Monthly Archives: August 2014

Information Technology Systems – 16% Detection Rate at VirusTotal

Just a quick post on a fake Flash Player download, named adobe_flash_setup.exe, digitally signed by Information Technology Systems. This download was promoted with the following pop-up:

Faked Flash Update pop up windows

Information Technology Systems seems to be located in Montenegro based on the embedded certificate.

Information Technology Systems certificate, the publisher is located in montenegro

The current detection rate is 16% according to VirusTotal. InstallCore appears to be the most common detection name.

Information Technology Systems virus total report, InstallCore is one of the detection names

Did you also find an Information Technology Systems file? Do you remember where you downloaded it?

Remove RockResult Ads in Firefox and Internet Explorer

Hello there, hope you are having a great weekend. Just found another adware variant called RockResult. It appears that RockResult has been around for a while, at least a month, judging from other anti-malware bloggers' posts. But since I found it bundled today, I thought I should write a short post about it.

If you have RockResult on your machine, you’ll see ads tagged as “RockResult Ads” while you are browsing the web. Here’s an example of the RockResult ads:

RockResults ads

RockResult is added as an add-on in Internet Explorer and Firefox:

RockResult 1.0.1

So, how did RockResult install on your machine? It was probably bundled with some download that you installed recently. Here’s how RockResult was disclosed when I found it:

RockResult installer

I’m sure you’d like to remove RockResult, and that’s pretty easy with FreeFixer. Select the RockResult files as shown in the screenshots below, click Fix, and reboot your machine; the ads should then be gone.

RockResult removal internet explorer RockResult removal firefox

Thanks for reading.

What is SyncPulse Manager?

I found the SyncPulse Manager software while installing another download called BitLord. SyncPulse Manager was included in the BitLord installation package, or installed by one of the programs that were bundled with BitLord. Unfortunately, I could not see any notice that SyncPulse Manager would be installed while proceeding through BitLord’s installation wizard. Maybe I did not examine the various licence agreements shown during installation with enough care, or perhaps SyncPulse was not disclosed at all?

Anyway, if you have SyncPulse Manager on your machine, you’ll see SyncPulseManager.exe running in the Windows Task Manager:

syncpulsemanager.exe task manager

Out of curiosity, I uploaded the SyncPulseManager.exe file to VirusTotal. Currently, none of the anti-virus programs detects SyncPulse. It will be interesting to see if any of them will detect SyncPulseManager.exe in the future.

syncpulsemanager.exe virustotal

So should it be removed? I think so, since it was bundled and I could not see any notice that it would be installed. If you’d like to remove SyncPulse Manager, you can do so with FreeFixer, or from the Windows Control Panel:

syncpulsemanager.exe process syncpulse manager service

syncpulse manager uninstall

How did you get SyncPulse Manager on your computer? Please share in the comments below. If it was bundled, did you see any disclosure that it would be installed?

Remove RocketTab – “Ads by RocketTab” Removal Instructions

Stumbled upon an adware called RocketTab this morning. I’ll show how to remove RocketTab, but first, let’s talk a little about how it is installed and what it does to your computer. RocketTab is distributed by bundling, that is, it is included in another software’s installer. Here’s how RocketTab was disclosed when I found it:

rockettab installer

Once installed you’ll notice the RocketTab file Client.exe running in the Windows Task Manager:

rockettab client.exe task manager

RocketTab inserts its ads while you browse the web. Here the ads are labeled “Ads by RocketTab” and appear in the Google search results.

rockettab - ad by RocketTab

As always when I find some new bundled software, such as RocketTab, I upload the files to VirusTotal to see what the other anti-virus programs report. And the detection rate is very low: 4%. The detection name is Adware.iBryte.

rockettab virustotal

Removing RocketTab is pretty easy with the FreeFixer removal tool. Just select the Client.exe process and the scheduled task for removal, reboot, and the problem is gone.

rockettab task rockettab client.exe process

Hope that helped you figure out what RocketTab is and how to remove it.

How did you get RocketTab on your computer? Please share in the comments below.

Update 2014-09-18: Client.exe is now digitally signed by Inertware.

Remove SnipSmart – Adware Removal Instructions

Hello readers! Today I’m posting removal instructions for yet another adware variant called snipsmart. The snipsmart adware is bundled with other software downloads. So if snipsmart appeared unexpectedly on your machine, that’s probably how it was installed.

Snipsmart is installed as an add-on in Internet Explorer and Mozilla Firefox. Here’s a screenshot from my lab machine which shows snipsmart in the add-ons menu of Firefox:

snipsmart in firefox's add-on menu

Typically, this type of adware adds banners to web sites while you are browsing the web. The ads are usually tagged with texts such as “Snipsmart ads” or “Ads by Snipsmart”. However, for unknown reasons, I did not see any ads. Do you see the snipsmart ads on your machine? Please take a screenshot of the ad and send it to me and I’ll post it here on the blog. Thank you very much!

As per usual, I uploaded snipsmart to VirusTotal to see what the antivirus scanners report. And the detection rate is low. Only 6 of the 55 anti-virus programs detected the snipsmartBho.dll file:

snipsmart virustotal report. 11% detection rate

So, let’s get on with the snipsmart removal. As usual, this type of adware is easy to remove with FreeFixer. Just select the snipsmart files for removal and click Fix. You may have to reboot your machine to complete the removal. Here’s FreeFixer in action uninstalling snipsmart:

snipsmart firefox extensions snipsmart bho

Hope that helped you figure out what snipsmart is and how to remove it.

How did you get snipsmart on your machine? Please share by posting a comment.

neurowise

Remove NeuroWise – Adware Uninstall Guide

Yesterday I tried one of the downloads listed at CNET’s Download.com site and found that they are bundling a new adware called NeuroWise:

neurowise cnet installer

Neurowise appears to be a variant of the Atuzi adware that they previously bundled. According to Download.com’s disclosure,

Neurowise content includes advertisements and is not affiliated with any underlying websites. Browser settings will be adjusted at install.

Typically, this type of adware shows banner ads labeled “Ads by Neurowise” or “Neurowise Ads”, but for some reason I did not see any ads while browsing around with neurowise installed. Did you spot any Neurowise ads? What did they look like and where did they appear?

Neurowise is installed as a browser add-on in Firefox and Internet Explorer. In case you haven’t already spotted it in Firefox, here’s how it appears in the add-on menu:

neurowise firefox add-on

The majority of the anti-virus programs over at VirusTotal are detecting Neurowise, as shown in the screenshot below. BrowseFox and AltBrowse are some of the detection names.

neurowisebho.dll virustotal report

Removing the Neurowise adware is a piece of cake with FreeFixer. Just start the scan, select the Neurowise files, click Fix, reboot your machine and the problem will be gone. Here’s a few screenshots showing FreeFixer in action removing the Neurowise files:

neurowise internet explorer neurowise firefox

Hope that helped you figure out what Neurowise is and how to remove it. Did you also get Neurowise from Download.com?

Remove InfiniNet Ads – Adware Removal Guide

Getting bombarded with ads labeled “InfiniNet Ads” in Internet Explorer and Firefox? Then you have the InfiniNet adware installed on your machine. InfiniNet inserts ads while you browse the web. I’ve seen the ads appear on all types of web pages.

InfiniNet Ads

Here InfiniNet inserts ads in search results on the Google search engine:

InfiniNet ads in Google search results

I found the InfiniNet adware while testing another download that I knew had a history of bundling other types of adwares. Here’s how InfiniNet was disclosed in the installer:

InfiniNet installer

InfiniNet installs itself as an add-on in Firefox and Internet Explorer. Here’s how it shows up in Firefox’s add-on menu:

InfiniNet 1.0.1 in firefox

The anti-virus scanners seem to be pretty up to date when it comes to detecting InfiniNet.

InfiniNet Virustotal report

The detection rate is 45% which I think is pretty good. Some of the detection names are BrowseFox and AltBrowse.

The InfiniNet removal is straightforward with FreeFixer. Just start the scan, select the InfiniNet files, click Fix and reboot your machine, and the ads should be long gone. Here’s a few screenshots that show FreeFixer in action deleting the InfiniNet files:

infininet firefox infininet bho

How did you get InfiniNet on your machine? Please share by posting a comment.
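The SnipSmart, NeuroWise and InfiniNet posts above all deal with adware that registers itself as an Internet Explorer Browser Helper Object (a BHO DLL). The following PowerShell function is an added example, not FreeFixer’s code: it enumerates the BHOs registered on the machine, resolves each CLSID to its DLL, and reports the signer and a SHA256 you can look up at VirusTotal. It assumes PowerShell 4.0 or later (for Get-FileHash) and reads only the registry locations Internet Explorer itself uses.

```powershell
# Added example (not FreeFixer's code): list Internet Explorer Browser Helper Objects,
# resolve each CLSID to the DLL that implements it, and summarise signer and hash.
function Get-BrowserHelperObjects {
    # IE reads BHO registrations from here (Wow6432Node holds 32-bit add-ons on 64-bit Windows)
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($clsidKey in Get-ChildItem -Path $key) {
            $clsid = $clsidKey.PSChildName
            # The DLL path lives in the default value of CLSID\{clsid}\InprocServer32;
            # check both registry views so 32-bit BHOs are resolved as well
            $dll = $null
            foreach ($base in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
                $inproc = Join-Path $base "$clsid\InprocServer32"
                if (Test-Path $inproc) {
                    $dll = (Get-ItemProperty -Path $inproc).'(default)'
                    if ($dll) { break }
                }
            }
            # Strip surrounding quotes and expand %SystemRoot%-style variables before testing the path
            $dll = [Environment]::ExpandEnvironmentVariables(($dll -replace '"', ''))
            $summary = [ordered]@{ CLSID = $clsid; Dll = $dll; Publisher = ''; SigStatus = ''; SHA256 = '' }
            if ($dll -and (Test-Path $dll)) {
                $sig = Get-AuthenticodeSignature -FilePath $dll
                $summary.SigStatus = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                if ($sig.SignerCertificate) {
                    # Common Name of the signer, e.g. the publisher shown in the UAC dialog
                    $summary.Publisher = $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
                }
                $summary.SHA256 = (Get-FileHash -Path $dll -Algorithm SHA256).Hash
            }
            [pscustomobject]$summary
        }
    }
}

Get-BrowserHelperObjects | Format-Table -AutoSize
```

An unsigned DLL living under a user profile or a recently created program folder is the kind of entry worth hashing and checking at VirusTotal before deciding whether to remove it.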

Kiril Skiba – 2 of 54 Anti-Virus programs detect the Kiril Skiba file

Hello there, just a quick post on a publisher called Kiril Skiba that I found while running some tests on FreeFixer v1.12. I should have this new version of FreeFixer out this week. The suspicious file is named ldownload.exe and the following screenshot shows the User Account Control dialog when running the Kiril Skiba file.

Kiril Skiba appears as the Verified publisher.

The digital certificate appears to be relatively new. It’s valid from the 11th of July, 2014. According to the certificate, Kiril Skiba is located in Ukraine. The certificate is issued by Certum Code Signing CA.

Kiril Skiba certificate

At the time of writing, the detection score for the Kiril Skiba file is very low. When I uploaded the file to VirusTotal, as I usually do when I find something that looks suspicious, only Qihoo-360 and VBA32 detected the file. The detection names are HEUR/Malware.QVM10.Gen and suspected of Trojan.Downloader.gen.h. With those two detections, I’d stay away from the file. It will be interesting to see if the other anti-virus programs will add detection for this file in the future.

Kiril Skiba ldownload.exe virus total report

When I ran the Kiril Skiba file, nothing appeared to happen. I could not see any modification at all on my lab computer. No windows popped up. Nothing.

Did you also find a file digitally signed by Kiril Skiba? Did it pose as something useful?
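Both the Information Technology Systems and the Kiril Skiba posts rely on the same manual check: read the publisher, country, issuer and valid-from date out of the code-signing certificate, then look the file up at VirusTotal. The PowerShell function below is an added example (not FreeFixer’s code) that automates that check for a single downloaded file and flags a signing certificate younger than a chosen number of days; the file path and the 90-day threshold are placeholders, and it assumes PowerShell 4.0 or later.

```powershell
# Added example (not FreeFixer's code): summarise the Authenticode signer of a downloaded
# executable and compute the SHA256 to search for at VirusTotal.
function Get-SignerSummary {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $YoungCertDays = 90      # flag certificates issued more recently than this (assumed threshold)
    )

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    if ($null -eq $cert) {
        # Unsigned file: the hash is still useful for a VirusTotal lookup
        return [pscustomobject]@{
            File = $Path; Status = $sig.Status; Publisher = '(unsigned)'; Country = ''
            Issuer = ''; ValidFrom = $null; CertAgeDays = $null; NewCertificate = $false; SHA256 = $hash
        }
    }

    # Split the distinguished names on ", KEY=" boundaries so commas inside values are kept
    $dnSplit = ',\s*(?=[A-Za-z.]+=)'
    $subject = @{}
    foreach ($part in ($cert.Subject -split $dnSplit)) {
        $kv = $part -split '=', 2
        if ($kv.Count -eq 2) { $subject[$kv[0].Trim()] = $kv[1].Trim().Trim('"') }
    }
    $issuerCn = ($cert.Issuer -split $dnSplit | Where-Object { $_ -like 'CN=*' } |
                 Select-Object -First 1) -replace '^CN=', ''

    $ageDays = [int]((Get-Date) - $cert.NotBefore).TotalDays

    [pscustomobject]@{
        File           = $Path
        Status         = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError, ...
        Publisher      = $subject['CN']     # the "Verified publisher" shown by User Account Control
        Country        = $subject['C']      # ISO country code from the certificate, e.g. ME or UA
        Issuer         = $issuerCn          # e.g. the issuing code-signing CA
        ValidFrom      = $cert.NotBefore
        CertAgeDays    = $ageDays
        NewCertificate = ($ageDays -lt $YoungCertDays)
        SHA256         = $hash              # paste into the VirusTotal search box
    }
}

# Placeholder path: point it at the file you want to inspect
Get-SignerSummary -Path 'C:\Users\Lab\Downloads\ldownload.exe' | Format-List
```

A valid signature only tells you who signed the file, not whether it is safe; a brand-new certificate combined with a low VirusTotal detection count is exactly the pattern the posts above describe.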

Remove websearch.fixsearch.info – Uninstall Guide

Did your search settings and home page in Chrome, Firefox and Internet Explorer just change to websearch.fixsearch.info? No worries, I’ll show how to remove websearch.fixsearch.info from your computer.

websearch.fixsearch.info

I found the unwanted websearch.fixsearch.info search engine while testing out some downloads. The downloaded files were digitally signed by Igor Kramoren and Alexey Kurilenko, publishers that have previously bundled unwanted software with their downloads.

How did you get fixsearch.info on your computer? Please share by posting a comment.

So, on to the websearch.fixsearch.info removal. One way to do the removal is to use the FreeFixer tool.

  1. Download and install FreeFixer.
  2. Click the Start scan button. It should complete in about 5 minutes.
  3. Check the websearch.fixsearch.info items in the scan result.
  4. Click the Fix button.
  5. Restart your web browsers.

You can also use the reset function in Firefox, Chrome and Internet Explorer. The reset feature restores many settings of the web browser to its default state. The problem is that it may do a little too much.

How to reset Mozilla Firefox settings:

  1. Click the menu button in the upper-right corner of the browser.
  2. Then click the Help button at the bottom of the Firefox menu.
  3. From the Help menu, choose Troubleshooting Information.
  4. If you cannot access the Help menu, type about:support in the address bar to open up the Troubleshooting Information page.
  5. Click the Reset Firefox… button in the upper-right corner of the Troubleshooting Information page.
    firefox reset button
  6. A dialog will pop up explaining what settings Firefox tries to preserve. Notice that everything else will be removed! To continue, click the Reset Firefox button in the confirmation window that opens.
    firefox reset button confirm
  7. Firefox will close and reset itself. When the reset is done, a window will list the information that was imported. Click Finish and you’re done.

How to reset Google Chrome settings:

  1. Click the Chrome menu button in the upper-right corner of Chrome.
  2. Select Settings.
  3. Click Show advanced settings and locate the “Reset browser settings” section.
    chrome reset browser settings button
  4. Click the Reset browser settings button.
  5. In the confirmation dialog that appears, review the changes the reset feature performs, then click Reset.
    chrome reset confirm

How to reset Internet Explorer settings:

  1. Start Internet Explorer.
  2. On the Tools menu, which appears in the upper-right corner of the browser, click Internet options. If you can’t see the Tools menu, press Alt on your keyboard.
  3. In the Internet Options window, click the Advanced tab.
    ie advanced tab
  4. Click Reset… If you’re using Internet Explorer 6, click Restore Default.
  5. In the Reset Internet Explorer Settings dialog box, click Reset.
    ie confirm reset
  6. Select the Delete personal settings check box if you also want to reset home pages, search providers and accelerators, and delete temporary Internet files, history, cookies, web form information, ActiveX Filtering data, Tracking Protection data, Do Not Track data and passwords.
  7. When Internet Explorer has finished applying the default settings, click the Close button.
    ie reset progress
  8. Reboot your machine.

Hope that helped you remove websearch.fixsearch.info.

Thank you for reading.