Monthly Archives: October 2014

Remove “powered by SmartOnes” Ads

Hello guys and gals. As usual I was looking around on the Internet to see what is being bundled with some software downloads. This time I found something called SmartOnes. If you have SmartOnes on your computer, you’ll find new add-ons installed in Chrome, Internet Explorer and Mozilla Firefox and ads labeled powered by SmartOnes while browsing the web. I’ll show how to remove SmartOnes in this blog post with the FreeFixer removal tool.

powered by SmartOnes powered by SmartOnes banner

Here’s how SmartOnes appears in Firefox and Internet Explorer:

SmartOnes in the Firefox add-ons manager SmartOnes in the Internet Explorer add-ons menu

SmartOnes is distributed by a strategy called bundling. Bundling means that a piece of software is included in other software’s installers. When I first found SmartOnes, it was bundled with a download claiming to be an episode of the Game of Thrones TV series. Here’s how it appeared in the installer where I found it:

smartones bundled

Generally, you can avoid bundled software such as SmartOnes by being careful when installing software and declining the bundled offers in the installer.

As always when I test some new bundled software I uploaded it to VirusTotal to see if the anti-viruses there detect anything. 4 of the scanners detected the file. MultiPlug seems to be the common detection name.

smartones virustotal

The SmartOnes removal with FreeFixer is straightforward. Check all the SmartOnes items for removal and click fix. Here are a few screenshots from the removal that should help you:

smartones chrome smartones firefox remove SmartOnes Internet Explorer remove

To remove the Chrome extension, type in chrome://extensions/ in Chrome’s address bar.

Hope this helped you remove the SmartOnes adware.

Any idea how SmartOnes was installed on your computer? Please share by posting a comment. Thanks a bunch!

Thank you for reading and welcome back.

Remove HQ-Video-Pro-2.1cV22.10 Ads

Hello there and welcome to the FreeFixer blog. Did something called HQ-Video-Pro-2.1cV22.10 appear on your machine? HQ-Video-Pro-2.1cV22.10 seems to be a variant of CrossRider that I’ve written about before. If you have HQ-Video-Pro-2.1cV22.10 on your machine, you will find ads labeled powered by HQ-Video-Pro-2.1cV22.10 in Google search results. You will also see new add-ons installed in Internet Explorer and Mozilla Firefox. I’ll show how to remove HQ-Video-Pro-2.1c in this blog post with the FreeFixer removal tool.

powered by hq-video-pro-2.1

HQ-Video-Pro-2.1 firefox

HQ-Video-Pro-2.1cV22.10 internet explorer

HQ-Video-Pro-2.1c is bundled with a number of downloads. Bundling means that software is included in other software’s installers. When I first found HQ-Video-Pro-2.1cV22.10, it was bundled with a download called FlvPlayer. Generally, you can avoid bundled software such as HQ-Video-Pro-2.1c by being careful when installing software and declining the bundled offers in the installer.

As usual when I play around with some new bundled software, I uploaded it to VirusTotal to test if the anti-malware software there finds something. The detection rate is 4/54 which I’d say is pretty low. Some of the detection names for HQ-Video-Pro-2.1cV22.10 are a variant of Win64/Toolbar.Crossrider.L, PUP.Optional.HQVideo.A and Crossrider (fs). The file is signed by “Radon Battery Technologies“.

HQ-Video-Pro-2.1cV22.10 virustotal

The HQ-Video-Pro-2.1cV22.10 removal with FreeFixer is pretty straightforward. Check all the HQ-Video-Pro-2.1cV22.10 files/settings for removal and click fix. Here are a few screenshots from the removal that should help you:

HQ-Video-Pro-2.1cV22.10 internet explorer remove HQ-Video-Pro-2.1cV22.10 firefox remove

Hope this helped you remove the HQ-Video-Pro-2.1cV22.10 Adware.

Any idea how you got HQ-Video-Pro-2.1cV22.10 on your computer? Please share in the comments below. Thanks a bunch!

Hope you found this useful. Thanks for reading.

Update 2014-10-24: Found another variant called HQ-Video-Pro-2.1cV23.10.

Update 2014-10-25: Another variant: HQ-Video-Pro-2.1cV24.10.

Seems like the version number is updated every day. So I’ll assume we will see the following variants shortly:

  • HQ-Video-Pro-2.1cV25.10
  • HQ-Video-Pro-2.1cV26.10
  • HQ-Video-Pro-2.1cV27.10
  • HQ-Video-Pro-2.1cV28.10
  • HQ-Video-Pro-2.1cV29.10
  • HQ-Video-Pro-2.1cV30.10
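
Because the suffix changes daily, a check that looks for one exact name misses the next day's variant. The PowerShell sketch below is an added example, not part of the original post or of FreeFixer: it matches the whole family by its `V<day>.<month>` stamp. The function name and the sample list are hypothetical, and the reading of the suffix as day and month is an inference from the names listed above.

```powershell
# Added example: match the HQ-Video-Pro-2.1c family regardless of its daily stamp.
# Assumption: the suffix is V<day>.<month>, as the names on this page suggest.
$FamilyPattern = '^HQ-Video-Pro-2\.1c(?:V(?<day>\d{1,2})\.(?<month>\d{1,2}))?$'

function Find-HqVideoProVariant {
    param([Parameter(Mandatory)] [string[]] $Name)

    foreach ($n in $Name) {
        if ($n -match $FamilyPattern) {
            $stamp = $null
            if ($Matches.ContainsKey('day')) {
                $day   = [int]$Matches['day']
                $month = [int]$Matches['month']
                # Keep the stamp only when it is a plausible calendar day and month.
                if ($day -ge 1 -and $day -le 31 -and $month -ge 1 -and $month -le 12) {
                    $stamp = '{0:D2}.{1:D2}' -f $day, $month
                }
            }
            [pscustomobject]@{ Name = $n; DateStamp = $stamp }
        }
    }
}

# Constructed add-on names for the demo; only the first two appear on this page.
$sample = @(
    'HQ-Video-Pro-2.1cV22.10',
    'HQ-Video-Pro-2.1cV27.10',
    'HQ-Video-Pro-2.1cV03.11',
    'Some Other Add-on'
)
Find-HqVideoProVariant -Name $sample | Format-Table -AutoSize
```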

Fileangels – Detected as IBryte and OptimunInstaller

Welcome! Just a note on a publisher called Fileangels. The Fileangels download – setup.exe – was detected when I uploaded it to VirusTotal. Did you also find a download by Fileangels? Was it also detected when you uploaded it to VirusTotal?

This is how Fileangels appears when running the file:

fileangels publisher

By looking at the certificate we can see that Fileangels appears to be located in Kansas City, USA.

Fileangels certificate

The reason I’m writing this blog post is that the Fileangels file is detected by some of the anti-malware scanners at VirusTotal. AVG detects setup.exe as AdPlugin.BNR, Fortinet detects it as W32/Zbot.AAN!tr, Kaspersky detects it as Trojan.Win32.Badur.jukw, Malwarebytes reports PUP.Optional.OptimunInstaller and McAfee detects it as IBryte-FRT. In addition, the Fileangels download was also promoted as a “Java Update”.

fileangels virustotal ibryte

Did you also find a file digitally signed by Fileangels? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Thanks for reading.

Astro Delivery (Fried Cookie Ltd.) – 4% Detection Rate

Welcome! If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. Today I found another publisher called Astro Delivery (Fried Cookie Ltd.).

Astro Delivery Fried Cookie Ltd. publisher

You can also check the digital signature under the file’s properties. According to the certificate we can see that Astro Delivery (Fried Cookie Ltd.) is located in Tel Aviv, Israel and that the certificate is issued by GlobalSign CodeSigning CA – G2. The certificate is pretty new: its validity period started yesterday, on the 21st of October.

Astro Delivery Fried Cookie Ltd certificate

One issue here, and this could perhaps be one of the reasons why a few anti-virus programs have chosen to detect the file, is that Skype_Setup.exe is not an official Skype download. If it was, it would be digitally signed by Skype Software Sarl.
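
The same check can be scripted instead of read from the file's properties dialog. The PowerShell function below is an added example, not from the original post: it reads the Authenticode signature, compares the signer with the publisher you expect, and reports the certificate's city, issuer and age. The function name, the 30-day threshold and the file path are assumptions.

```powershell
# Added example: compare a download's Authenticode signer with the expected publisher.
function Test-DownloadSigner {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher,
        [int] $YoungCertDays = 30   # assumed threshold for a "pretty new" certificate
    )
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $sig   = Get-AuthenticodeSignature -LiteralPath $Path
    $cert  = $sig.SignerCertificate
    $notes = @()

    $publisher = $null; $issuer = $null; $city = $null; $ageDays = $null
    if ($null -eq $cert) {
        $notes += 'file carries no Authenticode signature'
    } else {
        $publisher = $cert.GetNameInfo($nameType, $false)   # subject (signer) name
        $issuer    = $cert.GetNameInfo($nameType, $true)    # issuing CA name
        # The L= field of the subject holds the city shown in the certificate dialog.
        if ($cert.Subject -match '(?:^|,\s*)L=([^,]+)') { $city = $Matches[1].Trim() }
        $ageDays = [math]::Floor(((Get-Date) - $cert.NotBefore).TotalDays)
        if ($ageDays -lt $YoungCertDays) { $notes += "certificate validity started $ageDays day(s) ago" }
    }
    if ($sig.Status -ne 'Valid') { $notes += "signature status: $($sig.Status)" }

    $publisherOk = ($null -ne $publisher) -and ($publisher -eq $ExpectedPublisher)
    if (-not $publisherOk) { $notes += "signer '$publisher' is not '$ExpectedPublisher'" }

    [pscustomobject]@{
        File = $Path; Status = $sig.Status; Publisher = $publisher; City = $city
        Issuer = $issuer; CertAgeDays = $ageDays; PublisherOk = $publisherOk
        Notes = $notes -join '; '
    }
}

# Skype_Setup.exe is the file name from the post; the path here is a placeholder.
$file = '.\Skype_Setup.exe'
if (Test-Path -LiteralPath $file) {
    Test-DownloadSigner -Path $file -ExpectedPublisher 'Skype Software Sarl' | Format-List
}
```

The comparison is an exact match on the signer's display name, so pass the publisher string exactly as the official vendor's certificate shows it.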

The scan result from VirusTotal below shows that only 4% of the antivirus programs detect the Astro Delivery (Fried Cookie Ltd.) file. It is detected under names such as a variant of Win32/InstallCore.QH and Riskware.Win32.InstallCore.dfgoti. It will be interesting to see if other anti-virus scanners choose to follow ESET and NANO.

astro delivery fried cookie ltd virustotal report

Did you also find an Astro Delivery (Fried Cookie Ltd.) file?

Thanks for reading.

Remove icf.unbentdilativecutpurse.com Pop-Up Ads

Hello folks, just a quick post before dinner. Are you getting pop-up ads from icf.unbentdilativecutpurse.com? I’m sorry to say this, but you may have some adware installed on your machine. Here’s what the pop-up looked like when I was browsing with Mozilla Firefox. The pop-up can probably appear in Chrome and Internet Explorer too.

icf.unbentdilativecutpurse.com pop-up

Anyway, the icf.unbentdilativecutpurse.com removal is pretty straightforward. I scanned the computer with FreeFixer and uninstalled an adware called Salus and the icf.unbentdilativecutpurse.com pop-ups were gone. It’s possible that these pop-up ads can be launched by variants of Salus or by other types of unwanted software on your machine. Did you have to remove something other than Salus? Please share in the comments below.

Hope this helped you remove icf.unbentdilativecutpurse.com.

Thanks for reading.

Now, dinner..

Back again.. I checked the WHOIS database hoping to find some useful stuff about unbentdilativecutpurse.com, but the unbentdilativecutpurse.com domain is protected by WhoisGuard, Inc. The domain was created 2014-08-14, and the whois record was updated today.

unbentdilativecutpurse.com whois

icf.unbentdilativecutpurse.com resolves to the following IP addresses:

  • 37.58.101.200
  • 37.58.101.203
  • 37.58.101.204
  • 37.58.101.205

Update 2014-10-23: I noticed the same pop-up while testing some other bundled software. One of them is responsible for the pop-up. My guess is Safer-Surf:

Update 2 2014-10-23: I just noticed that some of the pop-up ads were labeled “Ads by BlockAndSurf“. If your pop-up is labeled like this, removing BlockAndSurf will probably solve the problem.

icf.unbentdilativecutpurse.com pop-up ad labeled "Ads by BlockAndSurf"

Update 2014-10-24: Found the same pop-up, but this time labelled “Ads by SpeedCheck“. Uninstalling SpeedCheck may solve the problem.

Ads by SpeedCheck

Update 2014-10-25: I tested loading the BlockAndSurf adware on my lab machine again, and it’s still popping up the icf.unbentdilativecutpurse.com web site. Have you found a way to stop the icf.unbentdilativecutpurse.com pop-ups? Please share in the comments below.

Update 2 2014-10-25: Found another icf.unbentdilativecutpurse.com pop-up. This time labeled “Ads by salus“. If you have the Salus Adware installed on your machine, uninstall it. That might solve the problem.

Ads by salus - icf.unbentdilativecutpurse.com pop-up

Update 2014-10-27: I’m no longer getting this pop-up, instead it is loaded from enh.guzzlepraxiscommune.com.

a.sendads.net Pop-Up Ads Removal Instructions

Did you suddenly start to get pop-up ads loaded from a.sendads.net? Even from web sites that normally do not have any ads? If so, you might have some adware installed on your machine. I thought I should write a short post about it since pop-ups are usually the first sign of some unwanted software running on a user’s computer. Hopefully I can also help you with the removal.

a.sendads.net Pop-Up in Firefox

In my case, I got lots of pop-ups loading from a.sendads.net, which then redirected to some other site. If I remember it correctly, it showed some type of casino ad. The ads appeared while I was using Mozilla Firefox, but they can probably also appear if you are browsing the web with Google Chrome and Microsoft Internet Explorer. The built-in pop-up blockers did not stop the ads.

The sendads.net site seems to be serving quite a lot of ads. Just check out the traffic ranking from Alexa:

a.sendads.com traffic rank

Based on the graph, it appears that traffic has increased from August until now. sendads.net is now ranked at place 1999 in the States.

So, how about the a.sendads.net removal? I removed the a.sendads.net pop-ups by inspecting my machine with the FreeFixer removal tool and removing the adware that was installed on my machine. The adware were Salus and TinyWallet. I’m not sure which one of them launched the pop-ups. However, please keep in mind that there are a bunch of variants of adware out there. Some of them are probably also popping up ads from sendads.net.

Did you have to remove some additional software to get rid of the pop-ups? Please share with the other readers of this blog by posting a comment.

Thanks for reading! Hope this helped you fix the a.sendads.net pop-up problem.

Remove supermarktquiz.com Survey Pop-Ups

Recently I started to examine the various types of ads that are launched by adware or other types of unwanted software installed on users’ machines. Today I noticed a pop-up “survey” from supermarktquiz.com as you can see in the screenshot below. I think it is important to document these pop-ups and the domains that host them since it is usually the first sign of an adware infection that users see.

supermarktquiz.com pop-up survey

Typically, these pop-up surveys try to give the impression that they are launched by the web site that the user was currently browsing, often by quoting the domain name. In my case, I was visiting the 4shared site, and suddenly a “4shared survey” popped up. But the pop-up ads were in fact launched by the adware running on my machine.

So how can you remove the supermarktquiz.com pop-ups? I removed it by uninstalling the adware that was running on my machine. The adware were TinyWallet, ProtectedBrowsing and BlockAndSurf. I used the freeware tool FreeFixer to remove them.

I think that the supermarktquiz.com survey pop-ups can be triggered by other variants of adware as well, so keep that in mind when tracking down the unwanted software. Did you have to uninstall something other than the 3 adware programs mentioned above? Please post a comment to help other users in the same situation.

supermarktquiz.com resolves to the 209.236.113.247 IP address which appears to be a dedicated server. The supermarktquiz.com domain is attracting quite a lot of traffic, just check out the Alexa traffic rank:

supermarktquiz.com traffic rank

Thanks for reading.

Remove websearch.searc-hall.info from Firefox, Chrome and Internet Explorer

Found an installer this morning that claimed it would change many of my browser settings to websearch.searc-hall.info, but instead it changed them to websearch.searchfix.info. Perhaps due to a programming error or perhaps on purpose. I don’t know.

websearch.searc-hall.info in firefox

You can remove the websearch.searc-hall.info hijack, or websearch.searchfix.info, with FreeFixer. You can also use the Reset Browser feature in Chrome, Firefox and Internet Explorer to restore your browsers to the default state.

Thanks for reading.

Green Tech Software LLC – Detected as InstallBrain – 37% Detection Rate

Hello! If you are a regular visitor here on the FreeFixer blog you know that I’ve been looking at the certificates used to sign files that bundle various types of potentially unwanted software. Today I found another certificate, used by a publisher called Green Tech Software LLC.

Green Tech Software LLC publisher in the User Account Control

This is how it looks when double-clicking on the file and Green Tech Software LLC appears as the publisher. You can also see the Green Tech Software LLC certificate by looking under the Digital Signature tab on the file’s properties. According to the certificate, Green Tech Software LLC is located in Beaverton, Oregon, USA.

Green Tech Software LLC certificate for the Softango downloader

The download I found was the “Softango Downloader“. It downloads some third party software, in my case a Zip program, and during the installation process, it offers to install additional software.

The reason for posting about Green Tech Software LLC is that the file is detected by many of the anti-virus programs. F-Secure reports SoftangoDownloader_Zip.exe as Application.Bundler.InstallBrain, Malwarebytes detects it as PUP.Optional.Softango.A and VIPRE classifies it as InstallBrain (fs). The detection rate is 37%.

Green Tech Software virus total report: InstallBrain, Eldorado, etc

I decided to run the Green Tech Software LLC signed file, and it offered four additional programs called Speed Test, PC Performer, UnknownFile and MyPC Backup in the installer.

Green Tech Software bundle list

Since you probably came here after finding a file that was signed by Green Tech Software LLC, please share what kind of download it was and if it was reported by the anti-malware software at VirusTotal.

Hope this blog post helped you avoid some potentially unwanted software on your machine.

Thank you for reading.