Tag Archives: InstallCore

What’s Hiding Behind Bing’s Ads?

Something that always bugged me is some of the content promoted by search engine ads. I’m talking about the ads that appear at the top of the search results. Here’s an example where I search for “download firefox” on the Bing search engine:

The first four items above the fold are ads. Let’s click on the first ad (fir.updatechecker.club).

The fir.updatechecker.club web site shows a fake Windows GUI pretending to be the Firefox Installer (built inside the browser’s viewport), and they want me to pay 50 SEK to install the free Mozilla Firefox browser by sending an SMS! The fact that 50 SEK is charged when sending the SMS appears in a small grey font in the lower left corner. When I refuse to pay the 50 SEK I get a setup file, which is detected by many of the security scanners:

The installer appears to be built using InstallCore and shows a sponsored offer to install Avast AntiVirus, which I declined. (Though it would be interesting to see if Avast would go ahead and remove the bundler. As you can see in the scan result above, Avast is detecting the installer file, giving it the detection name “FileRepMalware [PUP]”.)

The installer file also installs a piece of software called UpdateChecker:

Should Bing block these ads? What do you think?


PremiumBeam (New Media Holdings Ltd.) – 15% Detection Rate – InstallCore

Hi there! Just a quick post today, since I’m busy working with the next release of FreeFixer. Did you see a file, such as vlc-media-player.exe, on your system signed by PremiumBeam (New Media Holdings Ltd.)? Then read on.

PremiumBeam (New Media Holdings Ltd.)


If you have a PremiumBeam (New Media Holdings Ltd.) file on your computer you may have noticed that PremiumBeam (New Media Holdings Ltd.) pops up as the publisher in the User Account Control dialog when running the file. The PremiumBeam (New Media Holdings Ltd.) certificate shows that the publisher is located in Tel Aviv, Israel.

These are the current VirusTotal detections for the file. PUP.Optional.InstallCore, HEUR/QVM06.1.Malware.Gen, Install Core Click run software (PUA), SScope.Malware-Cryptor.InstallCore and InstallCore (fs) are a few of the detection names for the vlc-media-player.exe file.

PremiumBeam New Media Holdings Ltd. anti-virus report

Did you also find a file signed by PremiumBeam (New Media Holdings Ltd.)? What kind of download was it and where did you find it?

Thanks for reading.

Safemode Install (Fried Cookie Ltd) – 18% Detection Rate – InstallCore

Hi there! Just a short post on a publisher called Safemode Install (Fried Cookie Ltd). I just found a download named chrome-download.exe that was digitally signed by this publisher, and it turns out that it is detected by some anti-virus programs.

Safemode Install Fried Cookie Ltd certificate

By looking at the certificate we can see that Safemode Install (Fried Cookie Ltd) appears to be located in Israel. GlobalSign has issued the certificate.

The issue here is that if chrome-download.exe really was a setup file for Google Chrome, it would be digitally signed by Google Inc. and not by some unknown company. I think this looks suspicious. Here’s how the authentic Google Chrome looks when you double click on it. Notice that the “Verified publisher” says “Google Inc”.

Chrome Google Inc publisher

So, why did I put up this blog post? Well, the thing is that the Safemode Install (Fried Cookie Ltd) file is detected by many of the scanners, according to VirusTotal. ESET-NOD32 detects it as a variant of Win32/InstallCore.ADE potentially unwanted, Malwarebytes detects it as PUP.Optional.InstallCore, AVG names chrome-download.exe as InstallCore.F22 and Sophos detects it as Install Core Click run software (PUA).

Safemode Install (Fried Cookie Ltd) anti-virus report

Did you also find a file digitally signed by Safemode Install (Fried Cookie Ltd)? What kind of download was it and where did you find it?

Thanks for reading.

MaxAgile (New Media Holdings Ltd.) – 9% Detection Rate – InstallCore

Hi there! Just a short post on a publisher called MaxAgile (New Media Holdings Ltd.) before going back to some coding on FreeFixer.

MaxAgile New Media Holdings Ltd certificate

You can also check who signed a file by checking the digital signature tab. According to the embedded certificate we can see that MaxAgile (New Media Holdings Ltd.) seems to be located in Tel Aviv, Israel and that the certificate is issued by GlobalSign CodeSigning CA – G2.

MaxAgile GlobalSign

The issue is that chrome-download.exe is not an official Google Chrome download. If it was, it should be digitally signed by Google Inc. Here’s how the authentic Google Chrome looks when you double click on it. Notice that the “Verified publisher” says “Google Inc”.

Chrome Google Inc publisher

The scan result from VirusTotal below clearly shows why you should avoid the MaxAgile (New Media Holdings Ltd.) file. It is detected under names such as Trojan.InstallCore.1364, PUP.Optional.InstallCore and InstallCore (fs).

MaxAgile anti-virus report

Did you also find a MaxAgile (New Media Holdings Ltd.) file?

Thanks for reading.

Top Scale (New Media Holdings Ltd.) – 14% Detection Rate – InstallCore

Hi there! If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. Today I found another publisher called Top Scale (New Media Holdings Ltd.).

Top Scale New Media Holdings Ltd publisher

It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the Top Scale (New Media Holdings Ltd.) certificate.

Top Scale New Media Holdings Ltd. cert

Top Scale is located in Tel Aviv, Israel, according to the certificate.

What caught my attention was that the download was called GoogleChromeSetup.exe. This might look like an official Google Chrome download, but it is not. If it was an official download, it should have been signed by Google Inc. Here’s how the authentic Google Chrome looks when you double click on it. Notice that the “Verified publisher” says “Google Inc”.

Chrome Google Inc publisher

So, what do the anti-virus programs say about the Top Scale (New Media Holdings Ltd.) file? No problem, I just uploaded the file to VirusTotal and it turned out that some of the anti-virus programs detect the Top Scale (New Media Holdings Ltd.) file, with names such as InstallCore.A98, W32.HfsAdware.D59D, PUP.Optional.InstallCore.A and InstallCore (fs).

Top Scale New Media Holdings anti-virus report

Did you also find a Top Scale (New Media Holdings Ltd.) file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thank you for reading.

PlatformMax (Fried Cookie Ltd) – 9% Detection Rate – InstallCore

Welcome! Just wanted to give you a heads-up on a suspicious file I found right now. The file is named vlc-media-player_setup.exe and is digitally signed by PlatformMax (Fried Cookie Ltd).

PlatformMax Fried Cookie publisher

If you have a PlatformMax (Fried Cookie Ltd) file on your machine you may have noticed that PlatformMax (Fried Cookie Ltd) is displayed as the publisher in the UAC dialog when double-clicking on the file. The certificate is issued by GlobalSign CodeSigning CA – G2.

PlatformMax (Fried Cookie Ltd) cert

If you are considering running the PlatformMax (Fried Cookie Ltd) signed file, please check out the detection list from some of the anti-virus programs first:

PlatformMax anti-virus report

AVG detects vlc-media-player_setup.exe as Generic.7D6, Comodo classifies it as Application.Win32.InstallCore.DXC, DrWeb detects it as Trojan.InstallCore.890 and Malwarebytes reports PUP.Optional.InstallCore.SID.C.

Did you also find a PlatformMax (Fried Cookie Ltd) file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thanks for reading.

Safemode Install (Fried Cookie Ltd) – 9% Detection Rate

Hi there! Just a short post on a publisher called Safemode Install (Fried Cookie Ltd) before going back to some coding on FreeFixer. The file is called chrome_setup.exe.

Safemode Install Fried Cookie Ltd certificate

By looking at the certificate we can see that Safemode Install (Fried Cookie Ltd) appears to be located in Tel Aviv in Israel.

The issue here is that if chrome_setup.exe really was an installer for Google Chrome, it should be signed by Google Inc. and not by some unknown company. Here’s how the authentic Google Chrome looks when you double click on it. Notice that the “Verified publisher” says “Google Inc”.

Chrome Google Inc publisher

So, what’s the problem? Well, some of the anti-virus programs over at VirusTotal detect the Safemode Install file. Application.Win32.FriedCookie.CIRK, Trojan.InstallCore.844, a variant of Win32/InstallCore.ZM potentially unwanted and PUP.Optional.InstallCore.SID.C are some of the detection names.

Safemode Install anti-virus report

Did you also find a Safemode Install (Fried Cookie Ltd) file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thanks for reading.

Setup Super (Fried Cookie Ltd.) – 16% Detection Rate – InstallCore

Hello! I was playing around and testing some downloads when I found a file digitally signed by Setup Super (Fried Cookie Ltd.).

This is how Setup Super (Fried Cookie Ltd.) appears when running the file:

Setup Super Fried Cookie Ltd publisher

By examining the certificate, we can see that Setup Super (Fried Cookie Ltd.) is located in Tel Aviv, Israel. The certificate is issued by GlobalSign CodeSigning CA – G2.

Setup Super Fried Cookie certificate

The reason I’m writing this blog post is that the Setup Super (Fried Cookie Ltd.) file is detected by some of the anti-virus scanners at VirusTotal. Comodo detects installer_jdownloader_English.exe as Application.Win32.InstallCore.UD, Malwarebytes reports PUP.Optional.InstallCore.SID.C and VIPRE detects it as InstallCore (fs).

Setup Super anti-virus report

Did you also find a file digitally signed by Setup Super (Fried Cookie Ltd.)? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Thanks for reading.

Advertaizing Grupp – 19% Detection Rate – InstallCore

Hi there! If you are a regular here on the FreeFixer blog you know that I’ve been looking at the certificates used to sign files that bundle various types of unwanted software. Today I found another certificate, used by a publisher called Advertaizing Grupp.

Advertaizing Grupp certificate

You can view the certificate by right-clicking on the file and looking under the Digital Signature tab. According to the embedded certificate, Advertaizing Grupp is located in Russia and the certificate is issued by COMODO RSA Code Signing CA.

What caught my attention was that the download was called adobe_flash_setup.exe. This might look like an official Adobe Flash Player download, but it is not. If it was an official download, it would be signed by Adobe Systems Incorporated. Here’s how the authentic Adobe Flash Player looks when you double click on it. Notice that the “Verified publisher” says “Adobe Systems Incorporated”.

Adobe Systems Incorporated - Adobe Flashplayer Installer

So, what do the anti-virus programs say about the Advertaizing Grupp file? No problem, I just uploaded the file to VirusTotal and it turned out that many of the anti-virus programs detect the Advertaizing Grupp file, with names such as Win32:Rootkit-gen [Rtk], Adware/InstallCo.zlz, Trojan.InstallCore.57, Trojan ( 004b4b721 ), Riskware.Win32.InstallCore.dnxkbc and Win32/Tnega.MFNTaRB.

Advertaizing Grupp anti virus report

Did you also find a download that was digitally signed by Advertaizing Grupp? What kind of download was it and was it detected by the anti-virus programs at VirusTotal? Please share in the comments below.

Hope this blog post helped you avoid some unwanted software on your machine.

Thank you for reading.

OOO PREM”ER-SERVIS – 11% Anti-Virus Detection Rate – InstallCore

Welcome! I was playing around and testing some downloads when I found a file digitally signed by OOO PREM”ER-SERVIS. The OOO PREM”ER-SERVIS certificate shows that the publisher is located in Moscow, Russia.

OOO PREM''ER-SERVIS certificate

The problem here is that if adobe_flash_setup.exe really was an installer file for Adobe Flash Player, it should have been signed by Adobe Systems Incorporated and not by some unknown company. Here’s how the authentic Adobe Flash Player looks when you double click on it. Notice that the “Verified publisher” says “Adobe Systems Incorporated”.

Adobe Systems Incorporated - Adobe Flashplayer Installer

Right now, 6 of the antimalware scanners detected the file. Some of the detection names for the adobe_flash_setup.exe file are Adware/InstallCore.783896, a variant of Win32/InstallCore.WX potentially unwanted, Trojan ( 004b61851 ) and Trojan ( 004b61851 ).

OOO PREM''ER-SERVIS anti-virus report
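As an added example (not code from this blog or from FreeFixer), here is a PowerShell function that automates the publisher check described in this and the earlier posts: it reads the Authenticode signature of a setup file, pulls the publisher and location out of the certificate subject, and compares the publisher with the vendor the file name implies. The expected-publisher table, the file-name patterns and the function name are assumptions made for illustration; the expected publisher strings are the ones quoted in the posts.

```powershell
# Added example, not FreeFixer code. Expected publishers for Chrome and Flash
# Player are the ones quoted in the posts; file-name patterns are assumptions.
$ExpectedPublisher = @{
    'chrome'      = 'Google Inc'                  # chrome_setup.exe, GoogleChromeSetup.exe, chrome-download.exe
    'adobe_flash' = 'Adobe Systems Incorporated'  # adobe_flash_setup.exe
}

function Test-InstallerPublisher {
    param([Parameter(Mandatory)][string]$Path)

    $name = [System.IO.Path]::GetFileName($Path).ToLowerInvariant()
    $sig  = Get-AuthenticodeSignature -FilePath $Path

    # Which vendor does the file name imply? First matching key wins, $null if none.
    $claimed = @($ExpectedPublisher.Keys | Where-Object { $name -like "*$_*" })[0]

    $result = [ordered]@{
        File = $name; Status = $sig.Status; Publisher = $null
        Issuer = $null; Location = $null; Verdict = $null
    }

    if ($sig.Status -ne 'Valid') {
        # Unsigned, tampered with, or signed by a certificate Windows does not trust.
        $result.Verdict = 'UNSIGNED-OR-INVALID'
        return [pscustomobject]$result
    }

    # Subject DN looks like "CN=Google Inc, O=Google Inc, L=Mountain View, S=California, C=US".
    $subject = $sig.SignerCertificate.Subject
    $result.Issuer = $sig.SignerCertificate.Issuer   # e.g. a GlobalSign or COMODO code-signing CA

    # Publisher (CN) and location (L, C): the same fields the certificate tab shows.
    # Simple regex; values containing quoted/escaped commas are not handled.
    if ($subject -match '(^|, )CN=([^,]+)') { $result.Publisher = $Matches[2] }
    $result.Location = (@('L', 'C') | ForEach-Object {
        if ($subject -match "(^|, )$_=([^,]+)") { $Matches[2] } }) -join ', '

    if (-not $claimed) { $result.Verdict = 'NO-EXPECTATION' }
    elseif ($result.Publisher -eq $ExpectedPublisher[$claimed]) { $result.Verdict = 'PUBLISHER-MATCHES' }
    else { $result.Verdict = "PUBLISHER-MISMATCH (expected '$($ExpectedPublisher[$claimed])')" }

    [pscustomobject]$result
}

# Usage: review every .exe in the Downloads folder before running any of them.
Get-ChildItem "$env:USERPROFILE\Downloads\*.exe" |
    ForEach-Object { Test-InstallerPublisher -Path $_.FullName } |
    Format-Table File, Verdict, Publisher, Location, Issuer -AutoSize
```

A valid signature only proves who signed the file, so a PUBLISHER-MISMATCH result is the cue to look the file up on VirusTotal, as the posts do, rather than to run it.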

Did you also find a file digitally signed by OOO PREM”ER-SERVIS? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Thanks for reading.