Sanflex – 33% Detection Rate – WebInstallBundle, DownloadAdmin and Artemis

Hello! Just a quick post on a file named installer_adobe_flash_player_Swedish.exe signed by Sanflex. The following screenshot shows the User Account Control dialog when running the Sanflex file:

Sanflex publisher

By looking at the certificate we can see that Sanflex appears to be located in San Francisco, United States of America.

Sanflex certificate

The problem here is that if installer_adobe_flash_player_Swedish.exe really was a setup file for the official Adobe Flash Player, it would be digitally signed by Adobe Systems Incorporated and not by some unknown company. This looks very suspicious.

If you are considering running the Sanflex-signed file, I'd advise you not to. Delete it instead. Just check out the detection list from some of the anti-virus programs. Big thanks to VirusTotal for the scan result.

Sanflex virustotal

F-Secure detects installer_adobe_flash_player_Swedish.exe as Adware:W32/WebInstallBundle, Fortinet reports Riskware/DownloadAdmin, Malwarebytes classifies it as PUP.Optional.DownloadAdmin and McAfee detects it as Artemis.

Did you also find a Sanflex file? What kind of download was it?

Thanks for reading.

SVAN TRANS LLC – 25% Detection Rate

Hi there! Just wanted to give you the heads-up on a suspicious file I found right now before having my lunch. The file is named FlashPlayer__6741_i1404957756_il13.exe and is digitally signed by SVAN TRANS LLC.

SVAN TRANS LLC publisher

You can also see the SVAN TRANS LLC certificate by looking under the Digital Signature tab on the file’s properties. According to the certificate, SVAN TRANS LLC is located in Kiev, Ukraine.

SVAN TRANS LLC certificate

The issue is that FlashPlayer__6741_i1404957756_il13.exe is not an official Flash Player download. If it was, it would be digitally signed by Adobe Systems Incorporated, and not by some unknown company from Ukraine.
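The check the Sanflex and SVAN TRANS LLC posts make by hand (does the Authenticode signer match the vendor the file name implies, and where does the certificate say the signer is?) can be scripted. This is an added example, not code from the blog or from FreeFixer; the expected publisher string is an assumption you supply, and the subject-DN parsing only handles the usual O/L/S/C attributes.

```powershell
# Added example, not from the blog: compare an installer's Authenticode signer
# with the publisher its file name implies, and record the hash for a VirusTotal lookup.
function Test-InstallerSigner {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Publisher the file name implies, e.g. 'Adobe Systems Incorporated' (assumed value)
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        File     = Split-Path -Leaf $Path
        Status   = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer   = $null
        Location = $null
        SHA256   = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        Verdict  = $null
    }

    if (-not $sig.SignerCertificate) {
        $result.Verdict = 'Unsigned: treat as untrusted'
        return [pscustomobject]$result
    }

    # Split the subject DN into RDNs: O = organisation, L = locality, S = state, C = country.
    $parts = @{}
    foreach ($rdn in ($sig.SignerCertificate.Subject -split ',\s*(?=[A-Z]+=)')) {
        $k, $v = $rdn -split '=', 2
        if ($v) { $parts[$k.Trim()] = $v.Trim('"') }
    }
    $result.Signer   = $parts['O']
    $result.Location = (@($parts['L'], $parts['S'], $parts['C']) | Where-Object { $_ }) -join ', '

    if ($sig.Status -ne 'Valid') {
        $result.Verdict = "Signature status $($sig.Status): do not run"
    } elseif ($result.Signer -ne $ExpectedPublisher) {
        # The case in the posts: a valid signature, but from an unknown company, not the vendor.
        $result.Verdict = "Valid signature, but signer '$($result.Signer)' is not '$ExpectedPublisher'"
    } else {
        $result.Verdict = 'Signer matches the expected publisher'
    }
    [pscustomobject]$result
}

# Usage (file name from the first post; the expected publisher is the one Adobe would sign with):
Test-InstallerSigner -Path .\installer_adobe_flash_player_Swedish.exe -ExpectedPublisher 'Adobe Systems Incorporated'
```

The SHA256 in the output can be looked up on VirusTotal instead of uploading the file, which is the same scan-report step the posts rely on.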

25% of the scanners detected the file. The FlashPlayer__6741_i1404957756_il13.exe file is detected as PUA.Amonetize! by Agnitum, Gen:Variant.Application.Jaik by F-Secure and PUP.Optional.Amonetize by Malwarebytes. Thanks to VirusTotal for the scan report.

svan trans llc virustotal

Since some of the anti-virus programs detected the SVAN TRANS LLC file, I got curious and decided to test it to see what it installed. After stepping through the installer, Salus Net Protector, RocketTab and My Start Search were disclosed.

SVAN TRANS Salus

SVAN TRANS RocketTab

Did you also find an SVAN TRANS LLC file? Do you remember the download link? Please post it in the comments below and I'll upload it to VirusTotal to see if that one is also detected.

Thanks for reading.

Skype Packages – Not part of Skype

If you see something called Skype Packages on your machine and wonder what it is, I just want to let you know that it's not part of the official Skype download. It was installed by an unofficial Skype download that was signed by Astro Delivery.

I think you should remove Skype Packages.

Skype Packages


I'd also recommend a scan with FreeFixer to check whether you have other types of unwanted programs running on your machine.

Remove Vosteran.com and Vosteran.exe

Hello hello. I found another start page modifier named Vosteran just now. If you have Vosteran on your computer, you will see the start pages in Chrome, Firefox and Internet Explorer changed to Vosteran.com, and lots of Vosteran.exe processes running in the Windows Task Manager; Vosteran.exe appears to be a custom build of the Chrome browser. You'll also see add-ons and new search providers installed in Internet Explorer and Mozilla Firefox. I'll show how to remove Vosteran in this blog post with the FreeFixer removal tool.

Here’s the vosteran.com start page in Firefox:

vosteran.com web site

and the new add-ons called Vosteran 2.3.0 and Vosteran Search 1.0.2:

Vosteran Search Firefox add-on

If you check the Task Manager, you’ll see a bunch of vosteran.exe processes running:

vosteran.exe task manager


When I uploaded vosteran.exe to VirusTotal none of the anti-virus programs there detected the file.

Vosteran is bundled with other software. Bundled means that it is included in another piece of software's installer. When I first found Vosteran, it was bundled with an unofficial Skype download which was digitally signed by Astro Delivery.

Generally, you can avoid bundled software such as Vosteran by being careful when installing software and declining the bundled offers in the installer.

Since you probably want to remove Vosteran, these are the files you should check for removal if you want to remove it with FreeFixer. You may have to restart your system to complete the removal.

vosteran.exe process remove

vosteran.com remove internet explorer

vosteran.com remove firefox

vosteran search remove firefox

Hope this helped you remove the Vosteran start page modifier and vosteran.exe. If some of the Vosteran.com stuff remains in your browser, you can try the reset feature in your browsers to reset your browser to a state that is almost the same as when you installed it for the first time.

Any idea how you got Vosteran on your system? Please share by posting a comment. Thank you very much!

Hope you found this useful and thank you for reading.

WindowsMangerProtect / WindowsProtect – Removal Instructions

Just another short post before going back to coding. Today I wanted to talk about a bundled program called WindowsMangerProtect / WindowsProtect and thought I should give you some removal instructions. If you have WindowsMangerProtect / WindowsProtect installed on your machine, you will find ProtectWindowsManager.exe running in the Windows Task Manager and an entry in the Uninstall Programs list named WindowsMangerProtect20.0.0.1270 by WindowsProtect LIMITED. You will also see a new Windows Service installed on your machine.

I’ll show how to remove WindowsMangerProtect / WindowsProtect in this blog post with the FreeFixer removal tool.

ProtectWindowsManager.exe task manager

WindowsMangerProtect / WindowsProtect is distributed by a tactic called bundling. Bundling means that a piece of software is included in other software’s installers. Often, you can avoid bundled software such as WindowsMangerProtect / WindowsProtect by being careful when installing software and declining the bundled offers in the installer.

As always when I stumble upon some new bundled software, I uploaded it to VirusTotal to see if the anti-virus scanners there detect anything interesting. Only 5% of the scanners detected the file. Baidu-International detects WindowsMangerProtect / WindowsProtect as Adware.Win32.Elex.sig, Malwarebytes classifies it as PUP.Optional.WPM.A and McAfee-GW-Edition reports BehavesLike.Win32.DunDun.gh. I think the other anti-virus scanners will catch up in a few days.

WindowsProtectManager virustotal

So, how about the WindowsMangerProtect / WindowsProtect removal? All you need to do to remove WindowsMangerProtect / WindowsProtect is to check the WindowsMangerProtect / WindowsProtect file, that is ProtectWindowsManager.exe, in the scan result and click the Fix button. You might have to reboot your computer to complete the removal. Here are a few screenshots that should help you along the way:

ProtectWindowsManager.exe remove

WindowsMangerProtect service remove

Hope this helped you solve the WindowsMangerProtect / WindowsProtect problem.

I stumbled upon WindowsMangerProtect / WindowsProtect while testing out some downloads that are known to bundle lots of unwanted software. Any idea how WindowsMangerProtect / WindowsProtect was installed on your system? Please share your story in the comments below. Thank you!

Hope you found this useful and thank you for reading.

What is 337 Games and 337Games.exe?

Welcome! I found a program called 337 Games this morning. If you have 337 Games on your computer, you will notice a 337 Games icon on the desktop, a 337 Games icon on the task bar and 337Games.exe installed in the Roaming directory on your machine. If 337 Games showed up unexpectedly on your machine, it might have been bundled with another program.

337 Games icon

Nothing happened when I double-clicked on the icon.

337 Games is distributed by a strategy called bundling. Bundling means that a piece of software is included in other software’s installers. Generally, you can avoid bundled software such as 337 Games by being careful when installing software and declining the bundled offers in the installer.

When I find some new bundled software I always upload it to VirusTotal to verify whether the anti-virus scanners there find anything. Only one anti-virus scanner detected the file: Baidu-International detects 337 Games as Adware.Win32.Elex.sig.

337Games.exe virustotal

If you came here looking for removal instructions for 337 Games, you can do so from the Windows Control Panel.

337 GAMES uninstall

If that did not work, you can uninstall it with the FreeFixer removal tool. Just select the 337 Games file as the screenshot below shows. A restart of your computer might be required to complete the removal.

337Games.exe remove

Hope that helped you with the removal.

Do you also have 337 Games on your machine? Any idea how it got installed? Please share your story in the comments below. Thanks!

Thanks for reading!

R2D2 Tech Software LLC – 27% Detection Rate – Eldorado/InstallBrain

Hi there! Just a quick note this morning on a publisher called R2D2 Tech Software LLC. The R2D2 Tech Software LLC download, CodecPerformerSetup.exe, was detected when I uploaded it to VirusTotal. Did you also find a download by R2D2 Tech Software LLC? Was it also detected when you uploaded it to VirusTotal?

R2D2 Tech Software publisher in the UAC dialog

If you have an R2D2 Tech Software LLC file on your machine you may have noticed that R2D2 Tech Software LLC is displayed as the publisher in the UAC dialog when double-clicking on the file. Viewing the certificate information is also possible by looking under the Digital Signature tab for the file. Here the certificate says that R2D2 Tech Software LLC is located in Beaverton, Oregon, USA.

R2D2 Tech Software certificate shows the publisher is from the US

So, why am I writing about the R2D2 Tech Software LLC file? Check out what the anti-virus scanners report about the file:

R2D2 Tech Software LLC VirusTotal - InstallBrain, Eldorado

F-Prot reports CodecPerformerSetup.exe as W32/A-3442f84d!Eldorado, Qihoo-360 classifies it as Malware.QVM06.Gen and VIPRE detects it as InstallBrain (fs), to name a few of the detection names for CodecPerformerSetup.exe.

Did you also find an R2D2 Tech Software LLC file? Do you remember the download link? Please post it in the comments below and I'll upload it to VirusTotal to see if that one is also detected.

Thank you for reading.