Remove cr.install-daddy.com from Firefox, Chrome and Internet Explorer

This page shows how to remove cr.install-daddy.com from Mozilla Firefox, Google Chrome and Internet Explorer.

Does this sound like your story? You see cr.install-daddy.com in your browser’s status bar or in your network log while browsing websites that mostly don’t load any content from third-party domains. Perhaps the cr.install-daddy.com domain shows up when performing a search at the Google.com search engine?

Here’s a screen capture of cr.install-daddy.com when it showed up on my system:

cr.install-daddy.com connection

The following are some of the status bar notifications you may see in your browser’s status bar:

  • Waiting for cr.install-daddy.com…
  • Transferring data from cr.install-daddy.com…
  • Looking up cr.install-daddy.com…
  • Read cr.install-daddy.com
  • Connected to cr.install-daddy.com…

If this sounds like what you are seeing, you almost certainly have some adware installed on your machine that makes the cr.install-daddy.com domain appear in your browser. So there’s no use contacting the owner of the site you were browsing. The cr.install-daddy.com status bar messages are not coming from them. I’ll do my best to help you remove the cr.install-daddy.com message in this blog post.

If you have been reading this blog you already know this, but if you are new: Some time ago I dedicated a few of my lab machines and knowingly installed a few adware programs on them. Since then I have been monitoring the behaviour on these machines to see what kinds of advertisements are displayed. I’m also looking at other interesting things, such as whether the adware updates itself automatically, or whether it downloads additional unwanted software on the machines. I first noticed cr.install-daddy.com in Mozilla Firefox’s status bar on one of these lab computers.

install-daddy.com resolves to 192.31.186.37 and cr.install-daddy.com to the 69.16.175.10 IP address. cr.install-daddy.com was registered on 2013-06-13. Unfortunately I cannot see the WHOIS info, since it is protected by WHOISGUARD, INC.

So, how do you remove cr.install-daddy.com from your web browser? On the machine where cr.install-daddy.com showed up in the status bar I had TornTV installed. I removed it with FreeFixer and that stopped the web browser from loading data from cr.install-daddy.com.

The problem with this type of status bar message is that, at least as far as I can tell, it can be caused by many variants of adware, not just TornTV. This makes it impossible to say exactly what you need to remove to stop the status bar messages.

Anyway, here’s my suggestion for the cr.install-daddy.com removal:

The first thing I would do to remove cr.install-daddy.com is to examine the software installed on the machine, by opening the “Uninstall programs” dialog. You can open this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows you can just type in “uninstall” in the Control Panel’s search field to find that dialog:
Uninstall a program search

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Uninstall a program dialog

Do you see something strange-looking in there or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if some program was installed about the same time as you started observing the cr.install-daddy.com status bar messages. Do you see TornTV listed there?

Then I would check the browser add-ons. Adware often appears under the add-ons dialog in Google Chrome, Mozilla Firefox, Internet Explorer, Safari or Opera. Is there anything that looks suspicious? Something that you don’t remember installing? TornTV in the list?
Firefox add-ons manager
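
The “Installed On” check from the first step can also be done from PowerShell. This is an added example, not code from FreeFixer or the original post: it reads the registry data behind the “Uninstall a program” dialog and lists recently installed programs, newest first. The 30-day window and the substring watchlist (names taken from this page) are assumptions.

```powershell
# Added example (not FreeFixer code): list installed programs, newest first,
# from the registry data behind the "Uninstall a program" dialog.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
# Names mentioned on this page. Assumption: a substring match on DisplayName
# is good enough for a first pass.
$watchlist = 'TornTV', 'PriceLess', 'PriceHorse', 'OfferBoulevard', 'SpeedCheck', 'SettingsGuard'

function Get-RecentlyInstalledProgram {
    param([int]$Days = 30)   # how far back "recent" reaches (assumed default)
    $cutoff = (Get-Date).Date.AddDays(-$Days)
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            # InstallDate is optional and stored as a yyyyMMdd string.
            $date = [datetime]::MinValue
            $hasDate = [datetime]::TryParseExact([string]$_.InstallDate, 'yyyyMMdd',
                [cultureinfo]::InvariantCulture,
                [System.Globalization.DateTimeStyles]::None, [ref]$date)
            $name = $_.DisplayName
            [pscustomobject]@{
                InstalledOn = if ($hasDate) { $date } else { $null }
                Name        = $name
                Publisher   = $_.Publisher
                OnWatchlist = [bool]($watchlist | Where-Object { $name -like "*$_*" })
                Uninstall   = $_.UninstallString
            }
        } |
        # Keep undated entries too: an installer that skips InstallDate is worth a look.
        Where-Object { $null -eq $_.InstalledOn -or $_.InstalledOn -ge $cutoff } |
        Sort-Object InstalledOn -Descending
}

Get-RecentlyInstalledProgram -Days 30 |
    Format-Table InstalledOn, Name, Publisher, OnWatchlist -AutoSize
```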

I think you will be able to track down and uninstall the adware with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the adware. FreeFixer is a freeware tool that I’ve developed since 2006. FreeFixer is a tool designed to manually identify and remove unwanted software. When you’ve tracked down the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.

FreeFixer’s removal feature is not locked down like many other removal tools out there. It will not require you to pay for the program just when you are about to remove the unwanted files.

And if you’re having problems determining if a file is legitimate or adware in the FreeFixer scan result, click on the More Info link for the file. That will open up a web page which contains additional information about the file. On that web page, check out the VirusTotal report which can be very useful:

FreeFixer More Info link example
An example of FreeFixer’s “More Info” links.

Did this blog post help you to remove cr.install-daddy.com? Please let me know, or tell me how I can improve this blog post.

Thank you!

Mari Mara – 20% Detection Rate – PUP.Optional.Maru / OutBrowse Revenyou

Hello! Just wanted to let you know about a publisher called Mari Mara that I found earlier today. Here’s what the UAC dialog looks like when running the file:

Mari Mara publisher

You can also check the digital signature under the file’s properties. According to the certificate we can see that Mari Mara appears to be located in Dublin, Ireland and that the certificate is issued by GlobalSign CodeSigning CA – G2.

Mari Mara certificate

The VirusTotal report shows that the Mari Mara file should probably be avoided, since setup.exe is detected as Win-PUP/OutBrowse by AhnLab-V3, Mari.668 by AVG, PUA.OutBrowse by Ikarus, PUP.Optional.Maru by Malwarebytes and OutBrowse Revenyou by Sophos.

Mari Mara virustotal

Did you also find a Mari Mara file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thank you for reading.

Remove SettingsGuard – Sg.exe and SettingsGuard.exe Removal Instructions

Hello there. I just found another bundled program called SettingsGuard and wanted to give you some removal instructions. SettingsGuard seems to be a variant of BitGuard that I’ve written about before. If SettingsGuard is running on your computer, you will see SettingsGuard.exe and sg.exe running in the Windows Task Manager:

settingsguard.exe sg.exe task manager

You will also see loader.dll and ld64.dll registered as AppInit_DLLs. I’ll show how to remove SettingsGuard in this blog post with the FreeFixer removal tool.
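
To see what is registered under AppInit_DLLs without a separate tool, the following added example (not FreeFixer code and not from the original post) reads both the 64-bit and 32-bit registry views and reports each listed DLL with its Authenticode signer. Run it from a 64-bit PowerShell so the registry views are not redirected; the `NamedOnPage` column only compares file names against the two names given above.

```powershell
# Added example (not FreeFixer code): show what is registered under AppInit_DLLs.
$views = [ordered]@{
    '64-bit' = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    '32-bit' = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
}
$pageNames = 'loader.dll', 'ld64.dll'   # file names reported on this page

function Get-AppInitDll {
    foreach ($view in $views.GetEnumerator()) {
        $key = Get-ItemProperty -Path $view.Value -ErrorAction SilentlyContinue
        if (-not $key) { continue }          # e.g. no WOW6432Node on 32-bit Windows
        # The value is a space- or comma-separated list of DLL paths.
        $dlls = ([string]$key.AppInit_DLLs) -split '[ ,]+' | Where-Object { $_ }
        foreach ($dll in $dlls) {
            # Entries without a full path cannot be checked here; report them as-is.
            $onDisk = [System.IO.Path]::IsPathRooted($dll) -and (Test-Path -LiteralPath $dll)
            $sig = if ($onDisk) { Get-AuthenticodeSignature -FilePath $dll }
            [pscustomobject]@{
                View        = $view.Key
                LoadEnabled = ($key.LoadAppInit_DLLs -eq 1)   # 1 = DLLs are loaded
                Dll         = $dll
                OnDisk      = $onDisk
                Signature   = if ($sig) { $sig.Status } else { 'n/a' }
                Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject }
                NamedOnPage = $pageNames -contains (Split-Path -Leaf $dll).ToLower()
            }
        }
    }
}

Get-AppInitDll | Format-List
```

An empty result means no DLLs are listed in either view.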

So, how did SettingsGuard install on your machine? It was probably bundled with some download that you installed recently. Bundling means that software is included in other software’s installers. When I first found SettingsGuard, it was bundled with a download called Codec Perforer. I guess that is a typo and it should be Codec Performer. This is how SettingsGuard was disclosed in Codec Perforer’s installer when I found it:

SettingsGuard installer Searchalgo

The installer file is digitally signed by Elephant Tech Software LLC.

Elephant Tech Software LLC

Generally, you can avoid bundled software such as SettingsGuard by being careful when installing software and declining the bundled offers in the installer.

When I mess around with some new bundled software I usually upload it to VirusTotal to test if the anti-virus tools there find something. 35% of the antimalware scanners detected the sg.exe file. The SettingsGuard files are detected as Gen:Variant.Strictor.73974 by Ad-Aware, Riskware.Agent! by Agnitum and a variant of Win32/SmartCyberTech.A by ESET-NOD32.

sg.exe virustotal

If you would like to remove SettingsGuard you can do so with the freeware FreeFixer tool. Select the SettingsGuard items for removal in FreeFixer, click Fix, restart your machine and the problem will be gone. Here are a few screenshots to point you in the right direction:

settingsguard sg.exe process
settingsguard settingsguard.exe remove
settingsguard remove startup
settingsguard loader.dll ld64.dll appinit_dlls
settingsguard ld64.dll remove
settingsguard ld64 removal

Hope that helped you to figure out how to do the removal.

Did you also find SettingsGuard on your system? Any idea how it installed? Please share in the comments below. Thank you very much!

Hope you found this useful. Thanks for reading.

Remove 12softlive12.newupdateweb.com Pop Up About Outdated Flash Player

Does this sound like your story? You see pop-up ads from 12softlive12.newupdateweb.com while browsing websites that most of the time don’t advertise in pop-up windows. The pop-ups manage to find a way round the built-in pop-up blockers in Mozilla Firefox, Google Chrome, Internet Explorer or Safari. Maybe the newupdateweb.com pop-ups appear when clicking search results from Google? Or do the pop-ups appear even when you’re not browsing?

Here’s what the 12softlive12.newupdateweb.com pop-up looked like when I got it on my system:

12softlive12.newupdateweb.com pop-up

If this sounds like what you are seeing, you probably have some adware installed on your system that pops up the 12softlive12.newupdateweb.com ads. There’s no use contacting the owners of the site you were browsing. The ads are not coming from them. I’ll try to help you with the 12softlive12.newupdateweb.com removal in this blog post.

Those who have been visiting this blog already know this, but for new visitors: A little while back I dedicated some of my lab machines and purposely installed a few adware programs on them. I’ve been observing the behaviour on these machines to see what kinds of adverts are displayed. I’m also looking at other interesting things, such as whether the adware updates itself automatically, or whether it installs additional unwanted software on the systems. I first spotted the 12softlive12.newupdateweb.com pop-up on one of these lab systems.

12softlive12.newupdateweb.com was created on 2015-01-14. 12softlive12.newupdateweb.com resolves to the 198.7.56.99 IP address.

So, how do you remove the 12softlive12.newupdateweb.com pop-up ads? On the machine where I got the 12softlive12.newupdateweb.com ads I had PriceLess, PriceHorse, OfferBoulevard and SpeedCheck installed. I removed them with FreeFixer and that stopped the 12softlive12.newupdateweb.com pop-ups and all the other ads I was getting in Mozilla Firefox.

The issue with pop-ups such as this one is that it can be initiated by many variants of adware. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

So, what should be done to solve the problem? To remove the 12softlive12.newupdateweb.com pop-up ads you need to review your computer for adware or other types of unwanted software and uninstall it. Here’s my suggested removal procedure:

The first thing I would do to remove the 12softlive12.newupdateweb.com pop-ups is to examine the programs installed on the machine, by opening the “Uninstall programs” dialog. You can open this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows Operating System you can just type in “uninstall” in the Control Panel’s search field to find that dialog:
Uninstall a program search

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Uninstall a program dialog

Do you see something strange-looking listed there or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if something was installed about the same time as you started seeing the 12softlive12.newupdateweb.com pop-ups.

Then you can examine your browser add-ons. Adware often appears under the add-ons menu in Google Chrome, Mozilla Firefox, Internet Explorer or Safari. Is there anything that looks suspicious? Something that you don’t remember installing?
Firefox add-ons manager

I think most users will be able to identify and remove the adware with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the adware. FreeFixer is a freeware tool that I started developing many years ago. It’s a tool built to manually identify and remove unwanted software. When you’ve identified the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.

FreeFixer’s removal feature is not locked like many other removal tools out there. It won’t require you to pay for the program just when you are about to remove the unwanted files.

And if you’re having issues determining if a file is clean or adware in FreeFixer’s scan report, click on the More Info link for the file. That will open up a web page which contains more details about the file. On that web page, check out the VirusTotal report which can be very useful:

FreeFixer More Info link example
An example of FreeFixer’s “More Info” links.

Did you find any adware on your machine? Did that stop the 12softlive12.newupdateweb.com ads? Please post the name of the adware you uninstalled from your machine in the comments below.

Thank you!

Wecan Software – 39% Detection – Verti / PUP.Optional.WeCan.A / NextUp / Rocketfuel Installer

Hi there! A short post on a publisher called Wecan Software that I found this morning while downloading some software. According to the certificate, Wecan Software is located in Bellevue, Washington in the United States of America.

Wecan software cert

Right now, 22 of the 57 anti-virus scanners detected the file. AVG reports MediaPlayerClassicInstaller.exe as Wecan.80E, Fortinet classifies it as Adware/Verti, Malwarebytes names it PUP.Optional.WeCan.A, Sophos classifies it as NextUp and VIPRE reports Rocketfuel Installer (fs).

Wecan software virustotal

Did you also find a file digitally signed by Wecan Software? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Hope this blog post helped you avoid some unwanted software on your machine.

Thanks for reading.

Dove Source (Fried Cooke Ltd.) – 4% Detection Rate – InstallCore

Hello readers! Short on time this weekend, but I just wanted to give you the heads up on a publisher called Dove Source (Fried Cooke Ltd.). The signed file was named Skype_Setup.exe.

Dove Source Fried Cooke LTD cert

The certificate is rather new. It is valid from the 5th of January 2015. According to the cert, the company is located in Tel Aviv, Israel.

The problem here is that if Skype_Setup.exe really was an installer for Skype, it should be digitally signed by Skype Software Sarl and not by some unknown company. Here’s what the authentic Skype looks like when you double click on it. Notice that the “Verified publisher” says “Skype Software Sarl”.

Skype Software Sarl publisher
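
The same publisher comparison can be scripted before a downloaded installer is ever run. This is an added example, not code from FreeFixer or the original post: it reads the Authenticode signature and compares the signer’s name with the publisher you expect. The download path is an assumed placeholder; the expected name is the one shown in the “Verified publisher” field above.

```powershell
# Added example (not FreeFixer code): compare a file's Authenticode signer
# with the publisher the download claims to come from.
function Test-InstallerPublisher {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedPublisher
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    # SimpleName is the subject's common name, the text UAC shows as publisher.
    $signer = if ($cert) {
        $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    }
    $verdict = if ($sig.Status -ne 'Valid') {
        "Not trusted: signature status is $($sig.Status)"
    } elseif ($signer -ne $ExpectedPublisher) {
        "Mismatch: signed by '$signer', expected '$ExpectedPublisher'"
    } else {
        'Match'
    }
    [pscustomobject]@{
        File      = $Path
        Verdict   = $verdict
        Signer    = $signer
        Issuer    = if ($cert) { $cert.Issuer }
        ValidFrom = if ($cert) { $cert.NotBefore }   # a very new certificate is worth noting
    }
}

# Assumed location of the download; adjust to where the file was saved.
$download = Join-Path $env:USERPROFILE 'Downloads\Skype_Setup.exe'
if (Test-Path -LiteralPath $download) {
    Test-InstallerPublisher -Path $download -ExpectedPublisher 'Skype Software Sarl' | Format-List
}
```

A valid signature only says who signed the file, so a “Mismatch” verdict on a file carrying a well-known product’s name is the signal to stop and check the download source.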

The issue with the Dove Source (Fried Cooke Ltd.) file, in addition to using Skype’s name, is that it is detected by a few of the anti-malware scanners. Here are some of the detection names: ADWARE/InstallCore.Gen9 and a variant of Win32/InstallCore.UN.

Dove Source (Fried Cooke Ltd.) virustotal

Did you also find a Dove Source (Fried Cooke Ltd.) file? What kind of download was it?

Thanks for reading.

Small Island Development – Detection Rate: 18% – Smallis / PullUpdate / TVWizard

Welcome! Another quick post on a publisher called Small Island Development. I noticed that many FreeFixer users are submitting files digitally signed by this publisher, so I thought I should write a few lines about them.

There seem to be many variants of the Small Islands files, and many of them seem to have a randomly generated filename. The file I’m currently looking at is detected by 10 of the scanners at VirusTotal. The majority of the scanners classify the file as adware. AVG reports NXtcFoMlakD.dll as Smallis.5E4, Baidu-International names it Adware.MSIL.PullUpdate.BK, Comodo names it ApplicUnwnt, Panda reports Adware/TVWizard and Symantec calls it Yontoo.C.

Small Island Development virustotal

Did you also find a Small Island Development file? What kind of download was it?

Thanks for reading.

Acute Angle Solutions Ltd – 18% Detection Rate – PullUpdate / AcuteAngle / Injekt

Welcome! If you are a regular here on the FreeFixer blog you know that I’ve been looking at the certificates used to sign files that bundle various types of unwanted software. Today I found another certificate, while reviewing files submitted to the FreeFixer database, used by a publisher called Acute Angle Solutions Ltd.

You may see Acute Angle Solutions Ltd. appear as the publisher when checking the digital signature under the file’s properties.

It seems as if the filename for this file is randomly generated: yzmHYl.dll.

Anyway, the reason I’m writing this blog post is that the Acute Angle Solutions Ltd. file is detected by many of the anti-malware scanners at VirusTotal. Antiy-AVL names yzmHYl.dll as Trojan/Win32.TSGeneric, AVG reports Acute.A40, Avira calls it Adware/PullUpdate.AQ, GData calls it Win32.Adware.AcuteAngle.B, Sophos classifies it as Pull Update and VIPRE detects it as Injekt (fs).

Acute Angle Solutions Ltd. virustotal

Did you also find an Acute Angle Solutions Ltd. download? What kind of download was it?

Thank you for reading.

Rational Thought Solutions – 18% Detection Rate – MSIL.Adware.PullUpdate

Found another publisher that appears to be signing adware related files while checking out the new files added to FreeFixer’s database. The publisher is called Rational Thought Solutions.

When I uploaded the Rational Thought Solutions file to VirusTotal, it came up with an 18% detection rate. The file is detected as Downloader.CBD by AVG, a variant of MSIL/Adware.PullUpdate.G.gen by ESET-NOD32, PUP.Optional.StormAlert.A by Malwarebytes, Artemis!707FECAF8B22 by McAfee and MSIL.Adware.PullUpdate by VIPRE.

Rational Thought Solutions virustotal

From what I can tell from the Rational Thought Solutions files added to the FreeFixer database, the file names seem to be randomly generated. The files are located at C:\ProgramData\%random%\%random%.exe.

Did you also stumble upon a download that was signed by Rational Thought Solutions? What kind of download was it and was it reported by the anti-virus scanners at VirusTotal? Please share by posting in the comments below.

Thanks for reading.