Category Archives: Uncategorized

NEW SOFT Inkorporeishn, TOV – 11% Detection Rate – Amonetize

Welcome! If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. Today I found another publisher called NEW SOFT Inkorporeishn, TOV.

NEW SOFT Inkorporeishn, TOV publisher

You can see who the signer is when you double-click an executable file: the User Account Control prompt (or the Open File security warning) shows the signer in its publisher field, and NEW SOFT Inkorporeishn, TOV is what appears there for this file. You can also inspect the signature by right-clicking the file, choosing Properties and opening the Digital Signatures tab. Keep in mind that a valid signature only tells you who signed the file, not whether the file is wanted. Here's a screenshot of the NEW SOFT Inkorporeishn, TOV certificate.

NEW SOFT Inkorporeishn, TOV cert

So, why am I writing about the NEW SOFT Inkorporeishn, TOV file? Here is what the anti-malware scanners report about it:

NEW SOFT Inkorporeishn TOV anti-virus report

SUPERAntiSpyware reports PUP.Amonetize/Variant, Malwarebytes classifies it as PUP.Optional.Amonetize, Qihoo-360 calls it HEUR/QVM10.1.Malware.Gen and DrWeb reports Trojan.Amonetize.11110. Those are a few of the detection names for Download Uc Browser V Handler Zip__15022_i1756037767_il542797.exe.

Did you also find a NEW SOFT Inkorporeishn, TOV download? What kind of download was it?

Thanks for reading.

SetupFlash (New Media Holdings Ltd.) – 18% Detection Rate

Hello readers! Just wanted to let you know about a publisher called SetupFlash (New Media Holdings Ltd.) before going back to writing some code for FreeFixer.

SetupFlash New Media Holdings Ltd publisher

This is how it looks when you double-click the file: SetupFlash (New Media Holdings Ltd.) appears as the publisher. To get more details on the publisher, view the certificate by right-clicking the file, choosing Properties and looking under the Digital Signatures tab. The certificate shows that SetupFlash (New Media Holdings Ltd.) appears to be located in Israel and that the certificate was issued by GlobalSign CodeSigning CA – G2.

SetupFlash (New Media Holdings Ltd.) cert

What caught my attention was that the download was called chrome-download.exe. This might look like an official Google Chrome download, but it is not. If it were an official download, it would be signed by Google Inc. Here's how authentic Google Chrome looks when you double-click it. Notice that the "Verified publisher" says "Google Inc".
Chrome Google Inc publisher

If you are considering running the file signed by SetupFlash (New Media Holdings Ltd.), I'd advise you not to. Delete it instead. Just check out the detection list from some of the anti-virus programs:

SetupFlash New Media Holdings Ltd. report

Ikarus classifies chrome-download.exe as PUA.InstallCore, VIPRE detects it as InstallCore (fs), Malwarebytes detects it as PUP.Optional.InstallCore and Sophos reports Install Core Click run software (PUA).

Did you also find a SetupFlash (New Media Holdings Ltd.) file?

Thank you for reading.

LLC “YUTA-SOFT” – 13% Detection Rate – BundleApp.NWS / Amonetize

Hi there! Just wanted to give you a heads-up on a file that's digitally signed by LLC "YUTA-SOFT".

LLC YUTA-SOFT publisher

Windows will display LLC "YUTA-SOFT" as the publisher when you run the file. The certificate was issued by COMODO RSA Code Signing CA, and the company appears to be located in Ukraine.

LLC YUTA-SOFT certificate

For the time being, 7 of the scanners detect the file. AVG detects the Yuta Soft file as BundleApp.NWS, Panda reports Trj/Genetic.gen, ESET-NOD32 detects it as "a variant of Win32/Amonetize.LP potentially unwanted", DrWeb reports Trojan.Amonetize.11077 and Malwarebytes detects it as PUP.Optional.Amonetize.

LLC YUTA-SOFT virus report

Did you also find a LLC “YUTA-SOFT” download? What kind of download was it?

Hope this blog post helped you avoid some unwanted software on your machine.

Thank you for reading.

Media Story (New Media Holdings Ltd) – 11% Detection Rate – InstallCore

Hello! Just a note on a publisher called Media Story (New Media Holdings Ltd). The Media Story (New Media Holdings Ltd) download – chrome-download.exe – was detected when I uploaded it to VirusTotal. Did you also find a download by Media Story (New Media Holdings Ltd)? Was it also detected when you uploaded it to VirusTotal?

Media Story New Media Holdings Ltd cert uac

By looking at the certificate we can see that Media Story (New Media Holdings Ltd) appears to be located in Tel Aviv in Israel.

Media Story (New Media Holdings Ltd) cert

What caught my attention was that the download was called chrome-download.exe. This might look like an official Google Chrome download, but it is not. If it were an official download, it would be digitally signed by Google Inc. Here's how authentic Google Chrome looks when you double-click it. Notice that the "Verified publisher" says "Google Inc".
Chrome Google Inc publisher
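The "Verified publisher" check in the SetupFlash and Media Story posts above, done from PowerShell instead of the Properties dialog. This is an added example, not code from the original posts or from FreeFixer. It uses only the built-in Get-AuthenticodeSignature cmdlet; the Downloads path and the small expected-publisher table are assumptions for illustration, and the "Google LLC" alternative reflects that newer Chrome builds are signed under that name rather than "Google Inc".

```powershell
# Added example, not code from the original posts: inspect the Authenticode
# signature of a downloaded installer and compare the signer with the publisher
# the file name implies. Windows PowerShell 5.1 or later.

function Get-SignerInfo {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate          # $null when the file is not signed

    [pscustomobject]@{
        File       = Split-Path -Leaf $Path
        Status     = $sig.Status            # Valid, NotSigned, HashMismatch, NotTrusted, ...
        # SimpleName is just the CN, i.e. what the UAC prompt calls "Verified publisher"
        Publisher  = if ($cert) { $cert.GetNameInfo('SimpleName', $false) } else { '(unsigned)' }
        Issuer     = if ($cert) { $cert.GetNameInfo('SimpleName', $true)  } else { '' }
        Subject    = if ($cert) { $cert.Subject } else { '' }    # full DN, includes O, L, C
        Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
    }
}

# File-name keywords that imitate a well-known product, mapped to the publisher
# CN the real product is signed with (assumption: extend for other products).
$ExpectedPublisher = @{
    'chrome' = '^Google (Inc|LLC)$'
}

function Test-DownloadPublisher {
    param([Parameter(Mandatory)][string]$Path)

    $info    = Get-SignerInfo -Path $Path
    $verdict = 'no expectation for this file name'

    foreach ($keyword in $ExpectedPublisher.Keys) {
        if ($info.File -notmatch $keyword) { continue }
        if ($info.Status -ne 'Valid') {
            $verdict = "looks like $keyword but signature status is $($info.Status)"
        } elseif ($info.Publisher -notmatch $ExpectedPublisher[$keyword]) {
            $verdict = "looks like $keyword but is signed by '$($info.Publisher)' - do not run"
        } else {
            $verdict = "signed by the expected publisher '$($info.Publisher)'"
        }
    }
    $info | Add-Member -NotePropertyName Verdict -NotePropertyValue $verdict -PassThru
}

# Usage: check every executable in the Downloads folder.
Get-ChildItem "$env:USERPROFILE\Downloads\*.exe" -ErrorAction SilentlyContinue |
    ForEach-Object { Test-DownloadPublisher -Path $_.FullName } |
    Format-Table File, Status, Publisher, Issuer, Verdict -AutoSize
```

A Status of Valid only means the signature chains to a root the machine trusts; every file in these posts would pass that test. The useful part is the Publisher column, compared against who should have signed a file with that name.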

The VirusTotal scan result below shows clearly why you should avoid the Media Story (New Media Holdings Ltd) file. It is detected under names such as Adware ( 004cf5d71 ), PUP.Optional.InstallCore and Install Core Click run software (PUA).

Media Story New Media Holdings Ltd anti-virus report

Since you probably came here after finding a download that was signed by Media Story (New Media Holdings Ltd), please share what kind of download it was and whether it was detected by the anti-virus programs at VirusTotal.

Thanks for reading.

Remove WMiniPro.exe From Your Computer

Hi there. Just a quick post on WMiniPro.exe. If you have WMiniPro.exe on your system, you will notice it running in the Task Manager and installed as a new service. I'll show how to remove WMiniPro.exe in this blog post with the FreeFixer removal tool.

WMiniPro.exe task manager

WMiniPro.exe is bundled with a number of downloads. Bundling means that the software is included in another program's installer. When I first found WMiniPro.exe, it was bundled with FlvPlayer.

As always when I find some new bundled software, I uploaded it to VirusTotal to see whether the anti-virus engines there detect anything. 3 of the anti-malware scanners detected the file. ESET-NOD32 reports "a variant of Win32/ELEX.FF potentially unwanted", DrWeb detects it as Adware.Mutabaha.672 and Baidu-International detects WMiniPro.exe as Adware.Win32.ELEX.FF.

WMiniPro.exe anti-virus report

All you need to do to remove WMiniPro.exe is to check the WMiniPro.exe entries in the scan result and click the Fix button. You may have to restart your computer to complete the removal. Here are a few screenshots from the removal that should help you:

WMiniPro.exe process removal

WMiniPro.exe removal

Hope that helped you with the removal.

Do you also have WMiniPro.exe on your machine? Any idea how it was installed? Please share your story in the comments below. Thank you!

Thank you for reading.

Ocsp.Comodoca4.com is Comodo's OCSP Server

Did you just notice ocsp.comodoca4.com in Firefox's, Chrome's, Internet Explorer's or Safari's status bar or network log and wonder where it came from?

ocsp.comodoca4.com

You will see a connection to ocsp.comodoca4.com when the browser uses the Online Certificate Status Protocol (OCSP) to obtain the revocation status of a certificate issued by COMODO. The responder address comes from the Authority Information Access extension of the certificate being checked, so the OCSP host you see tells you which CA issued the certificate, not necessarily which site you were visiting.

This is standard procedure and is nothing to worry about, with one exception that I ran into:

I noticed the connection to ocsp.comodoca4.com on one of my lab machines where I play around with some unwanted software, while doing a search at Google.com. Under normal circumstances, a visit to Google should not trigger a connection to ocsp.comodoca4.com: Google's certificate points to the clients1.google.com OCSP server.

The lab machine had the SalePlus, YouTubeAdBlocke and IStart 5.3.7 software running. Most likely, one of these injected content into Google's page that was loaded from a server with a COMODO-issued certificate, and that is what triggered the OCSP connection. After removing these three potentially unwanted programs, the connections to ocsp.comodoca4.com no longer appeared when searching at Google.
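Here's an added example (not code from the original post) of the check that the above reasoning rests on: read the OCSP responder URLs out of a site's certificate chain and see whether the responder you observed belongs to it. It needs a network connection to the site and Windows PowerShell 5.1 or later; the host names in the usage line are illustrative, and the text parsing relies on the multi-line format Windows uses for the Authority Information Access extension.

```powershell
# Added example, not code from the original post: list the OCSP responder(s)
# named in a site's certificate chain and compare with an observed OCSP host.

function Get-RemoteCertificateChain {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept any certificate here: we only want to read it, not trust it.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally { $client.Close() }

    # Build the chain so intermediates (which have their own OCSP responders) are included.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    [void]$chain.Build($leaf)
    $chain.ChainElements | ForEach-Object { $_.Certificate }
}

function Get-OcspUrl {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    # Authority Information Access extension, OID 1.3.6.1.5.5.7.1.1
    $aia = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
    if (-not $aia) { return }

    # Format($true) renders one "[n]Authority Info Access" entry per access method;
    # keep only the OCSP method (1.3.6.1.5.5.7.48.1), not the CA Issuers URL.
    $text = $aia.Format($true)
    foreach ($entry in ($text -split '\[\d+\]Authority Info Access')) {
        if ($entry -match '1\.3\.6\.1\.5\.5\.7\.48\.1' -and $entry -match 'URL=(\S+)') {
            $Matches[1]
        }
    }
}

function Test-OcspResponder {
    param([Parameter(Mandatory)][string]$SiteHost,
          [Parameter(Mandatory)][string]$ObservedOcspHost)

    $urls     = Get-RemoteCertificateChain -HostName $SiteHost | ForEach-Object { Get-OcspUrl $_ }
    $expected = $urls | ForEach-Object { ([uri]$_).Host } | Sort-Object -Unique

    [pscustomobject]@{
        Site             = $SiteHost
        ExpectedOcspHost = $expected -join ', '
        Observed         = $ObservedOcspHost
        # $false means the responder belongs to some other certificate, e.g. one
        # presented by a server whose content was injected into the page.
        BelongsToSite    = [bool]($expected -contains $ObservedOcspHost)
    }
}

# Usage: is the ocsp.comodoca4.com connection explained by google.com's own chain?
Test-OcspResponder -SiteHost 'www.google.com' -ObservedOcspHost 'ocsp.comodoca4.com'
```

If BelongsToSite comes back $false, the next step is the browser's network log: find the HTTPS request whose certificate was issued by COMODO, and that tells you which injected host the adware is loading.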

What site did you visit when you noticed the connection to ocsp.comodoca4.com? Did you also see it while visiting Google? If so, what potentially unwanted software did you find on your machine?

Remove land.pckeeper.software Pop Up Ads

Did you just get interrupted by a pop-up ad from land.pckeeper.software? You are not alone; I also got the land.pckeeper.software pop-ups while browsing. Do the pop-ups get past the pop-up blocker in Chrome, Firefox, Internet Explorer or Safari? Then read on.

Here's a screenshot of the land.pckeeper.software pop-up ad when it showed up on my machine:

land.pckeeper.software pop up

If this sounds like what you are seeing, you apparently have some adware installed on your system that pops up the land.pckeeper.software ads.

So, how do you remove the land.pckeeper.software pop-up ads? On the machine where I got the land.pckeeper.software ads I had CPUMiner, PineTree and GamesDesktop installed. These three programs are often referred to as "Potentially Unwanted Programs". I removed all three, and that stopped the pop-ups.

The problem with pop-ups like this one is that they can be launched by many variants of adware, which makes it impossible to say exactly what you need to remove to stop them.

Anyway, here’s my suggestion for the land.pckeeper.software ads removal:

The first thing I would do to remove the land.pckeeper.software pop-ups is to examine the programs installed on the machine by opening the "Uninstall a program" dialog, which you can reach from the Windows Control Panel. In recent versions of Windows you can just type "uninstall" into the Control Panel's search field to find it:
Uninstall a program search

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Uninstall a program dialog

Do you see something suspicious listed there, or something that you don't remember installing? Can you see GamesDesktop, PineTree or CpuMiner? Tip: sort on the "Installed On" column to see whether some program was installed around the same time you started getting the land.pckeeper.software pop-ups.

The next thing to check is your browser's add-ons. Adware often appears in the add-ons dialog of Chrome, Firefox, Internet Explorer or Safari. Is there something that looks suspicious? Something that you don't remember installing? Can you see GamesDesktop, PineTree or CpuMiner?
Firefox add-ons manager
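The two checks above (installed programs sorted by install date, then browser add-ons) as one script. This is an added example, not code from the original post or from FreeFixer; it reads the same Uninstall registry keys the Control Panel dialog uses and the extension folders of Chrome and Firefox. The watch list holds the three programs named in the post and is meant to be extended. Windows PowerShell 5.1 or later.

```powershell
# Added example, not code from the original post: list installed programs newest
# first, enumerate Chrome and Firefox extensions, and flag watch-list matches.

function Get-InstalledPrograms {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'   # 32-bit apps on 64-bit Windows
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'               # per-user installs
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            # InstallDate is yyyyMMdd when present; the Control Panel falls back to
            # the key's last-write time, which Get-ItemProperty does not expose.
            $date = if ($_.InstallDate -match '^\d{8}$') {
                [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
            } else { $null }
            [pscustomobject]@{
                Source = 'Program'; Name = $_.DisplayName; Publisher = $_.Publisher
                InstalledOn = $date; Location = $_.InstallLocation; Uninstall = $_.UninstallString
            }
        } | Sort-Object InstalledOn -Descending
}

function Get-ChromeExtensions {
    # One manifest.json per installed extension version, under each Chrome profile.
    $pattern = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\*\Extensions\*\*\manifest.json'
    Get-ChildItem -Path $pattern -ErrorAction SilentlyContinue | ForEach-Object {
        $m = Get-Content -Path $_.FullName -Raw | ConvertFrom-Json
        [pscustomobject]@{
            Source = 'Chrome extension'
            Name   = $m.name                         # "__MSG_x__" means a localised name (see _locales)
            Publisher = $_.Directory.Parent.Name     # the 32-character extension id
            InstalledOn = $_.Directory.CreationTime  # approximation: folder creation time
            Location = $_.Directory.FullName; Uninstall = 'chrome://extensions'
        }
    }
}

function Get-FirefoxExtensions {
    $pattern = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles\*\extensions.json'
    Get-ChildItem -Path $pattern -ErrorAction SilentlyContinue | ForEach-Object {
        $json = Get-Content -Path $_.FullName -Raw | ConvertFrom-Json
        foreach ($addon in $json.addons) {
            $date = if ($addon.installDate) {   # epoch milliseconds
                ([datetime]'1970-01-01').AddMilliseconds($addon.installDate).ToLocalTime()
            } else { $null }
            [pscustomobject]@{
                Source = 'Firefox add-on'; Name = $addon.defaultLocale.name; Publisher = $addon.id
                InstalledOn = $date; Location = $addon.path; Uninstall = 'about:addons'
            }
        }
    }
}

function Find-SuspectEntries {
    param([string[]]$WatchList = @('GamesDesktop', 'PineTree', 'CPUMiner'))   # names from the post
    $all   = @(Get-InstalledPrograms) + @(Get-ChromeExtensions) + @(Get-FirefoxExtensions)
    $regex = ($WatchList | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $all | Where-Object { $_.Name -match $regex -or $_.Location -match $regex }
}

# Usage: the newest installs first (the "Installed On" sort), then the watch list.
Get-InstalledPrograms | Select-Object -First 15 | Format-Table Name, Publisher, InstalledOn -AutoSize
Find-SuspectEntries | Format-Table Source, Name, InstalledOn, Location, Uninstall -AutoSize
```

The per-user HKCU Uninstall key is worth the extra line: bundled adware is frequently installed without administrator rights and never shows up under HKLM.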

Did this blog post help you remove the land.pckeeper.software pop-up ads? Please let me know, or tell me how I can improve this blog post.

Thank you!

Registry Reviver (RegistryReviver.exe) Bundled With Software Downloads

Just a short note on a piece of software called Registry Reviver:

Registry Reviver

If this showed up unexpectedly on your machine, or you noticed a new RegistryReviver.exe process in the Task Manager, it may have been bundled with a software download. I found Registry Reviver in the installer of a film-clip downloader:

registry reviver bundled

I uploaded the RegistryReviver.exe file to VirusTotal, and 2 of the 56 scanners detected the file:

RegistryReviver.exe anti-virus report

In FreeFixer, the registryreviver.exe file shows up in green because Corel Corporation, the company that digitally signed the file, is tagged as trusted.

Should I reconsider?

SRTSP64.SYS PAGE_FAULT_IN_NONPAGED_AREA Blue Screen Fix

I ran into a blue screen this morning in SRTSP64.SYS, with the PAGE_FAULT_IN_NONPAGED_AREA and “Your PC Ran into a problem and needs to restart” error messages. I fixed the srtsp64.sys blue screen error by uninstalling Norton 360.

SRTSP64.SYS PAGE_FAULT_IN_NONPAGED_AREA

I got this blue screen repeatedly, a few minutes after booting my Windows 8 machine. I figured out that SRTSP64.SYS is a Symantec driver by looking in regedit, where it appears under the name "Symantec Real Time Storage Protection x64".

srtsp64.sys symantec protection driver
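The regedit lookup above, scripted: given a driver file name, find the service entry under HKLM\SYSTEM\CurrentControlSet\Services that loads it, and read the vendor from the file's version info and signature. This is an added example, not code from the original post. It assumes Windows PowerShell 5.1 or later and an elevated prompt; the path translations cover the ImagePath forms commonly seen for drivers.

```powershell
# Added example, not code from the original post: which service and vendor does
# a driver file (e.g. SRTSP64.SYS) belong to?

function Get-DriverOwner {
    param([Parameter(Mandatory)][string]$DriverFile)   # e.g. 'SRTSP64.SYS'

    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        # "return" inside ForEach-Object moves on to the next key.
        if (-not $svc.ImagePath) { return }
        if ($svc.ImagePath -notlike "*\$DriverFile") { return }

        # ImagePath uses kernel-style paths; translate the common forms.
        $path = $svc.ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if ($path -match '^system32\\') { $path = Join-Path $env:SystemRoot $path }

        $version = if (Test-Path $path) { (Get-Item $path).VersionInfo } else { $null }
        $sig     = if (Test-Path $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }

        [pscustomobject]@{
            Service     = $_.PSChildName
            DisplayName = $svc.DisplayName      # "Symantec Real Time Storage Protection x64" in the post
            Type        = switch ($svc.Type) { 1 { 'Kernel driver' } 2 { 'File system driver' } default { $svc.Type } }
            Start       = switch ($svc.Start) { 0 { 'Boot' } 1 { 'System' } 2 { 'Automatic' } 3 { 'Manual' } 4 { 'Disabled' } default { $svc.Start } }
            ImagePath   = $path
            Company     = $version.CompanyName
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.GetNameInfo('SimpleName', $false) } else { $null }
            SigStatus   = $sig.Status
        }
    }
}

# Usage: which product owns the driver named on the blue screen?
Get-DriverOwner -DriverFile 'SRTSP64.SYS' | Format-List
```

The Start value matters for the fix: a Boot or System start driver loads before you reach the desktop, which is why the post had to go through safe mode before uninstalling the product that owns it.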

I fixed the PAGE_FAULT_IN_NONPAGED_AREA / SRTSP64.sys blue screen by first restarting the machine in safe mode and then uninstalling Norton 360 from the Windows Control Panel.

Norton 360 uninstall

Did that help you solve the SRTSP64.sys blue screen problem? Did you find another solution to the SRTSP64.sys error that did not involve uninstalling Norton 360?

cpm.exe, CPUMiner and LLC “Kelte-Proekt” – Removal Instructions

I just ran into a Bitcoin miner this morning called cpm.exe. If you have cpm.exe on your machine, you’ll see it in the Task Manager:

cpm.exe task manager

The cpm.exe file is digitally signed by a Ukrainian company called LLC "Kelte-Proekt":

LLC Kelte-Proekt cert

cpm.exe was bundled with an unofficial download of Google Chrome:

CPUMiner

You can easily remove cpm.exe with FreeFixer. Just select cpm.exe under “Registry Startups” and “Processes”.
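The "Processes" and "Registry Startups" view for a file like cpm.exe or WMiniPro.exe (the WMiniPro post above also had it installed as a service), as an added example that is not code from the original posts or from FreeFixer. It finds where the executable runs from, who signed it, and how it persists: service, Run/RunOnce keys and scheduled tasks. Windows PowerShell 5.1 or later, elevated prompt; the Get-ScheduledTask step needs Windows 8 / Server 2012 or later and is skipped silently elsewhere.

```powershell
# Added example, not code from the original posts: locate an unwanted executable
# and every place it is started from, before removing it by hand.

function Get-SignerName {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path $Path)) { return $null }
    $cert = (Get-AuthenticodeSignature -FilePath $Path).SignerCertificate
    if ($cert) { $cert.GetNameInfo('SimpleName', $false) } else { '(unsigned)' }
}

function Find-UnwantedExecutable {
    param([Parameter(Mandatory)][string]$Name)          # 'cpm.exe' or just 'cpm'
    $base = [IO.Path]::GetFileNameWithoutExtension($Name)

    # 1. Running processes (Path is $null for processes you cannot open).
    Get-Process -Name $base -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Kind = 'Process'; Name = $_.ProcessName; Detail = "PID $($_.Id)"
                           Path = $_.Path; Signer = Get-SignerName $_.Path }
    }

    # 2. Services whose binary is this executable.
    Get-CimInstance -ClassName Win32_Service | Where-Object { $_.PathName -like "*$base.exe*" } | ForEach-Object {
        $exe = if ($_.PathName -match '^"?([^"]+\.exe)') { $Matches[1] } else { $_.PathName }
        [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; Detail = "$($_.State), start=$($_.StartMode)"
                           Path = $exe; Signer = Get-SignerName $exe }
    }

    # 3. Run / RunOnce keys for the machine and the current user.
    $runKeys = foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($sub in 'Run', 'RunOnce') {
            "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\$sub"
            "${hive}:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\$sub"
        }
    }
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and $_.Value -like "*$base*" } |
            ForEach-Object {
                [pscustomobject]@{ Kind = 'Run key'; Name = $_.Name; Detail = $key; Path = $_.Value; Signer = $null }
            }
    }

    # 4. Scheduled tasks that execute the file.
    Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object {
        $_.Actions | Where-Object { $_.Execute -like "*$base*" }
    } | ForEach-Object {
        [pscustomobject]@{ Kind = 'Scheduled task'; Name = $_.TaskName; Detail = $_.TaskPath
                           Path = ($_.Actions.Execute -join '; '); Signer = $null }
    }
}

# Usage: everything that runs or starts cpm.exe, with the signer next to each path.
Find-UnwantedExecutable -Name 'cpm.exe' | Format-Table Kind, Name, Detail, Path, Signer -AutoSize
```

Once the list is in front of you, removal by hand is the same order FreeFixer uses: stop the process (Stop-Process -Id), stop and delete the service (Stop-Service, then sc.exe delete), remove the Run value (Remove-ItemProperty -Path -Name), unregister the task (Unregister-ScheduledTask), and only then delete the file. Deleting the file first leaves a startup entry pointing at nothing, and some bundlers re-download the payload from it.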

Hope that helped you figure out what cpm.exe is, how it got onto your machine and how to remove it.

Thanks for reading.