Category Archives: Uncategorized

NEW SOFT Inkorporeishn, TOV – 11% Detection Rate – Amonetize

November 24, 2015UncategorizedAmonetize, UkraineRoger Karlsson

Welcome! If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. Today I found another publisher called NEW SOFT Inkorporeishn, TOV.

You can see who the signer is when double-clicking on an executable file. NEW SOFT Inkorporeishn, TOV appears in the publisher field in the dialog that pops up. It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the NEW SOFT Inkorporeishn, TOV certificate.

So, why am I writing about the NEW SOFT Inkorporeishn, TOV file? Check out what the anti-malware software report about the file:

SUPERAntiSpyware reports PUP.Amonetize/Variant, Malwarebytes classifies it as PUP.Optional.Amonetize, Qihoo-360 calls it HEUR/QVM10.1.Malware.Gen and DrWeb reports Download Uc Browser V Handler Zip__15022_i1756037767_il542797.exe as Trojan.Amonetize.11110 are a few of the detection names for Download Uc Browser V Handler Zip__15022_i1756037767_il542797.exe.

Did you also find a NEW SOFT Inkorporeishn, TOV download? What kind of download was it?

Thanks for reading.

SetupFlash (New Media Holdings Ltd.) – 18% Detection Rate

November 24, 2015UncategorizedIsrael, Tel AvivRoger Karlsson

Hello readers! Just wanted to let you know about a publisher called SetupFlash (New Media Holdings Ltd.) before going back to writing some code for FreeFixer.

This is how it looks when double-clicking on the file and SetupFlash (New Media Holdings Ltd.) appears as the publisher. To get more details on the publisher, you can view the certificate by right-clicking on the file, and looking under the Digital Signatures tab. According to the certificate we can see that SetupFlash (New Media Holdings Ltd.) seems to be located in Israel and that the certificate is issued by GlobalSign CodeSigning CA – G2.

What caught my attention was that the download was called chrome-download.exe. This might look like an official Google Chrome download, but it is not. If it was an official download, it should be signed by Google Inc.. Here’s how the authentic Google Chrome looks like when you double click on it. Notice that the “Verified publisher” says “Google Inc”.

If you are considering to run the SetupFlash (New Media Holdings Ltd.) signed file, I’ll advice you not to. Delete it instead. Just check out detection list by some of the anti-virus program:

Ikarus classifies chrome-download.exe as PUA.InstallCore, VIPRE detects it as InstallCore (fs), Malwarebytes detects it as PUP.Optional.InstallCore and Sophos reports Install Core Click run software (PUA).

Did you also find a SetupFlash (New Media Holdings Ltd.) file?

Thank you for reading.

LLC “YUTA-SOFT” – 13% Detection Rate – BundleApp.NWS / Amonetize

November 14, 2015UncategorizedUkraineRoger Karlsson

Hi there! Just wanted to give you the heads up on a file called that’s digitally signed by LLC “YUTA-SOFT”.

Windows will display LLC “YUTA-SOFT” as the publisher when running the file. The certificate is issued by COMODO RSA Code Signing CA. And the company appears to be located in Ukraine.

For the time being, 7 of the scanners detected the file. AVG detects the Yuta Soft file as BundleApp.NWS, Panda reports Trj/Genetic.gen, ESET-NOD32 detects it as a variant of Win32/Amonetize.LP potentially unwanted, DrWeb reports Trojan.Amonetize.11077 and Malwarebytes detects it as PUP.Optional.Amonetize.

Did you also find a LLC “YUTA-SOFT” download? What kind of download was it?

Hope this blog post helped you avoid some unwanted software on your machine.

Thank you for reading.

Media Story (New Media Holdings Ltd) – 11% Detection Rate – InstallCore

November 3, 2015UncategorizedIsreal, Tel AvivRoger Karlsson

Hello! Just a note on a publisher called Media Story (New Media Holdings Ltd). The Media Story (New Media Holdings Ltd) download – chrome-download.exe – was detected when I uploaded it to VirusTotal. Did you also find a download by Media Story (New Media Holdings Ltd)? Was it also detected when you uploaded it to VirusTotal?

By looking at the certificate we can see that Media Story (New Media Holdings Ltd) appears to be located in Tel Aviv in Israel.

What caught my attention was that the download was called chrome-download.exe. This might look like an official Google Chrome download, but it is not. If it was an official download, it would be digitally signed by Google Inc.. Here’s how the authentic Google Chrome looks like when you double click on it. Notice that the “Verified publisher” says “Google Inc”.

The scan result from VirusTotal below clearly shows why you should avoid the Media Story (New Media Holdings Ltd) file. It is detected under names such as Adware ( 004cf5d71 ), Adware ( 004cf5d71 ), PUP.Optional.InstallCore and Install Core Click run software (PUA).

Since you probably came here after finding a download that was signed by Media Story (New Media Holdings Ltd), please share what kind of download it was and if it was detected by the anti-virus progams at VirusTotal.

Thanks for reading.

Remove WMiniPro.exe From Your Computer

October 31, 2015UncategorizedRoger Karlsson

Hi there. Just a quick post on the WMiniPro.exe. If you got WMiniPro.exe on your system, you will notice WMiniPro.exe running in the task manager and WMiniPro.exe installed as a new service. I’ll show how to remove WMiniPro.exe in this blog post with the FreeFixer removal tool.

WMiniPro.exe is bundled with a number of downloads. Bundling means that software is included in other software’s installers. When I first found WMiniPro.exe, it was bundled with FlvPlayer.

As always when I find some new bundled software I uploaded it to VirusTotal to verify if the anti-viruses there detect anything. 3 of the anti-malware scanners detected the file. ESET-NOD32 reports a variant of Win32/ELEX.FF potentially unwanted, DrWeb detects it as Adware.Mutabaha.672 and Baidu-International detects WMiniPro.exe as Adware.Win32.ELEX.FF.

All you need to do to remove WMiniPro.exe is to check the WMiniPro.exe files in the scan result and click the Fix button. You may have to restart your computer to complete the removal. Here’s a few screenshots from the removal that should help you:

Hope that helped you with the removal.

Do you also have WMiniPro.exe on your machine? Any idea how it was installed? Please share your story the comments below. Thank you!

Thank you for reading.

Ocsp.Comodoca4.com is Comodo’s OSCP Server

October 16, 2015UncategorizedRoger Karlsson

Did you just notice ocsp.comodoca4.com in Firefox’, Chrome’s, Internet Explorer’s or Safari’s status bar or in the network log and wonder where it came from?

You will see a connection to ocsp.comodoca4.com when the browser is using the Online Certificate Status Protocol (OCSP) to obtaining the revocation status for a COMODO certificate.

This is standard procedure and is nothing to worry about, with one exception that I ran into:

I noticed the connection to ocsp.comodoca4.com on one of my lab machines where I play around with some unwanted software. I noticed the connection to ocsp.comodoca4.com while doing a search at Google.com. Under normal circumstances, a visit to Google should not trigger a connection ocsp.comodoca4.com. Google’s certificate points the clients1.google.com OCSP server.

The lab machine had the SalePlus, YouTubeAdBlocke and IStart 5.3.7 software running. Most likely, one of these inserted some HTML code into Google’s page that triggered the OCSP connection. After removing these three potentially unwanted programs, the connections to ocsp.comodoca4.com no longer appeared when searching at the Google search engine.

What site did you visit when you noticed the connection to ocsp.comodoca4.com? Did you also see it while visiting Google? If so, what potentially unwanted software did you find on your machine?

Remove land.pckeeper.software Pop Up Ads

October 15, 2015UncategorizedRoger Karlsson

Did you just get interrupted by a pop-up ad from land.pckeeper.software? You are not alone. I also get the land.pckeeper.software pop-ups while browsing. Do the pop-ups also circumvent the pop-up blocker in Chrome, Firefox, Internet Explorer or Safari. Then read on…

Here’s a screenshot of the land.pckeeper.software pop-up ad when it showed up on my machine:

Does this sound like what you are seeing, you apparently have some adware installed on your system that pops up the land.pckeeper.software ads.

So, how do you remove the land.pckeeper.software pop-up ads? On the machine where I got the land.pckeeper.software ads I had CPUMiner, PineTree and GamesDesktop installed. These three programs are often referred to as “Potentially Unwanted”. I removed these three and that stopped the pop-ups.

The problem with pop-ups like this one is that it can be launched by many variants of adware. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

Anyway, here’s my suggestion for the land.pckeeper.software ads removal:

The first thing I would do to remove the land.pckeeper.software pop-ups is to examine the programs installed on the machine, by opening the “Uninstall programs” dialog. You can reach this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows OS you can just type in “uninstall” in the Control Panel’s search field to find that dialog:

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:

Do you see something suspicious listed there or something that you don’t remember installing? Can you see GamesDesktop, PineTree or CpuMiner? Tip: Sort on the “Installed On” column to see if some program was installed approximately about the same time as you started getting the land.pckeeper.software pop-ups.

The next thing to check would be your browser’s add-ons. Adware often appear under the add-ons dialog in Chrome, Firefox, Internet Explorer or Safari. Is there something that looks suspicious? Something that you don’t remember installing? Can you see GamesDesktop, PineTree or CpuMiner?

Did this blog post help you to remove the land.pckeeper.software pop-up ads? Please let me know or how I can improve this blog post.

Thank you!

Registry Reviver (RegistryReviver.exe) Bundled With Software Downloads

September 30, 2015UncategorizedRoger Karlsson

Just a short note on a piece of software called Registry Reviver:

If this showed up unexpected on your machine, or you noticed a new process called RegistryReviver.exe in the Task Manager, it may have been bundled with a software download. I found Registry Reviver in a film-clip downloader installation package:

I uploaded the RegistryReviver.exe file to VirusTotal, and 2 of the 56 scanners detected the file:

In FreeFixer, the registryreviver.exe file shows up as listed in green since Corel Corporation, the company that digitally signed the file, is tagged as trusted.

Should I reconsider?

SRTSP64.SYS PAGE_FAULT_IN_NONPAGED_AREA Blue Screen Fix

September 15, 2015UncategorizedRoger Karlsson

I ran into a blue screen this morning in SRTSP64.SYS, with the PAGE_FAULT_IN_NONPAGED_AREA and “Your PC Ran into a problem and needs to restart” error messages. I fixed the srtsp64.sys blue screen error by uninstalling Norton 360.

I got this blue screen repeatedly, a few minutes after booting my Windows 8 machine. I figured out that SRTSP64.SYS was a Symantec driver by looking in regedit, where it appeared with the “Symantec Real Time Storage Protection x64” name.

I fixed the PAGE_FAULT_IN_NONPAGED_AREA / SRTSP64.sys blue screen by first restarting the machine into safe mode, and then I uninstalled Norton 360 from the Windows Control Panel.

Did that help you solve the SRTSP64.sys bluescreen problem? Did you find another solution to the SRTSP64.sys error which did not involve uninstalling Norton 360?