Monthly Archives: September 2015

Arkhigrad Proekt, TOV – 9% Detection Rate

Hello readers! Just wanted to give you the heads up on a publisher called Arkhigrad Proekt, TOV. Here is how Arkhigrad Proekt, TOV appears in the UAC dialog when double-clicking on the Download__15022_i1683705761_il3.exe file:

Arkhigrad Proekt, TOV publisher

You can also view the certificate by right-clicking on the file and looking under the Digital Signature tab. According to the embedded certificate, Arkhigrad Proekt, TOV is located in Simferopol, Ukraine/Russia, and the certificate is issued by COMODO RSA Code Signing CA.

Arkhigrad Proekt, TOV certificate

Generic.3ED, ADWARE/Amonetize.Gen and PUP.Optional.Amonetize are some detection names according to VirusTotal:

Arkhigrad Proekt, TOV anti-virus report

Did you also find a file digitally signed by Arkhigrad Proekt, TOV? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Thank you for reading.

Registry Reviver (RegistryReviver.exe) Bundled With Software Downloads

Just a short note on a piece of software called Registry Reviver:

Registry Reviver

If this showed up unexpectedly on your machine, or you noticed a new process called RegistryReviver.exe in the Task Manager, it may have been bundled with a software download. I found Registry Reviver in a film-clip downloader installation package:

registry reviver bundled

I uploaded the RegistryReviver.exe file to VirusTotal, and 2 of the 56 scanners detected the file:

RegistryReviver.exe anti-virus report

In FreeFixer, the registryreviver.exe file shows up as listed in green since Corel Corporation, the company that digitally signed the file, is tagged as trusted.

Should I reconsider?

Remove adnetworkperformance.com Pop Up Ads

Did you just get a pop-up from adnetworkperformance.com and wonder where it came from? Did the adnetworkperformance.com ad appear to have been launched from a web site that under normal circumstances doesn’t use advertising such as pop-up windows? Or did the adnetworkperformance.com pop-up show up while you clicked a link on one of the big search engines, such as Google, Bing or Yahoo?

Here’s what the adnetworkperformance.com pop-up looked like when I got it on my computer:

adnetworkperformance.com pop up

(Sorry for the watermarks. Need to add them to prevent the most blatant attempts of other bloggers using my screenshots without attribution)

I’m not sure I remember this correctly, but I think I noticed reduxmediia.com in the address bar before adnetworkperformance.com loaded.

If this sounds like what you see on your computer, you most likely have some adware installed that pops up the adnetworkperformance.com ads. So there’s no use contacting the site owner. The ads are not coming from them. I’ll do my best to help you with the adnetworkperformance.com removal in this blog post.

I found the adnetworkperformance.com pop-up on one of the lab machines where I have some adware running. I’ve talked about this in some of the previous blog posts. The adware was installed on purpose, and from time to time I check if something new has appeared, such as pop-up windows, new tabs in the browsers, injected ads on sites that usually don’t show advertisements, or if some new files have been saved to the hard-drive.

adnetworkperformance.com was created on 2015-04-27. adnetworkperformance.com resolves to 130.211.186.109. The domain is protected by Domains By Proxy, LLC.

So, how do you remove the adnetworkperformance.com pop-up ads? On the machine where I got the adnetworkperformance.com ads I had Windows Menager, SmartComp Safe Network, gosearch.me and Live Malware Protection installed. I removed them with FreeFixer and that stopped the adnetworkperformance.com pop-ups and all the other ads I was getting in Mozilla Firefox.

If you are wondering whether there are many others out there also getting the adnetworkperformance.com ads, the answer is probably yes. Check out the traffic rank from Alexa:

adnetworkperformance.com

Rank 222 means the adnetworkperformance.com web site is getting a crazy amount of traffic.

The issue with pop-ups such as this one is that it can be initiated by many variants of adware, not just the adware that’s installed on my machine. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

So, what can be done? To remove the adnetworkperformance.com pop-up ads you need to examine your system for adware or other types of unwanted software and uninstall it. Here’s my suggested removal procedure:

The first thing I would do to remove the adnetworkperformance.com pop-ups is to examine the software installed on the machine, by opening the “Uninstall programs” dialog. You can reach this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows you can just type in “uninstall” in the Control Panel’s search field to find that dialog:
Uninstall a program search

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Uninstall a program dialog

Do you see something strange-looking listed there or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if some program was installed about the same time as you started seeing the adnetworkperformance.com pop-ups.

Then you can examine your browser add-ons. Adware often appears under the add-ons menu in Chrome, Firefox, Internet Explorer or Safari. Is there anything that looks suspicious? Something that you don’t remember installing?
Firefox add-ons manager

I think you will be able to find and uninstall the adware with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the adware. FreeFixer is a freeware tool that I started developing about 8 years ago. It’s a tool designed to manually find and uninstall unwanted software. When you’ve found the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.

FreeFixer’s removal feature is not locked like many other removal tools out there. It won’t require you to pay for the program just when you are about to remove the unwanted files.

And if you’re having difficulties figuring out if a file is clean or malware in FreeFixer’s scan result, click on the More Info link for the file. That will open up your browser with a page which contains more details about the file. On that web page, check out the VirusTotal report which can be very useful:

FreeFixer More Info link example
An example of FreeFixer’s “More Info” links.

Here’s a video tutorial on how to remove the pop-ups with FreeFixer:

Did you find any adware on your machine? Did that stop the adnetworkperformance.com ads? Please post the name of the adware you uninstalled from your machine in the comment below.

Thank you!

Remove reduxmediia.com Pop Up Ads

Having difficulties with pop-ups from reduxmediia.com? If so, you may have adware installed on your computer. I got the reduxmediia.com pop-ups in Firefox, but they can turn up if you are using Chrome, Internet Explorer, Safari or Opera too.

Here is what the reduxmediia.com ad looked like on my system:

reduxmediia.com pop up

After a while, I was redirected to another site.

If this sounds like your experience, you almost certainly have some adware installed on your computer that pops up the reduxmediia.com ads. Contacting the site owner would be a waste of time. The ads are not coming from them. I’ll try to help you remove the reduxmediia.com pop-ups in this blog post.

For those that are new to the blog: A little while back I dedicated a few of my lab computers and purposely installed some adware programs on them. Since then I’ve been observing the actions on these systems to see what kinds of advertisements are displayed. I’m also looking at other interesting things such as if the adware updates itself automatically, or if it downloads additional unwanted software on the computers. I first found the reduxmediia.com pop-up on one of these lab machines.

reduxmediia.com was created on 2012-06-21. The domain is protected by WHOIS PRIVACY PROTECTION SERVICE, INC. reduxmediia.com resolves to the 78.140.181.189 address. According to DomainTools, admngronline.com is hosted on the same server. I also noticed a few other pop-ups, such as one from app.pckeeper.com.

app.pckeeper.com pop up

So, how do you remove the reduxmediia.com pop-up ads? On the machine where I got the reduxmediia.com ads I had Windows Menager, SmartComp Safe Network, gosearch.me and Live Malware Protection installed. I removed them with FreeFixer and that stopped the reduxmediia.com pop-ups and all the other ads I was getting in Mozilla Firefox.

Judging from Alexa’s traffic rank, reduxmediia.com is getting quite a lot of traffic:

reduxmediia.com

The problem with pop-ups like this one is that it can be launched by many variants of adware. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

Anyway, here’s my suggestion for the reduxmediia.com ads removal:

The first thing I would do to remove the reduxmediia.com pop-ups is to examine the software installed on the machine, by opening the “Uninstall programs” dialog. You can find this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows you can just type in “uninstall” in the Control Panel’s search field to find that dialog:
Uninstall a program search

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Uninstall a program dialog

Do you see something dubious listed there or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if something was installed about the same time as you started observing the reduxmediia.com pop-ups.

Then you can examine your browser add-ons. Adware often appears under the add-ons menu in Chrome, Firefox, Internet Explorer or Safari. Is there anything that looks suspicious? Something that you don’t remember installing?
Firefox add-ons manager

I think you will be able to identify and uninstall the adware with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the adware. FreeFixer is a freeware tool that I started developing many years ago. FreeFixer is a tool built to manually track down and remove unwanted software. When you’ve identified the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.

FreeFixer’s removal feature is not locked down like many other removal tools out there. It won’t require you to pay a fee just when you are about to remove the unwanted files.

And if you’re having issues figuring out if a file is clean or malware in the FreeFixer scan report, click on the More Info link for the file. That will open up a web page which contains more details about the file. On that web page, check out the VirusTotal report which can be very useful:

FreeFixer More Info link example
An example of FreeFixer’s “More Info” links.

Here’s a video tutorial which shows FreeFixer in action removing adware that caused pop-up ads:

Did this blog post help you to remove the reduxmediia.com pop-up ads? Please let me know, or tell me how I can improve this blog post.

Thank you!

Remove static.planet49.com Pop Up Survey Ads

Did you just get a pop-up from static.planet49.com and wonder where it came from? Did the static.planet49.com ad appear to have been popped up from a web site that under normal circumstances doesn’t use advertising such as pop-up windows? Or did the static.planet49.com pop-up show up while you clicked a link on one of the major search engines, such as Google, Bing or Yahoo?

Here’s a screenshot of the static.planet49.com pop-up ad when it showed up on my machine:

static.planet49.com pop up

(I know, lots of watermarks. Have to do it to stop the copy-cats.) It’s a survey that claims that I could win a Volvo S60 car.

If this sounds like what you are seeing on your machine, you presumably have some adware installed on your system that pops up the static.planet49.com ads. Contacting the owner of the site would be a waste of time. They are not responsible for the ads. I’ll do my best to help you remove the static.planet49.com pop-up in this blog post.

I found the static.planet49.com pop-up on one of the lab systems where I have some adware running. I’ve talked about this in some of the previous blog posts. The adware was installed on purpose, and from time to time I check if anything new has appeared, such as pop-up windows, new tabs in the browsers, injected ads on web sites that usually don’t show ads, or if some new files have been saved to the hard-drive.

static.planet49.com was registered on 2000-08-23. se.static.planet49.com resolves to 62.24.27.100. According to YouGetSignal, there are a bunch of other domains located on the same IP.

So, how do you remove the static.planet49.com pop-up ads? On the machine where I got the static.planet49.com ads I had istartsurf, MedPlayerNewVersion and Movie Wizard installed. I removed them with FreeFixer and that stopped the static.planet49.com pop-ups and all the other ads I was getting in Mozilla Firefox.

Judging from Alexa’s traffic rank, static.planet49.com is getting quite a lot of traffic:

planet49.com traffic

The bad news with pop-ups such as this one is that it can be popped up by many variants of adware, not just the adware that’s installed on my system. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

Anyway, here’s my suggestion for the static.planet49.com ads removal:

The first thing I would do to remove the static.planet49.com pop-ups is to examine the programs installed on the machine, by opening the “Uninstall programs” dialog. You can find this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows Operating System you can just type in “uninstall” in the Control Panel’s search field to find that dialog:
Uninstall a program search

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Uninstall a program dialog

Do you see something strange-looking in there or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if something was installed about the same time as you started getting the static.planet49.com pop-ups.

The next thing to check would be your browser’s add-ons. Adware often appears under the add-ons dialog in Chrome, Firefox, Internet Explorer or Safari. Is there something that looks suspicious? Something that you don’t remember installing?
Firefox add-ons manager

I think most users will be able to find and uninstall the adware with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the adware. FreeFixer is a freeware tool that I started developing about 8 years ago. It’s a tool built to manually find and uninstall unwanted software. When you’ve found the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.

FreeFixer’s removal feature is not locked down like many other removal tools out there. It will not require you to pay for the program just when you are about to remove the unwanted files.

And if you’re having trouble figuring out if a file is safe or malware in the FreeFixer scan result, click on the More Info link for the file. That will open up a web page which contains additional details about the file. On that web page, check out the VirusTotal report which can be quite useful:

FreeFixer More Info link example
An example of FreeFixer’s “More Info” links.

Here’s a video tutorial which shows FreeFixer in action removing adware that caused pop-up ads:

Did this blog post help you to remove the static.planet49.com pop-up ads? Please let me know, or tell me how I can improve this blog post.

Thank you!

Hummingbird Limited – 26% Detection Rate At VirusTotal

Hello! Just a quick post today, since I’m busy working on the next release of FreeFixer. Did you see a file, such as vlc-media-player.exe, on your system digitally signed by Hummingbird Limited? Then read on.

Hummingbird Limited publisher

The certificate information can also be viewed from Windows Explorer. According to the embedded certificate we can see that Hummingbird Limited is located in Oakland in California, US and that the certificate is issued by VeriSign Class 3 Code Signing 2010 CA.

Hummingbird Limited cert

26% of the scanners detected the file. The vlc-media-player.exe file is detected as Trojan.Vittalia.456 by DrWeb, a variant of Win32/DownloadAdmin.N potentially unwanted by ESET-NOD32, PUP.Optional.DownLoadAdmin by Malwarebytes, DownloadAdmin by McAfee and Trojan.Win32.Generic!BT by VIPRE.

Hummingbird Limited anti-virus report

Did you also find a Hummingbird Limited file? Do you remember where you downloaded it?

Thank you for reading.

Remove lp.musicboxnewtab.com Pop Up Ads Caused By Adware

Does this sound familiar? You see pop-up ads from lp.musicboxnewtab.com while browsing sites that generally don’t advertise in pop-up windows. The pop-ups manage to bypass the built-in pop-up blockers in Google Chrome, Mozilla Firefox, Internet Explorer or Safari. Perhaps the lp.musicboxnewtab.com pop-ups appear when clicking search results from Google? Or do the pop-ups show up even when you’re not browsing?

lp.musicboxnewtab.com pop up

(Sorry for the watermarks. Need to add them to prevent the most blatant attempts of other bloggers using my screenshots without attribution)

If this sounds like what you see on your computer, you presumably have some adware installed on your system that pops up the lp.musicboxnewtab.com ads. Contacting the site owner would be a waste of time. The ads are not coming from them. I’ll try to help you remove the lp.musicboxnewtab.com pop-ups in this blog post.

For those that are new to the blog: Not long ago I dedicated a few of my lab computers and intentionally installed some adware programs on them. Since then I have been monitoring the behaviour on these machines to see what kinds of advertisements are displayed. I’m also looking at other interesting things such as if the adware auto-updates, or if it installs additional unwanted software on the computers. I first spotted the lp.musicboxnewtab.com pop-up on one of these lab machines.

musicboxnewtab.com resolves to the IP address 94.31.0.55, and the same goes for lp.musicboxnewtab.com. lp.musicboxnewtab.com was registered on 2015-05-04.

So, how do you remove the lp.musicboxnewtab.com pop-up ads? On the machine where I got the lp.musicboxnewtab.com ads I had istartsurf, MedPlayerNewVersion and Movie Wizard installed. I removed them with FreeFixer and that stopped the lp.musicboxnewtab.com pop-ups and all the other ads I was getting in Mozilla Firefox.

It seems that lp.musicboxnewtab.com is getting quite a lot of traffic, based on Alexa’s traffic rank:

The problem with this type of pop-up is that it can be initiated by many variants of adware, not just the adware that’s installed on my system. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

So, what can be done to solve the problem? To remove the lp.musicboxnewtab.com pop-up ads you need to examine your computer for adware or other types of unwanted software and uninstall it. Here’s my suggested removal procedure:

The first thing I would do to remove the lp.musicboxnewtab.com pop-ups is to examine the software installed on the machine, by opening the “Uninstall programs” dialog. You can reach this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows you can just type in “uninstall” in the Control Panel’s search field to find that dialog:
Uninstall a program search

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Uninstall a program dialog

Do you see something suspect in there or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if some program was installed about the same time as you started seeing the lp.musicboxnewtab.com pop-ups.

The next thing to check would be your browser’s add-ons. Adware often shows up under the add-ons dialog in Mozilla Firefox, Google Chrome, Internet Explorer or Safari. Is there something that looks suspicious? Something that you don’t remember installing?
Firefox add-ons manager

I think most users will be able to track down and remove the adware with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the adware. FreeFixer is a freeware tool that I’ve developed since 2006. Freefixer is a tool designed to manually track down and remove unwanted software. When you’ve found the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.

FreeFixer’s removal feature is not locked like many other removal tools out there. It will not require you to pay a fee just when you are about to remove the unwanted files.

And if you’re having difficulties deciding if a file is safe or adware in the FreeFixer scan result, click on the More Info link for the file. That will open up a web page which contains more information about the file. On that web page, check out the VirusTotal report which can be quite useful:

FreeFixer More Info link example
An example of FreeFixer’s “More Info” links.

Here you can see FreeFixer in action removing the adware that caused pop-up ads:

Did you find any adware on your machine? Did that stop the lp.musicboxnewtab.com ads? Please post the name of the adware you uninstalled from your machine in the comment below.

Thank you!

Remove travian.com Pop Up Ads Caused By Adware

Did you just get interrupted by a pop-up ad from travian.com? You are not alone. I also get the travian.com pop-ups while browsing. Do the pop-ups also find a way round the pop-up blocker in Firefox, Chrome, Internet Explorer or Safari? Then read on…

Here’s what the travian.com pop-up looked like when I got it on my system:

travian.com pop up

If this sounds like what you are seeing on your system, you most likely have some adware installed on your computer that pops up the travian.com ads. Contacting the site owner would be a waste of time. The ads are not coming from them. The pop ups are most likely caused by some unwanted software on your machine. I’ll do my best to help you with the travian.com removal in this blog post.

Those that have been reading this blog already know this, but for new visitors: A little while back I dedicated a few of my lab computers and intentionally installed some adware programs on them. Since then I have been following the actions on these systems to see what kinds of adverts are displayed. I’m also looking at other interesting things such as if the adware auto-updates, or if it downloads and installs additional unwanted software on the systems. I first spotted the travian.com pop-up on one of these lab machines.

So, how do you remove the travian.com pop-up ads? By removing the adware causing the pop ups.

On the machine where I got the travian.com ads I had WebShield, mystartsearch, Wajam, PhaseProfessor, FastSearch, PrimaryColor, SSFK.exe, SFKEX64.exe, YTDownloader and acengine installed. I removed them with FreeFixer and that stopped the travian.com pop-ups and all the other ads I was getting in Mozilla Firefox.

The pop-up ad was labelled with “Ads by GetPrivate”, however, I could not see anything installed named GetPrivate on my machine.

What label did your pop-up ad have? Please share in the comments area.

The issue with pop-ups like this one is that it can be launched by many variants of adware. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

Anyway, here’s my suggestion for the travian.com ads removal:

  1. What software do you have installed if you look in the Add/Remove programs dialog in the Windows Control Panel? Something that you don’t remember installing yourself or that was recently installed?
  2. You can also check the browser add-ons. Same thing here, do you see something that you don’t remember installing?
  3. If that didn’t help, you can give FreeFixer a try. FreeFixer is built to assist users when manually tracking down adware and other types of unwanted software. It is a freeware utility that I’ve been working on since 2006 and it scans your system at lots of locations where unwanted software is known to hook into your computer. If you would like to get additional details about a file in FreeFixer’s scan result, you can just click the More Info link for that file and a web page with a VirusTotal report will open up, which can be very useful to determine if the file is safe or malware:

    FreeFixer More Info link example
    An example of FreeFixer’s “More Info” links.
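
The first step of the removal procedure, here and in the other pop-up posts above (looking through the installed programs and sorting on the “Installed On” column), can also be done from PowerShell. This is an added example, not code from the original posts or from FreeFixer; the function name, its parameters and the sample date are assumptions.

```powershell
# Added example: list programs installed around the time the pop-ups started.
# Get-RecentlyInstalledProgram is a hypothetical helper name.
function Get-RecentlyInstalledProgram {
    param(
        [datetime]$Around = (Get-Date),  # day the pop-ups first appeared
        [int]$WindowDays = 7,            # how many days either side to include
        [switch]$IncludeUndated          # also list entries without an install date
    )

    # The "Uninstall a program" dialog is built from these registry keys:
    # 64-bit programs, 32-bit programs on 64-bit Windows, and per-user installs.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            # InstallDate is normally a yyyyMMdd string, but installers may
            # omit it or write something else, so parse it defensively.
            $installed = $null
            $parsed    = [datetime]::MinValue
            if ([datetime]::TryParseExact([string]$_.InstallDate, 'yyyyMMdd',
                    [cultureinfo]::InvariantCulture,
                    [System.Globalization.DateTimeStyles]::None, [ref]$parsed)) {
                $installed = $parsed
            }
            [pscustomobject]@{
                InstalledOn = $installed
                Name        = $_.DisplayName
                Publisher   = $_.Publisher
                # SystemComponent = 1 hides an entry from the Control Panel list,
                # so these are programs the dialog would not have shown you.
                Hidden      = [bool]$_.SystemComponent
                Uninstall   = $_.UninstallString
            }
        } |
        Where-Object {
            if ($null -eq $_.InstalledOn) { return $IncludeUndated.IsPresent }
            [math]::Abs(($_.InstalledOn - $Around.Date).TotalDays) -le $WindowDays
        } |
        Sort-Object InstalledOn -Descending
}

# Usage (the date is a constructed sample value):
# Get-RecentlyInstalledProgram -Around '2015-09-14' -WindowDays 3 |
#     Format-Table InstalledOn, Name, Publisher, Hidden -AutoSize
```

Entries with an empty Publisher or with Hidden set to True are worth a closer look, since neither is visible when you only sort the Control Panel dialog by date.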

Did this blog post help you to remove the travian.com pop-up ads? Please let me know or how I can improve this blog post.

Thank you!

LLC “LEVADIYA-PROEKT” – 5% Detection Rate At VirusTotal

Hi there! If you are a regular here on the FreeFixer blog, you know that I’ve been examining files that have a digital signature and bundle various types of potentially unwanted software. Today I found another publisher named LLC “LEVADIYA-PROEKT” that bundles some software.

LLC LEVADIYA-PROEKT warning

You can also see the LLC “LEVADIYA-PROEKT” certificate by looking under the Digital Signature tab on the file’s properties. According to the certificate, LLC “LEVADIYA-PROEKT” is located in Lviv, Ukraine. Comodo has issued the certificate.

LLC LEVADIYA-PROEKT certificate

The issue is that FlashPlayer__6741_i1651201445_il1668.exe is not an official Adobe Flash Player download. If it were, it would have been digitally signed by Adobe Systems Incorporated. Here’s what the authentic Adobe Flash Player looks like when you double click on it. Notice that the “Verified publisher” says “Adobe Systems Incorporated”.
Adobe Systems Incorporated - Adobe Flashplayer Installer
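
The same publisher check can be scripted instead of read from the UAC dialog or the Digital Signature tab. This is an added example, not code from the original post or from FreeFixer; the helper names and the download path in the usage comment are assumptions.

```powershell
# Added example: compare the Authenticode signer of a file with the publisher
# you expect for that product. Get-DnField and Test-FilePublisher are
# hypothetical helper names.

function Get-DnField {
    param(
        [System.Security.Cryptography.X509Certificates.X500DistinguishedName]$Name,
        [string]$Field   # RDN key such as 'O', 'CN', 'L' or 'C'
    )
    # Format($true) prints one RDN per line, so a comma inside a value
    # (for example O=Arkhigrad Proekt, TOV) does not split the field.
    foreach ($line in ($Name.Format($true) -split "`r?`n")) {
        $key, $value = $line -split '=', 2
        if ($key.Trim() -eq $Field -and $value) {
            return $value.Trim().Trim('"')
        }
    }
    return $null
}

function Test-FilePublisher {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedPublisher
    )
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate

    $publisher = $null; $location = $null; $issuer = $null
    if ($null -eq $cert) {
        $verdict = 'not signed'
    } else {
        # Prefer the organisation name, fall back to the common name.
        $publisher = Get-DnField $cert.SubjectName 'O'
        if (-not $publisher) { $publisher = Get-DnField $cert.SubjectName 'CN' }

        # City and country, as shown on the certificate's Details tab.
        $parts = @((Get-DnField $cert.SubjectName 'L'),
                   (Get-DnField $cert.SubjectName 'C'))
        $location = ($parts | Where-Object { $_ }) -join ', '

        # Name of the CA that issued the code-signing certificate.
        $issuer = $cert.GetNameInfo('SimpleName', $true)

        # -eq on strings is case-insensitive in PowerShell.
        $verdict = if ($sig.Status -ne 'Valid') {
            "signature status: $($sig.Status)"
        } elseif ($publisher -eq $ExpectedPublisher) {
            'valid, signed by the expected publisher'
        } else {
            'valid, but signed by a different publisher'
        }
    }

    [pscustomobject]@{
        File      = $Path
        Publisher = $publisher
        Location  = $location
        Issuer    = $issuer
        Verdict   = $verdict
    }
}

# Usage (the folder is an assumption; the file name is the one from this post):
# Test-FilePublisher -Path "$env:USERPROFILE\Downloads\FlashPlayer__6741_i1651201445_il1668.exe" -ExpectedPublisher 'Adobe Systems Incorporated'
```

A valid signature only tells you who signed the file. The signed installers covered in these posts were still detected as adware or potentially unwanted by scanners on VirusTotal, so the publisher name is the thing to compare.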

So, what do the anti-virus programs say about the LLC “LEVADIYA-PROEKT” file? No problem, I just uploaded the file to VirusTotal and it turned out that a few of the anti-virus programs detect the LLC “LEVADIYA-PROEKT” file, with names such as ADWARE/Amonetize.Gen and a variant of Win32/Amonetize.IQ potentially unwanted.

anti-virus scan LLC LEVADIYA-PROEKT

Did you also find an LLC “LEVADIYA-PROEKT” file?

Thank you for reading.

SRTSP64.SYS PAGE_FAULT_IN_NONPAGED_AREA Blue Screen Fix

I ran into a blue screen this morning in SRTSP64.SYS, with the PAGE_FAULT_IN_NONPAGED_AREA and “Your PC Ran into a problem and needs to restart” error messages. I fixed the srtsp64.sys blue screen error by uninstalling Norton 360.

SRTSP64.SYS PAGE_FAULT_IN_NONPAGED_AREA

I got this blue screen repeatedly, a few minutes after booting my Windows 8 machine. I figured out that SRTSP64.SYS was a Symantec driver by looking in regedit, where it appeared with the “Symantec Real Time Storage Protection x64” name.

srtsp64.sys symantec protection driver

I fixed the PAGE_FAULT_IN_NONPAGED_AREA / SRTSP64.sys blue screen by first restarting the machine into safe mode, and then I uninstalled Norton 360 from the Windows Control Panel.

Norton 360 uninstall

Did that help you solve the SRTSP64.sys blue screen problem? Did you find another solution to the SRTSP64.sys error which did not involve uninstalling Norton 360?