Monthly Archives: June 2015

COnfirmED APp nLn – 18% Detection Rate – OutBrowse

Hi there! Lately I’ve been looking at the digital signatures on the files that push various types of unwanted programs. This morning I found a new file called Player.exe, digitally signed by COnfirmED APp nLn.

The following screenshot shows the User Account Control dialog when running the COnfirmED APp nLn file:

COnfirmED APp nLn publisher

You can also check the digital signature under the file’s properties. According to the certificate, COnfirmED APp nLn is located in Ireland and the certificate was issued by thawte SHA256 Code Signing CA. Keep in mind what that does and doesn’t tell you: a valid signature from a well-known CA means the file has not been modified since the holder of that certificate signed it, not that the file is safe.

COnfirmED APp nLn cert

The problem with the COnfirmED APp nLn file is that a number of the antivirus programs at VirusTotal (18% of them) detect it. Here are some of the detection names: Downloader.LIR, PUA.OutBrowse.A and Adware-OutBrowse.g.

COnfirmED APp nLn anti-virus detection

Since you probably came here after finding a file that was signed by COnfirmED APp nLn, please share what kind of download it was and whether it was detected by the antivirus scanners at VirusTotal.

Thank you for reading.

Top Scale (New Media Holdings Ltd.) – 14% Detection Rate – InstallCore

Hi there! If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. Today I found another publisher called Top Scale (New Media Holdings Ltd.).

Top Scale New Media Holdings Ltd publisher

It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the Top Scale (New Media Holdings Ltd.) certificate.

Top Scale New Media Holdings Ltd. cert

Top Scale is located in Tel Aviv, Israel, according to the certificate.

What caught my attention was that the download was called GoogleChromeSetup.exe. It might look like an official Google Chrome download, but it is not: an official download would be signed by Google Inc., so the file name tells you nothing and the signer is what to check. Here is what the authentic Google Chrome installer looks like when you double-click it. Notice that “Verified publisher” reads “Google Inc”.
Chrome Google Inc publisher

So, what do the anti-virus programs say about the Top Scale (New Media Holdings Ltd.) file? I uploaded the file to VirusTotal and it turned out that some of the anti-virus programs detect the Top Scale (New Media Holdings Ltd.) file, with names such as InstallCore.A98, W32.HfsAdware.D59D, PUP.Optional.InstallCore.A and InstallCore (fs).

Top Scale New Media Holdings anti-virus report

Did you also find a Top Scale (New Media Holdings Ltd.) file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thank you for reading.

Remove view.contextualyield.com Pop Up Ads

Does this sound like your story? You see pop-up advertisements from view.contextualyield.com while browsing sites that typically don’t advertise in pop-up windows. The pop-ups manage to bypass the built-in pop-up blockers in Mozilla Firefox, Google Chrome, Internet Explorer or Safari. Perhaps the view.contextualyield.com pop-ups appear when you click search results on Google? Or do the pop-ups show up even when you’re not browsing?

Here’s a screenshot of the view.contextualyield.com pop-up ad when it showed up on my machine:

view.contextualyield.com pop up

(Sorry for the ridiculous use of watermarks. I have to do it to stop the copy-cats.)

If this description sounds like your computer, you probably have some adware installed on your machine that pops up the view.contextualyield.com ads. Contacting the owner of the website would be a waste of time. They are not responsible for the ads. I’ll try to help you with the view.contextualyield.com removal in this blog post.

Those that have been spending some time on this blog already know this, but here we go: A little while back I dedicated some of my lab computers and intentionally installed some adware programs on them. I have been tracking the behaviour on these computers to see what kinds of advertisements are displayed. I’m also looking at other interesting things such as whether the adware updates itself automatically, or whether it downloads additional unwanted software onto the computers. I first found the view.contextualyield.com pop-up on one of these lab computers.

At the time of writing, view.contextualyield.com resolves to 46.105.156.73; the domain was registered on 2015-06-25. bycontext.com is hosted at the same IP, according to YouGetSignal’s reverse lookup service.

So, how do you remove the view.contextualyield.com pop-up ads? On the machine where I got the view.contextualyield.com ads I had istartsurf, MedPlayerNewVersion and Movie Wizard installed. I removed them with FreeFixer and that stopped the view.contextualyield.com pop-ups and all the other ads I was getting in Mozilla Firefox.

It seems view.contextualyield.com is getting quite a lot of traffic, based on Alexa’s traffic rank:

contextualyield.com traffic rank

The issue with this type of pop-up is that it can be triggered by many variants of adware, not just the ones on my lab machine. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

So, what can be done to solve the problem? To remove the view.contextualyield.com pop-up ads you need to review your computer for adware or other types of unwanted software and uninstall it. Here’s my suggested removal procedure:

  1. What software do you have installed if you look in the Add/Remove programs dialog in the Windows Control Panel? Something that you don’t remember installing yourself or that was recently installed?
  2. You can also check the add-ons you have in your browsers. Same thing here, do you see anything that you don’t remember installing?
  3. If that didn’t solve the problem, you can give FreeFixer a try. FreeFixer is built to assist users in manually tracking down adware and other types of unwanted software. It is a freeware utility that I’ve been working on since 2006, and it scans the many locations on your computer where unwanted software is known to hook into the system. If you would like additional details about a file in FreeFixer’s scan result, just click the More Info link for that file and a web page with a VirusTotal report will open, which can be very useful for determining whether the file is safe or malware:

    FreeFixer More Info link example
    An example of FreeFixer’s “More Info” links. Click for full size.

Here’s a video tutorial which shows FreeFixer in action removing adware that caused pop-up ads:

Did you find any adware on your machine? Did that stop the view.contextualyield.com ads? Please post the name of the adware you uninstalled from your machine in the comments below.

Thank you!

Egor Klochko – 34% Detection Rate – MultiPlug / Graftor

Welcome! Just a note on a publisher called Egor Klochko. The Egor Klochko download – Download Uc Browser V Handler Zip.exe – was detected when I uploaded it to VirusTotal. Did you also find a download by Egor Klochko? Was it also detected when you uploaded it to VirusTotal?

Egor Klochko publisher

Typically you’d see the Egor Klochko publisher name appear when double-clicking on the Download Uc Browser V Handler Zip.exe file. It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the Egor Klochko certificate.

Egor Klochko certificate

The VirusTotal report shows that the Egor Klochko file should be avoided, since Download Uc Browser V Handler Zip.exe is detected as Trojan.Adware.Graftor.D31885 by Arcabit, Gen:Variant.Adware.Graftor.202885 by BitDefender and PUP.Optional.Multiplug by Malwarebytes.

Egor Klochko anti-virus report

Did you also find an Egor Klochko file? Do you remember where you downloaded it?

Thank you for reading.

Alekxandr Zabaro – 13% VirusTotal Detection Rate

Hi there! Just a quick post on a publisher called Alekxandr Zabaro that I found while running some tests for the upcoming FreeFixer release. The suspicious file is named Download.exe.

Alekxandr Zabaro file

It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the Alekxandr Zabaro certificate.

Alekxandr Zabaro cert

After uploading the Alekxandr Zabaro file – Download.exe – to VirusTotal, it was clear that it’s probably better to delete the file than to run it. The detection rate was 13% and some of the detection names were: Win32:MultiPlug-AAE [PUP], a variant of Win32/Adware.MultiPlug.MO and Unwanted-Program ( 0040f9681 ).

Alekxandr Zabaro anti virus report

Did you also find an Alekxandr Zabaro file? Do you remember where you downloaded it?

Hope this blog post helped you avoid some unwanted software on your machine.

Thank you for reading.

Remove go.1800option.com and promotions.1800option.com Pop Up Ads

Did you just get a pop-up from go.1800option.com or promotions.1800option.com and wonder where it came from? Did the go.1800option.com ad appear to come from a web site that under normal circumstances doesn’t use advertising such as pop-up windows? Or did the go.1800option.com pop-up show up when you clicked a link on one of the major search engines, such as Google, Bing or Yahoo?

Here is what the go.1800option.com ad looked like on my machine:

go.1800option.com pop up

And here’s promotions.1800option.com in the status bar:

promotions.1800option.com status bar

If this sounds like what you are seeing on your computer, you most likely have some adware installed on your computer that pops up the go.1800option.com ads. There’s no use contacting the owners of the site you were browsing at the time. The ads are not coming from them. I’ll try to help you remove the go.1800option.com pop-ups in this blog post.

For those that are new to the blog: Recently I dedicated some of my lab computers and deliberately installed a few adware programs on them. Since then I’ve been monitoring the behaviour on these computers to see what kinds of advertisements are displayed. I’m also looking at other interesting things such as whether the adware updates itself automatically, or whether it installs additional unwanted software on the machines. I first found the go.1800option.com pop-up on one of these lab computers.

go.1800option.com was registered on 2014-08-13. At the time of writing, promotions.1800option.com resolves to 199.83.129.86 and go.1800option.com to 92.222.66.143.

So, how do you remove the go.1800option.com pop-up ads? On the machine where I got the go.1800option.com ads I had istartsurf, MedPlayerNewVersion and Movie Wizard installed. I removed them with FreeFixer and that stopped the go.1800option.com pop-ups and all the other ads I was getting in Mozilla Firefox.

If you are wondering whether there are many others out there also getting the go.1800option.com ads, the answer is probably yes. Check out the traffic rank from Alexa:

1800option.com traffic rank

The problem with pop-ups like this one is that they can be triggered by many variants of adware, not just the adware running on my system. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

So, what can be done to solve the problem? To remove the go.1800option.com pop-up ads you need to review your system for adware or other types of unwanted software and uninstall it. Here’s my suggested removal procedure:

The first thing I would do to remove the go.1800option.com pop-ups is to examine the programs installed on the machine, by opening the “Uninstall a program” dialog. You can reach this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows you can just type “uninstall” into the Control Panel’s search field to find it:
Uninstall a program search

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Uninstall a program dialog

Do you see something strange-looking in there or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if some program was installed around the same time as you started getting the go.1800option.com pop-ups.

The next thing to check would be your browser’s add-ons. Adware often appears under the add-ons menu in Google Chrome, Mozilla Firefox, Internet Explorer, Safari or Opera. Is there anything that looks suspicious? Something that you don’t remember installing?
Firefox add-ons manager

I think most users will be able to find and uninstall the adware with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the adware. FreeFixer is a freeware tool that I started developing many years ago. It is designed for manually finding and removing unwanted software. When you’ve identified the unwanted files you simply tick a checkbox and click the Fix button to remove them.

FreeFixer’s removal feature is not crippled like many other removal tools out there. It won’t require you to purchase the program just when you are about to remove the unwanted files.

And if you’re having difficulties figuring out if a file is safe or unsafe in FreeFixer’s scan result, click on the More Info link for the file. That will open up a web page which contains additional information about the file. On that web page, check out the VirusTotal report which can be very useful:

FreeFixer More Info link example
An example of FreeFixer’s “More Info” links. Click for full size.
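The two manual checks above (the “Uninstall a program” list sorted by install date, and the browsers’ add-on pages; the shorter three-step list in the view.contextualyield.com post above describes the same procedure) can be scripted, which also surfaces entries the dialogs hide. The PowerShell below is an example added here, not code from the FreeFixer blog or from FreeFixer itself. It assumes Windows PowerShell 3.0 or later and default Chrome and Firefox profile locations; the 30-day cut-off in the usage lines is a placeholder.

```powershell
# Added example (not code from the FreeFixer blog): the two manual steps above as a script.
# Assumes Windows PowerShell 3.0+ and default browser profile locations.

function Get-InstalledPrograms {
    param([datetime]$Since = [datetime]::MinValue)

    # The Control Panel list is built from these three Uninstall keys. Bundlers like to land
    # in HKCU (no admin prompt needed) and to set SystemComponent=1, which hides the entry.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            # InstallDate is a yyyyMMdd string when the installer bothered to write it.
            $date = $null
            if ("$($_.InstallDate)" -match '^\d{8}$') {
                $date = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
            }
            [pscustomobject]@{
                Name        = $_.DisplayName
                Publisher   = $_.Publisher
                InstalledOn = $date
                Hidden      = [bool]$_.SystemComponent
                Uninstall   = $_.UninstallString
            }
        } |
        Where-Object { ($null -eq $_.InstalledOn) -or ($_.InstalledOn -ge $Since) } |
        Sort-Object InstalledOn -Descending      # newest first, undated entries last
}

function Get-RegValues {
    param([string]$Path)
    # Name/value pairs under a key, minus the PS* properties PowerShell adds. Empty if absent.
    if (-not (Test-Path $Path)) { return }
    (Get-ItemProperty -Path $Path).PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }
}

function Get-BrowserAddons {
    $out = New-Object System.Collections.Generic.List[object]

    # Chrome: every extension directory in every profile (Extensions\<id>\<version>\manifest.json).
    # The name may be a __MSG_*__ placeholder when the extension is localized.
    $pattern = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\*\Extensions\*\*\manifest.json'
    foreach ($m in (Get-ChildItem -Path $pattern -ErrorAction SilentlyContinue)) {
        $name = '?'
        try { $name = (Get-Content -Raw -Path $m.FullName | ConvertFrom-Json).name } catch { }
        $out.Add([pscustomobject]@{ Browser = 'Chrome'; Id = $m.Directory.Parent.Name; Name = $name; Where = $m.Directory.FullName })
    }
    # Chrome policy: force-installed extensions the user cannot remove from the add-ons page.
    foreach ($hive in 'HKLM', 'HKCU') {
        $p = "${hive}:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist"
        foreach ($v in (Get-RegValues -Path $p)) {
            $out.Add([pscustomobject]@{ Browser = 'Chrome (policy)'; Id = $v.Value; Name = 'force-installed'; Where = $p })
        }
    }
    # Firefox: profile extension folders, plus add-ons sideloaded through the registry.
    $pattern = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles\*\extensions\*'
    foreach ($e in (Get-ChildItem -Path $pattern -ErrorAction SilentlyContinue)) {
        $out.Add([pscustomobject]@{ Browser = 'Firefox'; Id = $e.BaseName; Name = ''; Where = $e.FullName })
    }
    foreach ($p in 'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions',
                   'HKLM:\SOFTWARE\WOW6432Node\Mozilla\Firefox\Extensions',
                   'HKCU:\SOFTWARE\Mozilla\Firefox\Extensions') {
        foreach ($v in (Get-RegValues -Path $p)) {
            $out.Add([pscustomobject]@{ Browser = 'Firefox (registry)'; Id = $v.Name; Name = ''; Where = $v.Value })
        }
    }
    # Internet Explorer: Browser Helper Objects, resolved to their DLL through the CLSID.
    foreach ($root in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
                      'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects') {
        foreach ($k in (Get-ChildItem -Path $root -ErrorAction SilentlyContinue)) {
            $clsid = $k.PSChildName
            $dll = $null
            foreach ($c in "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32",
                           "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$clsid\InprocServer32") {
                if (-not $dll -and (Test-Path $c)) { $dll = (Get-ItemProperty -Path $c).'(default)' }
            }
            $out.Add([pscustomobject]@{ Browser = 'IE (BHO)'; Id = $clsid; Name = ''; Where = $dll })
        }
    }
    return $out
}

# Usage: programs installed in the last 30 days (placeholder cut-off), then every add-on.
Get-InstalledPrograms -Since (Get-Date).AddDays(-30) |
    Format-Table Name, Publisher, InstalledOn, Hidden -AutoSize
Get-BrowserAddons | Format-Table Browser, Id, Name, Where -AutoSize
```

Anything with Hidden set to True, or listed under “Chrome (policy)” or “Firefox (registry)”, never shows up in the dialogs the text describes, which is exactly why bundlers use those locations; the Where column gives you the file or key to remove once you have decided an entry does not belong.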

Here you can see FreeFixer in action removing pop-up ads:

Did you find any adware on your machine? Did that stop the go.1800option.com ads? Please post the name of the adware you uninstalled from your machine in the comments below.

Thank you!

ALEKSANDR MOROZOV – 14% Detection Rate At VirusTotal

Hello! Just wanted to give you the heads up on files digitally signed by ALEKSANDR MOROZOV.

ALEKSANDR MOROZOV publisher

You will see ALEKSANDR MOROZOV listed as the verified publisher in the User Account Control dialog that pops up when you try to run the file. It is also possible to check the digital signature by looking at the file’s properties. Here’s a screenshot of the ALEKSANDR MOROZOV certificate.

ALEKSANDR MOROZOV cert

Win32:MultiPlug-AAE [PUP], a variant of Win32/Adware.MultiPlug.MO, Unwanted-Program ( 0040f9681 ) and Suspicious.Cloud.5 are some of the detection names according to VirusTotal:

ALEKSANDR MOROZOV virus total

Did you also find a file digitally signed by ALEKSANDR MOROZOV? What kind of download was it and where did you find it?

Thanks for reading.

SERGEY NIKITIN – Detected as MultiPlug, Graftor, Qudamah etc

Hello! Just a short post on a publisher called SERGEY NIKITIN. I just found a download named Download.exe that was digitally signed by this publisher, and it turns out that it is detected by some anti-virus programs.

SERGEY NIKITIN publisher

You can also look at the SERGEY NIKITIN certificate and digital signature by looking under the Digital Signatures tab on the file’s properties. According to the certificate, SERGEY NIKITIN is located in Zaporizhia, Zaporizhska in Ukraine.

SERGEY NIKITIN certificate

The VirusTotal report shows that the SERGEY NIKITIN file should be avoided, since Download.exe is detected as Gen:Variant.Adware.Graftor.198034 by BitDefender, PUP.Optional.MultiPlug by Malwarebytes, Suspicious.Cloud.5 by Symantec and Trojan.Win32.Qudamah.Gen.4 by Tencent.

SERGEY NIKITIN virus report

Did you also find a SERGEY NIKITIN file?

Thanks for reading.

OtOPIa Soft – 25% Detection Rate – OutBrowse / Artemis

Hi there! Just wanted to give you the heads up on a publisher called OtOPIa SOft.

OtOPIa SOft publisher

You can see who the signer is by double-clicking an executable file: OtOPIa SOft appears in the publisher field of the dialog that pops up. To see more of the certificate, right-click the file, choose Properties and select the Digital Signatures tab. According to the certificate, OtOPIa SOft is located in Dublin, Ireland, and the certificate was issued by thawte SHA256 Code Signing CA.

OtOPIa SOft cert
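The steps just described (the publisher field in the run dialog, then Properties and the Digital Signatures tab) read the file’s Authenticode signature, and the same data can be pulled out with PowerShell and compared against the publisher the file name claims, which is the check the GoogleChromeSetup.exe post above calls for. The script below is an example added here, not code from the FreeFixer blog; it assumes Windows PowerShell 3.0 or later, and the file paths and the expected name ‘Google Inc’ are placeholders for whatever you downloaded and whoever should have signed it.

```powershell
# Added example, not code from the FreeFixer blog: read the same Authenticode data the
# Properties > Digital Signatures tab shows, then compare the signer's CN with the publisher
# the file name claims. Assumes Windows PowerShell 3.0+; paths and 'Google Inc' are placeholders.

function Get-DnField {
    param([string]$Dn, [string]$Key)
    # Naive RDN extraction, enough for the subjects in these posts. Caveat: a quoted value
    # containing a comma would need a real DN parser.
    if ($Dn -match "(?:^|,\s*)$Key=([^,]+)") { return $Matches[1].Trim() }
    return $null
}

function Get-SignerSummary {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate          # $null when the file carries no signature
    $subj = ''
    $issuer = $null; $thumb = $null; $notAfter = $null
    if ($cert) {
        $subj = $cert.Subject; $issuer = $cert.Issuer
        $thumb = $cert.Thumbprint; $notAfter = $cert.NotAfter
    }

    [pscustomobject]@{
        Path        = $Path
        # Valid means: hash matches, chain builds to a trusted root, and the cert was inside its
        # validity window (or the signature is timestamped). It says nothing about behaviour.
        Status      = $sig.Status
        StatusText  = $sig.StatusMessage
        SignerCN    = (Get-DnField -Dn $subj -Key 'CN')   # what UAC prints as "Verified publisher"
        Locality    = (Get-DnField -Dn $subj -Key 'L')
        Country     = (Get-DnField -Dn $subj -Key 'C')
        Issuer      = $issuer
        Thumbprint  = $thumb
        NotAfter    = $notAfter
        Timestamped = [bool]$sig.TimeStamperCertificate
    }
}

function Test-ExpectedPublisher {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedCN
    )
    $s  = Get-SignerSummary -Path $Path
    # Both halves matter: an unsigned or tampered file fails on Status, and a perfectly valid
    # signature from the wrong company (the GoogleChromeSetup.exe case) fails on the CN.
    $ok = ($s.Status -eq 'Valid') -and ($s.SignerCN -eq $ExpectedCN)
    if (-not $ok) {
        Write-Warning ("{0}: status={1}, signer='{2}', expected '{3}'" -f $Path, $s.Status, $s.SignerCN, $ExpectedCN)
    }
    return $ok
}

# A file called GoogleChromeSetup.exe should be signed by Google; a valid signature from anyone
# else marks it as a bundler, however trusted the issuing CA.
$file = Join-Path $env:USERPROFILE 'Downloads\GoogleChromeSetup.exe'
Get-SignerSummary -Path $file | Format-List
Test-ExpectedPublisher -Path $file -ExpectedCN 'Google Inc'
```

Test-ExpectedPublisher deliberately returns false both for a broken signature and for a good signature by the wrong party: the posts on this page are all about files whose signature is technically fine and whose signer is simply not who you would expect for that download, so trusting the UAC dialog’s “Verified publisher” line alone is not enough.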

So, why did I put up this blog post? Well, the thing is that the OtOPIa SOft file is detected by a quarter of the anti-malware scanners at VirusTotal. AVG names Player.exe Downloader.KAM, Malwarebytes calls it Trojan.Inject, McAfee-GW-Edition detects it as Artemis (McAfee’s generic heuristic name rather than a family) and VIPRE detects it as OutBrowse (fs).

OtOPIa SOft anti-virus report

Did you also find a file signed by OtOPIa SOft? What kind of download was it and where did you find it?

Thanks for reading.

IGOR MIHAYLOV – 35% Detection Rate at VirusTotal

Hello! Just wanted to give you the heads up on files digitally signed by IGOR MIHAYLOV.

IGOR MIHAYLOV publisher

It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the IGOR MIHAYLOV certificate. According to it, IGOR MIHAYLOV is located in Russia.

IGOR MIHAYLOV cert

These are the current VirusTotal detections for the file I found. Trojan.Adware.Graftor.D30592, Generic6.BBOM, a variant of Win32/Adware.MultiPlug.MN, Gen:Variant.Adware.Graftor and SoftwareBundler:Win32/InstalleRex are a few of the detection names.

IGOR MIHAYLOV anti-virus report
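Every post above quotes a VirusTotal detection rate and a handful of detection names. Rather than uploading each file (an upload shares the sample with VirusTotal’s partners, which you may not want for anything internal), a practitioner would first ask VirusTotal whether it has already seen the file’s SHA-256 and only then decide about uploading. The script below is an example added here, not code from the FreeFixer blog; it assumes Windows PowerShell 4.0 or later (for Get-FileHash), the VirusTotal API v3 and an API key in the VT_API_KEY environment variable, and the file path is a placeholder.

```powershell
# Added example, not code from the FreeFixer blog: ask VirusTotal about a file by hash and
# work out the detection rate the way these posts quote it. Assumes Windows PowerShell 4.0+
# (Get-FileHash), the VirusTotal API v3 and an API key in $env:VT_API_KEY; the path is a
# placeholder.

function Get-VtVerdict {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ApiKey = $env:VT_API_KEY
    )
    if (-not $ApiKey) { throw 'Set $env:VT_API_KEY to your VirusTotal API key first.' }

    $sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()
    try {
        $r = Invoke-RestMethod -Method Get -Uri "https://www.virustotal.com/api/v3/files/$sha256" -Headers @{ 'x-apikey' = $ApiKey }
    } catch {
        # 404: VirusTotal has never seen this hash. Only now decide whether uploading the
        # sample (which hands it to VirusTotal's partners) is acceptable.
        if ($_.Exception.Response -and [int]$_.Exception.Response.StatusCode -eq 404) {
            return [pscustomobject]@{ Sha256 = $sha256; Known = $false }
        }
        throw
    }

    $attr    = $r.data.attributes
    $stats   = $attr.last_analysis_stats
    $hits    = $stats.malicious + $stats.suspicious
    # Engines that actually returned a verdict; timeouts and unsupported types are left out,
    # which is close to the x/y figure shown on the VirusTotal page.
    $engines = $hits + $stats.undetected + $stats.harmless
    $names   = $attr.last_analysis_results.PSObject.Properties |
        Where-Object { $_.Value.category -in @('malicious', 'suspicious') } |
        ForEach-Object { '{0}: {1}' -f $_.Name, $_.Value.result }

    [pscustomobject]@{
        Sha256  = $sha256
        Known   = $true
        Hits    = $hits
        Engines = $engines
        Rate    = '{0}%' -f [math]::Round(100.0 * $hits / [math]::Max($engines, 1))
        Names   = @($names)
        # Assumption: signature_info is only present for signed PE files; absent gives $null.
        Signers = $attr.signature_info.signers
    }
}

# Usage (placeholder path): the Rate field is the "18%"-style figure quoted in these posts.
$v = Get-VtVerdict -Path (Join-Path $env:USERPROFILE 'Downloads\Player.exe')
$v | Format-List
```

Two things worth reading together in the output: a low Rate with names like PUP, PUA, Adware or SoftwareBundler is the typical profile of the signed bundlers on this page, and a Signers value that does not match the product the file name claims is the same red flag the posts raise about the UAC dialog.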

Did you also find an IGOR MIHAYLOV file? Do you remember where you downloaded it?

Hope this blog post helped you avoid some unwanted software on your machine.

Thanks for reading.