Monthly Archives: November 2014

Remove qiip.net Pop-Up Ad Surveys

Does this sound familiar? You see pop-up surveys from qiip.net while browsing sites that commonly don’t advertise in pop-up windows. The pop-ups manage to get round the built-in pop-up blockers in Google Chrome, Mozilla Firefox, Internet Explorer or Safari.

Here’s what the qiip.net survey looked like when I got it on my machine:

qiip.net pop-up

If this description sounds like your story, you probably have some adware installed on your computer that pops up the qiip.net surveys. I’ll do my best to help you remove the qiip.net pop-ups in this blog post.

Generally, this type of survey tries to make it appear that it was initiated from the web site you were visiting, often by quoting the domain name. In my case, it talks about google.se. The surveys often claim that you will get some reward from the web site you were browsing. Sometimes the surveys are localised to your language, but often they are poorly translated. This is also true for the qiip.net survey.

Those who have been reading this blog already know this, but for new visitors: Not long ago I dedicated a few of my lab systems and intentionally installed some adware programs on them. Since then I have been following the actions on these computers to see what kinds of adverts are displayed. I’m also looking at other interesting things such as whether the adware auto-updates, or whether it downloads additional unwanted software onto the computers. I first found the qiip.net survey on one of these lab computers.

qiip.net was registered at the end of October 2014. otx.fr and zpz.fr are two domains hosted on the same IP (178.62.243.117) as qiip.net.

So, how do you remove the qiip.net pop-up survey? On the machine where I got the qiip.net ads I had TinyWallet and PriceHorse installed. I removed them with FreeFixer and that stopped the qiip.net pop-ups and all the other ads I was getting in Firefox.

TinyWallet was the adware that caused the pop-ups in my case. The pop-up was labelled “Ad by TinyWallet” in the bottom right corner of the browser, as shown in the screenshot:

qiip.net Ad by TinyWallet

What label did your pop-up ad have? Please share by posting a comment below.

The issue with this type of survey is that it can be launched by many variants of adware. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

Anyway, here’s my suggestion for the qiip.net ads removal:

The first thing I would do to remove the qiip.net pop-up survey is to examine the programs installed on the machine, by opening the “Uninstall programs” dialog. You can open this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows you can just type in “uninstall” in the Control Panel’s search field to find that dialog:
Uninstall a program search

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Uninstall a program dialog

Do you see something suspicious listed there or something that you don’t remember installing? Do you see TinyWallet? Tip: Sort on the “Installed On” column to see if something was installed about the same time as you started seeing the qiip.net pop-ups.

I think you will be able to track down and remove the adware with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the adware. FreeFixer is a freeware tool that I’ve been developing since 2006. It’s a tool designed to manually identify and uninstall unwanted software. When you’ve found the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.

FreeFixer’s removal feature is not locked like many other removal tools out there. It won’t require you to pay a fee just when you are about to remove the unwanted files.

And if you’re having problems figuring out if a file is clean or malware in FreeFixer’s scan report, click on the More Info link for the file. That will open up a web page which contains additional information about the file. On that web page, check out the VirusTotal report which can be very useful:

FreeFixer More Info link example
An example of FreeFixer’s “More Info” links.

Are you a Mac or Linux user and get the qiip.net pop-ups? What did you do to stop the pop-up in your browser? Please share in the comments below. Thank you!

Did this blog post help you to remove the qiip.net pop-up surveys? Please let me know, or tell me how I can improve this blog post.

Thank you!

Remove ash.coupbat.com Pop-Up Ads

Does this sound like your story? You see pop-up ads from ash.coupbat.com while browsing sites that generally don’t advertise in pop-up windows. The pop-ups manage to circumvent the built-in pop-up blockers in Google Chrome, Mozilla Firefox, Internet Explorer or Safari. Perhaps the ash.coupbat.com pop-ups appear when clicking search results from Google? Or do the pop-ups appear even when you’re not browsing?

Here’s what the ash.coupbat.com pop-up looked like when I got it on my computer:

ash.coupbat.com ad

 

(Sorry for the ridiculous use of watermarking. If I don’t add them my screenshots always show up at some copy-cat blogs.)

If this description sounds like what you are seeing, you almost certainly have some adware installed on your machine that pops up the ash.coupbat.com ads. So don’t send angry emails to the site you were browsing; the ads are presumably not coming from them, but from the adware on your machine. I’ll try to help you remove the ash.coupbat.com pop-ups in this blog post.

If you have been spending some time on this blog you already know this, but if you are new: Recently I dedicated a few of my lab machines and purposely installed a few adware programs on them. I’ve been monitoring the actions on these systems to see what kinds of advertisements are displayed. I’m also looking at other interesting things such as whether the adware updates itself, or whether it installs additional unwanted software on the systems. I first noticed the ash.coupbat.com pop-up on one of these lab machines.

So, how do you remove the ash.coupbat.com pop-up ads? On the machine where I got the ash.coupbat.com ads I had TinyWallet, BrowserWarden and BlockAndSurf installed. I removed them with FreeFixer and that stopped the ash.coupbat.com pop-ups and all the other ads I was getting in Firefox.

BlockAndSurf was the adware that caused the pop-ups in my case. I could see this since it was kind enough to label the pop-up ad with “Ads by BlockAndSurf”:

Ads by BlockAndSurf pop-up

What label did your pop-up ad have? Please share in the comments area.

The issue with this type of pop-up is that it can be launched by many variants of adware. I think that adware such as NewPlayer, CheckMeUp, Salus and SaferSurf can also be responsible for the ash.coupbat.com popups. And there are probably other variants too. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

Anyway, here’s my suggestion for the ash.coupbat.com ads removal:

The first thing I would do to remove the ash.coupbat.com pop-ups is to examine the software installed on the machine, by opening the “Uninstall programs” dialog. You can find this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows Operating System you can just type in “uninstall” in the Control Panel’s search field to find that dialog:
Uninstall a program search

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Uninstall a program dialog

Do you see something strange-looking in there or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if some program was installed about the same time as you started observing the ash.coupbat.com pop-ups.
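The “Installed On” check can also be scripted. The following PowerShell is an added example, not part of the original post: it reads the same uninstall entries the dialog shows and flags programs installed close to the day the pop-ups began. The date and the seven-day window are constructed sample values, and the name list is simply the adware named in these posts.

```powershell
# Added example: list installed programs newest first, the scripted
# equivalent of sorting on the "Installed On" column.
$firstSeen  = Get-Date '2014-11-10'   # constructed sample: day the pop-ups started
$windowDays = 7                       # assumption: how close counts as "about the same time"

# Adware names mentioned in these blog posts (not a complete list)
$named = 'TinyWallet', 'PriceHorse', 'BrowserWarden', 'BlockAndSurf',
         'NewPlayer', 'CheckMeUp', 'Salus', 'SaferSurf'

# Per-machine (64- and 32-bit) and per-user uninstall entries
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    ForEach-Object {
        $name = $_.DisplayName
        $raw  = [string]$_.InstallDate
        $date = $null
        # InstallDate is optional; when present it is normally yyyyMMdd
        if ($raw -match '^\d{8}$') {
            $date = [datetime]::ParseExact($raw, 'yyyyMMdd',
                        [cultureinfo]::InvariantCulture)
        }
        [pscustomobject]@{
            InstalledOn    = $date
            Name           = $name
            Publisher      = $_.Publisher
            NearFirstPopup = ($date -and
                [math]::Abs(($date - $firstSeen).TotalDays) -le $windowDays)
            NamedInPosts   = [bool]($named | Where-Object { $name -like "*$_*" })
        }
    } |
    Sort-Object InstalledOn -Descending |
    Format-Table -AutoSize
```

Entries without an InstallDate value sort last and are never flagged as near the first pop-up, so review those by name and publisher.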

The next thing to check would be your browser’s add-ons. Adware often appears under the add-ons menu in Google Chrome, Mozilla Firefox, Internet Explorer, Safari or Opera. Is there something that looks suspicious? Anything that you don’t remember installing?
Firefox add-ons manager

I think most users will be able to identify and remove the adware with the two steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the adware. FreeFixer is a freeware tool that I’ve been developing since 2006. It’s a tool designed to manually identify and uninstall unwanted software. When you’ve found the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.

FreeFixer’s removal feature is not locked like many other removal tools out there. It won’t ask you to pay a fee just when you are about to remove the unwanted files.

And if you’re having difficulties determining if a file is clean or unsafe in the FreeFixer scan report, click on the More Info link for the file. That will open up your web browser with a page which contains more details about the file. On that web page, check out the VirusTotal report which can be quite useful:

FreeFixer More Info link example
An example of FreeFixer’s “More Info” links.

Are you a Mac or Linux user and get the ash.coupbat.com pop-ups? What did you do to stop the pop-up in your browser? Please share in the comments below. Thanks!

Did this blog post help you to remove the ash.coupbat.com pop-up ads? Please let me know, or tell me how I can improve this blog post.

Thank you!

Remove aff.couploss.com Pop-Up Ads

Did you just get a pop-up from aff.couploss.com and wonder where it came from? Did the aff.couploss.com ad appear to have been initiated from a web site that under normal circumstances doesn’t use aggressive advertising such as pop-up windows? Or did the aff.couploss.com popup show up when you clicked a link on one of the major search engines, such as Google, Bing or Yahoo?

aff.couploss.com popup

If this sounds like your story, it’s very likely that you have some unwanted advertising software on your computer. This type of software is often called adware. I’ll try to give you some advice on how to remove the aff.couploss.com pop-ups in this blog post which hopefully will help you to completely stop the popups.

In my case I had an adware called BlockAndSurf installed on my machine which I removed with FreeFixer. Problem solved. As a matter of fact, the pop-up was actually labeled with the adware name. What label did your pop-up have?

Ads by BlockAndSurf pop-up

But the problem is that this type of pop-up is popped up by other adware too, which makes it difficult to say exactly what should be removed.

I would start by checking the Add/Remove programs dialog for something suspicious, then check the browser’s add-on menu.

If you don’t find the adware there, try the FreeFixer removal tool. It’s a free tool that can help you track down and remove the adware. If you find something that looks suspicious in the scan result, click the More Info link to get a VirusTotal report.

FreeFixer More Info Links

What adware did you find on your machine? When you removed them, did that stop the aff.couploss.com pop-up ads?

Fileadventure – Fake Java Update – 38% Detection Rate

Hello! Just a short note on a publisher called Fileadventure.

Fileadventure publisher

If you have a Fileadventure file on your machine you may have noticed that Fileadventure is displayed as the publisher in the UAC dialog when double-clicking on the file. You can also look at the Fileadventure certificate and digital signature by looking under the Digital Signatures tab on the file’s properties. According to the certificate, Fileadventure is located in Kansas City, USA.

Fileadventure certificate

The problem here is that if setup.exe really was an installer file for Java, it would be digitally signed by Oracle America Inc. and not by some unknown company.

The Fileadventure file was promoted by adware that showed a pop-up in the browser saying “Your Java Version is Outdated”. The pop-up opened up a faked Java update site.

Your Java Version is Outdated

When I uploaded the Fileadventure file to VirusTotal, it came up with a 38% detection rate. The file is detected as Win32:IBryte-HL [PUP] by Avast, W32/A-138dbbfa!Eldorado by F-Prot, PUP.Optional.iBryte by Malwarebytes and AdKnowledge (fs) by VIPRE.

Fileadventure virustotal

Did you also find a Fileadventure file? Was it also promoted as a “Java Update”?

Thanks for reading.

CloudScout and CloudGuard.exe Removal Instructions

Just wanted to put up a short blog post before calling it a day. The post is about an adware called CloudGuard or CloudScout. If the CloudGuard adware is running on your system, you will see CloudGuard.exe in the Windows Task Manager, a new service called CloudScout starting the CloudGuard.exe process and name servers changed to 31.168.224.100 and 5.135.12.56. The software appears as CloudScout Parental Control in the Add/Remove programs dialog.

I’ll show how to remove CloudGuard in this blog post with the FreeFixer removal tool.

cloudguard.exe task manager

 

I’ve uploaded CloudGuard.exe to VirusTotal, but it was not detected by any of the scanners there. They probably will in the future.

CloudGuard is distributed by a strategy called bundling. Bundling means that a piece of software is included in other software’s installers. When I first found CloudGuard, it was bundled with a software download called FastPlayerPro. Here’s a screenshot from the cloudguard.me web site which shows the software is adware:

cloudguard adware

Generally, you can avoid bundled software such as CloudScout / CloudGuard by being careful when installing software and declining the bundled offers in the installer.

I’m sure you’d like to remove CloudScout, and that’s straightforward with FreeFixer. Select the CloudGuard files and settings, as shown in the screen dumps below, click Fix, and reboot your computer and the problem should be gone.

Check the CloudScout/CloudGuard.exe service for removal:
cloudscout service remove

and the CloudGuard.exe process:
cloudguard.exe remove

And restore your name server:

31.168.224.100 5.135.12.56 name servers

Hope that helped you with the removal.

Any idea how you got CloudGuard on your machine? Please share in the comments below. Thanks!

Hope you found this useful. Thanks for reading.

Update 2014-11-19: Now the DNS is changed to 31.168.224.106 and 5.135.12.52.

31.168.224.106 5.135.12.52 DNS
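
The three signs described in this post (the service, the CloudGuard.exe process and the changed name servers) can be checked in one pass. The PowerShell below is an added example, not part of the original post or of FreeFixer; it only reports and changes nothing. Matching services by the pattern `CloudScout|CloudGuard` is an assumption, since the post does not give the service's internal name.

```powershell
# Added example. Indicators are the ones the post names; the DNS list
# includes the addresses from the 2014-11-19 update.
$rogueDns    = '31.168.224.100', '5.135.12.56', '31.168.224.106', '5.135.12.52'
$namePattern = 'CloudScout|CloudGuard'   # assumption: matched loosely

# Services whose name, display name or binary path mentions the adware
$services = @(Get-CimInstance Win32_Service |
    Where-Object { "$($_.Name) $($_.DisplayName) $($_.PathName)" -match $namePattern } |
    Select-Object Name, DisplayName, State, StartMode, PathName)

# Running CloudGuard.exe processes (Get-Process takes the name without .exe)
$processes = @(Get-Process -Name 'CloudGuard' -ErrorAction SilentlyContinue |
    Select-Object Id, ProcessName, Path)

# Network adapters whose configured DNS servers include a listed address
$adapters = @(Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        $nic  = $_
        $hits = @($nic.DNSServerSearchOrder | Where-Object { $rogueDns -contains $_ })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Adapter     = $nic.Description
                DhcpEnabled = $nic.DHCPEnabled
                ListedDns   = $hits -join ', '
                AllDns      = $nic.DNSServerSearchOrder -join ', '
            }
        }
    })

"Matching services:   $($services.Count)"
$services  | Format-List
"Matching processes:  $($processes.Count)"
$processes | Format-List
"Adapters using the listed name servers: $($adapters.Count)"
$adapters  | Format-List
```

Run it again after the removal and reboot; all three counts should be zero. An adapter that still lists one of the addresses needs its DNS setting put back to your router's or ISP's servers, or to automatic.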

Remove Browser Guard – Uninstall Guide

Hello guys and gals. Did you just notice something called Browser Guard on your computer? If Browser Guard is installed on your computer, you will spot new add-ons installed in Mozilla Firefox and Internet Explorer called “Browser Guard 1.0” and “Browser Guard BHO” as shown in the screenshots below. Chrome seems to be unaffected by the adware 🙂 I’ll show how to remove Browser Guard in this blog post with the FreeFixer removal tool.

Here’s the add-on in Firefox:

Browser Guard 1.0 in Firefox

And here’s the Browser Guard add-on in Internet Explorer. The publisher says “Gratifying Apps”.

Browser Guard BHO by Gratifying Apps in Internet Explorer

BrowserGuard is bundled in other software’s installers. When I first found Browser Guard, it was bundled with an annoying piece of software called FastPlayerPro. It bundles a ton of unwanted programs. Generally, you can avoid bundled software such as Browser Guard by being careful when installing software and declining the bundled offers in the installer.

When I run into some new bundled software I always upload it to VirusTotal to check if the anti-viruses there find something. Of the 54 scanners, only 6 detected the file. Agnitum detects Browser Guard as PUA.SmartApps!, Antiy-AVL calls it GrayWare[AdWare:not-a-virus]/Win32.Agent and ESET-NOD32 detects it as a variant of Win32/AdWare.SmartApps.H.

browser guard virustotal

Since you probably want to remove Browser Guard, these are the files you should check for removal if you want to remove it with FreeFixer. You may have to reboot your computer to complete the removal.

BrowserGuard Internet Explorer remove browser guard remove

Hope that helped you with the removal.

Do you also have Browser Guard on your system? Any idea how it was installed? Please share in the comments below. Thank you!

Hope you found this useful. Thanks for reading.

Remove tikotin.com from Chrome

Are you having the problem that tikotin.com appears as the start page in Google Chrome when you start it from the desktop icon?

Here’s how tikotin.com showed up in my Chrome browser:

tikotin.com start page chrome

You can easily remove tikotin.com from Chrome with FreeFixer. Just select the following item in the scan result:

Remove tikotin.com from Chrome

If you are having the same problem, but in Internet Explorer or Mozilla Firefox, FreeFixer can fix that problem as well.

Thanks for reading. Any idea how you got tikotin.com on your machine?

 

Remove sendapplicationget.com from Google, Bing and Yahoo Search Results

If you hover the mouse over the links on the Google, Yahoo and Bing search results, does sendapplicationget.com appear in the status area of the browser as shown in the screenshots below? Then you have some adware installed on your machine. I’ll show how to remove the sendapplicationget.com links in this blog post.

sendapplicationget.com links Yahoo sendapplicationget.com links Google sendapplicationget.com links Bing

I got the sendapplicationget.com links in Firefox, but they can appear if you are browsing with Chrome and Internet Explorer too.

I’ve seen s2.sendapplicationget.com, s3.sendapplicationget.com and s4.sendapplicationget.com show up, but I guess you might spot the following too:

  • s1.sendapplicationget.com
  • s5.sendapplicationget.com
  • s6.sendapplicationget.com
  • s7.sendapplicationget.com
  • s8.sendapplicationget.com

On the machine where I got the sendapplicationget.com links, I had the TinyWallet and BlockAndSurf adware installed. I removed these two with the FreeFixer removal tool, and the problem was solved.

I think that the sendapplicationget.com links can appear due to other adware as well.

If you like you can use FreeFixer to track down the unwanted software on your machine. If you are having difficulties when determining if a file is safe or malware in FreeFixer’s scan result, please try the More Info links that appear for each file. That will open up a web page with some additional information that can be useful, such as a scan report from VirusTotal:

freefixer-more-info-skype_setup
FreeFixer’s More Info links.

What adware did you remove to stop the sendapplicationget.com links?

It seems that the sendapplicationget.com web site received quite a lot of clicks starting from August. Just check out the traffic rank:

sendapplicationget.com alexa

 

Sanflex – 33% Detection Rate – WebInstallBundle, DownloadAdmin and Artemis

Hello! Just a quick post on a file named installer_adobe_flash_player_Swedish.exe signed by Sanflex. The following screenshot shows the User Account Control dialog when running the Sanflex file:

Sanflex publisher

By looking at the certificate we can see that Sanflex appears to be located in San Francisco, United States of America.

Sanflex certificate

The problem here is that if installer_adobe_flash_player_Swedish.exe really was a setup file for the official Adobe Flash Player, it would be digitally signed by Adobe Systems Incorporated and not by some unknown company. This looks very suspicious.
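
The publisher check used in this post and in the Fileadventure post above can be scripted with PowerShell's `Get-AuthenticodeSignature`. This is an added example, not code from the original posts; the function name `Test-ClaimedPublisher` and the publisher patterns are assumptions, and the patterns are deliberately loose because the punctuation in a certificate's name can differ from how the posts write it.

```powershell
# Added example: compare the Authenticode signer of a download with the
# vendor the file claims to come from.
function Test-ClaimedPublisher {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedPublisherPattern
    )

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $cert   = $sig.SignerCertificate
    $signer = $null
    if ($cert) {
        # Common name of the signer, as shown as "publisher" in the UAC dialog
        $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $signer   = $cert.GetNameInfo($nameType, $false)
    }

    [pscustomobject]@{
        File             = Split-Path $Path -Leaf
        SignatureStatus  = $sig.Status        # Valid, NotSigned, HashMismatch, ...
        Signer           = $signer
        Subject          = if ($cert) { $cert.Subject } else { $null }
        # A valid signature only says who signed the file; the signer must
        # also be the vendor the file claims to come from.
        PublisherMatches = ($sig.Status -eq 'Valid' -and
                            $signer -match $ExpectedPublisherPattern)
    }
}

# File names are the ones from these posts; adjust the paths to where the
# downloads were saved. Files that are not present are skipped.
$checks = @(
    @{ Path = '.\setup.exe';                                Expected = 'Oracle America' },
    @{ Path = '.\installer_adobe_flash_player_Swedish.exe'; Expected = 'Adobe Systems' }
)

foreach ($c in $checks) {
    if (Test-Path $c.Path) {
        Test-ClaimedPublisher -Path $c.Path -ExpectedPublisherPattern $c.Expected |
            Format-List
    }
}
```

For the files described in these posts the expected result is a signature that verifies but a `Signer` of Fileadventure or Sanflex, so `PublisherMatches` is False.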

If you are considering running the Sanflex-signed file, I advise you not to. Delete it instead. Just check out the detection list from some of the anti-virus programs. Big thanks to VirusTotal for the scan result.

Sanflex virustotal

F-Secure detects installer_adobe_flash_player_Swedish.exe as Adware:W32/WebInstallBundle, Fortinet reports Riskware/DownloadAdmin, Malwarebytes classifies it as PUP.Optional.DownloadAdmin and McAfee detects it as Artemis.

Did you also find a Sanflex file? What kind of download was it?

Thanks for reading.