Hello! Was looking for some downloads to play around with and found one, digitally signed by CrossBeam (New Media Holdings Ltd.). The file is named chrome-download.exe.
Typically you’d see the CrossBeam (New Media Holdings Ltd.) publisher name appear when double-clicking on the chrome-download.exe file. By examining the certificate, we can see that CrossBeam (New Media Holdings Ltd.) appears to be located in Tel Aviv, Israel.
The certificate is issued by GlobalSign CodeSigning CA – G2.
The issue here is that if chrome-download.exe really was a setup file for Google Chrome, it should be signed by Google Inc. and not by some unknown company. Here’s what the authentic Google Chrome looks like when you double-click on it. Notice that the “Verified publisher” says “Google Inc”.
9% of the anti-virus scanners detected the file. Some of the detection names for the chrome-download.exe file are a variant of Win32/InstallCore.ACQ.gen potentially unwanted, PUP.Optional.InstallCore and InstallCore (fs).
When I tested the CrossBeam file it bundled StormFall and Norton 360. The checkboxes for these two programs were not checked by default.
Did you also find a CrossBeam (New Media Holdings Ltd.) file? What kind of download was it? If you remember the download link, please post it in the comments below.
Does this sound like what you are seeing right now? You see pop-up ads from privilegesbox.net while browsing websites that usually don’t advertise in pop-up windows.
The pop-ups manage to bypass the built-in pop-up blockers in Firefox, Chrome, Internet Explorer or Safari. Maybe the privilegesbox.net pop-ups show up when clicking search results from Google? Or do the pop-ups show up even when you’re not browsing?
Here’s another privilegesbox.net pop-up ad:
If this sounds like what you are seeing on your computer, you presumably have some adware installed on your machine that pops up the privilegesbox.net ads. So there’s no point in contacting the owner of the website you were browsing. The ads are not coming from them. I’ll try to help you remove the privilegesbox.net pop-ups in this blog post.
If you have been reading this blog you already know this, but if you are new: Recently I dedicated some of my lab machines and knowingly installed some adware programs on them. I have been monitoring the behaviour on these systems to see what kinds of ads are displayed. I’m also looking at other interesting things, such as whether the adware auto-updates, or whether it downloads and installs additional unwanted software on the machines. I first observed the privilegesbox.net pop-up on one of these lab computers.
privilegesbox.net resolves to the 162.159.246.105 IP address. privilegesbox.net was registered on 2014-12-30.
So, how do you remove the privilegesbox.net pop-up ads? On the machine where I got the privilegesbox.net ads I had istartsurf, MedPlayerNewVersion and Movie Wizard installed. I removed them with FreeFixer and that stopped the privilegesbox.net pop-ups and all the other ads I was getting in Mozilla Firefox.
If you are wondering whether there are many others out there also getting the privilegesbox.net ads, the answer is probably yes. Check out the traffic rank from Alexa:
The problem with pop-ups such as this one is that they can be launched by many variants of adware, not just the adware on my machine. This makes it impossible to say exactly what you need to remove to stop the pop-ups.
So, what can be done? To remove the privilegesbox.net pop-up ads you need to review your machine for adware or other types of unwanted software and uninstall it. Here’s my suggested removal procedure:
What software do you have installed if you look in the Add/Remove programs dialog in the Windows Control Panel? Something that you don’t remember installing yourself or that was recently installed?
You can also examine the add-ons you installed in Mozilla Firefox, Google Chrome, Internet Explorer or Safari. Same thing here, do you see something that you don’t remember installing?
If that didn’t solve the problem, I’d recommend a scan with FreeFixer to manually track down the adware. FreeFixer is a freeware tool that I’m working on that scans your computer at lots of locations, such as browser add-ons, processes, Windows services, recently modified files, etc. If you want to get additional details about a file in the scan result, you can click the More Info link for that file and a web page will open up with a VirusTotal report which will be very useful to determine if the file is safe or malware:
Here’s a video tutorial on how to remove the pop-ups with FreeFixer:
Did you find any adware on your machine? Did that stop the privilegesbox.net ads? Please post the name of the adware you uninstalled from your machine in the comment below.
This page shows how to remove pstatic.pricemoon.co and istatic.pricemoon.co from Mozilla Firefox, Google Chrome and Internet Explorer.
Did you just see pstatic.pricemoon.co in the status bar of your browser and wonder where it came from? Or did pstatic.pricemoon.co show up while you searched for something on one of the major search engines, such as the Google search engine?
Here is what the pstatic.pricemoon.co status bar message looked like on my system:
The following are some of the status bar messages you may see in your browser’s status bar:
Waiting for pstatic.pricemoon.co…
Transferring data from pstatic.pricemoon.co…
Looking up pstatic.pricemoon.co…
Read pstatic.pricemoon.co
Connected to pstatic.pricemoon.co…
If this sounds like what you are seeing, you most likely have some potentially unwanted program installed on your computer that makes the pstatic.pricemoon.co domain appear in your browser. So there’s no point in contacting the owner of the web site you were browsing. The pstatic.pricemoon.co status bar messages are not coming from them. I’ll try to help you remove the pstatic.pricemoon.co status bar messages in this blog post.
Those that have been visiting this blog already know this, but here we go: A little while back I dedicated some of my lab machines and knowingly installed a few potentially unwanted programs on them. I’ve been observing the behaviour on these computers to see what kinds of advertisements, if any, are displayed. I’m also looking at other interesting things, such as whether the potentially unwanted program updates itself, or whether it installs additional software on the computers. I first spotted pstatic.pricemoon.co in Mozilla Firefox’s status bar on one of these lab systems.
pstatic.pricemoon.co was registered on 2015-05-27. istatic.pricemoon.co resolves to the 104.31.65.182 address and so does pstatic.pricemoon.co.
So, how do you remove pstatic.pricemoon.co and istatic.pricemoon.co from your browser? On the machine where pstatic.pricemoon.co showed up in the status bar I had ActSys, WNet, PlainSavings and CashReminder installed. I removed them with FreeFixer and that stopped the browser from loading data from pstatic.pricemoon.co.
The problem with status bar messages like the one described in this blog post is that they can be caused by many variants of potentially unwanted programs. This makes it impossible to say exactly what you need to remove to stop the status bar messages.
Anyway, here’s my suggestion for the pstatic.pricemoon.co removal:
What software do you have installed if you look in the Add/Remove programs dialog in the Windows Control Panel? Something that you don’t remember installing yourself or that was recently installed?
You can also examine the add-ons you installed in Mozilla Firefox, Google Chrome, Internet Explorer or Safari. Same thing here, do you see something that you don’t remember installing?
If that did not help, you can give FreeFixer a try. FreeFixer is built to assist users when manually tracking down potentially unwanted programs. It is a freeware utility that I’ve been working on since 2006 and it scans your machine at lots of locations where unwanted software is known to hook into your system. If you would like to get additional details about a file in FreeFixer’s scan result, you can just click the More Info link for that file and a web page with a VirusTotal report will open up, which can be very useful to determine if the file is safe or malware:
Did you find any potentially unwanted program on your machine? Did that stop pstatic.pricemoon.co? Please post the name of the potentially unwanted program you uninstalled from your machine in the comment below.
Hello! Just a quick post on a publisher called BeST ApP that I found while running some tests for the upcoming FreeFixer release. The suspicious file is named Player.exe.
You will also see BeST ApP listed as the verified publisher in the User Account Control dialog that pops up if you try to run the file. It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the BeST ApP certificate.
Downloader.UVA, Generic PUA OP (PUA) and OutBrowse are some detection names according to VirusTotal:
Did you also find a file digitally signed by BeST ApP? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.
Welcome! Just a short post on a publisher called SM Install (Fried Cookie Ltd.) before going back to some coding on FreeFixer.
You can view additional information about the certificate by right-clicking on the file, choosing properties and then clicking on the Digital Signatures tab. According to the certificate we can see that SM Install (Fried Cookie Ltd.) is located in Tel Aviv, Israel and that the certificate is issued by GlobalSign CodeSigning CA – G2.
What caught my attention was that the download was called chrome-download.exe. This might look like an official Google Chrome download, but it is not. If it was an official download, it should be digitally signed by Google Inc. Here’s what the authentic Google Chrome looks like when you double-click on it. Notice that the “Verified publisher” says “Google Inc”.
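The same check as in the CrossBeam and SM Install posts (a file named like a Chrome installer should carry Google's signature) can be scripted. This is an added example, not code from the original posts or from FreeFixer; the rule table, the function name and the Downloads folder location are assumptions.

```powershell
# Added example: compare an installer's Authenticode signer with the publisher
# expected for the product its file name claims to be.

# Assumption: illustrative rule table. 'Google' is a substring match so that it
# covers "Google Inc" as shown in the post; extend the table for other products.
$ExpectedPublisher = @(
    @{ NamePattern = 'chrome'; Publisher = 'Google' }
)

function Test-InstallerPublisher {
    param([Parameter(Mandatory)] [string] $Path)

    $file = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName

    $signer = $null
    $issuer = $null
    if ($sig.SignerCertificate) {
        $cn = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $signer = $sig.SignerCertificate.GetNameInfo($cn, $false)  # "Verified publisher"
        $issuer = $sig.SignerCertificate.GetNameInfo($cn, $true)   # issuing CA
    }

    $verdict = 'No expectation for this file name'
    foreach ($rule in $ExpectedPublisher) {
        if ($file.Name -match $rule.NamePattern) {
            if ($sig.Status -ne 'Valid') {
                # Unsigned, tampered or untrusted: the publisher name means nothing
                $verdict = "Signature status: $($sig.Status)"
            } elseif ($signer -like "*$($rule.Publisher)*") {
                $verdict = 'Publisher matches'
            } else {
                # A valid signature from someone else, as with chrome-download.exe
                $verdict = "MISMATCH: expected $($rule.Publisher)"
            }
            break
        }
    }

    [pscustomobject]@{
        File    = $file.Name
        Status  = $sig.Status
        Signer  = $signer
        Issuer  = $issuer
        Verdict = $verdict
    }
}

# Assumption: downloads live in the default per-user Downloads folder.
Get-ChildItem (Join-Path $env:USERPROFILE 'Downloads') -Filter *.exe |
    ForEach-Object { Test-InstallerPublisher -Path $_.FullName } |
    Format-Table -AutoSize
```

A valid signature only proves who signed the file, so a "MISMATCH" row is the case these posts describe: a correctly signed installer from a publisher other than the product's vendor.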
When I uploaded the SM Install (Fried Cookie Ltd.) file to VirusTotal, it came up with a 12% detection rate. The file is detected as Generic.BEC by AVG, Install Core Click run software (PUA) by Sophos and InstallCore (fs) by VIPRE.
Did you also find a SM Install (Fried Cookie Ltd.) file?
Hi there! Just wanted to give you the heads up on files digitally signed by safe InStAll OPT.
You can see who the signer is when double-clicking on an executable file. safe InStAll OPT appears in the publisher field in the dialog that pops up. To get more details on the publisher, you can view the certificate by right-clicking on the file, and looking under the Digital Signatures tab. According to the certificate we can see that safe InStAll OPT appears to be located in Ireland and that the certificate is issued by thawte SHA256 Code Signing CA.
Here’s Thawte in the certificate chain:
When I uploaded the file to VirusTotal – as I usually do when I find something that looks suspicious – 28% of the antivirus scanners detected the file. The file is detected as Downloader.USS by AVG, PUP.Optional.Bundle by Malwarebytes and Adware-OutBrowse.h by McAfee-GW-Edition.
Did you also find a safe InStAll OPT file? What kind of download was it? If you remember the download link, please post it in the comments below.
Did you just get a pop-up from safedownloadsrus147.com and ponder where it came from? Did the safedownloadsrus147.com ad appear to have been initiated from a web site that under normal circumstances doesn’t use advertising such as pop-up windows? Or did the safedownloadsrus147.com pop-up show up while you clicked a link on one of the big search engines, such as Google, Bing or Yahoo?
Here’s a screenshot of the safedownloadsrus147.com pop-up ad when it showed up on my computer:
(I know, lots of watermarks. Have to do it to stop the copy-cats.)
If this sounds like what you are seeing on your machine, you presumably have some adware installed on your machine that pops up the safedownloadsrus147.com ads. So there’s no point in contacting the owner of the web site you were browsing. The ads are not coming from them. I’ll try to help you with the safedownloadsrus147.com removal in this blog post.
Those that have been following this blog already know this, but for new visitors: Not long ago I dedicated some of my lab machines and deliberately installed a few adware programs on them. Since then I have been monitoring the behaviour on these computers to see what kinds of advertisements are displayed. I’m also looking at other interesting things, such as whether the adware auto-updates, or whether it installs additional unwanted software on the machines. I first spotted the safedownloadsrus147.com pop-up on one of these lab machines.
safedownloadsrus147.com was registered on 2015-08-20. safedownloadsrus147.com resolves to 162.159.248.237.
Update Nov 27 2015: I just ran into a pop up from safedownloadsrus169.com. The following similar domains are also registered:
And I will not be surprised if these domains start to appear in pop-ups too:
So, how do you remove the safedownloadsrus147.com pop-up ads? On the machine where I got the safedownloadsrus147.com ads I had Windows Menager, SmartComp Safe Network, gosearch.me and Live Malware Protection installed. I removed them with FreeFixer and that stopped the safedownloadsrus147.com pop-ups and all the other ads I was getting in Mozilla Firefox.
It seems that safedownloadsrus147.com is getting quite a lot of traffic, based on Alexa’s traffic rank:
The issue with this type of pop-up is that it can be popped up by many variants of adware, not just the adware on my computer. This makes it impossible to say exactly what you need to remove to stop the pop-ups.
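Because the pop-up domain changes only in its number (safedownloadsrus147.com, safedownloadsrus169.com and so on), a pattern match finds lookups of the whole family on a machine, including numbers not seen yet. This is an added example, not part of the original post or of FreeFixer; the function names and the sample host names are constructed.

```powershell
# Added example: find DNS lookups of the ad domains named in these posts.

# The numbered family is matched by pattern; the other two domains are taken
# from the privilegesbox.net and pricemoon.co posts. Subdomains also match.
$AdDomainPatterns = @(
    '(^|\.)safedownloadsrus\d+\.com$',
    '(^|\.)privilegesbox\.net$',
    '(^|\.)pricemoon\.co$'
)

function Test-AdDomain {
    param([string] $Name)
    # Normalise: trim whitespace, drop a trailing root dot, lower-case
    $n = $Name.Trim().TrimEnd('.').ToLowerInvariant()
    foreach ($pattern in $AdDomainPatterns) {
        if ($n -match $pattern) { return $true }
    }
    return $false
}

function Find-AdDomainLookup {
    # Get-DnsClientCache ships with Windows 8 / Server 2012 and later.
    # The cache only holds recent lookups, so an empty result is not a clean bill.
    Get-DnsClientCache |
        Where-Object { Test-AdDomain $_.Entry } |
        Sort-Object Entry -Unique |
        Select-Object Entry, Data
}

# Constructed sample names showing what the matcher accepts and rejects
'safedownloadsrus201.com', 'www.privilegesbox.net', 'pstatic.pricemoon.co',
'safedownloadsrus.com', 'example.com' |
    ForEach-Object { '{0,-28} {1}' -f $_, (Test-AdDomain $_) }

# Live check on the current machine
Find-AdDomainLookup
```

A hit confirms that something on the machine is contacting these domains; it does not say which program, which is why the review of installed software below is still needed.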
Anyway, here’s my suggestion for the safedownloadsrus147.com ads removal:
Review what programs you have installed in the Add/Remove programs dialog in the Windows Control Panel. Do you see anything that you don’t remember installing or that was recently installed?
How about the add-ons that you have in your browser? Anything in the list that you don’t remember installing?
If that didn’t help, I’d recommend a scan with FreeFixer to manually track down the adware. FreeFixer is a freeware tool that I’m working on that scans your computer at lots of locations, such as browser add-ons, processes, Windows services, recently modified files, etc. If you want to get additional details about a file in the scan result, you can click the More Info link for that file and a web page will open up with a VirusTotal report which will be very useful to determine if the file is safe or malware:
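The first step of the removal suggestion in the privilegesbox.net, pricemoon.co and safedownloadsrus147.com posts (look through Add/Remove programs for recent or unfamiliar entries) can be listed from the registry. This is an added example, not FreeFixer's code; the function name and the 30-day window are assumptions, and the name list contains only the programs the posts say were on the lab machines.

```powershell
# Added example: list installed programs, newest first, flagging recent
# installs and names these posts report from the author's lab machines.

# From the posts. Other adware variants can cause the same ads, so an entry
# missing from this list is not thereby cleared.
$SeenInPosts = 'istartsurf', 'MedPlayerNewVersion', 'Movie Wizard', 'ActSys',
               'WNet', 'PlainSavings', 'CashReminder', 'Windows Menager',
               'SmartComp Safe Network', 'gosearch.me', 'Live Malware Protection'

function Get-InstalledProgramReview {
    param([int] $RecentDays = 30)   # assumption: what counts as "recently installed"

    # The registry locations that back the Add/Remove programs list
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $cutoff  = (Get-Date).AddDays(-$RecentDays)
    $culture = [cultureinfo]::InvariantCulture
    $style   = [System.Globalization.DateTimeStyles]::None

    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            # InstallDate is optional (yyyyMMdd); many installers never write it
            $date = [datetime]::MinValue
            $hasDate = [datetime]::TryParseExact([string]$_.InstallDate, 'yyyyMMdd',
                                                 $culture, $style, [ref]$date)
            $name = $_.DisplayName
            [pscustomobject]@{
                Name        = $name
                Publisher   = $_.Publisher
                Installed   = if ($hasDate) { $date } else { $null }
                Recent      = $hasDate -and ($date -ge $cutoff)
                SeenInPosts = [bool]($SeenInPosts | Where-Object { $name -like "*$_*" })
            }
        } |
        Sort-Object Installed -Descending
}

Get-InstalledProgramReview |
    Format-Table Name, Publisher, Installed, Recent, SeenInPosts -AutoSize
```

Entries without an install date sort to the bottom and still need a manual look, as do browser add-ons, which are not stored under these keys.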
Here’s a video tutorial which shows FreeFixer in action removing adware that caused pop-up ads:
Did this blog post help you to remove the safedownloadsrus147.com pop-up ads? Please let me know, or tell me how I can improve this blog post.
Hello readers! If you are a regular here on the FreeFixer blog, you know that I’ve been examining files that have a digital signature and bundle various types of potentially unwanted software. Today I found another publisher named viD PLAY that bundles some software.
If you have a viD PLAY file on your computer you may have noticed that viD PLAY pops up as the publisher in the User Account Control dialog when running the file. The certificate is issued by thawte SHA256 Code Signing CA.
Thawte at the root in the certificate chain:
After uploading the viD PLAY file – Player.exe – to VirusTotal, it was clear that it’s probably better to delete the file than to run it. The detection rate was 33% and some of the detection names were: Downloader.UIA, PUP.Optional.Vidplay, Adware-OutBrowse.h and OutBrowse.
Did you also find a viD PLAY file? What kind of download was it? If you remember the download link, please post it in the comments below.
Hello readers! Just a short post on a publisher called Cash Buyer Media before going back to some coding on FreeFixer.
You will also see Cash Buyer Media listed as the verified publisher in the User Account Control dialog that pops up if you try to run the file. Information about a digital signature and the certificate can also be found under the Digital Signatures tab. According to the certificate we can see that Cash Buyer Media is located in San Francisco, California, US and that the certificate is issued by VeriSign Class 3 Code Signing 2010 CA.
Here’s VeriSign in the cert chain:
After uploading the Cash Buyer Media file – vlc-media-player.exe – to VirusTotal, it was clear that it’s probably better to delete the file than to run it. The detection rate was 18% and some of the detection names were: GrayWare[AdWare]/Win32.GamePlayLabs.a, W32.HfsAdware.81DC, Trojan.Vittalia.368 and DownloadAdmin (PUA).
Did you also find a download that was signed by Cash Buyer Media? What kind of download was it and was it detected by the anti-malware programs at VirusTotal? Please share by posting in the comments below.