Tag Archives: fake flash software

LLC DE PROEKT – 39% Detection Rate – Amonetize / Strictor / PUP.Optional.Bundle

Hi there! Short on time this evening, but I just wanted to give you the heads up on a publisher called LLC DE PROEKT.

LLC DE PROEKT publisher

If you have an LLC DE PROEKT file on your machine you may have noticed that LLC DE PROEKT is displayed as the publisher in the UAC dialog when double-clicking on the file. The certificate is issued by COMODO RSA Code Signing CA. The publisher is located in Ukraine.

LLC DE PROEKT cert

The problem here is that if FlashPlayer__6741_i1561835113_il7532.exe really was a setup file for Adobe Flash Player, it should have been digitally signed by Adobe Systems Incorporated and not by some unknown company. This looks suspicious. Here’s what the authentic Adobe Flash Player looks like when you double-click on it. Notice that the “Verified publisher” says “Adobe Systems Incorporated”.
Adobe Systems Incorporated - Adobe Flashplayer Installer

The issue with the LLC DE PROEKT file is that it is detected by many antimalware programs. Here are some of the detection names: Trojan.Application.Strictor.D164B3, BundleApp.IVU, W32.HfsAdware.B493, Gen:Variant.Application.Strictor, PUP.Optional.Bundle and Amonetize (fs).

LLC DE PROEKT virustotal report

Did you also find a download that was digitally signed by LLC DE PROEKT? What kind of download was it, and was it detected by the anti-virus programs at VirusTotal? Please share by posting a comment.

Thanks for reading.

Update 2015-08-18: Found another download today, also signed by LLC DE PROEKT and also using “Flash” in the filename to confuse users. The detection rate for this file was 25% according to VirusTotal:

LLC DE PROEKT av report update

 

When I ran the installer it disclosed that it bundled a bitcoin miner or some other type of cryptocurrency miner:

LLC DE PROEKT bitcoin miner

 

Just a quick update on the certificate chain. It begins with UserTrust, then Comodo and then LLC DE PROEKT:

LLC DE PROEKT certificate chain
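The publisher check and the certificate chain described above can also be read from PowerShell instead of the UAC dialog. This is an added example, not code from the original post; the function name `Test-InstallerPublisher` and the path in the usage comment are hypothetical.

```powershell
# Added example: compare an installer's Authenticode signer with the publisher
# its file name implies, and list the certificate chain.
# Test-InstallerPublisher is a hypothetical helper name.
function Test-InstallerPublisher {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Publisher the download claims to come from.
        [string]$ExpectedPublisher = 'Adobe Systems Incorporated'
    )

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    if ($null -eq $cert) {
        # Unsigned files carry no signer certificate at all.
        return [pscustomobject]@{
            File = $Path; Status = $sig.Status; Publisher = $null
            MatchesExpected = $false; Chain = @()
        }
    }

    # Common name of the signer: the "Verified publisher" string in the UAC dialog.
    $simple    = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $publisher = $cert.GetNameInfo($simple, $false)

    # Build the chain offline to list every certificate from signer to root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($cert)
    $names = @($chain.ChainElements | ForEach-Object {
        $_.Certificate.GetNameInfo($simple, $false)
    })

    [pscustomobject]@{
        File            = $Path
        Status          = $sig.Status   # 'Valid' says the file is intact, not who it should be from
        Publisher       = $publisher
        MatchesExpected = ($sig.Status -eq 'Valid' -and $publisher -eq $ExpectedPublisher)
        Chain           = $names        # signer first, root last
    }
}

# Usage (placeholder path for the download being checked):
# Test-InstallerPublisher -Path "$env:USERPROFILE\Downloads\installer.exe" | Format-List
```

A file can report `Status = Valid` and still fail the check: a valid signature only identifies who signed the file, so the publisher name has to match the vendor the download claims to come from.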

Remove futureupdates.theperfectupdate.net Pop Up Ads

Sound familiar? You see pop-up ads from futureupdates.theperfectupdate.net while browsing web sites that in general don’t advertise in pop-up windows. The pop-ups manage to find a way round the built-in pop-up blockers in Mozilla Firefox, Google Chrome, Internet Explorer or Safari. Maybe the futureupdates.theperfectupdate.net pop-ups appear when clicking search results from Google? Or do the pop-ups appear even when you’re not browsing?

Here is a screenshot of the futureupdates.theperfectupdate.net pop-up from my machine:

futureupdates.theperfectupdate.net

If this sounds like your experience, you apparently have some adware installed on your computer that pops up the futureupdates.theperfectupdate.net ads. So there’s no use contacting the site owner. The ads are not coming from them. I’ll do my best to help you with the futureupdates.theperfectupdate.net removal in this blog post.

For those that are new to the blog: Some time ago I dedicated a few of my lab machines and deliberately installed a few adware programs on them. I have been monitoring the behaviour on these machines to see what kinds of adverts are displayed. I’m also looking at other interesting things, such as whether the adware updates itself, or whether it downloads and installs additional unwanted software on the machines. I first noticed the futureupdates.theperfectupdate.net pop-up on one of these lab systems.

futureupdates.theperfectupdate.net was registered on 2015-02-20. The domain is protected by PrivacyProtect.org. futureupdates.theperfectupdate.net resolves to the 199.115.114.52 address.

YouGetSignal’s reverse WHOIS states that s.system-update.net resolves to the same IP.

According to Alexa, theperfectupdate.net is getting quite a lot of traffic:

theperfectupdate.net

So, how do you remove the futureupdates.theperfectupdate.net pop-up ads? On the machine where I got the futureupdates.theperfectupdate.net ads I had BlockAndSurf, TinyWallet and BrowserWarden installed. I removed them with FreeFixer and that stopped the futureupdates.theperfectupdate.net pop-ups and all the other ads I was getting in Mozilla Firefox.

The problem with pop-ups such as this one is that they can be launched by many variants of adware. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

Anyway, here’s my suggestion for the futureupdates.theperfectupdate.net ads removal:

  1. What software do you have installed if you look in the Add/Remove programs dialog in the Windows Control Panel? Something that you don’t remember installing yourself or that was recently installed?
  2. You can also review the add-ons you have in your browsers. Same thing here, do you see something that you don’t remember installing?
  3. If that didn’t help, I’d recommend a scan with FreeFixer to manually track down the adware. FreeFixer is a freeware tool that I’m working on that scans your computer at lots of locations, such as browser add-ons, processes, Windows services, recently modified files, etc. If you want to get additional details about a file in the scan result, you can click the More Info link for that file and a web page will open up with a VirusTotal report which will be very useful to determine if the file is safe or malware:

    FreeFixer More Info link example
    An example of FreeFixer’s “More Info” links.


Did you find any adware on your machine? Did that stop the futureupdates.theperfectupdate.net ads? Please post the name of the adware you uninstalled from your machine in the comments below.

Thank you!

Remove softnewready.freeupgrade24.com Pop Up Ads – freeupgrade24.com Removal Guide

Did you just get a pop-up from softnewready.freeupgrade24.com and wonder where it came from? Did the freeupgrade24.com ad appear to have been launched from a web site that under normal circumstances doesn’t use aggressive advertising such as pop-up windows? Or did the softnewready.freeupgrade24.com pop-up show up while you clicked a link on one of the big search engines, such as Google, Bing or Yahoo?

Here is what the softnewready.freeupgrade24.com ad looked like on my machine:

freeupgrade24.com pop-up

If you also see this on your system, you apparently have some adware installed on your machine that pops up the softnewready.freeupgrade24.com ads. Contacting the owner of the site would be a waste of time. They are not responsible for the ads. I’ll do my best to help you remove the softnewready.freeupgrade24.com pop-up in this blog post.

Those that have been reading this blog already know this, but for new visitors: Not long ago I dedicated some of my lab machines and knowingly installed a few adware programs on them. I’ve been observing the actions on these machines to see what kinds of advertisements are displayed. I’m also looking at other interesting things, such as whether the adware updates itself automatically, or whether it downloads and installs additional unwanted software on the machines. I first spotted the softnewready.freeupgrade24.com pop-up on one of these lab machines.

softnewready.freeupgrade24.com was created on 2015-01-26. softnewready.freeupgrade24.com resolves to 198.7.56.112.

So, how do you remove the softnewready.freeupgrade24.com pop-up ads? On the machine where I got the softnewready.freeupgrade24.com ads I had PriceHorse, PriceLess, OfferBoulevard and SpeedCheck installed. I removed them with FreeFixer and that stopped the softnewready.freeupgrade24.com pop-ups and all the other ads I was getting in Mozilla Firefox.

The issue with this type of pop-up is that it can be launched by many variants of adware, not just the adware on my computer. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

Anyway, here’s my suggestion for the softnewready.freeupgrade24.com ads removal:

The first thing I would do to remove the softnewready.freeupgrade24.com pop-ups is to examine the software installed on the machine, by opening the “Uninstall programs” dialog. You can open this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows you can just type in “uninstall” in the Control Panel’s search field to find that dialog:
Uninstall a program search

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Uninstall a program dialog

Do you see something suspicious in there or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if something was installed about the same time as you started seeing the softnewready.freeupgrade24.com pop-ups.
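The same "Installed On" review can be scripted by reading the uninstall entries from the registry. This is an added example, not part of the original post or of FreeFixer; the function name `Get-RecentInstall` and its `-Days` parameter are hypothetical.

```powershell
# Added example: list installed programs newest-first, like sorting the
# "Installed On" column. Get-RecentInstall and -Days are hypothetical names.
function Get-RecentInstall {
    param([int]$Days = 30)

    # Per-machine (64-bit and 32-bit) and per-user uninstall entries.
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $cutoff = (Get-Date).AddDays(-$Days)

    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            # InstallDate is normally a yyyyMMdd string, but installers may omit it.
            $date  = [datetime]::MinValue
            $dated = [datetime]::TryParseExact(
                [string]$_.InstallDate, 'yyyyMMdd',
                [cultureinfo]::InvariantCulture,
                [System.Globalization.DateTimeStyles]::None, [ref]$date)
            $installedOn = $null
            if ($dated) { $installedOn = $date }

            [pscustomobject]@{
                InstalledOn = $installedOn
                Name        = $_.DisplayName
                Publisher   = $_.Publisher
                Uninstall   = $_.UninstallString
            }
        } |
        # Keep undated entries too: a missing date is no reason to trust a program.
        Where-Object { $null -eq $_.InstalledOn -or $_.InstalledOn -ge $cutoff } |
        Sort-Object InstalledOn -Descending
}

# Usage: programs installed in the last two weeks, plus entries without a date.
# Get-RecentInstall -Days 14 | Format-Table -AutoSize
```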

Then I would check the browser add-ons. Adware often appears under the add-ons menu in Mozilla Firefox, Google Chrome, Internet Explorer or Safari. Is there anything that looks suspicious? Something that you don’t remember installing?
Firefox add-ons manager

I think you will be able to find and remove the adware with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the adware. FreeFixer is a freeware tool that I’ve been developing since 2006. It’s a tool designed to manually find and uninstall unwanted software. When you’ve identified the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.

FreeFixer’s removal feature is not locked like many other removal tools out there. It will not require you to pay for the program just when you are about to remove the unwanted files.

And if you’re having difficulties determining if a file is clean or malware in the FreeFixer scan result, click on the More Info link for the file. That will open up a web page which contains more details about the file. On that web page, check out the VirusTotal report which can be very useful:

FreeFixer More Info link example
An example of FreeFixer’s “More Info” links.


Did this blog post help you to remove the softnewready.freeupgrade24.com pop-up ads? Please let me know, or tell me how I can improve this blog post.

Thank you!

Remove pcchecker.plugin-update.org Pop Up Ads About Outdated Flash Player

Sound familiar? You see pop-up ads from pcchecker.plugin-update.org while browsing sites that in general don’t advertise in pop-up windows. The pop-ups manage to bypass the built-in pop-up blockers in Chrome, Firefox, Internet Explorer or Safari. Maybe the pcchecker.plugin-update.org pop-ups show up when clicking search results from Google? Or do the pop-ups appear even when you’re not browsing?

Here’s a screen capture of the plugin-update.org pop-up ad when it showed up on my computer:

pcchecker.plugin-update.org pop-up

If this sounds like what you see on your computer, you almost certainly have some adware installed on your system that pops up the pcchecker.plugin-update.org ads. So don’t flame the people who run the website you were on; the ads are presumably not coming from that website, but from the adware that’s installed on your machine. I’ll try to help you remove the plugin-update.org pop-ups in this blog post.

If you have been reading this blog you already know this, but if you are new: A little while back I dedicated some of my lab computers and intentionally installed a few adware programs on them. Since then I have been tracking the behaviour on these computers to see what kinds of advertisements are displayed. I’m also looking at other interesting things, such as whether the adware auto-updates, or whether it installs additional unwanted software on the computers. I first noticed the pcchecker.plugin-update.org pop-up on one of these lab computers.

pcchecker.plugin-update.org resolves to 198.7.56.118. pcchecker.plugin-update.org was created on 2015-01-20.

So, how do you remove the pcchecker.plugin-update.org pop-up ads? On the machine where I got the pcchecker.plugin-update.org ads I had PriceLess, PriceHorse, OfferBoulevard and SpeedCheck installed. I removed them with FreeFixer and that stopped the pcchecker.plugin-update.org pop-ups and all the other ads I was getting in Mozilla Firefox.

The issue with pop-ups such as this one is that they can be initiated by many variants of adware. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

So, what can be done to solve the problem? To remove the pcchecker.plugin-update.org pop-up ads you need to review your machine for adware or other types of unwanted software and uninstall it. Here’s my suggested removal procedure:

  1. What software do you have installed if you look in the Add/Remove programs dialog in the Windows Control Panel? Something that you don’t remember installing yourself or that was recently installed?
  2. You can also check the add-ons that you have in your browser. Same thing here, do you see something that you don’t remember installing?
  3. If that did not help, I’d recommend a scan with FreeFixer to manually track down the adware. FreeFixer is a freeware tool that I’m working on that scans your computer at lots of locations, such as browser add-ons, processes, Windows services, recently modified files, etc. If you want to get additional details about a file in the scan result, you can click the More Info link for that file and a web page will open up with a VirusTotal report which will be very useful to determine if the file is safe or malware:

    FreeFixer More Info link example
    An example of FreeFixer’s “More Info” links.


Did this blog post help you to remove the pcchecker.plugin-update.org pop-up ads? Please let me know, or tell me how I can improve this blog post.

Thank you!

“Flash Video Downloader is required to download online video”

Are you getting a message saying

“Flash Video Downloader is required to download online video”

while browsing the web?

Well, this is another misleading advert, hosted at hdpluginnow.com. If you download the “Flash Video Downloader” you will get a file called FlashPlayer__6741_i1387048386_il2537.exe, digitally signed by Shetef Solutions & Consulting. Now all of a sudden it’s not a downloader, but a “Flash Player” 🙂 That file is detected by many of the anti-virus programs, so don’t run it.

Did you also see this error message? Did it also appear on hdpluginnow.com?

PennyBee.exe and PennyBeeW.exe – Adware Removal Instructions

Just wanted to write a short blog post before going back to programming. Today I wanted to talk about an adware called PennyBee and thought I should give you some removal instructions. PennyBee appears to be a variant of the Linkury adware. If PennyBee is running on your system, you will spot PennyBee.exe and PennyBeeW.exe running in the Windows Task Manager and a new service installed, triggered to run PennyBee.exe. I’ll show how to remove PennyBee in this blog post with the FreeFixer removal tool.

pennybee.exe pennybeew.exe Task Manager
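The process and service traces described above can be checked from PowerShell as well as from Task Manager. This is an added example, not from the original post or from FreeFixer; the function name `Find-PennyBeeTrace` is hypothetical and only the two executable names come from the post.

```powershell
# Added example: look for the PennyBee processes and the service that launches them.
# Find-PennyBeeTrace is a hypothetical name; the .exe names are the ones in the post.
function Find-PennyBeeTrace {
    $pattern = 'PennyBeeW?\.exe'   # matches PennyBee.exe and PennyBeeW.exe (case-insensitive)

    # Running processes with one of the two image names.
    $procs = Get-CimInstance Win32_Process |
        Where-Object { $_.Name -match ('^' + $pattern + '$') } |
        ForEach-Object {
            [pscustomobject]@{
                Kind = 'Process'; Name = $_.Name; ProcessId = $_.ProcessId
                StartMode = $null; Binary = $_.ExecutablePath
            }
        }

    # Services whose command line starts one of the executables,
    # whatever the service itself is called.
    $svcs = Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Kind = 'Service'; Name = $_.Name; ProcessId = $_.ProcessId
                StartMode = $_.StartMode; Binary = $_.PathName
            }
        }

    @($procs) + @($svcs)
}

# Usage: an empty result means neither trace was found on this machine.
# Find-PennyBeeTrace | Format-Table -AutoSize
```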

PennyBee is bundled with other software. Bundled means that it is included in another software’s installer. When I first found PennyBee, it was bundled with an unofficial Flash Player download. This is how PennyBee was disclosed in that download’s installer when I found it.

pennybee in the bundling installer

Generally, you can avoid bundled software such as PennyBee by being careful when installing software and declining the bundled offers in the installer.

When I find some new bundled software I normally upload it to VirusTotal to test if the anti-virus programs there find something. Of the 54 anti-virus scanners, 26 detected the file. Some of the detection names for PennyBee are a variant of MSIL/Toolbar.Linkury.H, Artemis and Adware.Linkury (fs).

pennybee.exe virustotal

Since you probably want to remove PennyBee, these are the files you should check for removal if you want to remove it with FreeFixer. You might have to restart your machine to complete the removal. Problem fixed.

pennybee processes and service

Hope that helped you with the removal.

Any idea how PennyBee was installed on your machine? Please share by posting a comment. Thank you!

Thanks for reading!

OOO Alians – 7% Detection Rate at VirusTotal

Just a short post on a publisher called OOO Alians. I just found a download named adobe_flash_setup.exe that was digitally signed by this publisher, and it turns out that it is detected by some of the anti-virus programs.

OOO Alians

OOO Alians virus total report

 

Adware/InstallCore, AdWare.Win32.InstallCore and PUA.Alians are some of the detection names.

Did you also find an OOO Alians download? Was that also promoted as Adobe’s Flash Player?

Now, back to programming on the FreeFixer tool 🙂

Information Technology Systems – 16% Detection Rate at VirusTotal

Just a quick post on a faked Flash Player download, named adobe_flash_setup.exe, digitally signed by Information Technology Systems. This download was promoted with the following pop-up:

Faked Flash Update pop up windows

Information Technology Systems seems to be located in Montenegro based on the embedded certificate.

Information Technology Systems certificate, the publisher is located in montenegro

The current detection rate is 16% according to VirusTotal. InstallCore appears to be the most common detection name.

Information Technology Systems virus total report, InstallCore is one of the detection names

Did you also find an Information Technology Systems file? Do you remember where you downloaded it?