Monthly Archives: May 2015

ocsp.digicert.com – Revocation Status Server For Digital Certificate

If you see connections to ocsp.digicert.com in your browser or in your network traffic logger, there’s no need to worry. ocsp.digicert.com is DigiCert’s OCSP (Online Certificate Status Protocol) responder, and browsers and other TLS clients use it to check whether a certificate issued by DigiCert has been revoked. OCSP requests travel over plain HTTP by design; the responses are signed by the CA, so the transport itself does not need to be encrypted.

Here’s a screenshot of the ocsp.digicert.com HTTP requests and responses:

ocsp.digicert.com

If you see Google Chrome, Mozilla Firefox or Internet Explorer connecting to ocsp.digicert.com, the browser is in the middle of verifying a digital certificate, most likely for an HTTPS connection you just made.
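Decoding one of these requests yourself, as an added example that is not part of the original post: browsers usually send small OCSP requests as an HTTP GET whose path is the URL-encoded base64 DER of the OCSPRequest (RFC 6960). The script below uses only the Python standard library. It builds a constructed sample request with made-up issuer hashes and serial number, then parses it back to show which certificate is being checked. The DER helpers and the sample values are mine, not DigiCert’s or the browser’s.

```python
import base64
import urllib.parse

# Hash algorithm OIDs that commonly appear in CertID.hashAlgorithm
HASH_OIDS = {
    "1.3.14.3.2.26": "sha1",
    "2.16.840.1.101.3.4.2.1": "sha256",
}

def der_encode(tag, content):
    """Minimal DER TLV encoder, used here only to construct the sample request."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def der_read(buf, pos=0):
    """Read one DER TLV starting at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split the content of a constructed type into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = der_read(value, pos)
        out.append((tag, v))
    return out

def decode_oid(raw):
    """Decode DER OID content bytes to dotted form, e.g. 1.3.14.3.2.26."""
    arcs = [raw[0] // 40, raw[0] % 40]
    n = 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def parse_ocsp_request(der):
    """Return one dict per CertID in an RFC 6960 OCSPRequest (DER bytes)."""
    tag, ocsp_request, _ = der_read(der)
    if tag != 0x30:
        raise ValueError("not an OCSPRequest SEQUENCE")
    _, tbs_request, _ = der_read(ocsp_request)          # TBSRequest
    # TBSRequest members: optional [0] version, [1] requestorName, then requestList SEQUENCE
    request_list = next(v for t, v in der_children(tbs_request) if t == 0x30)
    results = []
    for _, request in der_children(request_list):       # Request ::= SEQUENCE { reqCert CertID, ... }
        _, cert_id, _ = der_read(request)
        (_, alg), (_, name_hash), (_, key_hash), (_, serial) = der_children(cert_id)[:4]
        oid = decode_oid(der_children(alg)[0][1])       # AlgorithmIdentifier.algorithm
        results.append({
            "hash_algorithm": HASH_OIDS.get(oid, oid),
            "issuer_name_hash": name_hash.hex(),
            "issuer_key_hash": key_hash.hex(),
            "serial": int.from_bytes(serial, "big", signed=True),
        })
    return results

def parse_ocsp_get_url(url):
    """Decode the GET form of an OCSP request: http://responder/<urlencoded base64 DER>."""
    path = urllib.parse.urlsplit(url).path.lstrip("/")
    der = base64.b64decode(urllib.parse.unquote(path))
    return parse_ocsp_request(der)

# --- Constructed sample (made-up values, not a real DigiCert certificate) ---
SAMPLE_NAME_HASH = bytes(range(20))        # stands in for SHA-1 of the issuer DN
SAMPLE_KEY_HASH = bytes(range(20, 40))     # stands in for SHA-1 of the issuer public key
SAMPLE_SERIAL = 0x0A1B2C3D4E5F60718293A4B5C6D7E8F9

def build_sample_request(name_hash, key_hash, serial):
    sha1 = der_encode(0x06, bytes.fromhex("2b0e03021a"))            # OID 1.3.14.3.2.26
    alg = der_encode(0x30, sha1 + der_encode(0x05, b""))
    serial_bytes = serial.to_bytes((serial.bit_length() + 8) // 8, "big")  # minimal positive INTEGER
    cert_id = der_encode(0x30, alg + der_encode(0x04, name_hash)
                         + der_encode(0x04, key_hash) + der_encode(0x02, serial_bytes))
    request = der_encode(0x30, cert_id)                 # Request
    request_list = der_encode(0x30, request)            # requestList
    tbs = der_encode(0x30, request_list)                # TBSRequest
    return der_encode(0x30, tbs)                        # OCSPRequest

def sample_get_url():
    der = build_sample_request(SAMPLE_NAME_HASH, SAMPLE_KEY_HASH, SAMPLE_SERIAL)
    return "http://ocsp.digicert.com/" + urllib.parse.quote(base64.b64encode(der).decode(), safe="")

if __name__ == "__main__":
    for cert in parse_ocsp_get_url(sample_get_url()):
        print(f"{cert['hash_algorithm']} serial={cert['serial']:x} issuerKeyHash={cert['issuer_key_hash']}")
```

If the client used POST instead, the request body is the raw DER; pass it straight to parse_ocsp_request. The serial number together with issuerKeyHash identifies the certificate being checked, which you can compare against the leaf certificate of the HTTPS site you just visited.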

Thanks for reading!

Setup Super (Fried Cookie Ltd.) – 16% Detection Rate – InstallCore

Hello! I was playing around and testing some downloads when I found a file digitally signed by Setup Super (Fried Cookie Ltd.).

This is how Setup Super (Fried Cookie Ltd.) appears when running the file:

Setup Super Fried Cookie Ltd publisher

By examining the certificate, we can see that Setup Super (Fried Cookie Ltd.) is located in Tel Aviv, Israel. The certificate is issued by GlobalSign CodeSigning CA – G2.

Setup Super Fried Cookie certificate

The reason I’m writing this blog post is that the Setup Super (Fried Cookie Ltd.) file is detected by some of the anti-virus scanners at VirusTotal. Comodo detects installer_jdownloader_English.exe as Application.Win32.InstallCore.UD, Malwarebytes reports PUP.Optional.InstallCore.SID.C and VIPRE detects it as InstallCore (fs).

Setup Super anti-virus report

Did you also find a file digitally signed by Setup Super (Fried Cookie Ltd.)? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Thanks for reading.

Igor Menyalo – 41% Detection Rate – MultiPlug / Qudamah / Kazy

Hi there! Just a note on a publisher called Igor Menyalo. The Igor Menyalo download was detected when I uploaded it to VirusTotal. Did you also find a download by Igor Menyalo? Was it also detected when you uploaded it to VirusTotal?

Igor Menyalo publisher

That’s how it looks when double-clicking on the file and Igor Menyalo appears as the publisher. It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the Igor Menyalo certificate.

Igor Menyalo certificate

Igor Menyalo appears to be located in Russia.

TR/Crypt.XPACK.Gen, Gen:Variant.Adware.Kazy.611186, W32/S-0625bdde!Eldorado, PUP.Optional.MultiPlug and Trojan.Win32.Qudamah.Gen.0 are some detection names according to VirusTotal:

Igor Menyalo anti-virus report

I decided to run the Igor Menyalo signed file, and it offered three additional programs called PriceMinus, BestAdBlocker and MyPC Backup in the installer.

Did you also find an Igor Menyalo file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thank you for reading.

Download Verified – 9% Detection Rate – DownloadAdmin / Atraps / Qudamah

Hello! Lately I’ve been looking at the digital signatures on files that push various types of potentially unwanted programs. This morning I found a new file digitally signed by Download Verified.

Just wanted to let you know that the Download Verified file is detected by some of the anti-malware scanners. Here are some of the detection names: Trojan.Win32.Atraps.b, Trojan.Win32.Qudamah.Gen.7 and DownloadAdmin (fs).

Download Verified anti-virus report

Did you also find a Download Verified file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thank you for reading.

Rubin Sister – 16% Detection Rate – MultiPlug / Qudamah / Badur

Hello! I was playing around and testing some downloads when I found a file digitally signed by Rubin Sister.

Rubin Sister publisher

If you have a Rubin Sister file on your computer you may have noticed that Rubin Sister pops up as the publisher in the User Account Control dialog when running the file. The certificate is issued by Certum Code Signing CA.

Rubin Sister certificate

A variant of Win32/Adware.MultiPlug.JZ, Riskware/Badur, Trojan.Win32.Qudamah.Gen.7 and suspected of Heur.Malware-Cryptor.Multiplug are some detection names according to VirusTotal:

Rubin Sister anti-virus report

Did you also find a Rubin Sister file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thanks for reading.

66.249.64.117 – You Got A Visit From GoogleBot

Was troubleshooting some heavy usage on the web site this morning and noticed a huge number of connections from 66.249.64.117 in the Apache HTTP access.log. If you also see connections from 66.249.64.117 in your HTTP log, you most likely had a visit from Googlebot, which identifies itself with “Googlebot/2.1” in its User-Agent string. Keep in mind that the User-Agent string is set by the client and can be faked by anyone. Google’s documented way to confirm a crawler is to do a reverse DNS lookup on the IP address (a real Googlebot resolves to a host name under googlebot.com or google.com) and then check that the name resolves forward to the same IP address.

66.249.64.117 Googlebot

If you’d like to get more details about the connections from 66.249.64.117 and have shell access to your Apache HTTP log, run the following command:

grep '^66\.249\.64\.117 ' access.log

and you’ll see every request from that address with its access time, request line and User-Agent data. The dots are escaped and the pattern is anchored to the start of the line on purpose: in a regular expression an unescaped dot matches any character, so a plain grep 66.249.64.117 would also match other addresses, for example 166.249.64.117.
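As an added example that is not part of the original post, here is a Python script that does the same as the grep above but also applies the reverse-DNS check described earlier. The log lines are constructed in Apache “combined” format, and the DNS answers are faked in-script so it runs offline; swap in the real socket-based resolvers (defined in the script) to check a live log.

```python
import re
import socket
from collections import Counter

# Constructed sample lines in Apache "combined" log format (not taken from the post).
# 198.51.100.23 claims to be Googlebot in its User-Agent but is not a Google address.
SAMPLE_LOG = """\
66.249.64.117 - - [14/May/2015:09:12:01 +0200] "GET /blog/ HTTP/1.1" 200 18234 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.64.117 - - [14/May/2015:09:12:03 +0200] "GET /blog/page/2/ HTTP/1.1" 200 17102 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.23 - - [14/May/2015:09:13:10 +0200] "GET /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.23 - - [14/May/2015:09:13:11 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.9 - - [14/May/2015:09:14:00 +0200] "GET /index.php HTTP/1.1" 200 5120 "http://example.org/" "Mozilla/5.0 (Windows NT 6.1; rv:37.0) Gecko/20100101 Firefox/37.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]

def hits_for_ip(entries, ip):
    """Exact match on the client address (no regex, so dots cannot match other characters)."""
    return [e for e in entries if e["ip"] == ip]

def claims_googlebot(entry):
    return "Googlebot" in entry["ua"]

def reverse_dns(ip):
    """Real PTR lookup (network)."""
    return socket.gethostbyaddr(ip)[0]

def forward_dns(host):
    """Real A-record lookup (network); returns the list of addresses."""
    return socket.gethostbyname_ex(host)[2]

def is_verified_googlebot(ip, reverse_lookup=reverse_dns, forward_lookup=forward_dns):
    """Google's documented crawler check: the PTR name must end in googlebot.com or
    google.com, and that name must resolve forward to the same IP address."""
    try:
        host = reverse_lookup(ip).rstrip(".").lower()
        if not host.endswith((".googlebot.com", ".google.com")):
            return False            # includes look-alikes such as fake-googlebot.com
        return ip in forward_lookup(host)
    except OSError:                 # no PTR record, NXDOMAIN, resolver failure
        return False

def classify_crawlers(entries, reverse_lookup=reverse_dns, forward_lookup=forward_dns):
    """For every IP whose User-Agent claims Googlebot: {ip: (hit_count, verified)}."""
    counts = Counter(e["ip"] for e in entries if claims_googlebot(e))
    return {ip: (n, is_verified_googlebot(ip, reverse_lookup, forward_lookup))
            for ip, n in counts.items()}

# Constructed DNS answers so the example runs offline (assumed values, not live lookups).
FAKE_PTR = {"66.249.64.117": "crawl-66-249-64-117.googlebot.com.",
            "198.51.100.23": "host-23.fake-googlebot.com."}
FAKE_A = {"crawl-66-249-64-117.googlebot.com": ["66.249.64.117"],
          "host-23.fake-googlebot.com": ["198.51.100.23"]}

def fake_reverse(ip):
    if ip not in FAKE_PTR:
        raise OSError("no PTR record")
    return FAKE_PTR[ip]

def fake_forward(host):
    if host not in FAKE_A:
        raise OSError("NXDOMAIN")
    return FAKE_A[host]

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for ip, (hits, ok) in classify_crawlers(entries, fake_reverse, fake_forward).items():
        print(f"{ip}: {hits} requests claiming Googlebot, verified={ok}")
```

The second address in the sample passes the User-Agent check and even has a PTR record that contains “googlebot.com”, but fails because the suffix match requires a dot before googlebot.com; that is the case the forward/reverse check exists for.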

Remove PriceMinus – “Ads by PriceMinus” Removal

Welcome! Just a quick post on the PriceMinus adware. PriceMinus seems to be a variant of SalePlus that I blogged about some time ago. If PriceMinus is running on your computer, you will notice ads labeled “Ads by PriceMinus” inserted into Google search results and on other web sites.

Ads by PriceMinus on web site Ads by PriceMinus on Google

You will also see new add-ons installed into Firefox and Internet Explorer. In my case, it was called PriceMinus 2.0.

PriceMinus 2.0 Firefox add-on

In my specific case, the installer file was digitally signed by Rodion Veresev. I’ve also seen Saul Perec signing PriceMinus installer files.

I’ll show how to remove PriceMinus in this blog post with the FreeFixer removal tool.

PriceMinus is bundled in other software’s installers. Here’s how it appeared in the installer:

PriceMinus installer

Generally, you can avoid bundled software such as PriceMinus by being careful when installing software and declining the bundled offers in the installer.

Here’s a screenshot of the adware’s web site, priceminus.info:

priceminus.info web site

Another program, called BestAdBlocker was also bundled side by side with PriceMinus. You probably want to remove BestAdBlocker too.

When I run into some new bundled software I always upload it to VirusTotal to see if the anti-malware programs there detect something suspicious. 36 of the 56 scanners detected the file. ClamAV classifies PriceMinus as Win.Trojan.Multiplug-3213, F-Secure calls it Gen:Variant.Application.Zusy, GData detects it as Gen:Variant.Application.Zusy.139555, Malwarebytes calls it PUP.Optional.MultiPlug.A and TrendMicro reports TROJ_GEN.R08NC0EE515.

PriceMinus anti-virus report

All you need to do to remove PriceMinus is to check the PriceMinus files in the scan result and click the Fix button. You may have to restart your machine to complete the removal. Just select the PriceMinus files as shown in the screenshots below.

PriceMinus remove ie PriceMinus remove firefox

Hope this helped you remove the PriceMinus adware.

Do you also have PriceMinus on your computer? Any idea how it was installed? Please let me and the readers know by posting a comment. Thank you!

Thanks for reading. Welcome back!

Remove tr553.com from Firefox, Chrome and Internet Explorer

This page shows how to remove tr553.com from Mozilla Firefox, Google Chrome and Internet Explorer.

Did you just see tr553.com in the status bar of your browser and wonder where it came from? Or did tr553.com show up while you searched for something on one of the major search engines, such as the Google.com search engine?

Here’s how the tr553.com status bar message looked like when I got it on my system:

tr553.com status bar

Here are some of the status bar notifications you may see in your browser’s status bar:

  • Waiting for tr553.com…
  • Transferring data from tr553.com…
  • Looking up tr553.com…
  • Read tr553.com
  • Connected to tr553.com…

If this sounds like what you see on your machine, you probably have some potentially unwanted program installed on your computer that makes the tr553.com domain appear in your browser. Don’t flame the people who own the site you were at when you first spotted tr553.com in the status bar. They are probably not responsible; the requests come from the potentially unwanted program that’s installed on your computer. I’ll try to help you with the tr553.com removal in this blog post.

I found tr553.com on one of the lab computers where I have some potentially unwanted programs running. I’ve talked about this in some of the previous blog posts. The potentially unwanted programs were installed on purpose, and from time to time I check if something new has appeared, such as pop-up windows, new tabs in the browsers, injected ads on sites that usually don’t show advertisements, or new files that have been saved to the hard drive.

tr553.com resolves to the 8.19.136.101 IP address. tr553.com was registered on 2014-08-25.

So, how do you remove tr553.com from your web browser? On the machine where tr553.com showed up in the status bar I had NetMon and Jelbrus Secure Web installed. I removed them with FreeFixer and that stopped the browser from loading data from tr553.com.

The tr553.com domain is attracting quite a lot of traffic, just check out the Alexa traffic rank:

tr553.com traffic rank

The issue with status bar notifications like this one is that it can be caused by many variants of potentially unwanted programs. This makes it impossible to say exactly what you need to remove to stop the status bar messages.

To remove tr553.com you need to examine your system for potentially unwanted programs and uninstall them. Here’s my suggested removal procedure:

The first thing I would do to remove tr553.com is to examine the programs installed on the machine, by opening the “Uninstall programs” dialog. You can reach this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows you can just type “uninstall” in the Control Panel’s search field to find that dialog:
Uninstall a program search

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Uninstall a program dialog

Do you see something strange-looking listed there or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if something was installed about the same time as you started observing the tr553.com status bar messages.

Then you can examine your browser add-ons. Potentially unwanted programs often show up under the add-ons menu in Google Chrome, Mozilla Firefox, Internet Explorer or Safari. Is there anything that looks suspicious? Something that you don’t remember installing?
Firefox add-ons manager

I think most users will be able to track down and remove the potentially unwanted program with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the potentially unwanted program. FreeFixer is a freeware tool that I started developing about 8 years ago. It’s a tool designed to manually track down and remove unwanted software. When you’ve tracked down the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.

FreeFixer’s removal feature is not locked down like many other removal tools out there. It will not require you to purchase the program just when you are about to remove the unwanted files.

And if you’re having issues deciding if a file is clean or potentially unwanted in FreeFixer’s scan report, click on the More Info link for the file. That will open up a web page which contains additional information about the file. On that web page, check out the VirusTotal report which can be quite useful:

FreeFixer More Info link example
An example of FreeFixer’s “More Info” links. Click for full size.

Did you find any potentially unwanted program on your machine? Did that stop tr553.com? Please post the name of the potentially unwanted program you uninstalled from your machine in the comment below.

Thank you!

Remove stamplive.com Pop Ups from Firefox, Chrome and Internet Explorer

Did you just get a pop-up from stamplive.com and ask yourself where it came from? Did the stamplive.com ad appear to have been launched from a web site that under normal circumstances doesn’t use advertising such as pop-up windows? Or did the stamplive.com pop-up show up when you clicked a link on one of the major search engines, such as Google, Bing or Yahoo?

Here’s a screenshot of the stamplive.com pop-up ad when it showed up on my machine:

stamplive.com pop up

After a while I was redirected to 590.xyz.

If you also see this on your computer, you almost certainly have some adware installed on your computer that pops up the stamplive.com ads. There’s no use contacting the owners of the web site you were browsing. The ads are not coming from them. I’ll try to help you remove the stamplive.com pop-ups in this blog post.

For those that are new to the blog: A little while back I dedicated a few of my lab computers and deliberately installed a few adware programs on them. I’ve been observing the activity on these computers to see what kinds of adverts are displayed. I’m also looking at other interesting things, such as whether the adware updates itself, or whether it downloads and installs additional unwanted software on the systems. I first noticed the stamplive.com pop-up on one of these lab computers.

stamplive.com was created on 2014-12-01. stamplive.com resolves to the 78.140.181.183 IP address.

So, how do you remove the stamplive.com pop-up ads? On the machine where I got the stamplive.com ads I had istartsurf, MedPlayerNewVersion and Movie Wizard installed. I removed them with FreeFixer and that stopped the stamplive.com pop-ups and all the other ads I was getting in Mozilla Firefox.

Judging from Alexa’s traffic rank, stamplive.com is getting quite a lot of traffic:

stamplive.com traffic rank

The issue with pop-ups such as this one is that it can be initiated by many variants of adware, not just the adware running on my computer. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

Anyway, here’s my suggestion for the stamplive.com ads removal:

The first thing I would do to remove the stamplive.com pop-ups is to examine the programs installed on the machine, by opening the “Uninstall programs” dialog. You can reach this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows you can just type in “uninstall” in the Control Panel’s search field to find that dialog:
Uninstall a program search

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Uninstall a program dialog

Do you see something suspicious listed there or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if some program was installed about the same time as you started observing the stamplive.com pop-ups.

Then you can examine your browser add-ons. Adware often appears under the add-ons dialog in Google Chrome, Mozilla Firefox, Internet Explorer or Safari. Is there something that looks suspicious? Anything that you don’t remember installing?
Firefox add-ons manager

I think you will be able to identify and uninstall the adware with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the adware. FreeFixer is a freeware tool that I started developing about 8 years ago. It’s a tool designed to manually find and uninstall unwanted software. When you’ve tracked down the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.

FreeFixer’s removal feature is not crippled like many other removal tools out there. It won’t require you to pay for the program just when you are about to remove the unwanted files.

And if you’re having issues figuring out if a file is clean or adware in FreeFixer’s scan report, click on the More Info link for the file. That will open up your browser with a page which contains more information about the file. On that web page, check out the VirusTotal report which can be quite useful:

FreeFixer More Info link example
An example of FreeFixer’s “More Info” links. Click for full size.

Here you can see FreeFixer in action removing pop-up ads:

Did you find any adware on your machine? Did that stop the stamplive.com ads? Please post the name of the adware you uninstalled from your machine in the comment below.

Thank you!

VerifiedInstallation – 11% Detection Rate – AdGazelle

Hello! If you are a regular here on the FreeFixer blog you know that I’ve been looking at the certificates used to sign files that bundle various types of unwanted software. Today I found another certificate, used by a publisher called VerifiedInstallation.

So, what do the anti-virus programs say about the VerifiedInstallation file? No problem, I just uploaded the file to VirusTotal and it turned out that some of the anti-virus programs detect the VerifiedInstallation file, with names such as AdGazelle.246, Adware.Downware.11074, a variant of Win32/AdGazelle.J potentially unwanted and AdGazelle (fs).

VerifiedInstallation anti-virus report

Did you also find a VerifiedInstallation file? Do you remember where you downloaded it? Was your file also detected at VirusTotal?

Thanks for reading.