Monthly Archives: October 2014

Remove consumers-response.org Pop-Up Surveys

Did you just get a pop-up survey from consumers-response.org while browsing in Google Chrome, Mozilla Firefox or Internet Explorer? Did the survey from consumers-response.org pop up while browsing a web site that normally does not have any pop-ups? If so, the pop-ups are probably being shown by software installed on your machine rather than by the web site you are visiting. I’ll give you some advice on how to remove the consumers-response.org surveys in this blog post.

consumers-response.org pop-up survey

If you’ve been reading the FreeFixer blog during the last week you already know that I’ve installed a bunch of adware on my lab machine, and that I’m monitoring the advertising that this adware displays to the user. I noticed the consumers-response.org pop-up on one of the lab machines where I had installed the BlockAndSurf and SmartOnes adware. So that’s a good starting point if you’d like to remove the consumers-response.org surveys.

However, I’d like to point out that the consumers-response.org surveys are probably launched by other variants of adware, in addition to the ones I mentioned above, which makes it difficult to point out exactly what needs to be removed to stop the consumers-response.org pop-ups. More on the consumers-response.org removal later on.

Generally, surveys of this type often try to make it appear as if they are official surveys from the web site you were browsing, typically by showing the domain name of that site. Sometimes they also claim that your feedback will improve the site that you were visiting and that you will get some type of reward when completing the survey. As you can see in the screenshot above, the survey claims to be from freefixer.com, which of course is fake. I own the freefixer.com web site and I do not show surveys like this. If you can read Swedish you can also see that the consumers-response.org survey promises you will get an “exclusive gift from freefixer.com”, which is a lie.

If you are wondering whether you are the only one getting the consumers-response.org surveys, the answer is NO. Just check out the traffic report from Alexa. This web site is getting a ton of traffic. There are probably tens of thousands of users that see some content from consumers-response.org every day. I wish I had that traffic rank on freefixer.com 😉

consumers-response.org traffic rank

So, what about the consumers-response.org removal? Personally I would start by checking the Add/Remove programs dialog in the Windows Control Panel to see if anything suspicious appears there and remove it. Do you see stuff that you don’t remember installing? In particular, if you sort on the “Installed on” date, do you see something that was installed about the same time as you first spotted the consumers-response.org surveys?

I would also check the add-ons installed into Chrome, Firefox, Internet Explorer or whatever browser you are using. Do you see anything suspicious? Is there something listed that you don’t remember installing?

If that did not solve the problem, you can try FreeFixer, a tool that I’ve been working on for quite some time now. FreeFixer is a tool designed to help users manually identify and remove unwanted software, such as the adware that’s running on your machine. Basically it scans the processes running on your machine, browser add-ons, startups, scheduled tasks, recently modified files, and lots of other locations. FreeFixer is freeware and its removal feature is not crippled like many other cleaners out there. If FreeFixer solved your problem, I’d appreciate it a lot if you let your friends know about the tool.

Tip: If you are having difficulty figuring out whether a file or setting in FreeFixer’s scan result is legitimate or if it should be removed, please check out the information shown on the More Info page. It will show a VirusTotal report which can be quite useful when trying to determine whether to keep or remove a file.

The More Info link opens a VirusTotal report.

Hope you found this useful and that it helped you with the consumers-response.org removal.

What adware did you remove to stop the consumers-response.org pop-ups on your computer? Please share by posting a comment below. That will help other users in the same situation. Thank you very much!

Box Rock Ads Removal Instructions

Hello readers. Another day, another blog post. I just found another bundled adware named Box Rock this morning and wanted to give you some removal instructions. This seems to be a variant of CrossRider that I’ve previously written about. If the Box Rock adware is running on your computer, you will find floating ads labeled Powered by Box Rock, ads labeled Box Rock Ads in Google’s search results and a new add-on added in Internet Explorer and Mozilla Firefox called Box Rock. Chrome seems to have remained clean. I’ll show how to remove Box Rock in this blog post with the FreeFixer removal tool.

Box Rock ads in Google search results powered by Box Rock ad

Here’s BoxRock in Mozilla Firefox’s add-on menu:

Box Rock firefox add-on

Box Rock is distributed by a strategy called bundling. Bundling means that a piece of software is included in other software’s installers. When I first found Box Rock, it was bundled with GoForFiles. Here’s one example of how it appears in the GoForFiles installer.

Box Rock bundled in GoForFiles

Generally, you can avoid bundled software such as Box Rock by being careful when installing software and declining the bundled offers in the installer.

When I stumble upon some new bundled software I always upload it to VirusTotal to test if the anti-malware scanners there find something. 7 of the anti-virus scanners detected the file. The Box Rock files are detected as BrowseFox.F by AVG, Trojan.BPlug.144 by DrWeb and PUP.Optional.BoxRock.A by Malwarebytes.

BoxRock virustotal: BrowseFox

If you would like to remove Box Rock you can do so with the freeware FreeFixer tool. Select the Box Rock files for removal in FreeFixer, click Fix, reboot your system and the problem will be gone. Here are a few screenshots to point you in the right direction:

Box Rock removal firefox Box Rock Internet Explorer removal of BoxRockBho.dll

Hope that helped you to figure out how to do the removal.

Any idea how BoxRock was installed on your computer? Please share your story in the comments below. Thanks a bunch!

Thanks for reading!

Verti Technology Group, Inc. – 33% Detection Rate by VirusTotal

Hello! Just a note on a publisher called Verti Technology Group, Inc. The Verti Technology Group, Inc. download that I found yesterday – MediaPlayerClassic_RocketFuelInstaller.exe – was detected when I uploaded it to VirusTotal. Did you also find a download by Verti Technology Group, Inc.? Was it also detected when you uploaded it to VirusTotal?

Verti Technology Group, Inc

You can see who the signer is when double-clicking on an executable file. Verti Technology Group, Inc. appears in the publisher field in the dialog that pops up. To view more information about the certificate you can right-click on the file, then choose Properties and then select the Digital Signatures tab. According to the certificate we can see that Verti Technology Group, Inc. is located in BelleVue, USA and that the certificate is issued by VeriSign Class 3 Code Signing 2010 CA.

Verti Technology Group certificate

Adware.Downware.8721, Riskware/Verti, PUP.Optional.Rocketfuel, Artemis and Rocketfuel Installer (fs) are some detection names according to VirusTotal:

Verti Technology Group Inc VirusTotal report

Did you also find a file digitally signed by Verti Technology Group, Inc.? What kind of download was it and where did you find it?

Thank you for reading.

How To Remove Support TW 1.1

Hello there and welcome to the FreeFixer blog. Did something named Support TW 1.1 appear on your machine? If Support TW 1.1 is installed and running on your machine, you’ll see it listed in the Add/Remove programs dialog. I’ll show how to remove Support TW 1.1 in this blog post with the FreeFixer removal tool in case the Add/Remove programs uninstall fails.

Support TW 1.1 uninstall

Support TW 1.1 is bundled in other software’s installers. When I found Support TW 1.1 this morning, it was bundled with a download promoted at The Pirate Bay.

Since you probably want to remove Support TW 1.1, these are the items you should check for removal if you want to remove it with FreeFixer. A restart of your machine might be required to complete the removal.

support TW remove dll Support TW appinit_dll

Hope this helped you remove Support TW 1.1.

Did you also get Support TW 1.1 from a Pirate Bay download? Please share in the comments below. Thanks!

And, if you also see something called TinyWallet, remove that one as well 😉

Thank you for reading and welcome back.

“Flash Video Downloader is required to download online video”

Are you getting a message saying

“Flash Video Downloader is required to download online video”

while browsing the web?

Flash Video Downloader is required to download online video

Well, this is another misleading advert, hosted at hdpluginnow.com. If you download the “Flash Video Downloader” you will get a file called FlashPlayer__6741_i1387048386_il2537.exe digitally signed by Shetef Solutions & Consulting. Now all of a sudden it’s not a downloader, but a “Flash Player” 🙂 That file is detected by many of the anti-virus programs, so don’t run it.

Did you also see this error message? Did it also appear on hdpluginnow.com?

Shetef Solutions & Consulting (1998) Ltd. – 25% Detection Rate

Good evening! Lately I’ve been looking at the digital signatures on those files that push various types of unwanted programs. Right now I found a new file called FlashPlayer__6741_i1387048386_il2537.exe, digitally signed by Shetef Solutions & Consulting (1998) Ltd.

Shetef Solutions Consulting 1998 Ltd Publisher

You can also look at the Shetef Solutions & Consulting (1998) Ltd. certificate and digital signature by looking under the Digital Signatures tab on the file’s properties. According to the certificate, Shetef Solutions & Consulting (1998) Ltd. is located in Rannana, Israel. The certificate appears to be relatively new. Its validity began on the 13th of October.

Shetef Solutions certificate, Rannana, Israel

The issue here is that if FlashPlayer__6741_i1387048386_il2537.exe really was an installer file for Flash Player, it should have been digitally signed by Adobe Systems Incorporated and not by some unknown company. This looks suspicious.

The VirusTotal report shows that the Shetef Solutions & Consulting (1998) Ltd. file should be avoided, since FlashPlayer__6741_i1387048386_il2537.exe is detected as Adware.Downware.8876 by DrWeb, Gen:Variant.Graftor.161610 by F-Secure and PUP.Optional.Amonetize by Malwarebytes.

Shetef Solutions & Consulting (1998) Ltd. virustotal report

Since the download was detected I decided to give it a try to see what it installed. During my test I could see Wajam, Salus – Net Protector and My Start Search install on my lab machine.

Did you also find a file digitally signed by Shetef Solutions & Consulting (1998) Ltd.? What kind of download was it and where did you find it?

Thanks for reading.

How To Remove enh.guzzlepraxiscommune.com Pop-Up Ads

Getting pop-ups from enh.guzzlepraxiscommune.com? If those pop-ups also sneak through the built-in pop-up blockers in Chrome, Firefox and Internet Explorer, you most likely have some adware installed on your machine. I’ll give some advice on how to remove the enh.guzzlepraxiscommune.com pop-up in this blog post.

enh.guzzlepraxiscommune.com pop-up

The enh.guzzlepraxiscommune.com removal is pretty straightforward: I uninstalled the adware that was installed on my machine with help from the FreeFixer removal tool. The adware were BlockAndSurf, Browser Warden and Tiny Wallet. In my case, BlockAndSurf was responsible for the pop-ups. Please keep in mind that the enh.guzzlepraxiscommune.com pop-ups can be launched by other variants of adware. I think Safer-Surf and CheckMeUp, SpeedCheck and Salus can also be responsible for the pop-ups.

Tip: If you are having trouble determining whether a file or setting in FreeFixer’s scan result is good or bad, please have a look at the information shown on the More Info page, which appears when clicking on the More Info link as shown in the screenshot below. It will show a VirusTotal scan which can be useful when trying to determine whether to keep or remove the file.

FreeFixer More Info opening up the info page for Skype_setup.exe
The More Info link in FreeFixer opens a VirusTotal report.

Hope that stopped the enh.guzzlepraxiscommune.com pop-ups on your machine.

What adware did you uninstall on your machine to get rid of the enh.guzzlepraxiscommune.com ads? Thank you very much for sharing and helping other users in the same situation.

Thank you for reading and welcome back! I’m going to follow up this one with more info later today or tomorrow.

Update 2014-10-30: Below is the full URL for the pop-up when I spotted it in Chrome. It mentions the datropy.com domain (wkj.datropy.com) and also sends the name of the adware to the server, in this case SaferSurf. The URL also contains www.google.se, which was the web site I was visiting when the pop-up appeared, and WhiteLabelBidRequestHandlerServlet, indicating that something in the back-end is written in Java.

http://enh.guzzlepraxiscommune.com/sd/dw32.html?u=http%3A%2F%2Fwkj.datropy.com%2FWhiteLabelBidRequestHandlerServlet%3Foid%3D1%26width%3D1%26height%3D100%26pubid%3D9050%26tagid%3D5771%26noaop%3D1%26revmod%3DCRD%26cb%3Dcybabw%26encoded%3D1%26cirf%3Dhttps%3A%2F%2Fwww.google.se%2F%26pstn%3D90505771&p=SaferSurf&a=&c=9050-5771&b=chrome&bv=37&t1=1414676170615&tt=1414676170615&r=www.google.se&ua=0&n=convertmedia&sn=&mpa=0&mp=0
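
The fields mentioned in the update can be pulled out of that URL programmatically, which helps when checking browser history or proxy logs for the adware name. The Python below is an added example, not part of the original post; the function names are illustrative, and reading b/bv as browser and version and cirf as the referring page is an assumption based on the values.

```python
from urllib.parse import urlsplit, parse_qs

# Pop-up URL quoted in the post above (split across lines only for width).
POPUP_URL = (
    "http://enh.guzzlepraxiscommune.com/sd/dw32.html?u=http%3A%2F%2Fwkj.datropy.com"
    "%2FWhiteLabelBidRequestHandlerServlet%3Foid%3D1%26width%3D1%26height%3D100"
    "%26pubid%3D9050%26tagid%3D5771%26noaop%3D1%26revmod%3DCRD%26cb%3Dcybabw"
    "%26encoded%3D1%26cirf%3Dhttps%3A%2F%2Fwww.google.se%2F%26pstn%3D90505771"
    "&p=SaferSurf&a=&c=9050-5771&b=chrome&bv=37&t1=1414676170615&tt=1414676170615"
    "&r=www.google.se&ua=0&n=convertmedia&sn=&mpa=0&mp=0"
)

def _first(qs, key):
    """First value of a query parameter, or '' when absent or blank."""
    return qs.get(key, [""])[0]

def triage_popup_url(url):
    """Pull out the fields that help identify what launched the pop-up."""
    outer = urlsplit(url)
    q = parse_qs(outer.query, keep_blank_values=True)
    # parse_qs percent-decodes 'u' once, which yields the nested bid-request URL.
    inner = urlsplit(_first(q, "u"))
    iq = parse_qs(inner.query, keep_blank_values=True)
    return {
        "popup_host": outer.hostname,
        "adware_name": _first(q, "p"),           # adware name, per the post
        "page_visited": _first(q, "r"),          # site being browsed, per the post
        "browser": (_first(q, "b") + " " + _first(q, "bv")).strip(),  # assumed meaning
        "ad_backend_host": inner.hostname,       # None when there is no nested URL
        "ad_backend_path": inner.path,
        "backend_referrer": _first(iq, "cirf"),  # assumed meaning
    }

def adware_seen(urls):
    """Adware names reported across a list of URLs, e.g. from browser history."""
    hits = (triage_popup_url(u) for u in urls)
    return sorted({h["adware_name"] for h in hits
                   if h["adware_name"] and h["ad_backend_host"]})

if __name__ == "__main__":
    for field, value in triage_popup_url(POPUP_URL).items():
        print(f"{field:17} {value}")
```

The value of adware_name is the entry to look for in Add/Remove programs and in the browser's add-on list.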

Based on the traffic I’m getting to this blog post it appears that there’s a large number of users having problems with the enh.guzzlepraxiscommune.com pop-ups. The Alexa traffic rank today shows that the enh.guzzlepraxiscommune.com site has reached a global rank of 26153 in just a few days.

guzzlepraxiscommune.com traffic rank

Remove “Powered by HQ-Video-Pro-2.1cV26.10” Ads in Google Search results

Hello readers. Welcome to the blog. Did something called HQ-Video-Pro-2.1cV26.10 appear on your computer? HQ-Video-Pro-2.1cV26.10 seems to be a variant of CrossRider that I’ve talked about previously. If the HQ-Video-Pro-2.1cV26.10 Adware is installed on your computer, you will find ads labeled powered by HQ-Video-Pro-2.1cV26.10 in Google’s search results. I’ll show how to remove HQ-Video-Pro-2.1cV26.10 in this blog post with the FreeFixer removal tool.

powered by hq-video-pro-2.1

Here’s HQ-Video-Pro-2.1cV26.10 in Firefox’s add-on menu:

hq-video-pro-2.1v26 in mozilla firefox

HQ-Video-Pro-2.1cV26.10 is bundled with other software. Bundled means that it is included in another software’s installer.

You can remove HQ-Video-Pro-2.1cV26.10 with the FreeFixer removal tool. Just select the HQ-Video-Pro-2.1cV26.10 files as shown in the screen dumps below. You may have to restart your computer to complete the removal.

How to remove the hq-video-pro-2.1v26.10 tasks Removal of HQ-video-pro-2.1cv26 from Firefox How to remove hq video pro 2.1 in Internet Explorer

Hope this helped you solve the HQ-Video-Pro-2.1cV26.10 problem.

I stumbled upon HQ-Video-Pro-2.1cV26.10 while testing out some downloads that are known to bundle lots of unwanted software. Any idea how HQ-Video-Pro-2.1cV26.10 was installed on your machine? Please share by posting a comment. Thank you!

Thank you for reading.

“Disable developer mode extensions” Pop-Up in Chrome caused by malware.

Are you getting a pop-up from Google Chrome saying:

“Disable developer mode extensions. Extensions running in developer mode can harm your computer. If you’re not a developer, you should disable these extensions running in developer mode to stay safe.”

Disable developer mode extensions chrome

As the pop-up says, if you are a developer and working on an extension in developer mode, it’s fine.

If you are not a developer, this pop-up is an indication that you have some unwanted software on your machine that you need to remove. In my case, Chrome alerted me due to an extension called PriceLess which is often classified as adware. I think you should disable the extensions, and then get your hands dirty tracking down the unwanted software running on your machine. If you are lucky, it’s just the Chrome extension, but most likely you will see other changes and new files on your machine that you will need to remove. If you are comfortable with using a tool used to manually track down unwanted software, you can try the FreeFixer removal tool. It’s freeware.

Hope this blog post pointed you in the right direction.

What unwanted software did you find on your machine?

Thanks for reading.