Monthly Archives: August 2014 – Removal Instructions

Hello there! Sorry for not posting for the last days. I’ve been on a short holiday. Came back home yesterday and found a search engine called that is being bundled with some downloads. Here’s how the appears in the web browser: in the web browser

Do you also have on your machine? It probably installed as a bundled offer. That’s where I found it. Here’s how is disclosed in the installer:

safefinder installer

Clicking the Terms of Service links in the installer brings up this web page:

safefinder terms

According to the Terms of Service, safefinder is run by a company called MobileMonetizer LTD.

Removing is pretty straightforward. Just select the items for removal in FreeFixer and the problem should be solved: internet explorer settings

Did you also get in your browser? Do you remember which download that bundled it? Please share by posting a comment below.

ShopOp – Removal Instructions

Did you spot something called ShopOp on your computer and wonder where it came from? It is likely that ShopOp was bundled with another software download. Here’s how ShopOp was disclosed when I found it bundled:

shopop bundled in a software download

You can uninstall ShopOp from the Programs and Features dialog in the Windows Control Panel. If ShopOp cannot be found there, or if its uninstaller is not working, then you can use FreeFixer to remove the ShopOp files. – How did it install on your computer?

Did your browser’s home page and search settings recently change to Are you are wondering how this web site installed itself on your machine?

It’s likely that was bundled with another software downloader. That’s where I found it, bundled in an unofficial Google Chrome download, digitally signed by Smart Secure Software. Here’s how was disclosed in the installer:


To uninstall, you can use the entry in the Add/Remove programs list or use FreeFixer to uninstall it.

SkypEmoticons – What Is SkypEmoticons and How To Remove It

Just a quick post on a program called SkypEmoticons. I found this bundled with another software download. If SkypEmoticons showed up unexpectedly on your machine, you may also have installed it as a bundled offer.

I uploaded the main file of SkypeEmoticons, SE.exe, to VirusTotal to see if the anti-virus scanners reported it. Only one of the anti-virus tools detected the SE.exe file, and that was Tencent, which reported the SE.exe file as Win32.Trojan.Falsesign.

skypemotics virustotal report

If you’d like to uninstall SkypEmoticons, you can simply check the SE.exe file for removal in FreeFixer:

skypemoticons startup skypemoticons se.exe process

Or uninstall it from the Add/Remove programs dialog:

skypemotics uninstall

Did you also find SkypEmoticons on your machine? Any idea how it was installed?

Score.exe Removal Instructions

Yesterday I was testing the Smart Secure Software download, that is known to bundle lots of unwanted programs. After going through the installer a new service appeared on the machine called score.exe. I though the file looked suspicious, since it was unsigned, had no version information, dropped in the c:\Windows folder,  and no entry in the Add/Remove programs dialog.

To my surprise none of the anti-virus programs over at VirusTotal detected the file:

score.exe virustotal report

It will be interesting to see if any of the anti-virus scanners starts to pick up score.exe.

So, should the score.exe file be removed? Yes I think so. You can remove it from FreeFixer by selecting the score.exe process and service:

scores service scores.exe process

Did you also find score.exe on your machine? Any idea how it got there?

Update 2014-10-07: Many of the anti-virus programs are now detecting score.exe:

  • AVG Agent5.HW
  • AVware Trojan.Win32.Generic.pak!cobra
  • Ad-Aware Trojan.Generic.11822832
  • Avast Win32:Dropper-gen [Drp]
  • Baidu-International Trojan.Win32.Agent.BWGA
  • BitDefender Trojan.Generic.11822832
  • Cyren W32/Trojan.KZBC-4044
  • ESET-NOD32 a variant of Win32/Agent.WGA
  • Emsisoft Trojan.Generic.11822832 (B)
  • F-Secure Trojan.Generic.11822832
  • Fortinet W32/Agent.WGA!tr
  • GData Trojan.Generic.11822832
  • Ikarus Trojan.Win32.Agent
  • McAfee Artemis!08675763B644
  • McAfee-GW-Edition Artemis
  • MicroWorld-eScan Trojan.Generic.11822832
  • Qihoo-360 Win32/Trojan.Dropper.c9f
  • Symantec Trojan.Gen.2
  • TheHacker Trojan/Agent.wga
  • TrendMicro TROJ_GEN.R0C1C0EJ514
  • TrendMicro-HouseCall TROJ_GEN.R0C1C0EJ514
  • VIPRE Trojan.Win32.Generic.pak!cobra
  • nProtect Trojan.Generic.11822832

UniversalUpdater, UpdateService.exe and AlNaddy Removal

Hello readers! Hope you are having a good time and not too many malware issues. Currently I’m on a short vacation, but I brought the laptop since I found a few new malware programs that I wanted to post about.

Found something called UniversalUpdater while testing out another download. If you’ve got UniversalUpdater on your machine, you’ll notice UpdateService.exe and CrashMon.exe running in the Windows Task Manager.

So, what’s are those two files? Well, a few of the anti-virus scanners over at VirusTotal flags the files as you can see in the screenshot. Artemis and Alnaddy are two of the detection names.

UniversalUpdater is detected as Alnaddy and Artemis

I could not see any entry for UniversalUpdater in the Add / Remove programs dialog. However, removing UniversalUpdater is easy with FreeFixer, just select the CrashMon.exe and UpdaterService.exe file for removal:

updaterservice.exe and the crashmon.exe files updaterservice.exe service

Did you also find UniversalUpdater on you machine? Any idea how it was installed?

ServiceChecker, Pirrit and UptUpdater.exe Removal Instructions

Another find today. Stumbled on a file called UptUpdater.exe, also bundled by an unofficial Google Chrome download. I first spotted the UptUpdater.exe file running in the Windows Task Manager, but after a while UptUpdater.exe showed its GUI, where it claimed to install something called ServiceChecker:ServiceChecker

Anyway, as usual when I find some new file, I upload them to VirusTotal to see what the anti-virus scanners says about the file. Turns out UptUpdater.exe is detected by a file of the anti-virus scanners, under names such as Adware.Win32.PirritAdware.Downware and Pirrit.UptUpdater.exe Pirrit VirusTotal Report

If you’d like to remove Pirrit from your machine, you can do so by selecting the UptUpdater.exe file in FreeFixer:UptUpdater.exe process

Did you also find the ServiceChecker/Pirrit/UptUpdater.exe on your computer? Any idea how it was installed?

Salus Adware – “Ads by Salus” Removal Instructions

Do you see ads labeled “Ads by Salus” while browsing the web, even on web sites that normally don’t have any advertisements? If so, you have the Salus Adware installed on your machine. Here’s how a Salus banner might look like:Ads by salusThe Salus adware, or Salus Protector, or Salus Internet Protector as the installer refers to it is bundled with other software downloads. I found Salus bundled with an unofficial Google Chrome download. Here’s how the disclosure looks like:

salus internet protector installer

For obvious reasons, Salus is adware. However, it appears as the anti-virus scanners have not yet started to detect it. Detection rate is 0/54 according to VirusTotal. I’m sure the anti-virus scanners will detect Salus sooner than later.

So, how can the Salus Adware be removed. No problem, you can easily uninstall it with FreeFixer. Just select the salus.exe and salus.sys file as shown in the screenshots below:

salus.sys driver salus.exe startup

Or from the uninstall programs dialog:

salus uninstall

Did you also have Salus installed on your machine? Any idea how it installed itself?

Hope you found this useful.

KernelScreenshotWin32.exe – Looks like malware to me

Just a quick note on a file called KernelScreenshotWin32.exe that I found earlier today. The file uses typical malware behaviour, that is, it has no version information, no digital signature, no entry in the Add/Remove programs dialog, runs in an unusual folder, called C:\Windows\SysWOW64\KernelScreenshotWin32\ instead of c:\Program Files, bundled with a file signed by Smart Secure Software, no visible GUI, runs in the background, etc, etc.

KernelScreenshotWin32.exe file

However, when I uploaded the file to VirusTotal, none of the 50+ anti-virus programs detected it. Maybe I’m incorrectly calling this malware? It will be interesting to see if some of the scanners start to pick up the KernelScreenshotWin32.exe file in the future.

Anyway, if you’d like to remove the KernelScreenshotWin32.exe file you can do so with FreeFixer. Just select the KernelScreenshotWin32.exe process and service:

KernelScreenshotWin32.exe process KernelScreenshotWin32.exe service

Did you also find KernelScreenshotWin32.exe on your machine? Any idea how it was installed? Please share by posting a comment.

What is SurfSafely? – It’s Adware

Do you have something called SurfSafely installed on your machine and you are wondering what it is? As you can see in the SurfSafely installer, SurfSafely is clearly adware:

surfsafely installer

Advertising is added to content viewed through your web browser.. may include sponsored links, banner ads, pop-up ads, and other forms of advertising.

Hope that helped you figure out what SurfSafely is. Any idea how you got SurfSafely on your machine? Please share by posting a comment below.

If you’d like to remove SurfSafely you can do so with FreeFixer. Just select the SurfSafely file for removal and the ad problem will be solved.