Remove pesquisa.ninja from Firefox, Chrome and Internet Explorer

August 28, 2015browser status bar89.30.141.30Roger Karlsson

This page shows how to remove pesquisa.ninja from Mozilla Firefox, Google Chrome and Internet Explorer.

Did you just see pesquisa.ninja in the status bar of your browser and ask yourself where it came from? Or did pesquisa.ninja show up while you searched for something on one of the major search engines, such as the Google.com search engine?

(Sorry for the watermarks. Need to add them to prevent the most blatant attempts of other bloggers using my screenshots without attribution)

In my case, pesquisa.ninjam showed up in the status bar while I was doing a search at Google.

The following are some of the status bar messages you may see in your browser’s status bar:

Waiting for pesquisa.ninja…
Transferring data from pesquisa.ninja…
Looking up pesquisa.ninja…
Read pesquisa.ninja
Connected to pesquisa.ninja…

Does this sound like your experience, you probably have some potentially unwanted program installed on your system that makes the pesquisa.ninja domain appear in your web browser. Contacting the owner for the site you were at would be a waste of time. The pesquisa.ninja status bar messages are not coming from them. I’ll try help you to remove the pesquisa.ninja status bar messages in this blog post.

Those that have been following this blog already know this, but here we go: A little while back I dedicated some of my lab systems and deliberately installed some potentially unwanted programs on them. I have been observing the behaviour on these computers to see what kinds of advertisements, if any, that are displayed. I’m also looking on other interesting things such as if the potentially unwanted program updates itself, or if it downloads and installs additional software on the systems. I first noticed pesquisa.ninja in Mozilla Firefox’s status bar on one of these lab computers.

pesquisa.ninja resolves to the 89.30.141.30 address. pesquisa.ninja was registered on 2014-09-22.

According to DomainTools and YouGetSignal’s reverse lookup, the following domains also resolve to the same IP address:

bogots.com
dounty.com
pesquisa.ninja
pesquisa.gratis
vancouver.craigslist.ca
www.safesearch.co
zwiiky.com

So, how do you remove pesquisa.ninja from your browser? On the machine where pesquisa.ninja showed up in the status bar I had WNet, CashReminder, ActSys and Plain Savings installed. I removed them with FreeFixer and that stopped the browser from loading data from pesquisa.ninja.

Judging from Alexa’s traffic rank, pesquisa.ninja is getting quite a lot of traffic:

The bad news with status bar notifications such as this one is that it can be caused by many variants of potentially unwanted programs, not just the potentially unwanted program that’s installed on my system. This makes it impossible to say exactly what you need to remove to stop the statusbar messages.

Anyway, here’s my suggestion for the pesquisa.ninja removal:

What software do you have installed if you look in the Add/Remove programs dialog in the Windows Control Panel? Something that you don’t remember installing yourself or that was recently installed?
You can also check the web browser add-ons. Same thing here, do you see something that you don’t remember installing?
If that did not help, I’d recommend a scan with FreeFixer to manually track down the potentially unwanted program. FreeFixer is a freeware tool that I’m working on that scans your computer at lots of locations, such as browser add-ons, processes, Windows services, recently modified files, etc. If you want to get additional details about a file in the scan result, you can click the More Info link for that file and a web page will open up with a VirusTotal report which will be very useful to determine if the file is safe or malware:
An example of FreeFixer’s “More Info” links. Click for full size.

Did you find any potentially unwanted program on your machine? Did that stop pesquisa.ninja? Please post the name of the potentially unwanted program you uninstalled from your machine in the comment below.

Thank you!

Gencolabs LLC – 30% Detection Rate

August 27, 2015UncategorizedComodoRoger Karlsson

Welcome! If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. Today I found another publisher called Gencolabs LLC.

The following screenshot shows the User Account Control dialog when running the Gencolabs LLC file:

Viewing the certificate information is also possible by looking under the digital signature tab for the file. Here the certificate says that Gencolabs LLC is located in Lewes in Delaware, US. Comodo has issued the certificate:

30% of the scanners detected the file. Avast detects breaking-bad-1-2-3-4-e-5-temporada-torrent-bdrip-bluray-720p-dual-udio.exe as NSIS:Downloader-ACE [PUP], NANO-Antivirus classifies it as Trojan.Nsis.Fraudster.dsyctt and Sophos classifies it as AdLoad (PUA).

Did you also find a Gencolabs LLC download? What kind of download was it?

Hope this blog post helped you avoid some unwanted software on your machine.

Thanks for reading.

Remove surveysforconsumers.com Pop Up Ads

August 23, 2015pop-ups162.159.241.141Roger Karlsson

Did you just get a pop-up from surveysforconsumers.com and wonder where it came from? Did the surveysforconsumers.com ad appear to have been popped up from a web site that under normal circumstances don’t use advertising such as pop-up windows? Or did the surveysforconsumers.com pop-up show up while you clicked a link on one of the major search engines, such as Google, Bing or Yahoo?

Here is a screenshot on the surveysforconsumers.com pop-up from my system:

(I’m sorry for the many watermarks. If I don’t add them, the screenshot always show up at some copy-cat blogs.)

If this sounds like what you are seeing on your system, you most likely have some adware installed on your computer that pops up the surveysforconsumers.com ads. So don’t flame the people that owns the website you were at, the ads are most likely not coming from that website, but from the adware that’s installed on your system. I’ll do my best to help you remove the surveysforconsumers.com pop-up in this blog post.

I found the surveysforconsumers.com pop-up on one of the lab systems where I have some adware running. I’ve talked about this in some of the previous blog posts. The adware was installed on purpose, and from time to time I check if something new has appeared, such as pop-up windows, new tabs in the browsers, injected ads on site that usually don’t show ads, or if some new files have been saved to the hard-drive.

surveysforconsumers.com was created on 2015-05-06. surveysforconsumers.com resolves to 162.159.241.141. According to YouGetSignal’s reverse lookup service, the following domains are located on the same server:

123-videos.fr
bayarea.yurisnight.net
buckhamduffy.com
chinammm.net
guvengroup.com.tr
mobilyukle.com.tr
nuagra.com
onroaders.com
restaurantsbrighton.co.uk
studentlaunchpad.com
surveysforconsumers.com
t1l1.org
tribundergi.com
www.automaticcorporation.com
www.digiscore.com.au
www.drinksmixer.com
www.lovejoyhospice.org
www.motorbikesandparts.co.uk
www.senatoronline.org.au
www.swesspharma.com
zoywiki.com

So, how do you remove the surveysforconsumers.com pop-up ads? On the machine where I got the surveysforconsumers.com ads I had istartsurf, MedPlayerNewVersion and Movie Wizard installed. I removed them with FreeFixer and that stopped the surveysforconsumers.com pop-ups and all the other ads I was getting in Mozilla Firefox.

If you are wonder if there are many others out there also getting the surveysforconsumers.com ads, the answer is probably yes. Check out the traffic rank from Alexa:

The bad news with pop-ups like the one described in this blog post is that it can be launched by many variants of adware, not just the adware that’s installed on my system. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

To remove the surveysforconsumers.com pop up ads you need to examine your computer for adware or other types of unwanted software and uninstall it. Here’s my suggested removal procedure:

The first thing I would do to remove the surveysforconsumers.com pop-ups is to examine the software installed on the machine, by opening the “Uninstall programs” dialog. You can find this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows you can just type in “uninstall” in the Control Panel’s search field to find that dialog:

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:

Do you see something strange-looking listed there or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if some program was installed approximately about the same time as you started getting the surveysforconsumers.com pop-ups.

Then I would check the browser add-ons. Adware often show up under the add-ons menu in Google Chrome, Mozilla Firefox, Internet Explorer, Safari or Opera. Is there something that looks suspicious? Anything that you don’t remember installing?

I think you will be able to identify and remove the adware with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the adware. FreeFixer is a freeware tool that I’ve developed since 2006. Freefixer is a tool built to manually identify and remove unwanted software. When you’ve identified the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.

FreeFixer’s removal feature is not crippled like many other removal tools out there. It won’t require you to pay a fee just when you are about to remove the unwanted files.

And if you’re having a hard time figuring out if a file is legitimate or unsafe in the FreeFixer scan report, click on the More Info link for the file. That will open up your web browser with a page which contains more information about the file. On that web page, check out the VirusTotal report which can be quite useful:

FreeFixer More Info link example — An example of FreeFixer’s “More Info” links. Click for full size.

Here’s a video tutorial which shows FreeFixer in action removing adware that caused pop-up ads:

Did this blog post help you to remove the surveysforconsumers.com pop-up ads? Please let me know or how I can improve this blog post.

Thank you!

Remove s.rev2pub.com Pop Up Ads

August 23, 2015Uncategorized146.148.88.12, 184.72.246.247Roger Karlsson

Does this sound like what you are seeing right now? You see pop-up ads from s.rev2pub.com while browsing sites that normally don’t advertise in pop-up windows. The pop-ups manage to sidestep the built-in pop-up blockers in Mozilla Firefox, Google Chrome, Internet Explorer or Safari. Maybe the s.rev2pub.com pop-ups appear when clicking search results from Google? Or does the pop-ups appear even when you’re not browsing?

Here’s a screen capture of the s.rev2pub.com pop-up ad when it showed up on my machine in a new tab:

(Sorry for the ridiculous use of watermarks. I have to do it to stop the copy-cats.)

If you also see this on your system, you presumably have some adware installed on your computer that pops up the s.rev2pub.com ads. So there’s no idea contacting the owner of the site you currently were browsing. The ads are not coming from them. I’ll do my best to help you remove the s.rev2pub.com pop-up in this blog post.

I found the s.rev2pub.com pop-up on one of the lab computers where I have some adware running. I’ve talked about this in some of the previous blog posts. The adware was installed on purpose, and from time to time I check if anything new has appeared, such as pop-up windows, new tabs in the browsers, injected ads on web site that usually don’t show ads, or if some new files have been saved to the hard-drive.

s.rev2pub.com resolves to the 146.148.88.12 address and rev2pub.com to 184.72.246.247. s.rev2pub.com was registered on 2013-11-27.

So, how do you remove the s.rev2pub.com pop-up ads? On the machine where I got the s.rev2pub.com ads I had istartsurf, MedPlayerNewVersion and Movie Wizard installed. I removed them with FreeFixer and that stopped the s.rev2pub.com pop-ups and all the other ads I was getting in Mozilla Firefox.

The s.rev2pub.com domain is attracting quite a lot of traffic, just check out the Alexa traffic rank:

The issue with pop-ups such as this one is that it can be popped up by many variants of adware, not just the adware running on my machine. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

So, what can be done to solve the problem? To remove the s.rev2pub.com pop-up ads you need to review your computer for adware or other types of unwanted software and uninstall it. Here’s my suggested removal procedure:

Review what programs you have installed in the Add/Remove programs dialog in the Windows Control Panel. Do you see anything that you don’t remember installing or that was recently installed?
How about your browser add-ons. Anything in the list that you don’t remember installing?
If that didn’t solve the problem, I’d recommend a scan with FreeFixer to manually track down the adware. FreeFixer is a freeware tool that I’m working on that scans your computer at lots of locations, such as browser add-ons, processes, Windows services, recently modified files, etc. If you want to get additional details about a file in the scan result, you can click the More Info link for that file and a web page will open up with a VirusTotal report which will be very useful to determine if the file is safe or malware:
An example of FreeFixer’s “More Info” links. Click for full size.

Here you can see FreeFixer in action removing the adware that caused pop-up ads:

Did you find any adware on your machine? Did that stop the s.rev2pub.com ads? Please post the name of the adware you uninstalled from your machine in the comment below.

Thank you!

Social Voicing Solutions – 23% Detection Rate – Jaik / DownloadAdmin / Trj/Genetic.gen

August 21, 2015UncategorizedVerisignRoger Karlsson

Hello! Just wanted to give you heads-up on suspicious file I found right now. The file is named vlc-media-player.exe and digitally signed by Social Voicing Solutions.

If you have a Social Voicing Solutions file on your machine you may have noticed that Social Voicing Solutions is displayed as the publisher in the UAC dialog when double-clicking on the file. Viewing the certificate information is also possible by looking under the digital signature tab for the file. Here the certificate says that Social Voicing Solutions is located in San Fransisco in California, US.

VeriSign has issued the certificate:

Gen:Variant.Application.Jaik, PUP.Optional.DownloadAdmin, DownloadAdmin and Trj/Genetic.gen are some detection names according to VirusTotal:

Did you also find a file digitally signed by Social Voicing Solutions? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Thanks for reading.

TEA TIME BISCUITS – 21% Detection Rate – DownloadAdmin / Jaik

August 16, 2015browser status barDownloadAdmin, Jaik, San Fransisco, USRoger Karlsson

Welcome! Just wanted to give you the heads up on a file called “additionaloffers-setup[1].exe” that’s digitally signed by TEA TIME BISCUITS.

I found this file on my lab machine after trying out a download from CNet’s Download.com site.

You can view the certificate shown above by right-clicking on the file, choosing properties and then clicking on the Digital Signatures tab. According to the embedded certificate we can see that TEA TIME BISCUITS seems to be located in San Fransisco, California, US and that the certificate is issued by VeriSign Class 3 Code Signing 2010 CA.

So, what the issue with the TEA TIME BISCUITS file? Just check out detection list by some of the anti-virus program:

F-Secure reports additionaloffers-setup[1].exe as Gen:Variant.Application.Jaik, GData detects it as Gen:Variant.Application.Jaik.8223 and Malwarebytes calls it PUP.Optional.DownloadAdmin.

Did you also find a TEA TIME BISCUITS file? Do you remember where you downloaded it?

Thank you for reading.

Vega Resource, LLC – 16% Detection Rate – HEUR:AdWare.Win32.Generic

August 14, 2015digital signatureMultiPlug, Thawte, UkraineRoger Karlsson

Hello readers! Just a short post on a publisher called Vega Resource, LLC. I just found a download named “Download.exe” that was digitally by this publisher, and it turns out that it is detected by some anti-virus programs.

This is how it looks when double-clicking on the file and Vega Resource, LLC appears as the publisher. It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the Vega Resource, LLC certificate.

By clicking at the Certificate Path tab, we can see that Thawte has issued the certificate:

The scan result from VirusTotal below clearly shows why you should avoid the Vega Resource, LLC file. It is detected under names such as Generic6.BURQ, a variant of Win32/Adware.MultiPlug.NX, Unwanted-Program ( 004ccd421 ), not-a-virus:HEUR:AdWare.Win32.Generic, PE:Packer.Win32.Mian007.a!1074235325 and Trojan.Agent/Gen-Downloader.

Did you also run into a download that was digitally signed by Vega Resource, LLC? What kind of download was it and was it reported by the anti-malwares at VirusTotal? Please share in posting comments below.

Hope this blog post helped you avoid some unwanted software on your machine.

Thanks for reading.

BEst inSTall TLl – 49% Detection Rate

August 13, 2015digital signatureDublin, Ireland, OutBrowseRoger Karlsson

Hello readers! If you are a regular here on the FreeFixer blog you know that I’ve been looking on the certificates used to sign files that bundled various types of unwanted software. Today I found another certificate, used by a publisher called BEst inSTall TLl.

If you have a BEst inSTall TLl file on your machine you may have noticed that BEst inSTall TLl is displayed as the publisher in the UAC dialog when double-clicking on the file. You can also check the digital signature under the file’s properties. According to the embedded certificate we can see that BEst inSTall TLl is located in Dublin, Ireland and that the certificate is issued by thawte SHA256 Code Signing CA.

Thawte has issued the certificate.

So, what does the anti-virus programs say about the BEst inSTall TLl file? No problem, I just uploaded the file to VirusTotal and it turned out that many of the anti-virus programs detects the BEst inSTall TLl file, with names such as NSIS:OutBrowse-DQ [PUP], Downloader.QWU, Gen:Variant.Adware.Mikey.21084, HEUR/QVM30.1.Malware.Gen and Generic PUA AA (PUA).

Did you also find a BEst inSTall TLl file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thanks for reading.

Update 2015-08-18: Found another download, also signed by Best Install TLl, claiming to be an episode of a famous TV series. The detection rate for this file was 45%. Notice that the installer does not have any button to cancel the installation.

Semen Korzuba – VirusTotal: 33% Detection – MultiPlug, Trj/Genetic.gen

August 11, 2015digital signatureCertum, UkraineRoger Karlsson

Hello! Just a short post before I call it a day. I found yet another file that bundled a bunch of unwanted programs, and the file was signed by Semen Korzuba.

Windows will display Semen Korzuba as the publisher when running the file. The certificate is issued by Certum Code Signing CA.

The VirusTotal report shows that the Semen Korzuba file should be avoided, since Download Uc Browser V Handler Zip.exe is detected as TR/Dropper.Gen by Avira, a variant of Win32/Adware.MultiPlug.NU by ESET-NOD32, PUP.Optional.Multiplug by Malwarebytes, Trj/Genetic.gen by Panda and MultiPlug (v) by VIPRE.

Did you also find a file digitally signed by Semen Korzuba? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Thanks for reading.

starT PlaYInG – 53% Detection Rate – Mikey / PUGO / OutBrowse

August 10, 2015digital signatureDublin, Ireland, ThawteRoger Karlsson

Hi there! Just wanted to let you know about a publisher called starT PlaYInG before going back to writing some code for FreeFixer.

If you have a starT PlaYInG file on your machine you may have noticed that starT PlaYInG is displayed as the publisher in the UAC dialog when double-clicking on the file. It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the starT PlaYInG certificate.

Thawte has issued the certificate:

If you are considering to run the starT PlaYInG signed file, I’ll advice you not to. Delete it instead. Just check out detection list by some of the anti-virus program:

Avast reports Player.exe as NSIS:OutBrowse-DQ [PUP], AVG calls it Downloader.OPP, BitDefender detects it as Gen:Variant.Adware.Mikey.21084, Cyren reports W32/Adware.PUGO-0761 and VIPRE reports OutBrowse (fs).

Did you also find a starT PlaYInG file?

Thank you for reading.