Category Archives: adware

Remove Fruit Basket – FruitBasket Removal Instructions

Just wanted to write a short blog post before going back to programming. As usual I was looking around on the Internet to see what is being bundled with some software downloads. This time I found something called Fruit Basket. Fruit Basket seems to be a variant of BrowseFox that I blogged about previously. If Fruit Basket is installed and running on your computer, you will see a new add-on called FruitBasket added into Firefox and Internet Explorer.

Fruit Basket firefox add-on

 

I didn’t see anything added into Google Chrome. Did FruitBasket install into Chrome on your machine?

I’ll show how to remove Fruit Basket in this blog post with the FreeFixer removal tool.

Fruit Basket is bundled in other software’s installers.

When I stumble upon some new bundled software I normally upload it to VirusTotal to verify if the anti-malware scanners there detect anything interesting. 20 of the scanners detected the file. Some of the detection names for Fruit Basket are ADWARE/BrowseFox.Gen2, W32/S-f64f6ec1!Eldorado, Gen:Variant.Adware.Mikey, Gen:Variant.Adware.Mikey.11547 and AdWare.MSIL.Agent.

FruitBasket anti-virus report

Removing Fruit Basket is straightforward with FreeFixer. Just select the Fruit Basket files/settings for removal and then click the Fix button and the problem will be solved.

remove FruitBasket firefox remove Fruit Basket ie

Hope this helped you remove the Fruit Basket adware.

Do you also have Fruit Basket on your machine? Any idea how it installed? Please let me and the readers know by posting a comment. Thank you very much!

Thank you for reading and welcome back.

Remove PriceMinus – “Ads by PriceMinus” Removal

Welcome! Just a quick post on the PriceMinus adware. PriceMinus seems to be a variant of SalePlus that I blogged about some time ago. If PriceMinus is running on your computer, you will notice ads labeled “Ads by PriceMinus” inserted into Google search results and on other web sites.

Ads by PriceMinus on web site Ads by PriceMinus on Google

You will also see new add-ons installed into Firefox and Internet Explorer. In my case, it was called PriceMinus 2.0.

PriceMinus 2.0 Firefox add-on

 

In my specific case, the installer file was digitally signed by Rodion Veresev. I’ve also seen Saul Perec signing PriceMinus installer files.

I’ll show how to remove PriceMinus in this blog post with the FreeFixer removal tool.

PriceMinus is bundled in other software’s installers. Here’s how it appeared in the installer:

PriceMinus installer

Generally, you can avoid bundled software such as PriceMinus by being careful when installing software and declining the bundled offers in the installer.

Here’s a screenshot of the adware’s web site, priceminus.info:

priceminus.info web site

Another program, called BestAdBlocker was also bundled side by side with PriceMinus. You probably want to remove BestAdBlocker too.

When I run into some new bundled software I always upload it to VirusTotal to see if the anti-malware programs there detect something suspicious. 36 of the 56 scanners detected the file. ClamAV classifies PriceMinus as Win.Trojan.Multiplug-3213, F-Secure calls it Gen:Variant.Application.Zusy, GData detects it as Gen:Variant.Application.Zusy.139555, Malwarebytes calls it PUP.Optional.MultiPlug.A and TrendMicro reports TROJ_GEN.R08NC0EE515.

PriceMinus anti-virus report

All you need to do to remove PriceMinus is to check the PriceMinus files in the scan result and click the Fix button. You may have to restart your machine to complete the removal. Just select the PriceMinus files as shown in the screenshots below.

PriceMinus remove ie PriceMinus remove firefox

Hope this helped you remove the PriceMinus adware.

Do you also have PriceMinus on your computer? Any idea how it was installed? Please let me and the readers know by posting a comment. Thank you!

Thanks for reading. Welcome back!

How To Remove consumer-responses.com Pop-Up Surveys

Are you getting pop-up surveys from consumer-responses.com while browsing on sites that typically don’t advertise in pop-up windows or by opening new tabs? Do the pop-ups manage to escape the built-in pop-up blockers in Google Chrome, Mozilla Firefox, Internet Explorer or Safari?

Here’s what the consumer-responses.com survey looked like when I got it on my computer:

consumer-responses.com pop-up

If this sounds like your experience, you probably have some adware installed on your system that pops up the consumer-responses.com surveys. I’ll try to help you remove the consumer-responses.com pop-ups in this blog post.

If you have been visiting this blog you already know this, but if you are new: Some time ago I dedicated some of my lab machines and deliberately installed some adware programs on them. I’ve been monitoring the behaviour on these machines to see what kinds of advertisements are displayed. I’m also looking at other interesting things, such as whether the adware auto-updates or downloads additional unwanted software onto the computers. I first found the consumer-responses.com pop-up on one of these lab computers.

Generally these survey pop-ups claim that they are “official” surveys from the web site you were currently browsing and that you will get a reward or have a chance of winning a prize by completing the survey. Sometimes they also claim that your feedback will be used to improve the web site you were visiting. Since I own the freefixer.com web site, I know the survey is 100% fake.

So, how do you remove the consumer-responses.com pop-up ads? On the machine where I got the consumer-responses.com ads I had GoSave, CheckMeUp and PennyBee installed. I removed them with FreeFixer and that stopped the consumer-responses.com pop-ups and all the other ads I was getting in Mozilla Firefox.

It seems that consumer-responses.com is getting quite a lot of traffic, based on Alexa’s traffic rank:

consumer-responses.com traffic rank

 

From the traffic graph we can see that the traffic has been booming since the beginning of November. consumer-responses.com was registered in July 2014, and the domain resolves to 8.29.137.208.

The issue with this type of pop-up is that it can be launched by many variants of adware. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

Anyway, here’s my suggestion for the consumer-responses.com ads removal:

The first thing I would do to remove the consumer-responses.com pop-ups is to examine the software installed on the machine, by opening the “Uninstall programs” dialog. You can reach this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows OS you can just type in “uninstall” in the Control Panel’s search field to find that dialog:
Uninstall a program search

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Uninstall a program dialog

Do you see something suspect listed there or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if something was installed at approximately the same time as you started seeing the consumer-responses.com pop-ups.

The next thing to check would be your browser’s add-ons. Adware often shows up under the add-ons dialog in Mozilla Firefox, Google Chrome, Internet Explorer or Safari. Is there anything that looks suspicious? Anything that you don’t remember installing?
Firefox add-ons manager

I think you will be able to track down and remove the adware with the two steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the adware. FreeFixer is a freeware tool that I started developing many years ago. It’s a tool built to manually identify and uninstall unwanted software. When you’ve identified the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.

FreeFixer’s removal feature is not crippled like many other removal tools out there. It won’t require you to purchase the program just when you are about to remove the unwanted files.

And if you’re having difficulties determining if a file is clean or malware in FreeFixer’s scan report, click on the More Info link for the file. That will open up your browser with a page which contains more information about the file. On that web page, check out the VirusTotal report which can be quite useful:

FreeFixer More Info link example
An example of FreeFixer’s “More Info” links.

Are you a Mac or Linux user and get the consumer-responses.com pop-ups? What did you do to stop the pop-up in your browser? Please share in the comments below. Thank you!

Did this blog post help you to remove the consumer-responses.com pop-up ads? Please let me know, or tell me how I can improve this blog post.

Thank you!

Remove “Ads by SalePlus” and “Ad by SalePlus”

Hello there guys and gals. This Saturday night I wanted to talk about an adware called SalePlus and give you some removal instructions. This seems to be a variant of UniSales that I’ve previously blogged about. If you have SalePlus running on your machine, you will notice ads labeled “Ads by SalePlus” or “Ad by SalePlus” inserted into web pages and new add-ons installed into Chrome, Firefox and Internet Explorer. I’ll show how to remove SalePlus in this blog post with the FreeFixer removal tool.

Ads by SalePlus on Google

Ads by SalePlus Ad by SalePlus

Removing SalePlus is pretty easy with FreeFixer. Just select the SalePlus files for removal and then click the Fix button and the problem will be solved.

Remove SalePlus Internet Explorer Remove SalePlus Firefox

You’ll need to remove the Chrome extensions manually from the Chrome settings page.

Hope that helped you to figure out how to do the removal.

Any idea how you got SalePlus on your computer? Please let me and the readers know by posting a comment. Thank you!

Thank you for reading.

SpeeditApp Ads Removal Instructions

Hi there. Found an adware called SpeeditApp tonight and wanted to give you some removal instructions. SpeeditApp appears to be a variant of Graftor. If SpeeditApp is running on your machine, you will see ads labeled SpeeditApp Ads appearing while searching at Google.

SpeeditApp ads google

I’ll show how to remove SpeeditApp in this blog post with the FreeFixer removal tool.

SpeeditApp is distributed by a method called bundling. Bundling means that a piece of software is included in other software’s installers. This is how SpeeditApp was disclosed in the installer when I found it.

SpeeditApp by Revizer

As always when I run into some new bundled software I uploaded it to VirusTotal to check if the anti-malware programs there detect anything interesting. Of the 57 scanners, 16 detected the file. The SpeeditApp files are detected as AddLyrics_r.ME by AVG, a variant of Win32/Adware.AddLyrics.DW by ESET-NOD32, Gen:Variant.Graftor.179236 by GData, Trj/Genetic.gen by Panda and Adware.AddLyrics/Variant by SUPERAntiSpyware.

You probably want to remove SpeeditApp. You can just select the SpeeditApp files in FreeFixer for removal. A restart of your computer may be required to complete the removal. Problem taken care of.

remove speeditapp ie

Hope that helped you with the removal.

Did you also find SpeeditApp on your computer? Any idea how it installed? Please share by posting a comment. Thank you!

Thanks for reading!

What is Primary Result? – 40% Anti-Virus Detection Rate

Hello guys and gals. Just a short post on an adware called Primary Result. Found this while reviewing some of the files recently submitted to FreeFixer. This is a BrowseFox variant.

Of the 57 anti-virus scanners at VirusTotal, 23 detected the file. The Primary Result files are detected as Adware.SwiftBrowse.CH by BitDefender, Tool.NetFilter.313 by DrWeb, W64/A-59c9c70a!Eldorado by F-Prot, HS_BROWSEFOX.SM by TrendMicro and HS_BROWSEFOX.SM by TrendMicro-HouseCall.

Primary Result anti-virus report

If you are using FreeFixer to remove Primary Result, just look for files digitally signed by Primary Result.

Do you also have Primary Result on your system? Any idea how it was installed? Please share your story in the comments below. Thank you very much!

Thank you for reading and welcome back.

Techsnab LLC – 16% Anti-Virus Detection Rate

Welcome! If you are a regular here on the FreeFixer blog, you know that I’ve been examining files that have a digital signature and bundle various types of potentially unwanted software. Today I found another publisher named Techsnab LLC that bundles some software.

Techsnab LLC certificate

To get more details on the publisher, you can view the certificate by right-clicking on the file, and looking under the Digital Signatures tab. According to the embedded certificate we can see that Techsnab LLC is located in Moscow, Russia and that the certificate is issued by COMODO Code Signing CA 2. This Techsnab certificate has been revoked:

Techsnab LLC revoked

16% of the scanners detected the file. The Game_of_Thrones_S04E02_HDTV_x264-2HD[ettv].exe file is detected as APPL/Techsnab.onemb by Avira, W32.HfsAdware.894E by Bkav, Trojan ( 004b5df41 ) by K7GW, Trojan.Win32.Techsnab.dossoy by NANO-Antivirus and GetPrivate (fs) by VIPRE.

Techsnab LLC anti-virus report

Did you also find a Techsnab LLC file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thanks for reading.

Jelbrus LLC from The Pirate Bay – 23% Anti-Virus Detection Rate – Strictor / Techsnab / HfsAdware

Welcome! Saturday night post this time 😉 Just wanted to let you know about a publisher called Jelbrus LLC. You may run into this download if you are visiting sites such as The Pirate Bay.

Jelbrus LLC make changes

Information about a digital signature and the certificate can also be found under the Digital Signature tab. According to the embedded certificate we can see that Jelbrus LLC seems to be located in Moscow in Russia and that the certificate is issued by Thawte Code Signing CA – G2.

Jelbrus LLC certificate

So what’s up with Jelbrus? The file I found is named Breaking_Bad_Season_1_Complete_720p.BRrip.Sujaidr_(pimprg)_.exe, so you might get the impression that this is a download for the famous TV-Series called Breaking Bad. It’s not.

Here’s what the Jelbrus installer looks like if you run the file:

Jelbrus LLC installer

When clicking the Next button a bunch of settings are changed and some files are added on your computer. Here’s the interesting stuff from a FreeFixer log:

FreeFixer v1.13 log
http://www.freefixer.com/

Scheduled tasks (39 whitelisted)
================================
Great Performance Ultimate, C:\Program Files (x86)\PrivateVPN\gpup.exe , signer: [unsigned]
Jelbrus Secure Web Task, C:\Program Files (x86)\Jelbrus Secure Web\jswtask.exe , signer: [unsigned]
Malware Cleaner, C:\Users\honeypotter\AppData\Roaming\1265.tmp.exe (file is missing)

Processes (42 whitelisted)
==========================
C:\Windows\mlwps.exe, signer: [unsigned]
C:\Users\HONEYP~1\AppData\Local\Temp\92.tmp.exe, signer: [unsigned]
C:\Program Files (x86)\Jelbrus Secure Web\privoxy.exe, signer: [unsigned]

Services (47 whitelisted)
=========================
Live Malware Protection, Live Malware Protection, c:\windows\mlwps.exe, signer: [unsigned]
PrivoxyService, Privoxy (PrivoxyService), c:\program files (x86)\jelbrus secure web\privoxy.exe, signer: [unsigned]

Recently created/modified files
===============================
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\mgwz.dll, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\privoxy.exe, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jsie.dll, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jswff.exe, signer: Jelbrus LLC [valid]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jsweb64.dll, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jswchromium64.exe, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jsweb.dll, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jswchromium.exe, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jswtask.exe, signer: [unsigned]
20 minutes, c:\Users\honeypotter\AppData\Local\Temp\92.tmp.exe, signer: [unsigned]
21 minutes, c:\Program Files (x86)\PrivateVPN\tasks.dll, signer: [unsigned]
21 minutes, c:\Users\honeypotter\AppData\Local\Temp\tasks.dll, signer: [unsigned]
21 minutes, c:\Program Files (x86)\PrivateVPN\gpup.exe, signer: [unsigned]
21 minutes, c:\Users\honeypotter\AppData\Local\Temp\580C.tmp.exe, signer: [unsigned]
23 minutes, c:\Users\honeypotter\AppData\Local\Temp\1716.tmp.exe, signer: [unsigned]
24 minutes, c:\Users\honeypotter\AppData\Local\Temp\6E23.tmp.exe, signer: [unsigned]

LAN Proxy Settings
==================
*=127.0.0.1:8118
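
An added example (not part of the original post, and not FreeFixer's own code): a small Python triage of the log format shown above. It flags unsigned binaries, binaries under AppData or Temp, entries whose target file is missing, and a LAN proxy set to loopback (8118 is Privoxy's default port, matching the privoxy.exe service in the log). The section layout is inferred from this one log, and the names parse_sections and triage are assumptions.

```python
import re

# Constructed sample: a subset of the lines from the FreeFixer log above.
SAMPLE_LOG = r"""Scheduled tasks (39 whitelisted)
================================
Malware Cleaner, C:\Users\honeypotter\AppData\Roaming\1265.tmp.exe (file is missing)

Processes (42 whitelisted)
==========================
C:\Windows\mlwps.exe, signer: [unsigned]
C:\Users\HONEYP~1\AppData\Local\Temp\92.tmp.exe, signer: [unsigned]

Recently created/modified files
===============================
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jswff.exe, signer: Jelbrus LLC [valid]

LAN Proxy Settings
==================
*=127.0.0.1:8118
"""

PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)", re.I)

def parse_sections(text):
    """Return {section title: [entry lines]}; a title is the line above a '===' rule."""
    blocks = re.findall(r"^(.+)\n=+\n((?:.+(?:\n|\Z))*)", text, re.M)
    return {re.sub(r"\s*\(\d+ whitelisted\)$", "", title): body.splitlines()
            for title, body in blocks}

def triage(text):
    """Return (section, item, reasons) for every entry worth a closer look."""
    findings = []
    for section, entries in parse_sections(text).items():
        for entry in entries:
            reasons, m = [], PATH_RE.search(entry)
            if section == "LAN Proxy Settings":
                item = entry  # format seen in the log: <protocol>=<host>:<port>
                if entry.split("=", 1)[-1].rsplit(":", 1)[0] in ("127.0.0.1", "localhost"):
                    reasons.append("proxy points at a local process")
            elif m:
                item = m.group(0)
                if entry.rstrip().endswith("signer: [unsigned]"):
                    reasons.append("unsigned")
                if any(d in item.lower() for d in ("\\appdata\\", "\\temp\\")):
                    reasons.append("user-writable directory")
                if "(file is missing)" in entry:
                    reasons.append("target file is missing")
            if reasons:
                findings.append((section, item, reasons))
    return findings

if __name__ == "__main__":
    for section, item, reasons in triage(SAMPLE_LOG):
        print(f"[{section}] {item}: {', '.join(reasons)}")
```

A validly signed file such as jswff.exe is not flagged by these checks; the signer name still has to be judged by hand.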

You will also see advertisements while browsing the web labelled “Ad by CouponDropDown”. Here are the “Ad by CouponDropDown” ads on Google:

Ad by CouponDropDown

So what do the anti-virus scanners at VirusTotal say about Jelbrus’ “Breaking Bad” file? The detection rate is 13/57. Gen:Variant.Strictor.75172, Jelbrus.3C0, Adware/Techsnab.9058, Jelbrus LLC (fs), W32.HfsAdware.307F and Gen:Variant.Strictor.75172 were some of the detection names.

Jelbrus LLC anti-virus report

Did you also find a Jelbrus LLC file? Did you also find it at The Pirate Bay?

Thank you for reading.

Remove SpadeCast Adware

Hello readers. Another day, another blog post. Did you just see something called SpadeCast on your machine? I just spotted SpadeCast while reviewing some of the latest submissions to FreeFixer’s database.

I first thought that this was a BrowseFox variant, based on how its file is named. But the anti-virus programs at VirusTotal detect it as “Adware.SpadeCast”. The detection rate is 9/53. Some of the detection names for SpadeCast are Adware.SpadeCast.A and Trojan.Win32.Generic!BT. I guess it could still be a BrowseFox variant.

SpadeCast anti-virus report

So, how about the removal? If you’d like to remove SpadeCast you can do so with the FreeFixer removal tool. Just select the files digitally signed by “SpadeCast”, click the Fix button, reboot, and the problem should be solved.

Hope that helped you with the removal.

Did you also find SpadeCast on your computer? Any idea how it installed? Please share by posting a comment. I’d like to install and test this on my lab machine.

Hope you found this useful. Thanks for reading.