wiz-survey.com Pop-Ups – Removal Instructions

Getting bombarded with survey pop-ups from wiz-survey.com? If so, you probably have some unwanted adware installed on your machine that is launching these pop-ups. I got lots of these pop-ups when playing around with a download that bundled some unwanted software.

wiz-survey.com pop-up ad

I removed the wiz-survey.com pop-up ads by uninstalling the adware I had on the lab machine with FreeFixer. In my case, the adware was Browser Warden, BlockAndSurf and TinyWallet. Keep an eye out for these in the FreeFixer scan result. Please keep in mind that there may be other adware that opens these survey pop-ups too.

Are you also getting these wiz-survey.com surveys?  How did you get rid of them?

PortalMore Adware – How To Remove It

Hello there and welcome to the FreeFixer blog. Today I wanted to talk about an adware called PortalMore that I found a few days ago and give you some removal instructions. PortalMore seems to be a variant of BrowseFox/AltBrowse that I wrote about previously. If the PortalMore adware is installed and running on your computer, you’ll see ads labeled PortalMore Ads inserted into web pages while you browse and new add-ons added in Firefox and Internet Explorer. I’ll show how to remove PortalMore in this blog post with the FreeFixer removal tool.

portalmore 1.0.1 in firefox

PortalMore is bundled with a number of downloads. Bundling means that software is included in other software’s installers. This is how PortalMore was disclosed in the installer when I found it:

portalmore installer

Generally, you can avoid bundled software such as PortalMore by being careful when installing software and declining the bundled offers in the installer.

As usual when I run into some new bundled software I uploaded it to VirusTotal to check if the anti-viruses there find something. Of the 55 anti-malware scanners, 37 detected the file. Some of the detection names for PortalMore are BrowseFox.F, Application.Win32.Altbrowse.AK and PUP.Optional.PortalMore.A.

PortalMore virustotal report

All you need to do to remove PortalMore is to check the PortalMore files in the FreeFixer scan result and click the Fix button. You may have to restart your machine to complete the removal. Here’s a few screenshots that should help you along the way:

portalmorebho.dll file portalmore freefixer

Hope that helped you to figure out how to do the removal.

I stumbled upon PortalMore while testing out some downloads that are known to bundle lots of unwanted software. Any idea how you got PortalMore on your machine? Please share in the comments below. Thank you very much!

Thank you for reading.

You are currently browsing the web with Firefox and your Video Player might be outdated

Here’s another of those misleading ads used to trick you into installing some adware or other types of unwanted software:

“You are currently browsing the web with Firefox and your Video Player might be outdated.”

you are currently browsing

“You are currently browsing the web with Firefox and it is recommended that you update your video player to the fastest version available. Please update to continue.”

How To Remove nes.dilutionbarberryplangent.com Pop-Ups

I’m currently playing around with some adware on one of my lab machines. I started to get lots of pop-up ads from nes.dilutionbarberryplangent.com and I just wanted to let you know how I stopped them.

nes.dilutionbarberryplangent.com pop-up ads

The nes.dilutionbarberryplangent.com pop-ups were caused by the adware, and by removing them with FreeFixer the pop-up problem stopped. Keep an eye out for BlockAndSurf, Browser Warden and TinyWallet in the FreeFixer scan result and remove them. These pop-ups can probably be launched by other adware as well, so you might need to review the scan result in more detail if the pop-ups remain after uninstalling the 3 adware programs mentioned above.

Hope that helped you with the nes.dilutionbarberryplangent.com removal.

Any idea how you got these pop-ups on your machine?

dtw.getupslipperyskullcap.com Pop-Ups – Removal Instructions

Getting pop-ups from dtw.getupslipperyskullcap.com in Chrome, Firefox or Internet Explorer? Then it’s likely you have some adware installed on your machine 🙁

dtw.getupslipperyskullcap.com pop-up

I got the dtw.getupslipperyskullcap.com pop-up ads after testing out a download on my lab machine that I knew bundled some unwanted software. It installed BlockAndSurf, TinyWallet and Browser Warden. After removing these unwanted programs, and a bunch of other unwanted files, with the FreeFixer removal tool, the pop-up ads stopped. These were the files I also deleted in FreeFixer:

  • bservice.exe
  • bservice64.exe
  • wd.exe
  • webinstrnew.sys

Hope that helped you with the removal.

Any idea how you got the dtw.getupslipperyskullcap.com pop-up ads on your machine?

STMSetup – 18% Detection Rate by VirusTotal

Hello readers! Just found yet another interesting file, this time signed by STMSetup. The following screenshot shows the User Account Control dialog when running the STMSetup file:

STMSetup for Skype_Setup.exe

You can also view the certificate by right-clicking on the file, and looking under the Digital Signatures tab. According to the embedded certificate we can see that STMSetup appears to be located in Tel-Aviv in Israel and that the certificate is issued by COMODO Code Signing CA 2.

STMSetup certificate

What caught my attention was that the download was called Skype_Setup.exe. This might look like an official Skype download, but it is not. If it was an official download, it would be digitally signed by Skype Software Sarl. Here’s what the official Skype signature looks like:

Skype Software Sarl
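The same check can be scripted instead of done by hand in the file properties dialog. This is an added example, not part of the original post or of FreeFixer: the function name `Test-ExpectedPublisher` and the download path are hypothetical, while the file name and the expected publisher are the ones mentioned above.

```powershell
# Added example: compare a download's Authenticode signer with the publisher
# that its file name implies. Function name and path are hypothetical.
function Test-ExpectedPublisher {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Publisher the official download is signed by, e.g. 'Skype Software Sarl'.
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )

    # Stop on a missing or unreadable file instead of reporting a bogus verdict.
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path -ErrorAction Stop
    $cert = $sig.SignerCertificate

    # SimpleName is the subject's common name, i.e. the publisher shown in the UAC prompt.
    $signer = $null
    if ($cert) {
        $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $signer   = $cert.GetNameInfo($nameType, $false)
    }

    # A signature can be perfectly valid and still belong to someone else,
    # which is the case for the re-wrapped installers described in this post.
    $verdict = if ($sig.Status -eq 'NotSigned') { 'Unsigned' }
               elseif ($sig.Status -ne 'Valid') { 'InvalidSignature' }
               elseif ($signer -ne $ExpectedPublisher) { 'PublisherMismatch' }
               else { 'Match' }

    [pscustomobject]@{
        File     = Split-Path -Leaf $Path
        Status   = $sig.Status
        Signer   = $signer
        Issuer   = if ($cert) { $cert.Issuer } else { $null }
        Expected = $ExpectedPublisher
        Verdict  = $verdict
    }
}

# Hypothetical location of the download; adjust to where the file was saved.
Test-ExpectedPublisher -Path "$env:USERPROFILE\Downloads\Skype_Setup.exe" `
                       -ExpectedPublisher 'Skype Software Sarl'
```

A `PublisherMismatch` verdict with a `Valid` status is what a file like the one in this post produces: the signature verifies, but the signer is not the vendor the file name suggests.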

So, what does VirusTotal say about Skype_Setup.exe? BehavesLike.Win32.CryptInno.bc, Install Core Click run software and InstallCore (fs) are some detection names:

STMSetup virustotal report

Did you also find a STMSetup file?

Thanks for reading.

Lampy Lighty Removal Instructions

Hello there and welcome to the FreeFixer blog. I just found another bundled adware called Lampy Lighty and thought I should give you some removal instructions. Lampy Lighty seems to be a variant of BrowseFox/AltBrowse that I’ve blogged about before. If the Lampy Lighty adware is installed on your computer, you will notice ads labeled Lampy Light Ads, something called Related Searches appearing in the left column of the browser window and new add-ons added in Internet Explorer and Mozilla Firefox. I’ll show how to remove Lampy Lighty in this blog post with the FreeFixer removal tool.

Lampy Lighty ads Lampy Lighty related searches

Lampy Lighty firefox add-on

LampyLighty is bundled with other software. Bundled means that it is included in another software’s installer. Generally, you can avoid bundled software such as Lampy Lighty by being careful when installing software and declining the bundled offers in the installer. The screenshot shows how LampyLighty was disclosed in the installer:

LampyLighty installer

As always when I find some new bundled software I uploaded it to VirusTotal to test if the anti-viruses there find something fishy. 13% of the anti-malware scanners detected the file which is in my view a pretty low detection rate. The Lampy Lighty files are detected as BrowseFox.F by AVG, Trojan.BPlug.167 by DrWeb and PUP.Optional.LampyLighty.A by Malwarebytes.

Lampy Lighty virustotal

If you would like to remove Lampy Lighty you can do so with the FreeFixer removal tool. Just select the Lampy Lighty files as the screenshots below show. You might have to restart your machine to complete the removal.

Lampy Lighty internet explorer removal Lampy Lighty firefox removal

Hope that helped you to figure out how to do the removal.

Did you also find LampyLighty on your machine? Any idea how it was installed? Please let me and the readers know by posting a comment. Thanks!

Thank you for reading and welcome back.

Webcellence Ltd. – Detected by AVG, NOD32 and DrWeb

Hi there! If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. A few days ago I found another publisher called Webcellence Ltd.

Webcellence Ltd. UAC prompt

To get more details on the publisher, you can view the certificate by right-clicking on the file, and looking under the Digital Signatures tab. According to the certificate we can see that Webcellence Ltd. is located in Moshav Ora, Israel and that the certificate is issued by VeriSign Class 3 Code Signing 2010 CA.

Webcellence Ltd. certificate - adobe_flash_player.exe

The reason I’m writing this blog post is that the Webcellence Ltd. file is detected by a few of the anti-virus programs at VirusTotal. DrWeb classifies adobe_flash_player.exe as Trojan.MulDrop5.38502 and ESET-NOD32 calls it a variant of Win32/InstallCore.QD.

Webcellence Ltd virus total

Although the file is named adobe_flash_player.exe it’s not the official download for the Adobe Flash Player. The real flash player installer should be digitally signed by the Adobe company.

Did you also find a Webcellence Ltd. file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thank you for reading.

ICS Setup – 16% Detection Rate By VirusTotal

Hello! Just a quick post on a file named ChromeSetup.exe signed by ICS Setup before calling it a day. This is how ICS Setup appears when running the file:

ICS Setup

To get more details on the publisher, you can view the certificate by right-clicking on the file, and looking under the Digital Signatures tab. According to the certificate we can see that ICS Setup seems to be located in Tel-Aviv, Israel and that the certificate is issued by COMODO Code Signing CA 2.

ICS Setup certificate

9 of the anti-virus scanners detected the file. Some of the detection names for the ChromeSetup.exe file are W32/InstallCore.AC.gen!Eldorado, BehavesLike.Win32.CryptInno.bc and InstallCore.b (fs).

ICS Setup virustotal

Did you also find an ICS Setup file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thank you for reading.