Monthly Archives: October 2015

Remove topf1le.com Pop Up Ads

Sound familiar? You see pop-up ads from topf1le.com while browsing sites that typically don’t advertise in pop-up windows. The pop-ups manage to get round the built-in pop-up blockers in Google Chrome, Mozilla Firefox, Internet Explorer or Safari. Perhaps the topf1le.com pop-ups appear when clicking search results from Google? Or do the pop-ups appear even when you’re not browsing?

Here is how the topf1le.com ad looked on my computer:

topf1le.com pop up

If this sounds like what you are seeing on your computer, you presumably have some adware installed on your system that pops up the topf1le.com ads. So there’s no use contacting the site owner; the ads are not coming from them. I’ll try to help you with the topf1le.com removal in this blog post.

I found the topf1le.com pop-up on one of the lab machines where I have some adware running. I’ve talked about this in some of the previous blog posts. The adware was installed on purpose, and from time to time I check if something new has appeared, such as pop-up windows, new tabs in the browsers, injected ads on websites that usually don’t show ads, or if some new files have been saved to the hard-drive.

topf1le.com was registered on 2015-07-24. In the pop-up URL I’ve spotted the following domains:

  • www.ultifiletur.com
  • www.defile4.com

So, how do you remove the topf1le.com pop-up ads? On the machine where I got the topf1le.com ads I had gosearch.me, SmartComp Safe Network, Live Malware Protection and Windows Menager installed. I removed them with FreeFixer and that stopped the topf1le.com pop-ups and all the other ads I was getting in Mozilla Firefox.

If you are wondering whether there are many others out there also getting the topf1le.com ads, the answer is probably yes. Check out the traffic rank from Alexa:

topf1le.com alexa

The issue with pop-ups like the one described in this blog post is that they can be opened by many variants of adware. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

So, what can be done? To remove the topf1le.com pop-up ads you need to check your machine for adware or other types of unwanted software and uninstall it. Here’s my suggested removal procedure:

  1. Review what programs you have installed in the Add/Remove programs dialog in the Windows Control Panel. Do you see something that you don’t remember installing or that was recently installed?
  2. You can also check the add-ons you have in your browsers. Same thing here, do you see something that you don’t remember installing?
  3. If that did not help, you can give FreeFixer a try. FreeFixer is built to assist users when manually tracking down adware and other types of unwanted software. It is a freeware utility that I’ve been working on since 2006, and it scans your computer at lots of locations where unwanted software is known to hook into your computer. If you would like to get additional details about a file in FreeFixer’s scan result, you can just click the More Info link for that file and a web page with a VirusTotal report will open up, which can be very useful to determine if the file is safe or malware:

    FreeFixer More Info link example
    An example of FreeFixer’s “More Info” links. Click for full size.

Here’s a video tutorial which shows FreeFixer in action removing adware that caused pop-up ads:

Did this blog post help you to remove the topf1le.com pop-up ads? Please let me know, or tell me how I can improve this blog post.

Thank you!

Remove WMiniPro.exe From Your Computer

Hi there. Just a quick post on the WMiniPro.exe. If you got WMiniPro.exe on your system, you will notice WMiniPro.exe running in the task manager and WMiniPro.exe installed as a new service. I’ll show how to remove WMiniPro.exe in this blog post with the FreeFixer removal tool.

WMiniPro.exe task manager

WMiniPro.exe is bundled with a number of downloads. Bundling means that software is included in other software’s installers. When I first found WMiniPro.exe, it was bundled with FlvPlayer.

As always when I find some new bundled software, I uploaded it to VirusTotal to verify whether the anti-virus engines there detect anything. 3 of the anti-malware scanners detected the file. ESET-NOD32 reports a variant of Win32/ELEX.FF potentially unwanted, DrWeb detects it as Adware.Mutabaha.672 and Baidu-International detects WMiniPro.exe as Adware.Win32.ELEX.FF.

WMiniPro.exe anti-virus report


All you need to do to remove WMiniPro.exe is to check the WMiniPro.exe files in the scan result and click the Fix button. You may have to restart your computer to complete the removal. Here are a few screenshots from the removal that should help you:

WMiniPro.exe process removal WMiniPro.exe removal
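The post notes that WMiniPro.exe shows up both as a running process and as a new Windows service. The following PowerShell function is an added example (not code from the blog or from FreeFixer) that finds both footprints for any executable name: it lists matching processes with the path they run from, and every service whose configured binary path contains that file name, including services that are currently stopped. Only the file name WMiniPro.exe comes from the post; the function name and output layout are assumptions.

```powershell
# Added example, not from the FreeFixer blog: locate every running process and
# every Windows service whose executable matches a given file name, and show the
# path each one runs from. WMiniPro.exe is the name discussed in the post; the
# function name and the output columns are assumptions.
function Find-ExecutableFootprint {
    param([Parameter(Mandatory)][string]$FileName)

    $base  = [System.IO.Path]::GetFileNameWithoutExtension($FileName)
    $found = New-Object System.Collections.Generic.List[object]

    # Running processes: Get-Process takes the name without ".exe".
    # Path is $null for processes we are not allowed to open (protected/system processes).
    Get-Process -Name $base -ErrorAction SilentlyContinue | ForEach-Object {
        $found.Add([pscustomobject]@{
            Kind  = 'Process'
            Name  = $_.ProcessName
            Id    = $_.Id
            Path  = $_.Path
            State = 'Running'
        })
    }

    # Services: PathName is the binary the Service Control Manager starts, so a
    # stopped or disabled service still shows up here (it would restart on reboot).
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -like "*$FileName*" } |
        ForEach-Object {
            $found.Add([pscustomobject]@{
                Kind  = 'Service'
                Name  = $_.Name
                Id    = $_.ProcessId
                Path  = $_.PathName
                State = "$($_.State) / start=$($_.StartMode)"
            })
        }

    $found
}

# Usage: list processes and services backed by WMiniPro.exe
Find-ExecutableFootprint -FileName 'WMiniPro.exe' | Format-Table -AutoSize
```

The service entry is the one that matters for removal: killing the process alone does nothing if a service with an automatic start mode brings it back after the restart the post mentions.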

Hope that helped you with the removal.

Do you also have WMiniPro.exe on your machine? Any idea how it was installed? Please share your story in the comments below. Thank you!

Thank you for reading.

Remove en.reimageplus.com Pop Up Ads

Does this sound like what you are seeing right now? You see pop-up adverts from en.reimageplus.com while browsing websites that typically don’t advertise in pop-up windows. The pop-ups manage to find a way round the built-in pop-up blockers in Google Chrome, Mozilla Firefox, Internet Explorer or Safari. Maybe the en.reimageplus.com pop-ups show up when clicking search results from Google? Or do the pop-ups appear even when you’re not browsing?

Here’s a screenshot of the en.reimageplus.com pop-up ad when it showed up on my computer:

en.reimageplus.com pop up

(I’m sorry for the many watermarks. If I don’t add them, the screenshot always shows up on some copy-cat blogs.)

If this sounds like your machine, you apparently have some adware installed on your system that pops up the en.reimageplus.com ads. There’s no use contacting the owners of the website you were browsing; the advertisements are not coming from them. I’ll do my best to help you remove the en.reimageplus.com pop-up in this blog post.

I found the en.reimageplus.com pop-up on one of the lab computers where I have some adware running. I’ve talked about this in some of the previous blog posts. The adware was installed on purpose, and from time to time I check if something new has appeared, such as pop-up windows, new tabs in the browsers, injected ads on websites that usually don’t show ads, or if some new files have been saved to the hard-drive.

en.reimageplus.com resolves to the 192.237.225.117 IP address.

So, how do you remove the en.reimageplus.com pop-up ads? On the machine where I got the en.reimageplus.com ads I had Live Malware Protection, gosearch.me, SmartComp Safe Network and Windows Menager installed. I removed them with FreeFixer and that stopped the en.reimageplus.com pop-ups and all the other ads I was getting in Mozilla Firefox.

The issue with pop-ups such as this one is that they can be launched by many variants of adware, not just the adware running on my system. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

So, what should be done to solve the problem? To remove the en.reimageplus.com pop-up ads you need to check your system for adware or other types of unwanted software and uninstall it. Here’s my suggested removal procedure:

  1. Examine what programs you have installed in the Add/Remove programs dialog in the Windows Control Panel. Do you see something that you don’t remember installing or that was recently installed?
  2. How about your browser add-ons? Anything in the list that you don’t remember installing?
  3. If that does not help, I’d recommend a scan with FreeFixer to manually track down the adware. FreeFixer is a freeware tool that I’m working on that scans your computer at lots of locations, such as browser add-ons, processes, Windows services, recently modified files, etc. If you want to get additional details about a file in the scan result, you can click the More Info link for that file and a web page will open up with a VirusTotal report which will be very useful to determine if the file is safe or malware:

    FreeFixer More Info link example
    An example of FreeFixer’s “More Info” links. Click for full size.

Here’s a video tutorial showing FreeFixer in action removing pop-up ads:

Did this blog post help you to remove the en.reimageplus.com pop-up ads? Please let me know, or tell me how I can improve this blog post.

Thank you!

Safemode Install (Fried Cookie Ltd) – 18% Detection Rate – InstallCore

Hi there! Just a short post on a publisher called Safemode Install (Fried Cookie Ltd). I just found a download named chrome-download.exe that was digitally signed by this publisher, and it turns out that it is detected by some anti-virus programs.

Safemode Install Fried Cookie Ltd certificate

By looking at the certificate we can see that Safemode Install (Fried Cookie Ltd) appears to be located in Israel. GlobalSign has issued the certificate.

The issue here is that if chrome-download.exe really was a setup file for Google Chrome, it would be digitally signed by Google Inc. and not by some unknown company. I think this looks suspicious. Here’s how the authentic Google Chrome installer looks when you double-click it. Notice that the “Verified publisher” says “Google Inc”.
Chrome Google Inc publisher

So, why did I put up this blog post? Well, the thing is that the Safemode Install (Fried Cookie Ltd) file is detected by many of the scanners, according to VirusTotal. ESET-NOD32 detects it as a variant of Win32/InstallCore.ADE potentially unwanted, Malwarebytes detects it as PUP.Optional.InstallCore, AVG names chrome-download.exe as InstallCore.F22 and Sophos detects it as Install Core Click run software (PUA).

Safemode Install (Fried Cookie Ltd) anti-virus report

Did you also find a file digitally signed by Safemode Install (Fried Cookie Ltd)? What kind of download was it and where did you find it?

Thanks for reading.

LLC “DIVAROS SOFT” – 9% Detection Rate – PUP.Optional.LoadMoney

Hello! Having a quick break from the programming I’m doing right now. I’m doing some work on the freefixer.com web site. Just wanted to give you the heads up on a publisher called LLC “DIVAROS SOFT” that I ran into this morning:

LLC DIVAROS SOFT publisher

You will also see LLC “DIVAROS SOFT” listed as the verified publisher in the User Account Control dialog that pops up if you try to run the file. It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the LLC “DIVAROS SOFT” certificate. As you can see, LLC DIVAROS SOFT is located in Kiev, Ukraine.

LLC DIVAROS SOFT certificate

Comodo has issued the certificate.

So, why am I writing about the LLC “DIVAROS SOFT” file? Check out what the anti-virus software report about the file:

LLC DIVAROS SOFT anti-virus report

A few of the detection names for the file: Avira calls it ADWARE/Amonetize.Gen7, AVG names it Generic.A6F, VBA32 calls it SScope.Downware.Amonetize and Malwarebytes calls it PUP.Optional.LoadMoney.

Did you also find a LLC “DIVAROS SOFT” file?

Thanks for reading. Now, back to coding…

MaxAgile (New Media Holdings Ltd.) – 9% Detection Rate – InstallCore

Hi there! Just a short post on a publisher called MaxAgile (New Media Holdings Ltd.) before going back to some coding on FreeFixer.

MaxAgile New Media Holdings Ltd certificate

You can also check who signed a file by checking the digital signature tab. According to the embedded certificate we can see that MaxAgile (New Media Holdings Ltd.) seems to be located in Tel Aviv, Israel and that the certificate is issued by GlobalSign CodeSigning CA – G2.

MaxAgile GlobalSign

The issue is that chrome-download.exe is not an official Google Chrome download. If it were, it would be digitally signed by Google Inc. Here’s how the authentic Google Chrome installer looks when you double-click it. Notice that the “Verified publisher” says “Google Inc”.
Chrome Google Inc publisher

The scan result from VirusTotal below clearly shows why you should avoid the MaxAgile (New Media Holdings Ltd.) file. It is detected under names such as Trojan.InstallCore.1364, PUP.Optional.InstallCore and InstallCore (fs).

MaxAgile anti-virus report

Did you also find a MaxAgile (New Media Holdings Ltd.) file?

Thanks for reading.

Ocsp.Comodoca4.com is Comodo’s OCSP Server

Did you just notice ocsp.comodoca4.com in Firefox’, Chrome’s, Internet Explorer’s or Safari’s status bar or in the network log and wonder where it came from?

ocsp.comodoca4.com

You will see a connection to ocsp.comodoca4.com when the browser is using the Online Certificate Status Protocol (OCSP) to obtain the revocation status for a COMODO certificate.

This is standard procedure and is nothing to worry about, with one exception that I ran into:

I noticed the connection to ocsp.comodoca4.com on one of my lab machines where I play around with some unwanted software. I noticed the connection to ocsp.comodoca4.com while doing a search at Google.com. Under normal circumstances, a visit to Google should not trigger a connection to ocsp.comodoca4.com. Google’s certificate points to the clients1.google.com OCSP server.

The lab machine had the SalePlus, YouTubeAdBlocke and IStart 5.3.7 software running. Most likely, one of these inserted some HTML code into Google’s page that triggered the OCSP connection. After removing these three potentially unwanted programs, the connections to ocsp.comodoca4.com no longer appeared when searching at the Google search engine.
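The reasoning above rests on one check: which OCSP responder does the certificate of the site you are actually visiting point to? A browser asks the responder named in the certificate’s Authority Information Access (AIA) extension, so an OCSP connection to a host that no certificate on the page references must come from content loaded by something else. The PowerShell function below is an added example (not code from the blog or from FreeFixer) that connects to a host, reads the leaf certificate it presents and extracts the OCSP URL(s) from that extension. The host name is a parameter; it assumes Windows PowerShell 5.1 on an English-locale system, since it parses the text rendering of the extension.

```powershell
# Added example, not from the FreeFixer blog: connect to a site, read the leaf
# certificate it presents and list the OCSP responder URL(s) from its Authority
# Information Access (AIA) extension. A connection to a different ocsp.* host
# while on that page did not come from this certificate. Host name is a parameter;
# Windows PowerShell 5.1 with an English locale is assumed.
function Get-OcspResponder {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # We only want to read the certificate, not trust it, so accept any chain.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        # Last argument (checkCertificateRevocation) is $false on purpose: this
        # check must not itself trigger the OCSP request we are trying to explain.
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }

    # OID 1.3.6.1.5.5.7.1.1 = Authority Information Access. Format($true) renders it
    # as text with one "Access Method=... (oid)" line per entry followed by its URL.
    # 1.3.6.1.5.5.7.48.1 is the OCSP method; 1.3.6.1.5.5.7.48.2 (CA Issuers) is skipped.
    $aia  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
    $urls = @()
    if ($aia) {
        $isOcsp = $false
        foreach ($line in ($aia.Format($true) -split "`r?`n")) {
            if ($line -match 'Access Method=') {
                $isOcsp = $line -match '1\.3\.6\.1\.5\.5\.7\.48\.1'
            } elseif ($isOcsp -and $line -match 'URL=(\S+)') {
                $urls += $Matches[1]
            }
        }
    }
    [pscustomobject]@{
        Host     = $HostName
        Subject  = $cert.Subject
        Issuer   = $cert.Issuer
        OcspUrls = $urls
    }
}

# Usage: show which OCSP responder Google's own certificate points to
Get-OcspResponder -HostName 'www.google.com'
```

Run it against the site you were visiting when the unexpected ocsp.comodoca4.com request appeared. If the returned OcspUrls do not include that host, the request was triggered by a third-party resource, which on the lab machine turned out to be injected by the potentially unwanted programs listed above.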

What site did you visit when you noticed the connection to ocsp.comodoca4.com? Did you also see it while visiting Google? If so, what potentially unwanted software did you find on your machine?

Remove land.pckeeper.software Pop Up Ads

Did you just get interrupted by a pop-up ad from land.pckeeper.software? You are not alone. I also get the land.pckeeper.software pop-ups while browsing. Do the pop-ups also circumvent the pop-up blocker in Chrome, Firefox, Internet Explorer or Safari? Then read on…

Here’s a screenshot of the land.pckeeper.software pop-up ad when it showed up on my machine:

land.pckeeper.software pop up

If this sounds like what you are seeing, you apparently have some adware installed on your system that pops up the land.pckeeper.software ads.

So, how do you remove the land.pckeeper.software pop-up ads? On the machine where I got the land.pckeeper.software ads I had CPUMiner, PineTree and GamesDesktop installed. These three programs are often referred to as “Potentially Unwanted”. I removed these three and that stopped the pop-ups.

The problem with pop-ups like this one is that they can be launched by many variants of adware. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

Anyway, here’s my suggestion for the land.pckeeper.software ads removal:

The first thing I would do to remove the land.pckeeper.software pop-ups is to examine the programs installed on the machine, by opening the “Uninstall programs” dialog. You can reach this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows OS you can just type in “uninstall” in the Control Panel’s search field to find that dialog:
Uninstall a program search

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Uninstall a program dialog

Do you see something suspicious listed there or something that you don’t remember installing? Can you see GamesDesktop, PineTree or CpuMiner? Tip: Sort on the “Installed On” column to see if some program was installed at about the same time as you started getting the land.pckeeper.software pop-ups.

The next thing to check would be your browser’s add-ons. Adware often appears under the add-ons dialog in Chrome, Firefox, Internet Explorer or Safari. Is there something that looks suspicious? Something that you don’t remember installing? Can you see GamesDesktop, PineTree or CpuMiner?
Firefox add-ons manager
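The “Uninstall a program” dialog in this walk-through, and step 1 of the removal procedure in the topf1le.com and en.reimageplus.com posts above, both read the same place: the Uninstall registry keys. The PowerShell function below is an added example (not code from the blog or from FreeFixer) that lists those entries from all three hives, sorts them by install date as the “Installed On” tip suggests, and flags anything installed within the last N days or whose name matches a watchlist. The watchlist defaults are the program names mentioned in these posts; the function name, the -Days default and the output columns are assumptions.

```powershell
# Added example, not part of the FreeFixer blog: list installed programs from the
# registry keys behind the "Uninstall a program" dialog, sorted by install date,
# and flag recent installs and watchlist name matches. Watchlist names come from
# the posts; -Days and the output layout are assumptions.
function Get-RecentInstalls {
    param(
        [int]$Days = 30,
        [string[]]$Watchlist = @('GamesDesktop', 'PineTree', 'CPUMiner',
                                 'gosearch.me', 'SmartComp Safe Network',
                                 'Live Malware Protection', 'Windows Menager')
    )
    # 64-bit view, 32-bit (WOW6432Node) view, and per-user installs that never
    # needed admin rights (a common way bundled adware installs itself)
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $cutoff = (Get-Date).AddDays(-$Days)

    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            $item = $_
            # InstallDate is yyyyMMdd text; many unwanted installers leave it out,
            # so a blank date is itself worth a look rather than a reason to skip.
            $installed = $null
            if ($item.InstallDate -match '^\d{8}$') {
                $installed = [datetime]::ParseExact($item.InstallDate, 'yyyyMMdd',
                    [System.Globalization.CultureInfo]::InvariantCulture)
            }
            $name = $item.DisplayName
            $hit  = $Watchlist | Where-Object { $name -like "*$_*" }
            [pscustomobject]@{
                Installed = $installed
                Name      = $name
                Publisher = $item.Publisher
                Recent    = [bool]($installed -and $installed -ge $cutoff)
                Watchlist = [bool]$hit
                Uninstall = $item.UninstallString
            }
        } |
        Sort-Object Installed -Descending
}

# Usage: show only entries installed in the last two weeks or matching the watchlist
Get-RecentInstalls -Days 14 |
    Where-Object { $_.Recent -or $_.Watchlist } |
    Format-Table Installed, Name, Publisher, Uninstall -AutoSize
```

The Uninstall column shows the command the Control Panel would run, which is useful to see where a suspicious entry actually lives on disk before removing it.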

Did this blog post help you to remove the land.pckeeper.software pop-up ads? Please let me know, or tell me how I can improve this blog post.

Thank you!

LLC “B2B SOFT UA” – 14% Detection Rate

Hello readers! Just a short post before I call it a day. I found yet another file that bundled a bunch of unwanted programs, and the file was signed by LLC “B2B SOFT UA”.

LLC B2B SOFT UA publisher

You will also see LLC “B2B SOFT UA” listed as the verified publisher in the User Account Control dialog that pops up if you try to run the file. The certificate is issued by COMODO RSA Code Signing CA. The company is located in Kiev, Ukraine:

LLC B2B SOFT UA certificate
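The publisher posts above (Safemode Install, LLC “DIVAROS SOFT”, MaxAgile and this one) all make the same point: a valid signature tells you who signed the file, not whether the file is what its name claims, so a chrome-download.exe signed by anyone other than Google Inc is the red flag. The PowerShell function below is an added example (not code from the blog or from FreeFixer) that scripts the digital-signature-tab check: it verifies the Authenticode signature and compares the signer’s common name with the publisher you expected. The file path and expected publisher are supplied by the caller; the function name and output columns are assumptions.

```powershell
# Added example, not from the FreeFixer blog: verify a downloaded installer's
# Authenticode signature and compare the signer's common name with the publisher
# you expected (e.g. "Google Inc" for a Chrome setup file). Path and expected
# publisher are caller-supplied; the output layout is an assumption.
function Test-ExpectedPublisher {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedPublisher
    )
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate

    # Status is 'Valid' only when the signature verifies AND the chain ends in a
    # trusted root. 'NotSigned' and 'HashMismatch' (tampered file) are the hostile cases.
    $cn = $null; $issuer = $null; $country = $null
    if ($signer) {
        $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $cn       = $signer.GetNameInfo($nameType, $false)   # subject CN, e.g. "Google Inc"
        $issuer   = $signer.GetNameInfo($nameType, $true)    # issuing CA CN
        # Country attribute from the X.500 subject, as shown on the certificate tab
        if ($signer.Subject -match '(?:^|,\s*)C=([^,]+)') { $country = $Matches[1] }
    }

    [pscustomobject]@{
        File            = $Path
        SignatureStatus = $sig.Status
        Signer          = $cn
        Issuer          = $issuer
        Country         = $country
        # A signature from the wrong company is still a 'Valid' signature; only
        # the name comparison catches a look-alike installer.
        MatchesExpected = ($sig.Status -eq 'Valid') -and ($cn -eq $ExpectedPublisher)
    }
}

# Usage: a Chrome installer should report Signer "Google Inc" and MatchesExpected True
Test-ExpectedPublisher -Path "$env:USERPROFILE\Downloads\chrome-download.exe" `
                       -ExpectedPublisher 'Google Inc'
```

For the files in these posts the SignatureStatus would still read Valid, because the certificates were issued by GlobalSign and COMODO and chain to trusted roots; it is the Signer field, showing a company that has nothing to do with the product name, that makes the decision.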

The VirusTotal report shows that the LLC “B2B SOFT UA” file should be avoided, since How I Met Your Mother S09E22 HDTV x264KILLERS[ettv]__15022_i1707449201_il379351.exe is detected as ADWARE/Amonetize.Gen by Avira, PE:Malware.RDM.15!5.15[F1] by Rising, HEUR/QVM10.1.Malware.Gen by Qihoo-360 and Trj/Genetic.gen by Panda.

LLC B2B SOFT UA virus report

Did you also find a LLC “B2B SOFT UA” file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thanks for reading.

Pop Up Ads and Status Bar Messages – October 2015

If you have been following me on the blog for the last six months you know that I often write about how to remove pop up ads and how to remove unwanted sites showing up in the browser’s status bar. In those blog posts, I show how to track down and remove unwanted software by using 1) the Windows Control Panel, 2) the browser’s add-on dialog or 3) the FreeFixer removal tool.

I often write a new blog post for each site that I find, which is quite time-consuming. The upcoming months I’ll be focusing on developing some back-end stuff for FreeFixer so I can’t be as active as I used to be on the blog. But I will at least summarise the finds that I make, with a screenshot, and post them here.

A pop up from se-arlig-undersokning.xyz:

se-arlig-undersokning.xyz

spartoo.se pop up:

spartoo.se pop up

barnebys.se pop up:

barnebys.se pop up

us.fps-pb.com pop up:

us.fps-pb.com pop up

and a pop up ad from luxuryslotonline.com:

luxuryslotonline.com pop up

A pop up from d31f5ec245utk2.cloudfront.net:

d31f5ec245utk2.cloudfront.net pop up

go.leguide.com pop up:

go.leguide.com pop up

dream-marriage.com pop up:

dream-marriage.com pop up

tracking.tfxiq.net in the status bar:

tracking.tfxiq.net

Pop up from machine.billionoptions.net:

machine.billionoptions.net

Pop up from aftonbladet.se.05b.xyz:

aftonbladet.se.05b.xyz pop up

kds.adspirit.de pop up:

kds.adspirit.de pop up

A pop up from chachagong23.com:

chachagong23.com pop up

dry.papaerleaf.com in the status bar:

dry.papaerleaf.com

super-promo.guqu.info pop up:

super-promo.guqu.info

rqf.receptorirrigated.com in the status bar:

rqf.receptorirrigated.com

A pop up ad from 123mymovies.com:

123mymovies.com pop up

adss.comeadvertisewithus.com in Firefox’ status bar:

adss.comeadvertisewithus.com

A pop up from static.millionairetruth.com:

static.millionairetruth.com pop up

gets.attracteffectclub.info in the status bar:

gets.attracteffectclub.info

A pop-up ad from super-promo.gufu.info:

super-promo.gufu.info pop up

While doing a search at Google, ads.egrana.com.br showed up in the status bar:

ads.egrana.com.br status bar

pinsght.com in the status bar:

pinsght.com

super-promo.goas.info pop up:

super-promo.goas.info pop up

A pop-up from cnn.officialreport.info:

cnn.officialreport.info pop up

While searching at Google’s search engine, cdn1.clktag.com popped up in the status bar:

cdn1.clktag.com status bar

karriar-magazine.com pop up ad:

karriar-magazine.com pop up

Pop-up ad from super-promo.gipi.info:

super-promo.gipi.info

api.pixelcloudhit.com in the status bar:

api.pixelcloudhit.com status bar

And a pop up from scanscasino.com:

scanscasino.com pop up

Pop up ad from super-promo.giiy.info:

super-promo.giiy.info

swf.chequebooksbruising.com in the browser’s status bar:

swf.chequebooksbruising.com

A pop up from super-promo.giip.info:

super-promo.giip.info

and cdn3.org showed up in the network log:

cdn3.org

bcp.crwdcntrl.net loaded from google:

bcp.crwdcntrl.net

anddogen.com in the status bar:

anddogen.com

A pop up from super-promo.gurs.info.

A pop up ad about oil-trading from preg.conquer-media.com:

preg.conquer-media.com pop up

i_sbitinbsjs_info.tlscdn.com showed up in the status bar of Mozilla Firefox while searching at Google. Here’s a dump from the network log.

i_sbitinbsjs_info.tlscdn.com

technologiestuart.com also showed up in the status bar while doing the Google search:

www.technologiestuart.com

The Wajam adware is responsible for that connection.

A bunch of netdna-ssl.com domains showed up in the Firefox status bar while searching at Google. The domains were:

  • 4x3zy4ql-l8bu4n1j.netdna-ssl.com
  • 5k9v3bc1-enehfzfv.netdna-ssl.com
  • d13j8bqw-l8bu4n1j.netdna-ssl.com
  • j9bruvxk-l8bu4n1j.netdna-ssl.com

4x3zy4ql-l8bu4n1j.netdna-ssl.com   5k9v3bc1-enehfzfv.netdna-ssl.com

A pop-up ad from super-promo.gazy.info:

super-promo.gazy.info pop up

A survey pop-up ad from super-promo.gaol.info:

super-promo.gaol.info pop up

jscdnbox.com loading while searching at Google:

jscdnbox.com

s.tlscdn.com in Firefox’ status bar:

s.tlscdn.com

Here’s isi.envelopspunnet.com in the status bar:

isi.envelopspunnet.com

Pop up ad from super-promo.gaah.info:

super-promo.gaah.info pop up

stat.vidcore.tv in the status bar:

stat.vidcore.tv

A pop-up from nordicslabel.com:

nordicslabel.com pop up

Adsvids.com in the status bar:

adsvids.com

A pop-up ad from super-promo.fuvu.info:

super-promo.fuvu.info pop up

The 8casino-x.com pop up ad:

8casino-x.com pop up

omq.relievingdungeons.com may show up in your browser’s status bar:

omq.relievingdungeons.com

go.herdailyvideos.com in Firefox’ status bar:

go.herdailyvideos.com

bit-search.com in the status bar:

bit-search.com

search.smartshopping.com also in the status bar:

search.smartshopping.com

tracking.audience.media in the status bar, while searching at Google:

tracking.audience.media

And here’s a pop up from super-promo.grav.info:

super-promo.grav.info pop up

cf.vsavr.com in the network log:

cf.vsavr.com

prod.vsearchr.com, also in the network log:

prod.vsearchr.com

A popup ad from super-promo.geew.info:

super-promo.geew.info pop up

A pop up from financialsecrets.info.

Other sites that showed up in the network log while doing a search at Google:

  • uhl.outspokentameness.com
  • foi.slynessduplicating.com
  • duu.ragsmarmoset.com
  • opl.speculationsanorak.com
  • vrr.unfamiliarcartographer.com
  • nex.encirclelargish.com
  • hev.sedentaryprosecutor.com
  • drm.polysyllabicsurrounds.com
  • ryz.affiliatedstammer.com
  • monetserv.info
  • nwv.vicescappuccino.com
  • a.global-cdn.co
  • pki.dowagersinimitable.com
  • vmx.pukingtwirled.com
  • yqg.employscitrate.com
  • hzm.maximumfireplaces.com
  • app.keymaxbit.com
  • logs.keymaxbit.com
  • ezl.allegesmourns.com
  • tki.chimpanzeepooling.com
  • www.unionismstream.com
  • eam.duchessestallying.com
  • ech.parallaxindecision.com
  • www.physicianapologises.com
  • www.decomposeselbows.com
  • www.centrifugescompletions.com
  • www.riderdismantled.com
  • vsb.tatlocalisation.com
  • yfv.humpstows.com
  • dfe.contributorymethods.com
  • hql.flirtationafricans.com
  • sgn.egyptianobservably.com
  • arj.keelconjectured.com
  • t1.extreme-dm.com
  • xhd.handbagoverturn.com
  • yze.farcataclysm.com
  • app.pricemoon.co
  • jsgnr.pricemoon.co
  • cwbl.pricemoon.co
  • horusjs.s3.amazonaws.com
  • i_crbfmcjs_info.tlscdn.com
  • cdn.gosignserv.com
  • c.crbsjs.info
  • q.megainbsjs.info
  • r6.kelkoo.com
  • r.kelkoo.com
  • m.megainbsjs.info
  • adsroute.adk2x.com
  • connect.facebook.net
  • d2nq0f8d9ofdwv.cloudfront.net
  • cdn.adpdx.com
  • p.adpdx.com
  • wcp.commonwealthprussia.com
  • qzd.haemophiliacontextualisation.com

A few other sites that appeared in my network log:

  • js.bitgenmax.com
  • app.newcloudrack.com
  • logs.newcloudrack.com
  • js.newcloudrack.com
  • js.keymaxbit.com
  • m2.macutnova.com
  • app.bitgenmax.com
  • logs.bitgenmax.com
  • c.megainbsjs.info
  • f.asdfzxcv1312.com
  • s.megainbsjs.info
  • f.megainbsjs.info
  • app.cloudmaxbox.com
  • logs.cloudmaxbox.com
  • d2avx7g1ttwebd.cloudfront.net
  • d21r4q0rdzodf.cloudfront.net
  • js.cloudmaxbox.com
  • app.devgokey.com
  • logs.devgokey.com
  • js.devgokey.com
  • danv01ao0kdr2.cloudfront.net
  • portal.brandlock.io
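The two lists above were collected by watching the browser’s network log during a Google search and writing down every host that had no business being there. The PowerShell function below is an added example (not code from the blog or from FreeFixer) that automates that triage on a saved network log: it reads a HAR export (the Network tab in Firefox and Chrome can save one), groups requests by host, drops the first-party domain, and flags hosts under a watchlist of domains. The HAR in the block is constructed sample data, not a real capture; the watchlist defaults are domains from the lists above, and the function name and columns are assumptions.

```powershell
# Added example, not from the FreeFixer blog: read a browser network log saved as
# HAR, group requests by host, and report the hosts that are not the site you
# visited. Hosts under a watchlist of domains are flagged separately. The HAR
# below is constructed sample data; the watchlist defaults come from the lists
# of domains in this post.
function Get-ThirdPartyHosts {
    param(
        [Parameter(Mandatory)][string]$HarJson,
        [Parameter(Mandatory)][string]$FirstPartyDomain,
        [string[]]$Watchlist = @('tlscdn.com', 'netdna-ssl.com', 'keymaxbit.com',
                                 'pricemoon.co', 'crwdcntrl.net')
    )
    $har = $HarJson | ConvertFrom-Json

    # Suffix match on label boundaries: "a.b.example.com" matches "example.com",
    # but "notexample.com" does not.
    $underDomain = {
        param($hostName, $domain)
        ($hostName -eq $domain) -or $hostName.EndsWith(".$domain")
    }

    $har.log.entries |
        ForEach-Object { ([uri]($_.request.url)).Host.ToLowerInvariant() } |
        Group-Object |
        ForEach-Object {
            $h    = $_.Name
            $flag = $Watchlist | Where-Object { & $underDomain $h $_ }
            [pscustomobject]@{
                Host       = $h
                Requests   = $_.Count
                FirstParty = [bool](& $underDomain $h $FirstPartyDomain)
                Watchlist  = [bool]$flag
            }
        } |
        Where-Object { -not $_.FirstParty } |
        Sort-Object Requests -Descending
}

# Constructed sample HAR (not a real capture): a Google search page that also
# pulls resources from hosts this post saw during Google searches on an
# infected lab machine.
$sampleHar = @'
{ "log": { "entries": [
  { "request": { "url": "https://www.google.com/search?q=test" } },
  { "request": { "url": "https://www.gstatic.com/og/_/js/k=og.js" } },
  { "request": { "url": "https://s.tlscdn.com/js.js" } },
  { "request": { "url": "https://s.tlscdn.com/track.gif" } },
  { "request": { "url": "https://4x3zy4ql-l8bu4n1j.netdna-ssl.com/loader.js" } },
  { "request": { "url": "https://bcp.crwdcntrl.net/5/c=1234" } }
] } }
'@

# Usage: with a real export, read it with Get-Content -Raw instead of $sampleHar
Get-ThirdPartyHosts -HarJson $sampleHar -FirstPartyDomain 'google.com' | Format-Table -AutoSize
```

Note that a first-party site will legitimately load from its own CDNs (gstatic.com in the sample), so an empty third-party list is not the goal; the Watchlist column, and any host you cannot tie to the page you were on, is what to compare against the installed-programs and add-on checks from the posts above.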

Ran into a file signed by BoxI DJV.

BoxI DJV file

Ran into a file signed by Media Theory (Fried Cookie Ltd):

Media Theory (Fried Cookie Ltd)

Somewhat unrelated, but I’ve also run into an add-on called FirefixTab 0.1.13:

FirefixTab 0.1.13