Monthly Archives: October 2014

STMSetup – 18% Detection Rate by VirusTotal

Hello readers! Just found yet another interesting file, this time signed by STMSetup. The following screenshot shows the User Account Control dialog when running the STMSetup file:

STMSetup for Skype_Setup.exe

You can also view the certificate by right-clicking on the file and looking under the Digital Signatures tab. According to the embedded certificate, STMSetup appears to be located in Tel-Aviv, Israel, and the certificate was issued by COMODO Code Signing CA 2.

STMSetup certificate

What caught my attention was that the download was called Skype_Setup.exe. This might look like an official Skype download, but it is not. If it was an official download, it would be digitally signed by Skype Software Sarl. A valid Authenticode signature only tells you who signed the file; it says nothing about whether that signer is the vendor the file name suggests. Here's what the official Skype signature looks like:

Skype Software Sarl

So, what does VirusTotal say about Skype_Setup.exe? BehavesLike.Win32.CryptInno.bc, Install Core Click run software and InstallCore (fs) are some detection names:

STMSetup virustotal report

Did you also find an STMSetup file?

Thanks for reading.

Lampy Lighty Removal Instructions

Hello there and welcome to the FreeFixer blog. I just found another bundled adware called Lampy Lighty and thought I should give you some removal instructions. Lampy Lighty seems to be a variant of BrowseFox/AltBrowse that I’ve blogged about before. If the Lampy Lighty adware is installed on your computer, you will notice ads labeled Lampy Light Ads, something called Related Searches appearing in the left column of the browser window and new add-ons added in Internet Explorer and Mozilla Firefox. I’ll show how to remove Lampy Lighty in this blog post with the FreeFixer removal tool.

Lampy Lighty ads Lampy Lighty related searches

Lampy Lighty firefox add-on

LampyLighty is bundled with other software. Bundled means that it is included in another software’s installer. Generally, you can avoid bundled software such as Lampy Lighty by being careful when installing software and declining the bundled offers in the installer. The screenshot shows how LampyLighty was disclosed in the installer:

LampyLighty installer

As always when I find some new bundled software, I uploaded it to VirusTotal to test if the anti-virus scanners there find something fishy. 13% of the anti-malware scanners detected the file, which is in my view a pretty low detection rate. The Lampy Lighty files are detected as BrowseFox.F by AVG, Trojan.BPlug.167 by DrWeb and PUP.Optional.LampyLighty.A by Malwarebytes.

Lampy Lighty virustotal

If you would like to remove Lampy Lighty you can do so with the FreeFixer removal tool. Just select the Lampy Lighty files as the screenshots below show. You might have to restart your machine to complete the removal.

Lampy Lighty internet explorer removal Lampy Lighty firefox removal

Hope that helped you to figure out how to do the removal.

Did you also find LampyLighty on your machine? Any idea how it was installed? Please let me and the readers know by posting a comment. Thanks!

Thank you for reading and welcome back.

Webcellence Ltd. – Detected by AVG, NOD32 and DrWeb

Hi there! If you've been following me for the last year you know that I've been examining many software publishers that put a digital signature on their downloads. A few days ago I found another publisher called Webcellence Ltd.

Webcellence Ltd. UAC prompt

To get more details on the publisher, you can view the certificate by right-clicking on the file and looking under the Digital Signatures tab. According to the certificate, Webcellence Ltd. is located in Moshav Ora, Israel, and the certificate was issued by VeriSign Class 3 Code Signing 2010 CA.

Webcellence Ltd. certificate - adobe_flash_player.exe

The reason I'm writing this blog post is that the Webcellence Ltd. file is detected by a few of the anti-virus programs at VirusTotal. DrWeb classifies adobe_flash_player.exe as Trojan.MulDrop5.38502 and ESET-NOD32 calls it a variant of Win32/InstallCore.QD.

Webcellence Ltd virustotal

Although the file is named adobe_flash_player.exe, it is not the official download for the Adobe Flash Player. The real Flash Player installer is digitally signed by Adobe, not by Webcellence Ltd.

Did you also find a Webcellence Ltd. file? Do you remember the download link? Please post it in the comments below and I'll upload it to VirusTotal to see if that one is also detected.

Thank you for reading.

ICS Setup – 16% Detection Rate By VirusTotal

Hello! Just a quick post on a file named ChromeSetup.exe signed by ICS Setup before calling it a day. This is how the publisher appears in the User Account Control dialog when running the file:

ICS Setup

To get more details on the publisher, you can view the certificate by right-clicking on the file, and looking under the Digital Signatures tab. According to the certificate we can see that ICS Setup seems to be located in Tel-Aviv, Israel and that the certificate is issued by COMODO Code Signing CA 2.

ICS Setup certificate
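The three posts above (STMSetup's Skype_Setup.exe, Webcellence Ltd.'s adobe_flash_player.exe and ICS Setup's ChromeSetup.exe) all come down to the same check: the file is signed, and the signature chains to a real CA, but the signer is not the vendor the file name implies. The following PowerShell script automates that check. It is an added example and not code from the FreeFixer blog; the Skype Software Sarl expectation comes from the STMSetup post, while the Google, Adobe and Oracle entries are assumptions that you should replace with the subject name you read from a known-good installer.

```powershell
# Added example, not code from the FreeFixer blog. Reports who actually signed a
# downloaded installer and compares that with the publisher the file name implies.
# Assumes Windows PowerShell 5.1 or later. Only the Skype entry below is taken from
# the blog post; the other three are assumptions.

$ExpectedPublisher = @{
    'skype'  = 'Skype Software Sarl'   # from the STMSetup post
    'chrome' = 'Google'                # assumption
    'flash'  = 'Adobe'                 # assumption
    'java'   = 'Oracle'                # assumption
}

function Test-InstallerSigner {
    param([Parameter(Mandatory)] [string] $Path)

    $name = Split-Path -Path $Path -Leaf
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    # SimpleName gives the CN (the name shown in the UAC prompt) without the rest of the DN.
    $subject = if ($cert) { $cert.GetNameInfo('SimpleName', $false) } else { $null }
    $issuer  = if ($cert) { $cert.GetNameInfo('SimpleName', $true)  } else { $null }

    # Which product does the file name claim to be? First matching keyword wins.
    $claimed  = $ExpectedPublisher.Keys | Where-Object { $name -match $_ } | Select-Object -First 1
    $expected = if ($claimed) { $ExpectedPublisher[$claimed] } else { $null }

    # Note the order: a COMODO- or VeriSign-issued certificate gives Status 'Valid',
    # so the signer name must be compared separately from the chain check.
    $verdict = if (-not $cert) { 'UNSIGNED' }
               elseif ($sig.Status -ne 'Valid') { "INVALID SIGNATURE ($($sig.Status))" }
               elseif (-not $expected) { 'SIGNED (no expectation for this file name)' }
               elseif ($subject -like "*$expected*") { 'OK' }
               else { "MISMATCH: file name suggests $expected, signed by $subject" }

    [pscustomobject]@{
        File    = $name
        Status  = $sig.Status
        Subject = $subject
        Issuer  = $issuer
        Expires = if ($cert) { $cert.NotAfter } else { $null }
        Verdict = $verdict
    }
}

# Check every executable in the Downloads folder.
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter *.exe |
    ForEach-Object { Test-InstallerSigner -Path $_.FullName } |
    Format-Table -AutoSize
```

Run it against the files from these posts and the Status column reads Valid for all of them: the certificates are genuine and chain to trusted roots. The Verdict column is where the problem shows, because the Subject is STMSetup, Webcellence Ltd. or ICS Setup rather than the vendor named in the file. A MISMATCH verdict is a reason to stop and look at the file, not proof of malice, and an OK verdict only holds if your expected-publisher table was filled in from installers you trust.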

9 of the anti-virus scanners detected the file. Some of the detection names for the ChromeSetup.exe file are W32/InstallCore.AC.gen!Eldorado, BehavesLike.Win32.CryptInno.bc and InstallCore.b (fs).

ICS Setup virustotal

Did you also find an ICS Setup file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thank you for reading.

SearchSnacks Removal Instructions

Hello there. Today I wanted to talk about an adware called SearchSnacks and give you some removal instructions. If the Search Snacks Adware is installed and running on your system, you will see new add-ons in your web browsers and sssvc.exe running in the Windows Task Manager. You will also see ads labeled “brought by Search Snacks” and “Powered by SearchSnacks”. I’ll show how to remove Search Snacks in this blog post with the FreeFixer removal tool.

brought by searchsnacks powered by searchsnacks

ads by SearchSnacks


Search Snack 1.9.0.8 firefox add-on sssvc.exe and Search Snacks in the task manager

SearchSnacks is bundled with a number of downloads. Bundling means that software is included in other software's installers. When I first found SearchSnacks, it was bundled with a software called FastPlayerPro. Here's one example of how it appears in the FastPlayerPro installer.

searchsnacks disclosure when bundling

This screenshot also clearly explains that Search Snacks is adware.

When I mess around with some new bundled software I normally upload it to VirusTotal to test if the anti-malware scanners there find anything. 20% of the scanners detected the file. Some of the detection names for SearchSnacks are Adware.Vitruvian.B, a variant of Win32/AdWare.Vitruvian.D and InfoAtoms (fs).

searchsnacks virustotal

If you would like to remove SearchSnacks you can do so with the freeware FreeFixer tool. Select the SearchSnacks files for removal in FreeFixer, click Fix, restart your machine and the problem will be gone. Here are a few screenshots to point you in the right direction:

searchsnacks sssvc.exe process removal searchsnacks sssvc.exe service removal Search Snacks firefox add-on removal with freefixer

Hope this helped you solve the SearchSnacks problem.

Any idea how SearchSnacks was installed on your machine? Please let me and the readers know by posting a comment. Thank you!

Thanks for reading. Welcome back!

How To Remove BrowsersApp_Pro_v1.1

Hello there and welcome to the FreeFixer blog. Just a quick post on the BrowsersApp_Pro_v1.1 adware. This appears to be a variant of CrossRider that I’ve previously written about. If the BrowsersApp_Pro_v1.1 adware is installed on your computer, you will find ads labeled Ad by BrowsersApp_Pro_v1.1 while browsing the web, new add-ons added in your web browsers and new files, digitally signed by Numlock Apps, on the hard-drive. I’ll show how to remove BrowsersApp_Pro_v1.1 in this blog post with the FreeFixer removal tool.

BrowsersApp_Pro_v1.1 0.95.11 firefox add-on

BrowsersApp_Pro_v1.1 ads inserted into web page ad by BrowsersApp_Pro_v1.1 pop-up

BrowsersApp_Pro_v1.1 is bundled with other software. Bundled means that it is included in another software’s installer.

Generally, you can avoid bundled software such as BrowsersApp_Pro_v1.1 by being careful when installing software and declining the bundled offers in the installer.

When I play around with some new bundled software I always upload it to VirusTotal to check if the anti-malware scanners there find anything suspicious. 6 of the 54 scanners detected the file. The BrowsersApp_Pro_v1.1 files are detected as PUP/Win32.CrossRider by AhnLab-V3, PUP.Optional.BrowserApp.A by Malwarebytes and Crossrider (fs) by VIPRE.

BrowsersApp_Pro_v1.1-bho.dll virustotal. File signed by Numlock Apps

If you want to remove BrowsersApp_Pro_v1.1 with FreeFixer, these are the files you should check for removal. A restart of your computer might be required to complete the removal.

BrowsersApp_Pro_v1.1 tasks removal in FreeFixer BrowsersApp_Pro_v1.1 firefox extension removal BrowsersApp_Pro_v1.1 bhos removal
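The SearchSnacks and BrowsersApp_Pro_v1.1 posts above point at the same three persistence spots: a Windows service (sssvc.exe), scheduled tasks, and Internet Explorer Browser Helper Objects, backed by files signed by a publisher you have never heard of. The script below, an added example and not FreeFixer's own code, inventories those three spots and prints the Authenticode signer of each backing binary, so that entries signed by the likes of Numlock Apps stand out next to the Microsoft-signed ones. It assumes an elevated Windows PowerShell session on Windows 8 / Server 2012 or later (for Get-ScheduledTask); the registry paths are the standard BHO and COM registration keys, and the Wow6432Node variants are only present on 64-bit Windows.

```powershell
# Added example, not code from the FreeFixer blog. Lists IE Browser Helper Objects,
# Windows services and scheduled tasks together with the Authenticode signer of the
# file each one runs. Assumes an elevated session on Windows 8 / Server 2012 or later.

function Resolve-CommandPath {
    # Pull the executable out of a service or task command line, e.g.
    #   "C:\Program Files\Foo\sssvc.exe" -service     or     %SystemRoot%\system32\svchost.exe -k netsvcs
    param([string] $CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    # Unquoted paths may contain spaces: grow the candidate token by token until it exists on disk.
    $tokens = $cmd -split ' '
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]
}

function Get-SignerName {
    param([string] $Path)
    if (-not $Path) { return '<no path>' }
    # Bare names such as cmd.exe are resolved through PATH, as the task scheduler would.
    if (-not [IO.Path]::IsPathRooted($Path)) {
        $found = Get-Command $Path -ErrorAction SilentlyContinue
        if ($found) { $Path = $found.Source }
    }
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return '<file missing>' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.SignerCertificate) {
        '{0} [{1}]' -f $sig.SignerCertificate.GetNameInfo('SimpleName', $false), $sig.Status
    } else {
        '<unsigned>'
    }
}

function Get-PersistenceInventory {
    $items = New-Object System.Collections.Generic.List[object]
    function Add-Entry($Type, $Name, $Path) {
        $items.Add([pscustomobject]@{ Type = $Type; Name = $Name; Path = $Path; Signer = Get-SignerName $Path })
    }

    # Browser Helper Objects are registered by CLSID; the DLL path lives under the CLSID's InprocServer32 key.
    $bhoRoots = @(
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Classes = 'HKLM:\SOFTWARE\Classes\CLSID' },
        @{ Key = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Classes = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' }
    )
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path $root.Key)) { continue }
        foreach ($entry in Get-ChildItem $root.Key) {
            $clsid  = $entry.PSChildName
            $server = Get-ItemProperty -Path "$($root.Classes)\$clsid\InprocServer32" -ErrorAction SilentlyContinue
            $dll    = if ($server) { [Environment]::ExpandEnvironmentVariables($server.'(default)') } else { $null }
            Add-Entry 'BHO' $clsid $dll
        }
    }

    # Services: PathName is the full command line, so strip quotes and arguments first.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        Add-Entry 'Service' $svc.Name (Resolve-CommandPath $svc.PathName)
    }

    # Scheduled tasks: one entry per action that launches something.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if ($action.Execute) {
                Add-Entry 'Task' ($task.TaskPath + $task.TaskName) (Resolve-CommandPath $action.Execute)
            }
        }
    }
    return $items
}

# Show everything that is not signed by Microsoft.
Get-PersistenceInventory |
    Where-Object { $_.Signer -notmatch '^Microsoft' } |
    Sort-Object Type, Name |
    Format-Table -AutoSize
```

The filter on the last lines is a triage aid, not a verdict: plenty of legitimate software ships unsigned services and tasks, and the adware in these posts is signed with a perfectly valid certificate. What the output gives you is the short list of services, tasks and BHOs whose signer you should be able to name, with the file path to feed into VirusTotal or FreeFixer for the ones you cannot.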

Hope this helped you remove the BrowsersApp_Pro_v1.1 adware.

Did you also find BrowsersApp_Pro_v1.1 on your computer? Any idea how it was installed? Please let me and the readers know by posting a comment. Thank you!

Thanks for reading. Welcome back!

Update 2014-11-05: The BrowsersApp_Pro_v1.1 adware is still distributed through bundling. The files are now signed by Railroad Party Apps as you can see in the screenshot below. The Railroad Party Apps company appears to be located in Nicosia, Cyprus.

Railroad Party Apps


Remove Web Finder Pro

Welcome! Did you just find something called Web Finder Pro on your computer? If Web Finder Pro is running on your system, you will see a new add-on, called Web Finder Pro 0.1, added in Mozilla Firefox. I'll show how to remove Web Finder Pro in this blog post with the FreeFixer removal tool.

Web Finder Pro 0.1 in Mozilla Firefox

Web Finder Pro is bundled with other software. Bundled means that it is included in another software’s installer. However, I could not see any disclosure in the installer that Web Finder Pro 0.1 would be installed. Perhaps I did not review the licenses displayed during installation enough to find it.

Generally, you can avoid bundled software such as Web Finder Pro by being careful when installing software and declining the bundled offers in the installer.

If you would like to remove Web Finder Pro you can do so with the freeware FreeFixer tool. Select the Web Finder Pro files for removal in FreeFixer, click Fix, restart your computer and the problem will be gone. Here’s a screenshot to point you in the right direction:

web finder pro

Hope that helped you with the removal.

I stumbled upon Web Finder Pro while testing out some downloads that are known to bundle lots of unwanted software. Any idea how you got Web Finder Pro on your computer? Please let me and the readers know by posting a comment. Thanks!

Thank you for reading.

How To Remove The Framed Display Adware

Just wanted to write a short post before calling it a day. Stumbled upon the Framed Display adware. Framed Display appears to be a variant of AltBrowse/BrowseFox. If the Framed Display adware is running on your machine, you will see various types of advertisements, according to the Framed Display EULA. However, for some reason I don't see any ads. Do you? If you got this on your machine, you will also notice it in the browser's add-on menu. For example, here's Framed Display in Firefox:

framed display 1.0.1 firefox

Framed Display is bundled with a number of downloads. Bundling means that software is included in other software's installers. Here's one example of how it appears in an installer for an unrelated program.

framed display disclosure

When I find some new bundled software I usually upload it to VirusTotal to check if the anti-malware scanners there detect something interesting. 20% of the anti-virus scanners detected the file. The Framed Display files are detected as BrowseFox.F by AVG, PUP.Optional.FramedDisplay.A by Malwarebytes and Artemis!032AA150BDFB by McAfee.

framed display virustotal

So, how about the Framed Display removal? You can remove Framed Display with the FreeFixer removal tool. Just select the Framed Display files as the screenshots below show. A restart of your machine might be required to complete the removal.

framed display firefox extension FramedDisplaybho.dll in internet explorer

Hope that helped you to figure out how to do the removal.

I found Framed Display while testing out some downloads that are known to bundle lots of unwanted software. Any idea how you got Framed Display on your computer? Please share your story in the comments below. Thank you very much!

Hope you found this useful. Thanks for reading.

InstallationSafe – 15% Detection Rate – Detected as AdGazelle

Was looking for some downloads to play around with and found one, digitally signed by InstallationSafe, that claimed "Your Java version may be outdated" in an attempt to get me to install something other than the official Java download.

InstallationSafe publisher in the UAC dialog

InstallationSafe fake java installer

The InstallationSafe download is distributed from fugupdates101 dot com. Some of the anti-virus programs are detecting the InstallationSafe file. The detection rate is 15%. AdGazelle is one of the detection names.

InstallationSafe virustotal report - AdGazelle

Did you also find a download that was digitally signed by InstallationSafe? What kind of download was it and was it detected by the anti-virus programs at VirusTotal? Please share by posting a comment.

Thank you for reading.