Monthly Archives: February 2015

Remove 888poker.com Pop Up Ads Caused By Adware

Did you just get a pop-up from 888poker.com in a new tab and wonder where it came from? Did the 888poker.com ad appear to open from a web site that under normal circumstances doesn’t use aggressive advertising such as pop-up windows? Or did the 888poker.com pop-up show up when you clicked a link on one of the major search engines, such as Google, Bing or Yahoo?

Here’s a screen capture of the 888poker.com pop-up ad when it showed up on my system in a new tab:

888poker.com pop up

If you also see this on your system, you most likely have adware installed that opens the 888poker.com ads. Contacting the owner of the site you were browsing is a waste of time: the ads are not coming from them. I’ll do my best to help you with the 888poker.com removal in this blog post.

Those that have been visiting this blog already know this, but for new visitors: Recently I dedicated some of my lab systems to this and intentionally installed some adware programs on them. I’ve been tracking the activity on these machines to see what kinds of ads are displayed. I’m also looking at other interesting things, such as whether the adware auto-updates, or whether it downloads additional unwanted software onto the machines. I first noticed the 888poker.com pop-up on one of these lab computers.

So, how do you remove the 888poker.com pop-up ads? On the machine where I got the 888poker.com ads I had TinyWallet, BlockAndSurf and BrowserWarden installed. I removed them with FreeFixer and that stopped the 888poker.com pop-ups and all the other ads I was getting in Mozilla Firefox.

The problem with pop-ups like this one is that many different adware variants can open them, so it is impossible to say exactly which program you need to remove to stop the pop-ups.

So, what can be done to solve the problem? To remove the 888poker.com pop-up ads you need to check your machine for adware or other types of unwanted software and uninstall it. Here’s my suggested removal procedure:

  1. What software do you have installed if you look in the Add/Remove programs dialog in the Windows Control Panel? Is there something that you don’t remember installing yourself, or that was installed recently?
  2. How about the add-ons in your browser? Is there anything in the list that you don’t remember installing?
  3. If that did not help, you can give FreeFixer a try. FreeFixer is built to assist users in manually tracking down adware and other types of unwanted software. It is a freeware utility that I’ve been working on since 2006, and it scans your computer in lots of locations where unwanted software is known to hook into your machine. If you would like additional details about a file in FreeFixer’s scan result, just click the More Info link for that file and a web page with a VirusTotal report will open, which can be very useful for determining whether the file is safe or malware:

    FreeFixer More Info link example
    An example of FreeFixer’s “More Info” links.

Here’s a video guide showing how to remove pop-up ads with FreeFixer:

Did this blog post help you to remove the 888poker.com pop-up ads? Please let me know, or tell me how I can improve this blog post.

Thank you!

Remove playmillion.com Pop Up Ads

Does this sound familiar? You see pop-up ads from playmillion.com in new tabs while browsing web sites that generally don’t advertise in pop-ups. The pop-ups manage to evade the built-in pop-up blockers in Mozilla Firefox, Google Chrome, Internet Explorer or Safari. Perhaps the playmillion.com pop-ups show up when clicking search results from the Google search engine? Or do the pop-ups appear even when you’re not browsing?

Here’s how the playmillion.com pop-up looked when it appeared in a new tab on my system:

playmillion.com pop up

If this sounds like what you are seeing on your machine, you almost certainly have adware installed on your computer that opens the playmillion.com ads. So there is no point contacting the owner of the website you were browsing: the adverts are not coming from them. I’ll try to help you remove the playmillion.com pop-ups in this blog post.

Those that have been following this blog already know this, but for new visitors: Some time ago I dedicated some of my lab machines to this and knowingly installed some adware programs on them. Since then I have been monitoring the activity on these computers to see what kinds of ads are displayed. I’m also looking at other interesting things, such as whether the adware updates itself, or whether it installs additional unwanted software on the computers. I first found the playmillion.com pop-up on one of these lab machines.

So, how do you remove the playmillion.com pop-up ads? On the machine where I got the playmillion.com ads I had TinyWallet, BlockAndSurf and BrowserWarden installed. I removed them with FreeFixer and that stopped the playmillion.com pop-ups and all the other ads I was getting in Mozilla Firefox.

The issue with pop-ups such as this one is that many adware variants can open them, not just the adware on my machine. This makes it impossible to say exactly which program you need to remove to stop the pop-ups.

Anyway, here’s my suggestion for the playmillion.com ads removal:

The first thing I would do to remove the playmillion.com pop-ups is to examine the programs installed on the machine, by opening the “Uninstall a program” dialog. You can open this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows you can just type “uninstall” in the Control Panel’s search field to find that dialog:
Uninstall a program search

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Uninstall a program dialog

Do you see something suspicious listed there, or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if some program was installed at about the same time as you started observing the playmillion.com pop-ups. Keep in mind that this date is reported by the installer itself and can be missing or inaccurate, so don’t rule a program out just because its date looks old.

Then I would check the browser add-ons. Adware often appears in the add-ons manager of Google Chrome, Mozilla Firefox, Internet Explorer or Safari. Is there anything that looks suspicious? Anything that you don’t remember installing?
Firefox add-ons manager

I think most users will be able to find and remove the adware with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the adware. FreeFixer is a freeware tool that I’ve been developing since 2006, built for manually identifying and removing unwanted software. When you’ve found the unwanted files you simply tick a checkbox and click the Fix button to remove them.

FreeFixer’s removal feature is not locked like in many other removal tools out there. It won’t require you to pay for the program just when you are about to remove the unwanted files.

And if you’re having a hard time determining whether a file is clean or adware in FreeFixer’s scan result, click the More Info link for the file. That will open a page in your browser with additional details about the file. On that web page, check out the VirusTotal report, which can be very useful:

FreeFixer More Info link example
An example of FreeFixer’s “More Info” links.

Did you find any adware on your machine? Did that stop the playmillion.com ads? Please post the name of the adware you uninstalled from your machine in the comments below.

Thank you!

Polyanskaya Irina – 21% Detection Rate – Vonteera / Crossid

Welcome! If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. Today I found another publisher called Polyanskaya Irina while reviewing the latest submissions to the FreeFixer database.

So, why did I put up this blog post? Well, the thing is that the Polyanskaya Irina file is detected by many of the antivirus scanners, according to VirusTotal. ESET-NOD32 names Convertor.exe as a variant of Win32/Adware.Vonteera.L, Ikarus classifies it as PUA.Vonteera, Symantec calls it Adware.Crossid and VIPRE detects it as Adware.Crossid.

Polyanskaya Irina anti-virus report

Did you also find a file signed by Polyanskaya Irina? What download was it and where did you find it? Please let me know. I’d like to test this download on my lab machine.

Thanks for reading.

Remove foxi69.tlscdn.com from Firefox, Chrome and Internet Explorer

This page shows how to remove foxi69.tlscdn.com from Mozilla Firefox, Google Chrome and Internet Explorer.

Did you just see foxi69.tlscdn.com in the status bar of your browser and wonder where it came from? Or did foxi69.tlscdn.com show up while you were searching for something on one of the major search engines, such as Google?

Here are some of the messages you may see in your browser’s status bar:

  • Waiting for foxi69.tlscdn.com…
  • Transferring data from foxi69.tlscdn.com…
  • Looking up foxi69.tlscdn.com…
  • Read foxi69.tlscdn.com
  • Connected to foxi69.tlscdn.com…

If this sounds like what you are seeing on your computer, you probably have a potentially unwanted program installed that makes your browser connect to the foxi69.tlscdn.com domain. So there’s no use contacting the owner of the site you were browsing: the foxi69.tlscdn.com status bar messages are not coming from them. I’ll do my best to help you remove the foxi69.tlscdn.com message in this blog post.

I found foxi69.tlscdn.com on one of the lab machines where I have some potentially unwanted programs running. I’ve talked about this in some of the previous blog posts. The potentially unwanted programs were installed on purpose, and from time to time I check if something new has appeared, such as pop-up windows, new tabs in the browsers, injected ads on web sites that usually don’t show ads, or new files saved to the hard drive.

foxi69.tlscdn.com resolves to the 198.7.58.94 IP address.

So, how do you remove foxi69.tlscdn.com from your web browser? On the machine where foxi69.tlscdn.com showed up in the status bar I had TinyWallet, BlockAndSurf and BrowserWarden installed. I removed them with FreeFixer and that stopped the browser from loading data from foxi69.tlscdn.com.

The issue with status bar messages such as this one is that many variants of potentially unwanted programs can cause them, not just the one on my computer. This makes it impossible to say exactly which program you need to remove to stop the status bar messages.

To remove foxi69.tlscdn.com you need to examine your system for potentially unwanted programs and uninstall them. Here’s my suggested removal procedure:

  1. Check what programs you have installed in the Add/Remove programs dialog in the Windows Control Panel. Do you see something that you don’t remember installing or that was recently installed?
  2. You can also review the add-ons you installed in your browsers. Same thing here, do you see something that you don’t remember installing?
  3. If that didn’t help, you can give FreeFixer a try. FreeFixer is built to assist users in manually tracking down potentially unwanted programs. It is a freeware utility that I’ve been working on since 2006, and it scans your computer in lots of locations where unwanted software is known to hook into your computer. If you would like additional details about a file in FreeFixer’s scan result, just click the More Info link for that file and a web page with a VirusTotal report will open, which can be very useful for determining whether the file is safe or malware:

    FreeFixer More Info link example
    An example of FreeFixer’s “More Info” links.

Did you find any potentially unwanted program on your machine? Did that stop foxi69.tlscdn.com? Please post the name of the potentially unwanted program you uninstalled from your machine in the comments below.

Thank you!

Remove Strong Signal Adware

Hello readers. Another day, another blog post. Today I wanted to talk about an adware named Strong Signal and give you some removal instructions. Strong Signal appears to be a variant of BrowseFox that I’ve written about before. Here’s how it appears in Firefox:

Strong Signal

Strong Signal is bundled with other software’s installers. The following screenshot shows how Strong Signal was disclosed in the installer when I found it:
strong signal eula

Generally, you can avoid bundled software such as Strong Signal by being careful when installing software and declining the bundled offers in the installer. Bundled offers are often hidden behind the “Express” or “Recommended” install option, so choose the “Custom” or “Advanced” option when it is offered and read each screen before clicking Next.

Only one of the anti-virus programs at VirusTotal detected the file: Bkav, which reported it as W32.HfsAdware.2D5E.

So, how about the removal? You can remove Strong Signal with the FreeFixer removal tool. Just select the Strong Signal files as the screen captures below show. A reboot of your computer may be required to complete the removal.

remove strong signal firefox
remove strong signal internet explorer

Hope that helped you with the removal.

Do you also have Strong Signal on your computer? Any idea how it installed? Please share in the comments below. Thanks!

Thanks for reading. Welcome back!

Remove binaryprofessional.com Pop Up Ads Caused By Adware

Did you just get a pop-up from binaryprofessional.com and ask yourself where it came from? Did the binaryprofessional.com ad appear to open from a web site that under normal circumstances doesn’t use aggressive advertising such as pop-up windows? Or did the binaryprofessional.com pop-up show up when you clicked a link on one of the major search engines, such as Google, Bing or Yahoo?

Here is a screenshot of the binaryprofessional.com pop-up tab from my machine:
binaryprofessional.com pop up tab

If this description sounds like your experience, you most likely have adware installed on your system that opens the binaryprofessional.com ads. So there is no point contacting the owner of the web site you were browsing: the ads are not coming from them. I’ll try to help you with the binaryprofessional.com removal in this blog post.

I found the binaryprofessional.com pop-up on one of the lab systems where I have some adware running. I’ve talked about this in some of the previous blog posts. The adware was installed on purpose, and from time to time I check if something new has appeared, such as pop-up windows, new tabs in the browsers, injected ads on sites that usually don’t show ads, or new files saved to the hard drive.

binaryprofessional.com was registered on 2014-05-25 and resolves to 50.7.157.122.

The binaryprofessional.com domain is attracting quite a lot of traffic, just check out the Alexa traffic rank:

binaryprofessional.com traffic rank

So, how do you remove the binaryprofessional.com pop-up ads? On the machine where I got the binaryprofessional.com ads I had TinyWallet, BrowserWarden and BlockAndSurf installed. I removed them with FreeFixer and that stopped the binaryprofessional.com pop-ups and all the other ads I was getting in Mozilla Firefox.

The problem with pop-ups like the one described in this blog post is that many adware variants can open them, not just the adware on my computer. This makes it impossible to say exactly which program you need to remove to stop the pop-ups.

To remove the binaryprofessional.com pop-up ads you need to examine your computer for adware or other types of unwanted software and uninstall it. Here’s my suggested removal procedure:

  1. What software do you have installed if you look in the Add/Remove programs dialog in the Windows Control Panel? Something that you don’t remember installing yourself or that was recently installed?
  2. How about your browser add-ons. Anything in the list that you don’t remember installing?
  3. If that did not help, I’d recommend a scan with FreeFixer to manually track down the adware. FreeFixer is a freeware tool that I’m working on that scans your computer in lots of locations, such as browser add-ons, processes, Windows services, recently modified files, etc. If you want additional details about a file in the scan result, you can click the More Info link for that file and a web page will open with a VirusTotal report, which can be very useful for determining whether the file is safe or malware:

    FreeFixer More Info link example
    An example of FreeFixer’s “More Info” links.

Here’s a video tutorial which shows FreeFixer in action removing adware that caused pop-up ads:

Did this blog post help you to remove the binaryprofessional.com pop-up ads? Please let me know, or tell me how I can improve this blog post.

Thank you!

Max Source (After Download Ltd.) – 9% Detection Rate – InstallCore

Hello readers! Just a short post on a publisher called Max Source (After Download Ltd.) that I found while downloading “FileZilla” from SourceForge. Big thanks to Peter for letting me know about this download.

This is how Max Source (After Download Ltd.) appears when running the file:

Max Source After Download Ltd in the User Account Control dialog

To get more details on the publisher, you can view the certificate by right-clicking on the file, selecting Properties and looking under the Digital Signatures tab. According to the certificate, Max Source (After Download Ltd.) is located in Tel Aviv, Israel, and the certificate was issued by GlobalSign CodeSigning CA – G2. Keep in mind that a valid signature only tells you that the CA vetted the publisher’s name; it says nothing about whether the program is something you want.

Max Source After Download Ltd certificate

It turns out that SourceForge.net has been into bundling for quite some time. Here’s a blog post dated July 2013 which describes the DevShare bundling program.

The reason I’m writing this blog post is that the Max Source (After Download Ltd.) file is detected by some of the anti-malware engines at VirusTotal. Avira detects FileZilla_3.10.1.1_win32-setup.exe as Adware/InstallCore.765232, DrWeb classifies it as Trojan.InstallCore.52, ESET-NOD32 reports a variant of Win32/InstallCore.WI potentially unwanted, K7AntiVirus calls it Trojan ( 004b52261 ) and K7GW calls it Trojan ( 004b52261 ).

Max Source anti-virus report

Did you also find a file digitally signed by Max Source (After Download Ltd.)? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Here’s how the download screen looks for FileZilla at sourceforge.net. It hints that something will be bundled by saying “provide you some options during the installation process…”

sourceforge downloader

Thanks for reading.

Remove gal.adviceoncarsse.com from Firefox, Google Chrome and Internet Explorer

This page shows how to remove gal.adviceoncarsse.com from Mozilla Firefox, Google Chrome and Internet Explorer.

Did you just see gal.adviceoncarsse.com in the status bar of your web browser and wonder where it came from? Or did gal.adviceoncarsse.com show up while you were searching for something on one of the major search engines, such as Google?

Here’s a screen capture of gal.adviceoncarsse.com when it showed up on my computer, in the network log, while I did a search at Google.se:

gal.adviceoncarsse.com connection

The following are some of the messages you may see in your browser’s status bar:

  • Waiting for gal.adviceoncarsse.com…
  • Transferring data from gal.adviceoncarsse.com…
  • Looking up gal.adviceoncarsse.com…
  • Read gal.adviceoncarsse.com
  • Connected to gal.adviceoncarsse.com…

If this description sounds like your computer, you probably have a potentially unwanted program installed on your machine that makes your browser connect to the gal.adviceoncarsse.com domain. Contacting the owner of the website you were browsing would be a waste of time: they are not responsible for the gal.adviceoncarsse.com status bar messages. I’ll do my best to help you remove the gal.adviceoncarsse.com message in this blog post.

For those that are new to the blog: Not long ago I dedicated a few of my lab computers to this and intentionally installed a few potentially unwanted programs on them. Since then I’ve been observing the behaviour on these machines to see what kinds of advertisements are displayed. I’m also looking at other interesting things, such as whether the potentially unwanted program updates itself automatically, or whether it downloads and installs additional potentially unwanted programs on the machines. I first noticed gal.adviceoncarsse.com in Mozilla Firefox’s status bar on one of these lab systems.

gal.adviceoncarsse.com was created on 2014-12-02 and resolves to 50.22.215.30. A Whois query does not offer much information, since the registrant details are hidden behind WhoisGuard, Inc.

So, how do you remove gal.adviceoncarsse.com from your browser? On the machine where gal.adviceoncarsse.com showed up in the status bar I had PriceFountain, YTDownloader, WebWaltz and SpeedChecker installed. I removed them with FreeFixer and that stopped the browser from loading data from gal.adviceoncarsse.com.

Most likely, WebWaltz was responsible for the gal.adviceoncarsse.com connection, since the loaded URL mentions “web waltz”, as shown in the screenshot above.

The issue with status bar messages such as this one is that many variants of potentially unwanted programs can cause them, not just the one running on my system. This makes it impossible to say exactly which program you need to remove to stop the status bar messages.

Anyway, here’s my suggestion for the gal.adviceoncarsse.com removal:

The first thing I would do to remove gal.adviceoncarsse.com is to examine the software installed on the machine, by opening the “Uninstall a program” dialog. You can reach this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows you can just type “uninstall” in the Control Panel’s search field to find that dialog:
Uninstall a program search

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Uninstall a program dialog

Do you see something suspicious in there, or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if something was installed at about the same time as you started seeing the gal.adviceoncarsse.com status bar messages. The date comes from the installer itself and is sometimes absent or wrong, so treat it as a hint rather than proof.

The next thing to check would be your browser’s add-ons. Potentially unwanted programs often appear in the add-ons manager of Chrome, Firefox, Internet Explorer or Safari. Is there anything that looks suspicious? Anything that you don’t remember installing?
Firefox add-ons manager
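The two checks above (the “Uninstall a program” list sorted by install date, and the browser add-ons) are the same first two steps suggested in the playmillion.com, foxi69.tlscdn.com, binaryprofessional.com and 888poker.com posts on this page. The following PowerShell script is an added example that automates them; it is not part of the original post and not FreeFixer’s code. It reads the same registry keys the Control Panel dialog uses, lists Firefox add-ons from each profile’s extensions.json together with where they were installed from, lists Chrome extensions from their manifest.json files and any policy-forced extensions, and lists Internet Explorer Browser Helper Objects with the DLL they load. The 30-day window, the profile paths and the function names are assumptions; adjust them for your machine.

```powershell
# Added example, not code from the FreeFixer blog or from FreeFixer itself.
# Windows PowerShell 5.1 or PowerShell 7 on Windows. The 30-day window, the
# browser profile paths and the function names are assumptions.

function Get-InstalledProgram {
    # Same entries the "Uninstall a program" dialog reads: 64-bit, 32-bit and per-user Uninstall keys.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
        ForEach-Object {
            # InstallDate (yyyyMMdd) is optional and written by the installer itself, so it
            # can be missing or wrong. Undated entries are kept with Installed = $null.
            $installed = $null
            if ($_.InstallDate -match '^\d{8}$') {
                $installed = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
            }
            [pscustomobject]@{
                Name      = $_.DisplayName
                Publisher = $_.Publisher
                Installed = $installed
                Uninstall = $_.UninstallString
            }
        } | Sort-Object Installed -Descending
}

function Get-FirefoxAddon {
    # extensions.json lists every add-on Firefox knows about. Add-ons the user installed
    # live in 'app-profile'; any other location ('app-global', 'winreg-app-global', ...)
    # was written by some other installer, which is how bundled adware usually arrives.
    Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles\*\extensions.json" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $profileName = $_.Directory.Name
            (Get-Content $_.FullName -Raw | ConvertFrom-Json).addons | ForEach-Object {
                [pscustomobject]@{
                    Profile   = $profileName
                    Name      = $_.defaultLocale.name
                    Id        = $_.id
                    Location  = $_.location
                    Enabled   = $_.active
                    Installed = $(if ($_.installDate) { [DateTimeOffset]::FromUnixTimeMilliseconds([long]$_.installDate).LocalDateTime })
                    Path      = $_.path
                }
            }
        }
}

function Get-ChromeExtension {
    # One manifest.json per installed extension version under the profile's Extensions folder.
    Get-ChildItem "$env:LOCALAPPDATA\Google\Chrome\User Data\*\Extensions\*\*\manifest.json" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $manifest = Get-Content $_.FullName -Raw | ConvertFrom-Json
            [pscustomobject]@{
                Id      = $_.Directory.Parent.Name
                Name    = $manifest.name      # '__MSG_...__' means the name is localised under _locales\
                Version = $manifest.version
                Path    = $_.DirectoryName
            }
        }
}

function Get-ChromeForcedExtension {
    # Extensions pushed by policy cannot be removed from chrome://extensions, so look here too.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist"
        if (Test-Path $key) {
            $item = Get-Item $key
            foreach ($name in $item.GetValueNames()) { $item.GetValue($name) }   # "extension-id;update-url"
        }
    }
}

function Get-IEBrowserHelperObject {
    # BHOs are COM DLLs loaded into every Internet Explorer process; a favourite of adware.
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($clsidKey in (Get-ChildItem -Path $bhoKeys -ErrorAction SilentlyContinue)) {
        $clsid = $clsidKey.PSChildName
        # Resolve the CLSID to the DLL that implements it (64-bit and 32-bit class registrations).
        $dll = foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID') {
            (Get-ItemProperty -Path "$root\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        }
        [pscustomobject]@{ CLSID = $clsid; Dll = @($dll | Where-Object { $_ })[0] }
    }
}

# Usage: newest installs first (undated entries included), then the browser pieces.
# Anything you do not recognise is a removal candidate; check its file on VirusTotal before deleting it.
$cutoff = (Get-Date).AddDays(-30)
Get-InstalledProgram | Where-Object { -not $_.Installed -or $_.Installed -ge $cutoff } | Format-Table -AutoSize
Get-FirefoxAddon | Where-Object { $_.Location -ne 'app-profile' } | Format-Table -AutoSize
Get-ChromeExtension | Format-Table -AutoSize
Get-ChromeForcedExtension
Get-IEBrowserHelperObject | Format-Table -AutoSize
```

The Firefox filter on Location is the most useful single line here: an add-on that did not come from the profile folder was installed by something other than the user, which is exactly the pattern of the bundled adware described on this page. The BHO DLL paths and the UninstallString values are the files to hash and look up on VirusTotal before you remove anything.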

I think most users will be able to track down and uninstall the potentially unwanted program with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the potentially unwanted program. FreeFixer is a freeware tool that I started developing many years ago. It’s designed for manually tracking down and removing unwanted software. When you’ve identified the unwanted files you simply tick a checkbox and click the Fix button to remove them.

FreeFixer’s removal feature is not locked like in many other removal tools out there. It won’t require you to pay a fee just when you are about to remove the unwanted files.

And if you’re having trouble deciding whether a file is clean or potentially unwanted in FreeFixer’s scan report, click the More Info link for the file. That will open a web page with additional information about the file. On that web page, check out the VirusTotal report, which can be very useful:

FreeFixer More Info link example
An example of FreeFixer’s “More Info” links.

Did this blog post help you to remove gal.adviceoncarsse.com? Please let me know, or tell me how I can improve this blog post.

Thank you!

Symcd.com – Online Certificate Status Protocol Server Owned By Symantec Corporation

Morning! Hope you are having a great weekend. I’ve been experimenting with some network monitoring of HTTP requests and responses in Mozilla Firefox. While playing around with one of the tools I’m evaluating I noticed a request to gv.symcd.com:

gv.symcd.com connection

I had not heard of the symcd.com domain before, so I got curious. The request’s content type is “application/ocsp-request”. OCSP is an abbreviation for Online Certificate Status Protocol, an Internet protocol used to retrieve the revocation status of a digital certificate.

That’s what the symcd.com connection is about: checking the revocation status of some certificate. The tool I used to track the network traffic does not have any advanced features to decode the OCSP communication, so I don’t know exactly what information Firefox requests from symcd.com.
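An OCSP request (RFC 6960) does not carry the certificate being checked. It carries a CertID: the hash algorithm, a hash of the issuer’s name, a hash of the issuer’s public key and the certificate’s serial number, and the request is normally unsigned. That is all Firefox sends to gv.symcd.com, but it is enough for the responder (here Symantec) to learn which certificate, and therefore which site, the browser is connecting to. The following PowerShell function is an added example that decodes such a request body; it is not from the original post. It needs PowerShell 7 (.NET 5 or later) for the System.Formats.Asn1 reader, the function name is my own, and the byte string is a constructed sample with made-up hashes and serial number, not the author’s capture.

```powershell
# Added example, not code from the FreeFixer blog. Requires PowerShell 7 (.NET 5+).
# Decodes the body of an "application/ocsp-request" POST (RFC 6960):
#   OCSPRequest ::= SEQUENCE { tbsRequest TBSRequest, optionalSignature [0] EXPLICIT Signature OPTIONAL }
#   TBSRequest  ::= SEQUENCE { version [0] EXPLICIT Version DEFAULT v1,
#                              requestorName [1] EXPLICIT GeneralName OPTIONAL,
#                              requestList SEQUENCE OF Request,
#                              requestExtensions [2] EXPLICIT Extensions OPTIONAL }
#   Request     ::= SEQUENCE { reqCert CertID, singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
#   CertID      ::= SEQUENCE { hashAlgorithm AlgorithmIdentifier, issuerNameHash OCTET STRING,
#                              issuerKeyHash OCTET STRING, serialNumber CertificateSerialNumber }
Add-Type -AssemblyName System.Formats.Asn1

function ConvertFrom-OcspRequest {
    param([Parameter(Mandatory)][byte[]]$Der)

    $rules       = [System.Formats.Asn1.AsnEncodingRules]::DER
    $options     = [System.Formats.Asn1.AsnReaderOptions]::new()
    $memory      = [System.ReadOnlyMemory[byte]]::new($Der)
    $ocspRequest = [System.Formats.Asn1.AsnReader]::new($memory, $rules, $options).ReadSequence()
    $tbsRequest  = $ocspRequest.ReadSequence()

    # Skip the optional [0] version and [1] requestorName; both carry context-specific tags.
    while ($tbsRequest.PeekTag().TagClass -eq [System.Formats.Asn1.TagClass]::ContextSpecific) {
        $null = $tbsRequest.ReadEncodedValue()
    }

    $requestList = $tbsRequest.ReadSequence()
    while ($requestList.HasData) {
        $certId = $requestList.ReadSequence().ReadSequence()   # Request -> CertID
        $algId  = $certId.ReadSequence()
        $oid    = $algId.ReadObjectIdentifier()                  # 1.3.14.3.2.26 = SHA-1, what browsers send
        $issuerNameHash = $certId.ReadOctetString()
        $issuerKeyHash  = $certId.ReadOctetString()
        $serial         = $certId.ReadIntegerBytes().ToArray()   # raw bytes: serials exceed 64 bits

        [pscustomobject]@{
            HashAlgorithmOid = $oid
            IssuerNameHash   = [BitConverter]::ToString($issuerNameHash) -replace '-'
            IssuerKeyHash    = [BitConverter]::ToString($issuerKeyHash)  -replace '-'
            SerialNumber     = [BitConverter]::ToString($serial)         -replace '-'
        }
    }
}

# Constructed sample request (made-up hashes and serial number), 75 bytes of DER.
$sampleHex = @'
30 49 30 47 30 45 30 43 30 41
30 09 06 05 2B 0E 03 02 1A 05 00
04 14 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14
04 14 A1 A2 A3 A4 A5 A6 A7 A8 A9 AA AB AC AD AE AF B0 B1 B2 B3 B4
02 08 0B 1C 2D 3E 4F 50 61 72
'@
$sample = [byte[]](($sampleHex -split '\s+') | Where-Object { $_ } | ForEach-Object { [Convert]::ToByte($_, 16) })

ConvertFrom-OcspRequest -Der $sample | Format-List
# For a real capture, pass the POST body bytes; for an OCSP GET, base64-decode the last URL path segment
# with [Convert]::FromBase64String([uri]::UnescapeDataString($segment)) and pass that instead.
```

The decoded SerialNumber is in the same upper-case hex form as the SerialNumber property of an X509Certificate2 in PowerShell, so you can match the request against the certificate of the site you were visiting. Since the browser tells the CA’s responder which certificate it is checking, OCSP traffic like the symcd.com request is also a record of the sites you visit; that is why OCSP stapling, where the web server includes the response in the TLS handshake, exists.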

So, who owns symcd.com? The WHOIS database answer is Symantec Corporation:

Registrant Organization: Symantec Corporation
Registrant Street: 350 Ellis Street
Registrant City: Mountain View
Registrant State/Province: CA
Registrant Postal Code: 94043
Registrant Country: US

Symcd.com was created on 2013-12-12.

I did not find much information about gv.symcd.com, probably because a large number of subdomains are used. I found this list over at VirusTotal:

  • sm.symcd.com
  • gz.symcd.com
  • gp.symcd.com
  • tl.symcd.com
  • sn.symcd.com
  • tm.symcd.com
  • gq.symcd.com
  • sk.symcd.com
  • gw.symcd.com
  • si.symcd.com
  • gx.symcd.com
  • gk.symcd.com
  • s.symcd.com
  • sw.symcd.com
  • gu.symcd.com
  • sh.symcd.com
  • tf.symcd.com
  • t.symcd.com
  • tn.symcd.com
  • gv.symcd.com
  • ta.symcd.com
  • gd.symcd.com
  • st.symcd.com
  • tg.symcd.com
  • sr.symcd.com
  • sd.symcd.com
  • sf.symcd.com
  • sg.symcd.com
  • th.symcd.com
  • ga.symcd.com
  • gn.symcd.com
  • se.symcd.com
  • sv.symcd.com
  • tj.symcd.com
  • su.symcd.com
  • tb.symcd.com
  • ti.symcd.com
  • tc.symcd.com
  • sc.symcd.com
  • gm.symcd.com
  • sb.symcd.com
  • gb.symcd.com
  • ss.symcd.com
  • sj.symcd.com
  • gj.symcd.com
  • td.symcd.com
  • sa.symcd.com
  • tk.symcd.com

I checked a few of the domains, and they all resolved to the 23.43.139.27 IP address.

Thanks for reading!


Bon Don Jov – Anti-Virus Detection: 18% – OutBrowse Revenyou

Welcome! Did you just find a file that’s digitally signed by Bon Don Jov and come here to find out more about it? You will see Bon Don Jov listed as the verified publisher in the User Account Control dialog that pops up if you try to run the file:

Bon Don Jov in the User Account Control dialog

To get more details on the publisher, you can view the embedded certificate by right-clicking on the file, selecting Properties and looking under the Digital Signatures tab. According to the certificate, Bon Don Jov is located in Dublin, Ireland, and the certificate was issued by GlobalSign CodeSigning CA – G2.

Bon Don Jov certificate - States that the publisher is located in Dublin, Ireland
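The Digital Signatures tab shows the same certificate fields that PowerShell can read, and it is worth pairing that with the file hash that VirusTotal keys its reports on. The following script is an added example that does both for signed downloads like the Bon Don Jov file here and the Max Source (After Download Ltd.) file discussed above; it is not code from the original page. It uses Get-AuthenticodeSignature, builds the certificate chain with online revocation checking, and computes the SHA-256 of the file. The download path and the function name are assumptions.

```powershell
# Added example, not code from the FreeFixer blog. Windows PowerShell 5.1 or PowerShell 7 on Windows.
# The file path under Downloads and the function name are assumptions.

function Get-PublisherInfo {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate            # $null when the file is not signed
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    # Build the chain ourselves so revocation problems show up too. A Valid status from
    # Get-AuthenticodeSignature only means the hash matches and the chain is trusted; it
    # says nothing about whether the program is wanted, so still look the publisher up.
    $chainStatus = @()
    if ($cert) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $null = $chain.Build($cert)
        $chainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status })
    }

    [pscustomobject]@{
        File            = $Path
        SignatureStatus = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError...
        Publisher       = $cert.Subject        # e.g. CN=..., O=..., L=Tel Aviv, C=IL (what the UAC prompt shows)
        Issuer          = $cert.Issuer         # e.g. CN=GlobalSign CodeSigning CA - G2
        ValidFrom       = $cert.NotBefore
        ValidTo         = $cert.NotAfter
        Thumbprint      = $cert.Thumbprint
        TimeStamped     = [bool]$sig.TimeStamperCertificate
        ChainStatus     = $(if (-not $cert) { 'n/a' } elseif ($chainStatus) { $chainStatus -join ', ' } else { 'OK' })
        SHA256          = $hash
        VirusTotalUrl   = "https://www.virustotal.com/gui/file/$($hash.ToLower())"
    }
}

# Usage: one file, then everything in Downloads that is not cleanly signed.
Get-PublisherInfo -Path "$env:USERPROFILE\Downloads\FileZilla_3.10.1.1_win32-setup.exe" | Format-List
Get-ChildItem "$env:USERPROFILE\Downloads" -File |
    ForEach-Object { Get-PublisherInfo -Path $_.FullName } |
    Where-Object { $_.SignatureStatus -ne 'Valid' -or $_.ChainStatus -ne 'OK' } |
    Format-Table File, SignatureStatus, Publisher, ChainStatus -AutoSize
```

The VirusTotal URL looks up the existing report for that hash without uploading the file, which matters when the download may contain personal data. A revoked publisher certificate shows up as Revoked in ChainStatus; note that a timestamped signature can still report Valid if the certificate was good at signing time, which is why the chain status is reported separately. Matching the Publisher string against names seen in posts like this one is a quick triage step, but an unknown, cleanly signed publisher is not evidence that the program is harmless.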

10 of the scanners at VirusTotal detected the file. The detection names were Win32:OutBrowse-X [PUP], APPL/Downloader.Gen, Trojan.OutBrowse.54, Win32/OutBrowse.BU potentially unwanted, OutBrowse Revenyou and OutBrowse (fs).

Bon Don Jov anti virus report. 18% Detection Rate. Detection name: OutBrowse

Did you also find a Bon Don Jov file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thanks for reading.