Hi there! Just wanted to give you the heads up on files digitally signed by safe InStAll OPT.
You can see who the signer is when double-clicking on an executable file. safe InStAll OPT appears in the publisher field in the dialog that pops up. To get more details on the publisher, you can view the certificate by right-clicking on the file, and looking under the Digital Signatures tab. According to the certificate we can see that safe InStAll OPT appears to be located in Ireland and that the certificate is issued by thawte SHA256 Code Signing CA.
Here’s Thawte in the certificate chain:
When I uploaded the file to VirusTotal – as I usually do when I find something that looks suspicious – 28% of the antivirus scanners detected the file. The file is detected as Downloader.USS by AVG, PUP.Optional.Bundle by Malwarebytes and Adware-OutBrowse.h by McAfee-GW-Edition.
Did you also find a safe InStAll OPT file? What kind of download was it? If you remember the download link, please post it in the comments below.
Did you just get a pop-up from safedownloadsrus147.com and ponder where it came from? Did the safedownloadsrus147.com ad appear to have been initiated from a web site that under normal circumstances doesn’t use advertising such as pop-up windows? Or did the safedownloadsrus147.com pop-up show up while you clicked a link on one of the big search engines, such as Google, Bing or Yahoo?
Here’s a screenshot of the safedownloadsrus147.com pop-up ad when it showed up on my computer:
(I know, lots of watermarks. Have to do it to stop the copy-cats.)
If this sounds like what you are seeing on your machine, you presumably have some adware installed on your machine that pops up the safedownloadsrus147.com ads. So there’s no point in contacting the owner of the web site you were browsing. The ads are not coming from them. I’ll try to help you with the safedownloadsrus147.com removal in this blog post.
Those that have been following this blog already know this, but for new visitors: Not long ago I dedicated some of my lab machines and deliberately installed a few adware programs on them. Since then I have been monitoring the behaviour on these computers to see what kinds of advertisements are displayed. I’m also looking at other interesting things, such as whether the adware auto-updates or installs additional unwanted software on the machines. I first spotted the safedownloadsrus147.com pop-up on one of these lab machines.
safedownloadsrus147.com was registered on 2015-08-20. safedownloadsrus147.com resolves to 162.159.248.237.
Update Nov 27 2015: I just ran into a pop up from safedownloadsrus169.com. The following similar domains are also registered:
And I will not be surprised if these domains start to appear in pop-ups too:
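Because these domains differ only in the number, one anchored pattern covers the whole family, including numbers that have not shown up yet. The following is an added PowerShell example, not part of the original post; the log format, client addresses, function name and the allowance for subdomains are assumptions made for illustration.

```powershell
# Constructed sample DNS query log lines: timestamp, client IP, queried name.
$sampleLog = @(
    '2015-11-27T10:02:11Z 10.0.0.21 safedownloadsrus147.com'
    '2015-11-27T10:02:15Z 10.0.0.21 www.example.org'
    '2015-11-27T10:05:40Z 10.0.0.34 safedownloadsrus169.com.'
    '2015-11-27T10:06:02Z 10.0.0.34 cdn.safedownloadsrus176.com'
    '2015-11-27T10:07:19Z 10.0.0.40 safedownloadsrus147.com.example.net'
    '2015-11-27T10:08:55Z 10.0.0.40 notsafedownloadsrus147.com'
)

# Anchored at both ends so look-alike names (last two sample lines) do not
# match. Optional leading labels and a trailing dot are assumptions.
$familyPattern = '^(?:[a-z0-9-]+\.)*safedownloadsrus(?<n>\d+)\.com\.?$'

function Find-NumberedAdDomain {
    param([string[]]$Line)
    foreach ($l in $Line) {
        # Split into at most three fields; skip malformed lines.
        $time, $client, $name = $l -split '\s+', 3
        if ($name -and $name -match $familyPattern) {
            [pscustomobject]@{
                Time   = $time
                Client = $client
                Query  = $name
                Number = [int]$Matches['n']
            }
        }
    }
}

# Summarise per client: which machines are querying the family, and how often.
Find-NumberedAdDomain -Line $sampleLog |
    Group-Object Client |
    ForEach-Object {
        [pscustomobject]@{
            Client  = $_.Name
            Hits    = $_.Count
            Domains = ($_.Group.Query | Sort-Object -Unique) -join ', '
        }
    }
```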
So, how do you remove the safedownloadsrus147.com pop-up ads? On the machine where I got the safedownloadsrus147.com ads I had Windows Menager, SmartComp Safe Network, gosearch.me and Live Malware Protection installed. I removed them with FreeFixer and that stopped the safedownloadsrus147.com pop-ups and all the other ads I was getting in Mozilla Firefox.
It seems that safedownloadsrus147.com is getting quite a lot of traffic, based on Alexa’s traffic rank:
The issue with this type of pop-up is that it can be popped up by many variants of adware, not just the adware on my computer. This makes it impossible to say exactly what you need to remove to stop the pop-ups.
Anyway, here’s my suggestion for the safedownloadsrus147.com ads removal:
Review what programs you have installed in the Add/Remove programs dialog in the Windows Control Panel. Do you see anything that you don’t remember installing or that was recently installed?
How about the add-ons that you have in your browser? Anything in the list that you don’t remember installing?
If that didn’t help, I’d recommend a scan with FreeFixer to manually track down the adware. FreeFixer is a freeware tool that I’m working on that scans your computer at lots of locations, such as browser add-ons, processes, Windows services, recently modified files, etc. If you want to get additional details about a file in the scan result, you can click the More Info link for that file and a web page will open up with a VirusTotal report which will be very useful to determine if the file is safe or malware:
Here’s a video tutorial which shows FreeFixer in action removing adware that caused pop-up ads:
Did this blog post help you to remove the safedownloadsrus147.com pop-up ads? Please let me know, or tell me how I can improve this blog post.
Hello readers! If you are a regular here on the FreeFixer blog, you know that I’ve been examining files that have a digital signature and bundle various types of potentially unwanted software. Today I found another publisher named viD PLAY that bundles some software.
If you have a viD PLAY file on your computer you may have noticed that viD PLAY pops up as the publisher in the User Account Control dialog when running the file. The certificate is issued by thawte SHA256 Code Signing CA.
Thawte at the root in the certificate chain:
After uploading the viD PLAY file – Player.exe – to VirusTotal, it was clear that it’s probably better to delete the file than to run it. The detection rate was 33% and some of the detection names were: Downloader.UIA, PUP.Optional.Vidplay, Adware-OutBrowse.h and OutBrowse.
Did you also find a viD PLAY file? What kind of download was it? If you remember the download link, please post it in the comments below.
Hello readers! Just a short post on a publisher called Cash Buyer Media before going back to some coding on FreeFixer.
You will also see Cash Buyer Media listed as the verified publisher in the User Account Control dialog that pops up if you try to run the file. Information about a digital signature and the certificate can also be found under the Digital Signature tab. According to the certificate we can see that Cash Buyer Media is located in San Francisco in California, US and that the certificate is issued by VeriSign Class 3 Code Signing 2010 CA.
Here’s VeriSign in the cert chain:
After uploading the Cash Buyer Media file – vlc-media-player.exe – to VirusTotal, it was clear that it’s probably better to delete the file than to run it. The detection rate was 18% and some of the detection names were: GrayWare[AdWare]/Win32.GamePlayLabs.a, W32.HfsAdware.81DC, Trojan.Vittalia.368 and DownloadAdmin (PUA).
Did you also find a download that was signed by Cash Buyer Media? What kind of download was it and was it detected by the anti-malwares at VirusTotal? Please share by posting a comment below.
Welcome! Just a short post on a publisher called LLC `FOTO-TSENTR `. I just found a download named Moboroboexe__15022_i1619995140_il543480.exe that was digitally signed by this publisher, and it turns out that it is detected by some anti-virus programs.
You may see LLC `FOTO-TSENTR ` appear as the publisher when double-clicking on the Moboroboexe__15022_i1619995140_il543480.exe file. To view more information about the embedded certificate you can right-click on the file, then choose Properties and then select the Digital Signatures tab. According to the certificate we can see that LLC `FOTO-TSENTR ` seems to be located in Ukraine and that the certificate is issued by COMODO RSA Code Signing CA.
Here’s Comodo in the certificate chain:
The issue with the LLC `FOTO-TSENTR ` file is that it is detected by some of the anti-viruses. Here are some of the detection names: ADWARE/Amonetize.Gen, a variant of Win32/Amonetize.HU potentially unwanted and HEUR/QVM10.1.Malware.Gen.
Since you probably came here after finding a file that was digitally signed by LLC `FOTO-TSENTR `, please share what kind of download it was and if it was detected by the anti-malwares at VirusTotal.
Thank you for reading.
Update 2015-09-08: I found another file signed by LLC FOTO-TSENTR. The detection rate has increased to 13/56:
Hello readers! Just a quick post on a publisher called OOO DIGITAL VEI that I found while running some tests for the upcoming FreeFixer release. The suspicious file is named adobe_flash_player.exe.
Viewing the certificate information is also possible by looking under the digital signature tab for the file. Here the certificate says that OOO DIGITAL VEI is located in Moscow, Russia.
And USERTrust and Comodo are further up in the certificate chain:
What caught my attention was that the download was called adobe_flash_player.exe. This might look like an official Adobe Flash Player download, but it is not. If it was an official download, it should be digitally signed by Adobe Systems Incorporated. Here’s what the authentic Adobe Flash Player looks like when you double click on it. Notice that the “Verified publisher” says “Adobe Systems Incorporated”.
The problem with the OOO DIGITAL VEI file is that it is detected by many of the antivirus programs. Here are some of the detection names: W32.HfsAdware.90CE, PUP.Optional.Bundle and InstallCore (fs).
Did you also find an OOO DIGITAL VEI download? What kind of download was it?
Did you just get interrupted by a pop-up ad from lp.freegameszonetab.com? You are not alone. I also get the lp.freegameszonetab.com pop-ups while browsing. Do the popups also bypass the pop-up blocker in Chrome, Firefox, Internet Explorer or Safari? Then read on…
Here’s what the lp.freegameszonetab.com pop-up looked like when I got it on my machine:
If this sounds like what you see on your computer, you most likely have some adware installed on your machine that pops up the lp.freegameszonetab.com ads. Don’t blame the people that run the web site you were at; the ads are most likely not coming from that web site, but from the adware that’s running on your computer. I’ll try to help you to remove the lp.freegameszonetab.com pop-ups in this blog post.
Those that have been following this blog already know this, but here we go: Some time ago I dedicated some of my lab computers and intentionally installed some adware programs on them. I have been observing the actions on these machines to see what kinds of adverts are displayed. I’m also looking at other interesting things, such as whether the adware auto-updates or downloads additional unwanted software on the machines. I first observed the lp.freegameszonetab.com pop-up on one of these lab computers.
lp.freegameszonetab.com was created on 2014-10-02. lp.freegameszonetab.com resolves to the 94.31.0.55 IP address and so does.
So, how do you remove the lp.freegameszonetab.com pop-up ads? On the machine where I got the lp.freegameszonetab.com ads I had PriceFountain, PineTree, GamesDesktop and CheckMeUp installed. I removed them with FreeFixer and that stopped the lp.freegameszonetab.com pop-ups and all the other ads I was getting in Mozilla Firefox.
If you are wondering whether there are many others out there also getting the lp.freegameszonetab.com ads, the answer is probably yes. Check out the traffic rank from Alexa:
The bad news with pop-ups such as this one is that it can be initiated by many variants of adware, not just the adware running on my machine. This makes it impossible to say exactly what you need to remove to stop the pop-ups.
So, what should be done to solve the problem? To remove the lp.freegameszonetab.com pop-up ads you need to check your computer for adware or other types of unwanted software and uninstall it. Here’s my suggested removal procedure:
The first thing I would do to remove the lp.freegameszonetab.com pop-ups is to examine the software installed on the machine, by opening the “Uninstall programs” dialog. You can reach this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows you can just type in “uninstall” in the Control Panel’s search field to find that dialog:
Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Do you see something dubious in there or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if something was installed at about the same time as you started getting the lp.freegameszonetab.com pop-ups.
The next thing to check would be your browser’s add-ons. Adware often appears under the add-ons menu in Chrome, Firefox, Internet Explorer or Safari. Is there anything that looks suspicious? Anything that you don’t remember installing?
I think you will be able to find and uninstall the adware with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the adware. FreeFixer is a freeware tool that I started developing many years ago. FreeFixer is a tool built to manually identify and uninstall unwanted software. When you’ve found the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.
FreeFixer’s removal feature is not crippled like many other removal tools out there. It will not require you to pay a fee just when you are about to remove the unwanted files.
And if you’re having issues figuring out if a file is clean or adware in the FreeFixer scan result, click on the More Info link for the file. That will open up your browser with a page which contains more details about the file. On that web page, check out the VirusTotal report which can be very useful:
Here’s a video tutorial showing FreeFixer in action removing pop-up ads:
Did this blog post help you to remove the lp.freegameszonetab.com pop-up ads? Please let me know, or tell me how I can improve this blog post.
Hello! If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. Today I found another publisher called LLC “SOFT TRADE LTD”.
Typically you’d see the LLC “SOFT TRADE LTD” publisher name appear when double-clicking on the FlashPlayer__6741_i1609075630_il45347.exe file. It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the LLC “SOFT TRADE LTD” certificate.
The company is located in Ukraine, says the certificate. UserTrust and Comodo are found in the certificate chain:
What caught my attention was that the download was called FlashPlayer__6741_i1609075630_il45347.exe. This might look like an official Adobe Flash Player download, but it is not. If it was an official download, it should be digitally signed by Adobe Systems Incorporated. Here’s what the authentic Adobe Flash Player looks like when you double click on it. Notice that the “Verified publisher” says “Adobe Systems Incorporated”.
Here’s what the LLC “SOFT TRADE LTD” installer looks like:
ADWARE/Amonetize.Gen and a variant of Win32/Amonetize.HN potentially unwanted are some detection names according to VirusTotal:
Did you also find an LLC “SOFT TRADE LTD” file? What kind of download was it? If you remember the download link, please post it in the comments below.
Hello! Short on time today, but I just wanted to give you the heads up on a publisher called Sambamedia LLC.
Windows will display Sambamedia LLC as the publisher when running the file. It’s possible to view additional information about the certificate by right-clicking on the file, choosing properties and then clicking on the Digital Signatures tab. According to the certificate we can see that Sambamedia LLC is located in Wilmington, Delaware in the US and that the certificate is issued by VeriSign Class 3 Code Signing 2010 CA.
The certification path, which shows VeriSign at the root:
The issue here is that if google_chrome.exe really was a setup file for Google Chrome, it should have been digitally signed by Google Inc. and not by some unknown company. I think this looks suspicious. Here’s what the authentic Google Chrome looks like when you double click on it. Notice that the “Verified publisher” says “Google Inc”.
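The comparison made by eye in these posts (a download named after Flash Player or Chrome should carry Adobe's or Google's signature, and a valid signature from anyone else is a red flag) can be scripted. This is an added PowerShell example, not code from the original posts or from FreeFixer; the file-name patterns and function names are assumptions, and `Get-AuthenticodeSignature` is the built-in Windows cmdlet.

```powershell
# Publisher strings are the ones quoted in the posts; the file-name
# patterns are assumptions made for this example.
$expectedPublisher = [ordered]@{
    'flash[\s_-]*player'  = 'Adobe Systems Incorporated'
    'google[\s_-]*chrome' = 'Google Inc'
}

function Test-ClaimedPublisher {
    param(
        [Parameter(Mandatory)][string]$FileName,
        [string]$SignerName,                 # subject name from the certificate
        [string]$SignatureStatus = 'Valid'   # Status from Get-AuthenticodeSignature
    )
    $verdict = 'no-known-product-claim'; $expected = $null
    foreach ($pattern in $expectedPublisher.Keys) {
        if ($FileName -match $pattern) {
            $expected = $expectedPublisher[$pattern]
            # A valid signature only proves who signed, not that the signer
            # is the vendor the file name claims.
            $verdict = if ($SignatureStatus -ne 'Valid') { 'unsigned-or-invalid' }
                elseif ($SignerName -like "$expected*")  { 'publisher-matches' }
                else                                     { 'publisher-mismatch' }
            break
        }
    }
    [pscustomobject]@{
        File = $FileName; Signer = $SignerName
        Expected = $expected; Verdict = $verdict
    }
}

# For a file on disk (Windows): read the signature, then apply the same check.
function Test-DownloadSignature {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $name = if ($sig.SignerCertificate) {
        $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
    }
    Test-ClaimedPublisher -FileName (Split-Path $Path -Leaf) -SignerName $name -SignatureStatus $sig.Status
}

# Constructed records: file names and signers as named in the posts.
$records = @(
    @{ FileName = 'adobe_flash_player.exe'; SignerName = 'OOO DIGITAL VEI' }
    @{ FileName = 'FlashPlayer__6741_i1609075630_il45347.exe'; SignerName = 'LLC "SOFT TRADE LTD"' }
    @{ FileName = 'google_chrome.exe'; SignerName = 'Sambamedia LLC' }
)
foreach ($r in $records) { Test-ClaimedPublisher @r }
```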
The issue with the Sambamedia LLC file is that it is detected by many of the anti-malware programs. Here are some of the detection names: Riskware.Agent!, PUA/SoftPulse.oanu, W32.HfsAdware.7208, Trojan.Domaiq.302, Gen:Variant.Mikey.22953 (B), a variant of Win32/SoftPulse.AJ potentially unwanted and Gen:Variant.Mikey.22953.
Did you also find a Sambamedia LLC file? What kind of download was it? If you remember the download link, please post it in the comments below.