Monthly Archives: May 2014

Norpalla Adware Removal Instructions

Found another adware this morning. It’s called Norpalla, and it adds itself to your web browsers. Here you can see Norpalla in the Mozilla Firefox browser:

norpalla-firefox

I found Norpalla in a download that claimed to be an episode of the Game of Thrones TV series. That download was digitally signed by “New IT Limited”.

Norpalla is an easy match for FreeFixer. Just select the norpallabho.dll file and the Norpalla Firefox Extension for removal and the problem is solved.

norpalla-firefox-extension norpalla-internet-explorer

Where did you find the Norpalla adware? Was it also bundled with a movie or tv-series download?

InstallVibes Digital Signature – Bundling, VirusTotal detections and Promotions

I just found a file digitally signed by InstallVibes. You might have noticed that InstallVibes appears as the publisher in the User Account Control dialog that pops up when double-clicking on the file and came here to find out more about it.

InstallVibes Publisher

Information about a digital signature and the certificate can also be found under the Digital Signature tab. The two screenshots below show the InstallVibes certificate and that the “Subject” is located in Tel Aviv, Israel.

InstallVibes Digital Signature

InstallVibes Certificate TelAviv Israel

I decided to upload the InstallVibes file to VirusTotal. The file was detected by some of the anti-virus programs, with names such as: TR/Dropper.GenPUP.Optional.Bundlore and Bundlore.

InstallVibes scan result from Virus Total

Since some of the anti-virus programs detected the InstallVibes file, I got curious and decided to test it to see what it installed. The following software is bundled and disclosed in the InstallVibes installer:

  • Qone8
  • ProductivityPro
  • Optimizer Pro
  • Wajam
  • BestMarkit
  • MoboGenies
  • PriceMeter
  • OMG (OnlineMusicGroove)
  • ClipHD
  • MyPcBackup

This is what the web page looked like when I found the InstallVibes file. It appeared in a few variants:

InstallVibes Video Downloader InstallVibes "Highly Recommened" InstallVibes "Download Ready" using user interface that looks like the Windows 7 user interface style.

Did you also find an InstallVibes file? What kind of download was it?

If you also have a file digitally signed by InstallVibes, please upload it to www.virustotal.com to see if anything is detected or if it comes up clean. I’d be very interested to see the scan result. Please post the link to the scan result in the comments field below. Thank you!

Wifi Protector is Adware – How To Remove It

Did a program called Wifi Protector by Optimal Software s.r.o. appear on your computer and you are wondering what it is? If Wifi Protector popped up unexpectedly on your machine, you may have received it when installing some other software that bundled Wifi Protector.

wifiprotector

By looking at Wifi Protector’s main screen and the terms and conditions, we can see that Wifi Protector is adware:

wifiprotector-adware

“Browser extension may also serve advertising during your browser sessions.”

“Free version of Wifi Protector is ad-supported.”

If you don’t want software that serves ads on your computer, you can uninstall Wifi Protector from the Programs and Features dialog:

wifi-protector-uninstall

Majestic Savings Adware Removal

Found a new adware called Majestic Savings this morning. If you have Majestic Savings on your machine, you may have noticed additional links with a green arrow appearing, with a tool-tip saying “Click to Continue -> by Majestic Savings”.

Click to Continue - ads by Majestic Savings

Majestic Savings also modifies Google search results by inserting ads. The ads are labeled Ads by Majestic Savings.

Ads by Majestic Savings in Google search results

You may also see Majestic Savings popping up a dialog saying that it has upgraded itself by installing something called Browser Guardian:

Majestic Savings - Browser Guardian

Majestic Savings is added as an add-on in your web browsers. Here’s how it looks in Firefox:

Majestic Savings 1.0 appears as a Firefox Add-on

Removing Majestic Savings is easy, just select the Majestic Savings files in FreeFixer and the adware problem is solved:

majestic-savings-internet-explorer majestic-savings-firefox-extension

How did you get Majestic Savings on your machine? Please share by posting a comment. I found it while testing a software download, where Majestic Savings was offered during the installation. However, the installer referred to it as Majestic Coupons:

Majestic Coupons

Hope you found this useful.

Artur Kozak Publisher – Digital Signature Warning!

Lately I’ve been looking at the digital signatures on those files that push various types of unwanted programs. This morning I found a new file in the FreeFixer database called digital-photo-2013-11-nov.pdf.exe, digitally signed by Artur Kozak.

You can see who the signer is when double-clicking on an executable file. Artur Kozak appears in the publisher field in the dialog that pops up. You can also see the Artur Kozak certificate under the digital signature tab.

So, why am I warning you about the Artur Kozak file? Check out what the anti-virus programs report about the file:

artur-kozak

TSULoader, InstalleRex, Win32.Adload and Adware.Downware are some of the detection names reported by the anti-virus scanners.

Hope this helped you avoid getting some unwanted programs on your machine.

Where did you find the Artur Kozak file? What was the file called?

SuperCool Applications Publisher – Warning

This night I found a file claiming to be an installer for Adobe’s Flash Player. However, the file was not signed by Adobe as it should be. Instead SuperCool Applications appeared as the publisher:

SuperCool Applications Publisher

SuperCool Applications also appears under the digital signature tab. SuperCool Applications is located in Tel Aviv, Israel.

SuperCool Applications Digital Signature

Supercool Applications certificate says Tel Aviv, Israel

So, why should you avoid the SuperCool Applications “Flash Player” and instead download Flash from the official site? The anti-virus scanners should convince you:

SuperCool Applications virus total scan result.

Seven of the anti-virus programs detect the SuperCool Applications file, and refer to it as Max Setup, InstallCore, Install Core Click run Software and PUP.Optional.InstallCore.

Hope this helped you to get the official Flash Player and skip the SuperCool Applications download.

Please let me know if you found this blog post useful.
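The publisher check described in the Artur Kozak and SuperCool Applications posts above can also be done from PowerShell. This is an added example, not code from the blog or from FreeFixer; the function name `Test-ExpectedPublisher`, its parameters, the list of extensions and the sample file name are assumptions made for illustration.

```powershell
# Added example: compare a file's Authenticode signer with the publisher you expect.
# Test-ExpectedPublisher and its parameters are hypothetical names for this sketch.
function Test-ExpectedPublisher {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedPublisher
    )

    $file = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $cert = $sig.SignerCertificate

    # The certificate's simple name is what Windows shows as the publisher.
    $nameType  = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $publisher = if ($cert) { $cert.GetNameInfo($nameType, $false) } else { $null }

    # Document-style name followed by an executable extension, as in "*.pdf.exe".
    # The extension lists are a constructed sample, not a complete set.
    $doubleExt = $file.Name -match '\.(pdf|doc|docx|jpg|png|txt|mp3|avi)\.(exe|scr|com|pif)$'

    # A valid signature only proves who signed the file, so the publisher
    # comparison is the check that matters here.
    $verdict = if (-not $cert) {
        'Unsigned'
    } elseif ($sig.Status -ne 'Valid') {
        "Signature not valid: $($sig.Status)"
    } elseif ($publisher -ne $ExpectedPublisher) {
        'Signed by a different publisher than expected'
    } else {
        'Publisher matches'
    }

    [pscustomobject]@{
        File            = $file.Name
        Publisher       = $publisher
        Subject         = if ($cert) { $cert.Subject } else { $null }  # includes L= and C=
        Thumbprint      = if ($cert) { $cert.Thumbprint } else { $null }
        DoubleExtension = $doubleExt
        Verdict         = $verdict
    }
}

# Usage (file name is a constructed sample; take the expected publisher string
# from a copy downloaded from the vendor's official site):
# Test-ExpectedPublisher -Path .\flashplayer_setup.exe -ExpectedPublisher 'Adobe Systems Incorporated'
```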

GetMyFilesNow – How To Remove

Stumbled upon an adware called GetMyFilesNow the other day. Here’s what its installer looks like:

getmyfilesnow installer

Once installed it will appear as an add-on in Mozilla Firefox:

getmyfilesnow addon 1.0 in Firefox

So, what kind of advertising does GetMyFilesNow show? After installation the well-known Nav-Links type of ads started to appear, but when I tested it GetMyFilesNow also replaced Google Adsense ads on the web sites that I visited.

getmyfilesnow nav-link popup

GetMyFilesNow may also insert ads into Google search results. The ads are labeled “Powered by GetMyFilesNow”:

Powered by GetMyFilesNow ads

Many of the anti-virus programs are obviously aware of GetMyFilesNow. When I scanned getmyfilesnow.exe, 14 of the 53 anti-virus programs flagged the file. Most of them report it as KillFiles, Linkular and Linkun.

getmyfilesnow.exe virus total scan

You can remove GetMyFilesNow by simply removing the Firefox Extension, either directly in Firefox or by checking the extension for removal in FreeFixer:

getmyfilesnow-firefox-ext

Hope this helped you figure out what GetMyFilesNow is and how to remove it.

How did you get this adware on your machine? Please share by posting a comment.

Stas Kosmov Publisher – Digital Signature Warning!

For some unknown reason I had trouble sleeping this night, so instead I spent a few hours hunting some adware installers. I found a file digitally signed by Stas Kosmov that bundled lots of unwanted software. Stas Kosmov will appear as the publisher when double-clicking on the file and in the file’s digital signature tab. According to the certificate Stas Kosmov is located in Kiev, Ukraine.

Stas Kosmov Publisher - Installer for TopApp soft

Stas Kosmov Digital Signature

Stas Kosmov Kiev Ukraine

So, what do the anti-virus scanners say about this file? The following scan result should convince you to not run the Stas Kosmov file:

stas kosmov virus total

Did you also find a file signed by Stas Kosmov? Where did you find it?

Coupigo Adware Removal Instructions

Seems like there’s a lot of new adware variants popping up right now. Found a new one called Coupigo this morning. Coupigo adds itself into Firefox and Internet Explorer. Here’s how it appears in Firefox:

Coupigo Adware in Mozilla Firefox Add-ons Manager

FreeFixer can remove Coupigo with a few clicks. Just select the Coupigo files in the scan result and then hit the Fix button. Problem solved.

Coupigo Adware in Internet Explorer Coupigo Adware listed as a Firefox Extension

The anti-virus programs are clearly aware of the Coupigo adware. Just check out the detection result from VirusTotal. Graftor and MultiPlug seem to be the most common detection names. I’d say 33/53 is pretty good:

Coupigo detections at virus total - Graftor - MultiPlug

How did you get the Coupigo adware on your machine?

GreatSaver Adware Removal Instructions

Seems like there’s no end to the adware variants out there. Found something called GreatSaver right now. It will install itself as an add-on in the web browser. Here’s GreatSaver in the Firefox add-ons list:

greatsaver 2.7 adware firefox addon

So, how can you remove GreatSaver? Easy peasy with FreeFixer, just select the GreatSaver files for removal. That’s all it takes 🙂

greatsaver adware internet explorer greatsaver adware firefox extension

How did GreatSaver find its way onto your machine? Please let me know by posting a comment.