Monthly Archives: November 2014

wkj.datropy.com Web Forgery Says Mozilla

If you’ve been following this blog for the last week, you know that I’ve been posting about pop-ups such as enh.guzzlepraxiscommune.com and aal.coupmatch.com. The good news is that Mozilla Firefox is now blocking wkj.datropy.com as a Web Forgery.

wkj.datropy.com web forgery says mozilla when loading the awl.coupmatch.com pop-up

If you get pop-ups like this one, you most likely have some adware on your machine. Check out the two links above for more info on how to track down and remove the adware.

Happy adware hunting! Please let me know which adware you had to remove to stop these pop-ups.

Update: Safari on my Mac is now reporting wkj.datropy.com as a suspected phishing site.

wkj.datropy.com -warning suspected phishing site

Thanks for reading!

How To Scan a File for Viruses with VirusTotal

If this is the first time you’ve heard of VirusTotal.com, add it to your bookmarks right away. VirusTotal is an online service where you can upload a file and have more than 50 anti-virus programs scan it for various types of malware. This is quite useful when you have downloaded something and are not confident the file is safe.

Here’s a quick demonstration on how to upload and scan a file at VirusTotal.

  1. Open your browser and go to www.virustotal.com. It will look something like this:
    virustotal front page
  2. Click on the Choose File button and browse to the file that you want to scan. When you’ve found the file, click Open.
    browse file dialog
  3. Then click the Scan it! button to start the scan.
    virustotal-scan-it-button
  4. After a few minutes the scan is usually complete. The file I chose to scan, tv.exe, is detected as malware by 8 of the 53 anti-virus scanners, as you can see in the screenshot below. The scan result also shows the detection names. Some of the anti-virus programs call the tv.exe file “Cyberservice” and “DownloadGuide”.

    virustotal scan report
    The scan report. Click for full size.

Another cool thing about VirusTotal is its free API, which allows websites such as this one to upload samples and have the anti-virus programs scan them. Thanks to this excellent API I can show scan results for files in FreeFixer’s library. Here’s an example of a scan result from freefixer.com for an adware file called PennyBeeW.exe:

PennyBeeW.exe virustotal report
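Here is what that API flow looks like from a script. This is an added example written for this page, not code from the blog or from VirusTotal, and it makes a few assumptions: the current v3 API at https://www.virustotal.com/api/v3, an API key in the VT_API_KEY environment variable, and PowerShell 7 (the multipart -Form upload is not available in Windows PowerShell 5.1). It looks the file up by SHA-256 first, which is the check a practitioner wants: a hash lookup discloses nothing about the file itself, and only an unknown hash triggers an upload. The summary comes back in the same “8 of 53” form as the screenshot above, together with the per-engine detection names.

```powershell
# Added example, not code from the FreeFixer blog. Looks a file up on VirusTotal
# by SHA-256 and returns a detection summary in the "8 of 53" style used above.
# Assumptions: VirusTotal public API v3, API key in $env:VT_API_KEY, PowerShell 7+.

function Get-VirusTotalVerdict {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ApiKey = $env:VT_API_KEY
    )
    if (-not $ApiKey) { throw 'Set VT_API_KEY to your VirusTotal API key first.' }
    $headers = @{ 'x-apikey' = $ApiKey }
    $base    = 'https://www.virustotal.com/api/v3'

    # Hash first: a lookup by SHA-256 reveals nothing about the file's contents,
    # and most samples are already known, so usually no upload is needed at all.
    $sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()
    try {
        $report = Invoke-RestMethod -Uri "$base/files/$sha256" -Headers $headers
    }
    catch {
        # Anything other than 404 (hash unknown) is a real error: bad key, rate limit, network.
        if ($_.Exception.Response.StatusCode -ne 404) { throw }

        # Unknown to VirusTotal: upload the sample, then poll until the analysis finishes.
        Write-Host "Hash not found, uploading $Path ..."
        $upload = Invoke-RestMethod -Uri "$base/files" -Headers $headers -Method Post `
                      -Form @{ file = Get-Item -Path $Path }
        for ($i = 0; $i -lt 20; $i++) {
            Start-Sleep -Seconds 15
            $analysis = Invoke-RestMethod -Uri "$base/analyses/$($upload.data.id)" -Headers $headers
            if ($analysis.data.attributes.status -eq 'completed') { break }
        }
        $report = Invoke-RestMethod -Uri "$base/files/$sha256" -Headers $headers
    }

    $attrs   = $report.data.attributes
    $stats   = $attrs.last_analysis_stats          # malicious, suspicious, undetected, harmless, ...
    $flagged = $stats.malicious + $stats.suspicious
    $total   = ($stats.PSObject.Properties | Measure-Object -Property Value -Sum).Sum

    # Engine-by-engine names such as "Malwarebytes: PUP.Optional.DomaIQ". These are what
    # tell you whether the hits are a bundler/adware family or something more serious.
    $detections = $attrs.last_analysis_results.PSObject.Properties |
        Where-Object { $_.Value.category -in 'malicious', 'suspicious' } |
        ForEach-Object { '{0}: {1}' -f $_.Name, $_.Value.result }

    [pscustomobject]@{
        File          = Split-Path -Leaf $Path
        Sha256        = $sha256
        Flagged       = $flagged
        Engines       = $total
        DetectionRate = [math]::Round(100 * $flagged / [math]::Max($total, 1))
        Detections    = $detections
        Permalink     = "https://www.virustotal.com/gui/file/$sha256"
    }
}

# Usage (illustrative path):
# Get-VirusTotalVerdict -Path 'C:\Users\me\Downloads\tv.exe'
```

The detection rate is computed from malicious plus suspicious verdicts over all engines that returned a result, which is the same ratio the blog posts quote as a percentage. A low rate with names like PUP, Adware or Bundler is the typical profile of the bundled installers discussed on this page; treat the engine names, not the bare count, as the signal.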

Thank you for reading.

Li Mo Publisher – 22% Detection Rate at VirusTotal

Welcome! Lately I’ve been looking at the digital signatures of the files that push various types of unwanted programs. This morning I found a new file called w3i_webssearches.exe, digitally signed by Li Mo.

Li Mo Publisher

You can see who the signer is when you double-click an executable file: Li Mo appears in the Publisher field of the dialog that pops up. It is also possible to check a digital signature by looking at the file’s properties. Here’s a screenshot of the Li Mo certificate.

Li Mo Certificate

At the moment, 22% of the scanners detected the file. The w3i_webssearches.exe file is detected as Riskware.Agent! by Agnitum, PUP/Win32.SearchHijacker by AhnLab-V3, PUA.Win32.LiMo.bA by Baidu-International, Adware.Mutabaha.80 by DrWeb and Win32.Application.Elex.E by GData.

Li Mo VirusTotal

Did you also find a file digitally signed by Li Mo? What kind of download was it and where did you find it?

Thank you for reading.

Remove aal.coupmatch.com Pop-Up Ads

Just wanted to let you know about the aal.coupmatch.com pop-ups. If you see these ads, you most likely have some adware on your machine that launches them.

aal.coupmatch.com pop-up

I’m in a hurry, so please bear with this short post. Here’s my suggested removal for the aal.coupmatch.com pop-up ads.

1. Examine the programs installed on your machine in the Add/Remove Programs dialog in the Windows Control Panel. Uninstall any adware you find.

2. Go through the add-ons installed in your browser. If you find some adware, remove it.

3. If that did not help, you can use FreeFixer to manually track down the adware files that opened the aal.coupmatch.com pop-up. Tip: Use the More Info links to open a VirusTotal report for a particular file in the scan result.

freefixer-more-info-blockandsurf
The More Info links. Click for full size

Did you find some adware on your machine? Please post the name of the adware in the comments below to help other users with the aal.coupmatch.com popup problem.

On my machine, the adware responsible for the aal.coupmatch.com pop-up was called Safer-Surf.

Thank you for reading!

Ads By new_player – Removal Instructions

Hello readers. This will be a short post on some ads labeled “Ads By new_player”. The four images in the ads are labeled “Buzzwok”.

Ads By new_player

I found these ads after installing a download that I knew bundled lots of adware. After uninstalling everything that came bundled with the download, except an adware program called Host Secure, the “Ads By new_player” still remained. So that’s the one responsible for the ads. You can find more info on how to remove HostSecure here.

Did that help you with the removal?

Volvan Premium SL – 28% Detection Rate

Welcome! I was looking for some downloads to play around with and found one, digitally signed by Volvan Premium SL. The file is named google_chrome.exe.

Volvan Premium SL publisher

To view more information about the embedded certificate you can right-click on the file, choose Properties and then select the Digital Signatures tab. The embedded certificate shows that Volvan Premium SL is located in Barcelona, Spain and that the certificate was issued by VeriSign Class 3 Code Signing 2010 CA.

Volvan Premium SL certificate

The problem here is that if google_chrome.exe really was a setup file for Google, it would be digitally signed by Google Inc and not by some unknown company. This looks very suspicious.
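The check this paragraph describes can be automated so that the signer’s name, and not just the presence of a valid signature, is compared with the publisher you expected. The following PowerShell function is an added example for this page, not code from the blog or from FreeFixer. It relies only on the built-in Get-AuthenticodeSignature cmdlet; the file path and the ‘Google Inc’ expected-publisher value in the usage line are illustrative assumptions (the name Google signs with today may differ). It also returns the certificate subject and issuer, which is where details like Barcelona and VeriSign above come from, so the same function serves the Li Mo, LiveSoftAction and Andrey Hmelnikov files in the other posts on this page.

```powershell
# Added example, not code from the FreeFixer blog. Reads the Authenticode signature of
# a downloaded installer and compares the signer's name with the publisher you expected,
# which is the "google_chrome.exe signed by Volvan Premium SL" problem described above.
# Assumptions: Windows with the built-in Get-AuthenticodeSignature cmdlet; the path and
# expected publisher in the usage line are illustrative.

function Test-DownloadSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedPublisher   # the CN you expect, e.g. 'Google Inc'
    )
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

    $result = [pscustomobject]@{
        File      = Split-Path -Leaf $Path
        Status    = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
        Publisher = $null                # CN of the signer, what the UAC dialog shows as "Publisher"
        Issuer    = $null                # the CA that issued the code-signing certificate
        Subject   = $null                # full subject, including L= / S= / C= location fields
        Verdict   = $null
    }

    if ($sig.Status -eq 'NotSigned' -or -not $cert) {
        # Unsigned installers are the most common case for adware bundlers.
        $result.Verdict = 'REJECT: file is not signed'
        return $result
    }

    $result.Publisher = $cert.GetNameInfo($nameType, $false)
    $result.Issuer    = $cert.GetNameInfo($nameType, $true)
    $result.Subject   = $cert.Subject

    if ($sig.Status -ne 'Valid') {
        # Tampered file, broken chain or untrusted root: the signature proves nothing.
        $result.Verdict = "REJECT: signature status is $($sig.Status)"
    }
    elseif ($result.Publisher -ne $ExpectedPublisher) {
        # A valid signature only proves that *someone* signed the file. The name is what
        # matters: a "Google Chrome" setup signed by an unknown company is a bundler, not Chrome.
        $result.Verdict = "REJECT: signed by '$($result.Publisher)', expected '$ExpectedPublisher'"
    }
    else {
        $result.Verdict = 'OK: valid signature from the expected publisher'
    }
    $result
}

# Usage (illustrative path and publisher name):
# Test-DownloadSignature -Path 'C:\Users\me\Downloads\google_chrome.exe' -ExpectedPublisher 'Google Inc'
```

The function deliberately rejects on a name mismatch even when the signature itself is valid: a code-signing certificate issued by a reputable CA to an unknown company, like the VeriSign-issued Volvan Premium SL certificate above, passes Windows’ own validation, so the publisher name is the only part of the signature that tells you whether the download is what it claims to be.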

So, why did I put up this blog post? Well, the thing is that the Volvan Premium SL file is detected by many of the anti-virus scanners, according to VirusTotal. F-Secure classifies google_chrome.exe as Gen:Variant.Application.Bundler, Malwarebytes calls it PUP.Optional.DomaIQ and McAfee calls it SoftPulse.a.

Volvan Premium SL virustotal

When I ran the Volvan Premium SL file it offered a bunch of bundled software, such as Wajam, HostSecurePlugin, Salus, SpeedChecker and Super Optimizer.

Did you also find a Volvan Premium SL file? Do you remember where you downloaded it?

Thanks for reading.

Remove HostSecure – HostSecurePlugin and HostSecure.exe Uninstall Guide

Hello there and welcome to the FreeFixer blog. I just found another bundled adware called HostSecure or HostSecurePlugin and will give you some removal instructions. If HostSecure is installed and running on your system, you will see HostSecure.exe running in the Windows Task Manager and an add-on called HostSecurePlugin added to Mozilla Firefox and Internet Explorer. I’ll show how to remove Host Secure in this blog post with the FreeFixer removal tool.

HostSecure.exe task manager

Here’s how the add-on shows up in Firefox:

HostSecurePlugin firefox 5.31.6

HostSecure is bundled in other software’s installers. Here’s one example of how it appears in an installer for an unrelated program.

HostSecure installer

Generally, you can avoid bundled software such as HostSecurePlugin by being careful when installing software and declining the bundled offers in the installer.

As always when I stumble upon some new bundled software, I uploaded it to VirusTotal to see if the anti-malware scanners there detect anything interesting. 7 of the 54 anti-malware scanners detected the file. The HostSecurePlugin files are detected as Win-PUP/SoftPulse by AhnLab-V3, WS.Reputation.1 by Symantec and DomaIQ (fs) by VIPRE. Here’s the scan result for HostSecure.exe:

HostSecurePlugin virustotal

The file is digitally signed by Plugin Update SL.

Removing HostSecure is pretty straightforward with FreeFixer. Just select the Host Secure Plugin files for removal and then click the Fix button and the problem will be solved.

HostSecurePlugin startup remove
HostSecurePlugin firefox remove
HostSecure startup remove
Host Secure Internet Explorer remove

Hope that helped you with the removal.

Do you also have HostSecure on your computer? Any idea how it was installed? Please share your story in the comments below. Thanks a bunch!

Thank you for reading.

LiveSoftAction – 11% Detection Rate at VirusTotal

Hi there! Just wanted to let you know about a publisher called LiveSoftAction before going back to writing some code for FreeFixer.

The following screenshot shows the User Account Control dialog when running the LiveSoftAction file:

LifeSoftAction SuperInstall publisher

Viewing the certificate information is also possible by looking under the digital signature tab for the file. Here the certificate says that LiveSoftAction is located in Bucharest in Romania.

LiveSoftAction certificate

11% of the scanners detected the file when I uploaded it to VirusTotal. ESET-NOD32 classifies provided through Diplodocs.exe as a variant of Win32/GetNow.D and Malwarebytes detects it as PUP.Optional.LiveSoftAction.

LiveSoftAction virustotal

Did you also find a file digitally signed by LiveSoftAction? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Thanks for reading.

Andrey Hmelnikov – 35% Detection Rate – Kazy/MultiPlug

Hi there! Just wanted to give you the heads up on files digitally signed by Andrey Hmelnikov.

Andrey Hmelnikov publisher

It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the Andrey Hmelnikov certificate. He’s located in Russia.

Andrey Hmelnikov certificate

So, what do the anti-virus programs say about the Andrey Hmelnikov file? No problem, I just uploaded the file to VirusTotal and it turned out that many of the anti-virus programs detect the Andrey Hmelnikov file, with names such as Gen:Variant.Adware.Kazy and MultiPlug.

Andrey Hmelnikov virustotal


To see in more detail what changes the Andrey Hmelnikov file would make on a user’s computer, I decided to run the file on my lab machine. The installer bundled some additional software such as GoSave and YoutubeAdBlocke.

Did you also find an Andrey Hmelnikov file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thank you for reading.