If you noticed something called Vi-View or ViView appear on your machine and have no idea where it came from, it may have been bundled with another download. That’s where I found it:
Remove new-install.com Pop-Up Ads
Did you just get a pop-up from new-install.com or check.new-install.com and ask yourself where it came from? Did the new-install.com ad appear to have been launched from a web site that under normal circumstances doesn’t use aggressive advertising such as pop-up windows? Or did the new-install.com pop-up show up when you clicked a link on one of the big search engines, such as Google, Bing or Yahoo?
Here is a screenshot of the new-install.com pop-up from my computer:
The web site makes some false claims that my Adobe Flash Player is not updated and vulnerable to malware.
If this sounds like your story, you presumably have some adware installed on your machine that pops up the new-install.com ads. So there’s no use contacting the owner of the site you were visiting. The ads are not coming from them. I’ll do my best to help you remove the new-install.com pop-up in this blog post.
Those who have been reading this blog already know this, but for new visitors: Some time ago I dedicated some of my lab machines and deliberately installed some adware programs on them. Since then I’ve been following the behaviour on these computers to see what kinds of advertisements are displayed. I’m also looking at other interesting things, such as whether the adware updates itself automatically, or whether it installs additional unwanted software on the machines. I first spotted the new-install.com pop-up on one of these lab machines.
check.new-install.com resolves to the 198.7.56.107 IP address and so does new-install.com. new-install.com was registered on 2014-12-06.
So, how do you remove the new-install.com pop-up ads? On the machine where I got the new-install.com ads I had PriceHorse, OfferBouleward, Salus, Browsers_App_pro and Lampy Lighty installed. I removed them with FreeFixer and that stopped the new-install.com pop-ups and all the other ads I was getting in Mozilla Firefox.
The problem with pop-ups such as this one is that they can be launched by many variants of adware. This makes it impossible to say exactly what you need to remove to stop the pop-ups.
So, what should be done to solve the problem? To remove the new-install.com pop-up ads you need to check your machine for adware or other types of unwanted software and uninstall it. Here’s my suggested removal procedure:
- Review what programs you have installed in the Add/Remove programs dialog in the Windows Control Panel. Do you see something that you don’t remember installing or that was recently installed?
- How about the add-ons you have in your browsers? Anything in the list that you don’t remember installing?
- If that didn’t solve the problem, you can give FreeFixer a try. FreeFixer is built to assist users when manually tracking down adware and other types of unwanted software. It is a freeware utility that I’ve been working on since 2006 and it scans your machine at lots of locations where unwanted software is known to hook into your machine. If you would like to get additional details about a file in FreeFixer’s scan result, you can just click the More Info link for that file and a web page with a VirusTotal report will open up, which can be very useful to determine if the file is safe or malware:
An example of FreeFixer’s “More Info” links.
Here you can see FreeFixer in action removing the adware that caused pop-up ads:
Did this blog post help you to remove the new-install.com pop-up ads? Please let me know, or tell me how I can improve this blog post.
Thank you!
How To Remove PremiumEnforcer
R2D2 Tech Software LLC – 27% Detection Rate – Eldorado/InstallBrain
Hi there! Just a short post this morning on a publisher called R2D2 Tech Software LLC. The R2D2 Tech Software LLC download – CodecPerformerSetup.exe – was detected when I uploaded it to VirusTotal. Did you also find a download by R2D2 Tech Software LLC? Was it also detected when you uploaded it to VirusTotal?
If you have an R2D2 Tech Software LLC file on your machine you may have noticed that R2D2 Tech Software LLC is displayed as the publisher in the UAC dialog when double-clicking on the file. Viewing the certificate information is also possible by looking under the digital signature tab for the file. Here the certificate says that R2D2 Tech Software LLC is located in Beaverton, Oregon, USA.
So, why am I writing about the R2D2 Tech Software LLC file? Check out what the anti-virus scanners report about the file:
F-Prot reports CodecPerformerSetup.exe as W32/A-3442f84d!Eldorado, Qihoo-360 classifies it as Malware.QVM06.Gen and VIPRE detects it as InstallBrain (fs), to name a few of the detection names for CodecPerformerSetup.exe.
Did you also find an R2D2 Tech Software LLC download? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.
Thank you for reading.
How To Scan a File for Viruses with VirusTotal
If this is the first time you’ve heard about VirusTotal.com, add it to your bookmarks right away. VirusTotal is an online service where you can upload a file and more than 50 anti-virus programs will scan the file to detect various types of malware. This can be quite useful if you have downloaded something and you are not confident the file is safe.
Here’s a quick demonstration of how to upload and scan a file at VirusTotal.
- Open your browser and go to www.virustotal.com. It will look something like this:
- Click on the Choose File button and browse to the file that you want to scan. When you’ve found the file, click Open.
- Then click the Scan it! button to start the scan.
- After a few minutes the scan is usually complete. The file I chose to scan, tv.exe, is detected as malware by 8 of the 53 anti-virus scanners as you can see in the screenshot below. The scan result also shows the detection names. Some of the anti-virus programs call the tv.exe file “Cyberservice” and “DownloadGuide”.
Another cool thing with VirusTotal is that they have a free API which allows web sites, such as this one, to upload samples and have the anti-virus programs scan the file. Thanks to this excellent API I can show scan results for files in FreeFixer’s library. Here’s an example of a scan result from freefixer.com for an adware file called PennyBeeW.exe:
Thank you for reading.
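As an added example (not FreeFixer's code and not from the original post), here is one way to look a file up by its SHA-256 hash through the VirusTotal API and reduce the report to the "N of M scanners" figure and detection names quoted in these posts. It assumes the API v3 file-report endpoint, the `x-apikey` header and a key of your own; the sample report is constructed, with EngineA to EngineE as placeholder scanner names.

```python
import hashlib
import json
import urllib.error
import urllib.request

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"  # API v3 file report
FLAGGED = {"malicious", "suspicious"}
CLEAN = {"harmless", "undetected"}

def sha256_of(path):
    """Hash the file locally so it can be looked up without uploading it."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()

def fetch_report(file_hash, api_key):
    """Return the parsed report, or None if VirusTotal has never seen the hash."""
    req = urllib.request.Request(VT_FILE_URL.format(file_hash),
                                 headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:  # unknown file: absence of a report is not a clean result
            return None
        raise

def summarize(report):
    """Count only engines that returned a verdict; timeouts and unsupported
    file types would otherwise deflate the detection rate."""
    results = report["data"]["attributes"]["last_analysis_results"]
    verdicts = {e: r for e, r in results.items() if r["category"] in FLAGGED | CLEAN}
    names = {e: r["result"] for e, r in sorted(verdicts.items())
             if r["category"] in FLAGGED}
    rate = round(100 * len(names) / len(verdicts)) if verdicts else 0
    return {"flagged": len(names), "scanned": len(verdicts), "rate": rate, "names": names}

# Constructed sample in the v3 response shape (not a real scan result).
SAMPLE = {"data": {"attributes": {"last_analysis_results": {
    "F-Prot": {"category": "malicious", "result": "W32/A-3442f84d!Eldorado"},
    "Qihoo-360": {"category": "malicious", "result": "Malware.QVM06.Gen"},
    "VIPRE": {"category": "malicious", "result": "InstallBrain (fs)"},
    "EngineA": {"category": "undetected", "result": None},
    "EngineB": {"category": "undetected", "result": None},
    "EngineC": {"category": "harmless", "result": None},
    "EngineD": {"category": "timeout", "result": None},
    "EngineE": {"category": "type-unsupported", "result": None},
}}}}
```

A `None` from `fetch_report` only means the file has not been submitted before, so in that case upload it through the web form as described above.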
Li Mo Publisher – 22% Detection Rate at VirusTotal
Welcome! Lately I’ve been looking at the digital signatures on files that push various types of unwanted programs. This morning I found a new file called w3i_webssearches.exe, digitally signed by Li Mo.
You can see who the signer is when double-clicking on an executable file. Li Mo appears in the publisher field in the dialog that pops up. It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the Li Mo certificate.
At the moment, 22% of the scanners detected the file. The w3i_webssearches.exe file is detected as Riskware.Agent! by Agnitum, PUP/Win32.SearchHijacker by AhnLab-V3, PUA.Win32.LiMo.bA by Baidu-International, Adware.Mutabaha.80 by DrWeb and Win32.Application.Elex.E by GData.
Did you also find a file digitally signed by Li Mo? What kind of download was it and where did you find it?
Thank you for reading.
How To Remove Sup-SW 0.22
FRGSmartBar bundled in fake Flash Player
If you found something called FRGSmartBar and wonder where it came from, you might have got it bundled with another download. I found FRGSmartBar bundled in a fake Flash Player download.
You can remove FRGSmartBar with FreeFixer. The files that you need to check for removal contain “FRG” or “Smartbar”, so they are pretty easy to locate.
What is Super Optimizer and How To Remove It
Hello, just a quick post on a program called Super Optimizer. If Super Optimizer appeared unexpectedly on your machine, it may have been bundled with some other program that you installed recently. Here’s how Super Optimizer was disclosed in two installers when I found it:
Here’s what Super Optimizer’s user interface looks like:
If you’d like to remove Super Optimizer, you can do so from the Windows Control Panel.
Thanks for reading.
Remove websearch.searc-hall.info from Firefox, Chrome and Internet Explorer
Found an installer this morning that claimed it would change many of my browser settings to websearch.searc-hall.info, but instead it changed them to websearch.searchfix.info. Perhaps due to a programming error or perhaps on purpose. I don’t know.
You can remove the websearch.searc-hall.info hijack, or websearch.searchfix.info, with FreeFixer. You can also use the Reset Browser feature in Chrome, Firefox and Internet Explorer to restore your browsers to the default state.
Thanks for reading.