Hello readers! Just a quick post on a publisher called OOO DIGITAL VEI that I found while running some tests for the upcoming FreeFixer release. The suspicious file is named adobe_flash_player.exe.
Viewing the certificate information is also possible by looking under the digital signature tab for the file. Here the certificate says that OOO DIGITAL VEI is located in Moscow, Russa.
And USERTrust and Comodo is upwards in the certificate chain:
What caught my attention was that the download was called adobe_flash_player.exe. This might look like an official Adobe Flash Player download, but it is not. If it was an official download, it should be digitally signed by Adobe Systems Incorporated. Here’s how the authentic Adobe Flash Player looks like when you double click on it. Notice that the “Verified publisher” says “Adobe Systems Incorporated”.
The problem with the OOO DIGITAL VEI file is that it is detected by many of the antivirus software. Here are some of the detection names: W32.HfsAdware.90CE, PUP.Optional.Bundle and InstallCore (fs).
Did you also find a OOO DIGITAL VEI download? What kind of download was it?
Did you just get interrupted by a pop-up ad from lp.freegameszonetab.com? You are not alone. I also get the lp.freegameszonetab.com pop-ups while browsing. Do the popups also bypass the pop-up blocker in Chrome, Firefox, Internet Explorer or Safari. Then read on…
Here’s how the lp.freegameszonetab.com pop-up looked like when I got it on my machine:
Does this sound like what you see your computer, you most likely have some adware installed on your machine that pops up the lp.freegameszonetab.com ads. Don’t blame the people that runs the web site you were at, the ads are most likely not coming from that web site, but from the adware that’s running on your computer. I’ll try help you to remove the lp.freegameszonetab.com pop-ups in this blog post.
Those that have been following this blog already know this, but here we go: Some time ago I dedicated some of my lab computers and intentionally installed some adware programs on them. I have been observing the actions on these machines to see what kinds of adverts that are displayed. I’m also looking on other interesting things such as if the adware auto-updates, or if it downloads additional unwanted software on the machines. I first observed the lp.freegameszonetab.com pop-up on one of these lab computers.
lp.freegameszonetab.com was created on 2014-10-02. lp.freegameszonetab.com resolves to the 94.31.0.55 IP address and so does.
So, how do you remove the lp.freegameszonetab.com pop-up ads? On the machine where I got the lp.freegameszonetab.com ads I had PriceFountain, PineTree, GamesDesktop and CheckMeUp installed. I removed them with FreeFixer and that stopped the lp.freegameszonetab.com pop-ups and all the other ads I was getting in Mozilla Firefox.
If you are wonder if there are many others out there also getting the lp.freegameszonetab.com ads, the answer is probably yes. Check out the traffic rank from Alexa:
The bad news with pop-ups such as this one is that it can be initiated by many variants of adware, not just the adware running on my machine. This makes it impossible to say exactly what you need to remove to stop the pop-ups.
So, what should done to solve the problem? To remove the lp.freegameszonetab.com pop-up ads you need to check your computer for adware or other types of unwanted software and uninstall it. Here’s my suggested removal procedure:
The first thing I would do to remove the lp.freegameszonetab.com pop-ups is to examine the software installed on the machine, by opening the “Uninstall programs” dialog. You can reach this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows you can just type in “uninstall” in the Control Panel’s search field to find that dialog:
Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Do you see something dubious in there or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if something was installed approximately about the same time as you started getting the lp.freegameszonetab.com pop-ups.
The next thing to check would be your browser’s add-ons. Adware often appear under the add-ons menu in Chrome, Firefox, Internet Explorer or Safari. Is there anything that looks suspicious? Anything that you don’t remember installing?
I think you will be able to find and uninstall the adware with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the adware. FreeFixer is a freeware tool that I started develop many years ago. Freefixer is a tool built to manually identify and uninstall unwanted software. When you’ve found the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.
FreeFixer’s removal feature is not crippled like many other removal tools out there. It will not require you to pay a fee just when you are about to remove the unwanted files.
And if you’re having issues figuring out if a file is clean or adware in the FreeFixer scan result, click on the More Info link for the file. That will open up your browser with a page which contains more details about the file. On that web page, check out the VirusTotal report which can be very useful:
An example of FreeFixer’s “More Info” links. Click for full size.
Here’s a video tutorial showing FreeFixer in action removing pop-up ads:
Did this blog post help you to remove the lp.freegameszonetab.com pop-up ads? Please let me know or how I can improve this blog post.
Hello! If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. Today I found another publisher called LLC “SOFT TRADE LTD”.
Typically you’d see the LLC “SOFT TRADE LTD” publisher name appear when double-clicking on the FlashPlayer__6741_i1609075630_il45347.exe file: It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the LLC “SOFT TRADE LTD” certificate.
The company is located in Ukraine says the certificate. UserTrust and Comodo is found in the certificate chain:
What caught my attention was that the download was called FlashPlayer__6741_i1609075630_il45347.exe. This might look like an official Adobe Flash Player download, but it is not. If it was an official download, it should be digitally signed by Adobe Systems Incorporated. Here’s how the authentic Adobe Flash Player looks like when you double click on it. Notice that the “Verified publisher” says “Adobe Systems Incorporated”.
Here’s how the LLC “SOFT TRADE LTD” installer looks like:
ADWARE/Amonetize.Gen and a variant of Win32/Amonetize.HN potentially unwanted are some detection names according to VirusTotal:
Did you also find a LLC “SOFT TRADE LTD” file? What kind of download was it? If you remember the download link, please post it in the comments below.
Hello! Short on time today, but I just wanted to give you the heads up on a publisher called Sambamedia LLC.
Windows will display Sambamedia LLC as the publisher when running the file. It’s possible to view additional information about the certificate by right-clicking on the file, choosing properties and then clicking on the Digital Signatures tab. According to the certificate we can see that Sambamedia LLC is located in Wilmington, Delaware in US and that the certificate is issued by VeriSign Class 3 Code Signing 2010 CA.
The certification path, which shows VeriSign at the root:
The issue here is that if google_chrome.exe really was a setup file for Google Chrome, it should have been digitally signed by Google Inc. and not by some unknown company. I think this looks suspicious. Here’s how the authentic Google Chrome looks like when you double click on it. Notice that the “Verified publisher” says “Google Inc”.
The issue with the Sambamedia LLC file is that it is detected by many of the anti-malware progams. Here are some of the detection names: Riskware.Agent!, PUA/SoftPulse.oanu, W32.HfsAdware.7208, Trojan.Domaiq.302, Gen:Variant.Mikey.22953 (B), a variant of Win32/SoftPulse.AJ potentially unwanted and Gen:Variant.Mikey.22953.
Did you also find a Sambamedia LLC file? What kind of download was it? If you remember the download link, please post it in the comments below.
This page shows how to remove pesquisa.ninja from Mozilla Firefox, Google Chrome and Internet Explorer.
Did you just see pesquisa.ninja in the status bar of your browser and ask yourself where it came from? Or did pesquisa.ninja show up while you searched for something on one of the major search engines, such as the Google.com search engine?
(Sorry for the watermarks. Need to add them to prevent the most blatant attempts of other bloggers using my screenshots without attribution)
In my case, pesquisa.ninjam showed up in the status bar while I was doing a search at Google.
The following are some of the status bar messages you may see in your browser’s status bar:
Waiting for pesquisa.ninja…
Transferring data from pesquisa.ninja…
Looking up pesquisa.ninja…
Read pesquisa.ninja
Connected to pesquisa.ninja…
Does this sound like your experience, you probably have some potentially unwanted program installed on your system that makes the pesquisa.ninja domain appear in your web browser. Contacting the owner for the site you were at would be a waste of time. The pesquisa.ninja status bar messages are not coming from them. I’ll try help you to remove the pesquisa.ninja status bar messages in this blog post.
Those that have been following this blog already know this, but here we go: A little while back I dedicated some of my lab systems and deliberately installed some potentially unwanted programs on them. I have been observing the behaviour on these computers to see what kinds of advertisements, if any, that are displayed. I’m also looking on other interesting things such as if the potentially unwanted program updates itself, or if it downloads and installs additional software on the systems. I first noticed pesquisa.ninja in Mozilla Firefox’s status bar on one of these lab computers.
pesquisa.ninja resolves to the 89.30.141.30 address. pesquisa.ninja was registered on 2014-09-22.
According to DomainTools and YouGetSignal’s reverse lookup, the following domains also resolve to the same IP address:
bogots.com
dounty.com
pesquisa.ninja
pesquisa.gratis
vancouver.craigslist.ca
www.safesearch.co
zwiiky.com
So, how do you remove pesquisa.ninja from your browser? On the machine where pesquisa.ninja showed up in the status bar I had WNet, CashReminder, ActSys and Plain Savings installed. I removed them with FreeFixer and that stopped the browser from loading data from pesquisa.ninja.
Judging from Alexa’s traffic rank, pesquisa.ninja is getting quite a lot of traffic:
The bad news with status bar notifications such as this one is that it can be caused by many variants of potentially unwanted programs, not just the potentially unwanted program that’s installed on my system. This makes it impossible to say exactly what you need to remove to stop the statusbar messages.
Anyway, here’s my suggestion for the pesquisa.ninja removal:
What software do you have installed if you look in the Add/Remove programs dialog in the Windows Control Panel? Something that you don’t remember installing yourself or that was recently installed?
You can also check the web browser add-ons. Same thing here, do you see something that you don’t remember installing?
If that did not help, I’d recommend a scan with FreeFixer to manually track down the potentially unwanted program. FreeFixer is a freeware tool that I’m working on that scans your computer at lots of locations, such as browser add-ons, processes, Windows services, recently modified files, etc. If you want to get additional details about a file in the scan result, you can click the More Info link for that file and a web page will open up with a VirusTotal report which will be very useful to determine if the file is safe or malware:
An example of FreeFixer’s “More Info” links. Click for full size.
Did you find any potentially unwanted program on your machine? Did that stop pesquisa.ninja? Please post the name of the potentially unwanted program you uninstalled from your machine in the comment below.
Welcome! If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. Today I found another publisher called Gencolabs LLC.
The following screenshot shows the User Account Control dialog when running the Gencolabs LLC file:
Viewing the certificate information is also possible by looking under the digital signature tab for the file. Here the certificate says that Gencolabs LLC is located in Lewes in Delaware, US. Comodo has issued the certificate:
30% of the scanners detected the file. Avast detects breaking-bad-1-2-3-4-e-5-temporada-torrent-bdrip-bluray-720p-dual-udio.exe as NSIS:Downloader-ACE [PUP], NANO-Antivirus classifies it as Trojan.Nsis.Fraudster.dsyctt and Sophos classifies it as AdLoad (PUA).
Did you also find a Gencolabs LLC download? What kind of download was it?
Hope this blog post helped you avoid some unwanted software on your machine.
Did you just get a pop-up from surveysforconsumers.com and wonder where it came from? Did the surveysforconsumers.com ad appear to have been popped up from a web site that under normal circumstances don’t use advertising such as pop-up windows? Or did the surveysforconsumers.com pop-up show up while you clicked a link on one of the major search engines, such as Google, Bing or Yahoo?
Here is a screenshot on the surveysforconsumers.com pop-up from my system:
(I’m sorry for the many watermarks. If I don’t add them, the screenshot always show up at some copy-cat blogs.)
If this sounds like what you are seeing on your system, you most likely have some adware installed on your computer that pops up the surveysforconsumers.com ads. So don’t flame the people that owns the website you were at, the ads are most likely not coming from that website, but from the adware that’s installed on your system. I’ll do my best to help you remove the surveysforconsumers.com pop-up in this blog post.
I found the surveysforconsumers.com pop-up on one of the lab systems where I have some adware running. I’ve talked about this in some of the previous blog posts. The adware was installed on purpose, and from time to time I check if something new has appeared, such as pop-up windows, new tabs in the browsers, injected ads on site that usually don’t show ads, or if some new files have been saved to the hard-drive.
surveysforconsumers.com was created on 2015-05-06. surveysforconsumers.com resolves to 162.159.241.141. According to YouGetSignal’s reverse lookup service, the following domains are located on the same server:
123-videos.fr
bayarea.yurisnight.net
buckhamduffy.com
chinammm.net
guvengroup.com.tr
mobilyukle.com.tr
nuagra.com
onroaders.com
restaurantsbrighton.co.uk
studentlaunchpad.com
surveysforconsumers.com
t1l1.org
tribundergi.com
www.automaticcorporation.com
www.digiscore.com.au
www.drinksmixer.com
www.lovejoyhospice.org
www.motorbikesandparts.co.uk
www.senatoronline.org.au
www.swesspharma.com
zoywiki.com
So, how do you remove the surveysforconsumers.com pop-up ads? On the machine where I got the surveysforconsumers.com ads I had istartsurf, MedPlayerNewVersion and Movie Wizard installed. I removed them with FreeFixer and that stopped the surveysforconsumers.com pop-ups and all the other ads I was getting in Mozilla Firefox.
If you are wonder if there are many others out there also getting the surveysforconsumers.com ads, the answer is probably yes. Check out the traffic rank from Alexa:
The bad news with pop-ups like the one described in this blog post is that it can be launched by many variants of adware, not just the adware that’s installed on my system. This makes it impossible to say exactly what you need to remove to stop the pop-ups.
To remove the surveysforconsumers.com pop up ads you need to examine your computer for adware or other types of unwanted software and uninstall it. Here’s my suggested removal procedure:
The first thing I would do to remove the surveysforconsumers.com pop-ups is to examine the software installed on the machine, by opening the “Uninstall programs” dialog. You can find this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows you can just type in “uninstall” in the Control Panel’s search field to find that dialog:
Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Do you see something strange-looking listed there or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if some program was installed approximately about the same time as you started getting the surveysforconsumers.com pop-ups.
Then I would check the browser add-ons. Adware often show up under the add-ons menu in Google Chrome, Mozilla Firefox, Internet Explorer, Safari or Opera. Is there something that looks suspicious? Anything that you don’t remember installing?
I think you will be able to identify and remove the adware with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the adware. FreeFixer is a freeware tool that I’ve developed since 2006. Freefixer is a tool built to manually identify and remove unwanted software. When you’ve identified the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.
FreeFixer’s removal feature is not crippled like many other removal tools out there. It won’t require you to pay a fee just when you are about to remove the unwanted files.
And if you’re having a hard time figuring out if a file is legitimate or unsafe in the FreeFixer scan report, click on the More Info link for the file. That will open up your web browser with a page which contains more information about the file. On that web page, check out the VirusTotal report which can be quite useful:
An example of FreeFixer’s “More Info” links. Click for full size.
Here’s a video tutorial which shows FreeFixer in action removing adware that caused pop-up ads:
Did this blog post help you to remove the surveysforconsumers.com pop-up ads? Please let me know or how I can improve this blog post.
Does this sound like what you are seeing right now? You see pop-up ads from s.rev2pub.com while browsing sites that normally don’t advertise in pop-up windows. The pop-ups manage to sidestep the built-in pop-up blockers in Mozilla Firefox, Google Chrome, Internet Explorer or Safari. Maybe the s.rev2pub.com pop-ups appear when clicking search results from Google? Or does the pop-ups appear even when you’re not browsing?
Here’s a screen capture of the s.rev2pub.com pop-up ad when it showed up on my machine in a new tab:
(Sorry for the ridiculous use of watermarks. I have to do it to stop the copy-cats.)
If you also see this on your system, you presumably have some adware installed on your computer that pops up the s.rev2pub.com ads. So there’s no idea contacting the owner of the site you currently were browsing. The ads are not coming from them. I’ll do my best to help you remove the s.rev2pub.com pop-up in this blog post.
I found the s.rev2pub.com pop-up on one of the lab computers where I have some adware running. I’ve talked about this in some of the previous blog posts. The adware was installed on purpose, and from time to time I check if anything new has appeared, such as pop-up windows, new tabs in the browsers, injected ads on web site that usually don’t show ads, or if some new files have been saved to the hard-drive.
s.rev2pub.com resolves to the 146.148.88.12 address and rev2pub.com to 184.72.246.247. s.rev2pub.com was registered on 2013-11-27.
So, how do you remove the s.rev2pub.com pop-up ads? On the machine where I got the s.rev2pub.com ads I had istartsurf, MedPlayerNewVersion and Movie Wizard installed. I removed them with FreeFixer and that stopped the s.rev2pub.com pop-ups and all the other ads I was getting in Mozilla Firefox.
The s.rev2pub.com domain is attracting quite a lot of traffic, just check out the Alexa traffic rank:
The issue with pop-ups such as this one is that it can be popped up by many variants of adware, not just the adware running on my machine. This makes it impossible to say exactly what you need to remove to stop the pop-ups.
So, what can be done to solve the problem? To remove the s.rev2pub.com pop-up ads you need to review your computer for adware or other types of unwanted software and uninstall it. Here’s my suggested removal procedure:
Review what programs you have installed in the Add/Remove programs dialog in the Windows Control Panel. Do you see anything that you don’t remember installing or that was recently installed?
How about your browser add-ons. Anything in the list that you don’t remember installing?
If that didn’t solve the problem, I’d recommend a scan with FreeFixer to manually track down the adware. FreeFixer is a freeware tool that I’m working on that scans your computer at lots of locations, such as browser add-ons, processes, Windows services, recently modified files, etc. If you want to get additional details about a file in the scan result, you can click the More Info link for that file and a web page will open up with a VirusTotal report which will be very useful to determine if the file is safe or malware:
An example of FreeFixer’s “More Info” links. Click for full size.
Here you can see FreeFixer in action removing the adware that caused pop-up ads:
Did you find any adware on your machine? Did that stop the s.rev2pub.com ads? Please post the name of the adware you uninstalled from your machine in the comment below.
Hello! Just wanted to give you heads-up on suspicious file I found right now. The file is named vlc-media-player.exe and digitally signed by Social Voicing Solutions.
If you have a Social Voicing Solutions file on your machine you may have noticed that Social Voicing Solutions is displayed as the publisher in the UAC dialog when double-clicking on the file. Viewing the certificate information is also possible by looking under the digital signature tab for the file. Here the certificate says that Social Voicing Solutions is located in San Fransisco in California, US.
VeriSign has issued the certificate:
Gen:Variant.Application.Jaik, PUP.Optional.DownloadAdmin, DownloadAdmin and Trj/Genetic.gen are some detection names according to VirusTotal:
Did you also find a file digitally signed by Social Voicing Solutions? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.
Welcome! Just wanted to give you the heads up on a file called “additionaloffers-setup[1].exe” that’s digitally signed by TEA TIME BISCUITS.
I found this file on my lab machine after trying out a download from CNet’s Download.com site.
You can view the certificate shown above by right-clicking on the file, choosing properties and then clicking on the Digital Signatures tab. According to the embedded certificate we can see that TEA TIME BISCUITS seems to be located in San Fransisco, California, US and that the certificate is issued by VeriSign Class 3 Code Signing 2010 CA.
So, what the issue with the TEA TIME BISCUITS file? Just check out detection list by some of the anti-virus program:
F-Secure reports additionaloffers-setup[1].exe as Gen:Variant.Application.Jaik, GData detects it as Gen:Variant.Application.Jaik.8223 and Malwarebytes calls it PUP.Optional.DownloadAdmin.
Did you also find a TEA TIME BISCUITS file? Do you remember where you downloaded it?
