Monthly Archives: October 2014

Advertiso GmbH – 15% Detection Rate at VirusTotal

October 6, 2014digital signatureInstallCoreRoger Karlsson

Found another software publisher that bundles lots of potentially unwanted software. The publisher is called Advertiso GmbH and the file was called adobe-flash-player_setup.exe.

When I uploaded the file to VirusTotal, it came up with a 15% detection rate.

InstallCore seems to be the common detection name for the Advertiso GmbH file.

When I ran the Advertiso GmbH file it offered a bunch of bundled softwares, such as Web Finder Pro (Site Finder Pro), AdvanceElite, AstroMenda, PennyBee, etc. An in addition, it failed to install Adobe’s Flash Player, with the error “Installation encountered errors“:

Hope this helped figure out what the Advertiso GmbH installer will do to your system.

If you want to download the Flash Player, please do so from Adobe’s official web site:

http://get.adobe.com/flashplayer/

Did you also find a file from Advertiso GmbH? What kind of download was it? Was it also detected by the anti-virus programs at VirusTotal? Please share in the comments below?

Update 2015-09-10: Found another download signed by Advertiso called chrome_download.exe. The detection rate for that file is 20%:

PennyBee.exe and PennyBeeW.exe – Adware Removal Instructions

October 6, 2014Uncategorizedartemis, fake flash software, LinkuryRoger Karlsson

Just wanted to write a short blog post before going back to programming. Today I wanted to talk about an adware called PennyBee and thought I should give you some removal instructions. PennyBee appears to be a variant of the Linkury adware. If PennyBee is running on your system, you will spot PennyBee.exe and PennyBeeW.exe running in the Windows Task Manager and a new service installed, triggered to run PennyBee.exe. I’ll show how to remove PennyBee in this blog post with the FreeFixer removal tool.

PennyBee is bundled with other software. Bundled means that it is included in another software’s installer. When I first found PennyBee, it was bundled with a software download named an unofficial Flash Player download. This is how PennyBee was disclosed in the unofficial Flash Player download’s installer when I found it.

Generally, you can avoid bundled software such as PennyBee by being careful when installing software and declining the bundled offers in the installer.

When I find some new bundled software I normally upload it to VirusTotal to test if the anti-virus progams there find something. Of the 54 anti-virus scanners, 26 detected the file. Some of the detection names for PennyBee are a variant of MSIL/Toolbar.Linkury.H, Artemis and Adware.Linkury (fs).

Since you probably want to remove PennyBee, these are the files you should check for removal if you want to remove it with FreeFixer. You might have restart your machine to complete the removal. Problem fixed.

Hope that helped you with the removal.

Any idea how PennyBee was installed on your machine? Please share by posting a comment. Thank you!

Thanks for reading!

Remove Cantataweb – Adware Removal Instructions

October 6, 2014adware, freefixerAltbrowse, BrowseFox, New IT LimitedRoger Karlsson

Welcome! Found another adware called Cantataweb right now. This appears to be yet another variant of BrowseFox/AltBrowse that I’ve previously written about. According to the other anti-malware bloggers, Cantataweb has been around since August 2014.

If you got Cantataweb installed on your computer, you will see new add-ons added in Mozilla Firefox and Internet Explorer and a folder called Cantataweb added under the Programs Files folder. I’ll show how to remove Cantataweb in this blog post with the FreeFixer removal tool.

Cantataweb is bundled with a number of downloads. Bundling means that software is included in other software’s installers. When I first found Cantataweb, it was bundled with a software download claiming to be an episode of the Game of Thrones TV show. The download was digitally signed by New IT Limited.

Generally, you can avoid bundled software such as Cantataweb by being careful when installing software and declining the bundled offers in the installer.

As usual when I stumble upon some new bundled software I uploaded it to VirusTotal to test if the anti-malwares there find anything suspicious. 40 of the scanners detected the file which is a pretty good detection rate. The Cantataweb files are detected as Win32:BrowseFox-AW [PUP] by Avast, Application.Win32.Altbrowse.AK by Comodo, a variant of Win32/BrowseFox.F by ESET-NOD32 and PUP.Optional.Cantataweb.A by Malwarebytes.

You probably came here looking for removal instructions for Cantataweb and you can do so with the FreeFixer removal tool. Just select the Cantataweb files/settings as the screenshots below shows. A reboot of your computer may be required to complete the removal. Problem solved.

Hope this helped you remove the Cantataweb adware.

Do you also have Cantataweb on your system? Any idea how it was installed? Please let me and the readers know by posting a comments. Thank you!

Hope you found this useful and thanks you for reading.

How to remove ProtectedBrowsing adware

October 4, 2014adware, freefixerGeneric.D4CRoger Karlsson

Just wanted to write a short post before going back to coding on FreeFixer. Found another adware called ProtectedBrowsing right now.

If ProtectedBrowsing is installed on your machine, you will find ads labeled Ad by ProtectedBrowsing and green links inserted into web pages saying Click to Continue by ProtectedBrowsing.

You will also see a notification message from the system tray saying Proxy Protection Enabled and an icon in the system tray. New processes will appear in the Windows Task Manager: bservice.exe, bservice64.exe, wd.exe, pwdg.exe and proc.exe. ProtectedBrowsing also adds a new entry “54.204.28.26 baefoldjnepdncjikpmjiamfbjgicfol” in the HOSTS file. I’ll show how to remove ProtectedBrowsing in this blog post with the FreeFixer removal tool.

ProtectedBrowsing also installs add-ons in your browsers. Here’s two screenshots showing the adware in Chrome and Firefox:

ProtectedBrowsing is bundled with a number of downloads. Bundling means that software is included in other software’s installers.

Generally, you can avoid bundled software such as ProtectedBrowsing by being careful when installing software and declining the bundled offers in the installer.

When I test some new bundled software I always upload it to VirusTotal to test if the anti-virus scanners there find something fishy. I uploaded FrameworkBHO.dll which is digitally signed by Gratifying Apps. The detection rate is very low. Only 1 of the scanners detected the file. AVG names ProtectedBrowsing as Generic.D4C.

Removing ProtectedBrowsing is pretty easy with FreeFixer. Here’s a few screenshots from the removal that should help you: A restart of your system may be required to complete the removal. Problem fixed.

To remove the ProtectedBrowsing Chrome extension, open up the Settings menu in Chrome and click on Extensions in the left pane.

Hope this helped you remove the ProtectedBrowsing adware.

Do you also have ProtectedBrowsing on your machine? Any idea how it installed? Please share your story the comments below. Thanks!

Thanks for reading!

Remove Ads by CheckMeUp

October 3, 2014adware, freefixerAddLyrics, OutBrowse, RevizerRoger Karlsson

Hello there and welcome to the FreeFixer blog. Just a short post on an adware called CheckMeUp. If the CheckMeUp adware is installed on your machine, you’ll find ads labeled “Ads by CheckMeUp”, a new add-on named CheckMeUp added into Internet Explorer and Firefox and a process called CheckMeUp.exe running in the Windows Task Manager. I’ll show how to remove CheckMeUp in this blog post with the FreeFixer removal tool.

Here’s how CheckMeUp shows up in Firefox and Internet Explorer:

CheckMeUp is distributed by a tactic called bundling. Bundling means that a piece of software – in this case CheckMeUp – is included in other software’s installers. When I first found CheckMeUp, it was bundled with a download called FLV Player by OutBrowse.

Generally, you can avoid bundled software such as CheckMeUp by being careful when installing software and declining the bundled offers in the installer.

When I find some new bundled software I usually upload it to VirusTotal to see if the anti-malware tools there detect something. 3 of the 55 anti-virus scanners detected the file. The CheckMeUp.exe file is detected as AddLyrics by Sophos and Revizer (fs) by VIPRE.

Since you probably want to remove CheckMeUp, these are the items you should check for removal if you want to remove it with FreeFixer. You might have to restart your machine to complete the removal. Problem taken care of.

Hope that helped you to figure out how to do the removal.

Any idea how CheckMeUp was installed on your computer? Please let me and the readers know by posting a comments. Thank you!

Thanks for reading. Welcome back!

Update 2014-12-06: CheckMeUp is now using files named webinstrNewH.sys, 184_x64.dll and 184.dll.

Websearch.searchfix.info Hijack Removal Instructions

October 3, 2014UncategorizedRoger Karlsson

Just a quick post on the Websearch.searchfix.info hijack. You can remove Websearch.searchfix.info from Internet Explorer and Mozilla Firefox by selecting the following items in FreeFixer:

If that did not completely remove Websearch.searchfix.info you use can the Reset Feature in your browsers.

Thanks for reading.

What is Rich Media Player?

October 2, 2014UncategorizedRoger Karlsson

Did you find something called Rich Media Player and wonder where it came from? It might have been installed on your machine in a software bundle. Here’s how the Rich Media Player was disclosed in an installer for another program:

Here’s how the Rich Media Player icon and user interface looks like:

According to the EULA, Rich Media Player may show

“offers and/or advertisements.”

None of the the 54 anti-virus programs at VirusTotal is detecting the rmhelper.exe file:

Hope that helped you figure out how Rich Media Player was installed on your machine.

Thanks for reading.

What is Music Search App for Internet Explorer and Mozilla Firefox?

October 1, 2014UncategorizedSearchSuiteRoger Karlsson

Did you find a program called “Music Search App” on your computer and wonder what it is? Music Search App is a toolbar and “search settings protector” for Firefox and Internet Explorer.

How did you get it on your machine? Perhaps through bundling. Here’s a screenshot which shows jZip bundling Music App.

Some anti-virus programs are detecting Music Search App. Here’s the scan result for DatamngrCoordinator.exe:

SearchSuite appears to be the common detection name.

Will you keep or remove Music Search App? Please share by posting a comment below.

Thanks for reading.

“Ads by Sense” – Sense Adware Removal Instructions

October 1, 2014adware, freefixerCrossRider, Cyprus, Krance Development, Ni, Nicosia, Porter Studio Plus, Sara Kodama Project, Tita-nium Great MindsRoger Karlsson

Hello readers. Another day, another blog post. As usual I was looking around on the Internet to see what is being bundled with some software downloads. This time I found something called Sense. This appears to be a variant of CrossRider that I’ve previously written about.

If the Sense adware is installed on your computer, you will find banners labeled “Ads by Sense“, “Ad by Sense1“, green links added to web pages, saying “Click to Continue -> by Sense“, new add-ons added into Internet Explorer and Firefox and new processes running in the Task Manager. You’ll also see some files on your hard-drive that are digitally signed by Krance Development. I’ll show how to remove Sense in this blog post with the FreeFixer removal tool.

Sense is bundled with other software. Bundled means that it is included in another software’s installer. When I first found Sense, it was bundled with a piece of software called Free Download Manager.

As usual when I find some new bundled software I uploaded it to VirusTotal to test if the anti-viruses there find anything suspicious. CrossRider seems to be the common detection name.

The file is digitally signed by a company called Krance Development.

Removing Sense is straightforward with FreeFixer. Just select the Sense files for removal and then click the Fix button and the problem will be solved.

Hope that helped you with the removal.

Any idea how Sense was installed on your system? Please let me and the readers know by posting a comments. Thanks!

Thank you for reading.

Update 5 November 2014: The Sense adware is still being distributed. Now the files are signed by Porter Studio Plus as you can see in the screenshot from the Digital Signatures tab for the Sense-bg.exe file. According to the information in the certificate, Porter Studio Plus is located in Nicosia, Cyprus.

Update 7 Nov 2014: Now the files are signed by Sara Kodama Project. They seem to change the certificate quite often.

Update 2014-11-19: Now the files are signed by Tita-nium Great Minds. They are located in Nicosia, Cyprus.

How To Remove PriceHorse – Adware Removal Instructions

October 1, 2014adware, freefixerFirst Offerz Ltd, Montiera, PayByAdsRoger Karlsson

Hello there. As usual I was looking around on the Internet to see what is being bundled with some software downloads. This time I found something called PriceHorse. If you have PriceHorse on your system, you will see a new process called pricehorse.exe, signed by PayByAds ltd., running in the Windows Task Manager and 2 new scheduled tasks. You can also see ads labeled “Ads by Price-Horse”. I’ll show how to remove PriceHorse in this blog post with the FreeFixer removal tool.

Here’s a screenshot from the www.price-horse.com web site which shows how the PriceHorse ads look like:

PriceHorse is bundled with a number of downloads. Bundling means that software is included in other software’s installers. When I first found PriceHorse, it was bundled with a download named Free Download Manager. Here’s how it appeared in the Free Download Manager installer where I found it:

The EULA refers to the software as Price-Horse instead of PriceHorse. The EULA also mention a company called First Offerz Ltd.

Generally, you can avoid bundled software such as PriceHorse by being careful when installing software and declining the bundled offers in the installer.

As usual when I stumble upon some new bundled software I uploaded it to VirusTotal to check if the antiviruses there detect something fishy. The PriceHorse.exe file is detected as PayByAds and Montiera.

Removing PriceHorse is pretty easy with FreeFixer. Just select the PriceHorse files for removal and then click the Fix button and the problem will be solved.

Hope this helped you solved the PriceHorse ad problem.

Do you also have PriceHorse on your computer? Any idea how it installed? Please share in the comments below. Thanks!

Thanks for reading. Welcome back!