Monthly Archives: November 2014

SVAN TRANS LLC – 25% Detection Rate

Hi there! Just wanted to give you the heads-up on a suspicious file I found right now before having my lunch. The file is named FlashPlayer__6741_i1404957756_il13.exe and digitally signed by SVAN TRANS LLC.

SVAN TRANS LLC publisher

You can also see the SVAN TRANS LLC certificate by looking under the Digital Signature tab on the file’s properties. According to the certificate, SVAN TRANS LLC is located in Kiev, Ukraine.

SVAN TRANS LLC certificate

The issue is that FlashPlayer__6741_i1404957756_il13.exe is not an official Flash Player download. If it was, it would be digitally signed by Adobe Systems Incorporated, and not by some unknown company from Ukraine.
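The publisher check described above can be scripted. This PowerShell sketch is an added example, not part of the original post; the function name `Test-ClaimedPublisher` and the Downloads folder in the usage line are assumptions, and the expected publisher string is the one named in the post.

```powershell
# Added example: compare a file's Authenticode signer with the publisher
# the file name implies. Function name and sample path are assumptions.
function Test-ClaimedPublisher {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$Path,

        [Parameter(Mandatory)]
        [string]$ExpectedPublisher
    )
    process {
        $sig  = Get-AuthenticodeSignature -LiteralPath $Path
        $cert = $sig.SignerCertificate

        # Simple name of the signing certificate (the publisher shown in the UAC dialog)
        $signer = if ($cert) {
            $cert.GetNameInfo(
                [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName,
                $false)
        } else { $null }

        # A valid signature and the expected publisher are two separate questions
        $verdict = if ($sig.Status -eq 'NotSigned')   { 'Unsigned' }
                   elseif ($sig.Status -ne 'Valid')   { "BadSignature ($($sig.Status))" }
                   elseif ($signer -ne $ExpectedPublisher) { 'ValidButWrongPublisher' }
                   else                               { 'PublisherMatches' }

        [pscustomobject]@{
            File    = Split-Path -Leaf $Path
            Verdict = $verdict
            Signer  = $signer
            Subject = if ($cert) { $cert.Subject } else { $null }  # includes locality/country
        }
    }
}

# Usage: every download that calls itself Flash Player should be signed by Adobe
Get-ChildItem "$env:USERPROFILE\Downloads" -Filter 'FlashPlayer*.exe' |
    Test-ClaimedPublisher -ExpectedPublisher 'Adobe Systems Incorporated'
```

A `Valid` status only means the signature chains to a trusted root and the file has not been modified since signing; it says nothing about who the publisher is, which is why the name comparison is a separate step.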

25% of the scanners detected the file. The FlashPlayer__6741_i1404957756_il13.exe file is detected as PUA.Amonetize! by Agnitum, Gen:Variant.Application.Jaik by F-Secure and PUP.Optional.Amonetize by Malwarebytes. Thanks to VirusTotal for the scan report.

svan trans llc virustotal

Since some of the anti-virus programs detected the SVAN TRANS LLC file, I got curious and decided to test it to see what it installed. After stepping through the installer, Salus Net Protector, RocketTab and My Start Search were disclosed.

SVAN TRANS Salus SVAN Trans Rockettab

Did you also find an SVAN TRANS LLC file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thanks for reading.

Skype Packages – Not part of Skype

If you see something called Skype Packages on your machine and wonder what it is, I just want to let you know that it’s not part of the official Skype download. It was installed by an unofficial Skype download that was signed by Astro Delivery.

I think you should remove Skype Packages.

Skype Packages

I’d also recommend a scan with FreeFixer to check if you got some other types of unwanted programs running on your machine.

Remove Vosteran.com and Vosteran.exe

Hello hello. Found another startpage modifier named Vosteran right now. If you got Vosteran on your computer, you will see start pages in Chrome, Firefox and Internet Explorer changed to Vosteran.com, and lots of Vosteran.exe processes running in the Windows Task Manager. Vosteran.exe appears to be a custom build of the Chrome browser! You’ll also see add-ons and new search providers installed in Internet Explorer and Mozilla Firefox. I’ll show how to remove Vosteran in this blog post with the FreeFixer removal tool.

Here’s the vosteran.com start page in Firefox:

vosteran.com web site

and the new add-ons called Vosteran 2.3.0 and Vosteran Search 1.0.2:

Vosteran Search Firefox add-on

If you check the Task Manager, you’ll see a bunch of vosteran.exe processes running:

vosteran.exe task manager

When I uploaded vosteran.exe to VirusTotal, none of the anti-virus programs there detected the file.

Vosteran is bundled with other software. Bundled means that it is included in another software’s installer. When I first found Vosteran, it was bundled with an unofficial Skype download which was digitally signed by Astro Delivery.

Generally, you can avoid bundled software such as Vosteran by being careful when installing software and declining the bundled offers in the installer.

Since you probably want to remove Vosteran, these are the files you should check for removal if you want to remove it with FreeFixer. You may have to restart your system to complete the removal.

vosteran.exe process remove vosteran.com remove internet explorer vosteran.com remove firefox vosteran search remove firefox

Hope this helped you remove the Vosteran start page modifier and vosteran.exe. If some of the Vosteran.com stuff remains in your browser, you can try the reset feature in your browsers to reset your browser to a state that is almost the same as when you installed it for the first time.

Any idea how you got Vosteran on your system? Please share by posting a comment. Thank you very much!

Hope you found this useful and thank you for reading.

WindowsMangerProtect / WindowsProtect – Removal Instructions

Just another short post before going back to coding. Today I wanted to talk about a bundled program called WindowsMangerProtect / WindowsProtect and thought I should give you some removal instructions. If you got WindowsMangerProtect / WindowsProtect installed on your machine, you will find ProtectWindowsManager.exe running in the Windows Task Manager and an entry in the Uninstall Programs list named WindowsMangerProtect20.0.0.1270 by WindowsProtect LIMITED. You will also see a new Windows Service installed on your machine.

I’ll show how to remove WindowsMangerProtect / WindowsProtect in this blog post with the FreeFixer removal tool.

ProtectWindowsManager.exe task manager

WindowsMangerProtect / WindowsProtect is distributed by a tactic called bundling. Bundling means that a piece of software is included in other software’s installers. Often, you can avoid bundled software such as WindowsMangerProtect / WindowsProtect by being careful when installing software and declining the bundled offers in the installer.

As always when I stumble upon some new bundled software, I uploaded it to VirusTotal to see if the anti-virus scanners there detect anything interesting. Only 5% of the scanners detected the file. Baidu-International detects WindowsMangerProtect / WindowsProtect as Adware.Win32.Elex.sig, Malwarebytes classifies it as PUP.Optional.WPM.A and McAfee-GW-Edition reports BehavesLike.Win32.DunDun.gh. I think the other anti-virus scanners will catch up in a few days.

WindowsProtectManager virustotal

So, how about the WindowsMangerProtect / WindowsProtect removal? All you need to do to remove WindowsMangerProtect / WindowsProtect is to check the WindowsMangerProtect / WindowsProtect file, that is ProtectWindowsManager.exe, in the scan result and click the Fix button. You might have to reboot your computer to complete the removal. Here are a few screenshots that should help you along the way:

ProtectWindowsManager.exe remove WindowsMangerProtect service remove

Hope this helped you solve the WindowsMangerProtect / WindowsProtect problem.

I stumbled upon WindowsMangerProtect / WindowsProtect while testing out some downloads that are known to bundle lots of unwanted software. Any idea how WindowsMangerProtect / WindowsProtect was installed on your system? Please share your story in the comments below. Thank you!

Hope you found this useful and thank you for reading.

What is 337 Games and 337Games.exe?

Welcome! Found a program called 337 Games this morning. If you got 337 Games on your computer, you will notice a 337 Games icon on the desktop, a 337 Games icon on the task bar and 337Games.exe installed in the Roaming directory on your machine. If 337 Games showed up unexpectedly on your machine, it might have been bundled with another program.

337 Games icon

Nothing happened when I double-clicked on the icon.

337 Games is distributed by a strategy called bundling. Bundling means that a piece of software is included in other software’s installers. Generally, you can avoid bundled software such as 337 Games by being careful when installing software and declining the bundled offers in the installer.

When I find some new bundled software I always upload it to VirusTotal to verify if the anti-viruses there find anything. Only one anti-virus scanner detected the file: Baidu-International detects 337 Games as Adware.Win32.Elex.sig.

337Games.exe virustotal

If you came here looking for removal instructions for 337 Games, you can do so from the Windows Control Panel.

337 GAMES uninstall

If that did not work, you can uninstall it with the FreeFixer removal tool. Just select the 337 Games file as the screenshot below shows. A restart of your computer might be required to complete the removal.

337Games.exe remove

Hope that helped you with the removal.

Do you also have 337 Games on your machine? Any idea how it installed? Please share your story in the comments below. Thanks!

Thanks for reading!

R2D2 Tech Software LLC – 27% Detection Rate – Eldorado/InstallBrain

Hi there! Just a note post this morning on a publisher called R2D2 Tech Software LLC. The R2D2 Tech Software LLC download – CodecPerformerSetup.exe – was detected when I uploaded it to VirusTotal. Did you also find a download by R2D2 Tech Software LLC? Was it also detected when you uploaded it to VirusTotal?

R2D2 Tech Software publisher in the UAC dialog

If you have an R2D2 Tech Software LLC file on your machine you may have noticed that R2D2 Tech Software LLC is displayed as the publisher in the UAC dialog when double-clicking on the file. Viewing the certificate information is also possible by looking under the digital signature tab for the file. Here the certificate says that R2D2 Tech Software LLC is located in Beaverton, Oregon, USA.

R2D2 Tech Software certificate shows the publisher is from the US

So, why am I writing about the R2D2 Tech Software LLC file? Check out what the anti-virus scanners report about the file:

R2D2 Tech Software LLC VirusTotal - InstallBrain, Eldorado

F-Prot reports CodecPerformerSetup.exe as W32/A-3442f84d!Eldorado, Qihoo-360 classifies it as Malware.QVM06.Gen and VIPRE detects it as InstallBrain (fs). These are a few of the detection names for CodecPerformerSetup.exe.

Did you also find an R2D2 Tech Software LLC file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thank you for reading.

Remove ami.coupplayoffgame.com Pop-Up Ads

Getting pop-up ads from ami.coupplayoffgame.com? Do the pop-ups bypass Firefox’s, Chrome’s and Internet Explorer’s pop-up blockers? Do the ami.coupplayoffgame.com popups appear on sites that normally don’t show any pop-ups? Most likely, you have some adware installed and running on your machine. On the computer where I got these pop-ups I had Safer-Surf, SmarterOnes and Support 1.80 installed. I removed these with FreeFixer and the problem was solved.

Here’s what the ami.coupplayoffgame.com pop-up looked like:

ami.coupplayoffgame.com pop-up ad in Firefox

Sorry for the silly use of watermarks in the screenshot, but if I don’t do that, the screenshots always show up at some copy-cat blogs 🙂

In my case, the adware responsible for the ami.coupplayoffgame.com pop-ups was SaferSurf, since the pop-up was labeled with the adware name. What name appeared in your pop-up?

Ads by SaferSurf

So, how do you remove the ami.coupplayoffgame.com pop-ups? I would do it like this:

  1. First I’d check the Add/Remove programs dialog in the Windows Control Panel. Do you find some adware there? Uninstall it.
  2. Then I would check the browser’s add-on menu. Does something suspicious show up? Uninstall it.
  3. If that did not help, you can try the FreeFixer removal tool which is designed to manually track down and remove unwanted software. If you have difficulty determining if some files in FreeFixer’s scan result are legit or malware, try the More Info link which will show a VirusTotal report for the file.

More Info links in FreeFixer.

Did you find this blog post useful? Please let me know by posting a comment.

Thanks for reading!

How To Remove BrowseStudio Adware

Just wanted to put up a short blog post before going back to coding. This is about an adware called BrowseStudio which appears to be a variant of CrossRider that I’ve previously blogged about many many times before. If the BrowseStudio adware is installed and running on your system, you will notice new add-ons installed in Mozilla Firefox and Internet Explorer called “BrowseStudio 1.0.1“. It did not install into Chrome. I was also expecting to see some BrowseStudio ads, but did not. Do you see some ads on your machine? I’ll show how to remove BrowseStudio in this blog post with the FreeFixer removal tool.

BrowseStudio 1.0.1 in Firefox' Add-on menu

So, how did Browse Studio install on your machine? It was probably bundled with some download that you installed recently. Bundling means that software is included in other software’s installers. When I first found Browse Studio, it was bundled with “Google Chrome”. This was not the official Google Chrome download, but an unofficial download which was signed by a company called Advertiso GmbH.

Generally, you can avoid bundled software such as BrowseStudio by being careful when installing software and declining the bundled offers in the installer.

As usual when I play around with some new bundled software, I uploaded it to VirusTotal to see if the anti-malware programs there find something suspicious. Of the 54 anti-virus scanners, 10 detected the file. The BrowseStudio files are detected as BrowseFox.F by AVG, Trojan.BPlug.167 by DrWeb and AdWare.LinkSwift by VBA32.

BrowseStudio virustotal

Removing BrowseStudio is pretty straightforward with FreeFixer. Here are a few screenshots that should help you along the way. A restart of your machine may be required to complete the removal.

How to remove BrowseStudio from Internet Explorer How to remove BrowseStudio from firefox

Hope this helped you remove the BrowseStudio adware.

Any idea how BrowseStudio was installed on your machine? Please share by posting a comment. Thank you!

Thank you for reading.