Monthly Archives: January 2015

Yes Apps – 36% Detection Rate – OutBrowse

Welcome! Short on time today, but I just wanted to give you the heads up on a publisher called Yes Apps.

Yes Apps UAC

Typically you’d see the Yes Apps publisher name appear when double-clicking on the installer_jdownloader_English.exe file. You can also look at the Yes Apps certificate and digital signature under the Digital Signatures tab in the file’s properties. According to the certificate, Yes Apps is located in Dublin, Ireland.

Yes Apps certificate

After uploading the Yes Apps file – installer_jdownloader_English.exe – to VirusTotal, it was clear that it’s probably better to delete the file than to run it. The detection rate was 36% and some of the detection names were: Downloader.DGR, APPL/Downloader.Gen, PUP.Optional.OutBrowse, Adware-OutBrowse.e and Trojan.Win32.Generic!BT.

Yes Apps virustotal

Did you also find a file signed by Yes Apps? What kind of download was it and where did you find it?

Thank you for reading.

Nextup – 30% Detection Rate – PUA.Verti / NextUp / Rocketfuel Installer

Hi there! Another short post this evening. Just wanted to give you the heads up on a publisher called Nextup.

Nextup UAC

If you have a Nextup file on your machine you may have noticed that Nextup is displayed as the publisher in the UAC dialog when double-clicking on the file. To get more details on the publisher, you can view the certificate by right-clicking on the file and looking under the Digital Signatures tab. According to the embedded certificate, Nextup seems to be located in Bellevue, Washington, in the US, and the certificate is issued by COMODO Code Signing CA 2.

Nextup certificate
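The Yes Apps and Nextup posts both walk through the same manual check: look at the publisher in the UAC dialog, open the Digital Signatures tab, then upload the file to VirusTotal. The following PowerShell script is an added example, not code from the FreeFixer blog or from FreeFixer itself; it reads the same certificate fields (subject, issuer, validity start) with `Get-AuthenticodeSignature` and computes the file’s SHA-256 so you can search VirusTotal for the hash instead of uploading the file. The default path is a placeholder and should be pointed at the installer you downloaded.

```powershell
# Added example (not code from the FreeFixer blog): inspect an installer's
# Authenticode signature and compute its SHA-256 so the hash can be searched
# on VirusTotal. The default path is a placeholder; point it at your download.
param(
    [string]$Path = 'C:\Users\Public\Downloads\installer_jdownloader_English.exe'  # placeholder
)

function Get-InstallerSignatureSummary {
    param([Parameter(Mandatory)][string]$FilePath)

    $sig  = Get-AuthenticodeSignature -FilePath $FilePath
    $hash = Get-FileHash -Path $FilePath -Algorithm SHA256
    $cert = $sig.SignerCertificate

    # Subject and Issuer carry what the Digital Signatures tab shows: the
    # publisher name, its city and country, and the issuing CA.
    $publisher = if ($cert) { $cert.Subject }   else { '<unsigned>' }
    $issuer    = if ($cert) { $cert.Issuer }    else { '<unsigned>' }
    $validFrom = if ($cert) { $cert.NotBefore } else { $null }

    [pscustomobject]@{
        File      = $FilePath
        Status    = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Publisher = $publisher
        Issuer    = $issuer
        ValidFrom = $validFrom       # a certificate issued days ago deserves a second look
        SHA256    = $hash.Hash
    }
}

$summary = Get-InstallerSignatureSummary -FilePath $Path
$summary | Format-List

# A signature only proves who signed the file, not that it is safe: the files in
# this archive carry COMODO and GlobalSign certificates and still score 20-39%
# on VirusTotal, so the hash lookup is the part that actually answers the question.
Write-Host "Search VirusTotal for this SHA-256: $($summary.SHA256)"
```

Run it as `.\Check-Installer.ps1 -Path 'C:\path\to\file.exe'` in a normal (non-elevated) PowerShell window; nothing here executes the installer. A `Status` of `NotSigned` or `HashMismatch` is as informative as a suspicious publisher name, since a bundler that tampers with a signed installer breaks the hash.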

After uploading the Nextup file – MediaPlayerClassicInstaller.exe – to VirusTotal, it was clear that it’s probably better to delete the file than to run it. The detection rate was 30% and some of the detection names were: PUA.Verti, NextUp and Rocketfuel Installer (fs).

Nextup virustotal

Did you also run into a download that was signed by Nextup? What kind of download was it and was it detected by the anti-virus programs at VirusTotal? Please share by posting a comment.

Thanks for reading.

Install Path Ltd – 25% Detection Rate – Strictor, Amonetize

Hi there! Sorry for the silence for the last days. I’ve been having a few days off.  Anyway, I’m back on the blog again.

Did you just download something to your system digitally signed by Install Path Ltd? Then read on..

Install Path LTD comodo

By examining the embedded certificate, we can see that Install Path Ltd is located in Israel. The certificate is issued by COMODO RSA Code Signing CA. The certificate appears to be quite new.

Install Path Ltd certificate

So, why did I put up this blog post? Well, the thing is that the Install Path Ltd file is detected by many of the scanners, according to VirusTotal. Avast detects Setup__6741_i1454683454_il235.exe as Win32:Rootkit-gen [Rtk], AVG calls it InstallPath.7F5 , Avira detects it as ADWARE/Adware.Gen2, BitDefender calls it Gen:Variant.Adware.Strictor.75886, ESET-NOD32 classifies it as a variant of Win32/Amonetize.CX, Malwarebytes classifies it as PUP.Optional.Bundle and Panda calls it PUP/MultiToolbar.A.

Install Path Ltd virustotal

Did you also find an Install Path Ltd file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thank you for reading.

Update 2015-03-03: Found another Install Path file. The detection was almost the same: 28%.

Remove kongregate.com Pop Up Ads Caused By Adware

Does this sound like what you are seeing right now? You see pop-up ads from kongregate.com appearing in new tabs while browsing at sites that usually don’t advertise with pop-ups. The pop-ups manage to escape the built-in pop-up blockers in Chrome, Firefox, Internet Explorer or Safari. Perhaps the kongregate.com pop-ups show up when clicking search results from Google? Or do the pop-ups show up even when you’re not browsing?

Here is how the kongregate.com ad looked on my system:

kongregate.com pop up

If this sounds like your computer, you almost certainly have some adware installed on your system that pops up the kongregate.com ads, so there’s no point contacting the owner of the web site you were browsing. The ads are not coming from them. I’ll do my best to help you with the kongregate.com removal in this blog post.

Those who have been reading this blog already know this, but for new visitors: Recently I dedicated a few of my lab computers and intentionally installed some adware programs on them. Since then I have been monitoring the actions on these machines to see what kinds of advertisements are displayed. I’m also looking at other interesting things, such as whether the adware auto-updates or downloads additional unwanted software onto the machines. I first observed the kongregate.com pop-up on one of these lab machines.

So, how do you remove the kongregate.com pop-up ads? On the machine where I got the kongregate.com ads I had GamesDesktop, MedPlayerNewVersion, Movie Wizard and istartsurf installed. I removed them with FreeFixer and that stopped the kongregate.com pop-ups and all the other ads I was getting in Mozilla Firefox.

The problem with this type of pop-up is that it can be produced by many variants of adware. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

Anyway, here’s my suggestion for the kongregate.com ads removal:

  1. What software do you have installed if you look in the Add/Remove programs dialog in the Windows Control Panel? Something that you don’t remember installing yourself or that was recently installed?
  2. You can also review the add-ons that you have in your browser. Same thing here, do you see something that you don’t remember installing?
  3. If that didn’t help, I’d recommend a scan with FreeFixer to manually track down the adware. FreeFixer is a freeware tool that I’m working on that scans your computer at lots of locations, such as browser add-ons, processes, Windows services, recently modified files, etc. If you want to get additional details about a file in the scan result, you can click the More Info link for that file and a web page will open up with a VirusTotal report which will be very useful to determine if the file is safe or malware:

    FreeFixer More Info link example
    An example of FreeFixer’s “More Info” links. Click for full size.

Did this blog post help you to remove the kongregate.com pop-up ads? Please let me know, or tell me how I can improve this blog post.

Thank you!

Remove cr.install-daddy.com from Firefox, Chrome and Internet Explorer

This page shows how to remove cr.install-daddy.com from Mozilla Firefox, Google Chrome and Internet Explorer.

Does this sound like your story? You see cr.install-daddy.com in your browser’s status bar or in your network log while browsing at websites that mostly don’t load any content from third party domains. Perhaps the cr.install-daddy.com domain shows up when performing a search at the Google.com search engine?

Here’s a screen capture of cr.install-daddy.com when it showed up on my system:

cr.install-daddy.com connection

The following are some of the status bar notifications you may see in your browser’s status bar:

  • Waiting for cr.install-daddy.com…
  • Transferring data from cr.install-daddy.com…
  • Looking up cr.install-daddy.com…
  • Read cr.install-daddy.com
  • Connected to cr.install-daddy.com…

If this sounds like what you are seeing on your machine, you almost certainly have some adware installed on your machine that makes the cr.install-daddy.com domain appear in your browser. So there’s no use contacting the owner of the site you were browsing. The cr.install-daddy.com statusbar messages are not coming from them. I’ll do my best to help you remove the cr.install-daddy.com message in this blog post.

Those who have been reading this blog already know this, but if you are new: Some time ago I dedicated a few of my lab machines and knowingly installed a few adware programs on them. Since then I have been monitoring the behaviour on these machines to see what kinds of advertisements are displayed. I’m also looking at other interesting things, such as whether the adware updates itself automatically or downloads additional unwanted software onto the machines. I first noticed cr.install-daddy.com in Mozilla Firefox’s status bar on one of these lab computers.

install-daddy.com resolves to 192.31.186.37 and cr.install-daddy.com to the 69.16.175.10 IP address. cr.install-daddy.com was registered on 2013-06-13. Unfortunately I cannot see the WHOIS info, since it is protected by WHOISGUARD, INC.

So, how do you remove cr.install-daddy.com from your web browser? On the machine where cr.install-daddy.com showed up in the status bar I had TornTV installed. I removed it with FreeFixer and that stopped the web browser from loading data from cr.install-daddy.com.

The problem with this type of status bar message is that it can, or at least I think it can, be caused by many variants of adware, not just TornTV. This makes it impossible to say exactly what you need to remove to stop the status bar messages.

Anyway, here’s my suggestion for the cr.install-daddy.com removal:

The first thing I would do to remove cr.install-daddy.com is to examine the software installed on the machine, by opening the “Uninstall programs” dialog. You can open this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows you can just type in “uninstall” in the Control Panel’s search field to find that dialog:
Uninstall a program search

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Uninstall a program dialog

Do you see something strange-looking in there or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if some program was installed about the same time as you started observing the cr.install-daddy.com status bar messages. Do you see TornTV listed there?
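The “Installed On” tip above is the most useful single step in this procedure, and it is easy to automate. The following PowerShell script is an added example, not part of the original post or of FreeFixer; it reads the same registry keys the Control Panel’s Uninstall a program dialog is built from (the per-machine 64-bit and 32-bit Uninstall keys plus the per-user one) and lists the entries newest first. The 30-day window is an assumption you can change, and entries with no recorded install date are kept rather than hidden, since bundled programs do not always write one.

```powershell
# Added example (not part of the original post): list installed programs newest
# first, the same view as sorting the Control Panel's "Installed On" column.
# The $SinceDays window is an assumption; widen it if the pop-ups are older.
param([int]$SinceDays = 30)

# Registry keys behind the "Uninstall a program" dialog: per-machine 64-bit,
# per-machine 32-bit (on x64 Windows) and per-user installs.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-RecentInstalls {
    param([int]$Days)
    $cutoff = (Get-Date).AddDays(-$Days)

    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            # InstallDate is stored as a yyyyMMdd string; it is sometimes
            # missing or malformed, so parse defensively and keep $null otherwise.
            $date = $null
            if ($_.InstallDate -match '^\d{8}$') {
                try { $date = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null) }
                catch { $date = $null }
            }
            [pscustomobject]@{
                InstalledOn     = $date
                Name            = $_.DisplayName
                Publisher       = $_.Publisher
                UninstallString = $_.UninstallString
            }
        } |
        # Keep entries inside the window, and also those with no date at all,
        # so a bundled program that wrote no InstallDate is not silently hidden.
        Where-Object { (-not $_.InstalledOn) -or ($_.InstalledOn -ge $cutoff) } |
        Sort-Object InstalledOn -Descending
}

Get-RecentInstalls -Days $SinceDays | Format-Table -AutoSize
```

Read the output the same way as the dialog: anything installed within a day or two of the first cr.install-daddy.com message, with a publisher you do not recognise, is a candidate. The `UninstallString` column shows the uninstaller that the Control Panel would run; it is printed here for review only, and removal still goes through the dialog or through FreeFixer as described in the post.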

Then I would check the browser add-ons. Adware often appears under the add-ons dialog in Google Chrome, Mozilla Firefox, Internet Explorer, Safari or Opera. Is there anything that looks suspicious? Something that you don’t remember installing? TornTV in the list?
Firefox add-ons manager

I think you will be able to track down and uninstall the adware with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the adware. FreeFixer is a freeware tool that I’ve been developing since 2006, designed to manually identify and remove unwanted software. When you’ve tracked down the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.

FreeFixer’s removal feature is not locked down like many other removal tools out there. It will not require you to pay for the program just when you are about to remove the unwanted files.

And if you’re having problems determining if a file is legitimate or adware in the FreeFixer scan result, click on the More Info link for the file. That will open up a web page which contains additional information about the file. On that web page, check out the VirusTotal report which can be very useful:

FreeFixer More Info link example
An example of FreeFixer’s “More Info” links. Click for full size.

Did this blog post help you to remove cr.install-daddy.com? Please let me know, or tell me how I can improve this blog post.

Thank you!

Mari Mara – 20% Detection Rate – PUP.Optional.Maru / OutBrowse Revenyou

Hello! Just wanted to let you know about a publisher called Mari Mara that I found earlier today. Here’s how the UAC dialog looks like when running the file:

Mari Mara publisher

You can also check the digital signature under the file’s properties. According to the certificate we can see that Mari Mara appears to be located in Dublin, Ireland and that the certificate is issued by GlobalSign CodeSigning CA – G2.

Mari Mara certificate

The VirusTotal report shows that the Mari Mara file should probably be avoided, since setup.exe is detected as Win-PUP/OutBrowse by AhnLab-V3, Mari.668 by AVG, PUA.OutBrowse by Ikarus, PUP.Optional.Maru by Malwarebytes and OutBrowse Revenyou by Sophos.

Mari Mara virustotal

Did you also find a Mari Mara file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thank you for reading.

Remove SettingsGuard – Sg.exe and SettingsGuard.exe Removal Instructions

Hello there. I just found another bundled program called SettingsGuard and wanted to give you some removal instructions. SettingsGuard seems to be a variant of BitGuard that I’ve written about before. If SettingsGuard is running on your computer, you will see SettingsGuard.exe and sg.exe running in the Windows Task Manager:

settingsguard.exe sg.exe task manager

You will also see loader.dll and ld64.dll registered as APPInit_Dlls. I’ll show how to remove SettingsGuard in this blog post with the FreeFixer removal tool.
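AppInit_DLLs is worth checking by hand, because anything listed there is loaded into every process that links user32.dll, which is exactly why BitGuard-style software uses it. The PowerShell script below is an added example, not FreeFixer’s code; it reads both the 64-bit and the 32-bit (Wow6432Node) AppInit_DLLs values, checks whether loading is actually enabled via LoadAppInit_DLLs, looks at each listed DLL’s signature, and flags the two file names from this post. Those names are only a starting point; other adware uses the same mechanism with different names.

```powershell
# Added example (not FreeFixer's code): list the DLLs registered under
# AppInit_DLLs, which Windows injects into every process that loads user32.dll.
# SettingsGuard registered loader.dll and ld64.dll there; the names below are
# taken from the post and are a starting point only, not a complete list.
$SuspectNames = @('loader.dll', 'ld64.dll')

# 64-bit Windows keeps two views: the native one for 64-bit processes and the
# Wow6432Node one for 32-bit processes. Both can carry an AppInit_DLLs list.
$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AppInitDllReport {
    foreach ($key in $AppInitKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        $raw   = [string]$props.AppInit_DLLs
        # The value is a space- or comma-separated list of DLL paths.
        $dlls  = $raw -split '[ ,]+' | Where-Object { $_ -ne '' }

        foreach ($dll in $dlls) {
            $leaf = Split-Path -Leaf $dll
            $sig  = if (Test-Path $dll) { (Get-AuthenticodeSignature -FilePath $dll).Status }
                    else { 'FileMissing' }
            [pscustomobject]@{
                RegistryKey  = $key
                LoadEnabled  = [bool]$props.LoadAppInit_DLLs   # 0 means the list is ignored
                Dll          = $dll
                Signature    = $sig
                KnownSuspect = ($SuspectNames -contains $leaf)
            }
        }
    }
}

$report = Get-AppInitDllReport
if (-not $report) {
    Write-Host 'No AppInit_DLLs entries found in either registry view.'
} else {
    $report | Format-Table -AutoSize
}
```

On a clean machine the list is normally empty, so any entry at all is worth investigating, signed or not. Reading these keys needs no elevation; removing an entry does, and because the DLLs are already loaded into running processes the change only fully takes effect after the reboot the post recommends.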

So, how did SettingsGuard install on your machine? It was probably bundled with some download that you installed recently. Bundling means that software is included in other software’s installers. When I first found SettingsGuard, it was bundled with a download called Codec Perforer. I guess that’s a typo and it should be Codec Performer. This is how SettingsGuard was disclosed in Codec Perforer’s installer when I found it:

SettingsGuard installer Searchalgo

The installer file is digitally signed by Elephant Tech Software LLC.

Elephant Tech Software LLC

Generally, you can avoid bundled software such as SettingsGuard by being careful when installing software and declining the bundled offers in the installer.

When I mess around with some new bundled software I usually upload it to VirusTotal to test if the anti-virus tools there find something. 35% of the antimalware scanners detected the sg.exe file. The SettingsGuard files are detected as Gen:Variant.Strictor.73974 by Ad-Aware, Riskware.Agent! by Agnitum and a variant of Win32/SmartCyberTech.A by ESET-NOD32.

sg.exe virustotal

If you would like to remove SettingsGuard you can do so with the freeware FreeFixer tool. Select the SettingsGuard items for removal in FreeFixer, click Fix, restart your machine and the problem will be gone. Here’s a few screenshots to point you in the right direction:

Screenshots: the sg.exe process in FreeFixer; removing SettingsGuard.exe; removing the SettingsGuard startup entry; the loader.dll and ld64.dll AppInit_DLLs entries; removing ld64.dll.

Hope that helped you to figure out how to do the removal.

Did you also find SettingsGuard on your system? Any idea how it installed? Please share in the comments below. Thank you very much!

Hope you found this useful. Thanks for reading.

Remove 12softlive12.newupdateweb.com Pop Up About Outdated Flash Player

Does this sound like your story? You see pop-up ads from 12softlive12.newupdateweb.com while browsing at websites that most of the time don’t advertise in pop-up windows. The pop-ups manage to find a way round the built-in pop-up blockers in Mozilla Firefox, Google Chrome, Internet Explorer or Safari. Maybe the newupdateweb.com pop-ups appear when clicking search results from Google? Or do the pop-ups appear even when you’re not browsing?

Here’s how the 12softlive12.newupdateweb.com pop-up looked when I got it on my system:

12softlive12.newupdateweb.com pop-up

If this sounds like what you are seeing on your system, you probably have some adware installed on your system that pops up the 12softlive12.newupdateweb.com ads. There’s no use contacting the owners of the site you were browsing. The ads are not coming from them. I’ll try to help you with the 12softlive12.newupdateweb.com removal in this blog post.

Those who have been visiting this blog already know this, but for new visitors: A little while back I dedicated some of my lab machines and purposely installed a few adware programs on them. I’ve been observing the behaviour on these machines to see what kinds of adverts are displayed. I’m also looking at other interesting things, such as whether the adware updates itself automatically or installs additional unwanted software on the systems. I first spotted the 12softlive12.newupdateweb.com pop-up on one of these lab systems.

12softlive12.newupdateweb.com was created on 2015-01-14. 12softlive12.newupdateweb.com resolves to the 198.7.56.99 IP address.

So, how do you remove the 12softlive12.newupdateweb.com pop-up ads? On the machine where I got the 12softlive12.newupdateweb.com ads I had PriceLess, PriceHorse, OfferBoulevard and SpeedCheck installed. I removed them with FreeFixer and that stopped the 12softlive12.newupdateweb.com pop-ups and all the other ads I was getting in Mozilla Firefox.

The issue with pop-ups such as this one is that they can be initiated by many variants of adware. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

So, what should be done to solve the problem? To remove the 12softlive12.newupdateweb.com pop-up ads you need to review your computer for adware or other types of unwanted software and uninstall it. Here’s my suggested removal procedure:

The first thing I would do to remove the 12softlive12.newupdateweb.com pop-ups is to examine the programs installed on the machine, by opening the “Uninstall programs” dialog. You can open this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows you can just type in “uninstall” in the Control Panel’s search field to find that dialog:
Uninstall a program search

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Uninstall a program dialog

Do you see something strange-looking listed there or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if something was installed about the same time as you started seeing the 12softlive12.newupdateweb.com pop-ups.

Then you can examine your browser add-ons. Adware often appears under the add-ons menu in Google Chrome, Mozilla Firefox, Internet Explorer or Safari. Is there anything that looks suspicious? Something that you don’t remember installing?
Firefox add-ons manager

I think most users will be able to identify and remove the adware with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the adware. FreeFixer is a freeware tool that I started developing many years ago. It’s a tool built to manually identify and remove unwanted software. When you’ve identified the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.

FreeFixer’s removal feature is not locked like many other removal tools out there. It won’t require you to pay for the program just when you are about to remove the unwanted files.

And if you’re having issues determining if a file is clean or adware in FreeFixer’s scan report, click on the More Info link for the file. That will open up a web page which contains more details about the file. On that web page, check out the VirusTotal report which can be very useful:

FreeFixer More Info link example
An example of FreeFixer’s “More Info” links. Click for full size.

Here’s a video tutorial on how to remove the pop-ups with FreeFixer:

Did you find any adware on your machine? Did that stop the 12softlive12.newupdateweb.com ads? Please post the name of the adware you uninstalled from your machine in the comment below.

Thank you!

Wecan Software – 39% Detection – Verti / PUP.Optional.WeCan.A / NextUp / Rocketfuel Installer

Hi there! A short post on a publisher called Wecan Software that I found this morning while downloading some software. According to the certificate, Wecan Software is located in Bellevue, Washington in the United States of America.

Wecan software cert

Right now, 22 of the 57 anti-virus scanners detected the file. AVG reports MediaPlayerClassicInstaller.exe as Wecan.80E, Fortinet classifies it as Adware/Verti, Malwarebytes names it PUP.Optional.WeCan.A, Sophos classifies it as NextUp and VIPRE reports Rocketfuel Installer (fs).

Wecan software virustotal

Did you also find a file digitally signed by Wecan Software? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Hope this blog post helped you avoid some unwanted software on your machine.

Thanks for reading.