Monthly Archives: November 2014

How To Remove AppEnable Ads

Hello guys and gals. Did something called AppEnable appear on your system? AppEnable appears to be a variant of CrossRider that I blogged about previously. If AppEnable is installed and running on your computer, you will spot a toolbar with YouTube, Twitter, eBay and Flickr links. I’ll show how to remove AppEnable in this blog post with the FreeFixer removal tool.

AppEnable google search

Here’s how AppEnable appears in Firefox and Internet Explorer:

AppEnable 1.0.1 firefox AppEnable Internet Explorer

Here’s a screenshot from the AppEnable EULA. It clearly shows that AppEnable is adware:

AppEnable eula

AppEnable is bundled in other software’s installers. When I first found AppEnable, it was bundled with a “Skype” download that was digitally signed by Astro Delivery.

AppEnable skype astro delivery

When I play around with some new bundled software I always upload it to VirusTotal to check if the anti-virus programs there find anything suspicious. Of the 51 scanners, 9 detected the file. AVG reports AppEnable as BrowseFox.F, F-Prot detects it as W32/A-0909c198!Eldorado and NANO-Antivirus classifies it as Trojan.Win32.BPlug.ddwtte.

AppEnable virustotal

Removing AppEnable is a piece of cake with FreeFixer. Just check the AppEnable files for removal and then click the Fix button and the problem will be solved.

AppEnable firefox remove AppEnable remove Internet Explorer

Hope this helped you solve the AppEnable problem.

Did you also find AppEnable on your machine? Any idea how it was installed? Please share by posting a comment. Thanks a bunch!

Thank you for reading and welcome back.

How To Remove TornTV

Did you just find something called TornTV on your machine? So did I. TornTV is added into Internet Explorer and Mozilla Firefox. You can remove it from the Add/Remove programs dialog from the Windows Control Panel or by checking the TornTV files for removal in FreeFixer.

TornTV has been around for some time but I noticed that it is being signed by a different certificate now. One of the files, TornTV.exe, is digitally signed by VASSANA KONGSOONGNERN, which appears to be an individual developer in Phuket, Thailand.

VASSANA KONGSOONGNERN

The Browser Helper Object, which is loaded into Internet Explorer, is signed by Kess Pess Games which according to the certificate is a company located in Nicosia, Cyprus.

pess kess games

Remove mwl.petuniasaucecockup.com Pop-Up Ads

Did a pop-up ad from mwl.petuniasaucecockup.com just appear while you were browsing, perhaps when clicking on a search result in one of the major search engines, such as Google, Bing or Yahoo? Did the built-in pop-up stoppers in Chrome, Firefox or Internet Explorer fail to block the mwl.petuniasaucecockup.com popup? If so, you most likely have some adware installed on your machine that pops up these ads. I’ll show how to remove the mwl.petuniasaucecockup.com pop-ups in this blog post.

mwl.petuniasaucecockup.com pop-up

If you have been reading this blog during the autumn you know that I’ve been playing around with some of the most common adware variants by installing them on a few of my lab machines and monitoring their behaviours. That’s where I found the mwl.petuniasaucecockup.com pop-up. On the machine where I found the pop-up I had installed the BlockAndSurf adware, so if you also have it on your computer, uninstall it and the mwl.petuniasaucecockup.com problems should be gone. As usual I tested removing mwl.petuniasaucecockup.com with FreeFixer, which worked without any hiccups. I always do that to make sure FreeFixer successfully removes the adware.

The problem with the mwl.petuniasaucecockup.com pop-ups is they can be caused by other adware variants, which makes it impossible to say exactly what should be removed on your computer to stop the popups.

To remove the mwl.petuniasaucecockup.com pop-ups I’d start looking in the “Uninstall Programs” dialog which can be found in the Windows Control Panel. Do you see something that you don’t remember installing? Do you see something that was installed about the same time as the mwl.petuniasaucecockup.com ads started to pop up? Tip: Sort on the “Installed On” column. You might need to do a few Google searches on the program names you find.

If that did not help, I would look in the add-ons menu in the browser to see if something suspicious is found. Do you also see something that you don’t remember installing?

If that still did not help you can try FreeFixer, which is a tool that I’ve developed for some time now. It’s a freeware tool that will help you identify and remove unwanted software from your computer. Basically, it scans lots of locations on your machine, such as browser add-ons, drivers, processes, search settings, etc. Then it removes safe items by using a whitelist, to reduce the number of items in the scan result. Sometimes it can be difficult to determine if an item FreeFixer has found is safe or malware, but the “More Info” links can most likely help you there. The More Info links in the scan result will, as the screenshot shows, open up a web page, which contains a VirusTotal report for the file you just clicked. That should probably help you sort the goodies from the baddies.

freefixer-more-info-blockandsurf

Hope this helped you remove the mwl.petuniasaucecockup.com pop-up ads. What adware did you remove to stop the mwl.petuniasaucecockup.com ads? Please share in the comments.

Remove dvj.eggnogthrushdeemster.com Pop-Up Ads

Did you just get pop-up ads from dvj.eggnogthrushdeemster.com? Did these pop-ups appear when browsing web sites that normally don’t show any pop-ups? Did the dvj.eggnogthrushdeemster.com pop-ups also manage to pass the pop-up killers that are built into Chrome, Firefox and Internet Explorer?

dvj.eggnogthrushdeemster.com pop-up

If so, I would say that the probability is high that you have some software installed on your machine that opens these pop-ups rather than that the pop-ups are initiated from the web site you were browsing. This type of software is often called adware. And adware was the reason I was getting the dvj.eggnogthrushdeemster.com pop-up ads. I’ll show how I removed the dvj.eggnogthrushdeemster.com pop-up ads in this blog post. Hopefully it will help you to stop the eggnogthrushdeemster.com ads too.

If you’ve been visiting this blog for the last two or three weeks or so, you are aware of how I catch these pop-up ads. If not, just a short recap: I’ve deliberately installed some adware on a few of my lab machines. From time to time I check what kinds of advertising the adware shows on the machine. That’s how I found the eggnogthrushdeemster.com pop-up.

On the lab machine where I was getting the dvj.eggnogthrushdeemster.com pop-up, I had installed the Safer-Surf and SmartOnes adware. After removing these adwares with FreeFixer, the dvj.eggnogthrushdeemster.com pop-up ads stopped. So, if you got any of these, removing them might solve the pop-up problem. But unfortunately, it may not, and the reason for that is that I think the dvj.eggnogthrushdeemster.com pop-up ads are opened by other adware variants too.

Here’s my suggested removal procedure for the dvj.eggnogthrushdeemster.com pop-ups:

  1. Open up the Uninstall Programs dialog from the Windows Control Panel. Do you see something suspicious there, that perhaps was installed about the same time as you started seeing the dvj.eggnogthrushdeemster.com pop-up ads? Do you see something that you don’t remember installing? Look into these to figure out if they should be removed.
  2. Check which add-ons you have installed in your browser. If you see something that you don’t remember that you installed, research it to see if it should be removed.
  3. If that did not solve the problem, you can try FreeFixer. It’s a tool that I’ve been working on for many years now, designed to help users manually track down and remove unwanted software. It’s a freeware tool and its features are not crippled like many other anti-malware tools that require you to pay for the program just when you are about to remove some unwanted files or settings. If you find FreeFixer useful, please help me spread the word by letting your friends know about it.

Tip: If you are having problems determining if a file in FreeFixer’s scan result is safe or if it should be removed, please test the More Info link to find out more about the file. The information page that is opened up in your web browser when clicking the link contains a VirusTotal report for the file, which can be very useful:

freefixer-more-info-skype_setup

Hope you found this useful.

What adware did you uninstall from your machine to stop the dvj.eggnogthrushdeemster.com pop-up ads?

Thanks for reading.

Remove HQ-Video-Pro-2.1cV02.11 Ads

Hello readers. Hope you are doing ok. Did you just spot something called HQ-Video-Pro-2.1cV02.11 on your system? HQ-Video-Pro-2.1cV02.11 appears to be a variant of CrossRider that I’ve written about before. If the HQ-Video-Pro-2.1cV02.11 adware is installed on your machine, you will notice ads labeled Visual Search Results and Powered by HQ-Video-Pro-2.1cV02.11 in Google’s search results. I’ll show how to remove HQ-Video-Pro-2.1cV02.11 in this blog post with the FreeFixer removal tool.

powered by HQ-Video-Pro-2.1cV02.11

Here it is in Firefox’ add-on menu:

HQ-Video-Pro-2.1cV02.11 firefox add-on

HQ-Video-Pro-2.1cV02.11 is distributed by a tactic called bundling. Bundling means that a piece of software is included in other software’s installers. When I first found HQ-Video-Pro-2.1cV02.11, it was bundled with a piece of software called FastPlayer.

Generally, you can avoid bundled software such as HQ-Video-Pro-2.1cV02.11 by being careful when installing software and declining the bundled offers in the installer.

When I find some new bundled software I always upload it to VirusTotal to verify if the anti-malware software there detects anything suspicious. The detection rate is 7/54. Some of the detection names for HQ-Video-Pro-2.1cV02.11 are Trojan.NSIS.GoogUpdate.dt, PUP.Optional.HQVideo.A and Crossrider (fs). The files are signed by “Radon Battery Technologies”.

hq-video-pro-virustotal

Removing HQ-Video-Pro-2.1cV02.11 is pretty easy with FreeFixer. This screen capture should help you along the way:

HQ-Video-Pro-2.1cV02.11 remove

You might have to restart your machine to complete the removal.

Hope that helped you to figure out how to do the removal.

Any idea how HQ-Video-Pro-2.1cV02.11 was installed on your computer? Please let me and the readers know by posting a comment. Thanks!

Hope you found this useful and thank you for reading.

Update 2014-11-04: Today another variant was released called HQ-Video-Pro-2.1cV03.11. I guess we will see more variants where just the version number is increased:

  • HQ-Video-Pro-2.1cV04.11 (Yeah, found 5th Nov 2014)
  • HQ-Video-Pro-2.1cV05.11 (Found on the 6th of November)
  • HQ-Video-Pro-2.1cV06.11
  • HQ-Video-Pro-2.1cV07.11 (Found 13th of November)
  • HQ-Video-Pro-2.1cV08.11
  • HQ-Video-Pro-2.1cV09.11
  • HQ-Video-Pro-2.1cV10.11 (Found 13th of November)
  • HQ-Video-Pro-2.1cV11.11
  • HQ-Video-Pro-2.1cV12.11
  • HQ-Video-Pro-2.1cV13.11
  • HQ-Video-Pro-2.1cV14.11 (Found 15th of Nov)
  • HQ-Video-Pro-2.1cV15.11 (Found 16th of Nov)
  • HQ-Video-Pro-2.1cV16.11 (Found 16th Nov)
  • HQ-Video-Pro-2.1cV17.11 (Found 17th Nov)
  • HQ-Video-Pro-2.1cV18.11 (Found 19th Nov)
  • HQ-Video-Pro-2.1cV19.11 (Found 20th Nov)
  • HQ-Video-Pro-2.1cV20.11
  • HQ-Video-Pro-2.1cV21.11
  • HQ-Video-Pro-2.1cV22.11
  • HQ-Video-Pro-2.1cV23.11 (Found 23 Nov)
  • HQ-Video-Pro-2.1cV24.11 (Found 24 Nov)
  • HQ-Video-Pro-2.1cV25.11
  • HQ-Video-Pro-2.1cV26.11
  • HQ-Video-Pro-2.1cV27.11
  • HQ-Video-Pro-2.1cV28.11 (Found 28 Nov)
  • HQ-Video-Pro-2.1cV29.11
  • HQ-Video-Pro-2.1cV30.11

Update 2014-11-13: Now the files are signed by Space Battleship Creative. They seem to be located in Nicosia, Cyprus.

Space Battleship Creative

Update 2014-11-19: Now the files are signed by Winston Project:

Winston Project

Update 2014-12-02: New naming convention:

  • HQ-Video-Pro-2.1cV01.12
  • HQ-Video-Pro-2.1cV02.12
  • HQ-Video-Pro-2.1cV03.12
  • HQ-Video-Pro-2.1cV04.12
  • HQ-Video-Pro-2.1cV05.12
  • HQ-Video-Pro-2.1cV06.12
  • HQ-Video-Pro-2.1cV07.12
  • HQ-Video-Pro-2.1cV08.12
  • HQ-Video-Pro-2.1cV09.12 (Found 9 Dec 2014)
  • HQ-Video-Pro-2.1cV10.12
  • HQ-Video-Pro-2.1cV11.12
  • HQ-Video-Pro-2.1cV12.12
  • HQ-Video-Pro-2.1cV13.12
  • HQ-Video-Pro-2.1cV14.12
  • HQ-Video-Pro-2.1cV15.12
  • HQ-Video-Pro-2.1cV16.12
  • HQ-Video-Pro-2.1cV17.12
  • HQ-Video-Pro-2.1cV18.12
  • HQ-Video-Pro-2.1cV19.12
  • HQ-Video-Pro-2.1cV20.12
  • HQ-Video-Pro-2.1cV21.12
  • HQ-Video-Pro-2.1cV22.12
  • HQ-Video-Pro-2.1cV23.12
  • HQ-Video-Pro-2.1cV24.12
  • HQ-Video-Pro-2.1cV25.12
  • HQ-Video-Pro-2.1cV26.12
  • HQ-Video-Pro-2.1cV27.12

Remove bxh.mulctsamsaracorbel.com Pop-Up Ads

Are you getting pop-ups from bxh.mulctsamsaracorbel.com while browsing in Chrome, Firefox or Internet Explorer? Do the pop-ups appear even though the built-in pop-up blocker in your browser is enabled? If that is the case, you probably have some sort of adware installed on your machine. This blog post will hopefully help you remove the bxh.mulctsamsaracorbel.com pop-up ads.

bxh.mulctsamsaracorbel.com pop-up

If you have been following me here on the blog you know that I’ve installed some adware on purpose on my lab machines and that I’m currently monitoring what kind of advertisements appear, the domain names of the pop-ups and other actions that the adware performs. The adware I have installed on this lab machine are TinyWallet, Browser Warden and BlockAndSurf. As you can see in the screenshot below, the bxh.mulctsamsaracorbel.com pop-up is labeled BlockAndSurf, so there we have the adware that was responsible for the pop-up on my machine. So, in my case, the BlockAndSurf removal stopped the bxh.mulctsamsaracorbel.com pop-ups.

bxh.mulctsamsaracorbel.com ads by BlockAndSurf

There’s a problem though. BlockAndSurf is not the only adware that launches the bxh.mulctsamsaracorbel.com pop-ups. If your pop-up is also labeled with the adware name, go ahead and uninstall it; that should solve the problem.

However, the pop-ups are not always nicely labeled like that, so you might have to get your hands dirty to track down the adware that pops up the ads. The Add/Remove programs dialog in the Windows Control Panel and your browser’s add-on menu are a good start when searching for suspicious software.

BlockAndSurf is a variant of an adware family, often referred to as “AddLyrics” by the anti-virus programs. I think that the pop-ups are opened by some of the other variants too, not just BlockAndSurf. I’ve seen the following labels on the bxh.mulctsamsaracorbel.com pop-up type: Salus, CheckMeUp, Safer-Surf and NewPlayer.

I did a search in FreeFixer’s library of files to dig up a few more AddLyrics variants. It’s possible that one of these could be responsible for the bxh.mulctsamsaracorbel.com ads:

  • TubeSaver
  • SuperLyrics
  • LyricXeeker
  • MarkKit
  • PassShow
  • PassWidget
  • Plus-HD
  • Re-markit
  • ViewPassword
  • Re-Markable
  • Better Mark-it
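The manual check these posts describe (open the installed-programs list, sort on “Installed On”, look for names you recognise from the lists above) can also be done from a PowerShell prompt. This is an added example, not FreeFixer code; the onset date and the window are placeholders to adjust, and matching the names from this post against the registered display names is an assumption that may miss or over-match.

```powershell
# Added example, not FreeFixer code. Read-only: it lists programs and removes nothing.
$PopupsStarted = [datetime]'2014-11-01'  # assumption: the day your pop-ups began
$WindowDays    = 7                       # assumption: what counts as "about the same time"

# Names taken from this post. The DisplayName an installer registers may differ,
# and short names such as "Salus" can also match unrelated software.
$pageNames = 'BlockAndSurf', 'Salus', 'CheckMeUp', 'Safer-Surf', 'NewPlayer',
             'TubeSaver', 'SuperLyrics', 'LyricXeeker', 'MarkKit', 'PassShow',
             'PassWidget', 'Plus-HD', 'Re-markit', 'ViewPassword', 'Re-Markable',
             'Better Mark-it'
$namePattern = ($pageNames | ForEach-Object { [regex]::Escape($_) }) -join '|'

# The registry locations that back the installed-programs dialog.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$programs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    ForEach-Object {
        $entry     = $_
        $installed = $null
        # InstallDate is optional; installers that set it use a yyyyMMdd string.
        if ("$($entry.InstallDate)" -match '^\d{8}$') {
            try {
                $installed = [datetime]::ParseExact("$($entry.InstallDate)", 'yyyyMMdd',
                    [cultureinfo]::InvariantCulture)
            } catch { $installed = $null }   # impossible date: treat as unknown
        }
        [pscustomobject]@{
            NearOnset   = [bool]($installed -and
                [math]::Abs(($installed - $PopupsStarted).TotalDays) -le $WindowDays)
            NameOnPage  = $entry.DisplayName -match $namePattern
            InstalledOn = $installed
            DisplayName = $entry.DisplayName
            Publisher   = $entry.Publisher
        }
    }

# Newest first, like sorting on the "Installed On" column.
$programs | Sort-Object InstalledOn -Descending |
    Format-Table NearOnset, NameOnPage, InstalledOn, DisplayName, Publisher -AutoSize
```

Rows with `NearOnset` or `NameOnPage` set are the ones to research first; an entry without an install date is not cleared by this check.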

If that does not help, you can try FreeFixer, a tool that I’m working on that assists users to track down and remove unwanted software. It’s a freeware tool. Tip: if you have difficulties determining if a file in FreeFixer’s scan result is legitimate or malware, click on the More Info links. That will bring up the file information page, which contains useful information about the file, such as a VirusTotal report for the file.

Screenshot: FreeFixer’s “More Info” links open the file information page with a VirusTotal report.

Please let me know if you managed to track down what caused the bxh.mulctsamsaracorbel.com pop-ups in your case. What adware did you uninstall from your machine? Your comment will help other users in the same situation.

Thanks for reading, and welcome back to the blog.

Liquidbuild detected as Kazy, iBryte and Optimum Installer

Hi there! Just a quick Sunday post on a file named flashplayerpro_Setup.exe signed by Liquidbuild that I found while reviewing some files submitted to the FreeFixer database of files. The problem is that flashplayerpro_Setup.exe is not an official Flash Player download. If it was, it should be digitally signed by Adobe Systems Incorporated.

When I uploaded the Liquidbuild file to VirusTotal, it came up with a 28% detection rate. The file is detected as Adware/iBryte.bxow by Avira, Gen:Variant.Kazy.466717 by BitDefender, Gen:Variant.Kazy.466717 by F-Secure and Optimum Installer (fs) by VIPRE. It’s probably better to stay away from this file.
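The signer comparison described above can be checked directly in PowerShell. This is an added example, not FreeFixer code: `Test-ExpectedSigner` is a hypothetical helper name and the file path is an assumption, while the file name and the expected publisher string come from this post. The adware in these posts is digitally signed too, so the check compares who signed the file with who should have signed it instead of stopping at whether a signature exists.

```powershell
# Added example, not FreeFixer code. Test-ExpectedSigner is a hypothetical helper.
function Test-ExpectedSigner {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [string] $ExpectedPublisher
    )
    # Status is Valid, NotSigned, HashMismatch, NotTrusted, ...
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    # Simple name of the certificate subject (normally the CN), if the file is signed.
    $signer = $null
    if ($cert) {
        $signer = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    }

    [pscustomobject]@{
        File            = $Path
        Status          = $sig.Status
        Signer          = $signer
        Thumbprint      = if ($cert) { $cert.Thumbprint } else { $null }
        # Both conditions must hold: the signature verifies AND the name is the expected one.
        MatchesExpected = ($sig.Status -eq 'Valid') -and ($signer -eq $ExpectedPublisher)
    }
}

# File name and publisher string come from the post; the path is an assumption.
Test-ExpectedSigner -Path '.\flashplayerpro_Setup.exe' -ExpectedPublisher 'Adobe Systems Incorporated'
```

A name match is weaker than comparing the thumbprint with one obtained from the publisher, since the name is only as trustworthy as the issuing CA's vetting.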

Liquidbuild virustotal report

Did you also find a Liquidbuild file?

Thanks for reading.

How To Remove SitezExpert

Just found another bundled Firefox add-on called SitezExpert 2.4.

SitezExpert 2.4

If you’d like to remove SitezExpert, you can do so from Firefox’ add-on menu or use FreeFixer to remove it.

The SitezExpert add-on has recently been added to Firefox’ block list:

https://bugzilla.mozilla.org/show_bug.cgi?id=1073810

According to the bug database, all the following add-ons are variants of the same adware:

Have a nice day!