Category Archives: freefixer

Say Hi To Cuckoo Sandbox!

Cuckoo is an open source automated malware analysis tool. Cuckoo can execute files and monitor the behaviour. And if you are running FreeFixer, your suspicious files will also be analysed by the sandbox. For free.

I’ll try to explain what Cuckoo can do more in detail by using examples from the Cuckoo reports on files listed here at freefixer.com:

One of the most useful features is that Cuckoo can trace API calls. Here’s an example from RunBoosterUpdateTask64.exe, where you can see that it calls CreateServiceW to register a driver named WinDivert64.sys. This is pretty useful if you are trying to find out what a particular file on your system is doing.

"call": {
  "category": "services",
  "status": 1,
  "stacktrace": [],
  "api": "CreateServiceW",
  "return_value": 4536928,
  "arguments": {
    "service_start_name": "",
    "start_type": 2,
    "service_handle": "0x0000000000453a60",
    "display_name": "WinDivert1.2",
    "error_control": 1,
    "service_name": "WinDivert1.2",
    "filepath": "C:\\Windows\\System32\\drivers\\WinDivert64.sys",
    "filepath_r": "C:\\Windows\\system32\\drivers\\WinDivert64.sys",
    "service_manager_handle": "0x0000000000453a00",
    "desired_access": 983551,
    "service_type": 1,
    "password": ""
  },
  "time": 1576385586.79675,
  "tid": 2436,
  "flags": {}
}
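The call record above is only useful if you can read the numeric arguments. The following script is an added example (not FreeFixer’s or Cuckoo’s own code) that decodes a CreateServiceW record into the standard winsvc.h names, so that a reader sees at a glance that the call registers a kernel driver that starts automatically. The record is the one quoted above; the decoding tables and the notes logic are mine.

```python
"""Decode a CreateServiceW call record from a Cuckoo behaviour log.

Added example, not FreeFixer or Cuckoo code. The record below is the one
quoted in the post; the lookup tables are the standard winsvc.h constants.
"""
import json

# Service type bits (winsvc.h).
SERVICE_TYPES = {
    0x1: "SERVICE_KERNEL_DRIVER",
    0x2: "SERVICE_FILE_SYSTEM_DRIVER",
    0x10: "SERVICE_WIN32_OWN_PROCESS",
    0x20: "SERVICE_WIN32_SHARE_PROCESS",
}
# Start types (winsvc.h).
START_TYPES = {
    0: "SERVICE_BOOT_START",
    1: "SERVICE_SYSTEM_START",
    2: "SERVICE_AUTO_START",
    3: "SERVICE_DEMAND_START",
    4: "SERVICE_DISABLED",
}
SERVICE_ALL_ACCESS = 0xF01FF  # decimal 983551, as logged by Cuckoo

# The CreateServiceW record quoted in the post (RunBoosterUpdateTask64.exe).
SAMPLE_CALL = json.loads(r'''{
  "category": "services",
  "status": 1,
  "api": "CreateServiceW",
  "return_value": 4536928,
  "arguments": {
    "service_start_name": "",
    "start_type": 2,
    "display_name": "WinDivert1.2",
    "error_control": 1,
    "service_name": "WinDivert1.2",
    "filepath": "C:\\Windows\\System32\\drivers\\WinDivert64.sys",
    "desired_access": 983551,
    "service_type": 1,
    "password": ""
  },
  "time": 1576385586.79675,
  "tid": 2436
}''')


def decode_service_call(call):
    """Return a readable dict for a CreateServiceA/W record, or None for other APIs."""
    if call.get("api") not in ("CreateServiceA", "CreateServiceW"):
        return None
    args = call.get("arguments", {})
    stype = args.get("service_type", 0)
    start = args.get("start_type")
    access = args.get("desired_access", 0)
    decoded = {
        "service_name": args.get("service_name"),
        "display_name": args.get("display_name"),
        "binary": args.get("filepath"),
        "service_type": SERVICE_TYPES.get(stype, hex(stype)),
        "start_type": START_TYPES.get(start, str(start)),
        "desired_access": "SERVICE_ALL_ACCESS" if access == SERVICE_ALL_ACCESS else hex(access),
        # Cuckoo logs status 1 for a successful call; the return value is the SC handle.
        "succeeded": call.get("status") == 1 and call.get("return_value", 0) != 0,
        "notes": [],
    }
    if stype & 0x3:
        decoded["notes"].append("installs a kernel-mode driver")
    if start in (0, 1, 2):
        decoded["notes"].append("starts automatically at boot")
    # For Win32 services an empty account name means LocalSystem; for drivers the
    # field is the driver object name, so only comment on it for real services.
    if stype & 0x30 and args.get("service_start_name", "") in ("", "LocalSystem"):
        decoded["notes"].append("runs as LocalSystem")
    return decoded


def service_installs(calls):
    """Yield decoded CreateService records from a list of Cuckoo call records."""
    for call in calls:
        decoded = decode_service_call(call)
        if decoded:
            yield decoded


if __name__ == "__main__":
    for entry in service_installs([SAMPLE_CALL]):
        for key, value in entry.items():
            print(f"{key:>15}: {value}")
```

Run over the calls list of each process in report["behavior"]["processes"], the same summary line ("WinDivert1.2: SERVICE_KERNEL_DRIVER, SERVICE_AUTO_START, installs a kernel-mode driver") is far easier to scan than the raw JSON.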

Cuckoo also monitors host name resolution. Here’s another example from the log where RunBoosterUpdateTask64.exe tries to look up the IP address of update.updinfo.xyz:

"resolves_host": [ "update.updinfo.xyz" ]

And the list goes on. Cuckoo detects anti-virtualisation tactics: for example, it will notice if the file under test checks for the existence of VMware or VirtualBox registry keys or files.

Here’s an example from armsvc.exe where Cuckoo notices that the process is trying to detect whether it is running in VMware by using the x86 “in” instruction:

{
  "markcount": 1,
  "families": [],
  "description": "Detects VMWare through the in instruction feature",
  "severity": 3,
...

Cuckoo flags potentially compressed or encrypted data in executable files by measuring their entropy. It can also step through installation wizards and takes screenshots during the analysis, and it logs UDP and TCP connections.
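To show what the entropy measure actually tells you, here is an added example (my code, not Cuckoo’s) that computes Shannon entropy per block over a file and reports the regions that look packed or encrypted. The sample file is constructed in-line: a repeated text header, a high-entropy body generated from a SHA-256 chain, and zero padding. The block size and the 7.0 bits-per-byte threshold are my choices, not Cuckoo’s.

```python
"""Flag compressed/encrypted regions of a file by local Shannon entropy.

Added example, not Cuckoo's code. The sample data is constructed in-line.
"""
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, block_size: int = 1024):
    """(offset, entropy) for each consecutive block of the file."""
    return [(off, shannon_entropy(data[off:off + block_size]))
            for off in range(0, len(data), block_size)]


def high_entropy_blocks(data: bytes, block_size: int = 1024, threshold: float = 7.0):
    """Offsets of blocks whose entropy suggests packed or encrypted content.

    Plain x86 code and text sit around 4-6.5 bits/byte; compressed or encrypted
    data approaches 8. The threshold is a heuristic, not a hard rule.
    """
    return [off for off, h in entropy_profile(data, block_size) if h >= threshold]


def _pseudo_random(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for packed code."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


# Constructed sample: 2048 bytes of text-like header, 4096 bytes of "packed"
# body, 1024 bytes of zero padding (7 blocks of 1024 bytes in total).
SAMPLE_FILE = (
    (b"This program cannot be run in DOS mode.\r\n" * 50)[:2048]
    + _pseudo_random(4096)
    + bytes(1024)
)


if __name__ == "__main__":
    for off, h in entropy_profile(SAMPLE_FILE):
        flag = " <-- high entropy" if h >= 7.0 else ""
        print(f"offset {off:6d}: {h:.2f} bits/byte{flag}")
    print("whole file:", round(shannon_entropy(SAMPLE_FILE), 2))
```

On a real PE you would run this per section (Cuckoo’s static analysis reports entropy per section for the same reason); a .text section near 8 bits/byte is the classic sign of a packer, while resources such as embedded images legitimately score high, which is why entropy is a hint rather than a verdict.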

I’m impressed by all the features.

So, I’ve set up a Cuckoo installation that freefixer.com uses to analyse files. The approach is simple: freefixer.com uploads files to the sandbox, and after a while the analysis is displayed on the web site. I’ve decided to display the Summary, Generic, Dropped, Signatures, Yara and Network sections from the sandbox report. Here’s an example report for armsvc.exe:

I’ve been running Cuckoo for some time now, and it has analysed more than 6000 files. I’m pretty happy with the results so far. Cuckoo just keeps on running, analysing one file after another.

I’ve identified a number of issues that need to be addressed:

  • Lots of noise! The reports from Cuckoo can be quite verbose, and it can be difficult for users to identify the most interesting parts of the log. This is a pretty difficult problem that I’m not sure how to fix. An automated approach is needed to pinpoint the most interesting parts of the log.
  • Identical screenshots. The sandbox generates screenshots that are almost identical. I’m currently using ImageMagick to compare images for similarity, but it does not work well enough. I think the code needs another round of tuning.
  • The web site needs to explain what the items in the log mean. For example, what do UDP packets sent from the local host to 224.0.0.255 at port 5355 mean? (It’s link-local name resolution for hosts on the same local link.)
  • The JSON reports are shown in fixed-size text areas (<pre></pre>) with vertical and horizontal scrollbars. This works OK when the amount of JSON data is small and terribly when dealing with a large amount of data. Please let me know if you have some ideas on how to present the JSON data in smart ways.

I’m hoping that, now that you have another tool to analyse files, this will help you to track down and remove that malware running on your machine.

Remove CrimeWatch Adware

Hello there and welcome to the FreeFixer blog. I just found another bundled adware titled CrimeWatch and wanted to give you some removal instructions. If the CrimeWatch adware is installed and running on your machine, you will see CrimeWatchService.exe, digitally signed by “Mathematical Applications”, running in the Windows Task Manager. You will also see a new service installed, called CrimeWatch, and perhaps also a yellow pop-up allowing you to toggle CrimeWatch on and off. I’ll show how to remove CrimeWatch in this blog post with the FreeFixer removal tool.

Screenshot: CrimeWatch toggle

CrimeWatch is bundled with a number of downloads. Bundling means that software is included in other software’s installers. Here’s one example of how it appears in an installer for an unrelated program.

Screenshot: CrimeWatch offer in the installer

As always when I find some new bundled software, I uploaded it to VirusTotal to check if the anti-malware software there finds anything interesting. 15 of the 56 anti-malware scanners detected the file. The CrimeWatch files are detected as PUA.PullUpdate! by Agnitum, ApplicUnwnt by Comodo, Adware.Yontoo.55 by DrWeb, PUP.Optional.Crimewatch.A by Malwarebytes, Trj/Genetic.gen by Panda and HEUR/QVM30.1.Malware.Gen by Qihoo-360.

Screenshot: CrimeWatch VirusTotal results

Since you probably want to remove CrimeWatch, these are the files you should check for removal in FreeFixer. A restart of your machine may be required to complete the removal.

Screenshots: CrimeWatchService.exe process; crimewatch.exe and crimewatch.dll files; CrimeWatch service

Hope that helped you with the removal.

Did you also find CrimeWatch on your machine? Any idea how it installed? Please let me and the readers know by posting a comment. Thank you!

Hope you found this useful and thank you for reading.

Remove WebSize Adware

Hello readers. I was reviewing some of the files added to the FreeFixer database, and found something called WebSize. WebSize is yet another variant of BrowseFox. The WebSize removal is pretty easy. Just select the files that are digitally signed by WebSize in FreeFixer and the problem will be gone.

So what does VirusTotal say about the file? 19 of the anti-malware scanners detected the file. The WebSize files are detected as PUA.BrowseFox! by Agnitum, Adware/BrowseFox.A.1227 by Avira, Tool.NetFilter.313 by DrWeb and AdWare.Win64.Yotoon by VBA32.

Screenshot: WebSize VirusTotal results

Hope that helped you to figure out how to do the removal.

Do you also have WebSize on your computer? Any idea how it was installed? Please share by posting a comment. Thank you!

Hope you found this useful and thank you for reading.

Remove Ace Race Ads – Adware Removal Instructions

Just wanted to put up a short blog post before going back to coding. Did something named Ace Race appear on your machine? This appears to be yet another variant of BrowseFox that I’ve previously blogged about. If the Ace Race adware is running on your computer, you will see a new add-on called Ace Race installed into Mozilla Firefox and Internet Explorer. I’ll show how to remove Ace Race in this blog post with the FreeFixer removal tool.

Screenshot: Ace Race add-on in Firefox

Ace Race is bundled with a number of downloads. Bundling means that software is included in other software’s installers. Here’s one example of how it appears in an installer for an unrelated program.

Screenshot: Ace Race offer in the installer

Generally, you can avoid bundled software such as Ace Race by being careful when installing software and declining the bundled offers in the installer.

As usual when I run into some new bundled software, I upload it to VirusTotal to see if the anti-malware scanners there detect anything fishy. 11 of the anti-malware scanners detected the file. The Ace Race files are detected as BrowseFox.F by AVG, W32/S-7bed2e86!Eldorado by F-Prot, Trojan ( 0040f9921 ) by K7GW, PUP.Optional.AceRace.A by Malwarebytes and AdWare.Kranet by VBA32.

Screenshot: Ace Race VirusTotal results

If you would like to remove Ace Race, you can do so with the freeware FreeFixer tool. Select the Ace Race files for removal in FreeFixer, click Fix, reboot your computer and the problem will be gone. Here are a few screenshots to point you in the right direction:

Screenshots: Ace Race removal in Firefox; Ace Race removal in Internet Explorer

Hope that helped you to figure out how to do the removal.

Did you also find Ace Race on your machine? Any idea how it installed? Please share in the comments below. Thank you!

Thanks for reading. Welcome back!

Remove Dynamo Combo Ads

Hello guys and gals. Today I wanted to talk about an adware called Dynamo Combo and give you some removal instructions. Dynamo Combo appears to be a variant of BrowseFox that I blogged about previously. If Dynamo Combo is installed and running on your machine, you will see a new add-on, called Dynamo Combo, installed into Firefox and Internet Explorer. I’ll show how to remove Dynamo Combo in this blog post with the FreeFixer removal tool.

So, how did Dynamo Combo install on your machine? It was probably bundled with some download that you installed recently. Bundling means that software is included in other software’s installers.

Generally, you can avoid bundled software such as Dynamo Combo by being careful when installing software and declining the bundled offers in the installer.

So, how about the Dynamo Combo removal? You can remove Dynamo Combo with the FreeFixer removal tool. A reboot of your computer might be required to complete the removal. Here are a few screenshots from the removal that should help you:

Screenshots: Dynamo Combo removal in Firefox; Dynamo Combo removal in Internet Explorer

Hope that helped you with the removal.

Did you also find Dynamo Combo on your system? Any idea how it was installed? Please share your story in the comments below. Thanks!

Thank you for reading.

Remove Video Dimmer Adware

Hello readers. Hope you are doing ok. Just a quick post on the Video Dimmer adware. It appears that Video Dimmer has been around for some time, but now I noticed it bundled with several downloads. If Video Dimmer is installed on your machine, you’ll find a new service installed and videodimmerservice.exe running in the Windows Task Manager.

I’ll show how to remove Video Dimmer in this blog post with the FreeFixer removal tool.

So, how did Video Dimmer install on your machine? It was probably bundled with some download that you installed recently. Bundling means that software is included in other software’s installers. Here’s how it appeared in the installer:

Screenshot: Video Dimmer offer in the installer

When I find some new bundled software I always upload it to VirusTotal to check if the anti-malware programs there find something. Of the 56 anti-virus scanners, 10 detected the file. AVG detects Video Dimmer as Downloader.CBD, Avira detects it as Adware/PullUpdate.AP, Comodo names it ApplicUnwnt, Malwarebytes names it PUP.Optional.VideoDimmer.A and Qihoo-360 reports HEUR/QVM03.0.Malware.Gen.

All you need to do to remove Video Dimmer is to check the Video Dimmer files in the scan result and click the Fix button. A reboot of your computer may be required to complete the removal. Just select the Video Dimmer files as shown in the screenshots below.

Screenshots: videodimmerservice.exe service; Video Dimmer process

Hope this helped you solve the Video Dimmer problem.

I stumbled upon Video Dimmer while testing out some downloads that are known to bundle lots of unwanted software. Any idea how Video Dimmer was installed on your computer? Please share your story in the comments below. Thank you very much!

Thanks for reading!

Cyti Web Adware Removal Instructions

Hello guys and gals. Just a short post on an adware called Cyti Web. This appears to be a variant of BrowseFox that I’ve previously blogged about many times. If Cyti Web is running on your system, you will find a new add-on installed into Firefox and Internet Explorer. I’ll show how to remove Cyti Web in this blog post with the FreeFixer removal tool.

Screenshot: Cyti Web 1.0.1 add-on in Firefox

CytiWeb is bundled with other software. Bundling means that it is included in another program’s installer. When I first found CytiWeb, it was bundled with a software download called FlvPlayer. The following screen-cap shows how Cyti Web was disclosed in FlvPlayer’s installer when I found it.

Screenshot: Cyti Web offer in the FlvPlayer installer

Generally, you can avoid bundled software such as Cyti Web by being careful when installing software and declining the bundled offers in the installer.

As usual when I find some new bundled software, I upload it to VirusTotal to verify if the anti-virus scanners there detect anything interesting. 32 of the scanners detected the file. The Cyti Web files are detected as BrowseFox.F by AVG, ADWARE/BrowseFox.Gen2 by Avira, Trojan.BPlug.144 by DrWeb, Artemis by McAfee-GW-Edition, Yontoo.C by Symantec and AdWare.Kranet by VBA32.

You can remove Cyti Web with the FreeFixer removal tool. A restart of your machine might be required to complete the removal. Here are a few screenshots that should help you along the way. Problem solved.

Screenshots: Cyti Web removal in Internet Explorer; Cyti Web removal in Firefox

Hope this helped you remove the Cyti Web adware.

Any idea how you got Cyti Web on your computer? Please share by posting a comment. Thanks!

Hope you found this useful. Thanks for reading.

Remove Ads by Unisales – Adware Removal Instructions

Hello readers. Another day, another blog post. Today I wanted to talk about an adware called UniSales and thought I should give you some removal instructions. UniSales appears to be a variant of BuyNSave that I wrote about previously. If UniSales is installed on your computer, you will see ads labeled “Ads by unisales” added into Google’s search results, new add-ons called “Unisales” installed into Firefox and Internet Explorer, pop-up windows labeled “Ads by unisales” and overlay ads, also tagged “Ads by unisales”.

Screenshots: Unisales add-on in Firefox; “Ads by unisales” in Google search results; “Ads by unisales” overlay ad; “Ads by unisales” pop-up ad

I’ll show how to remove UniSales in this blog post with the FreeFixer removal tool.

UniSales is distributed by a tactic called bundling. Bundling means that a piece of software is included in other software’s installers. Here’s how it appeared in the installer:

Screenshot: UniSales offer in the installer

Generally, you can avoid bundled software such as UniSales by being careful when installing software and declining the bundled offers in the installer.

When I stumble upon some new bundled software I always upload it to VirusTotal to verify if the anti-virus programs there detect something interesting. 29% of the anti-virus scanners detected the file. ESET-NOD32 names UniSales as a variant of Win32/AdWare.MultiPlug.BN, F-Secure calls it Gen:Variant.Adware.Graftor.153998, McAfee detects it as Artemis!7E61FEF6948F and McAfee-GW-Edition names it BehavesLike.Win32.Adware.hm.

Screenshot: UniSales VirusTotal results

I’m sure you’d like to remove UniSales, and that’s pretty straightforward with FreeFixer. Select the UniSales files as shown in the screenshots below, click Fix, restart your machine, and the problem should be gone.

Screenshots: UniSales removal in Internet Explorer; UniSales removal in Firefox

Hope this helped you remove the UniSales Adware.

I stumbled upon UniSales while testing out some downloads that are known to bundle lots of unwanted software. Any idea how you got UniSales on your computer? Please let me and the readers know by posting a comment. Thanks a bunch!

Thank you for reading.

How To Remove GamesDesktop

Hello readers. Hope you are doing ok. Today I wanted to talk about something called GamesDesktop and thought I should give you some removal instructions. If GamesDesktop is installed and running on your machine, you will find some new files running in the Windows Task Manager. I’ll show how to remove GamesDesktop in this blog post with the FreeFixer removal tool.

Screenshot: GamesDesktop process in the Task Manager

So, how did GamesDesktop install on your machine? It was probably bundled with some download that you installed recently. Bundling means that software is included in other software’s installers. When I first found GamesDesktop, it was bundled with a download called FastPlayerPro. Here’s one example of how it appears in the FastPlayerPro installer.

Screenshot: GamesDesktop offer in the FastPlayerPro installer

Generally, you can avoid bundled software such as GamesDesktop by being careful when installing software and declining the bundled offers in the installer.

When I run into some new bundled software, I always upload it to VirusTotal to test if the anti-malware software there detects something suspicious. The detection rate is 27/56. Antiy-AVL reports GamesDesktop as Trojan/Win32.TSGeneric, Avast detects it as Win32:Adware-ASG [PUP], AVware reports Tuto4PC (fs), F-Prot calls it W32/S-c61ac5f0!Eldorado, F-Secure calls it Adware.Eorezo.BZ and Symantec calls it WS.Reputation.1.

Screenshot: GamesDesktop VirusTotal results

So, how about the removal? All you need to do to remove GamesDesktop is to check the GamesDesktop files in the scan result and click the Fix button. You might have to reboot your computer to complete the removal. Here are a few screenshots that should help you along the way:

Screenshots: GamesDesktop startup entry removal; GamesDesktop process removal

Hope that helped you with the removal.

Do you also have GamesDesktop on your computer? Any idea how it was installed? Please share by posting a comment. Thanks!

Thanks for reading. Welcome back!

Remove Internet Program – “Ads by internet program” Removal Instructions

Hello readers. Hope you are doing ok. Did you just find something called Internet Program on your machine? This seems to be a variant of BrowseFox/AltBrowse that I’ve previously written about. If the Internet Program adware is running on your machine, you will notice ads labeled “Ads by internet program” added in Internet Explorer and Mozilla Firefox and “internet program” Related Searches added on the left side of the web browser’s view port. Google Chrome seems to have been unaffected by the adware. Did you see anything added into Chrome?

I’ll show how to remove Internet Program in this blog post with the FreeFixer removal tool.

Screenshots: “Ads by internet program” ads; Internet Program Related Searches

Internet Program is bundled with a number of downloads. Bundling means that software is included in other software’s installers. When I first found Internet Program, it was bundled with a fake Google Chrome download. This is how Internet Program was disclosed in the fake Google Chrome’s installer when I found it.

Screenshot: Internet Program offer in the fake Google Chrome installer

As you can see, Internet Program is clearly adware. But for unknown reasons the anti-virus programs did not detect Internet Program when I uploaded it to VirusTotal:

Screenshot: Internet Program VirusTotal results

Generally, you can avoid bundled software such as Internet Program by being careful when installing software and declining the bundled offers in the installer.

So, how about the removal? All you need to do to remove Internet Program is to check the Internet Program files in the scan result and click the Fix button. A reboot of your machine might be required to complete the removal. Here are a few screen-caps that should help you along the way:

Screenshots: Internet Program removal in Internet Explorer; Internet Program removal in Firefox

Hope this helped you remove the Internet Program adware.

Did you also find Internet Program on your machine? Any idea how it was installed? Please share in the comments below. Thank you!

Thank you for reading.

Update 2014-12-18: The files are still not detected by any of the anti-virus scanners at VirusTotal.