
Remove gal.adviceoncarsse.com from Firefox, Google Chrome and Internet Explorer

This page shows how to remove gal.adviceoncarsse.com from Mozilla Firefox, Google Chrome and Internet Explorer.

Did you just see gal.adviceoncarsse.com in the status bar of your web browser and wonder where it came from? Or did gal.adviceoncarsse.com show up while you searched for something on one of the major search engines, such as Google?

Here’s a screen capture of gal.adviceoncarsse.com when it showed up on my computer, in the network log, while I did a search at Google.se:

gal.adviceoncarsse.com connection

The following are some of the messages you may see in your browser’s status bar:

  • Waiting for gal.adviceoncarsse.com…
  • Transferring data from gal.adviceoncarsse.com…
  • Looking up gal.adviceoncarsse.com…
  • Read gal.adviceoncarsse.com
  • Connected to gal.adviceoncarsse.com…

If this description sounds like your computer, you probably have some potentially unwanted program installed on your machine that makes the gal.adviceoncarsse.com domain appear in your browser. Contacting the owner of the website you were browsing would be a waste of time. They are not responsible for the gal.adviceoncarsse.com status bar messages. I’ll do my best to help you remove the gal.adviceoncarsse.com message in this blog post.

For those who are new to the blog: Not long ago I dedicated a few of my lab computers and intentionally installed a few potentially unwanted programs on them. Since then I’ve been observing the behaviour on these machines to see what kinds of advertisements are displayed. I’m also looking at other interesting things, such as whether the potentially unwanted program updates itself automatically, or whether it downloads and installs additional potentially unwanted programs on the machines. I first noticed gal.adviceoncarsse.com in Mozilla Firefox’s status bar on one of these lab systems.

gal.adviceoncarsse.com was created on 2014-12-02. gal.adviceoncarsse.com resolves to 50.22.215.30. A Whois query does not offer much information, since the domain is protected by WhoisGuard INC.

So, how do you remove gal.adviceoncarsse.com from your browser? On the machine where gal.adviceoncarsse.com showed up in the status bar I had PriceFountain, YTDownloader, WebWaltz and SpeedChecker installed. I removed them with FreeFixer and that stopped the browser from loading data from gal.adviceoncarsse.com.

Most likely, WebWaltz was responsible for the gal.adviceoncarsse.com connection, since the loaded URL mentions “web waltz”, as shown in the screenshot above.

The issue with status bar messages such as this one is that they can be caused by many variants of potentially unwanted programs, not just the potentially unwanted program running on my system. This makes it impossible to say exactly what you need to remove to stop the status bar messages.

Anyway, here’s my suggestion for the gal.adviceoncarsse.com removal:

The first thing I would do to remove gal.adviceoncarsse.com is to examine the software installed on the machine, by opening the “Uninstall programs” dialog. You can reach this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows OS you can just type in “uninstall” in the Control Panel’s search field to find that dialog:
Uninstall a program search

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Uninstall a program dialog

Do you see something suspicious in there, or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if something was installed at about the same time as you started seeing the gal.adviceoncarsse.com status bar messages.

The next thing to check would be your browser’s add-ons. Potentially unwanted programs often appear under the add-ons menu in Chrome, Firefox, Internet Explorer or Safari. Is there anything that looks suspicious? Anything that you don’t remember installing?
Firefox add-ons manager

I think most users will be able to track down and uninstall the potentially unwanted program with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the potentially unwanted program. FreeFixer is a freeware tool that I started developing many years ago. It’s a tool designed to manually track down and remove unwanted software. When you’ve identified the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.

FreeFixer’s removal feature is not locked like in many other removal tools out there. It won’t require you to pay a fee just as you are about to remove the unwanted files.

And if you’re having issues deciding if a file is clean or potentially unwanted in FreeFixer’s scan report, click on the More Info link for the file. That will open up a web page which contains additional information about the file. On that web page, check out the VirusTotal report which can be very useful:

FreeFixer More Info link example
An example of FreeFixer’s “More Info” links. Click for full size.

Did this blog post help you to remove gal.adviceoncarsse.com? Please let me know, or tell me how I can improve this blog post.

Thank you!

Symcd.com – Online Certificate Status Protocol Server Owned By Symantec Corporation

Morning! Hope you are having a great weekend. I’ve been experimenting with some network monitoring of HTTP requests and responses in Mozilla Firefox. While playing around with one of the tools I’m evaluating I noticed a request to gv.symcd.com:

gv.symcd.com connection

I had not heard of the symcd.com domain before, so I got curious. The request is an “application/ocsp-request”. OCSP is an abbreviation for Online Certificate Status Protocol, and it is an Internet protocol used to retrieve the revocation status of a digital certificate.

That’s what the symcd.com connection is about: checking the revocation state of some certificate. The tool I used to track the network traffic does not have any advanced features to decode the OCSP communication, so I don’t know exactly what information Firefox requests from symcd.com.
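What an application/ocsp-request body actually carries can be recovered with a small DER walk, since an OCSP request (RFC 6960) does not contain the certificate itself, only a hash of the issuer name, a hash of the issuer key and the serial number. The following is an added example, not part of the original post; the issuer blobs and serial are constructed placeholders, not real Symantec data.

```python
"""Build and decode a minimal DER OCSPRequest (RFC 6960) to see which
certificate a browser is asking about. Added example with constructed input."""
import hashlib

OID_SHA1 = bytes.fromhex("2b0e03021a")  # id-sha1, 1.3.14.3.2.26

def der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV with a definite short- or long-form length."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after this TLV) for the TLV at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                      # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def build_ocsp_request(issuer_name: bytes, issuer_spki: bytes, serial: int) -> bytes:
    """OCSPRequest { tbsRequest { requestList { Request { CertID } } } }, unsigned."""
    alg = der(0x30, der(0x06, OID_SHA1) + der(0x05, b""))      # AlgorithmIdentifier
    serial_der = serial.to_bytes((serial.bit_length() + 8) // 8, "big")  # positive INTEGER
    cert_id = der(0x30, alg
                  + der(0x04, hashlib.sha1(issuer_name).digest())   # issuerNameHash
                  + der(0x04, hashlib.sha1(issuer_spki).digest())   # issuerKeyHash
                  + der(0x02, serial_der))                          # serialNumber
    return der(0x30, der(0x30, der(0x30, der(0x30, cert_id))))

def decode_ocsp_request(data: bytes) -> list:
    """Walk OCSPRequest -> tbsRequest -> requestList and return every CertID."""
    _, outer, _ = read_tlv(data, 0)               # OCSPRequest SEQUENCE
    _, tbs, _ = read_tlv(outer, 0)                # tbsRequest (signature would follow)
    tag, first, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                               # optional [0] version
        tag, first, pos = read_tlv(tbs, pos)
    if tag == 0xA1:                               # optional [1] requestorName
        tag, first, pos = read_tlv(tbs, pos)
    results, p = [], 0                            # `first` is now requestList
    while p < len(first):
        _, req, p = read_tlv(first, p)
        _, cert_id, _ = read_tlv(req, 0)
        _, alg, q = read_tlv(cert_id, 0)
        _, oid, _ = read_tlv(alg, 0)
        _, name_hash, q = read_tlv(cert_id, q)
        _, key_hash, q = read_tlv(cert_id, q)
        _, serial, _ = read_tlv(cert_id, q)
        results.append({"hash_oid": oid.hex(), "issuer_name_hash": name_hash.hex(),
                        "issuer_key_hash": key_hash.hex(),
                        "serial": int.from_bytes(serial, "big")})
    return results

# Constructed sample input (placeholders, not a real issuer or certificate).
SAMPLE_REQUEST = build_ocsp_request(b"constructed-issuer-name-der",
                                    b"constructed-issuer-spki-der", 0x1234ABCD)
```

Run `decode_ocsp_request` over the captured body of an application/ocsp-request POST and the serial number it returns is what you look up in the site's certificate chain to see which certificate was being checked.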

So, who owns symcd.com? The WHOIS database answer is Symantec Corporation:

Registrant Organization: Symantec Corporation
Registrant Street: 350 Ellis Street
Registrant City: Mountain View
Registrant State/Province: CA
Registrant Postal Code: 94043
Registrant Country: US

Symcd.com was created on 2013-12-12.

I did not find much information about gv.symcd.com, and the reason for that is probably that there is a large number of subdomains in use. I found this list over at VirusTotal:


I checked a few of the domains, and they all resolved to the 23.43.139.27 IP address.

Thanks for reading!


Remove foxi180_c.tlscdn.com from Firefox, Chrome and Internet Explorer

This page shows how to remove foxi180_c.tlscdn.com from Mozilla Firefox, Google Chrome and Internet Explorer.

Did you just see foxi180_c.tlscdn.com in the status bar of your web browser and ask yourself where it came from? Or did foxi180_c.tlscdn.com show up while you searched for something on one of the major search engines, such as Google?

The following are some of the status bar messages you may see in your browser’s status bar:

  • Waiting for foxi180_c.tlscdn.com…
  • Transferring data from foxi180_c.tlscdn.com…
  • Looking up foxi180_c.tlscdn.com…
  • Read foxi180_c.tlscdn.com
  • Connected to foxi180_c.tlscdn.com…

If this description sounds like what you are seeing, you almost certainly have some adware installed on your system that makes the foxi180_c.tlscdn.com domain appear in your browser. Contacting the site owner would be a waste of time. The foxi180_c.tlscdn.com status bar messages are not coming from them. I’ll try to help you remove the foxi180_c.tlscdn.com status bar messages in this blog post.

Those who have been spending some time on this blog already know this, but here we go: Some time ago I dedicated some of my lab machines and deliberately installed a few adware programs on them. I have been tracking the behaviour on these computers to see what kinds of advertisements are displayed. I’m also looking at other interesting things, such as whether the adware auto-updates, or whether it downloads additional unwanted software onto the computers. I first noticed foxi180_c.tlscdn.com in Mozilla Firefox’s status bar on one of these lab computers.

foxi180_c.tlscdn.com resolves to the 199.115.115.77 IP address. I’ve also seen similar domain names such as foxi180_f.tlscdn.com and foxi180_c0.tlscdn.com in use.

So, how do you remove foxi180_c.tlscdn.com from your browser? On the machine where foxi180_c.tlscdn.com showed up in the status bar I had CheckMeUp installed. I removed it with FreeFixer and that stopped the browser from loading data from foxi180_c.tlscdn.com.

The problem with status bar messages such as this one is that they can be caused by many variants of adware, not just the adware running on my computer. I think that adware such as NewPlayer, BlockAndSurf, SaferSurf and SpeedCheck can also be responsible for foxi180_c.tlscdn.com appearing in the web browser. And there are probably other variants too. This makes it impossible to say exactly what you need to remove to stop the status bar messages.

Anyway, here’s my suggestion for the foxi180_c.tlscdn.com removal:

  1. What software do you have installed if you look in the Add/Remove programs dialog in the Windows Control Panel? Something that you don’t remember installing yourself or that was recently installed?
  2. You can also check the browser add-ons. Same thing here, do you see something that you don’t remember installing?
  3. If that didn’t solve the problem, I’d recommend a scan with FreeFixer to manually track down the adware. FreeFixer is a freeware tool that I’m working on that scans your computer at lots of locations, such as browser add-ons, processes, Windows services, recently modified files, etc. If you want to get additional details about a file in the scan result, you can click the More Info link for that file and a web page will open up with a VirusTotal report which will be very useful to determine if the file is safe or malware:

    FreeFixer More Info link example
    An example of FreeFixer’s “More Info” links. Click for full size.

Did you find any adware on your machine? Did that stop foxi180_c.tlscdn.com? Please post the name of the adware you uninstalled from your machine in the comment below.

Thank you!

Symbu LLC – 9% Detection Rate – DownloadAdmin / WebInstallBundle

Hello! I was looking for some downloads to play around with and found one digitally signed by Symbu LLC. The file is named freeallinonemediaplayer-setup.exe. You may see Symbu LLC appear as the publisher when double-clicking on the freeallinonemediaplayer-setup.exe file.

Symbu LLC uac

By examining the certificate, we can see that Symbu LLC is located in San Francisco, US. The certificate is issued by DigiCert SHA2 Assured ID Code Signing CA.

Symbu LLC certificate

9% of the scanners detected the file when uploaded to VirusTotal. The freeallinonemediaplayer-setup.exe file is detected as Trojan.Win32.Atraps.b by ByteHero, Adware:W32/WebInstallBundle by F-Secure, Win32.Application.DownloadAdmin.A by GData and DownloadAdmin (fs) by VIPRE.

Symbu LLC virustotal

Did you also find a Symbu LLC file?

Hope this blog post helped you avoid some unwanted software on your machine.

Thank you for reading.

What is Google Chrome Packages?

If you have something called Google Chrome Packages installed on your machine, I just want to let you know that it is not something that comes with the official Google Chrome download.

Google Chrome Packages

I found Google Chrome Packages yesterday, while installing an unofficial Chrome download that was digitally signed by World Setup (New Media Holdings Ltd.). That file was detected by 11% of the anti-virus scanners over at VirusTotal.

Hope that helped you figure out what Google Chrome Packages is and how it got onto your system.

Did you also get Google Chrome Packages from this “Chrome” download?

Thanks for reading!

HTTP 503 – “temporarily closed for maintainance” on FreeFixer.com and other anti-malware sites

Just wanted to let you know about a nasty piece of malware that blocks access to many of the anti-virus sites out there. Freefixer.com is one of them. If you see an HTTP 503 error message saying:

“The site is temporarily closed for maintainance. Please try again later.”

when visiting freefixer.com and other sites, you have this infection, or some variant of it. Notice that “maintainance” is spelled incorrectly. A few users had already reported this issue to me, starting in the beginning of January 2015. I first thought I had made some configuration error at the web server, but I could not find any issue, nor that spelling error.

Today, Martin, who is located in Hamburg, Germany, reported that he had been able to track down the root cause. I’ve not been able to get my hands on this malware myself, so I cannot verify it, but according to him nothing showed up in FreeFixer, nor in any of the 3 anti-rootkit scanners he tried.

However, after rebooting from the live Knoppix Linux DVD he was able to track down a malware driver called msreadyboost.sys, located in C:\WINDOWS\system32\drivers. After deleting this driver the system operated normally again.

Thanks Martin! Good job!

Do you also see the HTTP 503 message? Did the removal of msreadyboost.sys solve the problem?


Yes Apps – 36% Detection Rate – OutBrowse

Welcome! Short on time today, but I just wanted to give you the heads up on a publisher called Yes Apps.

Yes Apps UAC

Typically you’d see the Yes Apps publisher name appear when double-clicking on the installer_jdownloader_English.exe file. You can also look at the Yes Apps certificate and digital signature under the Digital Signatures tab in the file’s properties. According to the certificate, Yes Apps is located in Dublin, Ireland.

Yes Apps certificate

After uploading the Yes Apps file – installer_jdownloader_English.exe – to VirusTotal, it was clear that it’s probably better to delete the file than to run it. The detection rate was 36% and some of the detection names were: Downloader.DGR, APPL/Downloader.Gen, PUP.Optional.OutBrowse, Adware-OutBrowse.e and Trojan.Win32.Generic!BT.

Yes Apps virustotal

Did you also find a file signed by Yes Apps? What kind of download was it and where did you find it?

Thank you for reading.

Remove SettingsGuard – Sg.exe and SettingsGuard.exe Removal Instructions

Hello there. I just found another bundled program called SettingsGuard and wanted to give you some removal instructions. SettingsGuard seems to be a variant of BitGuard, which I’ve written about before. If SettingsGuard is running on your computer, you will see SettingsGuard.exe and sg.exe running in the Windows Task Manager:

settingsguard.exe sg.exe task manager

You will also see loader.dll and ld64.dll registered as APPInit_Dlls. I’ll show how to remove SettingsGuard in this blog post with the FreeFixer removal tool.

So, how did SettingsGuard install on your machine? It was probably bundled with some download that you installed recently. Bundling means that software is included in other software’s installers. When I first found SettingsGuard, it was bundled with a download called Codec Perforer. I guess that is a typo and it should be Codec Performer. This is how SettingsGuard was disclosed in Codec Perforer’s installer when I found it:

SettingsGuard installer Searchalgo

The installer file is digitally signed by Elephant Tech Software LLC.

Elephant Tech Software LLC

Generally, you can avoid bundled software such as SettingsGuard by being careful when installing software and declining the bundled offers in the installer.

When I mess around with some new bundled software I usually upload it to VirusTotal to test if the anti-virus tools there find something. 35% of the antimalware scanners detected the sg.exe file. The SettingsGuard files are detected as Gen:Variant.Strictor.73974 by Ad-Aware, Riskware.Agent! by Agnitum and a variant of Win32/SmartCyberTech.A by ESET-NOD32.

sg.exe virustotal

If you would like to remove SettingsGuard you can do so with the freeware FreeFixer tool. Select the SettingsGuard items for removal in FreeFixer, click Fix, restart your machine and the problem will be gone. Here are a few screenshots to point you in the right direction:

Screenshots: sg.exe process; SettingsGuard.exe removal; SettingsGuard startup entry removal; loader.dll and ld64.dll under AppInit_DLLs; ld64.dll removal.

Hope that helped you to figure out how to do the removal.

Did you also find SettingsGuard on your system? Any idea how it installed? Please share in the comments below. Thank you very much!

Hope you found this useful. Thanks for reading.

Install Source (Fried Cookie Ltd.) – 9% Detection Rate – InstallCore

Hello! I was playing around and testing some downloads when I found a file signed by Install Source (Fried Cookie Ltd.).

If you have an Install Source (Fried Cookie Ltd.) file on your computer you may have noticed that Install Source (Fried Cookie Ltd.) pops up as the publisher in the User Account Control dialog when running the file. It is also possible to check a digital signature by looking at a file’s properties.

The issue is that chrome_setup.exe is not an official Google Chrome download. If it was, it should be signed by Google Inc. Here’s what the authentic Google Chrome installer looks like when you double-click on it. Notice that the “Verified publisher” says “Google Inc”.
Chrome Google Inc publisher

Of the 56 anti-virus scanners, 5 detected the file. AVG reports chrome_setup.exe as Generic.834, AVware detects it as InstallCore (fs), Comodo detects it as Application.Win32.FriedCookie.CIRK, ESET-NOD32 reports a variant of Win32/InstallCore.UT and VIPRE detects it as InstallCore (fs).

Install Source virustotal

Did you also find a file digitally signed by Install Source (Fried Cookie Ltd.)? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Thanks for reading.

TOV Doychkhof – 34% Detection Rate – Amonetize

Hello readers! I was playing around and testing some downloads when I found a file digitally signed by TOV Doychkhof.

TOV Doychkhof uac

It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the TOV Doychkhof certificate.

TOV Doychkhof certificate

The issue is that FlashPlayer__6741_i1439870194_il674.exe is not an official Adobe Flash Player download. If it was, it should have been digitally signed by Adobe Systems Incorporated. Here’s what the authentic Adobe Flash Player installer looks like when you double-click on it. Notice that the “Verified publisher” says “Adobe Systems Incorporated”.
Adobe Systems Incorporated - Adobe Flashplayer Installer

When I uploaded the TOV Doychkhof file to VirusTotal, it came up with a 34% detection rate. The file is detected as Trojan.Amonetize.341 by DrWeb, Riskware/Amonetize by Fortinet, not-a-virus:AdWare.Win32.Amonetize.sfd by Kaspersky, Artemis by McAfee-GW-Edition and HEUR/QVM10.1.Malware.Gen by Qihoo-360.

TOV Doychkhof virustotal

Did you also find a file digitally signed by TOV Doychkhof? What kind of download was it and where did you find it?

Thanks for reading.