Monthly Archives: August 2014

Plugin Update SL – Warning! Stay away from this file

August 25, 2014adware, digital signature, freefixer, malwareDomaIQ, fake Java software, SoftPulseRoger Karlsson

I’m in a hurry here, trying to wrap up the v1.12 release of FreeFixer, but I though I must write a few lines of about a file, digitally signed by Plugin Update SL, that was promoted as a Java update. Here’s how the ad appeared:

When clicking on the ad, a download for something called Player_Setup.exe appeared. That file, is not a Java Update.

The file is digitally signed by Plugin Update SL, which is a company that appears to be located on Tenerife, and if you run the file, it will start an installation of something called NewPlayer. During the installation, it offers lots of bundled unwanted software, such as Findopolis, FreeSoftToday, IStartSurf, etc, etc.

The VirusTotal scan also clearly shows why you should stay away from the Plugin Update SL malware file:

Some of the scanners report it as DomaIQ and SoftPulse.

Did you also find a file signed by Plugin Update SL? Was it also promoted as a Java update?

If you installed any of the bundled software, you can remove those with FreeFixer.

Hope this helped you avoid the Plugin Update SL software. Thanks for reading.

Orbiter, ORBTR, SPPD.sys and SearchProtect by ClientConnect LTD.

August 25, 2014UncategorizedAdware.Orbiter, ClientConnect LTD., conduit, PUP.Optional.Conduit.ARoger Karlsson

I was playing around with a download this morning to see if it bundled some software. When running the installer “Search Protect by Conduit” was offered. The installer also displayed a few links – as shown in the screenshot below – to learn more about the SearchProtect software and to the EULA and the privacy policy, but for some unknown reason, no browser popped up when clicking the links.

Search Protect is designed to change search settings in Firefox, Chrome and Internet Explorer to trovi.com and pop up a notification window when these settings are changed.

Since I more or less on a daily basis look on what’s being bundled with various downloads, I’m used to see Search Protect, but this was a new variant that I had not seen before. It also installed something called Orbiter in “c:\Program Files (x86)\ORBTR” or “c:\Program Files\ORBTR”. The files were named Orbiter.dll and Orbt.ext. A new driver name SPPD.sys also appeared on the hard drive located in “c:\Windows\System32\drivers“. All these files were digitally signed by ClientConnect LTD.

I was curious to see if the anti-virus programs over at VirusTotal detected the orbiter.dll file, and some of them did. As shown in the screenshot, 10 of the 55 anti-virus scanners detected the orbiter.dll file, under various detection names, such as PUP.Optional.Conduit.A and Adware.Orbiter.

If you’d like to remove SearchProtect and Orbiter, you can do so from the Add/Remove programs dialog, by right-clicking on the Search Protect icon and selecting Uninstall. This also uninstalled the Orbiter software.

Did you also get SearchProtect and Orbiter on your machine? Any idea how it was installed? Did the uninstaller work successfully?

Videos MediaPlay-Air – Removal instructions

August 23, 2014UncategorizedRoger Karlsson

It saturday, but since I just found this new adware variant called “Videos MediaPlay-Air” I though I should write a quick post about it. The ads are labeled “Ad by Videos MediaPlay-Air” or “Click to Continue -> by Videos MediaPlay-Air” as shown below.

The Videos MediaPlay-Air adware is detected by some of the anti-virus programs. CrossRider and AppRider are some of the detection names:

Notice how the adware modified the webpage with the “PROGRAMS” link 🙂

Removing Videos MediaPlay-Air is easy. Just select the Videos MediaPlay-Air for removal in FreeFixer, click Fix, reboot your machine and the ads will be gone.

Any idea how you got this on your machine?

Remove PicRec – “Ads by PicRec” Removal Instructions

August 22, 2014UncategorizedOne Call Ltd.Roger Karlsson

Hello, found a new adware just before heading off to the local indian restaurant for lunch. Back in front of the computer now to write the blog post. The adware is called PicRec and displays ads labeled “Ads by PicRec“. Here’s some examples of the ads:

If you have PicRec installed on your machine, you will also see three files, privoxy.exe, picrecs.exe and picrdrw.sys on your computer. The files are digitally signed by One Call Ltd.

Currently none of the anti-virus programs detect the picrecs.exe file according to VirusTotal. I’m sure the anti-virus vendors will add PicRec to their detection database sooner than later.

Since you probably came here searching for removal instructions, let’s get on with it. PicRec can easily be removed by FreeFixer. Just select picrecs.exe, picrdrw.sys and privoxy.exe for removal as shown in the screenshots.

How did you get PicRec on your computer? I found it bundled with another software download where the “I agree” checkbox for PicRec was already checked. Here’s how it was disclosed:

The PicRec’s web site is picrec.com where you can find the Terms and Conditions and privacy policy:

Thanks for reading. Hope this helped you remove PicRec.

Remove Rewin_Cinematic 1.1 – Uninstall Guide

August 22, 2014UncategorizedCrossRider, Monkey Code LabRoger Karlsson

Found a new variant of the CrossRider adware called Rewin_Cinematic 1.1, so I thought I should write a removal guide. If you have the Rewin_Cinematic 1.1 adware on your machine, you will see ads labeled “Ads by Rewin_Cinematic 1.1“. These ads are inserted into web pages when you browse:

Obviously Rewin_Cinematic is adware. The adware files are digitally signed by Monkey Code Lab.

Rewin_Cinematic is installed as add-ons in your web browsers. Here’s how it appears in Mozilla Firefox:

Removing Rewin_Cinematic is pretty easy. All you have to do is check the Rewin_Cinematic files in FreeFixer for removal as shown in the screenshots below.

That’s it! Hope that helped you remove Rewin_Cinematic.

Do you also have the Rewin_Cinematic adware installed on your machine? Any idea how it was installed? Please share by posting a comment.

What is Maxiget Software Manager (Softsonic)? – Removal Instructions

August 21, 2014freefixerRoger Karlsson

Did you find something called Maxiget Software Manger on you machine and wonder where it came from? The Maxiget Software Manger is a desktop application showing a web page named “Softsonic” that promotes software downloads and shows, what to appears to be Google Adsense Ads:

If you have Maxiget Software Manger installed on your computer you may also see a process called MaxigetUpdater.exe running in the Windows Task Manager.

So, how did Maxiget Software Manger install on you computer? It could have been installed as a bundled offer, that was displayed when installing some other software on your machine. I found Maxiget while installing software, and here’s how Maxiget was disclosed:

As usual when I find some bundled software, I upload it to VirusTotal to see what the anti-virus programs says about the file. AVG was the only anti-virus scanner that detected Maxiget, under the Generic.E22 detection name:

If you would like to remove the Maxiget Software Manger, you can do so by selecting the MaxigetUpdater.exe file in FreeFixer:

Or by using the Uninstall programs dialog:

Hope this helped you figure out what Maxiget is.

Did you also get Maxiget as a bundled software offer?

What is One More Game (OMG) And How To Uninstall It

August 21, 2014freefixerRoger Karlsson

Just a quick post about a piece of software called One More Game before going back to programming on the FreeFixer tool. I’m working on a feature that scans Google Chrome Extensions.

Anyway, what’s One More Game? OMG is a piece of software that sits in the system tray and pops up notification about “new and exclusive offers and gaming tips“.

You will also see a process called omg.exe running in the Windows Task Manager.

Did One More Game pop up unexpectedly on your machine? If so, One More Game might have been bundled in another download’s installer. That’s where I found it. Here’s how One More Game was disclosed in the installer of “FLV Player”:

So, what does the anti-virus programs say about the omg.exe file. Not much actually, none of the anti-virus detects OMG, except Symantec that reports omg.exe as WS.Reputation.1:

If you’d like to remove One More Game (OMG) you can do some from the “Uninstall Programs” dialog in the Windows Control Panel. There should be an entry named “One More Game” which you can right-click and select Uninstall.

Any idea how One More Game installed on your computer? Please share by posting a comment.

TubeHD Adware – Removal Instructions

August 19, 2014adware, freefixerCrossRiderRoger Karlsson

I was reviewing some of the files submitted to the FreeFixer database tonight and found something new called TubeHD. This looked like a new variant of the CrossRider adware and the VirusTotal scan result clearly shows that is the case:

Typically, adware such as TubeHD is distributed through bundling. That is, when downloading and installing some application, an additional offer is shown that suggests you should also install TubeHD.

Did you get Tube HD though bundling? If you remember the download link or the name of the software that bundled TubeHD, please let me know by posting a comment below. I’d like to try the installer to see how well TubeHD is disclosed.

Removing TubeHD with FreeFixer is pretty straightforward, assuming it’s just a regular variant of the Crossrider adware. Just select the TubeHD files for removal in the scan result, and then click Fix. The files should all be located in C:\Program Files (x86)\TubeHD-V1.8\ or C:\Program Files\TubeHD-V1.8\. The version number can vary depending on which version of TubeHD you have on your machine.

Thanks for reading!

Oleh Aleksyuk – Stay away from files signed this publisher!

August 19, 2014digital signatureMultiPlugRoger Karlsson

Hello readers, just wanted to warn you about a publisher called Oleh Aleksyuk. I downloaded a file that claimed to be an e-book, but instead the file had an .exe extension and was digitally signed by someone named Oleh Aleksyuk. When launching the file, a bunch of bundled programs was offered in the installer. EZDownloader, SW-Booster and Adblocker were some of the programs that appeared after running the file.

The digital certificate appears to be rather new. It’s valid from the 24th of June, 2014. According to the certificate, Oleh Aleksyuk is located in Russia.

Currently the detection rate for the Oleh Alexsyuk file is very low. When I uploaded the file to VirusTotal, only MalwareBytes detected the file. The detection name is PUP.Optional.MultiPlug. It will be interesting to see if the other anti-virus programs will detect it in the future.

Did you also find a file digitally signed by Oleh Aleksyuk? Do you remember where you downloaded it? Please share by posting a comment.

Ads by Rewin Cinema – Removal Instructions

August 19, 2014adware, freefixerRoger Karlsson

Do you see ads labeled “Ads by Rewin Cinema” in your web browser. If that is the case, you have the Rewin Cinema adware installed and running on your machine. Rewin Cinema is bundled with various free software downloads, and that’s probably how it was installed on your machine. In my case, it was bundled with a download called JDownloader.

You will also see Rewin Cinema installed as an add-on in your web browser. Here’s how it appears in Firefox:

If you would like to uninstall the Rewin Cinema adware you can easily do so by checking the Rewin Cinema files in FreeFixer:

Do you also have the Rewin Cinema adware installed on your machine? Do you remember what download that bundled it? Please share by posting a comment.