Tag Archives: Moscow

Adverts Technologies – 25% Detection Rate – PUP.Optional.Adverts / ToDownload

Hi there! Just a quick post on a file named mediaplayer_update.exe signed by Adverts Technologies.

Adverts Technologies publisher

You can also see the Adverts Technologies certificate by looking under the Digital Signature tab on the file’s properties. According to the certificate, Adverts Technologies is located in Moscow, Russia.

Adverts Technologies cert

The issue with the Adverts Technologies file is that it is detected by many of the antimalware progams. Here are some of the detection names: Generic.E4D, PUP.Optional.Adverts, HEUR/QVM06.1.Malware.Gen, InstallCore ToDownload (PUA), SAPE.InstallCore.2505, Trojan.Win32.Generic!BT and Adware.BrowseFox.Win32.128816.

Adverts Technologies anti-virus

Did you also find an Adverts Technologies? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thanks for reading.

OOO DIGITAL VEI – 18% Detection Rate – InstallCore

Hello readers! Just a quick post on a publisher called OOO DIGITAL VEI that I found while running some tests for the upcoming FreeFixer release. The suspicious file is named adobe_flash_player.exe.

OOO DIGITAL VEI publisher

Viewing the certificate information is also possible by looking under the digital signature tab for the file. Here the certificate says that OOO DIGITAL VEI is located in Moscow, Russa.

OOO DIGITAL VEI cert

And USERTrust and Comodo is upwards in the certificate chain:

OOO DIGITAL VEI cert chain

What caught my attention was that the download was called adobe_flash_player.exe. This might look like an official Adobe Flash Player download, but it is not. If it was an official download, it should be digitally signed by Adobe Systems Incorporated. Here’s how the authentic Adobe Flash Player looks like when you double click on it. Notice that the “Verified publisher” says “Adobe Systems Incorporated”.
Adobe Systems Incorporated - Adobe Flashplayer Installer

The problem with the OOO DIGITAL VEI file is that it is detected by many of the antivirus software. Here are some of the detection names: W32.HfsAdware.90CE, PUP.Optional.Bundle and InstallCore (fs).

OOO DIGITAL VEI anti-virus report

Did you also find a OOO DIGITAL VEI download? What kind of download was it?

Thank you for reading.

Astori LLC – 18% Detection Rate

Hello! Was looking for some downloads to play around with and found one, digitally signed by Astori LLC. The file is named in such a way that users might think it is a download for the Game of Thrones TV series.

The following screenshot shows the User Account Control dialog when running the Astori LLC file:

Astori LLC publisher

It’s possible to view additional information about the certificate by right-clicking on the file, choosing properties and then clicking on the Digital Signatures tab. According to the certificate we can see that Astori LLC appears to be located in Moscow, Russia and that the certificate is issued by COMODO Code Signing CA 2.

Astori LLC cert

I found an older file, also signed by Astori LLC. This one was detected by 10 of the 57 scanners over at VirusTotal:

Astori LLC virustotal

Did you also find a Astori LLC file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thanks for reading.

OOO Mad Advert – 5% Detection Rate – Trojan.InstallCore / Win32:Malware-gen

Hi there! Just wanted to give you heads-up on suspicious file I found right now. The file is named adobe_flash_setup.exe and digitally signed by OOO Mad Advert.

OOO Mad Advert publisher

You can also check the digital signature under the file’s properties.. The screenshot below shows the OOO Mad Advert certificate. From the certificate info we can see that OOO Mad Advert appears to be located in Moscow, Russia.

OOO Mad Advert cert

 

Here’s how the OOO MAD Advert download is promoted:

updater.safeplugin-update.org pop up

What caught my attention was that the download was called adobe_flash_setup.exe. This might look like an official Adobe Flash Player download, but it is not. If it was an official download, it should have been digitally signed by Adobe Systems Incorporated. Here’s how the authentic Adobe Flash Player looks like when you double click on it. Notice that the “Verified publisher” says “Adobe Systems Incorporated”.
Adobe Systems Incorporated - Adobe Flashplayer Installer

The detection rate is 3/55. Avast reports adobe_flash_setup.exe as Win32:Malware-gen, DrWeb calls it Trojan.InstallCore.508 and ESET-NOD32 calls it a variant of Win32/InstallCore.ZC potentially unwanted.

OOO Mad Advert anti-virus report

Did you also find a OOO Mad Advert file? Do you remember where you downloaded it?

Thank you for reading.

Techsnab LLC – 16% Anti-Virus Detection Rate

Welcome! If you are a regular here on the FreeFixer blog, you know that I’ve been examining files that have a digital signature and bundle various types of potentially unwanted software. Today I found another publisher named Techsnab LLC that bundles some software.

Techsnab LLC certificate

To get more details on the publisher, you can view the certificate by right-clicking on the file, and looking under the Digital Signatures tab. According to the embedded certificate we can see that Techsnab LLC is located in Moscow, Russia and that the certificate is issued by COMODO Code Signing CA 2. This Techsnab certificate has been revoked:

Techsnab LLC revoked

16% of the scanners detected the file. The Game_of_Thrones_S04E02_HDTV_x264-2HD[ettv].exe file is detected as APPL/Techsnab.onemb by Avira, W32.HfsAdware.894E by Bkav, Trojan ( 004b5df41 ) by K7GW, Trojan.Win32.Techsnab.dossoy by NANO-Antivirus and GetPrivate (fs) by VIPRE.

Techsnab LLC anti-virus report

Did you also find a Techsnab LLC file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thanks for reading.

Jelbrus LLC from The Pirate Bay – 23% Anti-Virus Detection Rate – Strictor / Techsnab / HfsAdware

Welcome! Saturday night post this time 😉 Just wanted to let you know about a publisher called Jelbrus LLC. You may run into this download if you are visiting sites such as The Pirate Bay.

Jelbrus LLC make changes

Information about a digital signature and the certificate can also be found under the Digital Signature tab. According to the embedded certificate we can see that Jelbrus LLC seems to be located in Moscow in Russia and that the certificate is issued by Thawte Code Signing CA – G2.

Jelbrus LLC certificate

So what’s up with Jelbrus? The file I found is, named Breaking_Bad_Season_1_Complete_720p.BRrip.Sujaidr_(pimprg)_.exe, so you might get the impression that this is a download for the famous TV-Series called Breaking Bad. It’s not.

Here’s how the Jelbrus installer looks like if you run the file:

Jelbrus LLC installer

When clicking the Next button a bunch settings are changed and some files are added on your computer. Here’s the interesting stuff from a FreeFixer log:

FreeFixer v1.13 log
http://www.freefixer.com/

Scheduled tasks (39 whitelisted)
================================
Great Performance Ultimate, C:\Program Files (x86)\PrivateVPN\gpup.exe , signer: [unsigned]
Jelbrus Secure Web Task, C:\Program Files (x86)\Jelbrus Secure Web\jswtask.exe , signer: [unsigned]
Malware Cleaner, C:\Users\honeypotter\AppData\Roaming\1265.tmp.exe (file is missing)

Processes (42 whitelisted)
==========================
C:\Windows\mlwps.exe, signer: [unsigned]
C:\Users\HONEYP~1\AppData\Local\Temp\92.tmp.exe, signer: [unsigned]
C:\Program Files (x86)\Jelbrus Secure Web\privoxy.exe, signer: [unsigned]

Services (47 whitelisted)
=========================
Live Malware Protection, Live Malware Protection, c:\windows\mlwps.exe, signer: [unsigned]
PrivoxyService, Privoxy (PrivoxyService), c:\program files (x86)\jelbrus secure web\privoxy.exe, signer: [unsigned]

Recently created/modified files
===============================
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\mgwz.dll, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\privoxy.exe, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jsie.dll, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jswff.exe, signer: Jelbrus LLC [valid]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jsweb64.dll, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jswchromium64.exe, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jsweb.dll, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jswchromium.exe, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jswtask.exe, signer: [unsigned]
20 minutes, c:\Users\honeypotter\AppData\Local\Temp\92.tmp.exe, signer: [unsigned]
21 minutes, c:\Program Files (x86)\PrivateVPN\tasks.dll, signer: [unsigned]
21 minutes, c:\Users\honeypotter\AppData\Local\Temp\tasks.dll, signer: [unsigned]
21 minutes, c:\Program Files (x86)\PrivateVPN\gpup.exe, signer: [unsigned]
21 minutes, c:\Users\honeypotter\AppData\Local\Temp\580C.tmp.exe, signer: [unsigned]
23 minutes, c:\Users\honeypotter\AppData\Local\Temp\1716.tmp.exe, signer: [unsigned]
24 minutes, c:\Users\honeypotter\AppData\Local\Temp\6E23.tmp.exe, signer: [unsigned]

LAN Proxy Settings
==================
*=127.0.0.1:8118

You will also see advertisements while browsing the web labelled “Ad by CouponDropDown“. Here’s the “Ad by CouponDropDown” ads on Google:

Ad by CouponDropDown

So what does the anti-virus scanners at VirusTotal say about Jelbrus’ “Breaking Bad” file? The detection rate is 13/57. Gen:Variant.Strictor.75172, Jelbrus.3C0, Adware/Techsnab.9058, Jelbrus LLC (fs), W32.HfsAdware.307F and Gen:Variant.Strictor.75172 were some of the detection names.

Jelbrus LLC anti-virus report

Did you also find an Jelbrus LLC? Did you also find it at The Pirate Bay?

Thank you for reading.

Advertaizing Grupp – 19% Detection Rate – InstallCore

Hi there! If you are a regular here on the FreeFixer blog you know that I’ve been looking on the certificates used to sign files that bundled various types of unwanted software. Today I found another certificate, used by a publisher called Advertaizing Grupp.

Advertaizing Grupp certificate

You can view the certificate by right-clicking on the file, and looking under the Digital Signature tab: According to the embedded certificate we can see that Advertaizing Grupp is located in Russia and that the certificate is issued by COMODO RSA Code Signing CA.

What caught my attention was that the download was called adobe_flash_setup.exe. This might look like an official Adobe Flash Player download, but it is not. If it was an official download, it would be signed by Adobe Systems Incorporated. Here’s how the authentic Adobe Flash Player looks like when you double click on it. Notice that the “Verified publisher” says “Adobe Systems Incorporated”.
Adobe Systems Incorporated - Adobe Flashplayer Installer

So, what does the anti-virus programs say about the Advertaizing Grupp file? No problem, I just uploaded the file to VirusTotal and it turned out that many of the anti-virus programs detects the Advertaizing Grupp file, with names such as Win32:Rootkit-gen [Rtk], Adware/InstallCo.zlz, Trojan.InstallCore.57, Trojan ( 004b4b721 ), Riskware.Win32.InstallCore.dnxkbc and Win32/Tnega.MFNTaRB.

Advertaizing Grupp anti virus report

Did you also find a download that was digitally signed by Advertaizing Grupp? What kind of download was it and was it detected by the anti-virus progams at VirusTotal? Please share in posting comments below.

Hope this blog post helped you avoid some unwanted software on your machine.

Thank you for reading.

OOO PREM”ER-SERVIS – 11% Anti-Virus Detection Rate – InstallCore

Welcome! I was playing around and testing some downloads when I found a file digitally signed by OOO PREM”ER-SERVIS. The OOO PREM”ER-SERVIS certificate shows that the publisher is located in Moscow, Russia.

OOO PREM''ER-SERVIS certificate

The problem here is that if adobe_flash_setup.exe really was an installer file for Adobe Flash Player, it should have been signed by Adobe Systems Incorporated and not by some unknown company. Here’s how the authentic Adobe Flash Player looks like when you double click on it. Notice that the “Verified publisher” says “Adobe Systems Incorporated”.
Adobe Systems Incorporated - Adobe Flashplayer Installer

Right now, 6 of the antimalware scanners detected the file. Some of the detection names for the adobe_flash_setup.exe file are Adware/InstallCore.783896, a variant of Win32/InstallCore.WX potentially unwanted, Trojan ( 004b61851 ) and Trojan ( 004b61851 ).

OOO PREM''ER-SERVIS anti-virus report

Did you also find a file digitally signed by OOO PREM”ER-SERVIS? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Thanks for reading.