Monthly Archives: February 2015

Remove api.crtinv.com From Chrome, Firefox and Internet Explorer

This page shows how to remove api.crtinv.com from Mozilla Firefox, Google Chrome and Internet Explorer.

Did you just interrupt your work because you noticed a connection to api.crtinv.com in your browser?

Here is how api.crtinv.com showed up in the network log on my computer:

api.crtinv.com connection

The crtinv.com connection appeared while I did a Google search.

Here are some of the status bar messages you may see in your browser’s status bar:

  • Waiting for api.crtinv.com…
  • Transferring data from api.crtinv.com…
  • Looking up api.crtinv.com…
  • Read api.crtinv.com
  • Connected to api.crtinv.com…

If this sounds like what you see on your system, you almost certainly have some adware installed on your computer that makes the api.crtinv.com domain appear in your web browser. So there’s no point in contacting the owner of the site you were browsing. The api.crtinv.com status bar notifications are not coming from them. I’ll do my best to help you remove the api.crtinv.com message in this blog post.

I found api.crtinv.com on one of the lab computers where I have some adware running. I’ve talked about this in some of the previous blog posts. The adware was installed on purpose, and from time to time I check if something new has appeared, such as pop-up windows, new tabs in the browsers, injected ads on websites that usually don’t show ads, or if some new files have been saved to the hard drive.

Both api.crtinv.com and crtinv.com resolve to the 8.25.35.149 IP address. Domains By Proxy LLC protects the information about the owner.

So, how do you remove api.crtinv.com from your web browser? On the machine where api.crtinv.com showed up in the status bar I had Taplika and Clock Hand installed. I removed them with FreeFixer and that stopped the browser from loading data from api.crtinv.com.

The problem with this type of status bar message is that it can be caused by many variants of adware. This makes it impossible to say exactly what you need to remove to stop the status bar messages.

Anyway, here’s my suggestion for the api.crtinv.com removal:

The first thing I would do to remove api.crtinv.com is to examine the programs installed on the machine, by opening the “Uninstall programs” dialog. You can open this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows you can just type in “uninstall” in the Control Panel’s search field to find that dialog:
Uninstall a program search

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Uninstall a program dialog

Do you see something suspicious in there or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if something was installed at about the same time as you started observing the api.crtinv.com status bar messages.

The next thing to check would be your browser’s add-ons. Adware often appears under the add-ons dialog in Mozilla Firefox, Google Chrome, Internet Explorer or Safari. Is there anything that looks suspicious? Something that you don’t remember installing?
Firefox add-ons manager

I think you will be able to track down and uninstall the adware with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the adware. FreeFixer is a freeware tool that I started developing about 8 years ago. FreeFixer is a tool built to manually find and remove unwanted software. When you’ve found the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.

FreeFixer’s removal feature is not locked like many other removal tools out there. It won’t require you to pay a fee just when you are about to remove the unwanted files.

And if you’re having issues deciding if a file is legit or adware in the FreeFixer scan report, click on the More Info link for the file. That will open up a web page which contains more details about the file. On that web page, check out the VirusTotal report which can be quite useful:

FreeFixer More Info link example
An example of FreeFixer’s “More Info” links.
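
The “Installed On” check from the first step can also be done from a PowerShell prompt. The following is an added example, not part of the original post or of FreeFixer: it reads the registry keys behind the “Uninstall a program” dialog and lists what was installed within a few days of the date the status bar messages started. The function names, the `$SymptomDate` and `$WindowDays` parameters and the sample date are assumptions made for illustration.

```powershell
# Added example (not from the original post): find programs installed close to
# the date the unwanted status bar messages or pop-ups first appeared.

function Get-InstalledProgram {
    # Registry locations that feed the "Uninstall a program" dialog:
    # 64-bit machine-wide, 32-bit machine-wide and per-user installs.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    foreach ($entry in Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue) {
        if (-not $entry.DisplayName) { continue }   # unnamed patches and components

        # InstallDate is optional; when present it is normally a yyyyMMdd string.
        $installed = $null
        $parsed    = [datetime]::MinValue
        if ([datetime]::TryParseExact([string]$entry.InstallDate, 'yyyyMMdd',
                [cultureinfo]::InvariantCulture,
                [System.Globalization.DateTimeStyles]::None, [ref]$parsed)) {
            $installed = $parsed
        }

        [pscustomobject]@{
            InstalledOn = $installed
            Name        = $entry.DisplayName
            Publisher   = $entry.Publisher
            # SystemComponent = 1 hides an entry from the Control Panel dialog,
            # so it is reported here instead of being filtered out.
            Hidden      = ($entry.SystemComponent -eq 1)
            Uninstall   = $entry.UninstallString
            RegistryKey = $entry.PSChildName
        }
    }
}

function Find-ProgramInstalledNear {
    param(
        [Parameter(Mandatory)] [datetime] $SymptomDate,   # hypothetical parameter
        [int] $WindowDays = 7                             # hypothetical parameter
    )
    $from = $SymptomDate.Date.AddDays(-$WindowDays)
    $to   = $SymptomDate.Date.AddDays($WindowDays)
    Get-InstalledProgram |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $from -and $_.InstalledOn -le $to } |
        Sort-Object InstalledOn -Descending
}

# Constructed sample date: the messages were first noticed around 14 February 2015.
Find-ProgramInstalledNear -SymptomDate '2015-02-14' -WindowDays 7 |
    Format-Table InstalledOn, Name, Publisher, Hidden -AutoSize

# Entries without an InstallDate cannot be placed in time; review them separately.
Get-InstalledProgram |
    Where-Object { -not $_.InstalledOn } |
    Sort-Object Name |
    Format-Table Name, Publisher, Hidden -AutoSize
```

Anything in either table that you do not recognise is a candidate for the uninstall step, using the `Uninstall` value or the Control Panel dialog.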

Did this blog post help you to remove api.crtinv.com? Please let me know, or tell me how I can improve this blog post.

Thank you!

Remove foxi180_c.tlscdn.com from Firefox, Chrome and Internet Explorer

This page shows how to remove foxi180_c.tlscdn.com from Mozilla Firefox, Google Chrome and Internet Explorer.

Did you just see foxi180_c.tlscdn.com in the status bar of your web browser and ask yourself where it came from? Or did foxi180_c.tlscdn.com show up while you search for something on one of the major search engines, such as the Google search engine?

The following are some of the status bar messages you may see in your browser’s status bar:

  • Waiting for foxi180_c.tlscdn.com…
  • Transferring data from foxi180_c.tlscdn.com…
  • Looking up foxi180_c.tlscdn.com…
  • Read foxi180_c.tlscdn.com
  • Connected to foxi180_c.tlscdn.com…

If this description sounds like what you are seeing, you almost certainly have some adware installed on your system that makes the foxi180_c.tlscdn.com domain appear in your browser. Contacting the site owner would be a waste of time. The foxi180_c.tlscdn.com status bar messages are not coming from them. I’ll try to help you remove the foxi180_c.tlscdn.com status bar messages in this blog post.

Those who have been spending some time on this blog already know this, but here we go: Some time ago I dedicated some of my lab machines and deliberately installed a few adware programs on them. I have been tracking the behaviour on these computers to see what kinds of advertisements are displayed. I’m also looking at other interesting things, such as whether the adware auto-updates, or if it downloads additional unwanted software on the computers. I first noticed foxi180_c.tlscdn.com in Mozilla Firefox’s status bar on one of these lab computers.

foxi180_c.tlscdn.com resolves to the 199.115.115.77 IP address. I’ve also seen similar domain names such as foxi180_f.tlscdn.com and foxi180_c0.tlscdn.com in use.

So, how do you remove foxi180_c.tlscdn.com from your browser? On the machine where foxi180_c.tlscdn.com showed up in the status bar I had CheckMeUp installed. I removed it with FreeFixer and that stopped the browser from loading data from foxi180_c.tlscdn.com.

The problem with status bar messages such as this one is that they can be caused by many variants of adware, not just the adware running on my computer. I think that adware such as NewPlayer, BlockAndSurf, SaferSurf and SpeedCheck can also be responsible for foxi180_c.tlscdn.com appearing in the web browser. And there are probably other variants too. This makes it impossible to say exactly what you need to remove to stop the status bar messages.

Anyway, here’s my suggestion for the foxi180_c.tlscdn.com removal:

  1. What software do you have installed if you look in the Add/Remove programs dialog in the Windows Control Panel? Something that you don’t remember installing yourself or that was recently installed?
  2. You can also check the browser add-ons. Same thing here, do you see something that you don’t remember installing?
  3. If that didn’t solve the problem, I’d recommend a scan with FreeFixer to manually track down the adware. FreeFixer is a freeware tool that I’m working on that scans your computer at lots of locations, such as browser add-ons, processes, Windows services, recently modified files, etc. If you want to get additional details about a file in the scan result, you can click the More Info link for that file and a web page will open up with a VirusTotal report which will be very useful to determine if the file is safe or malware:

    FreeFixer More Info link example
    An example of FreeFixer’s “More Info” links.

Did you find any adware on your machine? Did that stop foxi180_c.tlscdn.com? Please post the name of the adware you uninstalled from your machine in the comments below.

Thank you!

Avitzur Efrati Management Initiatives Ltd – 4% Anti-Virus Detection Rate – InstallCore

Hello! Hope you are doing well. I’m working from the local library today. Was looking for some downloads to play around with last night and found one, signed by Avitzur Efrati Management Initiatives Ltd. The file is named mozilla_firefox.exe.

Avitzur Efrati Management Initiatives Ltd

The Avitzur Efrati Management Initiatives Ltd certificate shows that the publisher is located in Petah Tikva, Israel.

The problem here is that if mozilla_firefox.exe really was an installer file for Mozilla Firefox, it would have been signed by Mozilla Corporation and not by some unknown company. Here’s what the authentic Mozilla Firefox looks like when you double-click on it. Notice that the “Verified publisher” says “Mozilla Corporation”.
Mozilla Corporation publisher
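
The same publisher comparison can be scripted for a whole download folder. This is an added example, not part of the original post or of FreeFixer: it reads each file’s Authenticode signature with `Get-AuthenticodeSignature` and flags installers whose file name implies one publisher while the certificate names another. The `Test-InstallerPublisher` function and the `$ExpectedPublisher` table are assumptions made for illustration; only the Firefox / Mozilla Corporation pair comes from the post.

```powershell
# Added example (not from the original post): compare the signer of each
# downloaded installer with the publisher that its file name implies.

# Constructed lookup table: file-name keyword -> publisher expected on the
# certificate. Extend it with the products you actually download.
$ExpectedPublisher = @{
    'firefox' = 'Mozilla Corporation'
}

function Test-InstallerPublisher {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [hashtable] $Expected = $ExpectedPublisher
    )
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate        # $null when the file is unsigned

    # SimpleName returns the certificate's display name (normally the CN),
    # for the subject ($false) or for the issuing CA ($true).
    $simple = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $signer = if ($cert) { $cert.GetNameInfo($simple, $false) } else { $null }
    $issuer = if ($cert) { $cert.GetNameInfo($simple, $true) }  else { $null }

    # Which publisher does the file name claim, if any?
    $fileName = [System.IO.Path]::GetFileName($Path).ToLowerInvariant()
    $claimed  = $null
    foreach ($keyword in $Expected.Keys) {
        if ($fileName.Contains($keyword)) { $claimed = $Expected[$keyword]; break }
    }

    $verdict = if ($sig.Status -eq 'NotSigned') {
        'Unsigned'
    } elseif ($sig.Status -ne 'Valid') {
        "Signature problem: $($sig.Status)"
    } elseif ($claimed -and $signer -ne $claimed) {
        # The case described in the post: the signature is valid, but it
        # belongs to a different company than the product's real publisher.
        "Publisher mismatch: expected '$claimed'"
    } elseif ($claimed) {
        'Publisher matches file name'
    } else {
        'Signed; no expected publisher known for this name'
    }

    [pscustomobject]@{
        File    = $fileName
        Status  = $sig.Status
        Signer  = $signer
        Issuer  = $issuer
        Verdict = $verdict
    }
}

# Check every .exe in the current user's Downloads folder.
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter *.exe -File |
    ForEach-Object { Test-InstallerPublisher -Path $_.FullName } |
    Format-Table File, Status, Signer, Issuer, Verdict -AutoSize
```

A `Valid` status only confirms who signed the file and that it has not been modified since; it says nothing about whether the software is wanted, which is why the signer name is compared as well.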

When I uploaded the file to VirusTotal – as I usually do when I find something that looks suspicious – only 4% of the scanners detected the file. The file is detected as Generic.C83 by AVG and a variant of Win32/InstallCore.WT potentially unwanted by ESET-NOD32.

Did you also find an Avitzur Efrati Management Initiatives Ltd file? What kind of download was it?

Thank you for reading.

Best Service (Fried Cookie Ltd) – Detected by 9% of the Anti-Virus Scanners

Hello readers! Bugging you with another of those Fried Cookie posts 🙂 This publisher is called Best Service (Fried Cookie Ltd). The suspicious file was named FlvPlayerSetup.exe.

Best Service Fried Cookie Ltd certificate

You can see the Best Service (Fried Cookie Ltd) certificate by looking under the Digital Signatures tab on the file’s properties. According to the certificate, Best Service (Fried Cookie Ltd) is located in Tel Aviv in Israel.

So, why did I put up this blog post? Well, the thing is that the Best Service (Fried Cookie Ltd) file is detected by some of the anti-malware scanners, according to VirusTotal. Avira classifies FlvPlayerSetup.exe as ADWARE/InstallCore.Gen, ESET-NOD32 reports a variant of Win32/InstallCore.WI potentially unwanted and VIPRE classifies it as InstallCore.b (fs).

Best Service virustotal

Did you also find a Best Service (Fried Cookie Ltd) file?

Thank you for reading.

Leading Funnel (Fried Cookie Ltd.) – 16% Detection Rate – InstallCore

Heya! I was playing around and testing some downloads last night and found a file digitally signed by Leading Funnel (Fried Cookie Ltd.).

Leading Funnel Fried Cookie Ltd certificate

To view more information about the certificate you can right-click on the file, then choose Properties and then select the Digital Signatures tab. According to the certificate we can see that Leading Funnel (Fried Cookie Ltd.) appears to be located in Tel Aviv and that the certificate is issued by GlobalSign CodeSigning CA – G2.

When I uploaded the file to VirusTotal – as I usually do when I find something that looks suspicious – 16% of the antivirus scanners detected the file. The file is detected as Application.Win32.FriedCookie.CIRK by Comodo, Trojan.InstallCore.53 by DrWeb, a variant of Win32/InstallCore.VM potentially unwanted by ESET-NOD32 and InstallCore (fs) by VIPRE.

Leading Funnel Fried Cookie Ltd. virustotal

Did you also find a Leading Funnel (Fried Cookie Ltd.) file? Do you remember where you downloaded it?

Thanks for reading.

Domains and hosting LLC – 35% Detection Rate – Amonetize / Strictor

Welcome! Just a short post on a publisher called Domains and hosting LLC.

Domains and hosting LLC pop up

If you have a Domains and hosting LLC file on your machine you may have noticed that Domains and hosting LLC is displayed as the publisher in the UAC dialog when double-clicking on the file.

Domains and hosting LLC certificate

It’s possible to view additional information about the certificate by right-clicking on the file, choosing Properties and then clicking on the Digital Signatures tab. According to the certificate we can see that Domains and hosting LLC is located in Vinnycya/Vinnycka, Ukraine and that the certificate is issued by COMODO RSA Code Signing CA.

35% of the scanners detected the file. Some of the detection names for the MediaPlayer__6741_i1466276160_il50790.exe file are Gen:Variant.Adware.Strictor.77177, PUA.Amonetize!, Trojan.Amonetize.441, not-a-virus:AdWare.Win32.Amonetize.zzl and PUP.Optional.Amonetize.

Domains and hosting LLC anti-virus report

Did you also find a file digitally signed by Domains and hosting LLC? What kind of download was it and where did you find it?

Thanks for reading.

How To Remove UniDeals Adware – Ads by UniDeals Removal

Just wanted to put up a short post before going to bed. I just found a new adware named UniDeals and wanted to give you some removal instructions. UniDeals appears to be a variant of UniSales that I’ve blogged about before. If UniDeals is installed on your computer, you’ll notice new add-ons installed into Firefox and Internet Explorer, called UniSales and YouTubeAdBlocker and a new extension installed into Chrome, with a name that appears to change with each install. I’ll show how to remove UniDeals in this blog post with the FreeFixer removal tool.

UniDeals firefox

I didn’t see any UniDeals ads on the machine, but if it uses the same labelling as UniSales, the ads will say “Ads by UniDeals”.

UniDeals is bundled with a number of downloads. Bundling means that software is included in other software’s installers. This is how UniDeals was disclosed in the installer when I found it.

UniDeals installer

Generally, you can avoid bundled software such as UniDeals by being careful when installing software and declining the bundled offers in the installer.

As usual when I stumble upon some new bundled software I uploaded it to VirusTotal to verify if the anti-virus scanners there find anything suspicious. Only 2 of the anti-malware scanners detected the UniDeals file. Avira reports UniDeals as ADWARE/MultiPlug.Gen4 and ESET-NOD32 calls it a variant of Win64/Adware.MultiPlug.F.

UniDeals VirusTotal

Hopefully the others will catch up in the next days.

All you need to do to remove UniDeals is to check the UniDeals files in the scan result and click the Fix button. A reboot of your machine may be required to complete the removal. Here are a few screenshots that should help you along the way:

UniDeals wunderlist chrome UniDeals remove internet explorer UniDeals remove firefox

Hope this helped you remove the UniDeals adware.

Do you also have UniDeals on your machine? Any idea how it was installed? Please share by posting a comment. Thank you very much!

Hope you found this useful and thank you for reading.

Remove .country “2015 Browser Survey” Pop Up Ads From Chrome, Firefox and Internet Explorer

Do you see a “2015 Browser Survey” survey from a .country domain while browsing websites that usually don’t advertise in pop-up windows? Do the survey pop-ups manage to bypass the built-in pop-up blockers in Chrome, Firefox, Internet Explorer or Safari? Perhaps the .country pop-ups appear when clicking search results from Google? Or do the surveys appear even when you’re not browsing?

Here is an example of what the “2015 browser survey” at a .country domain can look like:
.country 2015 browser survey pop-up ad

Typically, the web page appears in a new tab and shows a “2015 Browser Survey” and claims to give you a chance of winning something by completing the survey. In this case, it tempts you with Apple’s iMac, iPhone 6 or an iPad Air. The survey is also localised, poorly, which is good since it makes it easier to dismiss it. In my case, the survey is localised to Swedish. The above survey is from the lamptiger.country domain, but I’ve seen the same type of survey pop up from other domains. Here are a few:

etc. What .country domain did you see in the survey that popped up on your machine? Please let me and the readers know by posting a comment.

If you also see this on your machine, you probably have some adware installed on your computer that pops up the .country ads. So don’t write angry emails to the web site you were browsing; the ads are almost certainly not coming from them, but from the adware on your machine. I’ll try to help you with the .country survey removal in this blog post.

Those who have been following this blog already know this, but here we go: Not long ago I dedicated some of my lab machines and deliberately installed some adware programs on them. I’ve been tracking the behaviour on these computers to see what kinds of advertisements are displayed. I’m also looking at other interesting things, such as whether the adware updates itself automatically, or if it installs additional unwanted software on the computers. I first noticed the .country pop-up survey on one of these lab machines.

Who owns these .country domains? I don’t know. This is the registrant info from the WHOIS database:

Registrant ID: 283612-MMd1
Registrant Name: PrivacyDotLink Customer 302315
Registrant Organization: 
Registrant Street: PO Box 30485
Registrant City: Seven Mile Beach
Registrant State/Province: Grand Cayman
Registrant Postal Code: KY1-1202
Registrant Country: KY
Registrant Phone: +1.3457495465

So, how do you remove the .country pop-up surveys? On the machine where I got the .country ads I had TinyWallet, BlockAndSurf and BrowserWarden installed. I removed them with FreeFixer and that stopped the .country pop-ups and all the other ads I was getting in Mozilla Firefox.

The issue with pop-ups such as this one is that they can be popped up by many variants of adware. This makes it impossible to say exactly what you need to remove to stop the surveys.

So, what should be done to solve the problem? To remove the .country pop-up surveys you need to examine your system for adware or other types of unwanted software and uninstall it. Here’s my suggested removal procedure:

The first thing I would do to remove the .country pop-up surveys is to examine the software installed on the machine, by opening the “Uninstall programs” dialog. You can reach this dialog from the Windows Control Panel. If you are using one of the more recent versions of the Windows operating system you can just type in “uninstall” in the Control Panel’s search field to find that dialog:
Uninstall a program search

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Uninstall a program dialog

Do you see something dubious listed there or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if some program was installed at about the same time as you started seeing the .country pop-ups.

Then you can examine your browser add-ons. Adware often appears under the add-ons dialog in Firefox, Chrome, Internet Explorer or Safari. Is there anything that looks suspicious? Something that you don’t remember installing?
Firefox add-ons manager

I think you will be able to identify and remove the adware with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the adware. FreeFixer is a freeware tool that I started developing many years ago. It’s a tool designed to manually track down and uninstall unwanted software. When you’ve identified the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.

FreeFixer’s removal feature is not locked down like many other removal tools out there. It will not require you to pay for the program just when you are about to remove the unwanted files.

And if you’re having a hard time figuring out if a file is legit or malware in FreeFixer’s scan report, click on the More Info link for the file. That will open up a web page which contains more details about the file. On that web page, check out the VirusTotal report which can be very useful:

FreeFixer More Info link example
An example of FreeFixer’s “More Info” links.

Here’s a video guide showing how to remove pop-up ads with FreeFixer:

Did this blog post help you to remove the .country pop-up ads? Please let me know, or tell me how I can improve this blog post.

Thank you!

Remove selectgo.net Pop Up Windows

Did you just get a pop-up from selectgo.net and wonder where it came from? Did the selectgo.net ad appear to have been initiated from a web site that under normal circumstances doesn’t use aggressive advertising such as pop-up windows? Or did the selectgo.net pop-up show up while you clicked a link on one of the major search engines, such as Google, Bing or Yahoo?

Here’s a screenshot of the selectgo.net pop-up ad when it showed up on my machine:

selectgo.net pop up

I had some problems capturing a screenshot since the pop-up usually appeared quickly and then disappeared. At times, selectgo.net can also be seen in the status bar of the browser, saying “Waiting for static.selectgo00.selectgo.net”:

selectgo.net

Here’s a screenshot from when I captured selectgo.net in a network monitor:

static.selectgo00.selectgo.net

 

I’ve also spotted ad.selectgo00.selectgo.net in the network log.

If this sounds like what you see on your system, you most likely have some adware installed on your computer that pops up the selectgo.net ads. Contacting the owner of the web site would be a waste of time. They are not responsible for the ads. I’ll do my best to help you with the selectgo.net removal in this blog post.

I found the selectgo.net pop-up on one of the lab computers where I have some adware running. I’ve talked about this in some of the previous blog posts. The adware was installed on purpose, and from time to time I check if anything new has appeared, such as pop-up windows, new tabs in the browsers, injected ads on sites that usually don’t show ads, or if some new files have been saved to the hard drive.

selectgo.net was registered on 2013-08-06. selectgo.net resolves to the 108.174.149.154 IP address and static.selectgo00.selectgo.net to 54.230.193.85.

I’ve also seen the ad.selectgo00.selectgo.net (54.192.98.188) subdomain in use.

So, how do you remove the selectgo.net pop-up ads? On the machine where I got the selectgo.net ads I had TinyWallet, BlockAndSurf and BrowserWarden installed. I removed them with FreeFixer and that stopped the selectgo.net pop-ups and all the other ads I was getting in Mozilla Firefox.

The issue with pop-ups like this one is that it can be initiated by many variants of adware, not just the adware that’s installed on my computer. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

So, what can be done to solve the problem? To remove the selectgo.net pop-up ads you need to review your system for adware or other types of unwanted software and uninstall it. Here’s my suggested removal procedure:

  1. Examine what programs you have installed in the Add/Remove programs dialog in the Windows Control Panel. Do you see something that you don’t remember installing or that was recently installed?
  2. How about your browser add-ons? Anything in the list that you don’t remember installing?
  3. If that didn’t solve the problem, I’d recommend a scan with FreeFixer to manually track down the adware. FreeFixer is a freeware tool that I’m working on that scans your computer at lots of locations, such as browser add-ons, processes, Windows services, recently modified files, etc. If you want to get additional details about a file in the scan result, you can click the More Info link for that file and a web page will open up with a VirusTotal report which will be very useful to determine if the file is safe or malware:

    FreeFixer More Info link example
    An example of FreeFixer’s “More Info” links.

Here’s a video tutorial on how to remove the pop-ups with FreeFixer:

Did this blog post help you to remove the selectgo.net pop-up ads? Please let me know, or tell me how I can improve this blog post.

Thank you!

Remove superiends.org Pop Up Ads

Did you just get a pop-up from superiends.org and wonder where it came from? Did the superiends.org ad appear to have been popped up from a web site that under normal circumstances doesn’t use aggressive advertising such as pop-up ads? Or did the superiends.org pop-up show up while you clicked a link on one of the big search engines, such as Google, Bing or Yahoo?

Here’s what the superiends.org pop-up looked like when I got it on my machine:

superiends.org pop-up

If you also see this on your computer, you probably have some adware installed on your computer that pops up the superiends.org ads. So there’s no point in contacting the owner of the web site you were browsing. The ads are not coming from them. I’ll do my best to help you remove the superiends.org pop-up in this blog post.

I found the superiends.org pop-up on one of the lab machines where I have some adware running. I’ve talked about this in some of the previous blog posts. The adware was installed on purpose, and from time to time I check if something new has appeared, such as pop-up windows, new tabs in the browsers, injected ads on web sites that usually don’t show ads, or if some new files have been saved to the hard drive.

superiends.org was created on 2014-08-20. superiends.org resolves to the 104.28.6.50 IP address.

So, how do you remove the superiends.org pop-up ads? On the machine where I got the superiends.org ads I had TinyWallet, BrowserWarden and BlockAndSurf installed. I removed them with FreeFixer and that stopped the superiends.org pop-ups and all the other ads I was getting in Mozilla Firefox.

It seems that superiends.org is getting quite a lot of traffic, based on Alexa’s traffic rank:

superiends.org traffic rank

The issue with pop-ups like this one is that it can be initiated by many variants of adware, not just the adware running on my machine. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

To remove the superiends.org pop-up ads you need to review your machine for adware or other types of unwanted software and uninstall it. Here’s my suggested removal procedure:

The first thing I would do to remove the superiends.org pop-ups is to examine the programs installed on the machine, by opening the “Uninstall programs” dialog. You can open this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows you can just type in “uninstall” in the Control Panel’s search field to find that dialog:
Uninstall a program search

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Uninstall a program dialog

Do you see something suspicious listed there or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if something was installed at about the same time as you started seeing the superiends.org pop-ups.

Then I would check the browser add-ons. Adware often shows up under the add-ons dialog in Google Chrome, Mozilla Firefox, Internet Explorer, Safari or Opera. Is there something that looks suspicious? Something that you don’t remember installing?
Firefox add-ons manager

I think you will be able to find and uninstall the adware with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the adware. FreeFixer is a freeware tool that I started developing many years ago. It’s a tool designed to manually identify and remove unwanted software. When you’ve found the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.

FreeFixer’s removal feature is not locked like many other removal tools out there. It won’t require you to pay for the program just when you are about to remove the unwanted files.

And if you’re having trouble determining if a file is legitimate or adware in FreeFixer’s scan report, click on the More Info link for the file. That will open up a web page which contains additional information about the file. On that web page, check out the VirusTotal report which can be quite useful:

FreeFixer More Info link example
An example of FreeFixer’s “More Info” links.

Here’s a video tutorial which shows FreeFixer in action removing adware that caused pop-up ads:

Did this blog post help you to remove the superiends.org pop-up ads? Please let me know how I can improve this blog post.

Thank you!