Tag Archives: Graftor

Egor Klochko – 34% Detection Rate – MultiPlug / Graftor

Welcome! Just a note on a publisher called Egor Klochko. The Egor Klochko download – Download Uc Browser V Handler Zip.exe – was detected when I uploaded it to VirusTotal. Did you also find a download by Egor Klochko? Was it also detected when you uploaded it to VirusTotal?

Egor Klochko publisher

Typically you’d see the Egor Klochko publisher name appear when double-clicking on the Download Uc Browser V Handler Zip.exe file. It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the Egor Klochko certificate.

Egor Klochko certificate

The VirusTotal report shows that the Egor Klochko file should be avoided, since Download Uc Browser V Handler Zip.exe is detected as Trojan.Adware.Graftor.D31885 by Arcabit, Gen:Variant.Adware.Graftor.202885 by BitDefender and PUP.Optional.Multiplug by Malwarebytes.

Egor Klochko anti-virus report

Did you also find an Egor Klochko file? Do you remember where you downloaded it?

Thank you for reading.

SERGEY NIKITIN – Detected as MultiPlug, Graftor, Qudamah etc

Hello! Just a short post on a publisher called SERGEY NIKITIN. I just found a download named Download.exe that was digitally signed by this publisher, and it turns out that it is detected by some anti-virus programs.

SERGEY NIKITIN publisher

You can also look at the SERGEY NIKITIN certificate and digital signature by looking under the Digital Signatures tab on the file’s properties. According to the certificate, SERGEY NIKITIN is located in Zaporizhia, Zaporizhska in Ukraine.

SERGEY NIKITIN certificate

The VirusTotal report shows that the SERGEY NIKITIN file should be avoided, since Download.exe is detected as Gen:Variant.Adware.Graftor.198034 by BitDefender, PUP.Optional.MultiPlug by Malwarebytes, Suspicious.Cloud.5 by Symantec and Trojan.Win32.Qudamah.Gen.4 by Tencent.

SERGEY NIKITIN virus report

Did you also find a SERGEY NIKITIN file?

Thanks for reading.

IGOR MIHAYLOV – 35% Detection Rate at VirusTotal

Hello! Just wanted to give you the heads up on files digitally signed by IGOR MIHAYLOV.

IGOR MIHAYLOV publisher

It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the IGOR MIHAYLOV certificate. It seems Igor is located in Russia.

IGOR MIHAYLOV cert

These are the current VirusTotal detections for the file I found. A few of the detection names are Trojan.Adware.Graftor.D30592, Generic6.BBOM, a variant of Win32/Adware.MultiPlug.MN, Gen:Variant.Adware.Graftor and SoftwareBundler:Win32/InstalleRex.

IGOR MIHAYLOV anti-virus report

Did you also find an IGOR MIHAYLOV file? Do you remember where you downloaded it?

Hope this blog post helped you avoid some unwanted software on your machine.

Thanks for reading.

SpeeditApp Ads Removal Instructions

Hi there. Found an adware called SpeeditApp tonight and wanted to give you some removal instructions. SpeeditApp appears to be a variant of Graftor. If SpeeditApp is running on your machine, you will see ads labeled SpeeditApp Ads appearing while searching at Google.

SpeeditApp ads google

I’ll show how to remove SpeeditApp in this blog post with the FreeFixer removal tool.

SpeeditApp is distributed by a method called bundling. Bundling means that a piece of software is included in other software’s installers. This is how SpeeditApp was disclosed in the installer when I found it.

SpeeditApp by Revizer

As always when I run into some new bundled software I uploaded it to VirusTotal to check if the anti-malware programs there detect anything interesting. Of the 57 scanners, 16 detected the file. The SpeeditApp files are detected as AddLyrics_r.ME by AVG, a variant of Win32/Adware.AddLyrics.DW by ESET-NOD32, Gen:Variant.Graftor.179236 by GData, Trj/Genetic.gen by Panda and Adware.AddLyrics/Variant by SUPERAntiSpyware.

You probably want to remove SpeeditApp. You can just select the SpeeditApp files in FreeFixer for removal. A restart of your computer may be required to complete the removal. Problem taken care of.

remove speeditapp ie

Hope that helped you with the removal.

Did you also find SpeeditApp on your computer? Any idea how it installed? Please share by posting a comment. Thank you!

Thanks for reading!

Remove PriceFountain Ads

Hello there. Today I wanted to talk about an adware called PriceFountain and give you some removal instructions. This seems to be a variant of PennyBee that I’ve previously written about. If PriceFountain is running on your computer, you will see ads labeled brought by PriceFountain while browsing the web and pricefountain.exe and pricefountainw.exe running in the Windows Task Manager. You will also see PriceFountain in your browser’s add-on menu. I’ll show how to remove PriceFountain in this blog post with the FreeFixer removal tool.

brought by PriceFountain

PriceFountain 1.0 firefox add-on menu

PriceFountain is bundled with other software. Bundled means that it is included in another software’s installer.

As usual when I test some new bundled software I uploaded it to VirusTotal to test if the anti-virus scanners there detect anything interesting. 19 of the antivirus scanners detected the file. AegisLab reports PriceFountain as Troj.NSIS.GoogUpdate, Avira detects it as Adware/DealPly.1257472, F-Secure calls it Gen:Variant.Graftor.162003, Fortinet names it Riskware/DealPly and McAfee reports Artemis!AD168966F8B7.

pricefountainw.exe virustotal

You probably came here looking for removal instructions for PriceFountain and you can do so with the FreeFixer removal tool. Just select the PriceFountain files as shown in the screen-caps below. A restart of your machine might be required to complete the removal.

pricefountainw.exe remove startup pricefountainie.dll remove pricefountain.exe process remove pricefountain remove

Hope that helped you to figure out how to do the removal.

I stumbled upon PriceFountain while testing out some downloads that are known to bundle lots of unwanted software. Any idea how PriceFountain was installed on your computer? Please share your story in the comments below. Thank you very much!

Thanks for reading. Welcome back!

Shetef Solutions & Consulting (1998) Ltd. – 25% Detection Rate

Good evening! Lately I’ve been looking at the digital signatures on those files that push various types of unwanted programs. Right now I found a new file called FlashPlayer__6741_i1387048386_il2537.exe, digitally signed by Shetef Solutions & Consulting (1998) Ltd.

Shetef Solutions Consulting 1998 Ltd Publisher

You can also look at the Shetef Solutions & Consulting (1998) Ltd. certificate and digital signature by looking under the Digital Signatures tab on the file’s properties. According to the certificate, Shetef Solutions & Consulting (1998) Ltd. is located in Rannana, Israel. The certificate appears to be relatively new. Its validity began on the 13th of October.

Shetef Solutions certificate, Rannana, Israel

The issue here is that if FlashPlayer__6741_i1387048386_il2537.exe really was an installer file for Flash Player, it should have been digitally signed by Adobe Systems Incorporated and not by some unknown company. This looks suspicious.
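The same check can be scripted. This is an added example, not part of the original post or the FreeFixer tool: it compares a file's Authenticode signer with the publisher its filename implies and flags recently issued certificates. The function name `Test-DownloadPublisher`, the keyword-to-publisher table and the 90-day cut-off are assumptions chosen for illustration.

```powershell
# Added example: compare a download's Authenticode signer with the publisher
# its filename claims to come from. The mapping and threshold are assumptions.
$ExpectedPublisher = @{
    'FlashPlayer' = 'Adobe Systems Incorporated'   # product keyword -> expected signer
}
$NewCertDays = 90   # assumed cut-off for "recently issued"

function Test-DownloadPublisher {
    param([Parameter(Mandatory)][string]$Path)

    $sig      = Get-AuthenticodeSignature -LiteralPath $Path
    $name     = [System.IO.Path]::GetFileName($Path)
    $findings = @()

    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) {
        # Unsigned or broken signature: there is no publisher to compare.
        return [pscustomobject]@{
            File = $name; Signer = $null; Status = $sig.Status
            Findings = @('no valid signature')
        }
    }

    # Subject common name, i.e. the publisher name Windows shows in the prompt.
    $cert   = $sig.SignerCertificate
    $signer = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    # A valid signature from the wrong publisher is the case described above.
    foreach ($product in $ExpectedPublisher.Keys) {
        if ($name -like "*$product*" -and $signer -ne $ExpectedPublisher[$product]) {
            $findings += "name claims $product, expected signer '$($ExpectedPublisher[$product])'"
        }
    }

    # Certificates whose validity began only recently deserve a second look.
    $ageDays = [int]((Get-Date) - $cert.NotBefore).TotalDays
    if ($ageDays -lt $NewCertDays) { $findings += "certificate only $ageDays days old" }

    [pscustomobject]@{
        File = $name; Signer = $signer; Status = $sig.Status; Findings = $findings
    }
}

# Usage: Get-ChildItem "$env:USERPROFILE\Downloads" -Filter *.exe |
#            ForEach-Object { Test-DownloadPublisher $_.FullName }
```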

The VirusTotal report shows that the Shetef Solutions & Consulting (1998) Ltd. file should be avoided, since FlashPlayer__6741_i1387048386_il2537.exe is detected as Adware.Downware.8876 by DrWeb, Gen:Variant.Graftor.161610 by F-Secure and PUP.Optional.Amonetize by Malwarebytes.

Shetef Solutions & Consulting (1998) Ltd. virustotal report

Since the download was detected I decided to give it a try to see what it installed. During my test I could see Wajam, Salus – Net Protector and My Start Search install on my lab machine.

Did you also find a file digitally signed by Shetef Solutions & Consulting (1998) Ltd.? What kind of download was it and where did you find it?

Thanks for reading.

Saul Perec VirusTotal Report – 38% Detection Rate

Just found a download digitally signed by Saul Perec. I’d recommend being careful if you also have downloaded a file signed by Saul Perec. This is the VirusTotal scan for the Saul Perec file:

Saul Perec Virus Total

Luckily Windows warns when launching a downloaded file and shows the publisher information.

Saul Perec Publisher

You can also view the Saul Perec certificate by right-clicking on the file, and looking under the Digital Signature tab:

Saul Perec Certificate

Did you also find a file signed by Saul Perec? Where did you find it and what kind of download was it?

Coupigo Adware Removal Instructions

Seems like there’s a lot of new adware variants popping up right now. Found a new one called Coupigo this morning. Coupigo adds itself into Firefox and Internet Explorer. Here’s how it appears in Firefox:

Coupigo Adware in Mozilla Firefox Add-ons Manager

FreeFixer can remove Coupigo with a few clicks. Just select the Coupigo files in the scan result and then hit the Fix button. Problem solved.

Coupigo Adware in Internet Explorer Coupigo Adware listed as a Firefox Extension

The anti-virus programs are clearly aware of the Coupigo adware. Just check out the detection result from VirusTotal. Graftor and MultiPlug seem to be the most common detection names. I’d say 33/53 is pretty good:

Coupigo detections at virus total - Graftor - MultiPlug

How did you get the Coupigo adware on your machine?

Daneil Jemoch Publisher – WARNING!

Just a quick post before starting today’s programming on the FreeFixer tool. This is the second time I spot a file digitally signed by Daneil Jemoch that bundles lots of unwanted programs. Thought I should warn you and hopefully save you from some unnecessary adware cleaning. You can see Daneil Jemoch appear as the publisher when running the file as shown below.

Daneil Jemoch Publisher - Excellent4App Daneil Jemoch publisher

You can also check who signed a file by checking the digital signature tab. The screenshot below shows the Daneil Jemoch certificate. From the certificate info we can see that Daneil Jemoch appears to be located in Kiev, Ukraine.

daniel-jemoch-digital-signature

Daneil Jemoch, Kiev, Ukraine

The anti-virus programs have a decent detection rate for the Daneil Jemoch file:

Daneil Jemoch virus total

The anti-virus scanners refer to the file as Graftor, MultiPlug and InstalleRex.

Where did you find the Daneil Jemoch signed file?

Hope you found this post useful. Please let me know by posting a comment.