“WARNING!!! Your Java Version is Outdated, Have Security Risks, Please Update Now!”

Are you getting messages or pop-ups while browsing the web saying:

“The page at http://s.mjytsw com says: WARNING!!! Your Java Version is Outdated, Have Security Risks, Please Update Now!”

When I got this message I was redirected to a “Java Update”. The update was digitally signed by a company called Fileangels, so it’s clearly not an official Java update. The Fileangels file is detected by some of the anti-virus programs at VirusTotal. A real Java update should be digitally signed by the company that owns Java, that is Oracle America, Inc.

I got these faked Java warnings while browsing with Firefox, but they can probably also appear if you are using Chrome or Internet Explorer as your web browser.

So, why are you getting these faked Java Update pop-ups? Most likely you have some adware installed on your machine. When I got these ads, I had lots of adwares installed on my lab machine. After removing them with FreeFixer, the “Java Update” pop-ups stopped. These were the adware programs I had and uninstalled:

  • Browser Warden
  • SmartOnes
  • TinyWallet
  • BlockAndSurf
  • HQ-Video-Pro-2.1c

To remove these faked Java warnings I would begin by examining the Add/Remove programs dialog in the Control Panel to see if something suspicious is listed there and remove it. Do you see some program that you don’t remember installing? If you sort the programs on the “Installed On” date, do you see anything that was installed at about the same time as you first noticed the “Java” warnings?

I think you should also check the add-ons installed into Chrome, Firefox, Internet Explorer. Do you see anything suspicious? Something that you don’t remember installing?
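The “sort on Installed On” check above can also be done from a PowerShell prompt. This is an added example, not part of FreeFixer; it reads the standard Uninstall registry keys, and the list of names to flag is simply the adware named in this post.

```powershell
# Added example (not FreeFixer code): installed programs, newest first.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Adware names mentioned in this post, matched as substrings of the display name.
$namesFromPost = 'Browser Warden', 'SmartOnes', 'TinyWallet', 'BlockAndSurf', 'HQ-Video-Pro'

function Get-InstalledProgram {
    param(
        # Only return programs installed on or after this date (optional).
        [datetime] $Since = [datetime]::MinValue
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            $entry = $_
            # InstallDate is optional; when present it is usually a yyyyMMdd value.
            $raw = [string]$entry.InstallDate
            $installedOn = $null
            if ($raw -match '^\d{8}$') {
                try {
                    $installedOn = [datetime]::ParseExact(
                        $raw, 'yyyyMMdd', [cultureinfo]::InvariantCulture)
                } catch { }   # leave $null when the value is not a real date
            }
            [pscustomobject]@{
                InstalledOn = $installedOn
                Name        = $entry.DisplayName
                Publisher   = $entry.Publisher
                NamedInPost = [bool]($namesFromPost |
                                  Where-Object { $entry.DisplayName -like "*$_*" })
                Uninstall   = $entry.UninstallString
            }
        } |
        # Entries without a date cannot be ruled out, so they are kept.
        Where-Object { -not $_.InstalledOn -or $_.InstalledOn -ge $Since } |
        Sort-Object -Property InstalledOn -Descending
}

# Everything installed in the last 30 days, plus undated entries:
Get-InstalledProgram -Since (Get-Date).AddDays(-30) |
    Format-Table InstalledOn, Name, Publisher, NamedInPost -AutoSize
```

Entries with an empty Publisher, or installed on the day the pop-ups started, are the ones to look at first.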

If that did not fix the problem, you can give FreeFixer a try. It’s a tool that I’ve been working on for some time now. FreeFixer is designed to help you manually identify and remove unwanted software, such as the adware that’s running on your machine. FreeFixer scans the processes running on your computer, browser add-ons, startups, scheduled tasks, recently modified files, and lots of other locations. FreeFixer is freeware and its removal feature is not crippled like many other malware removers out there. If FreeFixer solved your problem, please help me spread the word and let your friends know about it.

Tip: If you are having difficulty figuring out whether a file or setting in FreeFixer’s scan result is legitimate or if it should be removed, please check out the information shown on the More Info page. It will show a VirusTotal report which can be quite useful when trying to determine whether to keep or remove a file.

Click the More Info links to get a VirusTotal report about the file.
The “More Info” links in FreeFixer.

Which adware programs did you have to uninstall to get rid of the “Java Update” warnings?

And if you are looking for the real Java download, go to the official Java site: https://www.java.com/en/

Thanks for reading.

Update 2014-10-26: These fake Java warnings are still going on. Found the same type of pop-up, but this time it mentions another web site: d.andoie.com. What web site does your warning message mention?

d.andoie.com fake java warning pop-up

When clicking on the warning message, the faked Java site at phohyt.com opens up. Is this the site you are redirected to as well?

phohyt.com fake java site

Update 2014-10-27: The pop-ups are still appearing. Now they mention d.mobcgm.com and d.mobdty.com. When clicking the OK button in the dialog, apprfv.com opens up, containing a faked Java update site.

d.mobcgm.com pop-up

d.mobdty.com fake java

s4.apprfv.com site

Update 2014-10-30: These fake Java warnings and faked Java sites are still popping up. Today the pop-ups mention www.qposwe.com and debajxcj.com and the faked site is hosted at irzsmdcs.com:

debajxcj.com warning

www.qposwe.com warning

irzsmdcs.com fake java site

 

Update 2014-11-11: This is still going on. zpkaid.com is used to host the fake Java Update site. The title of the page is “Update for Your Computer” and the download is signed by Safe Down.

zpkaid.com java warning

Update 2014-11-13: Today the fake update site is hosted at zrmica.com.

Update 2014-11-14: Today the fake site is hosted at zszpkt.com and ztcdnr.com. The downloads are signed by “Safe Down” and Fileangels.

Update 2014-11-16: Now the fake site is hosted at zwkuvp.com.

Remove InetStat – InetStat.exe Removal Instructions

Just found a file called InetStat.exe, bundled in another software download. InetStat.exe was located in c:\users\%USERNAME%\appdata\roaming\inetstat. I could also see it running in the Windows Task Manager.

inetstat.exe task manager

InetStat.exe was not detected by the anti-virus programs over at VirusTotal when I uploaded it, but I think it should be removed anyway. It was bundled with another software download, but as far as I could see, not disclosed in the installer. The file did not have a digital signature or any version information that could help users figure out the purpose of the file and who developed it.

inetstat.exe virustotal

I’ve saved a copy of the InetStat.exe file to see if it will be added to the anti-virus programs detection list in the future.

Anyway, if you’d like to remove InetStat, you can do so with FreeFixer. Just select InetStat.exe for removal:

inetstat.exe startup remove

inetstat.exe remove

Thanks for reading.

Safe Down – 22% Detection Rate – Detected as IBryte and

Welcome! Just a short post on a publisher called Safe Down. I just found a download named Java_Setup.exe that was digitally signed by this publisher, and it turns out that it is detected by some anti-virus programs.

What caught my attention was that the download was called Java_Setup.exe. This might look like an official Java download, but it is not. If it was an official download, it should be digitally signed by Oracle INC.

22% of the scanners detected the file. ESET-NOD32 reports Java_Setup.exe as a variant of Win32/AdWare.iBryte.BM, Fortinet detects it as W32/Zbot.AAN!tr, Kaspersky calls it Trojan.Win32.Badur.joje, McAfee reports IBryte-FRK and VIPRE names it Optimum Installer (fs).

safe down virustotal

Did you also find a Safe Down file?

Thank you for reading.

Astro Network (Fried Cookie Ltd.) Publisher Information

Hello! If you’ve been following my recent posts here on the FreeFixer blog, you know that I’ve been looking at files that have a valid digital signature and bundle various types of programs. This morning I found another publisher named Astro Network (Fried Cookie Ltd.).

The following screenshot shows the User Account Control dialog when running the Astro Network (Fried Cookie Ltd.) file:

Astro Network Fried Cookie Ltd publisher

You can also check who signed a file by checking the digital signature tab. According to the certificate we can see that Astro Network appears to be located in Tel Aviv, Israel and that the certificate is issued by GlobalSign CodeSigning CA – G2.

Astro Network Fried Cookie Ltd certificate

What caught my attention was that the download was called Skype_Setup.exe. This might look like an official Skype download, but it is not. If it was an official download, it would have been signed by Skype Software Sarl. And that’s why I’m writing this blog post. If you are looking for the official Skype download, go to http://www.skype.com/ to get the real deal.

I uploaded the Skype_Setup.exe file to VirusTotal, but none of the 50+ anti-virus scanners detected it. Was your file detected by the anti-virus programs?

Did you also find a file signed by Astro Network? What kind of download was it and where did you find it? How was the download promoted? Did it appear in the sponsored search results in one of the search engines?

Remove surveygenieonline.com Pop-Up Surveys

Did you just get a new tab or a pop-up from surveygenieonline.com that managed to leak through your browser’s pop-up blocker, or did you get redirected to surveygenieonline.com from the web page you were browsing? It’s possible that you have some adware installed on your machine that launched the surveygenieonline.com surveys. I’ll try to help you remove the surveygenieonline.com pop-ups in this blog post.

Here’s a few screenshots of the surveygenieonline.com surveys that I got on my lab machine. They all have the country as a subdomain, in my case that’s sweden.

sweden.surveygenieonline.com pop-up 2

surveygenieonline.com pop-up survey

surveygenieonline.com pop-up

surveygenieonline.com firefox survey

 

All of these appeared in Mozilla Firefox, but you will most likely have the same problem if you are browsing the web with Google Chrome or Microsoft Internet Explorer.

I recently started to examine what advertisements adware are showing to the users. I think it’s important to talk about these pop-ups and surveys since it’s usually the first sign the user sees after getting the adware. In my case, I’ve installed a few adwares on my lab machine and now I’m closely following and documenting the ads that appear.

Generally, these surveys appear in a new tab while you are browsing the web. They often try to make it appear as if the survey was initiated by the site you were browsing, by mentioning the domain name. That happened to me too, as you can see in the screenshots above, they mention the www.freefixer.com site which was the site I was currently browsing. The surveys sometimes claim that you will be compensated for completing it. That also happened here, where one of the surveys said it would give me a prize worth 400 SEK.

Something that’s interesting is the amount of traffic the surveygenieonline.com web site is getting. Just check out the traffic rank from Alexa. Rank 12500 means that it’s getting a lot of traffic. So you are probably not the only one getting these surveys 😉

surveygenieonline.com traffic rank

So, what is required to remove surveygenieonline.com? Well, in my case, I had three adwares installed on my machine. They were Browser Warden, BlockAndSurf, TinyWallet. One of them was responsible for the pop-ups. I removed those three with FreeFixer and the surveygenieonline.com surveys were gone. The problem is that the surveygenieonline.com surveys can be launched by many variants of adware, so if you don’t have any of the three adwares mentioned above, you might have to dig in a little deeper to track down the unwanted software.

If you had to remove something else, in addition to the 3 adwares I mentioned above, please post a comment below to help other users that are struggling in the same situation.

Thanks for reading.

 

Remove “powered by SmartOnes” Ads

Hello guys and gals. As usual I was looking around on the Internet to see what is being bundled with some software downloads. This time I found something called SmartOnes. If you have SmartOnes on your computer, you’ll find new add-ons installed in Chrome, Internet Explorer and Mozilla Firefox and ads labeled powered by SmartOnes while browsing the web. I’ll show how to remove SmartOnes in this blog post with the FreeFixer removal tool.

powered by SmartOnes

powered by SmartOnes banner

Here’s how SmartOnes appears in Firefox and Internet Explorer:

SmartOnes in the Firefox add-ons manager

SmartOnes in the Internet Explorer add-ons menu

SmartOnes is distributed by a strategy called bundling. Bundling means that a piece of software is included in other software’s installers. When I first found SmartOnes, it was bundled with a download claiming to be an episode of the Game of Thrones TV series. Here’s how it appeared in the installer where I found it:

smartones bundled

Generally, you can avoid bundled software such as SmartOnes by being careful when installing software and declining the bundled offers in the installer.

As always when I test some new bundled software I uploaded it to VirusTotal to see if the anti-viruses there detect anything. 4 of the scanners detected the file. MultiPlug seems to be the common detection name.

smartones virustotal

The SmartOnes removal with FreeFixer is straightforward. Check all the SmartOnes items for removal and click fix. Here’s a few screenshots from the removal that should help you:

smartones chrome

smartones firefox remove

SmartOnes Internet Explorer remove

To remove the Chrome extension, type in chrome://extensions/ in Chrome’s address bar.

Hope this helped you remove the SmartOnes adware.

Any idea how SmartOnes was installed on your computer? Please share by posting a comment. Thanks a bunch!

Thank you for reading and welcome back.

Remove HQ-Video-Pro-2.1cV22.10 Ads

Hello there and welcome to the FreeFixer blog. Did something called HQ-Video-Pro-2.1cV22.10 appear on your machine? HQ-Video-Pro-2.1cV22.10 seems to be a variant of CrossRider that I’ve written about before. If you have HQ-Video-Pro-2.1cV22.10 on your machine, you will find ads labeled powered by HQ-Video-Pro-2.1cV22.10 in Google search results. You will also see new add-ons installed in Internet Explorer and Mozilla Firefox. I’ll show how to remove HQ-Video-Pro-2.1c in this blog post with the FreeFixer removal tool.

powered by hq-video-pro-2.1

HQ-Video-Pro-2.1 firefox

HQ-Video-Pro-2.1cV22.10 internet explorer

HQ-Video-Pro-2.1c is bundled with a number of downloads. Bundling means that software is included in other software’s installers. When I first found HQ-Video-Pro-2.1cV22.10, it was bundled with a download called FlvPlayer. Generally, you can avoid bundled software such as HQ-Video-Pro-2.1c by being careful when installing software and declining the bundled offers in the installer.

As usual when I play around with some new bundled software I uploaded it to VirusTotal to test if the anti-malware software there finds something. The detection rate is 4/54 which I’d say is pretty low. Some of the detection names for HQ-Video-Pro-2.1cV22.10 are a variant of Win64/Toolbar.Crossrider.L, PUP.Optional.HQVideo.A and Crossrider (fs). The file is signed by “Radon Battery Technologies”.

HQ-Video-Pro-2.1cV22.10 virustotal

The HQ-Video-Pro-2.1cV22.10 removal with FreeFixer is pretty straightforward. Check all the HQ-Video-Pro-2.1cV22.10 files/settings for removal and click fix. Here’s a few screenshots from the removal that should help you:

HQ-Video-Pro-2.1cV22.10 internet explorer remove

HQ-Video-Pro-2.1cV22.10 firefox remove

Hope this helped you remove the HQ-Video-Pro-2.1cV22.10 Adware.

Any idea how you got HQ-Video-Pro-2.1cV22.10 on your computer? Please share in the comments below. Thanks a bunch!

Hope you found this useful. Thanks for reading.

Update 2014-10-24: Found another variant called HQ-Video-Pro-2.1cV23.10.

Update 2014-10-25: Another variant: HQ-Video-Pro-2.1cV24.10.

Seems like the version number is updated every day. So I’ll assume we will see the following variants shortly:

  • HQ-Video-Pro-2.1cV25.10
  • HQ-Video-Pro-2.1cV26.10
  • HQ-Video-Pro-2.1cV27.10
  • HQ-Video-Pro-2.1cV28.10
  • HQ-Video-Pro-2.1cV29.10
  • HQ-Video-Pro-2.1cV30.10

Fileangels – Detected as IBryte and OptimunInstaller

Welcome! Just a note on a publisher called Fileangels. The Fileangels download – setup.exe – was detected when I uploaded it to VirusTotal. Did you also find a download by Fileangels? Was it also detected when you uploaded it to VirusTotal?

This is how Fileangels appears when running the file:

fileangels publisher

By looking at the certificate we can see that Fileangels appears to be located in Kansas City, USA.

Fileangels certificate

The reason I’m writing this blog post is that the Fileangels file is detected by some of the anti-malware scanners at VirusTotal. AVG detects setup.exe as AdPlugin.BNR, Fortinet detects it as W32/Zbot.AAN!tr, Kaspersky detects it as Trojan.Win32.Badur.jukw, Malwarebytes reports PUP.Optional.OptimunInstaller and McAfee detects it as IBryte-FRT. In addition, the Fileangels download was also promoted as a “Java Update”.

fileangels virustotal ibryte

Did you also find a file digitally signed by Fileangels? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Thanks for reading.

Astro Delivery (Fried Cookie Ltd.) – 4% Detection Rate

Welcome! If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. Today I found another publisher called Astro Delivery (Fried Cookie Ltd.).

Astro Delivery Fried Cookie Ltd. publisher

You can also check the digital signature under the file’s properties. According to the certificate we can see that Astro Delivery (Fried Cookie Ltd.) is located in Tel Aviv, Israel and that the certificate is issued by GlobalSign CodeSigning CA – G2. The certificate is pretty new: its validity period started yesterday, on the 21st of October.

Astro Delivery Fried Cookie Ltd certificate

One issue here, and this could perhaps be one of the reasons why a few anti-virus programs have chosen to detect the file, is that Skype_Setup.exe is not an official Skype download. If it was, it would be digitally signed by Skype Software Sarl.
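The signer check used throughout these posts (a Java_Setup.exe that is not signed by Oracle, a Skype_Setup.exe that is not signed by Skype) can be scripted instead of read off the digital signature tab. This is an added PowerShell example, not FreeFixer code; the file-name patterns and the Downloads path are assumptions, and the publisher names are the ones given in these posts.

```powershell
# Added example (not FreeFixer code). Publisher names are those stated in these posts;
# vendors change certificate subjects over time, so confirm them against a download
# taken from the vendor's own site.
$expectedPublisher = [ordered]@{
    'Java*'  = 'Oracle America, Inc.'
    'Skype*' = 'Skype Software Sarl'
}

function Test-InstallerPublisher {
    param([Parameter(Mandatory)] [string] $Path)

    $file = Get-Item -LiteralPath $Path

    # Which publisher does the file name imply, if any?
    $expected = $null
    foreach ($pattern in $expectedPublisher.Keys) {
        if ($file.Name -like $pattern) { $expected = $expectedPublisher[$pattern]; break }
    }

    $sig      = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $cert     = $sig.SignerCertificate
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $signer    = if ($cert) { $cert.GetNameInfo($nameType, $false) }   # certificate subject
    $issuer    = if ($cert) { $cert.GetNameInfo($nameType, $true) }    # issuing CA
    $validFrom = if ($cert) { $cert.NotBefore }

    # Trust the name only when the signature verifies AND the signer is the expected one.
    if (-not $expected) {
        $verdict = 'NoExpectation'
    } elseif ($sig.Status -eq 'Valid' -and $signer -eq $expected) {
        $verdict = 'Match'
    } else {
        $verdict = 'Mismatch'
    }

    [pscustomobject]@{
        File      = $file.Name
        Status    = $sig.Status     # Valid, NotSigned, HashMismatch, ...
        Signer    = $signer
        Issuer    = $issuer
        ValidFrom = $validFrom
        Expected  = $expected
        Verdict   = $verdict
    }
}

# Check every .exe in the Downloads folder (path is an assumption):
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter *.exe |
    ForEach-Object { Test-InstallerPublisher -Path $_.FullName } |
    Format-Table File, Status, Signer, Expected, Verdict -AutoSize
```

A valid signature only says who signed the file; a `Mismatch` row with Status `Valid` is exactly the case described here, a correctly signed installer from a publisher other than the one its name suggests.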

The scan result from VirusTotal below shows that only 4% of the antivirus programs detect the Astro Delivery (Fried Cookie Ltd.) file. It is detected under names such as a variant of Win32/InstallCore.QH and Riskware.Win32.InstallCore.dfgoti. It will be interesting to see if other anti-virus scanners choose to follow ESET and NANO.

astro delivery fried cookie ltd virustotal report

Did you also find an Astro Delivery (Fried Cookie Ltd.) file?

Thanks for reading.