Remove go.1800option.com and promotions.1800option.com Pop Up Ads

Did you just get a pop-up from go.1800option.com or promotions.1800option.com and wonder where it came from? Did the go.1800option.com ad appear to have been initiated from a web site that under normal circumstances doesn’t use advertising such as pop-up windows? Or did the go.1800option.com pop-up show up when you clicked a link on one of the major search engines, such as Google, Bing or Yahoo?

Here is what the go.1800option.com ad looked like on my machine:

go.1800option.com pop up

And here’s promotions.1800option.com in the status bar:

promotions.1800option.com status bar

If this sounds like what you are seeing on your computer, you most likely have some adware installed that pops up the go.1800option.com ads. There’s no use contacting the owners of the site you were browsing at the time. The ads are not coming from them. I’ll try to help you remove the go.1800option.com pop-ups in this blog post.

For those who are new to the blog: Recently I dedicated some of my lab computers and deliberately installed a few adware programs on them. Since then I’ve been monitoring the behaviour on these computers to see what kinds of advertisements are displayed. I’m also looking at other interesting things, such as whether the adware updates itself automatically, or whether it installs additional unwanted software on the machines. I first found the go.1800option.com pop-up on one of these lab computers.

go.1800option.com was registered on 2014-08-13. promotions.1800option.com resolves to 199.83.129.86 and go.1800option.com to the 92.222.66.143 IP address.

So, how do you remove the go.1800option.com pop-up ads? On the machine where I got the go.1800option.com ads I had istartsurf, MedPlayerNewVersion and Movie Wizard installed. I removed them with FreeFixer and that stopped the go.1800option.com pop-ups and all the other ads I was getting in Mozilla Firefox.

If you are wondering whether there are many others out there also getting the go.1800option.com ads, the answer is probably yes. Check out the traffic rank from Alexa:

1800option.com traffic rank

The problem with pop-ups like this one is that they can be triggered by many variants of adware, not just the adware running on my system. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

So, what can be done to solve the problem? To remove the go.1800option.com pop-up ads you need to review your system for adware or other types of unwanted software and uninstall it. Here’s my suggested removal procedure:

The first thing I would do to remove the go.1800option.com pop-ups is to examine the programs installed on the machine, by opening the “Uninstall programs” dialog. You can reach this dialog from the Windows Control Panel. If you are using one of the more recent versions of the Windows operating system you can just type “uninstall” in the Control Panel’s search field to find that dialog:
Uninstall a program search

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Uninstall a program dialog

Do you see something strange-looking in there or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if some program was installed at about the same time as you started getting the go.1800option.com pop-ups.

The next thing to check would be your browser’s add-ons. Adware often appears under the add-ons menu in Google Chrome, Mozilla Firefox, Internet Explorer, Safari or Opera. Is there anything that looks suspicious? Something that you don’t remember installing?
Firefox add-ons manager
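
The “Installed On” review from the first step can also be done from PowerShell. This is an added example, not part of the original post or of FreeFixer; the date and window variables are assumptions to adjust, and the three program names are the ones this post reports removing from the lab machine.

```powershell
# Added example: review installed programs by install date, as the
# "Installed On" tip suggests. Read-only; nothing is uninstalled.

# Assumption: set this to the day the pop-ups started.
$popupsStarted = (Get-Date).Date.AddDays(-7)
$windowDays    = 3

# Program names the post reports removing from the lab machine.
$reported = 'istartsurf', 'MedPlayerNewVersion', 'Movie Wizard'

# Registry locations behind the "Uninstall a program" dialog
# (64-bit, 32-bit and per-user installs).
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$programs = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    ForEach-Object {
        $name = $_.DisplayName
        # InstallDate is optional and stored as a yyyyMMdd string.
        $date = [datetime]::MinValue
        $hasDate = [datetime]::TryParseExact([string]$_.InstallDate,
            'yyyyMMdd', [cultureinfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]::None, [ref]$date)
        # True when the install date falls within the window around the start date.
        $near = $hasDate -and
            ([math]::Abs(($date - $popupsStarted).TotalDays) -le $windowDays)

        [pscustomobject]@{
            InstalledOn = if ($hasDate) { $date } else { $null }
            Name        = $name
            Publisher   = $_.Publisher
            NearPopups  = $near
            InPost      = [bool]($reported | Where-Object { $name -like "*$_*" })
        }
    }

# Newest installs first; entries without an InstallDate value have an empty date.
$programs | Sort-Object InstalledOn -Descending |
    Format-Table InstalledOn, Name, Publisher, NearPopups, InPost -AutoSize
```

Entries with an empty InstalledOn still need a manual look, since many installers never write that value.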

I think most users will be able to find and uninstall the adware with the steps outlined above, but in case that does not work you can try the FreeFixer removal tool to identify and remove the adware. FreeFixer is a freeware tool that I started developing many years ago. It’s a tool designed to manually find and remove unwanted software. When you’ve identified the unwanted files you can simply tick a checkbox and click on the Fix button to remove them.

FreeFixer’s removal feature is not crippled like many other removal tools out there. It won’t require you to purchase the program just when you are about to remove the unwanted files.

And if you’re having difficulties figuring out if a file is safe or unsafe in FreeFixer’s scan result, click on the More Info link for the file. That will open up a web page which contains additional information about the file. On that web page, check out the VirusTotal report which can be very useful:

FreeFixer More Info link example
An example of FreeFixer’s “More Info” links.

Here you can see FreeFixer in action removing pop-up ads:

Did you find any adware on your machine? Did that stop the go.1800option.com ads? Please post the name of the adware you uninstalled from your machine in the comment below.

Thank you!

ALEKSANDR MOROZOV – 14% Detection Rate At VirusTotal

Hello! Just wanted to give you the heads up on files digitally signed by ALEKSANDR MOROZOV.

ALEKSANDR MOROZOV publisher

You will also see ALEKSANDR MOROZOV listed as the verified publisher in the User Account Control dialog that pops up if you try to run the file. It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the ALEKSANDR MOROZOV certificate.

ALEKSANDR MOROZOV cert

Win32:MultiPlug-AAE [PUP], a variant of Win32/Adware.MultiPlug.MO, Unwanted-Program ( 0040f9681 ) and Suspicious.Cloud.5 are some detection names according to VirusTotal:

ALEKSANDR MOROZOV virus total

Did you also find a file digitally signed by ALEKSANDR MOROZOV? What kind of download was it and where did you find it?

Thanks for reading.

SERGEY NIKITIN – Detected as MultiPlug, Graftor, Qudamah etc

Hello! Just a short post on a publisher called SERGEY NIKITIN. I just found a download named Download.exe that was digitally signed by this publisher, and it turns out that it is detected by some anti-virus programs.

SERGEY NIKITIN publisher

You can also look at the SERGEY NIKITIN certificate and digital signature by looking under the Digital Signatures tab on the file’s properties. According to the certificate, SERGEY NIKITIN is located in Zaporizhia, Zaporizhska in Ukraine.

SERGEY NIKITIN certificate

The VirusTotal report shows that the SERGEY NIKITIN file should be avoided, since Download.exe is detected as Gen:Variant.Adware.Graftor.198034 by BitDefender, PUP.Optional.MultiPlug by Malwarebytes, Suspicious.Cloud.5 by Symantec and Trojan.Win32.Qudamah.Gen.4 by Tencent.

SERGEY NIKITIN virus report

Did you also find a SERGEY NIKITIN file?

Thanks for reading.

OtOPIa Soft – 25% Detection Rate – OutBrowse / Artemis

Hi there! Just wanted to give you the heads up on a publisher called OtOPIa SOft.

OtOPIa SOft publisher

You can see who the signer is when double-clicking on an executable file. OtOPIa SOft appears in the publisher field in the dialog that pops up. To view more information about the certificate you can right-click on the file, then choose Properties and then select the Digital Signatures tab. According to the certificate we can see that OtOPIa SOft is located in Dublin, Ireland and that the certificate is issued by thawte SHA256 Code Signing CA.

OtOPIa SOft cert
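
The same publisher and issuer fields shown on the Digital Signatures tab can be read for a whole folder with PowerShell. This is an added example, not part of the original posts or of FreeFixer; the Downloads folder is an assumption, and the publisher list holds the signer names covered in the posts on this page.

```powershell
# Added example: list the Authenticode signer of every .exe in a folder
# and mark signers named in these blog posts. Read-only.

# Assumption: downloaded installers are in the user's Downloads folder.
$folder = Join-Path $env:USERPROFILE 'Downloads'

# Publisher names taken from the posts on this page.
$publishers = @(
    'ALEKSANDR MOROZOV', 'SERGEY NIKITIN', 'OtOPIa SOft', 'IGOR MIHAYLOV',
    'PlatformMax (Fried Cookie Ltd)', 'Rodion Bordin', 'Danil Vlasov',
    'Kiril Semyakov'
)

$simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

$report = Get-ChildItem -Path $folder -Filter *.exe -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $cert = $sig.SignerCertificate

        # Subject and issuer common names, as shown in the certificate dialog.
        $signer = if ($cert) { $cert.GetNameInfo($simpleName, $false) } else { '(unsigned)' }
        $issuer = if ($cert) { $cert.GetNameInfo($simpleName, $true) }  else { '' }

        [pscustomobject]@{
            File   = $_.Name
            # 'Valid' only means the file is unmodified and the chain is trusted.
            # Every file in these posts was signed and still flagged by scanners.
            Status = $sig.Status
            Signer = $signer
            Issuer = $issuer
            InPost = $publishers -contains $signer
            # Hash to look the file up on VirusTotal without uploading it.
            SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }

# Files signed by a publisher from the posts come first.
$report | Sort-Object InPost -Descending |
    Format-List File, Status, Signer, Issuer, InPost, SHA256
```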

So, why did I put up this blog post? Well, the thing is that the OtOPIa SOft file is detected by many of the anti-malware scanners, according to VirusTotal. AVG names Player.exe as Downloader.KAM, Malwarebytes calls it Trojan.Inject, McAfee-GW-Edition detects it as Artemis and VIPRE detects it as OutBrowse (fs).

OtOPIa SOft anti-virus report

Did you also find a file signed by OtOPIa SOft? What kind of download was it and where did you find it?

Thanks for reading.

IGOR MIHAYLOV – 35% Detection Rate at VirusTotal

Hello! Just wanted to give you the heads up on files digitally signed by IGOR MIHAYLOV.

IGOR MIHAYLOV publisher

It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the IGOR MIHAYLOV certificate. It seems Igor is located in Russia.

IGOR MIHAYLOV cert

These are the current VirusTotal detections for the file. Trojan.Adware.Graftor.D30592, Generic6.BBOM, a variant of Win32/Adware.MultiPlug.MN, Gen:Variant.Adware.Graftor and SoftwareBundler:Win32/InstalleRex are a few of the detection names for the file I found.

IGOR MIHAYLOV anti-virus report

Did you also find an IGOR MIHAYLOV file? Do you remember where you downloaded it?

Hope this blog post helped you avoid some unwanted software on your machine.

Thanks for reading.

PlatformMax (Fried Cookie Ltd) – 9% Detection Rate – InstallCore

Welcome! Just wanted to give you a heads-up on a suspicious file I just found. The file is named vlc-media-player_setup.exe and is digitally signed by PlatformMax (Fried Cookie Ltd).

PlatformMax Fried Cookie publisher

If you have a PlatformMax (Fried Cookie Ltd) file on your machine you may have noticed that PlatformMax (Fried Cookie Ltd) is displayed as the publisher in the UAC dialog when double-clicking on the file. The certificate is issued by GlobalSign CodeSigning CA – G2.

PlatformMax (Fried Cookie Ltd) cert

If you are considering running the PlatformMax (Fried Cookie Ltd) signed file, please check out the detection list from some of the anti-virus programs:

PlatformMax anti-virus report

AVG detects vlc-media-player_setup.exe as Generic.7D6, Comodo classifies it as Application.Win32.InstallCore.DXC, DrWeb detects it as Trojan.InstallCore.890 and Malwarebytes reports PUP.Optional.InstallCore.SID.C.

Did you also find a PlatformMax (Fried Cookie Ltd) file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thanks for reading.

Rodion Bordin – 33% Anti-Virus Detection Rate

Hello readers! Just a short note on a publisher called Rodion Bordin.

Rodion Bordin publisher

This is how it looks when double-clicking on the file and Rodion Bordin appears as the publisher. The certificate is issued by Certum Code Signing CA.

Rodion Bordin digital signature

So, why did I put up this blog post? Well, the thing is that the Rodion Bordin file is detected by many of the anti-malware scanners, according to VirusTotal. Ad-Aware detects the file as Trojan.Agent.BKMF, DrWeb names it Trojan.PWS.Qqpass.11207, Malwarebytes names it PUP.Optional.MultiPlug and Tencent classifies it as Trojan.Win32.Qudamah.Gen.0.

Rodion Bordin anti-virus report

Did you also find a Rodion Bordin file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thanks for reading.

Danil Vlasov – 40% Detection at VirusTotal

Hi there! Just a quick post on a file named Moborobo.exe signed by Danil Vlasov.

Danil Vlasov publisher

It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the Danil Vlasov certificate.

Danil Vlasov certificate

The reason I’m writing this blog post is that the Danil Vlasov file is detected by many of the anti-malware scanners at VirusTotal. Avira reports Moborobo.exe as TR/Crypt.XPACK.Gen, BitDefender detects it as Gen:Variant.Strictor.88461, Fortinet detects it as Riskware/Generic.AC.4386 and Sophos detects it as MultiPlug.

Danil Vlasov virustotal report

Did you also find a Danil Vlasov file?

Thank you for reading.

Kiril Semyakov – 46% Detection Rate – Adware.Agent.PQH / Win32:FakeDownload-F

Hello readers! Just a quick post today, since I’m busy working on the next release of FreeFixer. Did you see a file on your system digitally signed by Kiril Semyakov? Then read on.

Kiril Semyakov publisher

Windows will display Kiril Semyakov as the publisher when running the file. It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the Kiril Semyakov certificate.

Kiril Semyakov cert

According to this, Kiril is located in Ukraine.

The reason I’m writing this blog post is that the Kiril Semyakov file is detected by many of the anti-malware scanners at VirusTotal. Avast classifies the file as Win32:FakeDownload-F [PUP], F-Secure reports Adware.Agent.PQH, Ikarus detects it as PUA.Win32.InstalleRex, McAfee-GW-Edition detects it as MultiPlug-FYT and Sophos reports MultiPlug.

Kiril Semyakov anti-virus report

Did you also find a Kiril Semyakov file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thank you for reading.