Tag Archives: Cyprus

Remove TornPlusTV Adware – TornPlusTV_version1.11 Removal Guide

Hi there. Today I wanted to talk about an adware named TornPlusTV or TornPlusTV_version1.11 and thought I should give you some removal instructions. TornPlusTV_version1.11 appears to be a variant of CrossRider that I’ve blogged about before.

If TornPlusTV is installed on your system, you will find the new TornPlusTV add-ons installed in Firefox and Internet Explorer, TornPlusTV_version1.11-bg.exe running in the Windows Task Manager and many new scheduled tasks installed. The Chrome browser seems to stay unaffected. I’ll show how to remove TornPlusTV_version1.11 in this blog post with the FreeFixer removal tool.

Here’s the TornPlusTV add-on in Internet Explorer:

And the TornPlusTV_version1.11 add-on in Firefox:

You might also spot the TornPlusTV_version1.11-bg.exe in the Task Manager:

When I mess around with some new software I always upload it to VirusTotal to verify if the anti-malware programs there find something. Of the 55 scanners, 15 detected the file. The TornPlusTV_version1.11 files are detected as DLOADER.Trojan by DrWeb, W32/A-ee826839!Eldorado by F-Prot, Gen:Application.Heur.Ky9@ky9OVaii by F-Secure and Crossrider (fs) by VIPRE.

The files are digitally signed by Arod Group (BrightCircle Investments Limited). The certificate is quite new; it’s valid from the 17th of November 2014.

I’m sure you’d like to remove TornPlusTV_version1.11, and that’s pretty easy with FreeFixer. Select the TornPlusTV_version1.11 items, as shown in the screenshots below, click Fix, and reboot your machine and the problem should be gone.

The TornTVPlus process:

And the DLL loaded into Internet Explorer:

The scheduled tasks for TornPlusTV:

And last, the add-ons in Internet Explorer and Firefox:

Hope this helped you solve the TornPlusTV_version1.11 problem.

Do you also have TornPlusTV_version1.11 on your machine? Any idea how it installed? Please share your story in the comments below. Thank you!

Thanks for reading!

Update 2014-11-26: Now the files are signed by Aussie Labs (BrightCircle Investments Limited).

Update 2014-12-04: Now the files are signed by “BadFinger Project (BrightCircle Investments Limited)”.

Update 2014-12-19: Files now signed by Armageddon Labs (BrightCircle Investments Limited).

Update 2015-01-15: The files are now digitally signed by Berta Dress Apps (Bright Circle Investments Ltd).

Update 2015-01-20: Now they are signed by Selecao Technologies (Bright Circle Investments Ltd).

Remove HQ-Video-Pro-2.1cV02.11 Ads

Hello readers. Hope you are doing ok. Did you just spot something called HQ-Video-Pro-2.1cV02.11 on your system? HQ-Video-Pro-2.1cV02.11 appears to be a variant of CrossRider that I’ve written about before. If the HQ-Video-Pro-2.1cV02.11 adware is installed on your machine, you will notice ads labeled Visual Search Results and Powered by HQ-Video-Pro-2.1cV02.11 in Google’s search results. I’ll show how to remove HQ-Video-Pro-2.1cV02.11 in this blog post with the FreeFixer removal tool.

Here it is in Firefox’s add-on menu:

HQ-Video-Pro-2.1cV02.11 is distributed by a tactic called bundling. Bundling means that a piece of software is included in other software’s installers. When I first found HQ-Video-Pro-2.1cV02.11, it was bundled with a piece of software called FastPlayer.

Generally, you can avoid bundled software such as HQ-Video-Pro-2.1cV02.11 by being careful when installing software and declining the bundled offers in the installer.

When I find some new bundled software I always upload it to VirusTotal to verify if the anti-malware software there detects anything suspicious. The detection rate is 7/54. Some of the detection names for HQ-Video-Pro-2.1cV02.11 are Trojan.NSIS.GoogUpdate.dt, PUP.Optional.HQVideo.A and Crossrider (fs). The files are signed by “Radon Battery Technologies”.

Removing HQ-Video-Pro-2.1cV02.11 is pretty easy with FreeFixer. Here’s the screen capture that should help you along the way. You might have to restart your machine to complete the removal.

Hope that helped you to figure out how to do the removal.

Any idea how HQ-Video-Pro-2.1cV02.11 was installed on your computer? Please let me and the readers know by posting a comment. Thanks!

Hope you found this useful and thank you for reading.

Update 2014-11-04: Today another variant was released called HQ-Video-Pro-2.1cV03.11. I guess we will see more variants where just the version number is increased:

  • HQ-Video-Pro-2.1cV04.11 (Yeah, found 5th Nov 2014)
  • HQ-Video-Pro-2.1cV05.11 (Found on the 6th of November)
  • HQ-Video-Pro-2.1cV06.11
  • HQ-Video-Pro-2.1cV07.11 (Found 13th of November)
  • HQ-Video-Pro-2.1cV08.11
  • HQ-Video-Pro-2.1cV09.11
  • HQ-Video-Pro-2.1cV10.11 (Found 13th of November)
  • HQ-Video-Pro-2.1cV11.11
  • HQ-Video-Pro-2.1cV12.11
  • HQ-Video-Pro-2.1cV13.11
  • HQ-Video-Pro-2.1cV14.11 (Found 15th of Nov)
  • HQ-Video-Pro-2.1cV15.11 (Found 16th of Nov)
  • HQ-Video-Pro-2.1cV16.11 (Found 16th Nov)
  • HQ-Video-Pro-2.1cV17.11 (Found 17th Nov)
  • HQ-Video-Pro-2.1cV18.11 (Found 19th Nov)
  • HQ-Video-Pro-2.1cV19.11 (Found 20th Nov)
  • HQ-Video-Pro-2.1cV20.11
  • HQ-Video-Pro-2.1cV21.11
  • HQ-Video-Pro-2.1cV22.11
  • HQ-Video-Pro-2.1cV23.11 (Found 23 Nov)
  • HQ-Video-Pro-2.1cV24.11 (Found 24 Nov)
  • HQ-Video-Pro-2.1cV25.11
  • HQ-Video-Pro-2.1cV26.11
  • HQ-Video-Pro-2.1cV27.11
  • HQ-Video-Pro-2.1cV28.11 (Found 28 Nov)
  • HQ-Video-Pro-2.1cV29.11
  • HQ-Video-Pro-2.1cV30.11

Update 2014-11-13: Now the files are signed by Space Battleship Creative. They seem to be located in Nicosia, Cyprus.

Update 2014-11-19: Now the files are signed by Winston Project.

Update 2014-12-02: New naming convention:

  • HQ-Video-Pro-2.1cV01.12
  • HQ-Video-Pro-2.1cV02.12
  • HQ-Video-Pro-2.1cV03.12
  • HQ-Video-Pro-2.1cV04.12
  • HQ-Video-Pro-2.1cV05.12
  • HQ-Video-Pro-2.1cV06.12
  • HQ-Video-Pro-2.1cV07.12
  • HQ-Video-Pro-2.1cV08.12
  • HQ-Video-Pro-2.1cV09.12 (Found 9 Dec 2014)
  • HQ-Video-Pro-2.1cV10.12
  • HQ-Video-Pro-2.1cV11.12
  • HQ-Video-Pro-2.1cV12.12
  • HQ-Video-Pro-2.1cV13.12
  • HQ-Video-Pro-2.1cV14.12
  • HQ-Video-Pro-2.1cV15.12
  • HQ-Video-Pro-2.1cV16.12
  • HQ-Video-Pro-2.1cV17.12
  • HQ-Video-Pro-2.1cV18.12
  • HQ-Video-Pro-2.1cV19.12
  • HQ-Video-Pro-2.1cV20.12
  • HQ-Video-Pro-2.1cV21.12
  • HQ-Video-Pro-2.1cV22.12
  • HQ-Video-Pro-2.1cV23.12
  • HQ-Video-Pro-2.1cV24.12
  • HQ-Video-Pro-2.1cV25.12
  • HQ-Video-Pro-2.1cV26.12
  • HQ-Video-Pro-2.1cV27.12

Remove videosMediaPlayersversion2.1 and videosMediaPlayersv2.2 Ads

Hello guys and gals. I just found another bundled adware named videosMediaPlayersversion2.1 and videosMediaPlayersv2.2 and thought I should give you some removal instructions. videosMediaPlayersversion2.1 and videosMediaPlayersv2.2 seem to be a variant of CrossRider that I wrote about previously. If the videosMediaPlayersversion2.1 and videosMediaPlayerv2.2 adware is running on your machine, you will find new add-ons called videosMediaPlayers installed in Firefox and Internet Explorer. I’ll show how to remove videosMediaPlayersversion2.1 and videosMediaPlayersv2.2 in this blog post with the FreeFixer removal tool in case the removal from the Control Panel fails.

videosMediaPlayersversion2.1 and videosMediaPlayerv2.2 is distributed by a tactic called bundling. Bundling means that a piece of software is included in other software’s installers. I found these two programs bundled with a download called FastPlayer.

Following the standard procedure when I test some new bundled software I uploaded it to VirusTotal to check if the anti-virus programs there find anything suspicious. 13% of the scanners detected the file. Kaspersky names videosMediaPlayersversion2.1 and videosMediaPlayervs2.2 as Trojan.NSIS.GoogUpdate.dp, Malwarebytes reports PUP.Optional.VideosMediaPlayer.A and VIPRE detects it as Crossrider (fs). The file was digitally signed by Railroad Party Apps.

According to the certificate, Railroad Party Apps is located in the city of Nicosia on Cyprus.

Removing videosMediaPlayersversion2.1 and videosMediaPlayerv2.2 is pretty easy with FreeFixer. Here’s a few screen dumps from the removal that should help you. All files are located under the “videosMediaPlayers..” folder. You may have to restart your machine to complete the removal.

Hope that helped you to figure out how to do the removal.

Did you also find videosMediaPlayersversion2.1 and videosMediaPlayerv2.2 on your system? Any idea how it installed? Please share your story in the comments below. Thanks!

Hope you found this useful and thank you for reading.

How To Remove BrowsersApp_Pro_v1.1

Hello there and welcome to the FreeFixer blog. Just a quick post on the BrowsersApp_Pro_v1.1 adware. This appears to be a variant of CrossRider that I’ve previously written about. If the BrowsersApp_Pro_v1.1 adware is installed on your computer, you will find ads labeled Ad by BrowsersApp_Pro_v1.1 while browsing the web, new add-ons added in your web browsers and new files, digitally signed by Numlock Apps, on the hard-drive. I’ll show how to remove BrowsersApp_Pro_v1.1 in this blog post with the FreeFixer removal tool.


BrowsersApp_Pro_v1.1 is bundled with other software. Bundled means that it is included in another software’s installer.

Generally, you can avoid bundled software such as BrowsersApp_Pro_v1.1 by being careful when installing software and declining the bundled offers in the installer.

When I play around with some new bundled software I always upload it to VirusTotal to check if the anti-malware scanners there find anything suspicious. 6 of the 54 scanners detected the file. The BrowsersApp_Pro_v1.1 files are detected as PUP/Win32.CrossRider by AhnLab-V3, PUP.Optional.BrowserApp.A by Malwarebytes and Crossrider (fs) by VIPRE.


Since you probably want to remove BrowsersApp_Pro_v1.1, these are the files you should check for removal if you want to remove it with FreeFixer. A restart of your computer might be required to complete the removal.


Hope this helped you remove the BrowsersApp_Pro_v1.1 adware.

Did you also find BrowsersApp_Pro_v1.1 on your computer? Any idea how it was installed? Please let me and the readers know by posting a comment. Thank you!

Thanks for reading. Welcome back!

Update 2014-11-05: The BrowsersApp_Pro_v1.1 adware is still distributed through bundling. The files are now signed by Railroad Party Apps as you can see in the screenshot below. The Railroad Party Apps company appears to be located in Nicosia, Cyprus.

“Ads by Sense” – Sense Adware Removal Instructions

Hello readers. Another day, another blog post. As usual I was looking around on the Internet to see what is being bundled with some software downloads. This time I found something called Sense. This appears to be a variant of CrossRider that I’ve previously written about.

If the Sense adware is installed on your computer, you will find banners labeled “Ads by Sense”, “Ad by Sense1”, green links added to web pages, saying “Click to Continue -> by Sense”, new add-ons added into Internet Explorer and Firefox and new processes running in the Task Manager. You’ll also see some files on your hard-drive that are digitally signed by Krance Development. I’ll show how to remove Sense in this blog post with the FreeFixer removal tool.

Sense is bundled with other software. Bundled means that it is included in another software’s installer. When I first found Sense, it was bundled with a piece of software called Free Download Manager.

As usual when I find some new bundled software I uploaded it to VirusTotal to test if the anti-viruses there find anything suspicious. CrossRider seems to be the common detection name.


The file is digitally signed by a company called Krance Development.

Removing Sense is straightforward with FreeFixer. Just select the Sense files for removal and then click the Fix button and the problem will be solved.


Hope that helped you with the removal.

Any idea how Sense was installed on your system? Please let me and the readers know by posting a comment. Thanks!

Thank you for reading.

Update 5 November 2014: The Sense adware is still being distributed. Now the files are signed by Porter Studio Plus as you can see in the screenshot from the Digital Signatures tab for the Sense-bg.exe file. According to the information in the certificate, Porter Studio Plus is located in Nicosia, Cyprus.

Update 7 Nov 2014: Now the files are signed by Sara Kodama Project. They seem to change the certificate quite often.

Update 2014-11-19: Now the files are signed by Tita-nium Great Minds. They are located in Nicosia, Cyprus.

Remove Videos+Media+Players – Adware Removal Instructions

Did you just spot something called Videos+Media+Players on your machine or in your browsers?


No problem, you can remove it with the freeware tool FreeFixer. Just select the Videos+Media+Players files for removal in FreeFixer and click the Fix button. Problem solved.


Did you also find Videos+Media+Players on your machine? Any idea how it was installed?

Update 2014-11-17: Found a new variant called “VideoMedia+Player_v2.3”. Do you think there will be variants called VideoMedia+Player_v2.4 and VideoMedia+Player_v2.5 coming soon? If you have this variant you may see ads labeled “Powered by VideoMedia+Player_v2.3”.

Update 2014-11-19: Now the files are digitally signed by Xenon Play Center.

iWeBar – Removal Instruction

Just a quick update. I’ve just uploaded a small removal tutorial for the iWeBar software.

If you have the iWeBar installed on your machine, you’ll probably see iWebar-bg.exe running in the Windows Task Manager and ads labeled “Powered by iwebar” in Chrome, Firefox and Internet Explorer.

There’s also a bunch of other iWeBar files that will be run by the Windows Task Scheduler that appear in FreeFixer’s scan result.

  • iWebar-bho.dll
  • iWebar-chromeinstaller.exe
  • iWebar-codedownloader.exe
  • iWebar-enabler.exe
  • iWebar-firefoxinstaller.exe
  • iWebar-updater.exe
  • iwebar.exe

Here’s the video:

Update 5th November: The iWebar adware is still distributed. Now the iWebar files are digitally signed by Gogo Network Club. According to the embedded certificate Gogo Network Club is located in Nicosia, Cyprus.
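An added example, not part of the original posts and not how FreeFixer works: the file names in these posts share a `<product>-<component>` shape (`-bg.exe`, `-bho.dll`, `-updater.exe` and so on) while the signer name keeps changing, so this triage groups an inventory by product prefix and treats the signer names reported on this page only as a secondary signal. The record format (path plus signer display name), the function names and the sample rows are assumptions.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Component suffixes seen in the file names on this page.
COMPONENTS = {"bg.exe", "bho.dll", "chromeinstaller.exe", "codedownloader.exe",
              "enabler.exe", "firefoxinstaller.exe", "updater.exe"}
# Signer names reported on this page. They rotate often, so this is a weak signal.
SIGNERS = {s.lower() for s in (
    "Arod Group", "Aussie Labs", "BadFinger Project", "Armageddon Labs",
    "Berta Dress Apps", "Selecao Technologies", "Radon Battery Technologies",
    "Space Battleship Creative", "Winston Project", "Railroad Party Apps",
    "Numlock Apps", "Krance Development", "Porter Studio Plus",
    "Sara Kodama Project", "Tita-nium Great Minds", "Xenon Play Center",
    "Gogo Network Club")}
NAME_RE = re.compile(r"^(?P<product>.+)-(?P<component>[a-z]+\.(?:exe|dll))$", re.I)

def split_component(path):
    """Return (product, component) for names shaped <product>-<component>, else None."""
    m = NAME_RE.match(PureWindowsPath(path).name)
    if m and m["component"].lower() in COMPONENTS:
        return m["product"].lower(), m["component"].lower()
    return None

def triage(records, min_components=2):
    """records: (path, signer_name) pairs. Flag a product prefix when it has
    several known components or any file signed by a listed signer."""
    seen = defaultdict(lambda: {"components": set(), "signers": set()})
    for path, signer in records:
        hit = split_component(path)
        if hit:
            seen[hit[0]]["components"].add(hit[1])
            seen[hit[0]]["signers"].add((signer or "").lower())
    flagged = {}
    for product, info in seen.items():
        known = bool(info["signers"] & SIGNERS)
        if known or len(info["components"]) >= min_components:
            flagged[product] = {**info, "known_signer": known}
    return flagged

# Constructed sample inventory (folders, ExampleAd, Vendor and their signers are made up).
SAMPLE = [
    (r"C:\Program Files\iWebar\iWebar-bg.exe", "Gogo Network Club"),
    (r"C:\Program Files\iWebar\iWebar-bho.dll", "Gogo Network Club"),
    (r"C:\Program Files\ExampleAd\ExampleAd-bg.exe", "Unlisted Signer Ltd"),
    (r"C:\Program Files\ExampleAd\ExampleAd-updater.exe", "Unlisted Signer Ltd"),
    (r"C:\Program Files\Vendor\vendor-updater.exe", "Example Vendor Inc"),
]

if __name__ == "__main__":
    for product, info in triage(SAMPLE).items():
        print(product, sorted(info["components"]), "known signer:", info["known_signer"])
```

The constructed ExampleAd rows are flagged on file-name structure alone even though their signer is not on the list, while the lone `vendor-updater.exe` is not flagged.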


Powered by Object Browser and Brought by Object Browser Ads and Coupons – How To Remove

Are you getting ads labeled “Powered by Object Browser” or “Brought by Object Browser” while browsing sites such as BestBuy, E-Bay, Walmart or Amazon?

If so, you have the ObjectBrowser adware installed on your machine. Here’s a tutorial on how to remove Object Browser:

Update 2014-11-13: Now the Object Browser files are digitally signed by “Sara Kodama Project”.

Update 2014-11-19: Now the files are signed by Tita-nium Great Minds. Titanium is also located in Nicosia, Cyprus.

Update 2014-12-19: Now the files are signed by Armageddon Labs (BrightCircle Investments Limited).