Remove s.hnisdlmm.com Pop Up Ads

November 17, 2015pop-ups23.23.171.55Roger Karlsson

Did you just get a pop-up from s.hnisdlmm.com and wonder where it came from? Did the s.hnisdlmm.com ad appear to have been popped up from a web site that under normal circumstances don’t use advertising such as pop-up windows? Or did the s.hnisdlmm.com pop-up show up while you clicked a link on one of the major search engines, such as Google, Bing or Yahoo?

Here’s a screenshot of the s.hnisdlmm.com pop-up ad when it showed up on my system:

(I’m sorry for the many watermarks. If I don’t add them, the screenshot always show up at some copy-cat blogs.)

You can also see s.hnisdlmm.com in the browser’s status bar:

Does this sound like your machine, you presumably have some adware installed on your computer that pops up the s.hnisdlmm.com ads. Don’t flame the people that runs the site you were at, the ads are presumably not coming from that website, but from the adware that’s installed on your system. I’ll try help you with the s.hnisdlmm.com removal in this blog post.

Those that have been visiting this blog already know this, but here we go: Some time ago I dedicated some of my lab computers and intentionally installed some adware programs on them. Since then I have been tracking the behaviour on these machines to see what kinds of ads that are displayed. I’m also looking on other interesting things such as if the adware updates itself, or if it downloads and installs additional unwanted software on the machines. I first observed the s.hnisdlmm.com pop-up on one of these lab computers.

s.hnisdlmm.com was registered on 2015-10-29. s.hnisdlmm.com resolves to 23.23.171.55.

So, how do you remove the s.hnisdlmm.com pop-up ads? On the machine where I got the s.hnisdlmm.com ads I had gosearch.me, Windows Menager, SmartComp Safe Network and Live Malware Protection installed. I removed them with FreeFixer and that stopped the s.hnisdlmm.com pop-ups and all the other ads I was getting in Mozilla Firefox.

The problem with this type of pop-up is that it can be initiated by many variants of adware, not just the adware on my system. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

So, what can be done to solve the problem? To remove the s.hnisdlmm.com pop-up ads you need to review your machine for adware or other types of unwanted software and uninstall it. Here’s my suggested removal procedure:

The first thing I would do to remove the s.hnisdlmm.com pop-ups is to examine the programs installed on the machine, by opening the “Uninstall programs” dialog. You can find this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows OS you can just type in “uninstall” in the Control Panel’s search field to find that dialog:

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:

Do you see something suspicious listed there or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if some program was installed about the same time as you started observing the s.hnisdlmm.com pop-ups.

Then I would check the browser add-ons. Adware often appear under the add-ons menu in Google Chrome, Mozilla Firefox, Internet Explorer, Safari or Opera. Is there anything that looks suspicious? Something that you don’t remember installing?

I think you will be able to identify and uninstall the adware with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the adware. FreeFixer is a freeware tool that I’ve developed since 2006. Freefixer is a tool built to manually identify and uninstall unwanted software. When you’ve tracked down the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.

FreeFixer’s removal feature is not locked down like many other removal tools out there. It will not require you to pay for the program just when you are about to remove the unwanted files.

And if you’re having a mess deciding if a file is safe or unsafe in FreeFixer’s scan report, click on the More Info link for the file. That will open up your web browser with a page which contains more details about the file. On that web page, check out the VirusTotal report which can be very useful:

FreeFixer More Info link example — An example of FreeFixer’s “More Info” links. Click for full size.

Here’s a video tutorial showing FreeFixer in action removing pop-up ads:

Did you find any adware on your machine? Did that stop the s.hnisdlmm.com ads? Please post the name of the adware you uninstalled from your machine in the comment below.

Thank you!

Remove s.iktmmny.com Pop Up Ads

November 16, 2015pop-ups23.21.211.254Roger Karlsson

Does this sound familiar? You see pop-up advertisements from s.iktmmny.com while browsing web sites that in general don’t advertise in pop-up windows. The pop-ups manage to bypass the built-in pop-up blockers in Firefox, Chrome, Internet Explorer or Safari. Maybe the s.iktmmny.com pop-ups turn up when clicking search results from Google? Or does the pop-ups turn up even when you’re not browsing?

(Sorry for the large number of watermarks. If I don’t add them, the screenshot will be used without attribution at some other blogs)

Does this sound like what you see your system, you probably have some adware installed on your computer that pops up the s.iktmmny.com ads. Don’t flame the people that runs the site you were at, the ads are presumably not coming from that site, but from the adware that’s installed on your computer. I’ll do my best to help you with the s.iktmmny.com removal in this blog post.

I found the s.iktmmny.com pop-up on one of the lab machines where I have some adware running. I’ve talked about this in some of the previous blog posts. The adware was installed on purpose, and from time to time I check if anything new has appeared, such as pop-up windows, new tabs in the browsers, injected ads on site that usually don’t show ads, or if some new files have been saved to the hard-drive.

s.iktmmny.com resolves to the 23.21.211.254 address. s.iktmmny.com was registered on 2015-10-28.

So, how do you remove the s.iktmmny.com pop-up ads? On the machine where I got the s.iktmmny.com ads I had Live Malware Protection, gosearch.me, SmartComp Safe Network and Windows Menager installed. I removed them with FreeFixer and that stopped the s.iktmmny.com pop-ups and all the other ads I was getting in Mozilla Firefox.

If you are wonder if there are many others out there also getting the s.iktmmny.com ads, the answer is probably yes. Check out the traffic rank from Alexa:

The issue with this type of pop-up is that it can be initiated by many variants of adware, not just the adware running on my machine. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

To remove the s.iktmmny.com pop-up ads you need to check your system for adware or other types of unwanted software and uninstall it. Here’s my suggested removal procedure:

Check what programs you have installed in the Add/Remove programs dialog in the Windows Control Panel. Do you see anything that you don’t remember installing or that was recently installed?
How about your add-ons you have in your browsers. Anything in the list that you don’t remember installing?
If that does not help, I’d recommend a scan with FreeFixer to manually track down the adware. FreeFixer is a freeware tool that I’m working on that scans your computer at lots of locations, such as browser add-ons, processes, Windows services, recently modified files, etc. If you want to get additional details about a file in the scan result, you can click the More Info link for that file and a web page will open up with a VirusTotal report which will be very useful to determine if the file is safe or malware:
An example of FreeFixer’s “More Info” links. Click for full size.

Here you can see FreeFixer in action removing pop-up ads:

Did you find any adware on your machine? Did that stop the s.iktmmny.com ads? Please post the name of the adware you uninstalled from your machine in the comment below.

Thank you!

DIGITAL PLUGIN S.L.U – 53% Detection Rate – SoftPulse / Mikey / AdPlugin

November 16, 2015digital signatureSpain, TenerifeRoger Karlsson

Hello! Just a short note on a publisher called DIGITAL PLUGIN S.L.U.

You can also view the certificate by right-clicking on the file, and looking under the Digital Signature tab: According to the certificate we can see that DIGITAL PLUGIN S.L.U is located in Santa Cruz, Tenerife in Spain and that the certificate is issued by thawte SHA256 Code Signing CA.

After uploading the DIGITAL PLUGIN S.L.U file – Setup(1).exe – to VirusTotal, it was clear that it’s probably better to delete the file than running it. The detection rate was 53% and some of the detection names were: PUA.SoftPulse!, AdPlugin.FNB, Gen:Variant.Mikey.24388, Trojan.Domaiq.321, PUP.Optional.SoftPulse and HEUR/QVM11.1.Malware.Gen.

Did you also find a DIGITAL PLUGIN SLU file?

Thank you for reading.

LLC “YUTA-SOFT” – 13% Detection Rate – BundleApp.NWS / Amonetize

November 14, 2015UncategorizedUkraineRoger Karlsson

Hi there! Just wanted to give you the heads up on a file called that’s digitally signed by LLC “YUTA-SOFT”.

Windows will display LLC “YUTA-SOFT” as the publisher when running the file. The certificate is issued by COMODO RSA Code Signing CA. And the company appears to be located in Ukraine.

For the time being, 7 of the scanners detected the file. AVG detects the Yuta Soft file as BundleApp.NWS, Panda reports Trj/Genetic.gen, ESET-NOD32 detects it as a variant of Win32/Amonetize.LP potentially unwanted, DrWeb reports Trojan.Amonetize.11077 and Malwarebytes detects it as PUP.Optional.Amonetize.

Did you also find a LLC “YUTA-SOFT” download? What kind of download was it?

Hope this blog post helped you avoid some unwanted software on your machine.

Thank you for reading.

Remove s.admtpmp124.com Pop Up Ads

November 14, 2015pop-ups130.211.126.3Roger Karlsson

Does this sound like your story? You see pop-up ads from s.admtpmp124.com while browsing websites that mostl of the time don’t advertise in pop-up windows. The pop-ups manage to sidestep the built-in pop-up blockers in Mozilla Firefox, Google Chrome, Internet Explorer or Safari. Perhaps the s.admtpmp124.com pop-ups appear when clicking search results from Google? Or does the pop ups appear even when you’re not browsing?

Here’s a screenshot of the s.admtpmp124.com pop-up ad when it showed up on my computer:

If you also see this on your machine, you most likely have some adware installed on your machine that pops up the s.admtpmp124.com ads. Contacting the owner of the web site would be a waste of time. They are not responsible for the ads. I’ll do my best to help you with the s.admtpmp124.com removal in this blog post.

For those that are new to the blog: Recently I dedicated a few of my lab machines and purposely installed some adware programs on them. Since then I have been observing the behaviour on these computers to see what kinds of advertisements that are displayed. I’m also looking on other interesting things such as if the adware updates itself, or if it downloads and installs additional unwanted software on the machines. I first found the s.admtpmp124.com pop-up on one of these lab machines.

s.admtpmp124.com was registered on 2015-05-23. s.admtpmp124.com resolves to the 130.211.126.3 address.

The following domains are also registered and its possible that they are used for pop-ups too:

admtpmp123.com
admtpmp125.com
admtpmp126.com
admtpmp127.com
admtpmp128.com

So, how do you remove the s.admtpmp124.com pop-up ads? On the machine where I got the s.admtpmp124.com ads I had Shopper-Pro, ObjectBrowser, MyStartSearch, YTDownloader, iWebar, Wajam, Primary Color and WebShield installed. I removed them with FreeFixer and that stopped the s.admtpmp124.com pop-ups and all the other ads I was getting in Mozilla Firefox.

The s. domain is attracting quite a lot of traffic, just check out the Alexa traffic rank:

The issue with pop-ups such as this one is that it can be popped up by many variants of adware, not just the adware running on my computer. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

Anyway, here’s my suggestion for the s.admtpmp124.com ads removal:

Examine what programs you have installed in the Add/Remove programs dialog in the Windows Control Panel. Do you see anything that you don’t remember installing or that was recently installed?
How about your add-ons you have in your browsers. Anything in the list that you don’t remember installing?
If that does not help, I’d recommend a scan with FreeFixer to manually track down the adware. FreeFixer is a freeware tool that I’m working on that scans your computer at lots of locations, such as browser add-ons, processes, Windows services, recently modified files, etc. If you want to get additional details about a file in the scan result, you can click the More Info link for that file and a web page will open up with a VirusTotal report which will be very useful to determine if the file is safe or malware:
An example of FreeFixer’s “More Info” links. Click for full size.

Here’s a video tutorial showing FreeFixer in action removing pop-up ads:

Did this blog post help you to remove the s.admtpmp124.com pop-up ads? Please let me know or how I can improve this blog post.

Thank you!

LLC “TRUKONF SOFT” – 33% Detection Rate – AdLoad / PUP.Optional.Amonetize

November 9, 2015digital signatureAmonetize, Donetsk, UkraineRoger Karlsson

Welcome! Just wanted to give you heads-up on suspicious file I found right now. The file is digitally signed by LLC “TRUKONF SOFT”.

This is how it looks when double-clicking on the file and LLC “TRUKONF SOFT” appears as the publisher. Viewing the certificate information is also possible by looking under the digital signature tab for the file. Here the certificate says that LLC “TRUKONF SOFT” is located in Ukraine.

The reason I’m writing this blog post is that the LLC “TRUKONF SOFT” file is detected by many of the antimalware progams at VirusTotal. VBA32 names it SScope.Trojan.Zbot.gen, Baidu-International detects the file as PUA.Win32.Amonetize.LI, Kaspersky calls it not-a-virus:Downloader.Win32.AdLoad.rppk, Sophos calls it Generic PUA JA (PUA), Panda reports PUP/Multitoolbar and Malwarebytes detects it as PUP.Optional.Amonetize.

Did you also find a LLC “TRUKONF SOFT” file?

Thank you for reading.

PremiumBeam (New Media Holdings Ltd.) – 15% Detection Rate – InstallCore

November 9, 2015digital signatureInstallCore, Israel, Tel AvivRoger Karlsson

Hi there! Just a quick post today, since I’m busy working with the next release of FreeFixer. Did you see a file, such as vlc-media-player.exe, on your system signed by PremiumBeam (New Media Holdings Ltd.)? Then read on..

If you have a PremiumBeam (New Media Holdings Ltd.) file on your computer you may have noticed that PremiumBeam (New Media Holdings Ltd.) pops up as the publisher in the User Account Control dialog when running the file. The PremiumBeam (New Media Holdings Ltd.) certificate shows that the publisher is located in Tel Aviv, Israel.

These are the current VirusTotal detections for the file. PUP.Optional.InstallCore, HEUR/QVM06.1.Malware.Gen, Install Core Click run software (PUA), SScope.Malware-Cryptor.InstallCore and InstallCore (fs) as a few of the detection names for the vlc-media-player.exe file.

Did you also find a file signed by PremiumBeam (New Media Holdings Ltd.)? What kind of download was it and where did you find it?

Thanks for reading.

Adverts Technologies – 25% Detection Rate – PUP.Optional.Adverts / ToDownload

November 9, 2015digital signatureMoscow, RussiaRoger Karlsson

Hi there! Just a quick post on a file named mediaplayer_update.exe signed by Adverts Technologies.

You can also see the Adverts Technologies certificate by looking under the Digital Signature tab on the file’s properties. According to the certificate, Adverts Technologies is located in Moscow, Russia.

The issue with the Adverts Technologies file is that it is detected by many of the antimalware progams. Here are some of the detection names: Generic.E4D, PUP.Optional.Adverts, HEUR/QVM06.1.Malware.Gen, InstallCore ToDownload (PUA), SAPE.InstallCore.2505, Trojan.Win32.Generic!BT and Adware.BrowseFox.Win32.128816.

Did you also find an Adverts Technologies? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thanks for reading.

RUn apps fOrevEr Lld – 35% Detection Rate

November 9, 2015digital signatureDublin, Ireland, OutBrowseRoger Karlsson

Hi there! Just a quick post on a file named Medal Of Honour PC Game Full version Free Download.exe signed by RUn apps fOrevEr Lld.

The following screenshot shows the User Account Control dialog when running the RUn apps fOrevEr Lld file:

It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the RUn apps fOrevEr Lld certificate.

The VirusTotal report shows that the RUn apps fOrevEr Lld file should be avoided, since Medal Of Honour PC Game Full version Free Download.exe is detected as Trojan.OutBrowse.1613 by DrWeb, Downloader.AAPP by AVG, SoftwareBundler:Win32/Outbrowse by Microsoft, OutBrowse by VIPRE and HEUR/QVM42.0.Malware.Gen by Qihoo-360.

Did you also find a file that was digitally signed by RUn apps fOrevEr Lld? What kind of download was it and was it reported by the anti-malware scanners at VirusTotal? Please share by posting a comment.

Thanks for reading.

SaFE clIck LoL – 36% Detection Rate

November 8, 2015digital signatureDublin, Ireland, OutBrowseRoger Karlsson

Welcome! Just wanted to give you the heads up on files digitally signed by SaFE clIck LoL.

You will also see SaFE clIck LoL listed as the verified publisher in the User Account Control dialog that pops up if you try to run the file: It’s possible to view additional information about the embedded certificate by right-clicking on the file, choosing properties and then clicking on the Digital Signatures tab. According to the certificate we can see that SaFE clIck LoL appears to be located in Dublin, Ireland and that the certificate is issued by thawte SHA256 Code Signing CA.

The problem with the SaFE clIck LoL file is that it is detected by many of the antimalware scanners. Here are some of the detection names: Downloader.AAPP, PUA/Outbrowse.Gen, SoftwareBundler:Win32/Outbrowse and OutBrowse.

Did you also find an SaFE clIck LoL? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thanks for reading.