What is Site Matcher Pro? – Removal Instructions

Did you just find something called Site Matcher Pro in Mozilla Firefox’s Add-on dialog?

Site Matcher Pro is a piece of software that suggests similar web sites based on the sites that you are currently browsing.

How did you get Site Matcher Pro on your computer? I found it bundled with an unofficial Adobe Flash Player download. The Flash download was signed by the SuperCool Applications publisher. Here’s a screenshot of Site Matcher Pro appearing in the installer:

Site Matcher Pro is bundled with an unofficial Adobe Flash Player download.

If you’d like to remove Site Matcher Pro, you can do so from inside Firefox, or by selecting the Site Matcher Pro extension for removal in FreeFixer:

Site Matcher Pro appears in FreeFixer's scan result

Hope this helped you to figure out what Site Matcher Pro is and how to remove it.

Update 2014-10-06: Found Site Matcher Pro in another installer:

site matcher pro

Greener Web – Adware Removal Instructions

Another adware find this morning. This one is called Greener Web. You might have noticed Greener Web when starting up Firefox and being asked to install Greener Web, or in Mozilla’s and Internet Explorer’s add-on dialog:

Greener Web 1.0.1 in Firefox Greener Web appears an Internet Explorer Add-On Greener Web 1.0.1 Firefox Addon

Many of the anti-virus programs over at VirusTotal detect the Greener Web adware, as you can see in the scan result for GreenerWebbho.dll:

greener-web-virustotal

I found GreenerWeb bundled in an unofficial Adobe Flash Player download. The installer file, AdobeFlashPlayer.exe was digitally signed by SuperCool Applications. Here’s how GreenerWeb was disclosed in the installer:

GreenerWeb installer disclosure

How did you get Greener Web on your computer? Please let me and the readers know by posting a comment.

You can remove Greener Web with FreeFixer. Just select the Greener Web files for removal and click the Fix button and Greener Web will not bother you any more:

Greener Web Firefox Ext in  FreeFixer greenerwebbho.dll in FreeFixer

Hope this helped you figure out what Greener Web is and how it is distributed.

Media_Play_AIR+ – Removal Instructions

Just wanted to let you know about a new adware variant called Media_Play_AIR+ that I found tonight. 8 of the 50 anti-virus scanners at VirusTotal detect the Media_Play_AIR_1.1-bg.exe file, which you may see in the Windows Task Manager:

media_play_air+-virustotal

Some of the anti-virus programs call Media_Play_AIR+ Artemis, CrossRider and AppRider.

These are the variants I’ve found so far:

  • Media_Play_AIR+_1.1
  • Mediaa_Play_AIR_1.4

I found Media_Play_AIR+ bundled with a Zip/Unzip utility. The setup file was digitally signed by CloverMedia SL. How did you get Media_Play_AIR on your computer?

The Media_Play_AIR+ files are digitally signed by individual developer SIMONA-VIORICA MARIN, who according to the certificate is located in Bucharest, Romania.

Media_Play_AIR+_1.1-bg.exe certificate

You can remove Media_Play_AIR+ with FreeFixer. Just select the Media_Play_AIR+ files as shown in the screenshots. Most of the files are located in c:\Program Files\Media_Play_AIR+_1.1 or c:\Program Files (x86)\Media_Play_AIR+_1.1 on 64-bit Windows.

media_player_air+ in Firefox media_play_air+-bho media_play_air+

Media_Play_AIR+ is a variant of MPlayerPlus. Since the removal procedure is the same I’ll link that removal video where you can see FreeFixer in action removing the adware:

Hope you found this useful.

How To Remove NewPlayer Ads

Did you see a new type of ads labeled Ads by NewPlayer popping up recently on your computer, even on web sites that normally don’t show any ads? Then you have the NewPlayer adware on your machine. The two types of NewPlayer ads that I’ve seen are a standard banner (to the left), and the Nav-Links roll-over ad type (to the right), as shown in the screenshot below.

Ads by NewPlayer

Removing NewPlayer is a one-minute job with FreeFixer. All you need to do is select the NewPlayer files for removal, and then hit the Fix button. The filenames for NewPlayer can vary somewhat. In my case they were called NewPlayerFT171.exe, NewPlayerV40.exe and NewPlayerLwruQw.exe. I’m sure you can identify them on your computer. Here are the NewPlayer files in the FreeFixer scan result:

NewPlayer.exe Service NewPlayer Scheduled Tasks

Newplayer Process in FreeFixer

The detection rate for the NewPlayer adware appears to be pretty low. 3 of the 52 anti-virus scanners at VirusTotal detected the NewPlayer file. Avast refers to it as Win32:Adware-BQV, and Baidu and ESET-NOD32 call it AddLyrics.

newplayer-virus-total

How did you get NewPlayer on your computer?

New IT Limited Digital Signature – What does it bundle?

I was playing around and testing some downloads when I found a file signed by New IT Limited. This is how it looks when double-clicking on the file and New IT Limited appears as the publisher.

new it limited publisher

It is also possible to check a digital signature by looking at a file’s properties.  Here’s a screenshot of the New IT Limited certificate:

The New IT Limited certificate

New IT Limited appears to be located in Nicosia, Cyprus.

new it limited subject

What initially caught my interest was that the file was named Game of Thrones HDTV.. after the famous TV-series Game of Thrones from HBO. 2 of the 51 scanners over at VirusTotal detected the New IT Limited file. Win32:FourShared-D [PUP] and a variant of Win32/4Shared.S were the detection names:

New IT Limited VirusTotal scan FourShared/4Shared

Since ESET-NOD32 and Avast detected the file I got curious and decided to run the file. Turns out the installer bundled the Qone8 search engine:

new-it-limited-installer

Did you also find a download that was digitally signed by New IT Limited? What kind of download was it?

Thanks for reading!

 

Save On, SO.Booster and SO.Sustainer 1.80 – Removal Instructions

Found a few new variants of SaveNet this morning. The new variants appear as Save On, SO.Booster and SO.Sustainer 1.80 in the Add/Remove programs dialog. These were found in a camera related software, and the setup file was digitally signed by Daneil Jemoch. Save On inserts ad links while you browse. The links are underlined with a green small arrow and are labeled “Click to Continue > by save on” as shown in the screenshot below:

Click to Continue by save on

These are the detection results from VirusTotal for SO.Booster.exe:

so.booster.exe virustotal scan result

If you have Save On, SO.Booster and SO.Sustainer 1.80 on your machine, you may have noticed a file called SO.Booster.exe or SO;Booster.exe running on your computer at startup or that new add-ons have appeared in your browser. Here’s a screenshot from Firefox that shows the SaveOn add-on:

save on 2.14 in Firefox

The removal is pretty straightforward with the FreeFixer removal tool. Simply check the SaveOn, SO.Booster and SO.Sustainer files, as shown in the screenshots:

so.booster.exe scheduled task save-on firefox extension so.booster.exe process SaveOn hook up in the system as an AppInit_DLL save-on-internet-explorer
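The screenshots above show Save On as a running process, a scheduled task and an AppInit_DLL entry. The following PowerShell check looks in those three places; it is an added example, not part of the original post or of FreeFixer, and the name patterns and the Test-NameMatch helper are assumptions built from the names shown in this post.

```powershell
# Added example: look for Save On traces in the three places the post shows.
# Assumption: these name fragments are taken from the post and may not cover
# every variant.
$Names = 'SO.Booster', 'SO.Sustainer', 'SaveOn', 'Save On'

function Test-NameMatch([string]$Text) {
    foreach ($n in $Names) {
        if ($Text -like "*$n*") { return $true }
    }
    return $false
}

# 1. Running processes (SO.Booster.exe shows up as process name "SO.Booster").
Get-Process |
    Where-Object { Test-NameMatch $_.Name } |
    Select-Object Name, Id, Path

# 2. Scheduled tasks whose name or launched program matches.
Get-ScheduledTask |
    Where-Object {
        $programs = ($_.Actions | ForEach-Object { $_.Execute }) -join ';'
        (Test-NameMatch $_.TaskName) -or (Test-NameMatch $programs)
    } |
    Select-Object TaskName, TaskPath

# 3. AppInit_DLLs, in both the 64-bit and the 32-bit registry view.
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
foreach ($key in $keys) {
    $value = (Get-ItemProperty -Path $key -Name AppInit_DLLs `
                  -ErrorAction SilentlyContinue).AppInit_DLLs
    if ($value) {
        [pscustomobject]@{
            Key          = $key
            AppInit_DLLs = $value
            Match        = Test-NameMatch $value
        }
    }
}
```

An empty result from all three sections after removal and a reboot means none of these name fragments are still present in those locations; browser add-ons are checked separately in each browser's add-on dialog.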

How did you get SaveOn on your machine?

 

Norpalla Adware Removal Instructions

Found another adware this morning. It’s called Norpalla, and it adds itself in your web browsers. Here you can see Norpalla in the Mozilla Firefox browser:

norpalla-firefox

I found Norpalla in a download that claimed to be an episode of the Game of Thrones tv-series. That download was digitally signed by “New IT Limited“.

Norpalla is an easy match for FreeFixer. Just select the norpallabho.dll file and the Norpalla Firefox Extension for removal and the problem is solved.

norpalla-firefox-extension norpalla-internet-explorer

Where did you find the Norpalla adware? Was it also bundled with a movie or tv-series download?

InstallVibes Digital Signature – Bundling, VirusTotal detections and Promotions

I just found a file digitally signed by InstallVibes. You might have noticed that InstallVibes appears as the publisher in the User Account Control dialog that pops up when double-clicking on the file and came here to find more about it.

InstallVibes Publisher

Information about a digital signature and the certificate can also be found under the Digital Signature tab. The two screenshots below show the InstallVibes certificate and that the “Subject” is located in Tel Aviv, Israel.

InstallVibes Digital Signature

InstallVibes Certificate TelAviv Israel
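The publisher and certificate subject shown in the file properties dialog, here and in the New IT Limited post above, can also be read from PowerShell. This is an added example, not part of the original posts; the function name Get-SignerReport and its -Path and -WatchList parameters are hypothetical, and the watch list holds only publisher names mentioned on this page. A valid signature only tells you who signed the file, which is why the report shows the publisher next to the status.

```powershell
# Added example: report the Authenticode signer of every installer in a folder
# and flag publishers that the posts on this page found on bundled installers.
function Get-SignerReport {
    param(
        [string]$Path = "$env:USERPROFILE\Downloads",
        # Publisher names taken from the posts on this page.
        [string[]]$WatchList = @(
            'SuperCool Applications', 'CloverMedia SL',
            'New IT Limited', 'InstallVibes'
        )
    )

    $files = Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.msi', '.dll' }

    foreach ($file in $files) {
        $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
        $cert = $sig.SignerCertificate

        # SimpleName is the publisher name shown in the UAC prompt.
        $publisher = if ($cert) { $cert.GetNameInfo('SimpleName', $false) }
                     else       { '(unsigned)' }

        $watched = $false
        foreach ($name in $WatchList) {
            if ($publisher -like "*$name*") { $watched = $true }
        }

        [pscustomobject]@{
            File      = $file.Name
            Status    = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Publisher = $publisher
            # Full subject, including the L= (city) and C= (country) fields
            # visible in the certificate screenshots.
            Subject   = if ($cert) { $cert.Subject } else { '' }
            Watched   = $watched
        }
    }
}

Get-SignerReport | Sort-Object Watched -Descending | Format-Table -AutoSize
```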

I decided to upload the InstallVibes file to VirusTotal. The file was detected by some of the anti-virus programs, with names such as TR/Dropper.Gen, PUP.Optional.Bundlore and Bundlore.

InstallVibes scan result from Virus Total

Since some of the anti-virus programs detected the InstallVibes file, I got curious and decided to test it to see what it installed. The following software is bundled and disclosed in the InstallVibes installer:

  • Qone8
  • ProductivityPro
  • Optimizer Pro
  • Wajam
  • BestMarkit
  • MoboGenies
  • PriceMeter
  • OMG (OnlineMusicGroove)
  • ClipHD
  • MyPcBackup

This is what the web page looked like when I found the InstallVibes file. It appeared in a few variants:

InstallVibes Video Downloader InstallVibes "Highly Recommened" InstallVibes "Download Ready" using user interface that looks like the Windows 7 user interface style.

Did you also find an InstallVibes file? What kind of download was it?

If you also have a file digitally signed by InstallVibes, please upload it to www.virustotal.com to see if anything is detected or if it comes up clean. I’d be very interested to see the scan result. Please post the link to the scan result in the comments field below. Thank you!

Wifi Protector is Adware – How To Remove It

Did a program called Wifi Protector by Optimal Software s.r.o. appear on your computer and you are wondering what it is? If Wifi Protector popped up unexpectedly on your machine, you may have received it when installing some other software that bundled Wifi Protector.

wifiprotector

By looking at Wifi Protector’s main screen and in the terms and conditions we can see that Wifi Protector is adware:

wifiprotector-adware

“Browser extension may also serve advertising during your browser sessions.”

“Free version of Wifi Protector is ad-supported.”

If you don’t want software that serves ads on your computer, you can uninstall Wifi Protector from the Programs and Features dialog:

wifi-protector-uninstall

Majestic Savings Adware Removal

Found a new adware called Majestic Savings this morning. If you have Majestic Savings on your machine, you may have noticed additional links with a green arrow appearing, with a tool-tip saying “Click to Continue -> by Majestic Savings“.

Click to Continue - ads by Majestic Savings

Majestic Savings also modifies Google search results by inserting ads. The ads are labeled Ads by Majestic Savings.

Ads by Majestic Savings in Google search results

You may also see Majestic Savings popping up a dialog saying that it has upgraded itself by installing something called Browser Guardian:

Majestic Savings - Browser Guardian

Majestic Savings is added as an add-on in your web browsers. Here’s how it looks in Firefox:

Majestic Savings 1.0 appears as a Firefox Add-on

Removing Majestic Savings is easy, just select the Majestic Savings files in FreeFixer and the adware problem is solved:

majestic-savings-internet-explorer majestic-savings-firefox-extension

How did you get Majestic Savings on your machine? Please share by posting a comment. I found it while testing a software download, where Majestic Savings was offered during the installation. However, the installer referred to it as Majestic Coupons:

Majestic Coupons

 

Hope you found this useful.