Tag Archives: fake Java software

Remove upgrade2check.check-live.com Pop-Up Ads

Does this sound like what you are seeing right now? You see pop-up ads from upgrade2check.check-live.com while browsing websites that typically don’t advertise in pop-up windows. The pop-ups manage to get round the built-in pop-up blockers in Google Chrome, Mozilla Firefox, Internet Explorer, Safari or Opera. Maybe the check-live.com pop-ups appear when clicking search results from a Google search? Or do the pop-ups appear even when you’re not browsing?

Here’s what the check-live.com pop-up looked like when I got it on my machine:

check-live.com pop-up

If this sounds like what you are seeing on your system, you probably have some adware installed on your machine that pops up the check-live.com ads. Contacting the site owner would be a waste of time. The ads are not coming from them. I’ll do my best to help you remove the check-live.com pop-up in this blog post.

Those that have been reading this blog already know this, but for new visitors: Some time ago I dedicated a few of my lab machines and deliberately installed a few adware programs on them. Since then I have been following the behaviour on these machines to see what kinds of ads are displayed. I’m also looking at other interesting things, such as whether the adware auto-updates, or whether it downloads and installs additional unwanted software on the systems. I first observed the check-live.com pop-up on one of these lab systems.

check-live.com was registered on 2015-01-14. upgrade2check.check-live.com resolved to 198.7.56.110.

So, how do you remove the check-live.com pop-up ads? On the machine where I got the check-live.com ads I had PriceLess, PriceHorse, OfferBoulevard and SpeedCheck installed. I removed them with FreeFixer and that stopped the check-live.com pop-ups and all the other ads I was getting in Internet Explorer.

The problem with pop-ups such as this one is that they can be shown by many variants of adware. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

So, what can be done? To remove the check-live.com pop-up ads you need to examine your system for adware or other types of unwanted software and uninstall it. Here’s my suggested removal procedure:

  1. What software do you have installed if you look in the Add/Remove programs dialog in the Windows Control Panel? Something that you don’t remember installing yourself or that was recently installed?
  2. You can also examine the add-ons you installed in your browsers. Same thing here, do you see something that you don’t remember installing?
  3. If that didn’t help, I’d recommend a scan with FreeFixer to manually track down the adware. FreeFixer is a freeware tool that I’m working on that scans your computer at lots of locations, such as browser add-ons, processes, Windows services, recently modified files, etc. If you want to get additional details about a file in the scan result, you can click the More Info link for that file and a web page will open up with a VirusTotal report which will be very useful to determine if the file is safe or malware:

    FreeFixer More Info link example
    An example of FreeFixer’s “More Info” links.

Here’s a video guide showing how to remove pop-up ads with FreeFixer:

Did this blog post help you to remove the check-live.com pop-up ads? Please let me know, or tell me how I can improve this blog post.

Thank you!

“WARNING!!! Your Java Version is Outdated, Have Security Risks, Please Update Now!”

Are you getting messages or pop-ups while browsing the web saying:

“The page at http://s.mjytsw com says: WARNING!!! Your Java Version is Outdated, Have Security Risks, Please Update Now!”

WARNING!!! Your Java Version is Outdated, Have Security Risks, Please Update Now!

When I got this message I was redirected to a “Java Update”. The update was digitally signed by a company called Fileangels, so it’s clearly not an official Java update. The Fileangels file is detected by some of the anti-virus programs at VirusTotal. A real Java update should be digitally signed by the company that owns Java, that is Oracle America, Inc.
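The signer check described above can be scripted. This is an added example, not code from FreeFixer or from the original post; the function name Test-InstallerPublisher and the download path are made up for illustration, and the expected publisher string is the one named above:

```powershell
# Added example: compare a downloaded installer's Authenticode signer with the
# publisher you expect. Function name and file path are hypothetical.
function Test-InstallerPublisher {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Publisher the post names for genuine Java updates.
        [string] $ExpectedPublisher = 'Oracle America, Inc.'
    )

    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate

    $publisher = $null
    $subject   = $null
    if ($cert) {
        # SimpleName is normally the certificate's CN, i.e. the publisher name
        # Windows shows in the UAC prompt.
        $publisher = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName,
            $false)
        # The full subject also carries the locality/country fields.
        $subject = $cert.Subject
    }

    [pscustomobject]@{
        Path      = $Path
        Status    = $sig.Status      # 'NotSigned' for unsigned files
        Publisher = $publisher
        Subject   = $subject
        # A valid signature only proves who signed the file. It says nothing
        # about whether that signer is the vendor the download claims to be
        # from, so both conditions must hold.
        Matches   = ($sig.Status -eq 'Valid' -and $publisher -eq $ExpectedPublisher)
    }
}

# Placeholder path: point this at the file you downloaded.
Test-InstallerPublisher -Path "$env:USERPROFILE\Downloads\setup.exe"
```

A file signed by another publisher can still come back with Status Valid; it is the Publisher value and the Matches column that tell you it is not the vendor's own update.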

I got these faked Java warnings while browsing with Firefox, but they can probably also appear if you are using Chrome or Internet Explorer as your web browser.

So, why are you getting these faked Java Update pop-ups? Most likely you have some adware installed on your machine. When I got these ads, I had lots of adware installed on my lab machine. After removing it with FreeFixer, the “Java Update” pop-ups stopped. These were the adware programs I had and uninstalled: Browser Warden, SmartOnes, TinyWallet, BlockAndSurf and HQ-Video-Pro-2.1c.

To remove these faked Java warnings I would begin by examining the Add/Remove programs dialog in the Control Panel to see if something suspicious is listed there and remove it. Do you see some program that you don’t remember installing? If you sort the programs by the “Installed On” date, do you see anything that was installed at about the same time as you first noticed the “Java” warnings?
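The Add/Remove programs review suggested here, and in the check-live.com removal steps earlier on this page, as an added PowerShell example (not part of the original post or of FreeFixer). It reads the standard Uninstall registry keys; the function name Get-InstalledProgram and the 30-day window are assumptions:

```powershell
# Added example: list installed programs, newest first, from the registry keys
# that back the Add/Remove Programs dialog (64-bit, 32-bit and per-user).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledProgram {
    param([int] $Days = 30)   # assumption: flag anything installed in the last 30 days

    $cutoff = (Get-Date).AddDays(-$Days)

    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            # InstallDate is an optional yyyyMMdd string; many installers omit
            # it or write something else, so parse defensively.
            $parsed = [datetime]::MinValue
            $ok = [datetime]::TryParseExact([string]$_.InstallDate, 'yyyyMMdd',
                [cultureinfo]::InvariantCulture,
                [System.Globalization.DateTimeStyles]::None, [ref]$parsed)

            [pscustomobject]@{
                Name      = $_.DisplayName
                Publisher = $_.Publisher
                Installed = if ($ok) { $parsed } else { $null }
                Recent    = ($ok -and $parsed -ge $cutoff)
                Uninstall = $_.UninstallString
            }
        } |
        Sort-Object Installed -Descending
}

# Entries without a usable install date sort to the bottom; review those by hand.
Get-InstalledProgram -Days 30 |
    Format-Table Name, Publisher, Installed, Recent -AutoSize
```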

I think you should also check the add-ons installed into Chrome, Firefox, Internet Explorer. Do you see anything suspicious? Something that you don’t remember installing?

If that did not fix the problem, you can give FreeFixer a try. It’s a tool that I’ve been working on for some time now. FreeFixer is designed to help you manually identify and remove unwanted software, such as the adware that’s running on your machine. FreeFixer scans the processes running on your computer, browser add-ons, startups, scheduled tasks, recently modified files, and lots of other locations. FreeFixer is freeware and its removal feature is not crippled like many other malware removers out there. If FreeFixer solved your problem, please help me spread the word and let your friends know about it.

Tip: If you are having difficulty figuring out whether a file or setting in FreeFixer’s scan result is legitimate or if it should be removed, please check out the information shown on the More Info page. It will show a VirusTotal report which can be quite useful when trying to determine whether to keep or remove a file.

Click the More Info links to get a VirusTotal report about the file.
The “More Info” links in FreeFixer.

Which adware programs did you have to uninstall to get rid of the “Java Update” warnings?

And if you are looking for the real Java download, go to the official Java site: https://www.java.com/en/

Thanks for reading.

Update 2014-10-26: These fake Java warnings are still going on. Found the same type of pop-up, but this time it mentions another web site: d.andoie.com. What web site does your warning message mention?

d.andoie.com fake java warning pop-up

When clicking on the warning message, the faked Java site at phohyt.com opens up. Is this the site you are redirected to as well?

phohyt.com fake java site

Update 2014-10-27: The pop-ups are still appearing. Now they mention d.mobcgm.com and d.mobdty.com. If you click the OK button in the dialog, apprfv.com opens up, containing a faked Java update site.

d.mobcgm.com pop-up d.mobdty.com fake java

s4.apprfv.com site

Update 2014-10-30: These fake Java warnings and faked Java sites are still popping up. Today the pop-ups mention www.qposwe.com and debajxcj.com and the faked site is hosted at irzsmdcs.com:

debajxcj.com warning

www.qposwe.com warning

irzsmdcs.com fake java site

Update 2014-11-11: This is still going on. zpkaid.com is used to host the fake Java Update site. The title of the page is “Update for Your Computer” and the download is signed by Safe Down.

zpkaid.com java warning

Update 2014-11-13: Today the fake update site is hosted at zrmica.com.

Update 2014-11-14: Today the fake site is hosted at zszpkt.com and ztcdnr.com. The downloads are signed by “Safe Down” and Fileangels.

Update 2014-11-16: Now the fake site is hosted at zwkuvp.com.

Fileangels – Detected as IBryte and OptimunInstaller

Welcome! Just a note on a publisher called Fileangels. The Fileangels download – setup.exe – was detected when I uploaded it to VirusTotal. Did you also find a download by Fileangels? Was it also detected when you uploaded it to VirusTotal?

This is how Fileangels appears when running the file:

fileangels publisher

By looking at the certificate we can see that Fileangels appears to be located in Kansas City, USA.

Fileangels certificate

The reason I’m writing this blog post is that the Fileangels file is detected by some of the anti-malware scanners at VirusTotal. AVG detects setup.exe as AdPlugin.BNR, Fortinet detects it as W32/Zbot.AAN!tr, Kaspersky detects it as Trojan.Win32.Badur.jukw, Malwarebytes reports PUP.Optional.OptimunInstaller and McAfee detects it as IBryte-FRT. In addition, the Fileangels download was also promoted as a “Java Update”.

fileangels virustotal ibryte

Did you also find a file digitally signed by Fileangels? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Thanks for reading.

Plugin Update SL – Warning! Stay away from this file

I’m in a hurry here, trying to wrap up the v1.12 release of FreeFixer, but I thought I must write a few lines about a file, digitally signed by Plugin Update SL, that was promoted as a Java update. Here’s how the ad appeared:

plugin update s.l ad - java update

When clicking on the ad, a download for something called Player_Setup.exe appeared. That file is not a Java update.

Plugin Update SL Certificate

The file is digitally signed by Plugin Update SL, which is a company that appears to be located on Tenerife, and if you run the file, it will start an installation of something called NewPlayer. During the installation, it offers lots of bundled unwanted software, such as Findopolis, FreeSoftToday, IStartSurf, etc, etc.

The VirusTotal scan also clearly shows why you should stay away from the Plugin Update SL malware file:

Plugin Update SL - Virus Total report

Some of the scanners report it as DomaIQ and SoftPulse.

Did you also find a file signed by Plugin Update SL? Was it also promoted as a Java update?

If you installed any of the bundled software, you can remove those with FreeFixer.

Hope this helped you avoid the Plugin Update SL software. Thanks for reading.

Information Technology Systems doo – VirusTotal Report

Just wanted to give you the heads up on a publisher called Information Technology Systems doo.

Information Technology Systems doo Publisher

According to the certificate, the publisher is located in Montenegro:

Information Technology Systems doo Certificate

This is the VirusTotal scan report for the Information Technology Systems doo file:

Information Technology Systems doo - VirusTotal

Generic.DAA, Unwanted-Program and  are some of the detection names.

Did you also find a file signed by Information Technology Systems doo? What kind of download was it? In my case, the download claimed to be the Flash Player installer.

Update 2014-09-03: Found a file promoted as a Java installer, signed by Information Technology Systems doo:

Information Technology Systems doo

The web page is hosted on softkopro.net. The file is called java_setup.exe and is detected by 10 of the 55 anti-virus programs at VirusTotal.

According to the web page, java_setup.exe is a downloader, rather than the real Java setup file:

“Coinis downloader is distributing a proprietary download manager that will take you to the official download of this program. Prior to taking you to the official download, we will offer optional sponsored software that you may be interested in. You are not required to install any additional software to receive your download.”

Update 2016-09-23: I’ve rescanned the java_setup.exe file. Now the detection rate is 31/57. Based on the scan result over at VirusTotal and by looking at the java_setup.exe executable file, it seems that the file contains the InstallCore software rather than the Coinis downloader, contrary to what the web page at softkopro.net stated.