Tag Archives: US

Hummingbird Limited – 26% Detection Rate At VirusTotal

Hello! Just a quick post today, since I’m busy working on the next release of FreeFixer. Did you see a file, such as vlc-media-player.exe, on your system digitally signed by Hummingbird Limited? Then read on.

Hummingbird Limited publisher

The certificate information can also be viewed from Windows Explorer. According to the embedded certificate we can see that Hummingbird Limited is located in Oakland in California, US and that the certificate is issued by VeriSign Class 3 Code Signing 2010 CA.

Hummingbird Limited cert

26% of the scanners detected the file. The vlc-media-player.exe file is detected as Trojan.Vittalia.456 by DrWeb, a variant of Win32/DownloadAdmin.N potentially unwanted by ESET-NOD32, PUP.Optional.DownLoadAdmin by Malwarebytes, DownloadAdmin by McAfee and Trojan.Win32.Generic!BT by VIPRE.

Hummingbird Limited anti-virus report

Did you also find a Hummingbird Limited file? Do you remember where you downloaded it?

Thank you for reading.

TEA TIME BISCUITS – 21% Detection Rate – DownloadAdmin / Jaik

Welcome! Just wanted to give you the heads up on a file called “additionaloffers-setup[1].exe” that’s digitally signed by TEA TIME BISCUITS.

TEA TIME BISCUITS certificate

I found this file on my lab machine after trying out a download from CNet’s Download.com site.

You can view the certificate shown above by right-clicking on the file, choosing Properties and then clicking on the Digital Signatures tab. According to the embedded certificate we can see that TEA TIME BISCUITS seems to be located in San Francisco, California, US and that the certificate is issued by VeriSign Class 3 Code Signing 2010 CA.
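The same certificate fields can be read from the command line. The following PowerShell is an added example, not code from the FreeFixer posts: it reads each file's Authenticode signer and issuer and marks files whose publisher name matches one named in the posts on this page. The `Get-SignerInfo` and `NamedInPosts` names and the Downloads scan path are assumptions chosen for illustration.

```powershell
# Added example. Publisher names are copied from the posts on this page;
# Get-SignerInfo, NamedInPosts and the Downloads path are illustrative assumptions.
$Publishers = @(
    'Hummingbird Limited', 'TEA TIME BISCUITS', 'Trend Interactive',
    'TRUSTED INSTALL SOFTWARE', 'SAFE INSTALL SOFTWARE',
    'F11L Software Inc.', 'App secure LLC'
)

function Get-SignerInfo {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate
    $info = [ordered]@{
        File = $Path; Status = $sig.Status; Publisher = $null
        Subject = $null; Issuer = $null; Thumbprint = $null; NamedInPosts = $false
    }
    if ($cert) {
        $cn = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $info.Publisher    = $cert.GetNameInfo($cn, $false)  # subject common name
        $info.Issuer       = $cert.GetNameInfo($cn, $true)   # issuing CA common name
        $info.Subject      = $cert.Subject                   # full DN: city, state, country
        $info.Thumbprint   = $cert.Thumbprint                # identifies this exact certificate
        # -contains is case-insensitive, so 'Tea Time Biscuits' also matches.
        $info.NamedInPosts = $Publishers -contains $info.Publisher
    }
    [pscustomobject]$info
}

# Status 'Valid' only means the signature verifies and chains to a trusted root.
# It says nothing about what the signed installer bundles.
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter *.exe -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-SignerInfo -Path $_.FullName } |
    Sort-Object NamedInPosts -Descending |
    Format-Table File, Status, Publisher, Issuer, NamedInPosts -AutoSize
```

A name match is only a lead for review: publisher names can be reused across certificates, so compare the thumbprint and issuer as well before acting on a hit.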

So, what's the issue with the TEA TIME BISCUITS file? Just check out the detections by some of the anti-virus programs:

F-Secure reports additionaloffers-setup[1].exe as Gen:Variant.Application.Jaik, GData detects it as Gen:Variant.Application.Jaik.8223 and Malwarebytes calls it PUP.Optional.DownloadAdmin.

TEA TIME BISCUITS anti-virus report

Did you also find a TEA TIME BISCUITS file? Do you remember where you downloaded it?

Thank you for reading.

Trend Interactive – 19% Detection Rate – DownloadAdmin / Application.Jaik

Hello! Just a short post before I call it a day. I found yet another file that bundled a bunch of unwanted programs, and the file was signed by Trend Interactive.

Trend Interactive publisher

It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the Trend Interactive certificate.

Trend Interactive certificate

VeriSign has issued the certificate:

Trend Interactive cert path

When I uploaded the Trend Interactive file to VirusTotal, it came up with a 19% detection rate. The file is detected as PUA/DownloadAdmin.Gen7 by Avira, Gen:Variant.Application.Jaik.8223 by BitDefender and Adware ( 004c86ce1 ) by K7GW.

Trend Interactive anti-virus report

Did you also find a file digitally signed by Trend Interactive? What kind of download was it and where did you find it?

Hope this blog post helped you avoid some unwanted software on your machine.

Thanks for reading.

Malware Protection Live and MalwareProtectionClient.exe Bundled With CNET’s Download.com Installer

Hello there and welcome to the FreeFixer blog. Today I wanted to talk about a bundled program called Malware Protection Live. If you have Malware Protection Live software installed on your machine, you will notice Malware Protection Live in the Remove programs list and MalwareProtectionClient.exe running in the Windows Task Manager:

MalwareProtectionClient.exe task manager

Malware Protection Live uninstall

Malware Protection Live is configured to run on startup. This is done by adding MalwareProtectionClient.exe as a startup entry in the Windows Registry:

MalwareProtectionClient.exe startup
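To check a machine for this startup entry without opening the registry editor, the following PowerShell is an added example, not code from the FreeFixer post. The post does not name the registry key, so looking in the standard Run keys is an assumption, and `Get-RunKeyEntry` is an illustrative name.

```powershell
# Added example. The page does not name the registry key; checking the standard
# Run keys is an assumption. Get-RunKeyEntry is an illustrative name.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Get-RunKeyEntry {
    param([string]$NamePattern = 'MalwareProtectionClient\.exe')

    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($valueName in $item.GetValueNames()) {
            $command = [string]$item.GetValue($valueName)
            if ($command -notmatch $NamePattern) { continue }

            # Extract the executable path from a quoted or bare command line.
            $exe = $null
            if ($command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
            elseif ($command -match '^\s*(.+?\.exe)') { $exe = $Matches[1] }

            # Look up who signed the binary the entry launches, if it still exists.
            $sig = $null
            if ($exe -and (Test-Path -LiteralPath $exe)) {
                $sig = Get-AuthenticodeSignature -LiteralPath $exe
            }
            [pscustomobject]@{
                Key = $key; ValueName = $valueName; Command = $command; Executable = $exe
                SignatureStatus = if ($sig) { $sig.Status } else { 'FileNotFound' }
                Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
    }
}

Get-RunKeyEntry | Format-List
# Pass -NamePattern '.' to list every Run entry with its signer.
```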

So, how did Malware Protection Live install on your machine? Unless you downloaded it directly from their web site, it was probably bundled with some other download that you installed recently. Bundling means that software is included in other software’s installers. When I first found Malware Protection Live, it was bundled with CNET’s Download.com installer. Here’s how it appeared in that installer:

Malware Protection Live CNET download.com installer

According to the embedded certificate, Malware Protection Live is located in Florida, US:

Malware Protection Live cert

So, what do the anti-virus programs over at VirusTotal say about the bundled MalwareProtectionClient.exe file? The detection rate is 0%, so hopefully the software is safe.

MalwareProtectionClient.exe anti-virus report

What do you think?

I’ll rescan it in a few days to see if the detection ratio remains the same. Please check below for updates.

Did you also find Malware Protection Live on your machine? Any idea how it was installed? Was it also bundled in a download from Download.com? Please share your story in the comments below. Thanks a bunch!

Thanks for reading. Welcome back!

Update Oct 11 2015: I checked out the MalwareProtectionClient.exe download again, and now it is detected by a few of the scanners over at VirusTotal. The detection ratio is 4/56:

MalwareProtectionClient.exe anti-virus report

TRUSTED INSTALL SOFTWARE – Generic.AA1 or False Positive?

Hi there! Just a quick post on a file named finaltorrent-setup.exe digitally signed by TRUSTED INSTALL SOFTWARE.

TRUSTED INSTALL SOFTWARE publisher

Typically you’d see the TRUSTED INSTALL SOFTWARE publisher name appear when double-clicking on the finaltorrent-setup.exe file. It’s possible to view additional information about the certificate by right-clicking on the file, choosing Properties and then clicking on the Digital Signatures tab. According to the certificate we can see that TRUSTED INSTALL SOFTWARE is located in San Francisco in the US and that the certificate is issued by VeriSign Class 3 Code Signing 2010 CA.

TRUSTED INSTALL SOFTWARE cert

So, what’s the problem here? Well, AVG detects this as Generic.AA1. All the other anti-virus programs over at VirusTotal did not detect the file. Could AVG’s detection be a false positive? What do you think?

TRUSTED INSTALL SOFTWARE virustotal

Did you also find a file signed by the same publisher? Do the scanners at VirusTotal detect it?

Thanks for reading.

SAFE INSTALL SOFTWARE – 18% Detection Rate At VirusTotal

Hello readers! Lately I’ve been looking at the digital signatures on files that push various types of unwanted programs. This morning I found a new file called finaltorrent-setup.exe, digitally signed by SAFE INSTALL SOFTWARE.

SAFE INSTALL SOFTWARE publisher

This is how it looks when double-clicking on the file and SAFE INSTALL SOFTWARE appears as the publisher. Information about a digital signature and the certificate can also be found under the Digital Signatures tab. According to the certificate we can see that SAFE INSTALL SOFTWARE is located in San Francisco in the US and that the certificate is issued by VeriSign Class 3 Code Signing 2010 CA.

SAFE INSTALL SOFTWARE certificate

These are the current VirusTotal detections for the file. DownloadAdmin (fs), Trojan.Win32.Atraps.b, Trojan.Graftor and DownloadAdmin (fs) are a few of the detection names for the finaltorrent-setup.exe file.

SAFE INSTALL SOFTWARE virus total report

Did you also find a file digitally signed by SAFE INSTALL SOFTWARE? What kind of download was it and where did you find it?

Thank you for reading.

F11L Software Inc. – 19% Anti-Virus Detection – InstallBrain

Hello readers! I was looking for some downloads to play around with and found one digitally signed by F11L Software Inc. The file is named setup.exe.

The following screenshot shows the User Account Control dialog when running the F11L Software Inc. file:

F11L Software Inc. publisher

By examining the certificate, we can see that F11L Software Inc. is located in Portland, US. The certificate is issued by Go Daddy Secure Certificate Authority – G2.

F11L Software Inc. certificate

When I uploaded the file to VirusTotal – as I usually do when I find something that looks suspicious – 19% of the scanners detected the file. The file is detected as InstallBrain.CF by AVG, Trojan.Win32.Qudamah.Gen.1 by Tencent and InstallBrain (fs) by VIPRE.

F11L Software Inc. anti-virus report

Did you also find an F11L Software Inc. file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thanks for reading.

App secure LLC – 30% Anti-Virus Detection – SoftPulse / Strictor / HfsAdware / DriverUpd

Hello! If you are a regular here on the FreeFixer blog you know that I’ve been looking at the certificates used to sign files that bundle various types of unwanted software. Today I found another certificate, used by a publisher called App secure LLC.

App secure LLC publisher

Windows will display App secure LLC as the publisher when running the file. Information about a digital signature and the certificate can also be found under the Digital Signatures tab. The screenshot below shows the App secure LLC certificate. From the certificate info we can see that App secure LLC appears to be located in Wilmington, Delaware in the US.

App secure LLC certificate

When I uploaded the App secure LLC file to VirusTotal, it came up with a 30% detection rate. The file is detected as Win32:SoftPulse-FZ [PUP] by Avast, W32.HfsAdware.8302 by Bkav, Gen:Variant.Strictor.83505 (B) by Emsisoft, a variant of Win32/SoftPulse.AB potentially unwanted by ESET-NOD32, not-a-virus:Downloader.Win32.DriverUpd.wui by Kaspersky and SoftPulse by Sophos.

App secure LLC virus report

The company web site appears to be APPSECURELLC.COM. Here’s some of the info from the WHOIS database:

Registrant Name: Roberto Blangino 
Registrant Organization: App Software LLC
Registrant Street: 501 Silverside Road, Suite 105 
Registrant City: Wilmington
Registrant State/Province: Delaware
Registrant Postal Code: 19809
Registrant Country: US

I checked some of the services that provide domain info based on an IP address, and the following sites appear to be or have been located on the same IP:

  • 123maxmusic.com
  • 88dls.com
  • acpsoftwarellc.com
  • www.magnoplayer.com
  • www.newvideoplayer.com

Did you also find a file that was signed by App secure LLC? What kind of download was it and was it detected by the anti-virus scanners at VirusTotal? Please share by posting in the comments below.

Thanks for reading.