Wednesday 30 January 2013

Remove the "Ads not by this site" Browser Hijacker

If your web browser suddenly behaves in an undesirable way, for example, you see ads on websites that normally do not serve them, then your computer may have been infected with either malicious software or a potentially unwanted application. For instance, if you get annoying banners that say "Ads not by this site" underneath them, then I bet your web browser has been hijacked by a malicious browser helper object (BHO). A BHO isn't technically malware. In fact, there are many useful browser helper objects, and you can even create one yourself if you wish to extend a web browser's features. That's why antivirus programs, with maybe a few rare exceptions, usually do not detect malicious web browser extensions or BHOs. Therefore cyber criminals create malicious extensions and use them to promote their own websites or abuse ad networks and steal money from them. The scheme might indeed be very profitable. Take a look at this one:



An advertisement displayed on the Yahoo! front page leads to a 'work at home' scam page. Even though it mentions Google, the ad redirects users to a rogue website. I'm sure ads on the Yahoo! front page are very expensive even if they are served for a short period of time. However, apparently cyber criminals decided to invest money into malicious web browser extensions instead of spending it on expensive ads.

Here's another example: "Ads not by this site" ads push Google search results and paid ads below the fold. They even use the same colors and text size to mislead users into thinking that these are Google ads. Since most users use and trust the Google search engine, I truly believe that the click-through rate is fairly high.



I saved the best example for last. Here it is, an ad displayed on Google search front page, claiming that you are missing a plug-in. No comment needed :)



Web browser extensions that inject "Ads not by this site" advertisements are very often distributed through various deceptive practices. BHOs can take the form of browser toolbars, but from what I've seen so far they just take over your web browser homepage and default search engine. Such malicious extensions, or so-called web browser hijackers, come bundled with other software. There's even a term, foistware, which is used to describe software that is installed on your computer without your knowledge. Cyber criminals use silent and delayed installers as well as Trojan downloaders to install malicious software on your computer. Besides, even if they add checkboxes and ostensibly allow you to skip toolbar installation, there are many not so technically savvy users who do not understand that a "recommended" toolbar isn't that great after all, or that it will even inject ads on websites that do not serve them, for example Wikipedia.

Cyber criminals simply want to turn visitors into customers. They could even serve malicious ads that might lead to infected websites and exploit kits. So, it's not only unethical but also very dangerous. That's why I highly recommend that you remove malicious web browser extensions and BHOs that cause "Ads not by this site" banners to show up on your computer screen. There are numerous programs and extensions associated with "Ads not by this site". I listed them below and I promise to update the list whenever I find something new. In short, remove all recently installed applications and web browser extensions, or those that were installed without your knowledge. Some of them may be protected; the Remove button is simply grayed out. In such a case, uninstall the application that installed the malicious web browser extension. For example, CouponDropDown, I want This!, BCool App, SaveAs, Vid Saver, Save Now 3.5 or Coupon Companion. Find the complete list below. This web page contains a step-by-step guide on how to remove the "Ads not by this site" virus from Internet Explorer, Mozilla Firefox, Google Chrome and Apple Safari.

And finally, to avoid web browser hijacking, use real-time anti-malware software and don't give unknown websites permission to install such toolbars and extensions as "Ads not by this site". Post your comment or question below. Good luck and be safe online!


Remove Ads not by this site associated applications:

1. First of all, download recommended anti-malware software and run a full system scan. It will detect and remove this infection from your computer. You may then follow the manual removal instructions below to remove the leftover traces of this browser hijacker. Hopefully you won't have to do that.





2. Remove "Ads not by this site" from your computer using the Add/Remove Programs control panel (Windows XP) or Uninstall a program control panel (Windows 7 and Windows 8).

Go to the Start Menu. Select Control Panel → Add/Remove Programs.
If you are using Windows Vista or Windows 7, select Control Panel → Uninstall a Program.



If you are using Windows 8, simply drag your mouse pointer to the right edge of the screen, select Search from the list and search for "control panel".



Or you can right-click on the bottom left hot corner (formerly known as the Start button) and select Control Panel from there.



3. When the Add/Remove Programs or the Uninstall a Program screen is displayed, scroll through the list of currently installed programs and remove the following entries (if they exist):
  • 1 Click Downloader
  • Best Youtube Downloader 1.0.26
  • BeCool
  • Better Links
  • Bflix1.0
  • Browser Enhancements 1.0
  • Click 2 Save
  • CodecC
  • CodecM
  • Coupon Dropdown
  • Coupon Companion
  • Deals Plugin
  • Download Help
  • Extension
  • Facebook Dislike
  • Facetheme
  • Fantapper
  • Fast save
  • Freemind
  • Game Play Labs
  • I-livid
  • Installation Assistant 1.20.12
  • I Want This
  • Iminent
  • Installed Class
  • With Java plug-ins
  • Jlmp3
  • Media Plugin
  • Pando Media Enhancer
  • Premiumplay Codec
  • Privacy SafeGuard
  • Protector by IB
  • Rewardsarcade
  • SaveAs
  • Save-It
  • Adobe Flash Player 11 activeX
  • Search-newTab
  • TheBflix5.0
  • TheBflix Class
  • VDownloader
  • Vid-Saver
  • Video File Download
  • Vuze
  • Widgi
  • Windows Live mesh activeX
  • Yontoo
  • YouTube Plus
  • ZoomEx
  • ZoomIt


Simply select each application and click Remove. If you are using Windows Vista, Windows 7 or Windows 8, click Uninstall up near the top of that window. When you're done, please close the Control Panel screen.


Remove Ads not by this site from Google Chrome:

1. Click on the Chrome menu button. Go to Tools → Extensions.



2. Click on the trashcan icon and remove the extensions listed above if they are present:



Once you have found and removed all of the above extensions that were installed on your computer, you can close Google Chrome. Please note that some extensions might be locked (the remove option is disabled). In such a case, you have to remove those extensions manually. Enable Developer Mode to find the extension's name, then go to the Google Chrome extension folder and delete it. The Google Chrome extension folder is located in the following directory:

Windows 7 → C:\Users\[UserName]\AppData\Local\Google\Chrome\User Data\Default\Extensions

Windows XP → C:\Documents and Settings\[UserName]\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions
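To see which folder belongs to which extension before deleting anything, the following added example (not part of the original guide) walks an Extensions folder and reads each manifest.json. The watchlist is a subset of the program names listed above, and the sample folder with its two extension IDs is constructed so the script runs offline.

```python
import json
import re
import tempfile
from pathlib import Path

# Subset of the program names listed in this guide.
WATCHLIST = ["Yontoo", "Coupon Companion", "Coupon Dropdown", "I Want This",
             "SaveAs", "Vid-Saver", "BeCool", "Deals Plugin", "Widgi"]


def _norm(text):
    """Lower-case and drop spaces/punctuation so 'Vid-Saver' == 'Vid Saver'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def resolve_name(version_dir, manifest):
    """Return the display name, resolving a localized __MSG_key__ placeholder."""
    name = str(manifest.get("name", ""))
    placeholder = re.fullmatch(r"__MSG_(.+)__", name)
    if not placeholder:
        return name
    locale = manifest.get("default_locale", "en")
    messages_file = Path(version_dir) / "_locales" / locale / "messages.json"
    try:
        messages = json.loads(messages_file.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return name  # keep the placeholder visible rather than guess
    for key, entry in messages.items():  # message keys are case-insensitive
        if key.lower() == placeholder.group(1).lower():
            return entry.get("message", name)
    return name


def inventory(extensions_dir):
    """Return [(extension_id, version, name, needs_review)] for every install."""
    watch = [_norm(w) for w in WATCHLIST]
    rows = []
    for ext_dir in sorted(p for p in Path(extensions_dir).iterdir() if p.is_dir()):
        for version_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            manifest_file = version_dir / "manifest.json"
            if not manifest_file.is_file():
                continue
            try:
                manifest = json.loads(manifest_file.read_text(encoding="utf-8-sig"))
                name = resolve_name(version_dir, manifest)
                review = any(w in _norm(name) for w in watch)
            except (ValueError, AttributeError):
                # A manifest that cannot be parsed is itself worth a look.
                name, review = "<unreadable manifest>", True
            rows.append((ext_dir.name, version_dir.name, name, review))
    return rows


def build_sample(root):
    """Create a constructed Extensions folder with two made-up extensions."""
    root = Path(root)
    hijacker = root / ("a" * 32) / "1.0.3_0"
    (hijacker / "_locales" / "en").mkdir(parents=True)
    (hijacker / "manifest.json").write_text(json.dumps(
        {"name": "__MSG_extName__", "version": "1.0.3", "default_locale": "en"}))
    (hijacker / "_locales" / "en" / "messages.json").write_text(json.dumps(
        {"extname": {"message": "Yontoo"}}))
    benign = root / ("b" * 32) / "2.1_0"
    benign.mkdir(parents=True)
    (benign / "manifest.json").write_text(json.dumps(
        {"name": "Example Notes", "version": "2.1"}))
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, version, name, review in inventory(build_sample(tmp)):
            flag = "REVIEW" if review else "ok"
            print(f"{flag:6} {ext_id}  {version:8} {name}")
```

On a real machine, pass one of the Extensions paths above to `inventory()` instead of the sample folder.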


Remove Ads not by this site from Mozilla Firefox:

1. Open Mozilla Firefox. Go to Tools → Add-ons.



2. Select Extensions. If any of the extensions listed above exist, click on the Remove button next to each one. If you can't find the Remove button, then simply click on the Disable button.



Once you have found and removed all of the above extensions that were installed on your computer, you can close Mozilla Firefox. Disabling a web browser extension might also help; however, it still exists on your PC. Some extensions might be blocked or only have an option to disable them. In such a case, I recommend that you delete the extensions manually.


Remove Ads not by this site from Internet Explorer:

1. Open Internet Explorer. Go to Tools → Manage Add-ons. If you have the latest version, simply click on the Settings button.



2. Select Toolbars and Extensions. If any of the extensions listed above exist, select it and then click on the Remove/Disable button to remove it from Internet Explorer.

Once you have removed/disabled all of the above extensions (if any existed), you can close Internet Explorer.




Remove Ads not by this site from Apple Safari:

1. Open Safari. Go to Preferences.



2. Select the Extensions tab. If any of the extensions listed above exist, select it and then click on the Uninstall button to remove it from Apple Safari.



Once you have removed all of the above extensions (if any existed), you can close Apple Safari.


Saturday 26 January 2013

Remove Smart Security (Uninstall Guide)

Smart Security is a rogue anti-malware program (generically referred to as a virus) that may wreak havoc on your computer. Once installed, it blocks legitimate security software and most of the Windows utilities that can be really helpful when your computer gets infected. It's a new variant of an old scam, a rather clever one. This 'lovely' little piece of malware suddenly pops up on your computer screen and purposely displays completely bogus infection warnings and balloon notifications claiming that your computer is completely riddled with viruses. Needless to say, your computer is not infected with W32/Blaster.worm and 20+ other widely spread or already forgotten malware. The only problem is Smart Security 2013 and nothing else, unless it came bundled with some other malicious software, for example rootkits and even password stealing Trojan horses. In such a case, you will have to rely on your antivirus program and hope that it will detect all strains of the infection.



When running, Smart Security - designed to protect, pretends to scan your computer for malicious software. PRETENDS, it doesn't actually scan your computer. Nothing new really, just a very, very typical approach to scare you into thinking that your machine is indeed infected with malware, spyware, adware and who knows what else. When the scan is complete, the rogue application displays a scary notification saying that you should buy a 'full' version of this program to remove the found malware from your computer. It costs around $100. Pricey as hell, isn't it? You can get top-notch antivirus protection for as low as $50 per year. So, do not follow the on-screen Smart Security instructions and do not attempt to remove the so-called infections manually. Otherwise, you can seriously mess up your computer because this nasty little piece of malware is clever enough to flag genuine Windows files as malware.

Smart Security is 'drive-by' malware; it's downloaded secretly to your web browser after visiting an infected website. Cyber criminals use exploit kits to distribute this malware. They infect websites and simply wait for visitors who do not update their software, especially Java and Adobe Flash. Any website could host Smart Security malware code, not just rogue ones as we used to think. Cyber criminals also use fake online virus scanners and sometimes rely on social engineering.

Smart Security can be easy to remove in some cases or extremely difficult. Usually, it blocks pretty much everything on your computer and displays the following warning:
[program] can not start
File [program] is infected by W32/Blaster.worm. Please activate Smart Security to protect your computer.
It blocks malware removal software, Task Manager, web browsers, Windows registry editor and other system utilities. Many people panic and buy a full version of Smart Security virus just to make the problem go away. But it doesn't go away; it only gets worse. Malware stays active and you may expect more demands for payment very soon.

Please follow the removal instructions below to remove Smart Security and associated malware from your computer. If you have something to say about this malware or you need help removing it, please post comments and questions below. Good luck and be safe online!


Manual activation and Smart Security malware removal:

1. Choose to remove the supposedly found infections and manually activate the rogue security program. Enter one of the following codes and a fake email address to activate Smart Security.

Y86REW-T75FD5-U9VBF4A 

Y76REW-T65FD5-U7VBF5A

Y86REW-T75FD5-9VB4A

2. Then download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove Smart Security from your computer.


Smart Security removal instructions in Safe Mode with Networking:

1. Please reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key.


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Open Internet Explorer and download TDSSKiller. Run the utility and click Start Scan to run an anti-rootkit scan.

3. Then download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove the rogue security program from your computer.


Manual Smart Security removal instructions:

1. Right click on the Smart Security icon, click Properties in the drop-down menu, then click the Shortcut tab. In the Target box there is a path to the malicious file. Please na

NOTE: by default, Application Data folder is hidden. Malware files are hidden as well. To see hidden files and folders, please read Show Hidden Files and Folders in Windows.

Under the Hidden files and folders section, click Show hidden files and folders, and remove the checkmark from the checkbox labeled:

- Hide extensions for known file types
- Hide protected operating system files

Click OK to save the changes. Now you will be able to see all files and folders in the Application Data/Program Data directory.

2. Rename the malicious process.

File location, Windows XP:
C:\Documents and Settings\All Users\Application Data\smart.exe

File location, Windows Vista/7:
C:\ProgramData\smart.exe



Rename smart to virus or whatever you like. Example:



3. Restart your computer. The malware should be inactive after the restart.

4. Open Internet Explorer and download TDSSKiller. This malware usually (but not always) comes bundled with the TDSS rootkit. Removing this rootkit from your computer (if it exists) is very important. Run TDSSKiller and remove the rootkit.



5. Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove Smart Security virus from your computer. That's it!


Smart Security associated files and registry values:

Files:
  • C:\ProgramData\smart.exe (Win Vista/7)
  • C:\Documents and Settings\All Users\Application Data\smart.exe (Win XP)
Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Smart Security"

Friday 25 January 2013

Remove Snap.do

A concerned reader asks: 'Snap.do has hijacked my web browser. Is it safe? How do I get rid of it?' Here's what you need to know about this so-called Snap.do hijacker malware.

Snap.do is a browser helper object. Authors of this web browser plug-in say that they want to enhance your web browser and simplify the way you search the web, share favorite information, work or even play. Sounds good, right? It seems that they really care and want to help you. But hold your horses, Jack! :) Things are often not what they seem to be, and that's particularly true for the snap.do web browser hijacker. It comes with a cost and the main question is: are you willing to pay the price?



First of all, snap.do and some other Resoft products are considered to be potentially harmful or even malicious, not to mention how annoying they can be. For example, TrendMicro, an antivirus company, classifies the snap.do toolbar as spyware and a web browser hijacker, and they have a good reason for that. According to the Resoft privacy policy, their products, including snap.do, collect the following information:
1. The Internet domain and IP address from which you access the Resoft Products;
2. Screen resolution of your monitor;
3. The date and time you access the Resoft Products;
4. The page you are visiting with the Resoft Products
5. If you linked to a Resoft website from another referring website, the address of that website.
By using the Resoft Products, you are consenting to have your personal data transferred to and processed both within and without the United States of America
Typically, snap.do installs itself as a web browser toolbar (BHO) but it may be installed with additional functionalities as well. This browser helper object can be downloaded from its official website and may also arrive bundled with other software, usually freeware. We haven't seen any questionable routines or drive-by downloads that might be related to malicious software and snap.do. What's interesting, though, is that installers downloaded from free video streaming sites and other shady or rogue websites are very aggressive, and even if users made sure that the check boxes asking to install add-ons were disabled, the snap.do virus was still installed on their computers.

Snap.do works on all major web browsers: Google Chrome, Mozilla Firefox and Internet Explorer. It doesn't work on Windows XP. The installer simply fails to initialize properly. So, XP users are safe. Once installed, the Snap.do hijacker modifies various web browser settings. It changes the home page to http://feed.helperbar.com and adds an additional search engine provider which redirects users to http://search.snap.do. Each time the user opens a new tab, the web browser goes to http://search.snap.do instead of a blank page, Google or any other website of your choice.

Snap.do removal can be a really challenging task, especially when it comes bundled with other software. The snap.do authors assure users that it can be uninstalled from a computer very easily, using the program's own normal uninstallation process, but that's not quite true. It leaves behind many modified web browser settings and Windows registry keys, and you can't ignore them because they simply change the way you use your web browser. For example, even if you removed Snap.do via Control Panel, the modified search engine settings remain untouched. As a result, searching directly from the web browser address bar returns results from http://search.snap.do rather than Google. By the way, the plug-in modifies the Windows registry and enables its automatic execution at every system start-up. What is more, a snap.do infection may cause your web browser to stop working.

To remove snap.do from your computer, please follow the removal instructions below. They will show you how to remove this browser hijacker in Mozilla Firefox, Google Chrome and Internet Explorer. Make sure to uninstall snap.do via Control Panel first and only then proceed to the next steps, unless of course it's not listed there. Have you been hijacked by Snap.do? Post your comment or question below. Good luck and be safe online!


Snap.do removal instructions:

1. First of all, download recommended anti-malware software and run a full system scan. It will detect and remove this infection from your computer. You may then follow the manual removal instructions below to remove the leftover traces of this browser hijacker. Hopefully you won't have to do that.





2. Go to the Start Menu. Select Control Panel → Uninstall a Program.





3. Search for Snap.do in the list. Select the program and click the Uninstall button to uninstall it.



It will prompt you to close all web browsers before uninstalling Snap.do. Please click Yes to continue.

Then, it will ask you if you want to change your home page and default search provider to the old settings. Please click Yes.


Remove Snap.do in Google Chrome:

1. Click on the Customize and control Google Chrome icon. Go to Tools → Settings.



2. Click Set pages under On startup.


Remove feed.snap.do by clicking the "X" mark as shown in the image below.



3. Click Show Home button under Appearance. Then click Change.



Enter http://www.google.com instead of feed.snap.do and click OK to save changes.



4. Click the Manage search engines button under Search.



Select Google or any other search engine you like from the list and make it your default search engine provider.



Select Web (search.snap.do) from the list and remove it by clicking the "X" mark as shown in the image below.



That's it!


Remove Snap.do in Mozilla Firefox:

1. Open Mozilla Firefox. Go to Tools → Add-ons.



2. Select Extensions. Remove the Snap.do extension. Close the window.



3. Click on the Snap.do search icon as shown in the image below and select Manage Search Engines....



4. Choose Web Search (Snap.do) from the list and click Remove to remove it. Click OK to save changes.



5. Go to Tools → Options. Under the General tab, reset the startup homepage or change it to google.com, etc.



6. In the URL address bar, type about:config and hit Enter.



Click I'll be careful, I promise! to continue.



In the filter at the top, type: snap.do



Now, you should see all the preferences that were changed by the Snap.do extension. Right-click on each preference and select Reset to restore the default value. Reset all found preferences!



That's it!
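The preferences that about:config shows as modified are stored in the prefs.js file in the Firefox profile folder, so the same check can be run on a copy of that file. The following is an added example, not part of the original guide; the indicator domains are the ones named in this article and the sample prefs.js content is constructed.

```python
import json
import re

# Domains named in this article for the Snap.do hijacker.
INDICATORS = ("snap.do", "helperbar.com")

# prefs.js holds one preference per line: user_pref("name", value);
USER_PREF = re.compile(
    r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.*?)\s*\);\s*$')

# Constructed sample; the values are made up for illustration.
SAMPLE_PREFS = r'''# Mozilla User Preferences
user_pref("browser.download.dir", "C:\\Users\\example\\Downloads");
user_pref("browser.newtab.url", "http://search.snap.do/?q=");
user_pref("browser.startup.homepage", "http://feed.helperbar.com/?src=constructed");
user_pref("browser.startup.page", 1);
user_pref("keyword.URL", "http://search.snap.do/?q=");
'''


def parse_prefs(text):
    """Return {name: value} for every user_pref line in prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        match = USER_PREF.match(line)
        if not match:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = match.groups()
        try:
            value = json.loads(raw)  # strings, integers, true/false
        except ValueError:
            value = raw  # keep the raw text so it can still be searched
        prefs[name] = value
    return prefs


def hijacked_prefs(text, indicators=INDICATORS):
    """Return [(name, value, indicator)] for prefs mentioning an indicator."""
    hits = []
    for name, value in sorted(parse_prefs(text).items()):
        haystack = f"{name} {value}".lower()
        for indicator in indicators:
            if indicator in haystack:
                hits.append((name, value, indicator))
                break
    return hits


if __name__ == "__main__":
    for name, value, indicator in hijacked_prefs(SAMPLE_PREFS):
        print(f"reset {name}  (contains {indicator}): {value}")
```

Every preference it prints is a candidate for the Reset step described above.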


Remove Snap.do in Internet Explorer:

1. Open Internet Explorer. Go to Tools → Manage Add-ons.



2. Select Search Providers. First of all, choose the Bing or Live Search search engine and make it your default web search provider (Set as default).



3. Select Web Search (search.snap.do) and click Remove to remove it. Close the window.



4. Go to Tools → Internet Options. Select the General tab and click the Use default button or enter your own website, e.g. google.com instead of http://feed.snap.do. Click OK to save the changes. And that's about it for Internet Explorer.



If you did everything correctly, the Snap.do search hijacker should be completely uninstalled from your computer. However, if it still shows up, you will have to modify or remove certain Windows registry keys. They are listed below.

First, you have to open Windows Registry Editor. Simply search for regedit and run it as administrator.

Once there, navigate to the following Windows registry keys and delete the listed values:
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main → delete "Search Bar"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search → delete "Default_Search_URL"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search → delete "SearchAssistant"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchUrl → delete "Default"
Then, navigate to and modify the following Windows registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

Right-click the "Search Page" key and select Modify. Change key value data to: http://go.microsoft.com/fwlink/?LinkId=54896

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}

Right-click the "URL" key and select Modify. Change key value data to:
http://www.bing.com/search?q={searchTerms}
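Before editing the registry by hand, you can export the Internet Explorer keys to a .reg file and check which values still point at the hijacker. The following is an added example, not part of the original guide: it parses .reg text, flags string values containing the domains named in this article, and attaches the action this guide gives for each listed value. The sample export is constructed; real regedit exports are UTF-16, so read them with `encoding="utf-16"`.

```python
import re

INDICATORS = ("snap.do", "helperbar.com")  # domains named in this article

_IE_USER = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer"
_IE_WOW = r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer"
# (key, value name) -> action given in the registry steps of this guide.
PAGE_ACTIONS = {
    (_IE_USER + r"\Main", "Search Bar"): "delete",
    (_IE_USER + r"\Main", "Search Page"):
        "set to http://go.microsoft.com/fwlink/?LinkId=54896",
    (_IE_USER + r"\Search", "Default_Search_URL"): "delete",
    (_IE_USER + r"\Search", "SearchAssistant"): "delete",
    (_IE_WOW + r"\SearchUrl", "Default"): "delete",
    (_IE_WOW + r"\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}", "URL"):
        "set to http://www.bing.com/search?q={searchTerms}",
}
# Registry key and value names are case-insensitive.
_ACTIONS = {(k.lower(), n.lower()): a for (k, n), a in PAGE_ACTIONS.items()}

_KEY = re.compile(r"^\[(HKEY_[^\]]+)\]$")
_STRING_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

# Constructed sample export; the values are made up for illustration.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Local Page"="C:\\Windows\\System32\\blank.htm"
"Search Bar"="http://search.snap.do/?q="
"Search Page"="http://search.snap.do/"
"Start Page"="http://feed.snap.do/"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search]
"Default_Search_URL"="http://search.snap.do/"
"SearchAssistant"="http://search.snap.do/"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}]
"DisplayName"="Web Search"
"URL"="http://search.snap.do/?q={searchTerms}"
'''


def _unescape(text):
    """Undo the .reg escaping of backslashes and double quotes."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg(text):
    """Yield (key, value_name, data) for each string value in .reg text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            header = _KEY.match(line)
            key = header.group(1) if header else None  # skips [-KEY] deletions
            continue
        value = _STRING_VALUE.match(line)
        if key and value:
            raw_name = value.group(1)
            name = "(Default)" if raw_name == "@" else _unescape(raw_name[1:-1])
            yield key, name, _unescape(value.group(2))


def audit(text):
    """Return [(key, value_name, data, action)] for hijacked string values."""
    findings = []
    for key, name, data in parse_reg(text):
        if any(i in data.lower() for i in INDICATORS):
            action = _ACTIONS.get((key.lower(), name.lower()), "review manually")
            findings.append((key, name, data, action))
    return findings


if __name__ == "__main__":
    for key, name, data, action in audit(SAMPLE_REG):
        print(f"{key}\n  {name} = {data}\n  -> {action}")
```

Values flagged as "review manually", such as the home page in the sample, are not in the registry list above and are the ones this guide resets through the browser's own settings.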


How to Remove Security Defender (Uninstall Guide)

Security Defender is a rogue anti-spyware program that uses deceptive tactics to drive up sales from confused or inexperienced computer users. This fake security product pretends to find malicious software on your computer. It also pretends to protect your PC against misleading pop-ups and security threats caused by spyware, adware, Trojans and other viruses. What is more, Security Defender impersonates Windows Defender, which is a perfectly legitimate anti-spyware product from Microsoft. I have to admit that this time the scam artists made quite a legitimate-looking rogue application which may actually mislead many computer users into paying for the fake removal of malware. Security Defender may be downloaded silently by Trojan horses or installed when the fake alert is clicked. Fortunately, you can use real anti-malware applications to remove the Security Defender malware from your computer. To remove this fake security program and any related malware for free, please follow the steps in the removal guide below.

New GUI of Security Defender malware:


Old GUI which is probably not used anymore.


Because Security Defender was made to scare you into thinking your computer has many critical security problems, it displays numerous fake firewall alerts and notifications from the Windows taskbar.
Security Defender Firewall Alert
Harmful software detected
Security Defender has detected malicious software that may cause crash of your computer.
Security Defender
Viruses have been found in your system.
We highly recommend you to get license for


Security Defender may also hijack Internet Explorer and block other programs on your computer. If you somehow ended up with this rogue program, please follow the removal instructions below to remove Security Defender and related malware. If you need help removing this little bugger from your computer, please leave a comment. Good luck and be safe online!

Guide update:
01/25/13 - Updated removal instructions, new activation key, GUI.


Quick removal guide:

1. Open Security Defender. Click the "Activate" button and select Manual Activation. Enter one of these debugged registration keys to register this rogue application. Don't worry, this is completely legal.

xOxZxLxWxIxTxFxQxCxNxYxKxVxHxSxE (new code)

D13F-3B7D-B3C5-BD84 (old code, may still work with some variants)

Once this is done, you are free to install anti-malware software and remove the rogue anti-virus program from your computer properly.

2. Download recommended anti-malware software and run a full system scan to remove this virus from your computer.







Security Defender removal instructions (Safe Mode):

Download recommended anti-malware software (direct download) to remove this virus from your computer.

NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

If you can't download it, please reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Open Internet Explorer and download Spyware Doctor. Once finished, run setup. That's it!


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.


Alternate Security Defender removal instructions:

1. Download iexplore.exe (NOTE: the iexplore.exe file is a renamed HijackThis tool from TrendMicro).
Launch iexplore.exe and click the "Do a system scan only" button.
If you can't open the iexplore.exe file, then download explorer.scr and run it.

2. Search for an entry like this in the scan results:
O4 - HKCU\..\Run: [pcdfsvc] C:\ProgramData\pcdfdata\[random_characters].exe /min

Select all similar entries and click once on the "Fix checked" button. Close the HijackThis tool.

3. Download recommended anti-malware software to remove this virus from your computer.





NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
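The O4 lines in a HijackThis log are autorun entries, so a saved log can be filtered for the kind of entry shown in step 2. The following is an added example, not part of the original guide and not TrendMicro code; it also covers the "Smart Security" Run value listed in the Smart Security guide above. The value names and directories come from this page, and the sample log lines are constructed.

```python
import re

# Registry Run-key form of an O4 line:
#   O4 - HKCU\..\Run: [value name] command line
O4_RUN = re.compile(r"^O4 - (HK.+?)\\\.\.\\(Run\w*): \[(.*?)\] (.+)$")
# Program path: quoted, or unquoted up to the first executable extension.
PROGRAM = re.compile(
    r'^\s*(?:"([^"]+)"|(.+?\.(?:exe|scr|com|bat|cmd|pif))(?=\s|$))', re.I)

# Data and temp locations taken from the file lists on this page.
DATA_DIRS = ("\\programdata\\", "\\application data\\",
             "\\appdata\\local\\temp\\", "\\local settings\\temp\\")
# Run-value names given on this page.
KNOWN_NAMES = {"smart security", "pcdfsvc"}

# Constructed sample log lines; names other than the two above are made up.
SAMPLE_LOG = r'''O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" /background
O4 - HKCU\..\Run: [pcdfsvc] C:\ProgramData\pcdfdata\a1b2c3d4.exe /min
O4 - HKCU\..\Run: [Smart Security] C:\ProgramData\smart.exe
O4 - HKCU\..\Run: [xk2m9] C:\Documents and Settings\All Users\Application Data\xk2m9.exe
'''


def parse_o4(line):
    """Return a dict for an O4 Run-key line, or None for any other line."""
    match = O4_RUN.match(line.strip())
    if not match:
        return None
    hive, run_key, name, command = match.groups()
    program = PROGRAM.match(command)
    path = (program.group(1) or program.group(2)) if program else command
    return {"hive": hive, "key": run_key, "name": name,
            "command": command, "path": path}


def reasons(entry):
    """Return the reasons an autorun entry deserves a closer look."""
    found = []
    if entry["name"].lower() in KNOWN_NAMES:
        found.append("value name listed in the article")
    if any(d in entry["path"].lower() for d in DATA_DIRS):
        found.append("runs from a data or temp directory")
    return found


def suspicious_autoruns(log_text):
    """Return [(value_name, program_path, reasons)] for entries to review."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry:
            why = reasons(entry)
            if why:
                hits.append((entry["name"], entry["path"], why))
    return hits


if __name__ == "__main__":
    for name, path, why in suspicious_autoruns(SAMPLE_LOG):
        print(f"[{name}] {path}\n    " + "; ".join(why))
```

Legitimate software sometimes starts from a data directory too, so treat the output as a review list, not a verdict.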


Associated Security Defender files and registry values:

Files:
  • C:\Documents and Settings\All Users\Application Data\[SET OF RANDOM CHARACTERS]_.mkv
  • C:\Documents and Settings\All Users\Application Data\[SET OF RANDOM CHARACTERS].avi
  • C:\Documents and Settings\All Users\Application Data\[SET OF RANDOM CHARACTERS].ico
  • C:\Documents and Settings\All Users\Start Menu\Programs\Startup\[SET OF RANDOM CHARACTERS].lnk
  • C:\Program Files\Security Defender
  • C:\Program Files\Security Defender\Security Defender.dll
  • %Temp%\[SET OF RANDOM CHARACTERS].dll
%Temp% refers to:
C:\Documents and Settings\[UserName]\Local Settings\Temp (in Windows 2000/XP)
C:\Users\[UserName]\AppData\Local\Temp (in Windows Vista & Windows 7)

Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"