Hi there! Just wanted to give you heads-up on suspicious file I found right now. The file is named adobe_flash_setup.exe and digitally signed by OOO Mad Advert.
You can also check the digital signature under the file’s properties.. The screenshot below shows the OOO Mad Advert certificate. From the certificate info we can see that OOO Mad Advert appears to be located in Moscow, Russia.
Here’s how the OOO MAD Advert download is promoted:
What caught my attention was that the download was called adobe_flash_setup.exe. This might look like an official Adobe Flash Player download, but it is not. If it was an official download, it should have been digitally signed by Adobe Systems Incorporated. Here’s how the authentic Adobe Flash Player looks like when you double click on it. Notice that the “Verified publisher” says “Adobe Systems Incorporated”.
The detection rate is 3/55. Avast reports adobe_flash_setup.exe as Win32:Malware-gen, DrWeb calls it Trojan.InstallCore.508 and ESET-NOD32 calls it a variant of Win32/InstallCore.ZC potentially unwanted.
Did you also find a OOO Mad Advert file? Do you remember where you downloaded it?
Hello readers! Just a quick post on a publisher called SAFe store btw that I found while running some tests for the upcoming FreeFixer release. The suspicious file is named installer_jdownloader_English.exe.
You may see “SAFe store btw” appear as the publisher when double-clicking on the installer_jdownloader_English.exe file. You can also see the SAFe store btw certificate by looking under the Digital Signature tab on the file’s properties. According to the certificate, SAFe store btw is located in Dublin in Ireland.
The scan result from VirusTotal below clearly shows why you should avoid the SAFe store btw file, unless you like bundled software. It is detected under names such as PUA/Outbrowse.Gen, Riskware/OutBrowse, Application.Bundler.Outbrowse.BA, Trojan.Win32.OutBrowse.dpuzhb and Suspici.FCDBA93D.
Did you also find an SAFe store btw? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.
Welcome! Just wanted to let you know about a publisher called Start Now before going back to writing some code for FreeFixer.
If you have a Start Now file on your machine you may have noticed that Start Now is displayed as the publisher in the UAC dialog when double-clicking on the file. It’s possible to view additional information about the certificate by right-clicking on the file, choosing properties and then clicking on the Digital Signatures tab. According to the certificate we can see that Start Now is located in Dublin, Ireland and that the certificate is issued by Go Daddy Secure Certificate Authority – G2.
The detection rate is 25/56. Avira classifies Player.exe as PUA/Outbrowse.Gen, DrWeb detects it as Trojan.OutBrowse.413, F-Prot classifies it as W32/Outbrowse.B2.gen!Eldorado, F-Secure detects it as Application.Bundler.Outbrowse and VIPRE detects it as Adware.NSIS.Outbrowse.bu (v).
Did you also find an Start Now? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.
Did you just get a pop-up from offers.bycontext.com and ponder where it came from? Did the offers.bycontext.com ad appear to have been initiated from a web site that under normal circumstances don’t use aggressive advertising such as pop-up windows? Or did the offers.bycontext.com pop-up show up while you clicked a link on one of the big search engines, such as Google, Bing or Yahoo?
Here is a screen capture on the offers.bycontext.com pop-up from my system:
If you also see this on your computer, you almost certainly have some adware installed on your system that pops up the offers.bycontext.com ads. Contacting the owner of the web site would be a waste of time. They are not responsible for the ads. I’ll do my best to help you with the offers.bycontext.com removal in this blog post.
Those that have been visiting this blog already know this, but here we go: A little while back I dedicated a few of my lab computers and intentionally installed a few adware programs on them. Since then I have been following the actions on these machines to see what kinds of advertisements that are displayed. I’m also looking on other interesting things such as if the adware auto-updates, or if it downloads additional unwanted software on the machines. I first noticed the offers.bycontext.com pop-up on one of these lab machines.
offers.bycontext.com resolves to the 22.214.171.124 address. offers.bycontext.com was registered on 2014-05-15.
So, how do you remove the offers.bycontext.com pop-up ads? On the machine where I got the offers.bycontext.com ads I had MedPlayerNewVersion installed. I removed it with FreeFixer and that stopped the offers.bycontext.com pop-ups and all the other ads I was getting in Mozilla Firefox.
If you are wonder if there are many others out there also getting the offers.bycontext.com ads, the answer is probably yes. Check out the traffic rank from Alexa:
The problem with pop-ups such as this one is that it can be launched by many variants of adware, not just the adware on my computer. This makes it impossible to say exactly what you need to remove to stop the pop-ups.
So, what should done to solve the problem? To remove the offers.bycontext.com pop up ads you need to examine your system for adware or other types of unwanted software and uninstall it. Here’s my suggested removal procedure:
What software do you have installed if you look in the Add/Remove programs dialog in the Windows Control Panel? Something that you don’t remember installing yourself or that was recently installed?
How about your add-ons you have in your browsers. Anything in the list that you don’t remember installing?
If that didn’t help, you can give FreeFixer a try. FreeFixer is built to assist users when manually tracking down adware and other types of unwanted software. It is a freeware utility that I’ve been working since 2006 and it scans your computer at lots of locations where unwanted software is known to hook into your computer. If you would like to get additional details about a file in FreeFixer’s scan result, you can just click the More Info link for that file and a web page with a VirusTotal report will open up, which can be very useful to determine if the file is safe or malware:
Here you can see FreeFixer in action removing pop-up ads:
Did this blog post help you to remove the offers.bycontext.com pop-up ads? Please let me know or how I can improve this blog post.
Hi there! Was looking for some downloads to play around with and found one, digitally signed by Rodion Veresev.
You can see who the signer is when double-clicking on an executable file. Rodion Veresev appears in the publisher field in the dialog that pops up. According to the cert, he is located in Ukraine. The certificate is issued by Certum Code Signing CA.
The reason for posting about Rodion Veresev is that the file is detected by many of the anti-virus programs. Avira reports Download Uc Browser V Handler Zip.exe as TR/Crypt.XPACK.Gen, DrWeb calls it Trojan.Crossrider1.25958, Sophos detects it as MultiPlug and Tencent reports Trojan.Win32.Qudamah.Gen.6.
Did you also find a Rodion Veresev file? What kind of download was it?
Hope this blog post helped you avoid some unwanted software on your machine.
Hello readers! Was looking for some downloads to play around with and found one, digitally signed by F11L Software Inc.. The file is named setup.exe.
The following screenshot shows the User Account Control dialog when running the F11L Software Inc. file:
By examining the certificate, we can see that F11L Software Inc. is located in Portland, US. The certificate is issued by Go Daddy Secure Certificate Authority – G2.
When I uploaded the file to VirusTotal – as I usually do when I find something that looks suspicious – 19% of the scanners detected the file. The file is detected as InstallBrain.CF by AVG, Trojan.Win32.Qudamah.Gen.1 by Tencent and InstallBrain (fs) by VIPRE.
Did you also find a F11L Software Inc. file? What kind of download was it? If you remember the download link, please post it in the comments below.
Hello! If you are a regular here on the FreeFixer blog you know that I’ve been looking on the certificates used to sign files that bundled various types of unwanted software. Today I found another certificate, used by a publisher called App secure LLC.
Windows will display App secure LLC as the publisher when running the file. Information about a digital signature and the certificate can also be found under the Digital Signature tab. The screenshot below shows the App secure LLC certificate. From the certificate info we can see that App secure LLC appears to be located in Wilmington, Delaware in the US.
When I uploaded the App secure LLC file to VirusTotal, it came up with a 30% detection rate. The file is detected as Win32:SoftPulse-FZ [PUP] by Avast, W32.HfsAdware.8302 by Bkav, Gen:Variant.Strictor.83505 (B) by Emsisoft, a variant of Win32/SoftPulse.AB potentially unwanted by ESET-NOD32, not-a-virus:Downloader.Win32.DriverUpd.wui by Kaspersky and SoftPulse by Sophos.
The company web site appears to be APPSECURELLC.COM. Here’s some of the info from the WHOIS database:
Registrant Name: Roberto Blangino
Registrant Organization: App Software LLC
Registrant Street: 501 Silverside Road, Suite 105
Registrant City: Wilmington
Registrant State/Province: Delaware
Registrant Postal Code: 19809
Registrant Country: US
I checked some of services that provides domain info based on an IP address, and the following sites appears to be or have been located on the same IP:
Did you also find a file that was signed by App secure LLC? What kind of download was it and was it detected by the anti-virus scanners at VirusTotal? Please share in posting comments below.
Welcome! I was playing around and testing some downloads when I found a file signed by SaFe SoftwaRe sLL.
You can see who the signer is when double-clicking on an executable file. SaFe SoftwaRe sLL appears in the publisher field in the dialog that pops up.
You can also check the digital signature under the file’s properties. According to the embedded certificate we can see that SaFe SoftwaRe sLL seems to be located in Ireland and that the certificate is issued by thawte SHA256 Code Signing CA.
The certificate is quite new. It’s valid from the 5th of April 2015.
So, why am I writing about the SaFe SoftwaRe sLL file? Check out what the anti-malware scanners report about the file:
AVG names Player.exe as Downloader.FLM, Cyren detects it as W32/Outbrowse.B2.gen!Eldorado, DrWeb names it Trojan.OutBrowse.296, F-Prot detects it as W32/Outbrowse.B2.gen!Eldorado and McAfee calls it Adware-OutBrowse.e are a few of the detection names for Player.exe.
Did you also find a SaFe SoftwaRe sLL file? What kind of download was it? If you remember the download link, please post it in the comments below.
Hello guys and gals. Just a short post on a named Web Protector. If you have Web Protector installed on your computer, you will notice a new service called LiveUpdateWPP.exe, new add-ons/toolbars added in Internet Explorer and Mozilla Firefox and WebProtectorPlus.exe running in the Windows Task Manager.
I’ll show how to remove WebProtector in this blog post with the FreeFixer removal tool.
Web Protector is distributed by a method called bundling. Bundling means that a piece of software is included in other software’s installers. Here’s how it appeared in the installer:
As usual when I run into some new bundled software I uploaded it to VirusTotal to verify if the anti-malware scanners there detect anything suspicious. 6 of the 57 scanners detected the file. Some of the detection names for Web Protector are Adware.Win32.Similagro.B, ApplicUnwnt, PUP.Optional.WebProtector.A and WS.Reputation.1.
Removing Web Protector is straightforward with FreeFixer. Just check the Web Protector files as shown in the screen-caps below. You might have to restart your machine to complete the removal. Problem fixed.
Hope this helped you remove the Web Protector .
Did you also find Web Protector on your computer? Any idea how it installed? Please share by posting a comment. Thank you!
Welcome! Short on time today, but I just wanted to give you the heads up on a publisher called LLC BK UKRBUDMONTAZH.
If you have a LLC BK UKRBUDMONTAZH file on your machine you may have noticed that LLC BK UKRBUDMONTAZH is displayed as the publisher in the UAC dialog when double-clicking on the file. The certificate information can also be viewed from Windows Explorer. According to the certificate we can see that LLC BK UKRBUDMONTAZH seems to be located in Ukraine and that the certificate is issued by COMODO RSA Code Signing CA.
When I uploaded the LLC BK UKRBUDMONTAZH file to VirusTotal, it came up with a 11% detection rate. The file is detected as Trojan/Win32.TGeneric by Antiy-AVL, Amonetize (fs) by AVware, Trojan.Amonetize.2350 by DrWeb, a variant of Win32/Amonetize.EF potentially unwanted by ESET-NOD32 and Amonetize (fs) by VIPRE.
Since you probably came here after finding a download that was digitally signed by LLC BK UKRBUDMONTAZH, please share what kind of download it was and if it was detected by the anti-malwares at VirusTotal.