Jambo Digital Ltd Signing CozaGhost.exe – 5% Detection Rate – PUP.Optional.Zoomify.A

Hi there! Just wanted to give you the heads up on a publisher called Jambo Digital Ltd before calling it a day. The actual file is called cozaghost.exe and I found it while reviewing some of the files recently added by users into the FreeFixer database.

The VirusTotal report shows that the Jambo Digital Ltd file should be avoided, since cozaghost.exe is detected as Generic.397 by AVG, PUP.Optional.Zoomify.A by Malwarebytes and Zoomify by Sophos. The detection rate is pretty low. Just 5%.

Did you also find a Jambo Digital Ltd download? Do you remember the download link? If so, please post it in the comments and I’ll check it out to see if the detection rate is improved.

Thanks for reading.

Dove Delivery (Fried Cookie Ltd.) – 11% Detection Rate – InstallCore

Hi there! Was looking for some downloads to play around with and found one, signed by Dove Delivery (Fried Cookie Ltd.). The file is named FlvPlayerSetup.exe.

You can look at the Dove Delivery (Fried Cookie Ltd.) certificate and digital signature by looking under the Digital Signatures tab in the file’s properties. According to the certificate, Dove Delivery (Fried Cookie Ltd.) is located in Tel Aviv in Israel.

So, why did I put up this blog post? Well, the thing is that the Dove Delivery (Fried Cookie Ltd.) file is detected by some of the anti-virus scanners, according to VirusTotal. Avira reports FlvPlayerSetup.exe as ADWARE/InstallCore.Gen, DrWeb reports Trojan.Packed.29923, ESET-NOD32 detects it as a variant of Win32/InstallCore.UQ and VIPRE reports InstallCore (fs).

Did you also find a Dove Delivery (Fried Cookie Ltd.) file? What kind of download was it? If you remember the download link, please post it in the comments below.

Hope this blog post helped you avoid some unwanted software on your machine.

Thank you for reading.

CLICKCAPTION – 33% Detection Rate – Vitruvian / InfoAtoms

Hi there! I was reviewing some of the files added to the FreeFixer database this morning. Found a publisher called CLICKCAPTION that you probably want to know about. The file I found is called ccsvc.exe and is digitally signed by CLICKCAPTION.

AVG reports ccsvc.exe as Clickcaption.5CF, DrWeb classifies it as Adware.Popad.11, Jiangmin detects it as AdWare/Vitruvian.f, Kaspersky reports not-a-virus:AdWare.Win32.Vitruvian.b, Malwarebytes classifies it as PUP.Optional.ClickCaption.A and VIPRE reports InfoAtoms (fs).

Did you also find a CLICKCAPTION file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thank you for reading.

Swift Network (Fried Cookie Ltd.) – 23% Detection Rate – InstallCore

Welcome! If you are a regular here on the FreeFixer blog, you know that I’ve been examining files that have a digital signature and bundle various types of potentially unwanted software. Today I found another publisher named Swift Network (Fried Cookie Ltd.) while reviewing some of the recent files submitted to this web site.

You can see who the signer is when double-clicking on an executable file. Swift Network (Fried Cookie Ltd.) appears in the publisher field in the dialog that pops up. The certificate is issued by GlobalSign CodeSigning CA – G2.
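The same signer and issuer fields can be read from PowerShell instead of the dialog. The script below is an added example, not part of the original posts: it lists signed files under a folder and flags the publisher names mentioned on this page. The scan folders are assumptions, as is the premise that each name appears in the certificate subject exactly as written in the posts.

```powershell
# Added example: report Authenticode signers and flag the publishers named in these posts.
# $ScanRoot and the match list are assumptions; adjust both for your environment.
param(
    [string[]]$ScanRoot = @("$env:USERPROFILE\Downloads", $env:TEMP)
)

# Publisher strings as written in the posts, matched against the certificate subject.
# 'Fried Cookie Ltd' covers the Dove Delivery, Swift Network and Alpha IS variants.
$Publishers = @(
    'Jambo Digital Ltd',
    'Fried Cookie Ltd',
    'CLICKCAPTION',
    'Proinstall Applications SRL',
    'Mathematical Applications',
    'Syndacato',
    'WebSize'
)
$Pattern = ($Publishers | ForEach-Object { [regex]::Escape($_) }) -join '|'

Get-ChildItem -Path $ScanRoot -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        if ($null -eq $sig.SignerCertificate) { return }   # unsigned file, nothing to match
        [pscustomobject]@{
            Path    = $_.FullName
            Status  = $sig.Status                      # Valid, NotTrusted, HashMismatch, ...
            Signer  = $sig.SignerCertificate.Subject   # CN plus locality and country, if present
            Issuer  = $sig.SignerCertificate.Issuer    # the issuing CA, as shown in the dialog
            Flagged = $sig.SignerCertificate.Subject -match $Pattern   # case-insensitive
        }
    } |
    Where-Object Flagged |
    Sort-Object Signer, Path |
    Format-List Path, Status, Signer, Issuer
```

A `Valid` status only means the signature verifies against a trusted chain; it says nothing about whether the software is wanted, which is why the signer name is worth checking on its own.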

13 of the 56 anti-malware scanners detected the file. The IDM2-Win-EN.exe file is detected as Application.Win32.FriedCookie.CIRK by Comodo, Trojan.InstallCore.44 by DrWeb, Artemis by McAfee-GW-Edition, WS.Reputation.1 by Symantec and InstallCore (fs) by VIPRE.

Did you also find a file digitally signed by Swift Network (Fried Cookie Ltd.)? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Thanks for reading.

Proinstall Applications SRL – 9% Detection Rate

Hi there! Just a note on a publisher called Proinstall Applications SRL. This is the publisher that digitally signs the downloads available from CNet’s Download.com site. The Proinstall Applications SRL download – KMPlayer_3.9.1.132.exe – was detected when I uploaded it to VirusTotal.

You can also see the Proinstall Applications SRL certificate by looking under the Digital Signature tab in the file’s properties. According to the certificate, Proinstall Applications SRL is located in Romania.

When I tested the installer, it bundled software from Spigot, which I could skip by clicking the Decline button.

The problem with the Proinstall Applications SRL file is that it is detected by some of the anti-malware programs. Here are some of the detection names: Generic.8BF, Adware.Downware.9446, Malware.QVM06.Gen and Spigot (fs).

Thanks for reading.

Remove CrimeWatch Adware

Hello there and welcome to the FreeFixer blog. I just found another bundled adware titled CrimeWatch and wanted to give you some removal instructions. If the CrimeWatch adware is installed and running on your machine, you will see CrimeWatchService.exe, digitally signed by “Mathematical Applications”, running in the Windows Task Manager. You will also see a new service installed, called CrimeWatch, and perhaps also a yellow pop-up allowing you to toggle CrimeWatch on and off. I’ll show how to remove CrimeWatch in this blog post with the FreeFixer removal tool.

CrimeWatch is bundled with a number of downloads. Bundling means that software is included in other software’s installers. Here’s one example of how it appears in an installer for an unrelated program.

[Screenshot: CrimeWatch installer]

As always when I find some new bundled software, I uploaded it to VirusTotal to check if the anti-malware software there finds anything interesting. 15 of the 56 anti-malware scanners detected the file. The CrimeWatch files are detected as PUA.PullUpdate! by Agnitum, ApplicUnwnt by Comodo, Adware.Yontoo.55 by DrWeb, PUP.Optional.Crimewatch.A by Malwarebytes, Trj/Genetic.gen by Panda and HEUR/QVM30.1.Malware.Gen by Qihoo-360.

Since you probably want to remove CrimeWatch, these are the files you should check for removal if you want to remove it with FreeFixer. A restart of your machine may be required to complete the removal.

[Screenshots: the CrimeWatchService.exe process, the crimewatch.exe and crimewatch.dll files, and the CrimeWatch service]

Hope that helped you with the removal.

Did you also find CrimeWatch on your machine? Any idea how it installed? Please let me and the readers know by posting a comment. Thank you!

Hope you found this useful and thank you for reading.

Syndacato – syesubc3_p2v3.exe – Comes with uTorrent

Did you find a file called syesubc3_p2v3.exe, digitally signed by Syndacato and wonder where it came from? I found this file in my Temp folder after installing uTorrent on my lab machine. Did you also recently install uTorrent, or did it come bundled with some other download in your case?

Update 2015-02-08: Now the file is called syesubc8_p2v3.exe.

What does the Syndacato file do? It appears it did nothing on my machine. It just terminated after I double-clicked it. SuperAntiSpyware detects the file, and Symantec tags it with their “Reputation” flag. The other 54 anti-virus programs did not detect it when I uploaded it to VirusTotal.

Remove WebSize Adware

Hello readers. I was reviewing some of the files added to the FreeFixer database, and found something called WebSize. WebSize is yet another variant of BrowseFox. The WebSize removal is pretty easy. Just select the files that are digitally signed by WebSize in FreeFixer and the problem will be gone.

So what does VirusTotal say about the file? 19 of the anti-malware scanners detected the file. The WebSize files are detected as PUA.BrowseFox! by Agnitum, Adware/BrowseFox.A.1227 by Avira, Tool.NetFilter.313 by DrWeb and AdWare.Win64.Yotoon by VBA32.

Hope that helped you to figure out how to do the removal.

Do you also have WebSize on your computer? Any idea how it was installed? Please share by posting a comment. Thank you!

Hope you found this useful and thank you for reading.

Remove Ace Race Ads – Adware Removal Instructions

Just wanted to put up a short blog post before going back to coding. Did something named Ace Race appear on your machine? This appears to be yet another variant of BrowseFox that I’ve previously blogged about. If the Ace Race adware is running on your computer, you will see a new add-on called Ace Race installed into Mozilla Firefox and Internet Explorer. I’ll show how to remove Ace Race in this blog post with the FreeFixer removal tool.

Ace Race is bundled with a number of downloads. Bundling means that software is included in other software’s installers. Here’s one example of how it appears in an installer for an unrelated program.

[Screenshot: Ace Race installer]

Generally, you can avoid bundled software such as Ace Race by being careful when installing software and declining the bundled offers in the installer.

As usual when I run into some new bundled software, I uploaded it to VirusTotal to see if the anti-malware scanners there detect anything fishy. 11 of the anti-malware scanners detected the file. The Ace Race files are detected as BrowseFox.F by AVG, W32/S-7bed2e86!Eldorado by F-Prot, Trojan ( 0040f9921 ) by K7GW, PUP.Optional.AceRace.A by Malwarebytes and AdWare.Kranet by VBA32.

If you would like to remove Ace Race you can do so with the freeware FreeFixer tool. Select the Ace Race files for removal in FreeFixer, click Fix, reboot your computer and the problem will be gone. Here are a few screenshots to point you in the right direction:

[Screenshots: Ace Race removal in Firefox; Ace Race in Internet Explorer]

Hope that helped you to figure out how to do the removal.

Did you also find Ace Race on your machine? Any idea how it installed? Please share in the comments below. Thank you!

Thanks for reading. Welcome back!

Alpha IS (Fried Cookie Ltd.) – 14% Detection Rate – InstallCore

Hi there! Just wanted to give you a heads-up on a suspicious file I found just now. The file is named installer_jdownloader_English.exe and is digitally signed by Alpha IS (Fried Cookie Ltd.).

According to the certificate, Alpha IS (Fried Cookie Ltd.) is located in Tel Aviv, Israel.

So, why did I put up this blog post? Well, the thing is that the Alpha IS (Fried Cookie Ltd.) file is detected by some of the anti-malware scanners, according to VirusTotal. Comodo reports installer_jdownloader_English.exe as Application.Win32.FriedCookie.CIRK, ESET-NOD32 detects it as a variant of Win32/InstallCore.UW, K7AntiVirus detects it as Trojan ( 004b25f41 ), K7GW calls it Trojan ( 004b25f41 ) and VIPRE detects it as InstallCore (fs).

Did you also find an Alpha IS (Fried Cookie Ltd.) file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thank you for reading.