing CA and Mr. Suvorov is located in Poland:
The problem with the Vladimir Suvorov file is that it is detected by many of the anti-viruses. Here are some of the detection names: Generic6.BRAN, W32/S-a2e0b166!Eldorado, Gen:Variant.Adware.MPlug, SoftwareBundler:Win32/InstalleRex and MultiPlug (v).
Did you just get a pop-up from easydriverpro.com and ask yourself where it came from? Did the easydriverpro.com ad appear to have been initiated from a web site that under normal circumstances doesn’t use advertising such as pop-up windows? Or did the easydriverpro.com pop-up show up while you clicked a link on one of the major search engines, such as Google, Bing or Yahoo?
Here’s a screenshot of the easydriverpro.com pop-up ad when it showed up on my machine:
If this sounds like your experience, you almost certainly have some adware installed on your computer that pops up the easydriverpro.com ads. There’s no use contacting the owners of the site you were browsing. The ads are not coming from them. I’ll do my best to help you with the easydriverpro.com removal in this blog post.
For those that are new to the blog: Some time ago I dedicated some of my lab systems and knowingly installed a few adware programs on them. Since then I’ve been following the actions on these computers to see what kinds of advertisements are displayed. I’m also looking at other interesting things such as if the adware auto-updates, or if it downloads additional unwanted software on the computers. I first noticed the easydriverpro.com pop-up on one of these lab machines.
easydriverpro.com resolves to 107.22.218.171.
So, how do you remove the easydriverpro.com pop-up ads? On the machine where I got the easydriverpro.com ads I had CPUMiner, PineTree and GamesDesktop installed. I removed them with FreeFixer and that stopped the easydriverpro.com pop-ups and all the other ads I was getting in Mozilla Firefox.
The issue with pop-ups like this one is that they can be popped up by many variants of adware. This makes it impossible to say exactly what you need to remove to stop the pop-ups.
Anyway, here’s my suggestion for the easydriverpro.com ads removal:
What software do you have installed if you look in the Add/Remove programs dialog in the Windows Control Panel? Something that you don’t remember installing yourself or that was recently installed?
How about the add-ons you installed in your browsers? Is there anything in the list that you don’t remember installing?
If that didn’t solve the problem, I’d recommend a scan with FreeFixer to manually track down the adware. FreeFixer is a freeware tool that I’m working on that scans your computer at lots of locations, such as browser add-ons, processes, Windows services, recently modified files, etc. If you want to get additional details about a file in the scan result, you can click the More Info link for that file and a web page will open up with a VirusTotal report which will be very useful to determine if the file is safe or malware:
Here’s a video guide showing how to remove pop-up ads with FreeFixer:
Did this blog post help you to remove the easydriverpro.com pop-up ads? Please let me know, or tell me how I can improve this blog post.
Are you getting redirected from Google’s search engine to Yahoo search? If you are, you probably have potentially unwanted software installed on your machine.
In my case, I had four potentially unwanted programs installed. They were called WNet, CashReminder, ActSys and PlainSavings. I removed them with FreeFixer and that stopped the browser from hijacking my Google searches. I don’t know which one of them sent me to Yahoo instead of Google.
The issue with these redirects is that they can also be done by other potentially unwanted programs. This makes it impossible to say exactly what you need to remove to stop the unwanted redirects.
Anyway, here’s my suggestion for the removal:
Examine what programs you have installed in the Add/Remove programs dialog in the Windows Control Panel. Do you see anything that you don’t remember installing or that was recently installed?
You can also examine the browser add-ons. Same thing here, do you see something that you don’t remember installing?
If that didn’t solve the problem, I’d recommend a scan with FreeFixer to manually track down the potentially unwanted program. FreeFixer is a freeware tool that I’m working on that scans your computer at lots of locations, such as browser add-ons, processes, Windows services, recently modified files, etc. If you want to get additional details about a file in the scan result, you can click the More Info link for that file and a web page will open up with a VirusTotal report which will be very useful to determine if the file is safe or malware:
Did you find any potentially unwanted program on your machine? Did that stop Google from redirecting to Yahoo? Please post the name of the potentially unwanted program you uninstalled from your machine in the comments below.
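The first step of both removal suggestions above (the easydriverpro.com pop-ups and the Google-to-Yahoo redirect) is to look for programs you don’t remember installing or that were installed recently. The following is an added example, not part of the original posts and not FreeFixer output, that reads the same registry data the Add/Remove Programs dialog uses and sorts it by install date. The 30-day window and the name-matching hint are assumptions made for the example.

```powershell
# Added example. Reads the registry locations behind the Add/Remove Programs
# dialog and lists recent installs, newest first.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
# Program names the posts above mention removing; a substring hit is a hint, not a verdict.
$namedInPosts = 'CPUMiner', 'PineTree', 'GamesDesktop', 'WNet',
                'CashReminder', 'ActSys', 'PlainSavings'

function Get-RecentInstall {
    param([int]$Days = 30)   # look-back window; 30 days is an assumed default
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            # InstallDate is optional and, when present, a yyyyMMdd string.
            $parsed  = [datetime]::MinValue
            $hasDate = [datetime]::TryParseExact([string]$_.InstallDate, 'yyyyMMdd',
                [cultureinfo]::InvariantCulture,
                [System.Globalization.DateTimeStyles]::None, [ref]$parsed)
            $name      = $_.DisplayName
            $installed = $null
            if ($hasDate) { $installed = $parsed }
            [pscustomobject]@{
                Installed    = $installed
                Name         = $name
                Publisher    = $_.Publisher
                NamedInPosts = [bool]($namedInPosts | Where-Object { $name -like "*$_*" })
                Uninstall    = $_.UninstallString
            }
        } |
        # Keep entries inside the window, plus those with no date at all,
        # since an installer that omits InstallDate would otherwise be hidden.
        Where-Object { -not $_.Installed -or $_.Installed -ge $cutoff } |
        Sort-Object Installed -Descending
}

Get-RecentInstall -Days 30 | Format-Table -AutoSize
```

Browser add-ons are stored per browser and are not covered by this listing; check them in each browser’s own add-on manager.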
Hi there! If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. Today I found another publisher called Taras Lapin.
If you have a Taras Lapin file on your machine you may have noticed that Taras Lapin is displayed as the publisher in the UAC dialog when double-clicking on the file.
The certificate is issued by Certum Code Signing CA.
9 of the scanners detected the file. Some of the detection names for the Download Uc Browser V Handler Zip.exe file are Trojan.Crossrider1.45643, PUA.Multiplug, Multiplug-FAJ and MultiPlug (v).
Did you also find a Taras Lapin file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.
Hello readers! Did you just find a file that’s digitally signed by MICHAIL SUDAREV and came here to find more about it?
Windows will display MICHAIL SUDAREV as the publisher when running the file. The certificate is issued by Certum Code Signing CA.
The cert mentions SPD CGISOFT ltd. Certum Trusted Network CA is the root in the certificate chain:
So, what do the anti-virus programs say about the MICHAIL SUDAREV file? No problem, I just uploaded the file to VirusTotal and it turned out that some of the anti-virus programs detect the MICHAIL SUDAREV file, with names such as Win32:Evo-gen [Susp], TR/Crypt.XPACK.Gen, SoftwareBundler:Win32/InstalleRex and MultiPlug (v).
Did you also find a MICHAIL SUDAREV download? What kind of download was it?
Hope this blog post helped you avoid some unwanted software on your machine.
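The publisher shown in the UAC dialog, the issuing CA and the root of the certificate chain described in the posts above can also be read from PowerShell. This is an added example, not part of the original posts; the file path is a placeholder for the download you want to inspect.

```powershell
# Added example: show who signed a file and which CA chain stands behind the signer.
function Get-SignerReport {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate
    if (-not $cert) {
        # Unsigned file: there is no publisher for Windows to display.
        return [pscustomobject]@{ File = $Path; Status = $sig.Status; Publisher = $null }
    }

    # Build the chain locally, skipping online revocation checks so this also runs offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($cert)
    # Chain elements are ordered from the signer's certificate up to the top of the chain.
    $certs = @($chain.ChainElements | ForEach-Object { $_.Certificate })

    [pscustomobject]@{
        File       = $Path
        Status     = $sig.Status                          # Valid, NotSigned, HashMismatch, ...
        Publisher  = $cert.GetNameInfo('SimpleName', $false)
        Subject    = $cert.Subject                        # full name, including any location fields
        Issuer     = $cert.GetNameInfo('SimpleName', $true)
        ChainTop   = $certs[-1].GetNameInfo('SimpleName', $false)
        ValidFrom  = $cert.NotBefore
        ValidTo    = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
    }
}

# '.\Download.exe' is a placeholder path.
Get-SignerReport -Path '.\Download.exe' | Format-List
```

A Status of Valid only means the signature verifies and chains to a trusted root; the signed files in these posts were still flagged by scanners on VirusTotal.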
Hello there and welcome to the FreeFixer blog. Today I wanted to talk about a bundled program called Malware Protection Live. If you have Malware Protection Live software installed on your machine, you will notice Malware Protection Live in the Remove programs list and MalwareProtectionClient.exe running in the Windows Task Manager:
Malware Protection Live is configured to run on startup. This is done by adding MalwareProtectionClient.exe as a startup in the Windows Registry:
So, how did Malware Protection Live install on your machine? Unless you downloaded it directly from their web site, it was probably bundled with some other download that you installed recently. Bundling means that software is included in other software’s installers. When I first found Malware Protection Live, it was bundled with CNET’s Download.com installer. Here’s how it appeared in the CNET’s Download.com installer where I found it:
According to the embedded certificate, Malware Protection Live is located in Florida, US:
So, what do the anti-virus programs over at VirusTotal say about the bundled MalwareProtectionClient.exe file? Detection rate is 0%, so hopefully the software is safe.
What do you think?
I’ll rescan it in a few days to see if the detection ratio remains the same. Please check below for updates.
Did you also find Malware Protection Live on your machine? Any idea how it was installed? Was it also bundled in a download from Download.com? Please share your story in the comments below. Thanks a bunch!
Thanks for reading. Welcome back!
Update Oct 11 2015: I checked out the MalwareProtectionClient.exe download again, and now it is detected by a few of the scanners over at VirusTotal. The detection ratio is 4/56:
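The post above says MalwareProtectionClient.exe is added as a startup entry in the Windows Registry but does not name the key. The following added example, which is not part of the original post, assumes the standard Run and RunOnce keys, lists every entry with the publisher of the executable it launches, and filters for that file name.

```powershell
# Added example. Assumption: the startup entry lives in one of the usual Run/RunOnce keys.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-StartupEntry {
    foreach ($key in $runKeys) {
        $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }          # key absent on this machine
        foreach ($name in $item.GetValueNames()) {
            $command = [string]$item.GetValue($name)
            # Extract the executable: a quoted path first, else everything up to
            # the first ".exe", else the first whitespace-delimited token.
            if     ($command -match '^\s*"([^"]+)"')     { $exe = $Matches[1] }
            elseif ($command -match '^\s*(.+?\.exe)\b')  { $exe = $Matches[1] }
            else   { $exe = ($command.Trim() -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)

            $publisher = $null
            $status    = 'NotResolved'        # bare names such as rundll32.exe end up here
            if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
                $sig    = Get-AuthenticodeSignature -LiteralPath $exe
                $status = $sig.Status
                if ($sig.SignerCertificate) {
                    $publisher = $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
                }
            }
            [pscustomobject]@{
                Key = $key; Name = $name; Command = $command
                Executable = $exe; Publisher = $publisher; Signature = $status
            }
        }
    }
}

# All startup entries, then only the one the post describes.
Get-StartupEntry | Format-Table Name, Executable, Publisher, Signature -AutoSize
Get-StartupEntry | Where-Object { $_.Executable -like '*MalwareProtectionClient.exe' }
```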
Hello readers! Just a short note on a publisher called Simon Leshchuk.
It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the Simon Leshchuk certificate. Simon is located in Ukraine.
The Certum CA has issued the certificate to Mr. Leshchuk as you can see in the certification path below:
The reason for posting about Simon Leshchuk is that the file is detected by many of the anti-virus programs. Arcabit detects Download.exe as Trojan.Adware.MPlug.65, Avira detects it as TR/Crypt.XPACK.Gen, F-Secure calls it Gen:Variant.Adware.MPlug, K7AntiVirus calls it Unwanted-Program ( 004c5f5e1 ) and Malwarebytes detects it as PUP.Optional.Multiplug.
Did you also find a Simon Leshchuk file? What kind of download was it? If you remember the download link, please post it in the comments below.
Welcome! Just wanted to give you the heads up on files digitally signed by Roman Ershov.
The certificate is issued by Certum Code Signing CA. Mr Ershov appears to be located in Russia.
The reason I’m writing this blog post is that the Roman Ershov file is detected by many of the anti-malware programs at VirusTotal. Avast classifies Download.exe as Win32:FakeDownload-G [PUP], Avira names it TR/Crypt.XPACK.Gen, Microsoft classifies it as SoftwareBundler:Win32/InstalleRex and VIPRE classifies it as MultiPlug (v).
Did you also find a Roman Ershov file? What kind of download was it?
Hello! Just wanted to give you the heads up on files digitally signed by Ostap Hohlov.
It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the Ostap Hohlov certificate.
The problem with the Ostap Hohlov file is that it is detected by many of the anti-malware programs. Here are some of the detection names: Win32:FakeDownload-G [PUP], Gen:Variant.Adware.MPlug.62, PUP.Optional.MultiPlug, SoftwareBundler:Win32/InstalleRex and MultiPlug (v).
Did you also run into a download that was digitally signed by Ostap Hohlov? What kind of download was it and was it detected by the anti-malwares at VirusTotal? Please share by posting a comment.