Remove offers.adwingate.com Pop Up Ads Caused By Adware

Does this sound like what you are seeing right now? You see pop-up ads from offers.adwingate.com while browsing web sites that normally don’t advertise in pop-up windows. The pop-ups manage to escape the built-in pop-up blockers in Chrome, Firefox, Internet Explorer or Safari. Perhaps the offers.adwingate.com pop-ups appear when clicking search results from Google? Or do the pop-ups appear even when you’re not browsing?

Here is what the offers.adwingate.com ad looked like on my machine:

offers.adwingate.com pop up

If this sounds like what you see on your machine, you probably have some adware installed that pops up the offers.adwingate.com ads. Don’t send angry emails to the site you were browsing; the ads are almost certainly not coming from them, but from the adware on your system. I’ll do my best to help you remove the offers.adwingate.com pop-up in this blog post.

If you have been following this blog you already know this, but if you are new: Not long ago I dedicated a few of my lab systems and intentionally installed some adware programs on them. I’ve been tracking the behaviour on these machines to see what kinds of advertisements are displayed. I’m also looking at other interesting things, such as whether the adware updates itself or installs additional unwanted software on the systems. I first observed the offers.adwingate.com pop-up on one of these lab computers.

offers.adwingate.com resolves to 95.85.43.136.

So, how do you remove the offers.adwingate.com pop-up ads? On the machine where I got the offers.adwingate.com ads I had TinyWallet, BlockAndSurf and BrowserWarden installed. I removed them with FreeFixer and that stopped the offers.adwingate.com pop-ups and all the other ads I was getting in Mozilla Firefox.

The problem with pop-ups such as this one is that they can be initiated by many variants of adware, not just the adware running on my computer. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

So, what should be done to solve the problem? To remove the offers.adwingate.com pop-up ads you need to check your computer for adware or other types of unwanted software and uninstall it. Here’s my suggested removal procedure:

The first thing I would do to remove the offers.adwingate.com pop-ups is to examine the programs installed on the machine, by opening the “Uninstall programs” dialog. You can open this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows you can just type in “uninstall” in the Control Panel’s search field to find that dialog:
Uninstall a program search

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Uninstall a program dialog

Do you see something suspicious in there or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if some program was installed about the same time as you started seeing the offers.adwingate.com pop-ups.

Then you can examine your browser add-ons. Adware often appears under the add-ons menu in Google Chrome, Mozilla Firefox, Internet Explorer, Safari or Opera. Is there anything that looks suspicious? Anything that you don’t remember installing?
Firefox add-ons manager

I think most users will be able to identify and remove the adware with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the adware. FreeFixer is a freeware tool that I started developing many years ago. FreeFixer is a tool built to manually track down and uninstall unwanted software. When you’ve tracked down the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.

FreeFixer’s removal feature is not locked down like many other removal tools out there. It won’t require you to purchase the program just when you are about to remove the unwanted files.

And if you’re having problems determining if a file is safe or malware in FreeFixer’s scan result, click on the More Info link for the file. That will open up your web browser with a page which contains additional details about the file. On that web page, check out the VirusTotal report which can be quite useful:

FreeFixer More Info link example
An example of FreeFixer’s “More Info” links.

Did this blog post help you to remove the offers.adwingate.com pop-up ads? Please let me know, or tell me how I can improve this blog post.

Thank you!

Remove i_crbfjs_info.tlscdn.com from Firefox, Chrome and Internet Explorer

This page shows how to remove i_crbfjs_info.tlscdn.com from Mozilla Firefox, Google Chrome and Internet Explorer.

Having trouble with i_crbfjs_info.tlscdn.com showing up in the lower left corner of your web browser? If that is the case, you might have some potentially unwanted program installed on your machine. I noticed i_crbfjs_info.tlscdn.com in Mozilla Firefox’s status bar when doing a search at Google, but I guess i_crbfjs_info.tlscdn.com can show up if you are using Chrome, Internet Explorer, Safari or Opera too.

Here is what the i_crbfjs_info.tlscdn.com status bar message looked like on my computer:

i_crbfjs_info.tlscdn.com status bar

Here are some of the messages you may see in your browser’s status bar:

  • Waiting for i_crbfjs_info.tlscdn.com…
  • Transferring data from i_crbfjs_info.tlscdn.com…
  • Looking up i_crbfjs_info.tlscdn.com…
  • Read i_crbfjs_info.tlscdn.com
  • Connected to i_crbfjs_info.tlscdn.com…

If this sounds like what you are seeing on your computer, you presumably have some potentially unwanted program installed that makes the i_crbfjs_info.tlscdn.com domain appear in your browser. Don’t send angry emails to the site you were browsing; they are most likely not responsible for the i_crbfjs_info.tlscdn.com status bar messages. The potentially unwanted program on your machine is. I’ll do my best to help you remove the i_crbfjs_info.tlscdn.com message in this blog post.

If you have been following this blog you already know this, but if you are new: Recently I dedicated a few of my lab machines and intentionally installed a few potentially unwanted programs on them. I have been observing the actions on these machines to see what kinds of advertisements are displayed. I’m also looking at other interesting things, such as whether the potentially unwanted program auto-updates or downloads additional potentially unwanted programs on the systems. I first observed i_crbfjs_info.tlscdn.com in Mozilla Firefox’s status bar on one of these lab computers.

i_crbfjs_info.tlscdn.com resolves to the 108.59.4.164 IP address.

So, how do you remove i_crbfjs_info.tlscdn.com from your browser? On the machine where i_crbfjs_info.tlscdn.com showed up in the status bar I had TornTV installed. I removed it with FreeFixer and that stopped the browser from loading data from i_crbfjs_info.tlscdn.com.

The issue with status bar messages like the one described in this blog post is that they can be caused by many variants of potentially unwanted programs, not just the potentially unwanted program that’s installed on my machine. This makes it impossible to say exactly what you need to remove to stop the status bar messages.

Anyway, here’s my suggestion for the i_crbfjs_info.tlscdn.com removal:

The first thing I would do to remove i_crbfjs_info.tlscdn.com is to examine the programs installed on the machine, by opening the “Uninstall programs” dialog. You can find this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows OS you can just type in “uninstall” in the Control Panel’s search field to find that dialog:
Uninstall a program search

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Uninstall a program dialog

Do you see something suspect listed there or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if some program was installed about the same time as you started seeing the i_crbfjs_info.tlscdn.com statusbar messages.

The next thing to check would be your browser’s add-ons. Potentially unwanted programs often appear under the add-ons dialog in Mozilla Firefox, Google Chrome, Internet Explorer or Safari. Is there anything that looks suspicious? Something that you don’t remember installing?
Firefox add-ons manager

I think most users will be able to identify and remove the potentially unwanted program with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the potentially unwanted program. FreeFixer is a freeware tool that I started developing many years ago. It’s a tool built to manually identify and remove unwanted software. When you’ve tracked down the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.

FreeFixer’s removal feature is not crippled like many other removal tools out there. It will not require you to pay for the program just when you are about to remove the unwanted files.

And if you’re having problems determining if a file is legitimate or potentially unwanted in FreeFixer’s scan report, click on the More Info link for the file. That will open up your browser with a page which contains additional details about the file. On that web page, check out the VirusTotal report which can be very useful:

FreeFixer More Info link example
An example of FreeFixer’s “More Info” links.

Did this blog post help you to remove i_crbfjs_info.tlscdn.com? Please let me know, or tell me how I can improve this blog post.

Thank you!

LLC “HALKON PLYUS” – 4% Anti-Virus Detection Rate

Hello! If you’ve been following my recent posts here on the FreeFixer blog, you know that I’ve been looking at files that have a valid digital signature and bundle various types of potentially unwanted programs. A few days ago I found another publisher named LLC “HALKON PLYUS”.

LLC HALKON PLYUS

If you have an LLC HALKON PLYUS file on your computer you may have noticed that LLC HALKON PLYUS pops up as the publisher in the User Account Control dialog when running the file. To get more details on the publisher, you can view the certificate by right-clicking on the file, and looking under the Digital Signatures tab. According to the embedded certificate we can see that LLC “HALKON PLYUS” is located in Ternopil, Ukraine and that the certificate is issued by COMODO RSA Code Signing CA.

LLC HALKON PLYUS certificate

The reason for posting about LLC “HALKON PLYUS” is that the file is detected by a few of the anti-virus programs. Avast classifies MediaPlayer__6741_i1484416138_il59937.exe as Win32:Malware-gen and Avira detects it as ADWARE/Adware.Gen4.

LLC HALKON PLYUS anti-virus report

To see in more detail what changes the LLC “HALKON PLYUS” file would make on a user’s computer I decided to run the file on my lab machine. The installer bundled some additional software such as Wajam, PriceLess, TabNav and AnySend.

Did you also find a download that was signed by LLC “HALKON PLYUS”? What kind of download was it and was it detected by the anti-malware scanners at VirusTotal? Please share by posting a comment below.

Thanks for reading.

Tiki Taka – 25% Anti-Virus Detection – OutBrowse / Revenyou

Welcome! Just a short post before I call it a day. I found yet another interesting file. It was signed by Tiki Taka.

Tiki Taka uac

You may see Tiki Taka appear as the publisher when double-clicking on the Player.exe file. Viewing the certificate information is also possible by looking under the digital signature tab for the file. Here the certificate says that Tiki Taka is located in Dublin, Ireland.

Tiki Taka certificate

I decided to upload the Tiki Taka file to VirusTotal. 25% of the scanners detected the file. PUA/Outbrowse.Gen, Trojan.OutBrowse.68, Win32/OutBrowse.BU potentially unwanted, PUP.Optional.OutBrowse and OutBrowse Revenyou are some of the detection names.

Tiki Taka anti-virus report

Did you also find a Tiki Taka file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thank you for reading.

Remove jsl.infostatsvc.com From Firefox, Chrome and Internet Explorer

This page shows how to remove jsl.infostatsvc.com from Mozilla Firefox, Google Chrome and Internet Explorer.

Does this sound like what you are seeing right now? You see jsl.infostatsvc.com in your browser’s status bar while browsing web sites that generally don’t load any content from third party domains. Maybe the jsl.infostatsvc.com domain shows up when performing a search at the Google.com search engine?

Here is what the jsl.infostatsvc.com status bar message looked like on my computer while searching at my favourite search engine Google:

jsl.infostatsvc.com status bar

The following are some of the messages you may see in your browser’s status bar:

  • Waiting for jsl.infostatsvc.com…
  • Transferring data from jsl.infostatsvc.com…
  • Looking up jsl.infostatsvc.com…
  • Read jsl.infostatsvc.com
  • Connected to jsl.infostatsvc.com…

If this description sounds like your computer, you probably have some potentially unwanted program installed on your machine that makes the jsl.infostatsvc.com domain appear in your browser. So there’s no point in contacting the owner of the web site you were browsing. The jsl.infostatsvc.com status bar messages are not coming from them. I’ll do my best to help you with the jsl.infostatsvc.com removal in this blog post.

I found jsl.infostatsvc.com on one of the lab computers where I have some potentially unwanted programs running. I’ve talked about this in some of the previous blog posts. The potentially unwanted programs were installed on purpose, and from time to time I check if something new has appeared, such as pop-up windows, new tabs in the browsers, injected ads on websites that usually don’t show ads, or if some new files have been saved to the hard drive.

jsl.infostatsvc.com was created on 2013-07-23. jsl.infostatsvc.com resolves to the 70.186.131.246 IP address. The domain is protected by Domains By Proxy LLC.

If you are wondering if there are many others out there seeing jsl.infostatsvc.com in the browser, the answer is probably yes. Check out the traffic rank from Alexa:

infostatsvc.com traffic

The bad news with this type of status bar message is that it can probably be caused by many variants of potentially unwanted programs. This makes it impossible to say exactly what you need to remove to stop the status bar messages.

So, what can be done? To remove jsl.infostatsvc.com you need to examine your computer for potentially unwanted programs and uninstall them. Here’s my suggested removal procedure:

The first thing I would do to remove jsl.infostatsvc.com is to examine the programs installed on the machine, by opening the “Uninstall programs” dialog. You can open this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows you can just type in “uninstall” in the Control Panel’s search field to find that dialog:
Uninstall a program search

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Uninstall a program dialog

Do you see something shady in there or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if something was installed at about the same time as you started seeing the jsl.infostatsvc.com status bar messages.

Then you can examine your browser add-ons. Potentially unwanted programs often show up under the add-ons dialog in Mozilla Firefox, Google Chrome, Internet Explorer or Safari. Is there something that looks suspicious? Anything that you don’t remember installing?
Firefox add-ons manager

I think most users will be able to track down and uninstall the potentially unwanted program with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the potentially unwanted program. FreeFixer is a freeware tool that I started developing about 8 years ago. FreeFixer is a tool built to manually find and uninstall unwanted software. When you’ve found the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.

FreeFixer’s removal feature is not locked down like many other removal tools out there. It won’t require you to pay for the program just when you are about to remove the unwanted files.

And if you’re having difficulties determining if a file is clean or potentially unwanted in FreeFixer’s scan result, click on the More Info link for the file. That will open up your browser with a page which contains more details about the file. On that web page, check out the VirusTotal report which can be quite useful:

FreeFixer More Info link example
An example of FreeFixer’s “More Info” links.

Did you find any potentially unwanted program on your machine? Did that stop jsl.infostatsvc.com? Please post the name of the potentially unwanted program you uninstalled from your machine in the comments below.

Thank you!

Remove “Ads by SalePlus” and “Ad by SalePlus”

Hello there guys and gals. This Saturday night I wanted to talk about an adware called SalePlus and give you some removal instructions. This seems to be a variant of UniSales that I’ve previously blogged about. If you have SalePlus running on your machine, you will notice ads labeled “Ads by SalePlus” or “Ad by SalePlus” inserted into web pages and new add-ons installed into Chrome, Firefox and Internet Explorer. I’ll show how to remove SalePlus in this blog post with the FreeFixer removal tool.

Ads by SalePlus on Google

Ads by SalePlus Ad by SalePlus

Removing SalePlus is pretty easy with FreeFixer. Just select the SalePlus files for removal and then click the Fix button and the problem will be solved.

Remove SalePlus Internet Explorer Remove SalePlus Firefox

You’ll need to remove the Chrome extensions manually from the Chrome settings page.

Hope that helped you to figure out how to do the removal.

Any idea how you got SalePlus on your computer? Please let me and the readers know by posting a comment. Thank you!

Thank you for reading.

SpeeditApp Ads Removal Instructions

Hi there. Found an adware called SpeeditApp tonight and wanted to give you some removal instructions. SpeeditApp appears to be a variant of Graftor. If SpeeditApp is running on your machine, you will see ads labeled SpeeditApp Ads appearing while searching at Google.

SpeeditApp ads google

I’ll show how to remove SpeeditApp in this blog post with the FreeFixer removal tool.

SpeeditApp is distributed by a method called bundling. Bundling means that a piece of software is included in other software’s installers. This is how SpeeditApp was disclosed in the installer when I found it.

SpeeditApp by Revizer

As always when I run into some new bundled software I uploaded it to VirusTotal to check if the anti-malware programs there detect anything interesting. Of the 57 scanners, 16 detected the file. The SpeeditApp files are detected as AddLyrics_r.ME by AVG, a variant of Win32/Adware.AddLyrics.DW by ESET-NOD32, Gen:Variant.Graftor.179236 by GData, Trj/Genetic.gen by Panda and Adware.AddLyrics/Variant by SUPERAntiSpyware.

You probably want to remove SpeeditApp. You can just select the SpeeditApp files in FreeFixer for removal. A restart of your computer may be required to complete the removal. Problem taken care of.

remove speeditapp ie

Hope that helped you with the removal.

Did you also find SpeeditApp on your computer? Any idea how it installed? Please share by posting a comment. Thank you!

Thanks for reading!

TAIMED LLC – 2% Anti-Virus Detection Rate – Trojan.Win32.Qudamah

Hi there! Hope you are having a good Saturday night. Just wanted to give you the heads up on files digitally signed by TAIMED LLC.

TAIMED LLC uac

Windows will display TAIMED LLC as the publisher when running the file. The certificate information can also be viewed from Windows Explorer. According to the certificate we can see that TAIMED LLC appears to be located in Lubertsy, Russia and that the certificate is issued by COMODO Code Signing CA 2.

TAIMED LLC certificate
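
The Digital Signatures tab check described in this post and in the LLC “HALKON PLYUS” and Tiki Taka posts, done for a whole folder at once, as an added PowerShell example that is not from the original posts. The function name `Get-SignerReport`, the Downloads folder and the watch list parameter are assumptions for illustration; the publisher names in the usage lines are the ones named on this page.

```powershell
# Added example: report the Authenticode signer of every executable under a folder
# and flag publishers you have put on a watch list.
function Get-SignerReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Publisher names to flag (hypothetical parameter; matched as a
        # case-insensitive substring of the certificate's simple name).
        [string[]]$WatchList = @()
    )

    $extensions = '.exe', '.msi', '.dll'
    $nameType   = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $extensions -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $cert = $sig.SignerCertificate   # $null when the file is not signed

            $publisher = $null
            $issuer    = $null
            $subject   = $null
            if ($cert) {
                $publisher = $cert.GetNameInfo($nameType, $false)  # signer name
                $issuer    = $cert.GetNameInfo($nameType, $true)   # issuing CA name
                $subject   = $cert.Subject  # full DN, includes L= (city) and C= (country)
            }

            $watched = $false
            foreach ($name in $WatchList) {
                if ($publisher -and
                    $publisher.IndexOf($name, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                    $watched = $true
                }
            }

            [pscustomobject]@{
                Watched   = $watched
                Status    = $sig.Status      # Valid, NotSigned, HashMismatch, ...
                Publisher = $publisher
                Issuer    = $issuer
                Subject   = $subject
                File      = $_.FullName
            }
        }
}

# Usage: check the current user's Downloads folder (assumed location).
$downloads = Join-Path $env:USERPROFILE 'Downloads'
$watch     = 'HALKON PLYUS', 'Tiki Taka', 'TAIMED LLC'
Get-SignerReport -Path $downloads -WatchList $watch |
    Sort-Object -Property Watched, Publisher -Descending |
    Format-Table -Property Watched, Status, Publisher, Issuer, File -AutoSize
```

A `Valid` status only means the file is unchanged since it was signed and the certificate chains to a trusted issuer; as the detections in these posts show, it says nothing about whether the software is wanted.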

So, why did I put up this blog post? Well, the thing is that the TAIMED LLC file is detected by a few of the antimalware scanners, according to VirusTotal. Tencent classifies Game_of_Thrones_S04E02_HDTV_x264-2HD[ettv].exe as Trojan.Win32.Qudamah.Gen.3

TAIMED LLC anti-virus report

In addition to that, if you run the file, it will install the Jelbrus Secure Web adware. I’m sure the other anti-virus programs will detect this in a few days.

Did you also find a file digitally signed by TAIMED LLC? Where did you find it and are the anti-virus programs detecting it? I found it at The Pirate Bay. Please share in the comments below.

Thank you for reading.

Remove asrv-a.akamaihd.net from Firefox, Chrome and Internet Explorer

This page shows how to remove asrv-a.akamaihd.net from Mozilla Firefox, Google Chrome and Internet Explorer.

Did you just see asrv-a.akamaihd.net in the status bar of your browser and ask yourself where it came from? Or did asrv-a.akamaihd.net show up while you search for something on one of the major search engines, such as the Google.com search engine?

Here is what the asrv-a.akamaihd.net connection looked like in my network log. The connection was made when I searched at Google.

asrv-a.akamaihd.net

The actual URL is https://asrv-a.akamaihd.net/sd/9717/1001.js. When loaded, a code snippet is returned that mentions the gal.adviceoncarsse.com (37.58.102.34) domain.

Here are some of the status bar messages you may see in your browser’s status bar:

  • Waiting for asrv-a.akamaihd.net…
  • Transferring data from asrv-a.akamaihd.net…
  • Looking up asrv-a.akamaihd.net…
  • Read asrv-a.akamaihd.net
  • Connected to asrv-a.akamaihd.net…

If this description sounds like your story, you almost certainly have some potentially unwanted program installed on your computer that makes the asrv-a.akamaihd.net domain appear in your browser. So don’t write angry emails to the website you were browsing; they are almost certainly not responsible for the asrv-a.akamaihd.net status bar messages. The potentially unwanted program on your machine is. I’ll do my best to help you with the asrv-a.akamaihd.net removal in this blog post.

If you have been spending some time on this blog you already know this, but if you are new: A little while back I dedicated some of my lab machines and knowingly installed some potentially unwanted programs on them. Since then I have been tracking the behaviour on these machines to see what kinds of advertisements are displayed. I’m also looking at other interesting things, such as whether the potentially unwanted program auto-updates or installs additional potentially unwanted programs on the computers. I first noticed asrv-a.akamaihd.net in Mozilla Firefox’s status bar on one of these lab computers.

asrv-a.akamaihd.net resolves to the 23.62.6.72 address.

So, how do you remove asrv-a.akamaihd.net from your browser? On the machine where asrv-a.akamaihd.net showed up in the status bar I had PriceFountain, WebWaltz, SpeedChecker and YTDownloader installed. I removed them with FreeFixer and that stopped the browser from loading data from asrv-a.akamaihd.net.

The bad news with status bar messages such as this one is that they can be caused by many variants of potentially unwanted programs, not just the potentially unwanted program that’s installed on my system. This makes it impossible to say exactly what you need to remove to stop the status bar messages.

Anyway, here’s my suggestion for the asrv-a.akamaihd.net removal:

The first thing I would do to remove asrv-a.akamaihd.net is to examine the programs installed on the machine, by opening the “Uninstall programs” dialog. You can open this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows you can just type in “uninstall” in the Control Panel’s search field to find that dialog:
Uninstall a program search

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Uninstall a program dialog

Do you see something suspicious listed there or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if some program was installed about the same time as you started observing the asrv-a.akamaihd.net status bar messages.

The next thing to check would be your browser’s add-ons. Potentially unwanted programs often appear under the add-ons dialog in Firefox, Chrome, Internet Explorer or Safari. Is there anything that looks suspicious? Something that you don’t remember installing?
Firefox add-ons manager
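
The “Installed On” check from the first removal step (the same step appears in each removal guide on this page), as an added PowerShell example that is not part of the original posts. The function name `Get-InstalledProgram` and the 30-day window are assumptions for illustration; the registry paths are the standard Windows uninstall keys that the Uninstall programs dialog reads.

```powershell
# Added example: list installed programs with their install date, newest first,
# like sorting on the "Installed On" column of the Uninstall programs dialog.
function Get-InstalledProgram {
    [CmdletBinding()]
    param(
        # Only return programs installed on or after this date (assumption: you
        # know roughly when the pop-ups or status bar messages started).
        [datetime]$Since = [datetime]::MinValue
    )

    # Per-machine (64-bit and 32-bit views) and per-user uninstall entries.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            # InstallDate is an optional yyyyMMdd string; not every installer sets it.
            $installedOn = $null
            $parsed      = [datetime]::MinValue
            $ok = [datetime]::TryParseExact(
                [string]$_.InstallDate, 'yyyyMMdd',
                [cultureinfo]::InvariantCulture,
                [System.Globalization.DateTimeStyles]::None,
                [ref]$parsed)
            if ($ok) { $installedOn = $parsed }

            $scope = 'Machine'
            if ($_.PSPath -like '*HKEY_CURRENT_USER*') { $scope = 'User' }

            [pscustomobject]@{
                InstalledOn = $installedOn
                Name        = $_.DisplayName
                Publisher   = $_.Publisher
                Scope       = $scope
                Uninstall   = $_.UninstallString
            }
        } |
        # Keep entries with no recorded date: a missing date is not a sign of
        # safety, so they still need a manual look.
        Where-Object { -not $_.InstalledOn -or $_.InstalledOn -ge $Since } |
        Sort-Object -Property InstalledOn -Descending
}

# Usage: everything installed in the last 30 days, plus undated entries.
Get-InstalledProgram -Since (Get-Date).AddDays(-30) |
    Format-Table -Property InstalledOn, Name, Publisher, Scope -AutoSize
```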

I think most users will be able to identify and uninstall the potentially unwanted program with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the potentially unwanted program. FreeFixer is a freeware tool that I started developing many years ago. It’s a tool designed to manually find and uninstall unwanted software. When you’ve found the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.

FreeFixer’s removal feature is not locked like many other removal tools out there. It won’t require you to pay a fee just when you are about to remove the unwanted files.

And if you’re having a hard time determining if a file is legitimate or potentially unwanted in FreeFixer’s scan report, click on the More Info link for the file. That will open up your web browser with a page which contains additional information about the file. On that web page, check out the VirusTotal report which can be very useful:

FreeFixer More Info link example
An example of FreeFixer’s “More Info” links.

Did this blog post help you to remove asrv-a.akamaihd.net? Please let me know, or tell me how I can improve this blog post.

Thank you!

fhr.data.mozilla.com – Firefox Sends Data To Health Report Server

I was examining a network log this morning and found that Mozilla Firefox makes a connection to fhr.data.mozilla.com:

fhr.data.mozilla.com connection in Mozilla Firefox

Why is Firefox sending data to fhr.data.mozilla.com? The answer is a feature called Firefox Health Report (FHR) that sends metrics to the Mozilla servers. The FAQ explains what kind of data is sent, and what’s not sent:

For example, FHR sends data to Mozilla on things like: operating system, PC/Mac, number of processors, Firefox version, the number and type of add-ons. The data collected by FHR is tied to a Document ID that corresponds to a browser installation (explained above in question #4) so that the data can be correlated across a limited window of time.

FHR does not collect email addresses or track website visits, which services users are logged into, downloads, or search details, nor does it collect other information which directly identifies you as a user.

If you’d like to view the health report for your browser, type in about:healthreport in the address bar and the health report should appear:

firefox health report

According to the report, I should be able to see more interesting data the more I use the browser. That seems a bit strange, since I’ve been using the browser A LOT. But I’ll check back later on to see if something more interesting appears. If so, I’ll add some more screenshots.