Tag Archives: Russia

TAIMED LLC – 2% Anti-Virus Detection Rate – Trojan.Win32.Qudamah

Uncategorized, , ,

Hi there! Hope you are having a good saturday night. Just wanted to give you the heads up on files digitally signed by TAIMED LLC.

TAIMED LLC uac

Windows will display TAIMED LLC as the publisher when running the file. The certificate information can also be viewed from Windows Explorer. According to the certificate we can see that TAIMED LLC appears to be located in Lubertsy, Russia and that the certificate is issued by COMODO Code Signing CA 2.

TAIMED LLC certificate

So, why did I put up this blog post? Well, the thing is that the TAIMED LLC file is detected by a few of the antimalware scanners, according to VirusTotal. Tencent classifies Game_of_Thrones_S04E02_HDTV_x264-2HD[ettv].exe as Trojan.Win32.Qudamah.Gen.3

TAIMED LLC anti-virus report

In addition to that, if you run the file, it will install the Jelbrus Secure Web adware. I’m sure the other anti-virus program will detect this in a few days.

Did you also find a file digitally signed by TAIMED LLC? Where did you find it and are the anti-virus programs detecting it? I found it at The Pirate Bay. Please share in the comments below.

Thank you for reading.

Techsnab LLC – 16% Anti-Virus Detection Rate

adware, , ,

Welcome! If you are a regular here on the FreeFixer blog, you know that I’ve been examining files that have a digital signature and bundle various types of potentially unwanted software. Today I found another publisher named Techsnab LLC that bundles some software.

Techsnab LLC certificate

To get more details on the publisher, you can view the certificate by right-clicking on the file, and looking under the Digital Signatures tab. According to the embedded certificate we can see that Techsnab LLC is located in Moscow, Russia and that the certificate is issued by COMODO Code Signing CA 2. This Techsnab certificate has been revoked:

Techsnab LLC revoked

16% of the scanners detected the file. The Game_of_Thrones_S04E02_HDTV_x264-2HD[ettv].exe file is detected as APPL/Techsnab.onemb by Avira, W32.HfsAdware.894E by Bkav, Trojan ( 004b5df41 ) by K7GW, Trojan.Win32.Techsnab.dossoy by NANO-Antivirus and GetPrivate (fs) by VIPRE.

Techsnab LLC anti-virus report

Did you also find a Techsnab LLC file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thanks for reading.

Jelbrus LLC from The Pirate Bay – 23% Anti-Virus Detection Rate – Strictor / Techsnab / HfsAdware

adware, digital signature, , , , , ,

Welcome! Saturday night post this time 😉 Just wanted to let you know about a publisher called Jelbrus LLC. You may run into this download if you are visiting sites such as The Pirate Bay.

Jelbrus LLC make changes

Information about a digital signature and the certificate can also be found under the Digital Signature tab. According to the embedded certificate we can see that Jelbrus LLC seems to be located in Moscow in Russia and that the certificate is issued by Thawte Code Signing CA – G2.

Jelbrus LLC certificate

So what’s up with Jelbrus? The file I found is, named Breaking_Bad_Season_1_Complete_720p.BRrip.Sujaidr_(pimprg)_.exe, so you might get the impression that this is a download for the famous TV-Series called Breaking Bad. It’s not.

Here’s how the Jelbrus installer looks like if you run the file:

Jelbrus LLC installer

When clicking the Next button a bunch settings are changed and some files are added on your computer. Here’s the interesting stuff from a FreeFixer log:

FreeFixer v1.13 log
http://www.freefixer.com/

Scheduled tasks (39 whitelisted)
================================
Great Performance Ultimate, C:\Program Files (x86)\PrivateVPN\gpup.exe , signer: [unsigned]
Jelbrus Secure Web Task, C:\Program Files (x86)\Jelbrus Secure Web\jswtask.exe , signer: [unsigned]
Malware Cleaner, C:\Users\honeypotter\AppData\Roaming\1265.tmp.exe (file is missing)

Processes (42 whitelisted)
==========================
C:\Windows\mlwps.exe, signer: [unsigned]
C:\Users\HONEYP~1\AppData\Local\Temp\92.tmp.exe, signer: [unsigned]
C:\Program Files (x86)\Jelbrus Secure Web\privoxy.exe, signer: [unsigned]

Services (47 whitelisted)
=========================
Live Malware Protection, Live Malware Protection, c:\windows\mlwps.exe, signer: [unsigned]
PrivoxyService, Privoxy (PrivoxyService), c:\program files (x86)\jelbrus secure web\privoxy.exe, signer: [unsigned]

Recently created/modified files
===============================
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\mgwz.dll, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\privoxy.exe, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jsie.dll, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jswff.exe, signer: Jelbrus LLC [valid]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jsweb64.dll, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jswchromium64.exe, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jsweb.dll, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jswchromium.exe, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jswtask.exe, signer: [unsigned]
20 minutes, c:\Users\honeypotter\AppData\Local\Temp\92.tmp.exe, signer: [unsigned]
21 minutes, c:\Program Files (x86)\PrivateVPN\tasks.dll, signer: [unsigned]
21 minutes, c:\Users\honeypotter\AppData\Local\Temp\tasks.dll, signer: [unsigned]
21 minutes, c:\Program Files (x86)\PrivateVPN\gpup.exe, signer: [unsigned]
21 minutes, c:\Users\honeypotter\AppData\Local\Temp\580C.tmp.exe, signer: [unsigned]
23 minutes, c:\Users\honeypotter\AppData\Local\Temp\1716.tmp.exe, signer: [unsigned]
24 minutes, c:\Users\honeypotter\AppData\Local\Temp\6E23.tmp.exe, signer: [unsigned]

LAN Proxy Settings
==================
*=127.0.0.1:8118

You will also see advertisements while browsing the web labelled “Ad by CouponDropDown“. Here’s the “Ad by CouponDropDown” ads on Google:

Ad by CouponDropDown

So what does the anti-virus scanners at VirusTotal say about Jelbrus’ “Breaking Bad” file? The detection rate is 13/57. Gen:Variant.Strictor.75172, Jelbrus.3C0, Adware/Techsnab.9058, Jelbrus LLC (fs), W32.HfsAdware.307F and Gen:Variant.Strictor.75172 were some of the detection names.

Jelbrus LLC anti-virus report

Did you also find an Jelbrus LLC? Did you also find it at The Pirate Bay?

Thank you for reading.

Advertaizing Grupp – 19% Detection Rate – InstallCore

digital signature, ,

Hi there! If you are a regular here on the FreeFixer blog you know that I’ve been looking on the certificates used to sign files that bundled various types of unwanted software. Today I found another certificate, used by a publisher called Advertaizing Grupp.

Advertaizing Grupp certificate

You can view the certificate by right-clicking on the file, and looking under the Digital Signature tab: According to the embedded certificate we can see that Advertaizing Grupp is located in Russia and that the certificate is issued by COMODO RSA Code Signing CA.

What caught my attention was that the download was called adobe_flash_setup.exe. This might look like an official Adobe Flash Player download, but it is not. If it was an official download, it would be signed by Adobe Systems Incorporated. Here’s how the authentic Adobe Flash Player looks like when you double click on it. Notice that the “Verified publisher” says “Adobe Systems Incorporated”.
Adobe Systems Incorporated - Adobe Flashplayer Installer

So, what does the anti-virus programs say about the Advertaizing Grupp file? No problem, I just uploaded the file to VirusTotal and it turned out that many of the anti-virus programs detects the Advertaizing Grupp file, with names such as Win32:Rootkit-gen [Rtk], Adware/InstallCo.zlz, Trojan.InstallCore.57, Trojan ( 004b4b721 ), Riskware.Win32.InstallCore.dnxkbc and Win32/Tnega.MFNTaRB.

Advertaizing Grupp anti virus report

Did you also find a download that was digitally signed by Advertaizing Grupp? What kind of download was it and was it detected by the anti-virus progams at VirusTotal? Please share in posting comments below.

Hope this blog post helped you avoid some unwanted software on your machine.

Thank you for reading.

OOO PREM”ER-SERVIS – 11% Anti-Virus Detection Rate – InstallCore

digital signature, ,

Welcome! I was playing around and testing some downloads when I found a file digitally signed by OOO PREM”ER-SERVIS. The OOO PREM”ER-SERVIS certificate shows that the publisher is located in Moscow, Russia.

OOO PREM''ER-SERVIS certificate

The problem here is that if adobe_flash_setup.exe really was an installer file for Adobe Flash Player, it should have been signed by Adobe Systems Incorporated and not by some unknown company. Here’s how the authentic Adobe Flash Player looks like when you double click on it. Notice that the “Verified publisher” says “Adobe Systems Incorporated”.
Adobe Systems Incorporated - Adobe Flashplayer Installer

Right now, 6 of the antimalware scanners detected the file. Some of the detection names for the adobe_flash_setup.exe file are Adware/InstallCore.783896, a variant of Win32/InstallCore.WX potentially unwanted, Trojan ( 004b61851 ) and Trojan ( 004b61851 ).

OOO PREM''ER-SERVIS anti-virus report

Did you also find a file digitally signed by OOO PREM”ER-SERVIS? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Thanks for reading.