Hello readers! Just a quick post on a publisher called OOO DIGITAL VEI that I found while running some tests for the upcoming FreeFixer release. The suspicious file is named adobe_flash_player.exe.
Viewing the certificate information is also possible by looking under the Digital Signatures tab in the file's properties. Here the certificate says that OOO DIGITAL VEI is located in Moscow, Russia.
USERTrust and Comodo are further up the certificate chain:
What caught my attention was that the download was called adobe_flash_player.exe. This might look like an official Adobe Flash Player download, but it is not. The file is validly signed, but by the wrong publisher: an official download should be digitally signed by Adobe Systems Incorporated, so the name in the signature matters more than the mere presence of a signature. Here's what the authentic Adobe Flash Player installer looks like when you double-click it. Notice that the "Verified publisher" says "Adobe Systems Incorporated".
The problem with the OOO DIGITAL VEI file is that it is detected by many antivirus programs. Here are some of the detection names: W32.HfsAdware.90CE, PUP.Optional.Bundle and InstallCore (fs).
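The check described above, done from the command line instead of the UAC dialog. This is an added example and not code from the FreeFixer blog; the file name and the expected publisher string are assumptions for the illustration. The point it makes is that a `Valid` signature status alone proves nothing about who signed the file (the OOO DIGITAL VEI installer is also validly signed), so the signer's Common Name is compared against the publisher you expect, and the chain is printed so the intermediates (USERTrust, Comodo, and so on) are visible.

```powershell
# Added example, not from the FreeFixer blog. Verifies that a downloaded
# installer is signed by the publisher you expect, not merely "signed".
# The sample path and expected publisher below are assumptions.
function Test-ExpectedSigner {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedPublisher
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 'Valid' means the signature verifies and chains to a trusted root.
    # A validly signed adware bundler also reports 'Valid', so this is only
    # the first of two checks.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status '$($sig.Status)': $($sig.StatusMessage)"
        return [pscustomobject]@{ Path = $Path; Status = $sig.Status; Signer = $null; Trusted = $false }
    }

    $cert = $sig.SignerCertificate
    # SimpleName = the subject Common Name, i.e. what UAC shows as "Verified publisher".
    $signer = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName,
        $false)  # $false = subject, $true = issuer

    # Build the chain so the intermediates and root can be inspected.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null = $chain.Build($cert)
    $chainNames = $chain.ChainElements | ForEach-Object { $_.Certificate.Subject }

    # Second check: exact, case-sensitive comparison of the signer name.
    # A substring test would let 'Adobe Systems Incorporated LLC' through.
    $ok = ($signer -ceq $ExpectedPublisher)
    if (-not $ok) {
        Write-Warning "Signed by '$signer', expected '$ExpectedPublisher'. Treat as untrusted."
    }

    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Signer     = $signer
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        Chain      = ($chainNames -join ' -> ')   # leaf first, root last
        Trusted    = $ok
    }
}

# Usage (assumed file name):
Test-ExpectedSigner -Path '.\adobe_flash_player.exe' -ExpectedPublisher 'Adobe Systems Incorporated' |
    Format-List
```

Matching the Common Name is necessary but not sufficient: the CA checks that an organisation with that name exists, not that it is the one you have in mind. For anything you deploy repeatedly, pin the `Thumbprint` of the certificate you have already verified rather than the name.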
Did you also find a OOO DIGITAL VEI download? What kind of download was it?
Welcome! If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. Today I found another publisher called Gencolabs LLC.
The following screenshot shows the User Account Control dialog when running the Gencolabs LLC file:
Viewing the certificate information is also possible by looking under the digital signature tab for the file. Here the certificate says that Gencolabs LLC is located in Lewes in Delaware, US. Comodo has issued the certificate:
30% of the scanners detected the file. Avast detects breaking-bad-1-2-3-4-e-5-temporada-torrent-bdrip-bluray-720p-dual-udio.exe as NSIS:Downloader-ACE [PUP], NANO-Antivirus classifies it as Trojan.Nsis.Fraudster.dsyctt and Sophos classifies it as AdLoad (PUA).
Did you also find a Gencolabs LLC download? What kind of download was it?
Hope this blog post helped you avoid some unwanted software on your machine.
Does this sound like what you are seeing right now? You see pop-up ads from s.rev2pub.com while browsing sites that normally don't advertise in pop-up windows. The pop-ups manage to sidestep the built-in pop-up blockers in Mozilla Firefox, Google Chrome, Internet Explorer or Safari. Maybe the s.rev2pub.com pop-ups appear when clicking search results from Google? Or do the pop-ups appear even when you're not browsing?
Here’s a screen capture of the s.rev2pub.com pop-up ad when it showed up on my machine in a new tab:
(Sorry for the ridiculous use of watermarks. I have to do it to stop the copy-cats.)
If you also see this on your system, you presumably have some adware installed on your computer that pops up the s.rev2pub.com ads. So there's no point in contacting the owner of the site you were browsing. The ads are not coming from them. I'll do my best to help you remove the s.rev2pub.com pop-up in this blog post.
I found the s.rev2pub.com pop-up on one of the lab computers where I have some adware running. I've talked about this in some of the previous blog posts. The adware was installed on purpose, and from time to time I check if anything new has appeared, such as pop-up windows, new tabs in the browsers, injected ads on web sites that usually don't show ads, or new files saved to the hard drive.
s.rev2pub.com resolves to the 146.148.88.12 address and rev2pub.com to 184.72.246.247. s.rev2pub.com was registered on 2013-11-27.
So, how do you remove the s.rev2pub.com pop-up ads? On the machine where I got the s.rev2pub.com ads I had istartsurf, MedPlayerNewVersion and Movie Wizard installed. I removed them with FreeFixer and that stopped the s.rev2pub.com pop-ups and all the other ads I was getting in Mozilla Firefox.
The s.rev2pub.com domain is attracting quite a lot of traffic, just check out the Alexa traffic rank:
The issue with pop-ups such as this one is that they can be produced by many variants of adware, not just the adware running on my machine. This makes it impossible to say exactly what you need to remove to stop the pop-ups.
So, what can be done to solve the problem? To remove the s.rev2pub.com pop-up ads you need to review your computer for adware or other types of unwanted software and uninstall it. Here’s my suggested removal procedure:
Review what programs you have installed in the Add/Remove programs dialog in the Windows Control Panel. Do you see anything that you don’t remember installing or that was recently installed?
How about your browser add-ons? Anything in the list that you don't remember installing?
If that didn’t solve the problem, I’d recommend a scan with FreeFixer to manually track down the adware. FreeFixer is a freeware tool that I’m working on that scans your computer at lots of locations, such as browser add-ons, processes, Windows services, recently modified files, etc. If you want to get additional details about a file in the scan result, you can click the More Info link for that file and a web page will open up with a VirusTotal report which will be very useful to determine if the file is safe or malware:
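The first step of the procedure above, reviewing Add/Remove Programs, is easier when the list is sorted by install date. The snippet below is an added example, not FreeFixer code or code from the blog: it reads the same Uninstall registry keys that the Control Panel list is built from and marks entries installed within the last 30 days or without a Publisher value. The 30-day window is an arbitrary choice for the illustration.

```powershell
# Added example, not from the FreeFixer blog. Lists the programs behind the
# Add/Remove Programs dialog, newest first, and flags the ones a reviewer
# would want to look at: recently installed, or with no publisher recorded.
function Get-RecentlyInstalledPrograms {
    param([int]$Days = 30)   # window is an arbitrary choice for the example

    # InstallDate is stored as a yyyyMMdd string, so a lexical compare works.
    $cutoff = (Get-Date).AddDays(-$Days).ToString('yyyyMMdd')

    # Same three locations the Control Panel reads (64-bit, 32-bit, per-user).
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            $recent = [bool]($_.InstallDate -and ($_.InstallDate -ge $cutoff))
            [pscustomobject]@{
                Name        = $_.DisplayName
                Publisher   = $_.Publisher
                InstallDate = $_.InstallDate
                Location    = $_.InstallLocation
                Uninstall   = $_.UninstallString
                Recent      = $recent
                # Bundled PUPs frequently leave Publisher empty.
                Suspect     = ($recent -or -not $_.Publisher)
            }
        } |
        Sort-Object -Property InstallDate -Descending
}

# Usage: show the entries worth a second look, with the uninstall command
# so they can be removed from the same session.
Get-RecentlyInstalledPrograms -Days 30 |
    Where-Object { $_.Suspect } |
    Format-Table Name, Publisher, InstallDate, Location -AutoSize
```

Entries with SystemComponent set to 1 are hidden by the Control Panel but appear here, so expect a few extra legitimate items (runtimes, updaters). Programs that never wrote an InstallDate sort to the bottom; check those by Location instead, since adware commonly lives under the user profile rather than Program Files.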
An example of FreeFixer's "More Info" links.
Here you can see FreeFixer in action removing the adware that caused pop-up ads:
Did you find any adware on your machine? Did that stop the s.rev2pub.com ads? Please post the name of the adware you uninstalled from your machine in the comments below.
Hello! Just wanted to give you a heads-up on a suspicious file I found right now. The file is named vlc-media-player.exe and digitally signed by Social Voicing Solutions.
If you have a Social Voicing Solutions file on your machine you may have noticed that Social Voicing Solutions is displayed as the publisher in the UAC dialog when double-clicking on the file. Viewing the certificate information is also possible by looking under the Digital Signatures tab for the file. Here the certificate says that Social Voicing Solutions is located in San Francisco in California, US.
VeriSign has issued the certificate:
Gen:Variant.Application.Jaik, PUP.Optional.DownloadAdmin, DownloadAdmin and Trj/Genetic.gen are some detection names according to VirusTotal:
Did you also find a file digitally signed by Social Voicing Solutions? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.
Hello there and welcome to the FreeFixer blog. Today I wanted to talk about a bundled program called Malware Protection Live. If you have Malware Protection Live installed on your machine, you will notice Malware Protection Live in the Add/Remove Programs list and MalwareProtectionClient.exe running in the Windows Task Manager:
Malware Protection Live is configured to run on startup. This is done by adding a startup entry for MalwareProtectionClient.exe in the Windows Registry:
So, how did Malware Protection Live install on your machine? Unless you downloaded it directly from their web site, it was probably bundled with some other download that you installed recently. Bundling means that software is included in another program's installer. When I first found Malware Protection Live, it was bundled with CNET's Download.com installer. Here's how it appeared in CNET's Download.com installer where I found it:
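Registry startup entries like the one above can be reviewed without a GUI. The following is an added example, not code from the blog or from FreeFixer: it walks the Run and RunOnce keys, extracts the executable from each command line, and reports where the file lives and who signed it, which is the same publisher name the UAC dialog would show. The Run keys are only one autostart location (services, scheduled tasks and browser add-ons are others), which is why the post recommends a broader scan.

```powershell
# Added example, not from the FreeFixer blog. Lists Run/RunOnce autostarts
# with the target path and Authenticode signer of each, so an entry such as
# MalwareProtectionClient.exe can be spotted and its publisher read off.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Provider metadata that Get-ItemProperty adds alongside the real values.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ExecutablePath {
    # Extract the executable from a Run value such as
    #   "C:\Program Files\X\x.exe" /silent    or    C:\Tools\y.exe -tray
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    # Unquoted path, possibly containing spaces: take the shortest prefix
    # that ends in .exe and is followed by whitespace or end of string.
    $m = [regex]::Match($cmd, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Get-RunKeyAutostarts {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($metaProps -contains $p.Name) { continue }
            $exe    = Get-ExecutablePath $p.Value
            $status = 'FileMissing'   # also hit for bare names resolved via PATH
            $signer = $null
            if ($exe -and (Test-Path -LiteralPath $exe)) {
                $sig    = Get-AuthenticodeSignature -FilePath $exe
                $status = $sig.Status
                if ($sig.SignerCertificate) {
                    $signer = $sig.SignerCertificate.GetNameInfo(
                        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName,
                        $false)
                }
            }
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Target  = $exe
                Status  = $status      # Valid / NotSigned / HashMismatch / ...
                Signer  = $signer      # what UAC would show as "Verified publisher"
                Command = $p.Value
            }
        }
    }
}

# Usage:
Get-RunKeyAutostarts | Format-Table Name, Status, Signer, Target -AutoSize
```

Read the output the way the blog reads the UAC dialog: a `Valid` status with an unfamiliar signer is exactly the case these posts are about, and a target under `%AppData%` or `%LocalAppData%` deserves the same suspicion as one that is `NotSigned`.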
According to the embedded certificate, Malware Protection Live is located in Florida, US:
So, what do the anti-virus programs over at VirusTotal say about the bundled MalwareProtectionClient.exe file? The detection rate is 0%, so hopefully the software is safe.
What do you think?
I'll rescan it in a few days to see if the detection ratio remains the same. Please check below for updates.
Did you also find Malware Protection Live on your machine? Any idea how it was installed? Was it also bundled in a download from Download.com? Please share your story in the comments below. Thanks a bunch!
Thanks for reading. Welcome back!
Update Oct 11 2015: I checked out the MalwareProtectionClient.exe download again, and now it is detected by a few of the scanners over at VirusTotal. The detection ratio is 4/56:
Hello readers! Just a short note on a publisher called Simon Leshchuk.
It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the Simon Leshchuk certificate. Simon is located in Ukraine.
The Certum CA has issued the certificate to Mr. Leshchuk, as you can see in the certification path below:
The reason for posting about Simon Leshchuk is that the file is detected by many of the anti-virus programs. Arcabit detects Download.exe as Trojan.Adware.MPlug.65, Avira detects it as TR/Crypt.XPACK.Gen, F-Secure calls it Gen:Variant.Adware.MPlug, K7AntiVirus calls it Unwanted-Program ( 004c5f5e1 ) and Malwarebytes detects it as PUP.Optional.Multiplug.
Did you also find a Simon Leshchuk file? What kind of download was it? If you remember the download link, please post it in the comments below.
Sorry for the lack of post lately. I’m still short on time here, so I’ll just summarise some stuff I found lately:
Pop-ups from lp.leveltrade.com:
Pops ups from bbcc-news.com:
And pop-ups from vinnarum.com:
Here are a few domains you may see in the browser's status bar or in the network log if you have adware or other types of potentially unwanted software installed on your machine:
Hello readers! Just wanted to let you know about a publisher called SAfe downlOAd gtL before going back to writing some code for FreeFixer.
The following screenshot shows the User Account Control dialog when running the SAfe downlOAd gtL file:
By examining the certificate, we can see that SAfe downlOAd gtL is located in Dublin, Ireland. The certificate is issued by thawte SHA256 Code Signing CA.
The reason I’m writing this blog post is that the SAfe downlOAd gtL file is detected by many of the anti-malwares at VirusTotal. ESET-NOD32 classifies Player.exe as a variant of Win32/OutBrowse.CB potentially unwanted, Malwarebytes detects it as PUP.Optional.Outbrowse and Sophos calls it Generic PUA OC.
Did you also find a SAfe downlOAd gtL file? Do you remember the download link? Please post it in the comments below and I'll upload it to VirusTotal to see if that one is also detected.
Hello readers! Just a quick post today, since I'm busy working on the next release of FreeFixer. Did you see a file, such as one named "provided through Diplodocs.exe", on your system digitally signed by DMN Partners SRL? Then read on..
You can look at the DMN Partners SRL certificate and digital signature by looking under the Digital Signatures tab on the file’s properties. According to the certificate, DMN Partners SRL is located in Bucharest, Romania.
The reason I'm writing this blog post is that the DMN Partners SRL file is detected by many of the anti-malware programs at VirusTotal. Avira reports "provided through Diplodocs.exe" as PUA/GetNow.Gen, ESET-NOD32 names it a variant of Win32/GetNow.I potentially unwanted, McAfee-GW-Edition detects it as BehavesLike.Win32.LiveSoftAction.jc and NANO-Antivirus reports Riskware.Win32.Downware.duemgn.
Since you probably came here after finding a download that was digitally signed by DMN Partners SRL, please share what kind of download it was and if it was reported by the anti-malwares at VirusTotal.
Welcome! Just wanted to give you a heads-up on a suspicious file I found right now. The file is named vlc-media-player_setup.exe and digitally signed by PlatformMax (Fried Cookie Ltd).
If you have a PlatformMax (Fried Cookie Ltd) file on your machine you may have noticed that PlatformMax (Fried Cookie Ltd) is displayed as the publisher in the UAC dialog when double-clicking on the file. The certificate is issued by GlobalSign CodeSigning CA – G2.
If you are considering running the PlatformMax (Fried Cookie Ltd) signed file, please check out the detection list from some of the anti-virus programs:
AVG detects vlc-media-player_setup.exe as Generic.7D6, Comodo classifies it as Application.Win32.InstallCore.DXC, DrWeb detects it as Trojan.InstallCore.890 and Malwarebytes reports PUP.Optional.InstallCore.SID.C.
Did you also find a PlatformMax (Fried Cookie Ltd) file? Do you remember the download link? Please post it in the comments below and I'll upload it to VirusTotal to see if that one is also detected.