Monthly Archives: November 2015

Remove thearbitragetrader.com Pop Up Ads

Did you just get a pop-up from thearbitragetrader.com and ask yourself where it came from? Did the thearbitragetrader.com ad appear to have been popped up from a web site that under normal circumstances doesn’t use advertising such as pop-up windows? Or did the thearbitragetrader.com pop-up show up while you clicked a link on one of the major search engines, such as Google, Bing or Yahoo?

Here is a screenshot of the thearbitragetrader.com pop-up from my system:

thearbitragetrader.com pop up

(Sorry for the ridiculous use of watermarks. I have to do it to stop the copy-cats.)

If this sounds like your experience, you most likely have some adware installed on your machine that pops up the thearbitragetrader.com ads. So don’t write angry emails to the website you were browsing; the ads are almost certainly not coming from them, but from the adware on your computer. I’ll do my best to help you remove the thearbitragetrader.com pop-up in this blog post.

Those that have been reading this blog already know this, but here we go: A little while back I dedicated some of my lab computers and deliberately installed some adware programs on them. Since then I have been tracking the behaviour on these machines to see what kinds of advertisements are displayed. I’m also looking at other interesting things, such as whether the adware auto-updates, or whether it installs additional unwanted software on the machines. I first observed the thearbitragetrader.com pop-up on one of these lab computers.

www.thearbitragetrader.com resolves to the 198.232.124.192 IP address and thearbitragetrader.com to 54.72.139.26. thearbitragetrader.com was registered on 2014-10-14.

So, how do you remove the thearbitragetrader.com pop-up ads? On the machine where I got the thearbitragetrader.com ads I had Windows Menager, Live Malware Protection, SmartComp Safe Network and gosearch.me installed. I removed them with FreeFixer and that stopped the thearbitragetrader.com pop-ups and all the other ads I was getting in Mozilla Firefox.

If you are wondering whether there are many others out there also getting the thearbitragetrader.com ads, the answer is probably yes. Check out the traffic rank from Alexa:

thearbitragetrader.com traffic

The issue with pop-ups such as this one is that they can be triggered by many variants of adware. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

So, what should be done to solve the problem? To remove the thearbitragetrader.com pop-up ads you need to check your system for adware or other types of unwanted software and uninstall it. Here’s my suggested removal procedure:

  1. Check what programs you have installed in the Add/Remove programs dialog in the Windows Control Panel. Do you see something that you don’t remember installing or that was recently installed?
  2. You can also examine the add-ons you installed in Mozilla Firefox, Google Chrome, Internet Explorer or Safari. Same thing here, do you see something that you don’t remember installing?
  3. If that didn’t help, I’d recommend a scan with FreeFixer to manually track down the adware. FreeFixer is a freeware tool that I’m working on that scans your computer in lots of locations, such as browser add-ons, processes, Windows services, recently modified files, etc. If you want to get additional details about a file in the scan result, you can click the More Info link for that file and a web page will open up with a VirusTotal report, which will be very useful to determine if the file is safe or malware:

    FreeFixer More Info link example
    An example of FreeFixer’s “More Info” links. Click for full size.

Here’s a video tutorial which shows FreeFixer in action removing adware that caused pop-up ads:

Did you find any adware on your machine? Did that stop the thearbitragetrader.com ads? Please post the name of the adware you uninstalled from your machine in the comments below.

Thank you!

93.89.204.67 – That “Free Piano” Spam

I don’t know how many of these “Free Piano” spam messages I’ve been getting from 93.89.204.67:

93.89.204.67 Free Piano spam

The spam bot seems to have no problem with my anti-bot question. I guess the question is too easy to answer.

Here are some details for 93.89.204.67, thanks to DomainTools:

Poland Barwice Telewizja Kablowa Kolobrzeg Agencja Uslugowo – Reklamowa Sp. Z O.o.
ASN Poland AS201328 TKK-NET-ASN Telewizja Kablowa Kolobrzeg, Agencja Uslugowo – Reklamowa sp. z o.o. (registered Nov 24, 2014)
Resolve Host host-abn-93-89-204-67.tkk.pl

Are you also getting spammed by 93.89.204.67?

NEW SOFT Inkorporeishn, TOV – 11% Detection Rate – Amonetize

Welcome! If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. Today I found another publisher called NEW SOFT Inkorporeishn, TOV.

NEW SOFT Inkorporeishn, TOV publisher

You can see who the signer is when double-clicking on an executable file. NEW SOFT Inkorporeishn, TOV appears in the publisher field in the dialog that pops up. It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the NEW SOFT Inkorporeishn, TOV certificate.

NEW SOFT Inkorporeishn, TOV cert

So, why am I writing about the NEW SOFT Inkorporeishn, TOV file? Check out what the anti-malware software reports about the file:

NEW SOFT Inkorporeishn TOV anti-virus report

A few of the detection names for Download Uc Browser V Handler Zip__15022_i1756037767_il542797.exe: SUPERAntiSpyware reports PUP.Amonetize/Variant, Malwarebytes classifies it as PUP.Optional.Amonetize, Qihoo-360 calls it HEUR/QVM10.1.Malware.Gen and DrWeb reports it as Trojan.Amonetize.11110.

Did you also find a NEW SOFT Inkorporeishn, TOV download? What kind of download was it?

Thanks for reading.

SetupFlash (New Media Holdings Ltd.) – 18% Detection Rate

Hello readers! Just wanted to let you know about a publisher called SetupFlash (New Media Holdings Ltd.) before going back to writing some code for FreeFixer.

SetupFlash New Media Holdings Ltd publisher

This is how it looks when double-clicking on the file: SetupFlash (New Media Holdings Ltd.) appears as the publisher. To get more details on the publisher, you can view the certificate by right-clicking on the file and looking under the Digital Signatures tab. From the certificate we can see that SetupFlash (New Media Holdings Ltd.) seems to be located in Israel and that the certificate is issued by GlobalSign CodeSigning CA – G2.

SetupFlash (New Media Holdings Ltd.) cert

What caught my attention was that the download was called chrome-download.exe. This might look like an official Google Chrome download, but it is not. If it were an official download, it should be signed by Google Inc. Here’s how the authentic Google Chrome installer looks when you double-click on it. Notice that the “Verified publisher” says “Google Inc”.
Chrome Google Inc publisher
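The check described above, reading the signer from the file's Authenticode signature and comparing it with the publisher the file name implies, as an added PowerShell example (not code from FreeFixer or this blog). The expected-publisher table and the file path are assumptions made for the example; note that a "Valid" status only means the certificate chains to a trusted CA, which, as the posts on this page show, PUP publishers routinely achieve.

```powershell
# Added example, not FreeFixer code: compare the Authenticode signer of a downloaded
# installer with the publisher expected for the product its file name claims to be.
# The expected-publisher table is an assumption for this example; extend it as needed.
$ExpectedPublisher = @{
    'chrome' = 'Google Inc'   # the post shows the genuine Chrome installer signed by "Google Inc"
    'vlc'    = 'VideoLAN'     # assumption for the example: official VLC builds are signed by VideoLAN
}

function Test-DownloadSigner {
    param([Parameter(Mandatory)][string]$Path)

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $name   = Split-Path -Path $Path -Leaf
    $signer = $null
    $issuer = $null
    if ($sig.SignerCertificate) {
        # SimpleName returns the certificate CN, which is what Explorer shows as "publisher"
        $signer = $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
        $issuer = $sig.SignerCertificate.GetNameInfo('SimpleName', $true)
    }

    # Which product does the file name claim to be? (chrome-download.exe -> chrome)
    $claimed = $ExpectedPublisher.Keys |
        Where-Object { $name.ToLower().Contains($_) } |
        Select-Object -First 1

    # A valid chain is necessary but not sufficient: the signer must also be the publisher
    # you expect for that product. An unexpected but validly signed file is the case on this page.
    if ($sig.Status -ne 'Valid') {
        $verdict = "signature status is $($sig.Status); the publisher field cannot be trusted"
    } elseif ($claimed -and $signer -ne $ExpectedPublisher[$claimed]) {
        $verdict = "file name suggests $claimed but the signer is '$signer', not '$($ExpectedPublisher[$claimed])'"
    } elseif ($claimed) {
        $verdict = "signer matches the expected publisher for $claimed"
    } else {
        $verdict = 'valid signature, but no expectation for this file name; review the signer manually'
    }

    [pscustomobject]@{
        File    = $name
        Status  = $sig.Status
        Signer  = $signer
        Issuer  = $issuer
        Verdict = $verdict
    }
}

# Usage (the path is an assumption for the example):
Test-DownloadSigner -Path "$env:USERPROFILE\Downloads\chrome-download.exe" | Format-List
```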

If you are considering running the SetupFlash (New Media Holdings Ltd.) signed file, I’d advise you not to. Delete it instead. Just check out the detection list from some of the anti-virus programs:

SetupFlash New Media Holdings Ltd. report

Ikarus classifies chrome-download.exe as PUA.InstallCore, VIPRE detects it as InstallCore (fs), Malwarebytes detects it as PUP.Optional.InstallCore and Sophos reports Install Core Click run software (PUA).

Did you also find a SetupFlash (New Media Holdings Ltd.) file?

Thank you for reading.

Free-mium GmbH – 9% Detection Rate – Adware.Covus / DownloadGuide

Hello! Just a note on a publisher called Free-mium GmbH. The Free-mium GmbH download – vlc-media-player.exe – was detected when I uploaded it to VirusTotal. Did you also find a download by Free-mium GmbH? Was it also detected when you uploaded it to VirusTotal?

Free-mium GmbH publisher

By looking at the certificate we can see that Free-mium GmbH appears to be located in Berlin, Germany.

Free-mium GmbH cert

The scan result from VirusTotal below clearly shows why you probably should avoid the Free-mium GmbH file. The file is not the official VLC player, but detected under names such as Adware.Covus.6, a variant of Win32/DownloadGuide.D potentially unwanted, PUA.DownloadGuide and PE:Adware.DownloadGuide!1.A1DB [F].

Free-mium GmbH anti-virus report

If you want to download the official VLC player, you can do so from videolan.org.

Did you also find a file digitally signed by Free-mium GmbH? What kind of download was it and where did you find it?

Thank you for reading.

LLC “KIPER – SOFT” – 19% Detection Rate – PUP.Optional.Amonetize

Hello! Just a short post on a publisher called LLC “KIPER – SOFT”. I just found a download that was digitally signed by this publisher, and it turns out that it is detected by some anti-virus programs.

LLC KIPER - SOFT publisher

If you have a LLC “KIPER – SOFT” file on your computer you may have noticed that LLC “KIPER – SOFT” pops up as the publisher in the User Account Control dialog when running the file. The certificate is issued by COMODO RSA Code Signing CA. The company is located in Ukraine.

LLC KIPER - SOFT certificate

The scan result from VirusTotal below clearly shows why you should avoid the LLC “KIPER – SOFT” file. It is detected under names such as Generic.959, W32/Amonetize.AO.gen!Eldorado, PUP.Optional.Amonetize and Trojan.Win32.Amonetize.dytukr.

LLC KIPER SOFT anti-virus report

Did you also find a file digitally signed by LLC “KIPER – SOFT”? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Thank you for reading.

Remove rackcdn.com Pop Up Survey Ads

Does this sound like what you are seeing right now? You see pop-up ads from rackcdn.com while browsing websites that generally don’t advertise in pop-up windows. The pop-ups manage to get around the built-in pop-up blockers in Firefox, Chrome, Internet Explorer or Safari. Maybe the rackcdn.com pop-ups appear when clicking search results from a Google search? Or do the pop-ups show up even when you’re not browsing?

Here’s how the rackcdn.com pop-up looked when I got it on my machine:

rackcdn.com pop up survey

(Sorry for the large number of watermarks. If I don’t add them, the screenshot will be used without attribution at some other blogs)

If you also see this on your system, you most likely have some adware installed on your system that pops up the rackcdn.com ads. So there’s no point in contacting the owner of the website you were browsing. The ads are not coming from them. I’ll do my best to help you with the rackcdn.com removal in this blog post.

If you have been visiting this blog you already know this, but if you are new: Recently I dedicated some of my lab computers and wilfully installed some adware programs on them. I’ve been tracking the actions on these systems to see what kinds of advertisements are displayed. I’m also looking at other interesting things, such as whether the adware auto-updates, or whether it installs additional unwanted software on the machines. I first spotted the rackcdn.com pop-up on one of these lab computers.

So, how do you remove the rackcdn.com pop-up ads? On the machine where I got the rackcdn.com ads I had CPUMiner, PineTree and GamesDesktop installed. I removed them with FreeFixer and that stopped the rackcdn.com pop-ups and all the other ads I was getting in Mozilla Firefox.

The issue with pop-ups such as this one is that they can be launched by many variants of adware, not just the adware that’s installed on my computer. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

Anyway, here’s my suggestion for the rackcdn.com ads removal:

  1. What software do you have installed if you look in the Add/Remove programs dialog in the Windows Control Panel? Something that you don’t remember installing yourself or that was recently installed?
  2. How about your add-ons that you have in your browser. Anything in the list that you don’t remember installing?
  3. If that does not help, you can give FreeFixer a try. FreeFixer is built to assist users when manually tracking down adware and other types of unwanted software. It is a freeware utility that I’ve been working on since 2006, and it scans your system in lots of locations where unwanted software is known to hook into your machine. If you would like to get additional details about a file in FreeFixer’s scan result, you can just click the More Info link for that file and a web page with a VirusTotal report will open up, which can be very useful to determine if the file is safe or malware:

    FreeFixer More Info link example
    An example of FreeFixer’s “More Info” links. Click for full size.

Here you can see FreeFixer in action removing pop-up ads:

Did you find any adware on your machine? Did that stop the rackcdn.com ads? Please post the name of the adware you uninstalled from your machine in the comments below.

Thank you!

Remove s.hnisdlmm.com Pop Up Ads

Did you just get a pop-up from s.hnisdlmm.com and wonder where it came from? Did the s.hnisdlmm.com ad appear to have been popped up from a web site that under normal circumstances doesn’t use advertising such as pop-up windows? Or did the s.hnisdlmm.com pop-up show up while you clicked a link on one of the major search engines, such as Google, Bing or Yahoo?

Here’s a screenshot of the s.hnisdlmm.com pop-up ad when it showed up on my system:

s.hnisdlmm.com pop up

(I’m sorry for the many watermarks. If I don’t add them, the screenshot always shows up at some copy-cat blogs.)

You can also see s.hnisdlmm.com in the browser’s status bar:

s.hnisdlmm.com status bar

If this sounds like your machine, you presumably have some adware installed on your computer that pops up the s.hnisdlmm.com ads. Don’t flame the people who run the site you were at; the ads are presumably not coming from that website, but from the adware that’s installed on your system. I’ll try to help you with the s.hnisdlmm.com removal in this blog post.

Those that have been visiting this blog already know this, but here we go: Some time ago I dedicated some of my lab computers and intentionally installed some adware programs on them. Since then I have been tracking the behaviour on these machines to see what kinds of ads are displayed. I’m also looking at other interesting things, such as whether the adware updates itself, or whether it downloads and installs additional unwanted software on the machines. I first observed the s.hnisdlmm.com pop-up on one of these lab computers.

s.hnisdlmm.com was registered on 2015-10-29. s.hnisdlmm.com resolves to 23.23.171.55.

So, how do you remove the s.hnisdlmm.com pop-up ads? On the machine where I got the s.hnisdlmm.com ads I had gosearch.me, Windows Menager, SmartComp Safe Network and Live Malware Protection installed. I removed them with FreeFixer and that stopped the s.hnisdlmm.com pop-ups and all the other ads I was getting in Mozilla Firefox.

The problem with this type of pop-up is that it can be initiated by many variants of adware, not just the adware on my system. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

So, what can be done to solve the problem? To remove the s.hnisdlmm.com pop-up ads you need to review your machine for adware or other types of unwanted software and uninstall it. Here’s my suggested removal procedure:

The first thing I would do to remove the s.hnisdlmm.com pop-ups is to examine the programs installed on the machine, by opening the “Uninstall programs” dialog. You can find this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows OS you can just type in “uninstall” in the Control Panel’s search field to find that dialog:
Uninstall a program search

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Uninstall a program dialog

Do you see something suspicious listed there or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if some program was installed about the same time as you started observing the s.hnisdlmm.com pop-ups.

Then I would check the browser add-ons. Adware often appears under the add-ons menu in Google Chrome, Mozilla Firefox, Internet Explorer, Safari or Opera. Is there anything that looks suspicious? Something that you don’t remember installing?
Firefox add-ons manager

I think you will be able to identify and uninstall the adware with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the adware. FreeFixer is a freeware tool that I’ve been developing since 2006. FreeFixer is a tool built to manually identify and uninstall unwanted software. When you’ve tracked down the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.

FreeFixer’s removal feature is not locked down like many other removal tools out there. It will not require you to pay for the program just when you are about to remove the unwanted files.

And if you’re having trouble deciding whether a file is safe or unsafe in FreeFixer’s scan report, click on the More Info link for the file. That will open up your web browser with a page which contains more details about the file. On that web page, check out the VirusTotal report, which can be very useful:

FreeFixer More Info link example
An example of FreeFixer’s “More Info” links. Click for full size.

Here’s a video tutorial showing FreeFixer in action removing pop-up ads:

Did you find any adware on your machine? Did that stop the s.hnisdlmm.com ads? Please post the name of the adware you uninstalled from your machine in the comments below.

Thank you!

Remove s.iktmmny.com Pop Up Ads

Does this sound familiar? You see pop-up advertisements from s.iktmmny.com while browsing web sites that in general don’t advertise in pop-up windows. The pop-ups manage to bypass the built-in pop-up blockers in Firefox, Chrome, Internet Explorer or Safari. Maybe the s.iktmmny.com pop-ups turn up when clicking search results from Google? Or do the pop-ups turn up even when you’re not browsing?

s.iktmmny.com pop up

(Sorry for the large number of watermarks. If I don’t add them, the screenshot will be used without attribution at some other blogs)

If this sounds like what you see on your system, you probably have some adware installed on your computer that pops up the s.iktmmny.com ads. Don’t flame the people who run the site you were at; the ads are presumably not coming from that site, but from the adware that’s installed on your computer. I’ll do my best to help you with the s.iktmmny.com removal in this blog post.

I found the s.iktmmny.com pop-up on one of the lab machines where I have some adware running. I’ve talked about this in some of the previous blog posts. The adware was installed on purpose, and from time to time I check if anything new has appeared, such as pop-up windows, new tabs in the browsers, injected ads on sites that usually don’t show ads, or new files that have been saved to the hard drive.

s.iktmmny.com resolves to the 23.21.211.254 address. s.iktmmny.com was registered on 2015-10-28.

So, how do you remove the s.iktmmny.com pop-up ads? On the machine where I got the s.iktmmny.com ads I had Live Malware Protection, gosearch.me, SmartComp Safe Network and Windows Menager installed. I removed them with FreeFixer and that stopped the s.iktmmny.com pop-ups and all the other ads I was getting in Mozilla Firefox.

If you are wondering whether there are many others out there also getting the s.iktmmny.com ads, the answer is probably yes. Check out the traffic rank from Alexa:

iktmmny.com traffic

The issue with this type of pop-up is that it can be initiated by many variants of adware, not just the adware running on my machine. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

To remove the s.iktmmny.com pop-up ads you need to check your system for adware or other types of unwanted software and uninstall it. Here’s my suggested removal procedure:

  1. Check what programs you have installed in the Add/Remove programs dialog in the Windows Control Panel. Do you see anything that you don’t remember installing or that was recently installed?
  2. How about your add-ons you have in your browsers. Anything in the list that you don’t remember installing?
  3. If that does not help, I’d recommend a scan with FreeFixer to manually track down the adware. FreeFixer is a freeware tool that I’m working on that scans your computer in lots of locations, such as browser add-ons, processes, Windows services, recently modified files, etc. If you want to get additional details about a file in the scan result, you can click the More Info link for that file and a web page will open up with a VirusTotal report, which will be very useful to determine if the file is safe or malware:

    FreeFixer More Info link example
    An example of FreeFixer’s “More Info” links. Click for full size.
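Step 1 of the removal procedure above (and the “Installed On” sorting tip given in the earlier posts on this page) can be scripted: the PowerShell below, an added example that is not FreeFixer code, reads the same Uninstall registry keys the Control Panel dialog uses and lists programs newest first, flagging those installed within a chosen number of days. The 30-day window and the column layout are choices made for the example.

```powershell
# Added example, not FreeFixer code: list installed programs from the Uninstall registry
# keys (the source of the "Uninstall a program" dialog) sorted by install date, newest first,
# so that software that appeared around the time the pop-ups started stands out.
function Get-RecentlyInstalledProgram {
    param([int]$Days = 30)   # window for the Recent flag; 30 days is an assumption for the example

    # 64-bit, 32-bit (WOW6432Node) and per-user installs all register under one of these keys
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $cutoff = (Get-Date).AddDays(-$Days)

    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |            # skip keys without a visible name
        ForEach-Object {
            # InstallDate is a yyyyMMdd string and is optional; adware often leaves it empty
            $installed = $null
            if ($_.InstallDate -match '^\d{8}$') {
                try { $installed = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null) } catch { }
            }
            [pscustomobject]@{
                Name        = $_.DisplayName
                Publisher   = $_.Publisher           # often missing or generic for unwanted software
                InstalledOn = $installed
                Recent      = ($null -ne $installed -and $installed -ge $cutoff)
                Uninstall   = $_.UninstallString     # the command the dialog runs to remove it
            }
        } |
        Sort-Object InstalledOn -Descending
}

# Usage: everything, newest first; entries with no InstallDate sort to the bottom and
# deserve a manual look too, since a missing date is itself a weak signal.
Get-RecentlyInstalledProgram -Days 30 |
    Format-Table Name, Publisher, InstalledOn, Recent -AutoSize
```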

Here you can see FreeFixer in action removing pop-up ads:

Did you find any adware on your machine? Did that stop the s.iktmmny.com ads? Please post the name of the adware you uninstalled from your machine in the comments below.

Thank you!

DIGITAL PLUGIN S.L.U – 53% Detection Rate – SoftPulse / Mikey / AdPlugin

Hello! Just a short note on a publisher called DIGITAL PLUGIN S.L.U.

DIGITAL PLUGIN S.L.U publisher

You can also view the certificate by right-clicking on the file and looking under the Digital Signatures tab. From the certificate we can see that DIGITAL PLUGIN S.L.U is located in Santa Cruz, Tenerife in Spain and that the certificate is issued by thawte SHA256 Code Signing CA.

DIGITAL PLUGIN S.L.U certificate

After uploading the DIGITAL PLUGIN S.L.U file – Setup(1).exe – to VirusTotal, it was clear that it’s probably better to delete the file than to run it. The detection rate was 53% and some of the detection names were: PUA.SoftPulse!, AdPlugin.FNB, Gen:Variant.Mikey.24388, Trojan.Domaiq.321, PUP.Optional.SoftPulse and HEUR/QVM11.1.Malware.Gen.

DIGITAL PLUGIN S.L.U anti-virus report


Did you also find a DIGITAL PLUGIN SLU file?

Thank you for reading.