Hi there! Just wanted to give you the heads up on a file called that’s digitally signed by LLC “YUTA-SOFT”.
Windows will display LLC “YUTA-SOFT” as the publisher when running the file. The certificate is issued by COMODO RSA Code Signing CA. And the company appears to be located in Ukraine.
For the time being, 7 of the scanners detected the file. AVG detects the Yuta Soft file as BundleApp.NWS, Panda reports Trj/Genetic.gen, ESET-NOD32 detects it as a variant of Win32/Amonetize.LP potentially unwanted, DrWeb reports Trojan.Amonetize.11077 and Malwarebytes detects it as PUP.Optional.Amonetize.
Did you also find an LLC “YUTA-SOFT” download? What kind of download was it?
Hope this blog post helped you avoid some unwanted software on your machine.
Does this sound like your story? You see pop-up ads from s.admtpmp124.com while browsing websites that most of the time don’t advertise in pop-up windows. The pop-ups manage to sidestep the built-in pop-up blockers in Mozilla Firefox, Google Chrome, Internet Explorer or Safari. Perhaps the s.admtpmp124.com pop-ups appear when clicking search results from Google? Or do the pop-ups appear even when you’re not browsing?
Here’s a screenshot of the s.admtpmp124.com pop-up ad when it showed up on my computer:
If you also see this on your machine, you most likely have some adware installed on your machine that pops up the s.admtpmp124.com ads. Contacting the owner of the web site would be a waste of time. They are not responsible for the ads. I’ll do my best to help you with the s.admtpmp124.com removal in this blog post.
For those that are new to the blog: Recently I dedicated a few of my lab machines and purposely installed some adware programs on them. Since then I have been observing the behaviour on these computers to see what kinds of advertisements are displayed. I’m also looking at other interesting things, such as whether the adware updates itself, or whether it downloads and installs additional unwanted software on the machines. I first found the s.admtpmp124.com pop-up on one of these lab machines.
s.admtpmp124.com was registered on 2015-05-23. s.admtpmp124.com resolves to the 220.127.116.11 address.
The following domains are also registered and it’s possible that they are used for pop-ups too:
So, how do you remove the s.admtpmp124.com pop-up ads? On the machine where I got the s.admtpmp124.com ads I had Shopper-Pro, ObjectBrowser, MyStartSearch, YTDownloader, iWebar, Wajam, Primary Color and WebShield installed. I removed them with FreeFixer and that stopped the s.admtpmp124.com pop-ups and all the other ads I was getting in Mozilla Firefox.
The s. domain is attracting quite a lot of traffic, just check out the Alexa traffic rank:
The issue with pop-ups such as this one is that they can be shown by many variants of adware, not just the adware running on my computer. This makes it impossible to say exactly what you need to remove to stop the pop-ups.
Anyway, here’s my suggestion for the s.admtpmp124.com ads removal:
Examine what programs you have installed in the Add/Remove programs dialog in the Windows Control Panel. Do you see anything that you don’t remember installing or that was recently installed?
How about the add-ons you have in your browsers? Is there anything in the list that you don’t remember installing?
If that does not help, I’d recommend a scan with FreeFixer to manually track down the adware. FreeFixer is a freeware tool that I’m working on that scans your computer at lots of locations, such as browser add-ons, processes, Windows services, recently modified files, etc. If you want to get additional details about a file in the scan result, you can click the More Info link for that file and a web page will open up with a VirusTotal report which will be very useful to determine if the file is safe or malware:
Here’s a video tutorial showing FreeFixer in action removing pop-up ads:
Did this blog post help you to remove the s.admtpmp124.com pop-up ads? Please let me know, or tell me how I can improve this blog post.
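The first removal step above (looking for programs you don’t remember installing or that were recently installed) can also be done from PowerShell. This is an added example, not part of the original post or of FreeFixer; the function name and the 30-day window are assumptions.

```powershell
# Added example: list installed programs from the registry keys behind the
# Add/Remove Programs dialog, newest first, and flag recent installs.
function Get-InstalledProgram {
    param([int] $RecentDays = 30)   # assumed review window

    # 64-bit, 32-bit and per-user uninstall entries
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $cutoff  = (Get-Date).AddDays(-$RecentDays)
    $culture = [cultureinfo]::InvariantCulture
    $styles  = [System.Globalization.DateTimeStyles]::None

    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            # InstallDate is optional and, when present, normally yyyyMMdd
            $parsed    = [datetime]::MinValue
            $installed = $null
            if ([datetime]::TryParseExact([string]$_.InstallDate, 'yyyyMMdd',
                    $culture, $styles, [ref]$parsed)) {
                $installed = $parsed
            }
            [pscustomobject]@{
                Name      = $_.DisplayName
                # Self-declared by the installer, unlike a signer certificate
                Publisher = $_.Publisher
                Installed = $installed
                Recent    = ($null -ne $installed -and $installed -ge $cutoff)
                Uninstall = $_.UninstallString
            }
        } |
        Sort-Object Installed -Descending
}

# Review the newest entries first; entries without a date sort last.
Get-InstalledProgram -RecentDays 30 |
    Format-Table Name, Publisher, Installed, Recent -AutoSize
```

Entries with an empty Installed column carry no install date in the registry, so they still need to be reviewed by name.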
Welcome! Just wanted to give you a heads-up on a suspicious file I found right now. The file is digitally signed by LLC “TRUKONF SOFT”.
This is how it looks when double-clicking on the file and LLC “TRUKONF SOFT” appears as the publisher. Viewing the certificate information is also possible by looking under the digital signature tab for the file. Here the certificate says that LLC “TRUKONF SOFT” is located in Ukraine.
The reason I’m writing this blog post is that the LLC “TRUKONF SOFT” file is detected by many of the antimalware programs at VirusTotal. VBA32 names it SScope.Trojan.Zbot.gen, Baidu-International detects the file as PUA.Win32.Amonetize.LI, Kaspersky calls it not-a-virus:Downloader.Win32.AdLoad.rppk, Sophos calls it Generic PUA JA (PUA), Panda reports PUP/Multitoolbar and Malwarebytes detects it as PUP.Optional.Amonetize.
Hi there! Just a quick post today, since I’m busy working with the next release of FreeFixer. Did you see a file, such as vlc-media-player.exe, on your system signed by PremiumBeam (New Media Holdings Ltd.)? Then read on.
If you have a PremiumBeam (New Media Holdings Ltd.) file on your computer you may have noticed that PremiumBeam (New Media Holdings Ltd.) pops up as the publisher in the User Account Control dialog when running the file. The PremiumBeam (New Media Holdings Ltd.) certificate shows that the publisher is located in Tel Aviv, Israel.
These are the current VirusTotal detections for the file. PUP.Optional.InstallCore, HEUR/QVM06.1.Malware.Gen, Install Core Click run software (PUA), SScope.Malware-Cryptor.InstallCore and InstallCore (fs) are a few of the detection names for the vlc-media-player.exe file.
Did you also find a file signed by PremiumBeam (New Media Holdings Ltd.)? What kind of download was it and where did you find it?
Hi there! Just a quick post on a file named mediaplayer_update.exe signed by Adverts Technologies.
You can also see the Adverts Technologies certificate by looking under the Digital Signature tab on the file’s properties. According to the certificate, Adverts Technologies is located in Moscow, Russia.
The issue with the Adverts Technologies file is that it is detected by many of the antimalware programs. Here are some of the detection names: Generic.E4D, PUP.Optional.Adverts, HEUR/QVM06.1.Malware.Gen, InstallCore ToDownload (PUA), SAPE.InstallCore.2505, Trojan.Win32.Generic!BT and Adware.BrowseFox.Win32.128816.
Did you also find an Adverts Technologies file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.
Hi there! Just a quick post on a file named Medal Of Honour PC Game Full version Free Download.exe signed by RUn apps fOrevEr Lld.
The following screenshot shows the User Account Control dialog when running the RUn apps fOrevEr Lld file:
It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the RUn apps fOrevEr Lld certificate.
The VirusTotal report shows that the RUn apps fOrevEr Lld file should be avoided, since Medal Of Honour PC Game Full version Free Download.exe is detected as Trojan.OutBrowse.1613 by DrWeb, Downloader.AAPP by AVG, SoftwareBundler:Win32/Outbrowse by Microsoft, OutBrowse by VIPRE and HEUR/QVM42.0.Malware.Gen by Qihoo-360.
Did you also find a file that was digitally signed by RUn apps fOrevEr Lld? What kind of download was it and was it reported by the anti-malware scanners at VirusTotal? Please share by posting a comment.
Welcome! Just wanted to give you the heads up on files digitally signed by SaFE clIck LoL.
You will also see SaFE clIck LoL listed as the verified publisher in the User Account Control dialog that pops up if you try to run the file. It’s possible to view additional information about the embedded certificate by right-clicking on the file, choosing Properties and then clicking on the Digital Signatures tab. According to the certificate, SaFE clIck LoL appears to be located in Dublin, Ireland, and the certificate is issued by thawte SHA256 Code Signing CA.
The problem with the SaFE clIck LoL file is that it is detected by many of the antimalware scanners. Here are some of the detection names: Downloader.AAPP, PUA/Outbrowse.Gen, SoftwareBundler:Win32/Outbrowse and OutBrowse.
Did you also find a SaFE clIck LoL file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.
Hello readers! Just a quick post on a publisher called ClIck to StaRt that I found while running some tests for the upcoming FreeFixer release. The suspicious file is named Animal Porn On Android.exe.
The following screenshot shows the User Account Control dialog when running the ClIck to StaRt file:
To get more details on the publisher, you can view the certificate by right-clicking on the file, and looking under the Digital Signatures tab. The screenshot below shows the ClIck to StaRt certificate. From the certificate info we can see that ClIck to StaRt appears to be located in Dublin, Ireland.
The reason I’m writing this blog post is that the ClIck to StaRt file is detected by many of the anti-virus programs at VirusTotal. AVG reports Luhe.Fiha.A, McAfee reports Adware-OutBrowse.h, Avast names Animal Porn On Android.exe as Win32:Malware-gen, ClamAV detects it as Win.Adware.Outbrowse-1167 and DrWeb detects it as Trojan.OutBrowse.1694.
Did you also find a ClIck to StaRt file? What kind of download was it? If you remember the download link, please post it in the comments below.
Hello! Just a note on a publisher called Media Story (New Media Holdings Ltd). The Media Story (New Media Holdings Ltd) download – chrome-download.exe – was detected when I uploaded it to VirusTotal. Did you also find a download by Media Story (New Media Holdings Ltd)? Was it also detected when you uploaded it to VirusTotal?
By looking at the certificate we can see that Media Story (New Media Holdings Ltd) appears to be located in Tel Aviv in Israel.
What caught my attention was that the download was called chrome-download.exe. This might look like an official Google Chrome download, but it is not. If it was an official download, it would be digitally signed by Google Inc. Here’s what the authentic Google Chrome looks like when you double-click on it. Notice that the “Verified publisher” says “Google Inc”.
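The same publisher check can be scripted instead of read from the dialog. The following is an added example, not part of the original post; the function name and the local path are assumptions, and the expected publisher string is the one the post gives.

```powershell
# Added example, not from the original post: compare a file's Authenticode
# signer with the publisher you expect before running it.
function Test-ExpectedPublisher {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )

    $sig  = Get-AuthenticodeSignature -LiteralPath $Path -ErrorAction Stop
    $cert = $sig.SignerCertificate
    $simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

    # Subject name = who signed the file; issuer name = the CA that
    # issued the code-signing certificate.
    $publisher = $null
    $issuer    = $null
    if ($cert) {
        $publisher = $cert.GetNameInfo($simpleName, $false)
        $issuer    = $cert.GetNameInfo($simpleName, $true)
    }

    # A valid signature only proves who signed the file. The name still
    # has to be the vendor the file name claims to come from.
    $verdict = if ($sig.Status -eq 'NotSigned') {
        'Unsigned'
    } elseif ($sig.Status -ne 'Valid') {
        'SignatureNotValid'
    } elseif ($publisher -ne $ExpectedPublisher) {
        'UnexpectedPublisher'
    } else {
        'PublisherMatches'
    }

    [pscustomobject]@{
        File      = $Path
        Status    = $sig.Status
        Publisher = $publisher
        Issuer    = $issuer
        Verdict   = $verdict
    }
}

# Hypothetical path to the download discussed in the post.
$download = '.\chrome-download.exe'
if (Test-Path -LiteralPath $download) {
    Test-ExpectedPublisher -Path $download -ExpectedPublisher 'Google Inc' | Format-List
}
```

A file like the one described here would report a Valid status together with the UnexpectedPublisher verdict, since it is properly signed, only not by the vendor its name suggests.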
The scan result from VirusTotal below clearly shows why you should avoid the Media Story (New Media Holdings Ltd) file. It is detected under names such as Adware ( 004cf5d71 ), Adware ( 004cf5d71 ), PUP.Optional.InstallCore and Install Core Click run software (PUA).
Since you probably came here after finding a download that was signed by Media Story (New Media Holdings Ltd), please share what kind of download it was and if it was detected by the anti-virus programs at VirusTotal.
Hi there! Ran into a BoxI DJV file about a week ago, but decided not to blog about it since I got the schedule full with other things. I’m currently working on improving the freefixer.com web site with some new features.
However, I changed my mind today about BoxI DJV since there is currently a large number of files being distributed with the BoxI DJV signature. And since the BoxI DJV file is detected by many of the anti-virus programs out there I wanted to give you the heads up with a short blog post about it. Here’s BoxI DJV listed as the verified publisher:
You can see who the signer is when double-clicking on an executable file. BoxI DJV appears in the publisher field in the dialog that pops up. The certificate is issued by thawte SHA256 Code Signing CA.
Here are the detections from VirusTotal for BoxI DJV:
The detection rate is 26/53. The Moborobo.exe file is detected as OutBrowse by VIPRE, Riskware/OutBrowse by Fortinet, PUA.Boxidjv1.Gen by CAT-QuickHeal, Trojan.OutBrowse.1215 by DrWeb, Downloader.YVA by AVG, W32.HfsAdware.9EC9 by Bkav and SAPE.Heur.BB351 by Symantec.
Did you also find a file digitally signed by BoxI DJV? What kind of download was it and where did you find it?