Remove TornPlusTV Adware – TornPlusTV_version1.11 Removal Guide

November 19, 2014adware, freefixerArmageddon Labs (BrightCircle Investments Limited), Arod Group (BrightCircle Investments Limited), Aussie Labs (BrightCircle Investments Limited), BadFinger Project (BrightCircle Investments Limited), Berta Dress Apps (Bright Circle Investments Ltd), Bright Circle Investments Ltd, Cyprus, Nicosia, Selecao Technologies (Bright Circle Investments Ltd).Roger Karlsson

Hi there. Today I wanted to talk about an adware named TornPlusTV or TornPlusTV_version1.11 and thought I should give you some removal instructions. TornPlusTV_version1.11 appears to be a variant of CrossRider that I’ve blogged about before.

If TornPlusTV is installed on your system, you will find new the TornPlusTV add-ons installed in Firefox and Internet Explorer, TornPlusTV_version1.11-bg.exe running in the Windows Task Manager and many new scheduled tasks installed. The Chrome browser seems to stay unaffected. I’ll show how to remove TornPlusTV_version1.11 in this blog post with the FreeFixer removal tool.

Here’s the TornPlusTV add-on in Internet Explorer:

And the TornPlusTV_version1.11 add-on in Firefox:

You might also spot the TornPlusTV_version1.11-bg.exe in the Task Manager:

When I mess around with some new software I always upload it to VirusTotal to verify if the anti-malware progams there find something. Of the 55 scanners, 15 detected the file. The TornPlusTV_version1.11 files are detected as DLOADER.Trojan by DrWeb, W32/A-ee826839!Eldorado by F-Prot, Gen:Application.Heur.Ky9@ky9OVaii by F-Secure and Crossrider (fs) by VIPRE.

The files are digitally signed by Arod Group (BrightCircle Investments Limited): The certificated is quite new, it’s valid from the 17th of November 2014.

I’m sure you’d like to remove TornPlusTV_version1.11, and that’s pretty easy with FreeFixer. Select the TornPlusTV_version1.11 items, as shown in the screenshots below, click Fix, and reboot your machine and the problem should be gone.

The TornTVPlus process:

And the DLL loaded into Internet Explorer:

The scheduled tasks for TornPlusTV:

And last, the add-ons in Internet Explorer and Firefox:

Hope this helped you solved the TornPlusTV_version1.11 problem.

Do you also have TornPlusTV_version1.11 on your machine? Any idea how it installed? Please share your story the comments below. Thank you!

Thanks for reading!

Update 2014-11-26: Now the files are signed by Aussie Labs (BrightCircle Investments Limited):

Update 2014-12-04: Now the files are signed by “BadFinger Project (BrightCircle Investments Limited)”.

Update 2014-12-19: Files now signed by Armageddon Labs (BrightCircle Investments Limited).

Update 2015-01-15: The files are now digitally signed by Berta Dress Apps (Bright Circle Investments Ltd).

Update 2015-01-20: Now they are signed by Selecao Technologies (Bright Circle Investments Ltd).

How To Remove gov-surveys.com Pop-Up Survey Ads

November 19, 2014pop-ups, survey209.126.106.182Roger Karlsson

Do you see pop-up surveys from gov-surveys.com while browsing sites that generally don’t advertise in pop-up windows. The pop-ups manage to circumvent the built-in pop-up blockers in Mozilla Firefox, Google Chrome, Internet Explorer or Safari.

Here’s how the gov-surveys.com pop-up survey looked like when I got it on my machine yesterday. I’ve framed some of the interesting properties of the screenshot.

Does this sounds like your story, you apparently have some adware installed on your machine that pop up the gov-surveys.com surveys. So don’t send angry emails to the website you were browsing, the ads are presumably not coming from them, but from the adware on your system. I’ll try help you to remove the gov-surveys.com in this blog post.

Generally this type of survey tries to make the impression that it came from the web site you where browsing, that you will get some sort of compensation for completing the survey, that your feedback will be used to improve the web site. More often that not, the survey is also translated into you language, often poorly translated. Since I own the www.freefixer.com web site, I know the survey is fake.

For those that are new to the blog: A little while back I dedicated some of my lab machines and intentionally installed some adware programs on them. Since then I have been following the actions on these computers to see what kinds of advertisements that are displayed. I’m also looking on other interesting things such as if the adware auto-updates, or if it installs additional unwanted software on the machines. I first noticed the gov-surveys.com pop-up survey on one of these lab machines.

So, how do you remove the gov-surveys.com pop-up survey ads? On the machine where I got the gov-surveys.com ads I had PriceHorse, SaferSurf and CheckMeUp installed. I removed them with FreeFixer and that stopped the gov-surveys.com pop-ups and all the other ads I was getting in Firefox. Sorry, I don’t know which of them was responsible for the pop-up.

Judging from Alexa’s traffic rank, gov-surveys.com is getting quite a lot of traffic. From the diagram, we can see that the traffic started booming in the middle of October.

The gov-surveys.com domain was also registered in the middle of October 2014. It’s hosted on 209.126.106.182 which appears to be a dedicated server.

The issue with this type of pop-up survey is that it can probably be launched by many variants of adware. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

Anyway, here’s my suggestion for the gov-surveys.com ads removal:

The first thing I would do to remove the gov-surveys.com pop-ups is to examine the software installed on the machine, by opening the “Uninstall programs” dialog. You can reach this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows OS you can just type in “uninstall” in the Control Panel’s search field to find that dialog:

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:

Do you see something dubious in there or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if something was installed approximately about the same time as you started seeing the gov-surveys.com pop-ups.

I think you will be able to find and uninstall the adware with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the adware. FreeFixer is a freeware tool that I started develop many years ago. It’s a tool designed to manually track down and remove unwanted software. When you’ve found the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.

FreeFixer’s removal feature is not crippled like many other removal tools out there. It won’t require you to pay for the program just when you are about to remove the unwanted files.

And if you’re having problems determining if a file is safe or malware in FreeFixer’s scan report, click on the More Info link for the file. That will open up your web browser with a page which contains additional information about the file. On that web page, check out the VirusTotal report which can be quite useful:

FreeFixer More Info link example — An example of FreeFixer’s “More Info” links. Click for full size.

Are you a Mac or Linux user and get the gov-surveys.com pop-ups? What did you do to stop the pop-up in your browser? Please share in the comments below. Thank you!

Did this blog post help you to remove the gov-surveys.com pop-ups ads? Please let me know or how I can improve this blog post.

Thank you!

Remove qiip.net Pop-Up Ad Surveys

November 19, 2014pop-ups, survey178.62.243.117, otx.fr, zpz.frRoger Karlsson

Does this sound familiar? You see pop-up surveys from qiip.net while browsing sites that commonly don’t advertise in pop-up windows. The pop-ups manage to get round the built-in pop-up blockers in Google Chrome, Mozilla Firefox, Internet Explorer or Safari.

Here’s how the qiip.net survey looked like when I got it on my machine:

If this description sounds like your story, you probably have some adware installed on your computer that pop up the qiip.net surveys. I’ll do my best to help you remove the qiip.net in this blog post.

Generally this type of surveys often try to make it appear that they are initiated from the web site you currently were visiting, often by quoting the domain name. In my case, it talks about google.se. The surveys often claim that you will get some reward from the web site you were browsing. Sometimes the surveys are localised to your language, but often its poorly translated. This is also true for the qiip.net survey.

Those that have been reading this blog already know this, but for new visitors: Not long ago I dedicated a few of my lab systems and intentionally installed some adware programs on them. Since then I have been following the actions on these computers to see what kinds of adverts that are displayed. I’m also looking on other interesting things such as if the adware auto-updates, or if it downloads additional unwanted software on the computers. I first found the qiip.net survey on one of these lab computers.

qiip.net was registered in the end of October 2014. otx.fr and zpz.fr are two domains hosted on the same IP (178.62.243.117) as qiip.net.

So, how do you remove the qiip.net pop-up survey? On the machine where I got the qiip.net ads I had TinyWallet and PriceHorse installed. I removed them with FreeFixer and that stopped the qiip.net pop-ups and all the other ads I was getting in Firefox.

TinyWallet was the adware that caused the pop-ups in my case. The pop-up was labelled “Ad by TinyWallet” in the bottom right corner of the browser, as shown in the screenshot:

What label did your pop-up ad have? Please share by posting a comment below.

The issue with this type of survey is that it can be launched by many variants of adware. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

Anyway, here’s my suggestion for the qiip.net ads removal:

The first thing I would do to remove the qiip.net pop-up survey is to examine the programs installed on the machine, by opening the “Uninstall programs” dialog. You can open this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows you can just type in “uninstall” in the Control Panel’s search field to find that dialog:

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:

Do you see something suspicious listed there or something that you don’t remember installing? Do you see TinyWallet? Tip: Sort on the “Installed On” column to see if something was installed about the same time as you started seeing the qiip.net pop-ups.

I think you will be able to track down and remove the adware with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the adware. FreeFixer is a freeware tool that I’ve developed since 2006. It’s a tool designed to manually identify and uninstall unwanted software. When you’ve found the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.

FreeFixer’s removal feature is not locked like many other removal tools out there. It won’t require you to pay a fee just when you are about to remove the unwanted files.

And if you’re having problems figuring out if a file is clean or malware in FreeFixer’s scan report, click on the More Info link for the file. That will open up a web page which contains additional information about the file. On that web page, check out the VirusTotal report which can be very useful:

Are you a Mac or Linux user and get the qiip.net pop-ups? What did you do to stop the pop-up in your browser? Please share in the comments below. Thank you!

Did this blog post help you to remove the qiip.net pop-up surveys? Please let me know or how I can improve this blog post.

Thank you!

Remove ash.coupbat.com Pop-Ups Ads

November 19, 2014adware, pop-upsCoup Pop-UpRoger Karlsson

Does this sound like your story? You see pop-up ads from ash.coupbat.com while browsing sites that generally don’t advertise in pop-up windows. The pop-ups manage to circumvent the built-in pop-up blockers in Google Chrome, Mozilla Firefox, Internet Explorer or Safari. Perhaps the ash.coupbat.com pop-ups appear when clicking search results from Google? Or does the pop-ups appear even when you’re not browsing?

Here’s how the ash.coupbat.com pop-up looked like when I got it on my computer:

(Sorry for the ridiculous use of watermarking. If I don’t add them my screenshots always show up at some copy-cat blogs.)

If this description sounds like what you are seeing, you almost certainly have some adware installed on your machine that pop up the ash.coupbat.com ads. So don’t send angry emails to the site you were browsing, the ads are presumably not coming from them, but from the adware on your machine. I’ll try help you to remove the ash.coupbat.com in this blog post.

If you have been spending some time on this blog already know this, but if you are new: Recently I dedicated a few of my lab machines and purposely installed a few adware programs on them. I’ve been monitoring the actions on these systems to see what kinds of advertisements that are displayed. I’m also looking on other interesting things such as if the adware updates itself, or if it installs additional unwanted software on the systems. I first noticed the ash.coupbat.com pop-up on one of these lab machines.

So, how do you remove the ash.coupbat.com pop-up ads? On the machine where I got the ash.coupbat.com ads I had TinyWallet, BrowserWarden and BlockAndSurf installed. I removed them with FreeFixer and that stopped the ash.coupbat.com pop-ups and all the other ads I was getting in Firefox.

BlockAndSurf was the adware that caused the pop-ups in my case. I could see this since it was kind enough to label the pop-up ad with “Ads by BlockAndSurf“:

What label did your pop-up ad have? Please share in the comments area.

The issue with this type of pop-up is that it can be launched by many variants of adware. I think that adware such as NewPlayer, CheckMeUp, Salus and SaferSurf can also be responsible for the ash.coupbat.com popups. And there are probably other variants too. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

Anyway, here’s my suggestion for the ash.coupbat.com ads removal:

The first thing I would do to remove the ash.coupbat.com pop-ups is to examine the software installed on the machine, by opening the “Uninstall programs” dialog. You can find this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows Operating System you can just type in “uninstall” in the Control Panel’s search field to find that dialog:

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:

Do you see something strange-looking in there or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if some program was installed about the same time as you started observing the ash.coupbat.com pop-ups.

The next thing to check would be your browser’s add-ons. Adware often appear under the add-ons menu in Google Chrome, Mozilla Firefox, Internet Explorer, Safari or Opera. Is there something that looks suspicious? Anything that you don’t remember installing?

I think most users will be able to identify and remove the adware with the two steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the adware. FreeFixer is a freeware tool that I’ve developed since 2006. It’s a tool designed to manually identify and uninstall unwanted software. When you’ve found the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.

FreeFixer’s removal feature is not locked like many other removal tools out there. It won’t ask pay a fee just when you are about to remove the unwanted files.

And if you’re having difficulties determining if a file is clean or unsafe in the FreeFixer scan report, click on the More Info link for the file. That will open up your web browser with a page which contains more details about the file. On that web page, check out the VirusTotal report which can be quite useful:

Are you a Mac or Linux user and get the ash.coupbat.com pop-ups? What did you do to stop the pop-up in your browser? Please share in the comments below. Thanks!

Did this blog post help you to remove the ash.coupbat.com pop-ups ads? Please let me know or how I can improve this blog post.

Thank you!

Remove aff.couploss.com Pop-Up Ads

November 18, 2014pop-upsCoup Pop-UpRoger Karlsson

Did you just get a pop-up from aff.couploss.com and wonder where it came from? Did the aff.couploss.com ad appear to have been initiated from a web site that under normal circumstances don’t use aggressive adverting such as pop-up windows? Or did the aff.couploss.com popup show up while you clicked a link on one of the major search engines, such as Google, Bing or Yahoo?

If this sounds like your story, it’s very likely that you have some unwanted advertising software on your computer. This type of software is often called adware. I’ll try to give you some advice on how to remove the aff.couploss.com pop-ups in this blog post which hopefully will help you to completely stop the popups.

In my case I had an adware called BlockAndSurf installed on my machine which I remove with FreeFixer. Problem solved. As a matter of fact, the pop-up was actually labeled with the adware name. What label did your pop-up have?

But the problem is that this type of pop-up is popped up by other adware too, which makes it difficult to say exactly what should be removed.

I would start checking in the Add/Remove programs dialog for something suspicious, then check the browser’s add-on menu.

If you don’t find the adware there, try the FreeFixer removal tool. It’s a free tool that can help you track down and remove the adware. If you find something that looks suspicious in the scan result, click the More Info link to the a VirusTotal report.

What adware did you find on your machine? When you removed them, did that stop the aff.couploss.com pop-up ads?

Fileadventure – Fake Java Update – 38% Detection Rate

November 18, 2014digital signatureAdKnowledge, Eldorado, iBryteRoger Karlsson

Hello! Just a short note on a publisher called Fileadventure.

If you have a Fileadventure file on your machine you may have noticed that Fileadventure is displayed as the publisher in the UAC dialog when double-clicking on the file. You can also look at the Fileadventure certificate and digital signature by looking under the Digital Signatures tab on the file’s properties. According to the certificate, Fileadventure is located in Kansas City, USA.

The problem here is that if setup.exe really was an installer file for Java, it would be digitally signed by Oracle America Inc. and not by some unknown company.

The Fileadventure file was promoted by adware that showed a pop-up in the browser saying “Your Java Version is Outdated“. The pop-up opened up a faked Java update site.

When I uploaded the Fileadventure file to VirusTotal, it came up with a 38% detection rate. The file is detected as Win32:IBryte-HL [PUP] by Avast, W32/A-138dbbfa!Eldorado by F-Prot, PUP.Optional.iBryte by Malwarebytes and AdKnowledge (fs) by VIPRE.

Did you also find a Fileadventure file? Was it also promoted as a “Java Update”?

Thanks for reading.

CloudScout and CloudGuard.exe Removal Instructions

November 17, 2014adware, freefixer31.168.224.100, 31.168.224.106, 5.135.12.52, 5.135.12.56Roger Karlsson

Just wanted to put up a short blog post before calling it a day. The post is about an adware called CloudGuard or CloudScout. If the CloudGuard adware is running on your system, you will see CloudGuard.exe in the Windows Task Manager, a new service called CloudScout starting the CloudGuard.exe process and name servers changed to 31.168.224.100 and 5.135.12.56. The software appears as CloudScout Parental Control in the Add/Remove programs dialog.

I’ll show how to remove CloudGuard in this blog post with the FreeFixer removal tool.

I’ve upload CloudGuard.exe to VirusTotal, but it was not detected by any of the scanners there. They probably will in the future.

CloudGuard is distributed by a strategy called bundling. Bundling means that a piece of software is included in other software’s installers. When I first found CloudGuard, it was bundled with a software download called FastPlayerPro. Here’s a screenshot from the cloudguard.me web site which shows the software is adware:

Generally, you can avoid bundled software such as CloudScout / CloudGuard by being careful when installing software and declining the bundled offers in the installer.

I’m sure you’d like to remove CloudScout, and that’s straightforward with FreeFixer. Select the CloudGuard files and settings, as shown in the screen dumps below, click Fix, and reboot your computer and the problem should be gone.

Check the CloudScout/CloudGuard.exe service for removal:

and the CloudGuard.exe process:

And restore your name server:

Hope that helped you with the removal.

Any idea how you got CloudGuard on your machine? Please share in the comments below. Thanks!

Hope you found this useful. Thanks for reading.

Update 2014-11-19: Now the DNS is changed to 31.168.224.106 and 5.135.12.52.

Remove Browser Guard – Uninstall Guide

November 17, 2014adware, freefixerGratifying AppsRoger Karlsson

Hello guys and gals. Did you just notice something called Browser Guard on your computer? If Browser Guard is installed on your computer, you will spot new add-ons installed in Mozilla Firefox and Internet Explorer called “Browser Guard 1.0” and “Browser Guard BHO” as shown in the screenshots below. Chrome seems to be unaffected by the adware 🙂 I’ll show how to remove Browser Guard in this blog post with the FreeFixer removal tool.

Here’s the add-on in Firefox:

And here’s the Browser Guard add-on in Internet Explorer. The publisher says “Gratifying Apps“.

BrowserGuard is bundled in other software’s installers. When I first found Browser Guard, it was bundled with an annoying piece of software called FastPlayerPro. It bundles a ton of unwanted programs. Generally, you can avoid bundled software such as Browser Guard by being careful when installing software and declining the bundled offers in the installer.

When I run into some new bundled software I always upload it to VirusTotal to check if the anti-viruses there find something. Of the 54 scanners, only 6 detected the file. Agnitum detects Browser Guard as PUA.SmartApps!, Antiy-AVL calls it GrayWare[AdWare:not-a-virus]/Win32.Agent and ESET-NOD32 detects it as a variant of Win32/AdWare.SmartApps.H.

Since you probably want to remove Browser Guard, these are the files you should check for removal if you want to remove it with FreeFixer. You may have to reboot your computer to complete the removal.

Hope that helped you with the removal.

Do you also have Browser Guard on your system? Any idea how it was installed? Please share in the comments below. Thank you!

Hope you found this useful. Thanks for reading.

Remove tikotin.com from Chrome

November 17, 2014adware, freefixerRoger Karlsson

Are having problems that tikotin.com appears as the start page in Google Chrome when you start it from the desktop icon?

Here’s how tikotin.com showed up in my Chrome browser:

You can easily remove tikotin.com from Chrome with FreeFixer. Just select the following item in the scan result:

If you are having the same problem, but in Internet Explorer or Mozilla Firefox, FreeFixer can fix that problem as well.

Thanks for reading. Any idea how you got tikotin.com on your machine?

Remove sendapplicationget.com from Google, Bing and Yahoo Search Results

November 16, 2014search engine adsRoger Karlsson

If you hover the mouse over the links on the Google, Yahoo and Bing search results, does sendapplicationget.com appear in the status area of the browser as shown in the screenshots below? Then you have some adware installed on your machine. I’ll show how to remove the sendapplicationget.com links in this blog post.

I got the sendapplicationget.com in Firefox, but they can appear if you are browsing with Chrome and Internet Explorer too.

I’ve seen s2.sendapplicationget.com, s3.sendapplicationget.com and s4.sendapplicationget.com show up, but I guess you might spot the following too:

s1.sendapplicationget.com
s5.sendapplicationget.com
s6.sendapplicationget.com
s7.sendapplicationget.com
s8.sendapplicationget.com

On the machine where I got the sendapplicationget.com links, I had the TinyWallet and BlockAndSurf adware installed. I removed these two with the FreeFixer removal tool, and the problem was solved.

I think that the sendapplicationget.com links can appear due to other adwares as well.

If you like you can use FreeFixer to track down the unwanted software on your machine. If you are having difficulties when determining if a file is safe or malware in FreeFixer’s scan result, please try the More Info links that appears for each file. That will open up a web page with some additional information that can be useful, such as a scan report from VirusTotal:

freefixer-more-info-skype_setup — FreeFixer’s More Info links – Click for full size.

What adware did you remove to stop the sendapplicationget.com links?

It seems as the sendapplicationget.com web site received quite a lot of clicks starting from August. Just check out the traffic rank: