Monthly Archives: October 2014

Click Yes – 6% Detection Rate at VirusTotal

Hi there! If you’ve been following my recent posts here on the FreeFixer blog, you know that I’ve been looking at files that have a valid digital signature and bundle various types of potentially unwanted programs. This morning I found another publisher named Click Yes. The following screenshot shows the User Account Control dialog when running the Click Yes file:

Click Yes publisher in the UAC dialog

By looking at the certificate we can see that Click Yes appears to be located in Dublin, Ireland. The certificate is quite new: its validity period started yesterday, on the 21st of October.

Click Yes certificate

The VirusTotal report shows that the Click Yes file should probably be avoided, since setup.exe is detected as APPL/Downloader.Gen by Avira, Trojan.Packed.29192 by DrWeb and Win32/OutBrowse.AY by ESET-NOD32. The detection rate is only 6% which is quite low.

Click Yes virus total report - 6% detection rate

Did you also find a Click Yes file? What kind of download was it? If you remember the download link, please post it in the comments below and I’ll upload it to VirusTotal to see if the detection rate is improved.

Hope this blog post helped you avoid some unwanted software on your machine.

Thanks for reading.

Remove wwu.bouffebasculetimeous.com Pop-Up Ads

Getting lots of pop-up ads from wwu.bouffebasculetimeous.com? If you have been following my posts here on the blog for the last week, you know that I’ve been documenting the domain names that appear in pop-ups launched by adware installed on user machines.

wwu.bouffebasculetimeous.com pop-up ad in Firefox

Adware is probably why you are getting these wwu.bouffebasculetimeous.com pop-ups. I removed the wwu.bouffebasculetimeous.com ads by using the freeware tool FreeFixer to uninstall two adware programs that were installed on my machine. The first was called TinyWallet and the other was named BlockAndSurf.

I think that other variants of adware can launch these pop-ups. Please keep that in mind while examining your computer for the unwanted software.

If you had to remove something other than BlockAndSurf or TinyWallet, please post a comment below to help other users in the same situation.

I also tried to get some more information about the bouffebasculetimeous.com domain using a WHOIS lookup, but the domain is protected by the WHOISGUARD company 🙁 wwu.bouffebasculetimeous.com resolves to the IP addresses 37.58.101.202 and 37.58.101.203.

BOUFFEBASCULETIMEOUS.COM whois lookup

Did this help you solve the bouffebasculetimeous.com problem?

Thanks for reading

Open Source Developer – 13% Detection Rate at VirusTotal

Hello! Just a quick post on a publisher called Open Source Developer that I found some time ago while running some tests for the upcoming FreeFixer release. This is how it looks when double-clicking on the file and Open Source Developer appears as the publisher. It is also possible to check a digital signature by looking at a file’s properties, if you’d like to do that.

Open Source Developer publisher

I decided to upload the file to VirusTotal. Of the 53 anti-malware scanners, 7 detected the file. That’s a 13% detection rate. InstallCore seems to be the common detection name.

open source developer virus total report

Did you also find a file digitally signed by Open Source Developer? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Thank you for reading.

Zoobam – 20% Detection Rate – Detected as WebInstallBundle and DownloadAdmin

Hi there! Just wanted to give you a heads-up on a file I found right now. The file is named installer_jdownloader_Spanish.exe and digitally signed by Zoobam. This is how Zoobam appears when running the file:

zoobam publisher

Information about a digital signature and the certificate can also be found under the Digital Signature tab. According to the certificate we can see that Zoobam seems to be located in USA and that the certificate is issued by Go Daddy Secure Certificate Authority – G2.

zoobam certificate

Of the 54 anti-malware scanners at VirusTotal, 11 detected the file. The installer_jdownloader_Spanish.exe file is detected as Adware:W32/WebInstallBundle by F-Secure, PUP.Optional.DownloadAdmin by Malwarebytes and DownloadAdmin (fs) by VIPRE.

zoobam virustotal

Did you also find a Zoobam download? What kind of download was it?

Thank you for reading.

WordProser Ads Removal Instructions

Hello readers. Welcome to the blog. Just a short post on a program called Word Proser or WordProser. Word Proser appears to be a variant of Vitruvian that I’ve blogged about before. If you have WordProser installed and running on your computer, you will find ads labeled WordProser Ads or Ads by WordProser, new add-ons in Mozilla Firefox and Internet Explorer and a new service called wpsvc.exe. I’ll show how to remove WordProser in this blog post with the FreeFixer removal tool.

Ads by WordProser WordProser Ads

Word Proser 1.10.0.1 Firefox add-on

You may also see the “WordProser search results”:

WordProser search results

Word Proser is bundled with a number of downloads. Bundling means that software is included in other software’s installers. When I first found Word Proser, it was bundled with a piece of software called FastPlayer. The screengrab below shows how the FastPlayer installer informed the user that Word Proser was bundled.

WordProser bundled

Generally, you can avoid bundled software such as Word Proser by being careful when installing software and declining the bundled offers in the installer.

As always when I find some new bundled software, I uploaded it to VirusTotal to see if the anti-malware programs there detect anything interesting. 3 of the scanners detected the file. The Word Proser files are detected as a variant of Win32/AdWare.Vitruvian.D by ESET-NOD32 and InfoAtoms (fs) by VIPRE.

wpsvc.exe VirusTotal report

Since you probably want to remove Word Proser: wpnfd_1_10_1.sys, wpsvc.exe and WordProserClient.dll are the files you should check for removal in FreeFixer. You might have to reboot your computer to complete the removal. Problem taken care of.

WordProser in FreeFixer: wpnfd_1_10_1.sys driver, WordProserClientIE.dll, wpsvc.exe service, Word Proser process and Firefox extension

Hope that helped you with the removal.

Any idea how you got Word Proser on your computer? Please share your story in the comments below. Thank you!

Hope you found this useful. Thanks for reading.

Remove RCore Trojan – RCore.exe Removal Instructions

Hello guys and gals. Just a quick post on the RCore trojan. If RCore is installed on your machine, you will see rcore.exe in the Windows Task Manager and a new service called rcores pointing to rcore.exe. I’ll show how to remove RCore in this blog post with the FreeFixer removal tool.

rcore.exe task manager

RCore is distributed by a method called bundling. Bundling means that a piece of software is included in other software’s installers.

When I find some new bundled software I always upload it to VirusTotal to see if the anti-malware scanners there detect anything fishy. The detection rate is 14/52. The RCore files are detected as Trojan.Win32.Generic.pak!cobra by AVware, a variant of Win32/Agent.WGA by ESET-NOD32 and Artemis!0339F1025037 by McAfee.

rcore.exe virustotal report

You can remove RCore with the FreeFixer removal tool. Here are a few screenshots from the removal that should help you. A restart of your computer may be required to complete the removal.

rcore.exe service named rcores; removing rcore.exe with FreeFixer
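The indicator described in this post and in the WordProser post above, a new service pointing at an executable nobody recognises, can be listed with the following PowerShell audit. It is an added example, not part of the original post or of FreeFixer; the regex used to split Win32_Service.PathName and the choice to report only services whose binary lacks a valid Authenticode signature are my assumptions.

```powershell
# Added example, not code from the FreeFixer blog: list Windows services whose binary does not
# carry a valid Authenticode signature, the pattern behind the 'rcores' and wpsvc.exe services
# described on this page. Run from an elevated PowerShell prompt.
# An unsigned service is a review item, not proof of adware; the report is meant to be read.

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Win32_Service.PathName is either "C:\quoted path\x.exe" -args or C:\unquoted\x.exe -args.
    if ($PathName -match '^\s*"([^"]+)"')    { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return $null
}

$simple = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

$report = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $exe = Get-ServiceBinaryPath -PathName $svc.PathName
    if (-not $exe -or -not (Test-Path -LiteralPath $exe)) {
        # A service whose binary is gone is also worth a look (e.g. a half-removed installer).
        [pscustomobject]@{
            Service = $svc.Name
            State   = $svc.State
            Binary  = $svc.PathName
            Status  = 'BinaryMissing'
            Signer  = ''
        }
        continue
    }
    $sig    = Get-AuthenticodeSignature -FilePath $exe
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.GetNameInfo($simple, $false) } else { '' }
    [pscustomobject]@{
        Service = $svc.Name
        State   = $svc.State
        Binary  = $exe
        Status  = $sig.Status    # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer  = $signer
    }
}

# Keep only what is unsigned, tampered or missing; on a clean machine this list is short.
$report | Where-Object { $_.Status -ne 'Valid' } | Sort-Object Service | Format-Table -AutoSize
```

Services like rcores or wpsvc.exe would show up here with Status NotSigned and an empty Signer, or with an unfamiliar Signer if the publisher bought a certificate, so the Signer column is worth reading even for Valid entries.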

Hope that helped you with the removal.

Do you also have RCore on your computer? Any idea how it was installed? Please let me and the readers know by posting a comment. Thanks!

Thanks for reading. Welcome back!

Remove ddl.militatesilkfrustum.com Pop-Up Ads

Morning! I was just examining some adware that I installed on my lab machine before the weekend. While playing around with it, I noticed lots of pop-ups from a web site named ddl.militatesilkfrustum.com. It showed an ad about something called “EuroMillionaireSystem”. The pop-up URL also mentioned a web site called jkc.thespatialists.com. What kind of ad appeared in the pop-up in your case?

ddl.militatesilkfrustum.com pop-up ads

Since you probably came here looking for information on how to stop these pop-ups I’ll give you some removal instructions.

The ddl.militatesilkfrustum.com pop-ups are, at least in my case, opened by the adware I had installed on my machine. To get rid of the pop-up ads I uninstalled a program called BlockAndSurf from the Add/Remove programs dialog.

Then I used the freeware FreeFixer tool to remove some other unwanted software that was not listed in the Add/Remove programs dialog. These were Browser Warden and TinyWallet. Look for these in the FreeFixer scan result. I also removed a bunch of other files with FreeFixer, located under “C:\Program Files (x86)\Bench\”:

  • bservice.exe
  • bservice64.exe
  • wd.exe
  • updater.exe
  • bhelper64.dll

These ddl.militatesilkfrustum.com pop-ups can probably be caused by other adware as well, so you might have to review the items in the scan result in more detail if the pop-ups remain after uninstalling the adware and files mentioned above.

Hope that helped you solve the ddl.militatesilkfrustum.com pop-up problem.

Any idea how you got these pop-ups on your machine?

If you needed to remove some additional software or files to stop the ddl.militatesilkfrustum.com pop-ups, please share it in the comments below to help other users in the same situation. Thank you very much!

search.sidecubes.com – Removal Instructions

Did you recently see search.sidecubes.com appear in a new tab in Chrome, Internet Explorer and Firefox? Unfortunately, you probably have some unwanted software on your machine.

search.sidecubes.com site opened in a new tab

I got the search.sidecubes.com web site installed in my browser after testing out a download that bundled lots of potentially unwanted software.

This is how I removed search.sidecubes.com:

  1. I went into the Windows Control Panel to uninstall some programs that appeared there recently. I checked the “Installed on” date, and removed SearchSnacks, VideosMediaPlayers, Browsers+Apps+1.1, Browser Warden, Search Protect and Shopop.
  2. I ran FreeFixer to clean up even more.

This fixed the search.sidecubes.com problem for me. If it did not for you, you can also try the “Reset Browser” feature that is available in Chrome, Internet Explorer and Firefox. This restores your browser to a state almost like when you first installed it.

Did this help you remove search.sidecubes.com?

Any idea how you got sidecubes.com on your machine?

How To Remove OfferBoulevard

Hello there. Found another adware called OfferBoulevard right now. OfferBoulevard seems to be a variant of Linkury. If the OfferBoulevard adware is installed on your system, you will see OfferBoulevard.exe and OfferBoulevardW.exe running in the Task Manager. I’ll show how to remove OfferBoulevard in this blog post with the FreeFixer removal tool.

OfferBoulevard.exe OfferBoulevardW.exe Task Manager

OfferBoulevard is bundled with other software. Bundling means that it is included in another software’s installer. When I first found OfferBoulevard, it was bundled with FastPlayerPro. Here’s how it appeared in the FastPlayerPro installer where I found it:

offer blvd installer

For some reason it is called Offer Blvd in the EULA.

Generally, you can avoid bundled software such as OfferBoulevard by being careful when installing software and declining the bundled offers in the installer.

When I play around with some new bundled software I always upload it to VirusTotal to check if the anti-virus scanners there detect something fishy. 10 of the 54 anti-virus scanners detected the file. ESET-NOD32 reports OfferBoulevard as a variant of MSIL/Toolbar.Linkury.H, Malwarebytes classifies it as PUP.Optional.Offer and VIPRE detects it as Adware.Linkury (fs).

OfferBoulevard.exe virustotal report

The OfferBoulevard removal with FreeFixer is pretty easy. Check all the OfferBoulevard files for removal and click fix. Here’s a few screenshots from the removal that should help you:

OfferBoulevard.exe and OfferBoulevardW.exe removal with FreeFixer

Hope this helped you remove the OfferBoulevard adware.

Any idea how OfferBoulevard was installed on your computer? Please let me and the readers know by posting a comment. Thank you very much!

Thank you for reading.

DOZ-DEKORUM LLC – 17% Detection Rate at VirusTotal

Hello! Just a quick post today, since I’m busy working with the next release of FreeFixer. Did you see a file, such as FlashPlayer_6741_i1375671586_il280.exe, on your system signed by DOZ-DEKORUM LLC? Then read on.

Typically you’d see the DOZ-DEKORUM LLC publisher name appear when double-clicking on the FlashPlayer_6741_i1375671586_il280.exe file:

DOZ-DEKORUM LLC publisher

It’s possible to view additional information about the embedded certificate by right-clicking on the file, choosing properties and then clicking on the Digital Signatures tab. According to the certificate we can see that DOZ-DEKORUM LLC is located in Kiev in Ukraine and that the certificate is issued by Thawte Code Signing CA – G2.

DOZ-DEKORUM LLC certificate

The problem here is that if FlashPlayer_6741_i1375671586_il280.exe really was an installer file for Flash Player, it should have been signed by Adobe Inc. and not by some unknown company. I think this looks suspicious.

So, what do the anti-virus programs say about the DOZ-DEKORUM LLC file? No problem, I just uploaded the file to VirusTotal and it turned out that some (17%) of the anti-virus programs detect the DOZ-DEKORUM LLC file, with names such as Generic.AF5, Adware.Downware.8818 and PUP.Optional.Amonetize.

DOZ-DEKORUM LLC virustotal report

Since some of the anti-virus programs detected the DOZ-DEKORUM LLC file, I got curious and decided to test it to see what it installed. After stepping through the installer, RegClean Pro and Wajam appeared on my computer. Did you also find a file digitally signed by DOZ-DEKORUM LLC? What kind of download was it and where did you find it?
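The two warning signs that run through these posts, a signer that is not the vendor the file name implies (DOZ-DEKORUM LLC on a FlashPlayer_*.exe) and a certificate whose validity period only just started (Click Yes, signed the day after its certificate became valid), can be checked before running an installer. The script below is an added example, not part of the original post or of FreeFixer; the file-name-to-vendor table and the 14-day age threshold are my assumptions.

```powershell
# Added example, not code from the FreeFixer blog: inspect an installer's Authenticode signature
# and flag the two warning signs discussed on this page: a signer that does not match the vendor
# the file name claims, and a certificate whose validity period only just started.
# The file-name-to-vendor table and the 14-day threshold are assumptions chosen for illustration.
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [int]$MaxCertAgeDays = 14
)

# Hypothetical table: a file name containing the key should have been signed by the value.
$ExpectedSigner = @{ 'flashplayer' = 'Adobe' }

$sig      = Get-AuthenticodeSignature -FilePath $Path
$findings = @()

if ($sig.Status -ne 'Valid') {
    $findings += "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
}

$cert = $sig.SignerCertificate
if ($null -ne $cert) {
    $simple    = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $publisher = $cert.GetNameInfo($simple, $false)   # what the UAC dialog shows as publisher
    $issuer    = $cert.GetNameInfo($simple, $true)
    $ageDays   = ((Get-Date) - $cert.NotBefore).TotalDays

    "Publisher  : $publisher"
    "Issuer     : $issuer"
    "Subject DN : $($cert.Subject)"                  # L= and C= give the claimed location
    "Valid from : $($cert.NotBefore) until $($cert.NotAfter)"

    # Click Yes case: the certificate's validity period began the day before the sample appeared.
    if ($ageDays -lt $MaxCertAgeDays) {
        $findings += "Certificate is only $([int]$ageDays) day(s) old"
    }

    # DOZ-DEKORUM LLC case: FlashPlayer_*.exe signed by someone other than Adobe.
    $name = [System.IO.Path]::GetFileName($Path).ToLowerInvariant()
    foreach ($hint in $ExpectedSigner.Keys) {
        if ($name.Contains($hint) -and ($publisher -notmatch $ExpectedSigner[$hint])) {
            $findings += "File name suggests $($ExpectedSigner[$hint]) but the signer is '$publisher'"
        }
    }
}

if ($findings.Count -eq 0) { 'No warning signs found.' }
else { $findings | ForEach-Object { "WARNING: $_" } }
```

A valid signature only tells you who paid for a certificate, which is exactly why the publisher name and the certificate age matter more than the green check mark in the UAC dialog.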

Thanks for reading.