Found another adware this morning. It’s called Norpalla, and it adds itself in your web browsers. Here you can see Norpalla in the Mozilla Firefox browser:
I found Norpalla in a download that claimed to be an episode of the Game of Thrones tv-series. That download was digitally signed by “New IT Limited“.
Norpalla is an easy match for FreeFixer. Just select the norpallabho.dll file and the Norpalla Firefox Extension for removal and the problem is solved.
Where did you find the Norpalla adware? Was it also bundled with a movie or tv-series download?
I just found a file digitally signed by InstallVibes. You might have noticed that InstallVibes appears as the publisher in the User Account Control dialog that pops up when double-clicking on the file and came here to find more about it.
Information about a digital signature and the certificate can also be found under the Digital Signature tab. The two screenshots below shows the InstallVibes certificate and that the “Subject” is located in Tel Aviv, Israel.
I decided to upload the InstallVibes file to VirusTotal. The file was detected by some of the anti-virus programs, with names such as: TR/Dropper.Gen, PUP.Optional.Bundlore and Bundlore.
Since some of the anti-virus programs detected the InstallVibes file, I got curious and decided to test it to see what it installed. The following software is bundled and disclosed in the InstallVibes installer:
- Optimizer Pro
- OMG (OnlineMusicGroove)
This is how the web page looked like when I found the InstallVibes file. It appeared in a few variants:
Did you also find an InstallVibes file? What kind of download was it?
If you also have a file digitally signed by InstallVibes, please upload at www.virustotal.com to see if anything is detected or if it comes up clean. I’d be very interested to see the scan result. Please post the link to the scan result in the comments field below. Thank you!
Did a program called Wifi Protector by Optimal Software s.r.o. appear on your computer and you are wondering what it is? If Wifi Protector popped up unexpectedly on your machine, you may have received it when installing some other software that bundled Wifi Protector.
By looking at the Wifi Protector’s main screen and in the terms and conditions we can see that WifiProtector is adware:
“Browser extension may also serve advertising during your browser sessions.”
“Free version of Wifi Protector is ad-supported.”
If you don’t want software that serves ads on your computer, you can uninstall Wifi Protector form the Programs and Features dialog:
Found a new adware called Majestic Savings this morning. If you have Majestic Savings on your machine, you may have noticed additional links with a green arrow appearing, with a tool-tip saying “Click to Continue -> by Majestic Savings“.
Majestic Savings also modifies Google search results by inserting ads. The ads are labeled Ads by Majestic Savings.
You may also see Majestic Savings popping up a dialog saying that it has upgraded itself by installation something called Browser Guardian:
Majestic Savings is added as an add-on in your web browsers. Here’s how it looks in Firefox:
Removing Majestic Savings is easy, just select the Majestic Savings files in FreeFixer and the adware problem is solved:
How did you get Majestic Savings on your machine? Please share by posting a comment. I found it while testing a software download, where Majestic Savings was offered during the installation, however, the installer referred to it as Majestic Coupons:
Hope you found this useful.
Lately I’ve been looking on the digital signatures on those files that push various types of unwanted programs. This morning I found a new file in the FreeFixer database called digital-photo-2013-11-nov.pdf.exe, digitally signed by Artur Kozak.
You can see who the signer is when double-clicking on an executable file. Artur Kozak appears in the publisher field in the dialog that pops up. You can also see the Artur Kozak certificate under the digital signature tab.
So, why am I warning you about the Artur Kozak file? Check out what the anti-virus programs report about the file:
TSULoader, InstalleRex, Win32.Adload and Adware.Downware are some of the detection names reported by the anti-virus scanners.
Hope this helped you avoid getting some unwanted programs on your machine.
Where did you find the Artur Kozak file? What was the file called?
This night I found a file claiming to be an installer for Adobe’s Flash Player. However, the file was not signed by Adobe as it should be. Instead SuperCool Applications appeared as the publisher:
SuperCool Applications also appears under the digital signature tab. SuperCool Applications is located in Tel Aviv, Israel.
So, why should you avoid the SuperCool Applications “Flash Player” and instead download Flash from the official site? The anti-virus scanners should convince you:
Seven of the anti-virus programs detects the the SuperCool Applications file, and refers to it as Max Setup, InstallCore, Install Core Click run Software and PUP.Optional.InstallCore.
Hope this helped you to get the official Flash Player and skip the SuperCool Applications download.
Please let me know if you found this blog post useful.
Stumbled upon an adware called GetMyFilesNow the other day. Here’s how its installer looks like:
Once installed it will appear as an add-on in Mozilla Firefox:
So, what kind of advertising does GetMyFilesNow show? After installation the well-known Nav-Links type of ads started to appear, but when I tested it GetMyFilesNow also replaced Google Adsense ads on the web sites that I visited.
GetMyFilesNow may also insert ads into Google search results. They ads are labeled “Powered by GetMyFilesNow“:
Many of the anti-virus programs are obviously aware of GetMyFilesNow. When I scanned getmyfilesnow.exe, 14 of the 53 anti-virus programs flagged the file. Most of them report it as KillFiles, Linkular and Linkun.
You can remove GetMyFilesNow by simply removing the Firefox Extension, either directly in Firefox or by checking the extension for removal in FreeFixer:
Hope this helped you figure out what GetMyFilesNow is and how to remove it.
How did you get this adware on your machine? Please share by posting a comment.
For some unknown reason I had trouble sleeping this night, so instead I spent a few hours hunting some adware installers. I found a file digitally signed by Stas Kosmov that bundled lots of unwanted software. Stas Kosmov will appear as the publisher when double-clicking on the file and in the file’s digital signature tab. According to the certificate Stas Kosmov is located in Kiev, Ukraine.
So, what does the anti-virus scanners say about this file? The following scan result should convince you to not run the Stas Kosmov file:
Did you also find a file signed by Stas Kosmov? Where did you find it?
Seems like there’s a lot of new adware variants popping up right now. Found a new one called Coupigo this morning. Coupigo adds itself into Firefox and Internet Explorer. Here’s how it appears in Firefox:
FreeFixer can remove Coupigo with a few clicks. Just select the Coupigo files in the scan result and then hit the Fix button. Problem solved.
The anti-virus programs are clearly aware of the Coupigo adware. Just check out the detection result from VirusTotal. Graftor and MultiPlug seems to be the most common detection names. I’d say 33/53 is pretty good:
How did you get the Coupigo adware on your machine?
Seems like there’s no end to the adware variants out there. Found something called GreatSaver right now. It will install itself as an add-on in the web browser. Here’s GreatSaver in the Firefox add-ons list:
So, how can you remove GreatSaver? Easy peasy with FreeFixer, just select the GreatSaver files for removal. That’s all it takes 🙂
How did GreatSaver find its way onto your machine? Please let me know by posting a comment.