ClIck to StaRt – 24% Detection Rate – OutBrowse

Hello readers! Just a quick post on a publisher called ClIck to StaRt that I found while running some tests for the upcoming FreeFixer release. The suspicious file is named Animal Porn On Android.exe.

The following screenshot shows the User Account Control dialog when running the ClIck to StaRt file:

ClIck to StaRt publisher

To get more details on the publisher, you can view the certificate by right-clicking on the file, choosing Properties and looking under the Digital Signatures tab. The screenshot below shows the ClIck to StaRt certificate. From the certificate info we can see that ClIck to StaRt appears to be located in Dublin, Ireland.

ClIck to StaRt certificate

The reason I’m writing this blog post is that the ClIck to StaRt file is detected by many of the anti-virus engines at VirusTotal. AVG reports Luhe.Fiha.A, McAfee reports Adware-OutBrowse.h, Avast names Animal Porn On Android.exe as Win32:Malware-gen, ClamAV detects it as Win.Adware.Outbrowse-1167 and DrWeb detects it as Trojan.OutBrowse.1694.

ClIck to StaRt anti-virus report

Did you also find a ClIck to StaRt file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thanks for reading.

Media Story (New Media Holdings Ltd) – 11% Detection Rate – InstallCore

Hello! Just a note on a publisher called Media Story (New Media Holdings Ltd). The Media Story (New Media Holdings Ltd) download – chrome-download.exe – was detected when I uploaded it to VirusTotal. Did you also find a download by Media Story (New Media Holdings Ltd)? Was it also detected when you uploaded it to VirusTotal?

Media Story New Media Holdings Ltd cert uac

By looking at the certificate we can see that Media Story (New Media Holdings Ltd) appears to be located in Tel Aviv in Israel.

Media Story (New Media Holdings Ltd) cert

What caught my attention was that the download was called chrome-download.exe. This might look like an official Google Chrome download, but it is not. If it were an official download, it would be digitally signed by Google Inc. Here is how the authentic Google Chrome installer looks when you double-click it. Notice that the “Verified publisher” says “Google Inc”.
Chrome Google Inc publisher

The scan result from VirusTotal below clearly shows why you should avoid the Media Story (New Media Holdings Ltd) file. It is detected under names such as Adware ( 004cf5d71 ), PUP.Optional.InstallCore and Install Core Click run software (PUA).

Media Story New Media Holdings Ltd anti-virus report

Since you probably came here after finding a download that was signed by Media Story (New Media Holdings Ltd), please share what kind of download it was and whether it was detected by the anti-virus programs at VirusTotal.

Thanks for reading.

BoxI DJV – 49% Detection Rate – OutBrowse / Downloader.YVA / W32.HfsAdware

Hi there! Ran into a BoxI DJV file about a week ago, but decided not to blog about it since my schedule was full with other things. I’m currently working on improving the freefixer.com web site with some new features.

However, I changed my mind today about BoxI DJV since there are currently a large number of files being distributed with the BoxI DJV signature. And since the BoxI DJV file is detected by many of the anti-virus programs out there, I wanted to give you the heads up with a short blog post about it. Here’s BoxI DJV listed as the verified publisher:

BoxI DJV

You can see who the signer is when double-clicking on an executable file. BoxI DJV appears in the publisher field in the dialog that pops up. The certificate is issued by thawte SHA256 Code Signing CA.

Here are the detections from VirusTotal for BoxI DJV:

BoxI DJV anti-virus report

The detection rate is 26/53. The Moborobo.exe file is detected as OutBrowse by VIPRE, Riskware/OutBrowse by Fortinet, PUA.Boxidjv1.Gen by CAT-QuickHeal, Trojan.OutBrowse.1215 by DrWeb, Downloader.YVA by AVG, W32.HfsAdware.9EC9 by Bkav and SAPE.Heur.BB351 by Symantec.

Did you also find a file digitally signed by BoxI DJV? What kind of download was it and where did you find it?

Thanks for reading.

Remove topf1le.com Pop Up Ads

Sound familiar? You see pop-up ads from topf1le.com while browsing sites that typically don’t advertise in pop-up windows. The pop-ups manage to get round the built-in pop-up blockers in Google Chrome, Mozilla Firefox, Internet Explorer or Safari. Perhaps the topf1le.com pop-ups appear when clicking search results from Google? Or do the pop-ups appear even when you’re not browsing?

Here is how the topf1le.com ad looked on my computer:

topf1le.com pop up

If this sounds like what you are seeing on your computer, you presumably have some adware installed on your system that pops up the topf1le.com ads. So there’s no use contacting the site owner. The ads are not coming from them. I’ll try to help you with the topf1le.com removal in this blog post.

I found the topf1le.com pop-up on one of the lab machines where I have some adware running. I’ve talked about this in some of the previous blog posts. The adware was installed on purpose, and from time to time I check if something new has appeared, such as pop-up windows, new tabs in the browsers, injected ads on websites that usually don’t show ads, or if some new files have been saved to the hard-drive.

topf1le.com was registered on 2015-07-24. In the pop-up URL I spotted the following domains:

  • www.ultifiletur.com
  • www.defile4.com

So, how do you remove the topf1le.com pop-up ads? On the machine where I got the topf1le.com ads I had gosearch.me, SmartComp Safe Network, Live Malware Protection and Windows Menager installed. I removed them with FreeFixer and that stopped the topf1le.com pop-ups and all the other ads I was getting in Mozilla Firefox.

If you are wondering whether there are many others out there also getting the topf1le.com ads, the answer is probably yes. Check out the traffic rank from Alexa:

topf1le.com alexa

The issue with pop-ups like the one described in this blog post is that they can be triggered by many variants of adware. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

So, what can be done? To remove the topf1le.com pop-up ads you need to check your machine for adware or other types of unwanted software and uninstall it. Here’s my suggested removal procedure:

  1. Review what programs you have installed in the Add/Remove programs dialog in the Windows Control Panel. Do you see something that you don’t remember installing or that was recently installed?
  2. You can also check the add-ons you have in your browsers. Same thing here, do you see something that you don’t remember installing?
  3. If that did not help, you can give FreeFixer a try. FreeFixer is built to assist users when manually tracking down adware and other types of unwanted software. It is a freeware utility that I’ve been working on since 2006, and it scans your computer at lots of locations where unwanted software is known to hook into your computer. If you would like to get additional details about a file in FreeFixer’s scan result, you can just click the More Info link for that file and a web page with a VirusTotal report will open up, which can be very useful to determine if the file is safe or malware:

    FreeFixer More Info link example
    An example of FreeFixer’s “More Info” links. Click for full size.

Here’s a video tutorial which shows FreeFixer in action removing adware that caused pop-up ads:

Did this blog post help you to remove the topf1le.com pop-up ads? Please let me know, or tell me how I can improve this blog post.

Thank you!

Remove WMiniPro.exe From Your Computer

Hi there. Just a quick post on WMiniPro.exe. If you have WMiniPro.exe on your system, you will notice it running in Task Manager and installed as a new Windows service. I’ll show how to remove WMiniPro.exe in this blog post with the FreeFixer removal tool.

WMiniPro.exe task manager

WMiniPro.exe is bundled with a number of downloads. Bundling means that software is included in other software’s installers. When I first found WMiniPro.exe, it was bundled with FlvPlayer.

As always when I find some new bundled software, I uploaded it to VirusTotal to see whether the anti-virus engines there detect anything. Three of the scanners detected the file. ESET-NOD32 reports a variant of Win32/ELEX.FF potentially unwanted, DrWeb detects it as Adware.Mutabaha.672 and Baidu-International detects WMiniPro.exe as Adware.Win32.ELEX.FF.

WMiniPro.exe anti-virus report


All you need to do to remove WMiniPro.exe is to run a FreeFixer scan, check the WMiniPro.exe files in the scan result and click the Fix button. You may have to restart your computer to complete the removal. Here are a few screenshots from the removal that should help you:

WMiniPro.exe process removal WMiniPro.exe removal

Hope that helped you with the removal.

Do you also have WMiniPro.exe on your machine? Any idea how it was installed? Please share your story in the comments below. Thank you!

Thank you for reading.

Remove en.reimageplus.com Pop Up Ads

Does this sound like what you are seeing right now? You see pop-up adverts from en.reimageplus.com while browsing websites that typically don’t advertise in pop-up windows. The pop-ups manage to find a way round the built-in pop-up blockers in Google Chrome, Mozilla Firefox, Internet Explorer or Safari. Maybe the en.reimageplus.com pop-ups show up when clicking search results from Google? Or do the pop-ups appear even when you’re not browsing?

Here’s a screenshot of the en.reimageplus.com pop-up ad when it showed up on my computer:

en.reimageplus.com pop up

(I’m sorry for the many watermarks. If I don’t add them, the screenshot always shows up on some copy-cat blogs.)

If this sounds like your machine, you apparently have some adware installed on your system that pops up the en.reimageplus.com ads. There’s no use contacting the owners of the website you were browsing. The advertisements are not coming from them. I’ll do my best to help you remove the en.reimageplus.com pop-up in this blog post.

I found the en.reimageplus.com pop-up on one of the lab computers where I have some adware running. I’ve talked about this in some of the previous blog posts. The adware was installed on purpose, and from time to time I check if something new has appeared, such as pop-up windows, new tabs in the browsers, injected ads on websites that usually don’t show ads, or if some new files have been saved to the hard-drive.

en.reimageplus.com resolves to the IP address 192.237.225.117.

So, how do you remove the en.reimageplus.com pop-up ads? On the machine where I got the en.reimageplus.com ads I had Live Malware Protection, gosearch.me, SmartComp Safe Network and Windows Menager installed. I removed them with FreeFixer and that stopped the en.reimageplus.com pop-ups and all the other ads I was getting in Mozilla Firefox.

The issue with pop-ups such as this one is that they can be launched by many variants of adware, not just the adware running on my system. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

So, what should be done to solve the problem? To remove the en.reimageplus.com pop-up ads you need to check your system for adware or other types of unwanted software and uninstall it. Here’s my suggested removal procedure:

  1. Examine what programs you have installed in the Add/Remove programs dialog in the Windows Control Panel. Do you see something that you don’t remember installing or that was recently installed?
  2. How about your browser add-ons? Anything in the list that you don’t remember installing?
  3. If that does not help, I’d recommend a scan with FreeFixer to manually track down the adware. FreeFixer is a freeware tool that I’m working on that scans your computer at lots of locations, such as browser add-ons, processes, Windows services, recently modified files, etc. If you want to get additional details about a file in the scan result, you can click the More Info link for that file and a web page will open up with a VirusTotal report which will be very useful to determine if the file is safe or malware:

    FreeFixer More Info link example
    An example of FreeFixer’s “More Info” links. Click for full size.
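The first two steps above (and the same procedure in the topf1le.com post) can be done by hand in the Control Panel and the browsers, but on a machine that is misbehaving it is faster to pull the same information into a console and sort it by date. The script below is an added example, not FreeFixer code, written for Windows PowerShell 5.1 or PowerShell 7 on Windows and run from an elevated prompt. It lists installed programs from the Uninstall registry keys, services whose binary is not validly signed by Microsoft (the “new service” symptom from the WMiniPro.exe post), and recently written executables under the folders adware tends to drop into. The cut-off values and folder list are assumptions to adjust for your own machine.

```powershell
# Added example, not FreeFixer code. Windows PowerShell 5.1 / PowerShell 7 on Windows,
# run elevated so HKLM and Program Files are readable.

function Get-InstalledPrograms {
    # Same data as Add/Remove Programs, read from the three Uninstall registry hives.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            # InstallDate is a yyyyMMdd string and is frequently missing, so keep it nullable.
            $installed = $null
            if ($_.InstallDate -match '^\d{8}$') {
                $installed = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
            }
            [pscustomobject]@{
                Name      = $_.DisplayName
                Publisher = $_.Publisher          # adware often leaves this blank
                Installed = $installed
                Location  = $_.InstallLocation
                Uninstall = $_.UninstallString
            }
        }
}

function Get-NonMicrosoftServices {
    # Services whose executable is not validly signed by Microsoft. A freshly added
    # service pointing at a user-writable path stands out in this list.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        # PathName looks like '"C:\Program Files\X\foo.exe" -svc' or 'C:\Windows\system32\svchost.exe -k netsvcs'
        if ($_.PathName -notmatch '^\s*"?(?<exe>[^"]+?\.exe)\b') { return }
        $exe = $Matches['exe']
        if (-not (Test-Path -LiteralPath $exe)) { return }
        $sig = Get-AuthenticodeSignature -FilePath $exe
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $microsoft = ($sig.Status -eq 'Valid') -and ($subject -match '(^|, )O=Microsoft Corporation(,|$)')
        if (-not $microsoft) {
            [pscustomobject]@{
                Service   = $_.Name
                State     = $_.State
                StartMode = $_.StartMode
                Path      = $exe
                Signature = $sig.Status           # Valid, NotSigned, NotTrusted, HashMismatch, ...
                Signer    = $subject
            }
        }
    }
}

function Get-RecentExecutables {
    # .exe/.dll files written in the last $Days days under the usual drop locations.
    # The folder list is an assumption; narrow it if the scan is too slow.
    param(
        [int]$Days = 14,
        [string[]]$Roots = @($env:ProgramData, $env:LOCALAPPDATA, $env:APPDATA,
                             $env:ProgramFiles, ${env:ProgramFiles(x86)})
    )
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path ($Roots | Where-Object { $_ }) -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $cutoff } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Written   = $_.LastWriteTime
                Signature = $sig.Status
                Signer    = $sig.SignerCertificate.Subject
            }
        }
}

# Usage: start with what changed in the last month, then look at what runs as a service.
Get-InstalledPrograms | Where-Object { -not $_.Installed -or $_.Installed -ge (Get-Date).AddDays(-30) } |
    Sort-Object Installed -Descending | Format-Table Name, Publisher, Installed, Location -AutoSize
Get-NonMicrosoftServices | Format-Table Service, State, StartMode, Signature, Path -AutoSize
Get-RecentExecutables -Days 7 | Format-Table Written, Signature, Path -AutoSize
```

Entries with no install date are kept in the first listing on purpose: adware installers frequently omit it, so a missing date is itself worth a look. A non-Microsoft signer in the service list is not proof of anything bad (most third-party services land there), but an unsigned binary or one signed by a publisher you have never heard of, living under AppData or ProgramData, is exactly the pattern the posts on this page describe. Browser add-ons (step 2) are still best reviewed in each browser’s own add-ons page, and anything you find can be cross-checked by hash on VirusTotal before you remove it.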

Here’s a video tutorial showing FreeFixer in action removing pop-up ads:

Did this blog post help you to remove the en.reimageplus.com pop-up ads? Please let me know, or tell me how I can improve this blog post.

Thank you!

Safemode Install (Fried Cookie Ltd) – 18% Detection Rate – InstallCore

Hi there! Just a short post on a publisher called Safemode Install (Fried Cookie Ltd). I just found a download named chrome-download.exe that was digitally signed by this publisher, and it turns out that it is detected by some anti-virus programs.

Safemode Install Fried Cookie Ltd certificate

By looking at the certificate we can see that Safemode Install (Fried Cookie Ltd) appears to be located in Israel. GlobalSign has issued the certificate.

The issue here is that if chrome-download.exe really were a setup file for Google Chrome, it would be digitally signed by Google Inc. and not by some unknown company. I think this looks suspicious. Here is how the authentic Google Chrome installer looks when you double-click it. Notice that the “Verified publisher” says “Google Inc”.
Chrome Google Inc publisher

So, why did I put up this blog post? Well, the thing is that the Safemode Install (Fried Cookie Ltd) file is detected by many of the scanners, according to VirusTotal. ESET-NOD32 detects it as a variant of Win32/InstallCore.ADE potentially unwanted, Malwarebytes detects it as PUP.Optional.InstallCore, AVG names chrome-download.exe as InstallCore.F22 and Sophos detects it as Install Core Click run software (PUA).

Safemode Install (Fried Cookie Ltd) anti-virus report

Did you also find a file digitally signed by Safemode Install (Fried Cookie Ltd)? What kind of download was it and where did you find it?

Thanks for reading.

LLC “DIVAROS SOFT” – 9% Detection Rate – PUP.Optional.LoadMoney

Hello! Taking a quick break from the programming I’m doing right now. I’m doing some work on the freefixer.com web site. Just wanted to give you the heads up on a publisher called LLC “DIVAROS SOFT” that I ran into this morning:

LLC DIVAROS SOFT publisher

You will also see LLC “DIVAROS SOFT” listed as the verified publisher in the User Account Control dialog that pops up if you try to run the file. It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the LLC “DIVAROS SOFT” certificate. As you can see, LLC “DIVAROS SOFT” is located in Kiev, Ukraine, according to the certificate.

LLC DIVAROS SOFT certificate

Comodo has issued the certificate.

So, why am I writing about the LLC “DIVAROS SOFT” file? Check out what the anti-virus software report about the file:

LLC DIVAROS SOFT anti-virus report

ADWARE/Amonetize.Gen7 (Avira), Generic.A6F (AVG), SScope.Downware.Amonetize (VBA32) and PUP.Optional.LoadMoney (Malwarebytes) are a few of the detection names for the file.

Did you also find a LLC “DIVAROS SOFT” file?

Thanks for reading. Now, back to coding…

MaxAgile (New Media Holdings Ltd.) – 9% Detection Rate – InstallCore

Hi there! Just a short post on a publisher called MaxAgile (New Media Holdings Ltd.) before going back to some coding on FreeFixer.

MaxAgile New Media Holdings Ltd certificate

You can also check who signed a file on the Digital Signatures tab of the file’s properties. According to the embedded certificate, MaxAgile (New Media Holdings Ltd.) seems to be located in Tel Aviv, Israel, and the certificate is issued by GlobalSign CodeSigning CA – G2.

MaxAgile GlobalSign

The issue is that chrome-download.exe is not an official Google Chrome download. If it were, it would be digitally signed by Google Inc. Here is how the authentic Google Chrome installer looks when you double-click it. Notice that the “Verified publisher” says “Google Inc”.
Chrome Google Inc publisher
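The check made in this post and in the Media Story and Safemode Install posts above (open the Digital Signatures tab, read the publisher, issuer and location, then look the file up on VirusTotal) can be scripted so you do not have to trust a filename. The following is an added example, not FreeFixer code or anything from the publishers discussed here; it runs in Windows PowerShell 5.1 or PowerShell 7 on Windows, where Get-AuthenticodeSignature is available. The download path, the expected signer names and the VirusTotal URL pattern (the current web UI’s hash search page) are assumptions.

```powershell
# Added example, not FreeFixer code. Windows PowerShell 5.1 / PowerShell 7 on Windows.

function Get-SignerSummary {
    # Who signed a file: the same data the UAC dialog and the Digital Signatures tab
    # show, plus the SHA-256 so the file can be looked up on VirusTotal by hash.
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate          # $null when the file carries no signature
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Split the subject into its RDNs, e.g.
    # 'CN=MaxAgile, O=New Media Holdings Ltd., L=Tel Aviv, C=IL' -> @{CN=...; O=...; L=...; C=...}
    $rdn = @{}
    if ($cert) {
        foreach ($m in [regex]::Matches($cert.Subject, '(?<k>[A-Z]+)=(?<v>"[^"]*"|[^,]*)')) {
            $rdn[$m.Groups['k'].Value] = $m.Groups['v'].Value.Trim('"').Trim()
        }
    }
    $location = @('L', 'S', 'C') | ForEach-Object { $rdn[$_] } | Where-Object { $_ }

    [pscustomobject]@{
        Path         = $Path
        Status       = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
        StatusText   = $sig.StatusMessage
        Publisher    = $rdn['CN']           # what UAC shows as "Verified publisher"
        Organization = $rdn['O']
        Location     = ($location -join ', ')
        Issuer       = $cert.Issuer         # e.g. a GlobalSign, thawte or COMODO code-signing CA
        NotAfter     = $cert.NotAfter
        Thumbprint   = $cert.Thumbprint
        Sha256       = $hash
        VirusTotal   = "https://www.virustotal.com/gui/file/$($hash.ToLower())"   # assumed URL pattern
    }
}

function Test-ExpectedPublisher {
    # Fail a download whose signature is not valid, or whose signer organisation is
    # not one of the names you expect for that product.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$ExpectedOrganization
    )
    $s = Get-SignerSummary -Path $Path
    $reasons = @()
    if ($s.Status -ne 'Valid') {
        $reasons += "signature status is $($s.Status): $($s.StatusText)"
    }
    if ($ExpectedOrganization -notcontains $s.Organization) {
        $reasons += "signed by '$($s.Organization)', expected one of: $($ExpectedOrganization -join ', ')"
    }
    [pscustomobject]@{
        Path    = $Path
        Ok      = ($reasons.Count -eq 0)
        Reasons = $reasons
        Signer  = $s
    }
}

# Usage (assumed path). A Chrome installer is signed by Google: older builds as
# "Google Inc", current ones as "Google LLC". A valid signature by anyone else fails.
$file = "$env:USERPROFILE\Downloads\chrome-download.exe"
Get-SignerSummary -Path $file | Format-List
Test-ExpectedPublisher -Path $file -ExpectedOrganization 'Google Inc', 'Google LLC' | Format-List Ok, Reasons
```

Two caveats a practitioner should keep in mind. A Status of Valid only means the signature chains to a trusted CA and the file has not been modified since signing; every publisher on this page had exactly that, so Valid says who signed the file, not whether it is safe. And the check is only useful when you compare against the publisher you expect for that product, which is why the function takes the expected organisation as input rather than trusting whatever name the certificate carries.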

The scan result from VirusTotal below clearly shows why you should avoid the MaxAgile (New Media Holdings Ltd.) file. It is detected under names such as Trojan.InstallCore.1364, PUP.Optional.InstallCore and InstallCore (fs).

MaxAgile anti-virus report

Did you also find a MaxAgile (New Media Holdings Ltd.) file?

Thanks for reading.

Ocsp.Comodoca4.com is Comodo’s OCSP Server

Did you just notice ocsp.comodoca4.com in Firefox’s, Chrome’s, Internet Explorer’s or Safari’s status bar or in the network log and wonder where it came from?

ocsp.comodoca4.com

You will see a connection to ocsp.comodoca4.com when the browser is using the Online Certificate Status Protocol (OCSP) to obtain the revocation status for a COMODO certificate.

This is standard procedure and is nothing to worry about, with one exception that I ran into:

I noticed the connection to ocsp.comodoca4.com on one of my lab machines where I play around with some unwanted software. I noticed the connection to ocsp.comodoca4.com while doing a search at Google.com. Under normal circumstances, a visit to Google should not trigger a connection to ocsp.comodoca4.com. Google’s certificate points to the clients1.google.com OCSP server.

The lab machine had the SalePlus, YouTubeAdBlocke and IStart 5.3.7 software running. Most likely, one of these inserted some HTML code into Google’s page that loaded content from a server with a COMODO-issued certificate, which in turn triggered the OCSP connection. After removing these three potentially unwanted programs, the connections to ocsp.comodoca4.com no longer appeared when searching on Google.
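The reasoning above rests on knowing which OCSP responder a site’s own certificate names: if the site you visited does not point at the responder you saw in the network log, the request came from some other resource on the page. The responder URL lives in the certificate’s Authority Information Access (AIA) extension. The script below is an added example, not from this blog; it reads the OCSP URLs out of a certificate, either fetched live from a TLS server (that helper needs network access) or loaded from a .cer file exported from the browser. It relies on Windows’ text rendering of the extension, so it is Windows-only; the host name and file path are assumptions.

```powershell
# Added example, not from the blog. Windows-only: X509Extension.Format() returns
# readable text on Windows, raw hex elsewhere.

function Get-OcspResponders {
    # Return the OCSP responder URL(s) named in the certificate's AIA extension.
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # AIA is OID 1.3.6.1.5.5.7.1.1. When formatted, each entry has an "Access Method="
    # line (OCSP entries carry 1.3.6.1.5.5.7.48.1) followed by a "URL=..." line.
    $aia = $Certificate.Extensions |
        Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' } |
        Select-Object -First 1
    if (-not $aia) { return @() }

    $urls   = @()
    $inOcsp = $false
    foreach ($line in ($aia.Format($true) -split "`r?`n")) {
        if ($line -match 'Access Method=') {
            $inOcsp = ($line -match '1\.3\.6\.1\.5\.5\.7\.48\.1')
        } elseif ($inOcsp -and $line -match 'URL=(\S+)') {
            $urls += $Matches[1]
        }
    }
    return $urls
}

function Get-ServerCertificate {
    # Fetch the leaf certificate a TLS server presents. Needs network access.
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever the server sends: we want to inspect the certificate, not trust it.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

# Usage: the responder named by the site's own certificate (assumed host name).
Get-OcspResponders -Certificate (Get-ServerCertificate -HostName 'www.google.com')

# Offline variant: a certificate exported from the browser as DER (.cer), assumed path.
# Get-OcspResponders -Certificate (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\site.cer')
```

Responder hosts change as CAs rotate their infrastructure, so read the live value rather than remembering one. Two things can make the comparison misleading: the browser may never contact the responder at all (stapled or cached OCSP responses), and a legitimate page can load third-party resources whose certificates come from a different CA. An OCSP host that matches neither the site nor any resource you can account for in the network log is what points at injected content, as it did on the lab machine above.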

What site did you visit when you noticed the connection to ocsp.comodoca4.com? Did you also see it while visiting Google? If so, what potentially unwanted software did you find on your machine?