Monthly Archives: November 2015

LLC “YUTA-SOFT” – 13% Detection Rate – BundleApp.NWS / Amonetize

Hi there! Just wanted to give you the heads up on a file called that’s digitally signed by LLC “YUTA-SOFT”.

LLC YUTA-SOFT publisher

Windows will display LLC “YUTA-SOFT” as the publisher when running the file. The certificate is issued by COMODO RSA Code Signing CA, and the company appears to be located in Ukraine.

LLC YUTA-SOFT certificate

For the time being, 7 of the scanners detected the file. AVG detects the Yuta Soft file as BundleApp.NWS, Panda reports Trj/Genetic.gen, ESET-NOD32 detects it as a variant of Win32/Amonetize.LP potentially unwanted, DrWeb reports Trojan.Amonetize.11077 and Malwarebytes detects it as PUP.Optional.Amonetize.

LLC YUTA-SOFT virus report

Did you also find an LLC “YUTA-SOFT” download? What kind of download was it?

Hope this blog post helped you avoid some unwanted software on your machine.

Thank you for reading.

Remove s.admtpmp124.com Pop Up Ads

Does this sound like your story? You see pop-up ads from s.admtpmp124.com while browsing websites that most of the time don’t advertise in pop-up windows. The pop-ups manage to sidestep the built-in pop-up blockers in Mozilla Firefox, Google Chrome, Internet Explorer or Safari. Perhaps the s.admtpmp124.com pop-ups appear when clicking search results from Google? Or do the pop-ups appear even when you’re not browsing?

Here’s a screenshot of the s.admtpmp124.com pop-up ad when it showed up on my computer:

s.admtpmp124.com pop up

If you also see this on your machine, you most likely have some adware installed on your machine that pops up the s.admtpmp124.com ads. Contacting the owner of the web site would be a waste of time. They are not responsible for the ads. I’ll do my best to help you with the s.admtpmp124.com removal in this blog post.

For those that are new to the blog: Recently I dedicated a few of my lab machines and purposely installed some adware programs on them. Since then I have been observing the behaviour on these computers to see what kinds of advertisements are displayed. I’m also looking at other interesting things, such as whether the adware updates itself, or whether it downloads and installs additional unwanted software on the machines. I first found the s.admtpmp124.com pop-up on one of these lab machines.

s.admtpmp124.com was registered on 2015-05-23. s.admtpmp124.com resolves to the 130.211.126.3 address.

The following domains are also registered and it’s possible that they are used for pop-ups too:

  • admtpmp123.com
  • admtpmp125.com
  • admtpmp126.com
  • admtpmp127.com
  • admtpmp128.com

So, how do you remove the s.admtpmp124.com pop-up ads? On the machine where I got the s.admtpmp124.com ads I had Shopper-Pro, ObjectBrowser, MyStartSearch, YTDownloader, iWebar, Wajam, Primary Color and WebShield installed. I removed them with FreeFixer and that stopped the s.admtpmp124.com pop-ups and all the other ads I was getting in Mozilla Firefox.

The s. domain is attracting quite a lot of traffic, just check out the Alexa traffic rank:

admtpmp124.com traffic

The issue with pop-ups such as this one is that they can be triggered by many variants of adware, not just the adware running on my computer. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

Anyway, here’s my suggestion for the s.admtpmp124.com ads removal:

  1. Examine what programs you have installed in the Add/Remove programs dialog in the Windows Control Panel. Do you see anything that you don’t remember installing or that was recently installed?
  2. How about the add-ons in your browsers? Anything in the list that you don’t remember installing?
  3. If that does not help, I’d recommend a scan with FreeFixer to manually track down the adware. FreeFixer is a freeware tool that I’m working on that scans your computer at lots of locations, such as browser add-ons, processes, Windows services, recently modified files, etc. If you want to get additional details about a file in the scan result, you can click the More Info link for that file and a web page will open up with a VirusTotal report which will be very useful to determine if the file is safe or malware:

    FreeFixer More Info link example
    An example of FreeFixer’s “More Info” links. Click for full size.
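Step 1 of the checklist, done from PowerShell rather than the Control Panel, as an added example that is not code from this blog or from FreeFixer: it lists installed programs and flags anything recent or matching the adware names found on the lab machine above. It assumes Windows PowerShell 3 or later; the 30-day window is an arbitrary choice.

```powershell
# Added example, not code from the FreeFixer blog: list installed programs
# and flag recent installs or names from the adware set the post found next
# to the s.admtpmp124.com pop-ups. Assumes Windows PowerShell 3 or later.

# Names taken from the post's own lab machine
$Watchlist = 'Shopper-Pro', 'ObjectBrowser', 'MyStartSearch', 'YTDownloader',
             'iWebar', 'Wajam', 'Primary Color', 'WebShield'

# Where Add/Remove Programs gets its list from (64-bit, 32-bit, per-user)
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-SuspectInstalls {
    param([int]$Days = 30)   # arbitrary "recently installed" window
    $cutoff = (Get-Date).AddDays(-$Days)

    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            $item = $_
            # InstallDate is a yyyyMMdd string and is often missing for
            # non-MSI installers, so treat it as unknown when absent.
            $installed = $null
            if ($item.InstallDate -match '^\d{8}$') {
                $installed = [datetime]::ParseExact($item.InstallDate, 'yyyyMMdd', $null)
            }
            $watch = [bool]($Watchlist | Where-Object { $item.DisplayName -like "*$_*" })

            [pscustomobject]@{
                Name        = $item.DisplayName
                Publisher   = $item.Publisher
                Installed   = $installed
                Recent      = ($null -ne $installed) -and ($installed -ge $cutoff)
                OnWatchlist = $watch
                Uninstall   = $item.UninstallString
            }
        } |
        Where-Object { $_.Recent -or $_.OnWatchlist } |
        Sort-Object Installed -Descending
}

Get-SuspectInstalls -Days 30 |
    Format-Table Name, Publisher, Installed, Recent, OnWatchlist -AutoSize
```

Entries with an empty Installed column are worth a second look too, since the date is simply unknown rather than old.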

Here’s a video tutorial showing FreeFixer in action removing pop-up ads:

Did this blog post help you to remove the s.admtpmp124.com pop-up ads? Please let me know, or tell me how I can improve this blog post.

Thank you!

LLC “TRUKONF SOFT” – 33% Detection Rate – AdLoad / PUP.Optional.Amonetize

Welcome! Just wanted to give you a heads-up on a suspicious file I found just now. The file is digitally signed by LLC “TRUKONF SOFT”.

LLC TRUKONF SOFT publisher

This is how it looks when double-clicking on the file and LLC “TRUKONF SOFT” appears as the publisher. Viewing the certificate information is also possible by looking under the digital signature tab for the file. Here the certificate says that LLC “TRUKONF SOFT” is located in Ukraine.

LLC TRUKONF SOFT certificate

The reason I’m writing this blog post is that the LLC “TRUKONF SOFT” file is detected by many of the antimalware programs at VirusTotal. VBA32 names it SScope.Trojan.Zbot.gen, Baidu-International detects the file as PUA.Win32.Amonetize.LI, Kaspersky calls it not-a-virus:Downloader.Win32.AdLoad.rppk, Sophos calls it Generic PUA JA (PUA), Panda reports PUP/Multitoolbar and Malwarebytes detects it as PUP.Optional.Amonetize.

LLC TRUKONF SOFT anti-virus report

Did you also find an LLC “TRUKONF SOFT” file?

Thank you for reading.

PremiumBeam (New Media Holdings Ltd.) – 15% Detection Rate – InstallCore

Hi there! Just a quick post today, since I’m busy working with the next release of FreeFixer. Did you see a file, such as vlc-media-player.exe, on your system signed by PremiumBeam (New Media Holdings Ltd.)? Then read on.

PremiumBeam (New Media Holdings Ltd.)


If you have a PremiumBeam (New Media Holdings Ltd.) file on your computer you may have noticed that PremiumBeam (New Media Holdings Ltd.) pops up as the publisher in the User Account Control dialog when running the file. The PremiumBeam (New Media Holdings Ltd.) certificate shows that the publisher is located in Tel Aviv, Israel.

These are the current VirusTotal detections for the file. PUP.Optional.InstallCore, HEUR/QVM06.1.Malware.Gen, Install Core Click run software (PUA), SScope.Malware-Cryptor.InstallCore and InstallCore (fs) are a few of the detection names for the vlc-media-player.exe file.

PremiumBeam New Media Holdings Ltd. anti-virus report

Did you also find a file signed by PremiumBeam (New Media Holdings Ltd.)? What kind of download was it and where did you find it?

Thanks for reading.

Adverts Technologies – 25% Detection Rate – PUP.Optional.Adverts / ToDownload

Hi there! Just a quick post on a file named mediaplayer_update.exe signed by Adverts Technologies.

Adverts Technologies publisher

You can also see the Adverts Technologies certificate by looking under the Digital Signature tab on the file’s properties. According to the certificate, Adverts Technologies is located in Moscow, Russia.

Adverts Technologies cert

The issue with the Adverts Technologies file is that it is detected by many of the antimalware programs. Here are some of the detection names: Generic.E4D, PUP.Optional.Adverts, HEUR/QVM06.1.Malware.Gen, InstallCore ToDownload (PUA), SAPE.InstallCore.2505, Trojan.Win32.Generic!BT and Adware.BrowseFox.Win32.128816.

Adverts Technologies anti-virus

Did you also find an Adverts Technologies file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thanks for reading.

RUn apps fOrevEr Lld – 35% Detection Rate

Hi there! Just a quick post on a file named Medal Of Honour PC Game Full version Free Download.exe signed by RUn apps fOrevEr Lld.

The following screenshot shows the User Account Control dialog when running the RUn apps fOrevEr Lld file:

RUn apps fOrevEr Lld publisher

It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the RUn apps fOrevEr Lld certificate.

RUn apps fOrevEr Lld cert

The VirusTotal report shows that the RUn apps fOrevEr Lld file should be avoided, since Medal Of Honour PC Game Full version Free Download.exe is detected as Trojan.OutBrowse.1613 by DrWeb, Downloader.AAPP by AVG, SoftwareBundler:Win32/Outbrowse by Microsoft, OutBrowse by VIPRE and HEUR/QVM42.0.Malware.Gen by Qihoo-360.

RUn apps fOrevEr Lld anti-virus report

Did you also find a file that was digitally signed by RUn apps fOrevEr Lld? What kind of download was it and was it reported by the anti-malware scanners at VirusTotal? Please share by posting a comment.

Thanks for reading.

SaFE clIck LoL – 36% Detection Rate

Welcome! Just wanted to give you the heads up on files digitally signed by SaFE clIck LoL.

SaFE clIck LoL publisher

You will also see SaFE clIck LoL listed as the verified publisher in the User Account Control dialog that pops up if you try to run the file. It’s possible to view additional information about the embedded certificate by right-clicking on the file, choosing Properties and then clicking on the Digital Signatures tab. From the certificate we can see that SaFE clIck LoL appears to be located in Dublin, Ireland and that the certificate is issued by thawte SHA256 Code Signing CA.

SaFE clIck LoL cert

The problem with the SaFE clIck LoL file is that it is detected by many of the antimalware scanners. Here are some of the detection names: Downloader.AAPP, PUA/Outbrowse.Gen, SoftwareBundler:Win32/Outbrowse and OutBrowse.

SaFE clIck LoL anti-virus report

Did you also find a SaFE clIck LoL file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thanks for reading.

ClIck to StaRt – 24% Detection Rate – OutBrowse

Hello readers! Just a quick post on a publisher called ClIck to StaRt that I found while running some tests for the upcoming FreeFixer release. The suspicious file is named Animal Porn On Android.exe.

The following screenshot shows the User Account Control dialog when running the ClIck to StaRt file:

ClIck to StaRt publisher

To get more details on the publisher, you can view the certificate by right-clicking on the file and looking under the Digital Signatures tab. The screenshot below shows the ClIck to StaRt certificate. From the certificate info we can see that ClIck to StaRt appears to be located in Dublin, Ireland.

ClIck to StaRt certificate

The reason I’m writing this blog post is that the ClIck to StaRt file is detected by many of the anti-virus programs at VirusTotal. AVG reports Luhe.Fiha.A, McAfee reports Adware-OutBrowse.h, Avast names Animal Porn On Android.exe as Win32:Malware-gen, ClamAV detects it as Win.Adware.Outbrowse-1167 and DrWeb detects it as Trojan.OutBrowse.1694.

ClIck to StaRt anti-virus report

Did you also find a ClIck to StaRt file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thanks for reading.

Media Story (New Media Holdings Ltd) – 11% Detection Rate – InstallCore

Hello! Just a note on a publisher called Media Story (New Media Holdings Ltd). The Media Story (New Media Holdings Ltd) download – chrome-download.exe – was detected when I uploaded it to VirusTotal. Did you also find a download by Media Story (New Media Holdings Ltd)? Was it also detected when you uploaded it to VirusTotal?

Media Story New Media Holdings Ltd cert uac

By looking at the certificate we can see that Media Story (New Media Holdings Ltd) appears to be located in Tel Aviv in Israel.

Media Story (New Media Holdings Ltd) cert

What caught my attention was that the download was called chrome-download.exe. This might look like an official Google Chrome download, but it is not. If it was an official download, it would be digitally signed by Google Inc. Here’s how the authentic Google Chrome download looks when you double-click on it. Notice that the “Verified publisher” says “Google Inc”.

Chrome Google Inc publisher
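The same check done from PowerShell, as an added example that is not code from this blog or from FreeFixer: it reads the Authenticode signature of a downloaded file and compares the signing publisher with the one the file name implies. It assumes Windows PowerShell 3 or later; the path is a placeholder and the expected publisher 'Google Inc' is the one named above.

```powershell
# Added example, not code from the FreeFixer blog: check who actually signed
# a downloaded executable instead of trusting its file name. Assumes Windows
# PowerShell 3 or later; the path at the bottom is a placeholder.

function Test-DownloadSigner {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Publisher you expect for this download, e.g. 'Google Inc' for Chrome
        [Parameter(Mandatory)][string]$ExpectedPublisher
    )

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate   # $null when the file is not signed

    # SimpleName yields the subject CN, so a subject such as
    # 'CN="LLC ""YUTA-SOFT""", O=...' comes back as LLC "YUTA-SOFT"
    # without any fragile comma splitting.
    $publisher = $null
    $issuer    = $null
    if ($cert) {
        $nameType  = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $publisher = $cert.GetNameInfo($nameType, $false)
        $issuer    = $cert.GetNameInfo($nameType, $true)
    }

    [pscustomobject]@{
        File       = Split-Path -Leaf $Path
        Status     = $sig.Status        # Valid, NotSigned, HashMismatch, ...
        Publisher  = $publisher
        Issuer     = $issuer            # e.g. a COMODO or thawte code-signing CA
        # 'Valid' only means the chain verifies. Every bundler in these posts
        # carried a valid signature; the mismatch between the product the
        # file name promises and the name on the certificate is the signal.
        AsExpected = ($sig.Status -eq 'Valid') -and ($publisher -eq $ExpectedPublisher)
    }
}

# A file calling itself chrome-download.exe should show Google Inc here;
# any other publisher is the warning sign the post describes.
Test-DownloadSigner -Path "$env:USERPROFILE\Downloads\chrome-download.exe" `
                    -ExpectedPublisher 'Google Inc' | Format-List
```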

The scan result from VirusTotal below clearly shows why you should avoid the Media Story (New Media Holdings Ltd) file. It is detected under names such as Adware ( 004cf5d71 ), Adware ( 004cf5d71 ), PUP.Optional.InstallCore and Install Core Click run software (PUA).

Media Story New Media Holdings Ltd anti-virus report

Since you probably came here after finding a download that was signed by Media Story (New Media Holdings Ltd), please share what kind of download it was and if it was detected by the anti-virus programs at VirusTotal.

Thanks for reading.

BoxI DJV – 49% Detection Rate – OutBrowse / Downloader.YVA / W32.HfsAdware

Hi there! Ran into a BoxI DJV file about a week ago, but decided not to blog about it since my schedule was full with other things. I’m currently working on improving the freefixer.com web site with some new features.

However, I changed my mind today about BoxI DJV since there is currently a large number of files being distributed with the BoxI DJV signature. And since the BoxI DJV file is detected by many of the anti-virus programs out there I wanted to give you the heads up with a short blog post about it. Here’s BoxI DJV listed as the verified publisher:

BoxI DJV

You can see who the signer is when double-clicking on an executable file. BoxI DJV appears in the publisher field in the dialog that pops up. The certificate is issued by thawte SHA256 Code Signing CA.

Here are the detections from VirusTotal for BoxI DJV:

BoxI DJV anti-virus report

The detection rate is 26/53. The Moborobo.exe file is detected as OutBrowse by VIPRE, Riskware/OutBrowse by Fortinet, PUA.Boxidjv1.Gen by CAT-QuickHeal, Trojan.OutBrowse.1215 by DrWeb, Downloader.YVA by AVG, W32.HfsAdware.9EC9 by Bkav and SAPE.Heur.BB351 by Symantec.

Did you also find a file digitally signed by BoxI DJV? What kind of download was it and where did you find it?

Thanks for reading.