Tag Archives: HfsAdware

BoxI DJV – 49% Detection Rate – OutBrowse / Downloader.YVA / W32.HfsAdware

Hi there! Ran into a BoxI DJV file about a week ago, but decided not to blog about it since I got the schedule full with other things. I’m currently working on improving the freefixer.com web site with some new features.

However, I changed my mind today about BoxI DJV since there currently a large number of files being distributed with the BoxI DJV signature. And since the Boxl DJV file is detected by many of the anti-virus programs out there I wanted to give you the heads up with a short blog post about it. Here’s BoxI DJV listed as the verified publisher:

BoxI DJV

You can see who the signer is when double-clicking on an executable file. BoxI DJV appears in the publisher field in the dialog that pops up. The certificate is issued by thawte SHA256 Code Signing CA.

Here’s the detections from VirusTotal for BoxI DJV:

BoxI DJV anti-virus report

The detection rate is 26/53. The Moborobo.exe file is detected as OutBrowse by VIPRE, Riskware/OutBrowse by Fortinet, PUA.Boxidjv1.Gen by CAT-QuickHeal, Trojan.OutBrowse.1215 by DrWeb, Downloader.YVA by AVG, W32.HfsAdware.9EC9 by Bkav and SAPE.Heur.BB351 by Symantec.

Did you also find a file digitally signed by BoxI DJV? What kind of download was it and where did you find it?

Thanks for reading.

App secure LLC – 30% Anti-Virus Detection – SoftPulse / Strictor / HfsAdware / DriverUpd

Hello! If you are a regular here on the FreeFixer blog you know that I’ve been looking on the certificates used to sign files that bundled various types of unwanted software. Today I found another certificate, used by a publisher called App secure LLC.

App secure LLC publisher

Windows will display App secure LLC as the publisher when running the file. Information about a digital signature and the certificate can also be found under the Digital Signature tab. The screenshot below shows the App secure LLC certificate. From the certificate info we can see that App secure LLC appears to be located in Wilmington, Delaware in the US.

App secure LLC certificate

When I uploaded the App secure LLC file to VirusTotal, it came up with a 30% detection rate. The file is detected as Win32:SoftPulse-FZ [PUP] by Avast, W32.HfsAdware.8302 by Bkav, Gen:Variant.Strictor.83505 (B) by Emsisoft, a variant of Win32/SoftPulse.AB potentially unwanted by ESET-NOD32, not-a-virus:Downloader.Win32.DriverUpd.wui by Kaspersky and SoftPulse by Sophos.

App secure LLC virus report

The company web site appears to be APPSECURELLC.COM. Here’s some of the info from the WHOIS database:

Registrant Name: Roberto Blangino 
Registrant Organization: App Software LLC
Registrant Street: 501 Silverside Road, Suite 105 
Registrant City: Wilmington
Registrant State/Province: Delaware
Registrant Postal Code: 19809
Registrant Country: US

I checked some of services that provides domain info based on an IP address, and the following sites appears to be or have been located on the same IP:

  • 123maxmusic.com
  • 88dls.com
  • acpsoftwarellc.com
  • www.magnoplayer.com
  • www.newvideoplayer.com

Did you also find a file that was signed by App secure LLC? What kind of download was it and was it detected by the anti-virus scanners at VirusTotal? Please share in posting comments below.

Thanks for reading.

Techsnab LLC – 16% Anti-Virus Detection Rate

Welcome! If you are a regular here on the FreeFixer blog, you know that I’ve been examining files that have a digital signature and bundle various types of potentially unwanted software. Today I found another publisher named Techsnab LLC that bundles some software.

Techsnab LLC certificate

To get more details on the publisher, you can view the certificate by right-clicking on the file, and looking under the Digital Signatures tab. According to the embedded certificate we can see that Techsnab LLC is located in Moscow, Russia and that the certificate is issued by COMODO Code Signing CA 2. This Techsnab certificate has been revoked:

Techsnab LLC revoked

16% of the scanners detected the file. The Game_of_Thrones_S04E02_HDTV_x264-2HD[ettv].exe file is detected as APPL/Techsnab.onemb by Avira, W32.HfsAdware.894E by Bkav, Trojan ( 004b5df41 ) by K7GW, Trojan.Win32.Techsnab.dossoy by NANO-Antivirus and GetPrivate (fs) by VIPRE.

Techsnab LLC anti-virus report

Did you also find a Techsnab LLC file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thanks for reading.

Jelbrus LLC from The Pirate Bay – 23% Anti-Virus Detection Rate – Strictor / Techsnab / HfsAdware

Welcome! Saturday night post this time 😉 Just wanted to let you know about a publisher called Jelbrus LLC. You may run into this download if you are visiting sites such as The Pirate Bay.

Jelbrus LLC make changes

Information about a digital signature and the certificate can also be found under the Digital Signature tab. According to the embedded certificate we can see that Jelbrus LLC seems to be located in Moscow in Russia and that the certificate is issued by Thawte Code Signing CA – G2.

Jelbrus LLC certificate

So what’s up with Jelbrus? The file I found is, named Breaking_Bad_Season_1_Complete_720p.BRrip.Sujaidr_(pimprg)_.exe, so you might get the impression that this is a download for the famous TV-Series called Breaking Bad. It’s not.

Here’s how the Jelbrus installer looks like if you run the file:

Jelbrus LLC installer

When clicking the Next button a bunch settings are changed and some files are added on your computer. Here’s the interesting stuff from a FreeFixer log:

FreeFixer v1.13 log
http://www.freefixer.com/

Scheduled tasks (39 whitelisted)
================================
Great Performance Ultimate, C:\Program Files (x86)\PrivateVPN\gpup.exe , signer: [unsigned]
Jelbrus Secure Web Task, C:\Program Files (x86)\Jelbrus Secure Web\jswtask.exe , signer: [unsigned]
Malware Cleaner, C:\Users\honeypotter\AppData\Roaming\1265.tmp.exe (file is missing)

Processes (42 whitelisted)
==========================
C:\Windows\mlwps.exe, signer: [unsigned]
C:\Users\HONEYP~1\AppData\Local\Temp\92.tmp.exe, signer: [unsigned]
C:\Program Files (x86)\Jelbrus Secure Web\privoxy.exe, signer: [unsigned]

Services (47 whitelisted)
=========================
Live Malware Protection, Live Malware Protection, c:\windows\mlwps.exe, signer: [unsigned]
PrivoxyService, Privoxy (PrivoxyService), c:\program files (x86)\jelbrus secure web\privoxy.exe, signer: [unsigned]

Recently created/modified files
===============================
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\mgwz.dll, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\privoxy.exe, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jsie.dll, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jswff.exe, signer: Jelbrus LLC [valid]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jsweb64.dll, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jswchromium64.exe, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jsweb.dll, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jswchromium.exe, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jswtask.exe, signer: [unsigned]
20 minutes, c:\Users\honeypotter\AppData\Local\Temp\92.tmp.exe, signer: [unsigned]
21 minutes, c:\Program Files (x86)\PrivateVPN\tasks.dll, signer: [unsigned]
21 minutes, c:\Users\honeypotter\AppData\Local\Temp\tasks.dll, signer: [unsigned]
21 minutes, c:\Program Files (x86)\PrivateVPN\gpup.exe, signer: [unsigned]
21 minutes, c:\Users\honeypotter\AppData\Local\Temp\580C.tmp.exe, signer: [unsigned]
23 minutes, c:\Users\honeypotter\AppData\Local\Temp\1716.tmp.exe, signer: [unsigned]
24 minutes, c:\Users\honeypotter\AppData\Local\Temp\6E23.tmp.exe, signer: [unsigned]

LAN Proxy Settings
==================
*=127.0.0.1:8118

You will also see advertisements while browsing the web labelled “Ad by CouponDropDown“. Here’s the “Ad by CouponDropDown” ads on Google:

Ad by CouponDropDown

So what does the anti-virus scanners at VirusTotal say about Jelbrus’ “Breaking Bad” file? The detection rate is 13/57. Gen:Variant.Strictor.75172, Jelbrus.3C0, Adware/Techsnab.9058, Jelbrus LLC (fs), W32.HfsAdware.307F and Gen:Variant.Strictor.75172 were some of the detection names.

Jelbrus LLC anti-virus report

Did you also find an Jelbrus LLC? Did you also find it at The Pirate Bay?

Thank you for reading.