Monthly Archives: August 2014

CashNBack and NCupons – Removal Instructions

Found another bundled piece of software this morning. It’s called Cash’n’Back or NCupons and has been around for a while. If you have this on your machine, you’ll see the CashNBack.exe process running in the background.

Cash’n’Back is bundled with other software downloads. Here’s how it is disclosed in the installer where I found it:

cashnback installer

CashNBack’s web site is ncupons.com if you’d like to review the Terms and Conditions and the Privacy Policy.

cashnback's web site is ncupons.com

If you’d like to remove NCupons/CashNBack you can do so from the Add/Remove programs dialog, or by selecting the Cash’n Back files in FreeFixer.

cashnback uninstall

cashnback

I uploaded the CashNBack.exe file to VirusTotal and Malwarebytes detected it as PUP.Optional.CashNBack.A.

How To Remove The Glomatron Adware

Stumbled on an adware called Glomatron yesterday when testing a software download. Glomatron was disclosed in the installer as you can see below. Basically Glomatron will insert various types of ads by modifying the web pages you currently visit. According to the installer it may show offers, coupons, related search results, etc.

Glomatron bundled

Generally, software such as Glomatron is distributed by bundling. That is, the software is included in an unrelated download. You can avoid Glomatron and other bundled software by carefully reviewing what the installer displays and opting out from the unwanted software, before proceeding in the installer by clicking the Next, Accept or Install button.

Here’s how Glomatron appears in Firefox:

glomatron in firefox

So how can Glomatron be removed? It’s pretty easy with FreeFixer: just select the Glomatron files for removal and the ads will be gone. You can also uninstall it from the Add/Remove programs dialog.

glomatron internet explorer bho

glomatron firefox add-on

Did you also get Glomatron on your machine? What kind of download was it and where did you find it?

 

File Monarch & java_setup.exe – Stay away from it – 34% detection rate

If you are a regular here on the FreeFixer blog you know that I’ve been looking at the certificates used to sign files that bundle various types of unwanted software.

While I was looking around on some recently submitted files here on freefixer.com I found a file called java_setup.exe signed by a company called File Monarch. The problem here is that if this really was a setup file for Java, it would have been digitally signed by Oracle and not by some unknown company. This looks very suspicious. And the VirusTotal report shows that the File Monarch file should be avoided, since java_setup.exe is detected as Adware.IBryte, Optimum Installer and Trojan.Win32.Buzus.

File Monarch - java_setup.exe VirusTotal report

This tactic appears to be pretty common to get users to install something that they didn’t want: Pop up some file and claim that Java or the Flash Player needs to be updated.

Well, hope that helped you avoid some adware or whatever this java_setup.exe file would install.

Did you also find some file signed by File Monarch, or a file falsely claiming to be a Java setup file? Where did you find them?

I’ll dig around a bit more in the FreeFixer database to see if there are some other fake Java setup files.

 

Wilmaonline LTD – VirusTotal and Bundling Report

Found a file this morning, claiming to be a Flash Player setup file. However, the file was not digitally signed by Adobe, which is the publisher of the Flash Player. Instead it was signed by a company called Wilmaonline LTD., which made it look suspicious.

Wilmaonline LTD. publisher

According to the certificate that is embedded in the file, Wilmaonline is a company located in Israel.

Wilmaonline LTD. certificate
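
The signer check applied to the File Monarch and Wilmaonline files can be scripted; the following PowerShell is an added example, not code from FreeFixer or from the original posts. The expected publisher names, the function names and the subject strings of the constructed samples are assumptions made for the illustration.

```powershell
# Added example. Assumption: the organisation names below; confirm them against
# an installer downloaded directly from the vendor before relying on them.
$ExpectedPublisher = @{
    'java'  = @('Oracle America, Inc.')
    'flash' = @('Adobe Systems Incorporated', 'Adobe Inc.')
}

function Get-SubjectField([string]$Subject, [string]$Field) {
    # Extract one attribute (O or CN) from a certificate subject string;
    # values that contain commas are quoted in the subject.
    if ($Subject -match "(?:^|,\s*)$Field=(?:""([^""]+)""|([^,]+))") {
        if ($Matches[1]) { return $Matches[1] }
        return $Matches[2].Trim()
    }
    return $null
}

function Test-ClaimedPublisher([string]$FileName, [string]$Status, [string]$Subject) {
    # Which product does the file name claim to be? (substring match, so
    # unrelated names containing "java" or "flash" are also checked)
    $claim = $ExpectedPublisher.Keys | Where-Object { $FileName -match $_ } |
        Select-Object -First 1
    if (-not $claim) { return 'no claim recognised' }
    if ($Status -ne 'Valid') { return "SUSPICIOUS: claims $claim, signature status $Status" }
    $org = Get-SubjectField $Subject 'O'
    if (-not $org) { $org = Get-SubjectField $Subject 'CN' }
    if ($ExpectedPublisher[$claim] -contains $org) { return "ok: signed by $org" }
    return "SUSPICIOUS: claims $claim, signed by $org"
}

function Test-InstallerSigner([string]$Path) {
    # Real check for a file on disk: read its Authenticode signature.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    Test-ClaimedPublisher (Split-Path $Path -Leaf) $sig.Status $subject
}

# Constructed samples: file and signer names come from the posts, the subject
# string layout is made up for the demonstration.
Test-ClaimedPublisher 'java_setup.exe' 'Valid' 'CN=File Monarch, O=File Monarch'
Test-ClaimedPublisher 'FlashPlayersetup__2570_i1300328638_il1783.exe' 'Valid' 'CN=Wilmaonline LTD., O=Wilmaonline LTD., C=IL'
Test-ClaimedPublisher 'java_setup.exe' 'Valid' 'CN="Oracle America, Inc.", O="Oracle America, Inc.", C=US'
Test-ClaimedPublisher 'java_setup.exe' 'NotSigned' ''
```

For a downloaded file, call `Test-InstallerSigner` with its path before running it. A valid signature only proves who signed the file, so a mismatch between the claimed product and the signer is the signal to act on.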

So, what do the anti-virus programs say about the Wilmaonline file? No problem, I just uploaded the file to VirusTotal and it turned out that many of the anti-virus programs detect the Wilmaonline file, with names such as Adware.Downware and PUP.Optional.Amonetize.

Wilmaonline LTD  Virus Total Report - PUP.Optional.Amonetize, Adware.Downware

To see in more detail what changes the Wilmaonline file would make on a user’s computer, I decided to run the file on my lab machine. The following InstallPath installer appeared, where “Flash Player”, Dolphin Deals, Flow Surf, Webssearches and OffersWizard were selected for installation by default. This is probably the reason why the anti-virus programs detect the Wilmaonline file, in addition to using Adobe’s Flash trademark.

Wilmaonline LTD. - installer for Flash Player, Dolphin Deals, Flow Surf, Webssearches, OffersWizard

Did you also find a file digitally signed by Wilma Online? What kind of download was it and where did you find it?

Update 13 Sep 2014: Thought I should follow up on this one. The Wilmaonline signed files are still being distributed. They are promoted as Flash Players, chess games, Ask.FM trackers, keygens, cracks, etc. The installer file includes lots of bundled programs, but for unknown reasons, nothing is installed when I click through the installer. Did you also see this behaviour, or did it install the bundled programs on your machine? The anti-virus programs have improved their detection rates somewhat for the WilmaOnline files:

  • 18/54 – FlashPlayersetup__2570_i1300328638_il1783.exe
  • 15/52 – Chess Titans setup__6670_il4710.exe
  • 15/55 – Ask Fm Tracker 2014 Downloader__3687_i1301881522_il2700510.exe
  • 14/55 – Keygen Installer__9167_il260.exe

BrowseBurst – Software Description and Removal Instructions

Did you see some ads labeled BrowseBurst, find a folder called BrowseBurst in “c:\Program Files” or the BrowseBurst item in the Add/Remove programs dialog and wonder what it is?

The screenshot from the BrowseBurst installer explains what the software does. It will show various types of advertisements, such as “offers”, coupons, website ratings, related search results, etc. Some of the ads are inserted into web pages while you browse the web, even though the underlying web site is not affiliated with BrowseBurst. BrowseBurst will also collect user information for ad relevance and “other purposes”.

BrowseBurst

Typically adware such as BrowseBurst is bundled with free software downloads and can be avoided by carefully navigating through the software installer, unchecking or declining the bundled offers, such as BrowseBurst.

How is BrowseBurst removed? You can uninstall BrowseBurst from the Add/Remove programs dialog. If that fails for some reason, you can also remove BrowseBurst with FreeFixer. Just check the BrowseBurst files for removal, reboot and the ads will be gone.

How did you get BrowseBurst on your machine and how did you notice it?

Igor Kramoren – Warning for files signed by this publisher!

Stumbled on a file this morning, digitally signed by Igor Kramoren.

Igor Kramoren Certificate Igor Kramoren publisher

The issue with the Igor Kramoren file is that it is detected by many of the anti-virus programs. Here are some of the detection names:

  • BitDefender Gen:Variant.Zusy.100672
  • DrWeb Trojan.Siggen6.21336
  • ESET-NOD32 a variant of Win32/AdWare.MultiPlug.AQ
  • F-Secure Gen:Variant.Zusy.100672
  • Ikarus AdWare.Graftor
  • Malwarebytes PUP.Optional.InstallRex
  • McAfee PUP-FMH
  • Panda Trj/Kazy.AS

Did you also find a file digitally signed by Igor Kramoren? What kind of download was it and where did you find it?