Do you see advertisements labeled Ads By Cinema-Plus 1.2 while browsing the web? If so, you have adware called CinameHDPure installed on your machine. The CinameHDPure files are digitally signed by a company called Motoko Group. This is what the Ads By Cinema-Plus 1.2 ads look like:
Removing CinameHDPure is pretty straightforward. Just select the CinameHDPure files in FreeFixer as shown in the screenshots and you’ll be good:
I think there are multiple variants of this adware. The variant I found was named CinameHDPureV9.5.
How did you get the Ads By Cinema-Plus ads on your machine?
Did your search settings and home page in Mozilla Firefox and Internet Explorer get changed to Groovorio.com? No problem, just select the Groovorio.com items in FreeFixer’s scan result and the problem will be solved.
How did you get Groovorio.com on your computer? I found it bundled in a downloader program. Here’s how it was disclosed in the installer:
Hope you found this useful.
Just a quick post to warn you about files digitally signed by Stanislav Kabin. The file I found was detected by many of the anti-virus programs. Here’s how Stanislav Kabin appears in the UAC dialog.
The Stanislav Kabin certificate shows that the publisher is located in Russia.
Did you also find a file signed by Stanislav Kabin? What kind of file was it, and where did you find it?
Here’s the VirusTotal scan results:
Do you see ads labeled “Ads by TheTorntv” while searching on Google, like in the screenshot below?
If you see TheTorntv ads, you have adware installed on your machine called TheTorntv. Don’t worry, I’ll show how to remove TheTorntv with FreeFixer. The files that you want to remove are located in a folder called TheTorntv V10 in the Program Files folder.
Just select the following files for removal in FreeFixer’s scan result and the ads will be gone after you reboot your machine:
The following are the detection names for TheTorntv, thanks to VirusTotal:
- a variant of Win64/Toolbar.Crossrider.F
- Crossrider (fs)
How did you get TheTorntv on your machine? I found it while looking around at a torrent site.
Just wanted to give you the heads up on a publisher called Information Technology Systems doo.
According to the certificate, the publisher is located in Montenegro:
This is the VirusTotal scan report for the Information Technology Systems doo file:
Generic.DAA, Unwanted-Program and are some of the detection names.
Did you also find a file signed by Information Technology Systems doo? What kind of download was it? In my case, the download claimed to be the Flash Player installer.
Update 2014-09-03: Found a file promoted as a Java installer, signed by Information Technology Systems doo:
The web page is hosted on softkopro.net. The file is called java_setup.exe and is detected by 10 of the 55 anti-virus programs at VirusTotal.
According to the web page, java_setup.exe is a downloader, rather than the real Java setup file:
“Coinis downloader is distributing a proprietary download manager that will take you to the official download of this program. Prior to taking you to the official download, we will offer optional sponsored software that you may be interested in. You are not required to install any additional software to receive your download.”
Update 2016-09-23: I’ve rescanned the java_setup.exe file. Now the detection rate is 31/57. Based on the scan result over at VirusTotal and by looking at the java_setup.exe executable file, it seems that the file contains the InstallCore software rather than the Coinis downloader, contrary to what the web page at softkopro.net stated.
I just found a program called WiredTools, which installed with the SoundFrost music download software. You might notice WiredTools.exe running in the background or that it appears in the Add/Remove programs dialog:
I have not figured out what the purpose of the WiredTools program is, but I think it looks suspicious. I could not see any disclosure in the SoundFrost installer that WiredTools would be installed.
I uploaded WiredTools.exe to VirusTotal. Only one of the scanners detected the file, as HEUR/Malware.QVM10.Gen:
Did you also find WiredTools on your computer? Did you also get it while installing SoundFrost?
I’ve previously written about JDownloader. Today I noticed that another company called Onekit Internet S.L has signed the JDownloader file.
When I tested the installer, the following programs were bundled and disclosed in the installer:
- iRobinHood Partners Addon
- Remote Desktop Access (VuuPC)
- PC Speed Up
10 of the anti-virus scanners are detecting the Onekit Internet S.L file:
Do you see something called PC_Booster and PC_Sustainer 1.80 running on your machine?
No problem, here’s how to remove PC_Booster and PC_Sustainer 1.80 with FreeFixer:
Hope you found this useful. How did you get PC_Booster and PC_Sustainer 1.80 on your machine?
Just found a download digitally signed by Saul Perec. I’d recommend being careful if you also have downloaded a file signed by Saul Perec. This is the VirusTotal scan for the Saul Perec file:
Luckily Windows warns when launching a downloaded file and shows the publisher information.
You can also view the Saul Perec certificate by right-clicking on the file, and looking under the Digital Signature tab:
Did you also find a file signed by Saul Perec? Where did you find it and what kind of download was it?
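The same publisher check can be scripted instead of opening each file's properties by hand. The following PowerShell is an added example, not part of the original posts or of FreeFixer: it lists signed files in a folder whose Authenticode publisher matches one of the signer names mentioned on this page. The function name `Find-FilesByPublisher` and the default Downloads path are assumptions.

```powershell
# Added example: find signed files whose Authenticode publisher matches a
# name mentioned in these posts. Function name and default path are assumptions.
function Find-FilesByPublisher {
    param(
        [string]$Path = (Join-Path $env:USERPROFILE 'Downloads'),
        [string[]]$Publishers = @(
            'Motoko Group',
            'Stanislav Kabin',
            'Information Technology Systems doo',
            'Onekit Internet S.L',
            'Saul Perec'
        )
    )

    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.msi -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            if ($null -eq $cert) { return }   # unsigned file: no publisher to compare

            # SimpleName is normally the publisher name Windows displays for the signer
            $name = $cert.GetNameInfo(
                [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

            foreach ($p in $Publishers) {
                if ($name -like "*$p*") {
                    [pscustomobject]@{
                        File       = $_.FullName
                        Publisher  = $name
                        Subject    = $cert.Subject      # includes the C= country field
                        Status     = $sig.Status        # Valid, NotTrusted, HashMismatch, ...
                        Thumbprint = $cert.Thumbprint
                    }
                    break
                }
            }
        }
}

Find-FilesByPublisher | Format-List
```

A `Valid` status only means the signature verifies against a trusted chain; it says nothing about whether the signed program is wanted, so matches still need to be reviewed.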
Did you just launch your web browser and notice your start page had been changed to websearch.flyandsearch.info? No problem, I’ll show how to remove the websearch.flyandsearch.info start page and search provider from Internet Explorer and Mozilla Firefox in this blog post. Here’s how flyandsearch.info appears in Firefox:
The removal is easy with FreeFixer: just select the websearch.flyandsearch.info items listed in the FreeFixer scan result, as shown in the screenshots below, and then click the Fix button. Problem solved.
How did you get websearch.flyandsearch.info on your computer? I found it in a download that claimed to be an episode of a famous TV-series.