Recently I’ve been looking at some pop-ups that are launched by adware. These pop-ups, such as enh.guzzlepraxiscommune.com and aal.coupmatch.com, loaded some content from wkj.datropy.com. wkj.datropy.com just recently got blocked in Firefox and Safari due to “Reported Web Forgery” and “Suspected Phishing”. Now the pop-ups appear to load content from inb.genorithm.com instead. It will be interesting to see if inb.genorithm.com also gets blocked by the browsers in the near future.
Remove aim.couphomegame.com Pop-Up Ads
If there are pop-ups from aim.couphomegame.com appearing on your machine that managed to sneak through the built-in pop-up blockers in your browser and that appear on web sites that normally do not have any pop-ups, you probably have some adware installed on your computer.
As you can see above, I got the aim.couphomegame.com pop-up while browsing in Mozilla Firefox, but the pop-ups can appear if you are using other browsers, such as Google Chrome or Microsoft’s Internet Explorer.
If you’ve been visiting this blog for the last month you probably know that I’ve been building a little lab with machines, where I’ve deliberately installed some software that shows advertisements. This type of software is often called adware and most people think it is unwanted and want to uninstall it right away. I totally agree with that. On the lab machine where I found the aim.couphomegame.com pop-up ads, I had installed BlockAndSurf and TinyWallet. I removed these with FreeFixer and the problem was solved. If you have any of these on your machine, that’s a pretty good start: removing those may solve the aim.couphomegame.com problem.
The problem is that the aim.couphomegame.com pop-ups can be caused by other variants of adware too. So, unfortunately, I cannot say exactly what should be removed. Here’s my suggested removal procedure:
- Review the programs you have installed on your machine in the “Remove programs” list in the Windows Control Panel. Do you see anything there that you don’t remember installing or that appeared about the same time as you first noticed the aim.couphomegame.com pop-ups? If you find any adware or other types of unwanted software, uninstall it.
- Open up the add-ons menu in your browser. Do you see something there that looks suspicious or that you don’t remember installing? If you find some unwanted software, remove it.
- If that still did not help, you can give FreeFixer a shot. It’s a freeware tool designed to help users track down and remove unwanted software on their Windows machines. FreeFixer’s removal feature is not crippled like many other removal tools out there and will not require you to pay just when you are about to remove the unwanted files or settings that you found. I’m the developer of this free tool and if it helped you solve the aim.couphomegame.com problem, please help me spread the word and let your friends know about it.
If you are having difficulty determining if a file is safe or malware in FreeFixer’s scan result, please check out what’s behind the More Info links. You can find lots of useful info there that will help you, among other things a scan report from VirusTotal that can be very useful when tracking down the adware.

Well, hope that helped you remove the aim.couphomegame.com ads. What adware did you uninstall to stop the pop-ups? Please share by posting a comment below.
By the way, if you like this blog or the FreeFixer program, please follow me on Twitter, YouTube, Facebook or Google+.
Thanks for reading!
wkj.datropy.com Web Forgery Says Mozilla
If you’ve been following this blog for the last week, you know that I’ve been posting about pop-ups such as enh.guzzlepraxiscommune.com and aal.coupmatch.com. The good news is that Mozilla Firefox is now blocking wkj.datropy.com as a Web Forgery.
If you get pop-ups like this one, you most likely have some adware on your machine. Check out the two links above for more info on how to track down and remove the adware.
Happy adware hunting! Please let me know which adware you had to remove to stop these pop-ups.
Update: Safari on my Mac is now reporting wkj.datropy.com as a suspected phishing site.
Thanks for reading!
How To Scan a File for Viruses with VirusTotal
If this is the first time you hear about VirusTotal.com, add it to your bookmarks right away. VirusTotal is an online service where you can upload a file and more than 50 anti-virus programs will scan the file to detect various types of malware. This can be quite useful if you have downloaded something and you are not confident the file is safe.
Here’s a quick demonstration on how to upload and scan a file at VirusTotal.
- Open your browser and go to www.virustotal.com. It will look something like this:
- Click on the Choose File button and browse to the file that you want to scan. When you’ve found the file, click Open.
- Then click the Scan it! button to start the scan.
- After a few minutes the scan is usually complete. The file I chose to scan, tv.exe, is detected as malware by 8 of the 53 anti-virus scanners as you can see in the screenshot below. The scan result also shows the detection names. Some of the anti-virus programs call the tv.exe file “Cyberservice” and “DownloadGuide”.
Another cool thing with VirusTotal is that they have a free API which allows web sites, such as this one, to upload samples and have the anti-virus programs scan the file. Thanks to this excellent API I can show scan results for files in FreeFixer’s library. Here’s an example of a scan result from freefixer.com for an adware file called PennyBeeW.exe:
Thank you for reading.
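The API mentioned above returns a report that can be reduced to the "N of M scanners" figure and the detection names quoted in these posts. The following is an added example, not code from this blog or from FreeFixer: it assumes the report shape of VirusTotal's v3 API, goes a step beyond the upload walkthrough by looking a file up by its SHA-256 hash, and uses constructed engine names plus an assumed `VT_API_KEY` environment variable.

```powershell
# Added example (not FreeFixer's code). Engine names and verdicts are constructed.
function Get-VtDetectionSummary {
    param([Parameter(Mandatory)] $Report)   # parsed JSON of a v3 file report

    $results = $Report.data.attributes.last_analysis_results
    # Each property of last_analysis_results holds one scanner's verdict.
    $engines = @($results.PSObject.Properties | ForEach-Object { $_.Value })
    # Timeouts, failures and unsupported file types are not scans, so this
    # example leaves them out of the denominator.
    $scanned = @($engines | Where-Object {
        $_.category -in 'malicious', 'suspicious', 'undetected', 'harmless' })
    $hits = @($scanned | Where-Object { $_.category -in 'malicious', 'suspicious' })

    [pscustomobject]@{
        Detections = $hits.Count
        Scanners   = $scanned.Count
        RatePct    = if ($scanned.Count) { [math]::Round(100 * $hits.Count / $scanned.Count) } else { 0 }
        Names      = @($hits | ForEach-Object { '{0}: {1}' -f $_.engine_name, $_.result })
    }
}

# Optional live lookup by hash: the file itself is not uploaded.
# VT_API_KEY is an assumed environment variable holding your own API key.
function Get-VtReportByHash {
    param([Parameter(Mandatory)] [string] $Path)
    $sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()
    Invoke-RestMethod -Uri "https://www.virustotal.com/api/v3/files/$sha256" `
        -Headers @{ 'x-apikey' = $env:VT_API_KEY }
}

# Constructed sample report, trimmed to the fields the summary reads.
$sample = @'
{"data":{"attributes":{"last_analysis_results":{
  "EngineA":{"engine_name":"EngineA","category":"malicious","result":"Adware.Example.A"},
  "EngineB":{"engine_name":"EngineB","category":"suspicious","result":"PUP.Example.B"},
  "EngineC":{"engine_name":"EngineC","category":"undetected","result":null},
  "EngineD":{"engine_name":"EngineD","category":"undetected","result":null},
  "EngineE":{"engine_name":"EngineE","category":"timeout","result":null}
}}}}
'@ | ConvertFrom-Json

$summary = Get-VtDetectionSummary $sample
'{0} of {1} scanners ({2}%)' -f $summary.Detections, $summary.Scanners, $summary.RatePct
$summary.Names
```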
Li Mo Publisher – 22% Detection Rate at VirusTotal
Welcome! Lately I’ve been looking at the digital signatures on those files that push various types of unwanted programs. This morning I found a new file called w3i_webssearches.exe, digitally signed by Li Mo.
You can see who the signer is when double-clicking on an executable file. Li Mo appears in the publisher field in the dialog that pops up. It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the Li Mo certificate.
At the moment, 22% of the scanners detected the file. The w3i_webssearches.exe file is detected as Riskware.Agent! by Agnitum, PUP/Win32.SearchHijacker by AhnLab-V3, PUA.Win32.LiMo.bA by Baidu-International, Adware.Mutabaha.80 by DrWeb and Win32.Application.Elex.E by GData.
Did you also find a file digitally signed by Li Mo? What kind of download was it and where did you find it?
Thank you for reading.
Remove aal.coupmatch.com Pop-Up Ads
Just wanted to let you know about the aal.coupmatch.com pop-ups. If you see these ads on your machine, you most likely have some adware on your machine that launches these pop-ups.
I’m in a hurry, so please bear with this short post. Here’s my suggested removal for the aal.coupmatch.com pop-up ads.
1. Examine the programs installed on your machine in the Add/Remove programs dialog in the Windows Control Panel. Uninstall if you find some adware.
2. Go through the add-ons installed in your browser. If you find some adware, remove it.
3. If that did not help, you can use FreeFixer to manually track down the adware files that opened the aal.coupmatch.com pop-up. Tip: Use the More Info links to open up a VirusTotal report for a particular file in the scan result.

Did you find some adware on your machine? Please post the name of the adware in the comments below to help other users with the aal.coupmatch.com popup problem.
On my machine, the adware responsible for the aal.coupmatch.com pop-up was called Safer-Surf.
Thank you for reading!
GoogleCrashHandler.exe signed by Google Inc (TEST)
Found GoogleCrashHandler.exe bundled with the TornTV adware. I thought the GoogleCrashHandler.exe file looked suspicious since it was bundled with the adware and digitally signed by a self-signed certificate named Google Inc (TEST).
But VirusTotal reported it as clean:
Ads By new_player – Removal Instructions
Hello readers. This will be a short post on some ads labeled “Ads By new_player”. The four images in the ads are labeled “Buzzwok”.
I found these ads after installing a download that I knew bundled lots of adware. After uninstalling everything that came bundled with the download, except an adware called Host Secure, the “Ads By new_player” still remained. So that’s the one responsible for the ads. You can find more info on how to remove HostSecure here.
Did that help you with the removal?
Volvan Premium SL – 28% Detection Rate
Welcome! Was looking for some downloads to play around with and found one, digitally signed by Volvan Premium SL. The file is named google_chrome.exe.
To view more information about the embedded certificate you can right-click on the file, then choose Properties and then select the Digital Signatures tab. According to the embedded certificate we can see that Volvan Premium SL is located in Barcelona, Spain and that the certificate is issued by VeriSign Class 3 Code Signing 2010 CA.
The problem here is that if google_chrome.exe really was a setup file for Google, it would be digitally signed by Google Inc and not by some unknown company. This looks very suspicious.
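The signer check described here, and the self-signed "Google Inc (TEST)" case from the GoogleCrashHandler.exe post, can be scripted instead of read off the Properties dialog. This is an added example, not code from this blog: `Test-SignerClaim` is a hypothetical helper, and the two sample objects are constructed stand-ins whose DN strings and `Status` values are assumptions built from the names given in the posts.

```powershell
# Added example (not from the post). Works on the object returned by
# Get-AuthenticodeSignature or on a stand-in with the same property names.
function Test-SignerClaim {
    param(
        [Parameter(Mandatory)] $Signature,
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )
    $cert = $Signature.SignerCertificate
    $findings = @()
    $signer = $null
    if (-not $cert) {
        $findings += 'file is not signed'
    } else {
        # Take the CN of the certificate subject as the signer name.
        $signer = if ($cert.Subject -match 'CN=("[^"]+"|[^,]+)') { $Matches[1].Trim('"') } else { $cert.Subject }
        if ($signer -ne $ExpectedPublisher) {
            $findings += "signed by '$signer', expected '$ExpectedPublisher'"
        }
        # Subject equal to issuer: nobody but the signer vouches for the name.
        if ($cert.Subject -eq $cert.Issuer) { $findings += 'certificate is self-signed' }
        if ("$($Signature.Status)" -ne 'Valid') {
            $findings += "signature status is $($Signature.Status)"
        }
    }
    [pscustomobject]@{
        Signer = $signer; Suspicious = ($findings.Count -gt 0); Findings = $findings
    }
}

# Constructed stand-ins for the two files described in the posts. The DN
# strings and Status values are assumptions; the names come from the page.
$chromeSetup = [pscustomobject]@{
    Status = 'Valid'
    SignerCertificate = [pscustomobject]@{
        Subject = 'CN=Volvan Premium SL, L=Barcelona, C=ES'
        Issuer  = 'CN=VeriSign Class 3 Code Signing 2010 CA'
    }
}
$crashHandler = [pscustomobject]@{
    Status = 'UnknownError'
    SignerCertificate = [pscustomobject]@{
        Subject = 'CN=Google Inc (TEST)'; Issuer = 'CN=Google Inc (TEST)'
    }
}
Test-SignerClaim $chromeSetup  'Google Inc' | Format-List
Test-SignerClaim $crashHandler 'Google Inc' | Format-List
# On a real file: Test-SignerClaim (Get-AuthenticodeSignature .\google_chrome.exe) 'Google Inc'
```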
So, why did I put up this blog post? Well, the thing is that the Volvan Premium SL file is detected by many of the anti-virus scanners, according to VirusTotal. F-Secure classifies google_chrome.exe as Gen:Variant.Application.Bundler, Malwarebytes calls it PUP.Optional.DomaIQ and McAfee calls it SoftPulse.a.
When I ran the Volvan Premium SL file it offered a bunch of bundled software, such as Wajam, HostSecurePlugin, Salus, SpeedChecker and Super Optimizer.
Did you also find a Volvan Premium SL file? Do you remember where you downloaded it?
Thanks for reading.
Remove HostSecure – HostSecurePlugin and HostSecure.exe Uninstall Guide
Hello there and welcome to the FreeFixer blog. I just found another bundled adware called HostSecure or HostSecurePlugin and will give you some removal instructions. If HostSecure is installed and running on your system, you will see HostSecure.exe running in the Windows Task Manager and an add-on called HostSecurePlugin added into Mozilla Firefox and Internet Explorer. I’ll show how to remove Host Secure in this blog post with the FreeFixer removal tool.
Here’s how the add-on shows up in Firefox:
HostSecure is bundled in other software’s installers. Here’s one example of how it appears in an installer for an unrelated program.
Generally, you can avoid bundled software such as HostSecurePlugin by being careful when installing software and declining the bundled offers in the installer.
As always when I stumble upon some new bundled software I uploaded it to VirusTotal to see if the anti-malware software there detects something interesting. 7 of the 54 anti-malware scanners detected the file. The HostSecurePlugin files are detected as Win-PUP/SoftPulse by AhnLab-V3, WS.Reputation.1 by Symantec and DomaIQ (fs) by VIPRE. Here’s the scan result for HostSecure.exe:
The file is digitally signed by Plugin Update SL.
Removing HostSecure is pretty straightforward with FreeFixer. Just select the Host Secure Plugin files for removal and then click the Fix button and the problem will be solved.
Hope that helped you with the removal.
Do you also have HostSecure on your computer? Any idea how it was installed? Please share your story in the comments below. Thanks a bunch!
Thank you for reading.