Tag Archives: MultiPlug

Igor Menyalo – 41% Detection Rate – MultiPlug / Qudamah / Kazy

Hi there! Just a note on a publisher called Igor Menyalo. The Igor Menyalo download was detected when I uploaded it to VirusTotal. Did you also find a download by Igor Menyalo? Was it also detected when you uploaded it to VirusTotal?

Igor Menyalo publisher

That’s how it looks when double-clicking on the file and Igor Menyalo appears as the publisher. It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the Igor Menyalo certificate.

Igor Menyalo certificate

Igor Menyalo appears to be located in Russia.

TR/Crypt.XPACK.Gen, Gen:Variant.Adware.Kazy.611186, W32/S-0625bdde!Eldorado, PUP.Optional.MultiPlug and Trojan.Win32.Qudamah.Gen.0 are some detection names according to VirusTotal:

Igor Menyalo anti-virus report

I decided to run the Igor Menyalo signed file, and it offered three additional programs called PriceMinus, BestAdBlocker and MyPC Backup in the installer.

Did you also find an Igor Menyalo file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thank you for reading.

Rubin Sister – 16% Detection Rate – MultiPlug / Qudamah / Badur

Hello! I was playing around and testing some downloads when I found a file digitally signed by Rubin Sister.

Rubin Sister publisher

If you have a Rubin Sister file on your computer you may have noticed that Rubin Sister pops up as the publisher in the User Account Control dialog when running the file. The certificate is issued by Certum Code Signing CA.

Rubin Sister certificate

A variant of Win32/Adware.MultiPlug.JZ, Riskware/Badur, Trojan.Win32.Qudamah.Gen.7 and suspected of Heur.Malware-Cryptor.Multiplug are some detection names according to VirusTotal:

Rubin Sister anti-virus report

Did you also find a Rubin Sister file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thanks for reading.

Remove PriceMinus – “Ads by PriceMinus” Removal

Welcome! Just a quick post on the PriceMinus adware. PriceMinus seems to be a variant of SalePlus that I blogged about some time ago. If PriceMinus is running on your computer, you will notice ads labeled “Ads by PriceMinus” inserted into Google search results and on other web sites.

Ads by PriceMinus on web site

Ads by PriceMinus on Google

You will also see new add-ons installed into Firefox and Internet Explorer. In my case, it was called PriceMinus 2.0.

PriceMinus 2.0 Firefox add-on

In my specific case, the installer file was digitally signed by Rodion Veresev. I’ve also seen Saul Perec signing PriceMinus installer files.

I’ll show how to remove PriceMinus in this blog post with the FreeFixer removal tool.

PriceMinus is bundled in other software’s installers. Here’s how it appeared in the installer:

PriceMinus installer

Generally, you can avoid bundled software such as PriceMinus by being careful when installing software and declining the bundled offers in the installer.

Here’s a screenshot of the adware’s web site, priceminus.info:

priceminus.info web site

Another program, called BestAdBlocker was also bundled side by side with PriceMinus. You probably want to remove BestAdBlocker too.

When I run into some new bundled software I always upload it to VirusTotal to see if the anti-malware programs there detect something suspicious. 36 of the 56 scanners detected the file. ClamAV classifies PriceMinus as Win.Trojan.Multiplug-3213, F-Secure calls it Gen:Variant.Application.Zusy, GData detects it as Gen:Variant.Application.Zusy.139555, Malwarebytes calls it PUP.Optional.MultiPlug.A and TrendMicro reports TROJ_GEN.R08NC0EE515.

PriceMinus anti-virus report

All you need to do to remove PriceMinus is to check the PriceMinus files in the scan result and click the Fix button. You may have to restart your machine to complete the removal. Just select the PriceMinus files as shown in the screenshots below.

PriceMinus remove ie

PriceMinus remove firefox

Hope this helped you remove the PriceMinus adware.

Do you also have PriceMinus on your computer? Any idea how it was installed? Please let me and the readers know by posting a comment. Thank you!

Thanks for reading. Welcome back!

Stepan Rybin – 44% Detection Rate – MultiPlug / Adware.Mikey

Hello! Did you see a file, such as WhatsApp.exe, on your system signed by Stepan Rybin? Then read on.

I found this Stepan Rybin file while reviewing some of the submissions to the FreeFixer web site. I thought it looked a little bit like a typical “MultiPlug” adware file and the VirusTotal scan result showed that was the case. Ad-Aware reports WhatsApp.exe as Gen:Variant.Adware.Mikey.7658, Avast calls it Win32:MultiPlug-TP [PUP], Cyren names it W32/S-05e718fa!Eldorado, F-Prot calls it W32/S-05e718fa!Eldorado and Sophos detects it as MultiPlug.

Stepan Rybin anti-virus report

Did you also find a Stepan Rybin download? Do you remember where you downloaded it? Please post the URL in the comments below. I’d like to install this download on my lab machine to have a closer look at it.

Thank you for reading.

Ronen Kvurt – Anti-Virus Detection Rate: 37% – MultiPlug / Mikey

Hi there! Just wanted to give you the heads up on a publisher called Ronen Kvurt that I found right now while examining the latest submissions to FreeFixer’s database. The file name seems to suggest that the download is the “The Legend of Zelda: The Wind Waker” computer game.

Avira reports Legend_of_Zelda_The_Wind_Waker_U_STARCUBE.exe as Adware/MPlug.trov, F-Secure detects it as Gen:Variant.Adware.Mikey.7658, McAfee-GW-Edition detects it as BehavesLike.Win32.SoftPulse.tc and Sophos detects it as MultiPlug.

Ronen Kvurt anti-virus report

Did you also find a Ronen Kvurt download? Do you remember the download link? Please post it in the comments. I’d like to test it myself.

There are a bunch of other developers who sign files often detected as MultiPlug, such as Edward Kosar, Andrey Hmelnikov and Oleh Aleksyuk.

Thanks for reading.

Edward Kosar – 39% Detection Rate – Adware.MultiPlug

Welcome! Just a quick post on a publisher called Edward Kosar that I found while running some tests for the upcoming FreeFixer release. The suspicious file is named “How I Met Your Mother S09E22 HDTV x264-KILLERS[ettv].exe”.

Edward Kosar UAC

The certificate is issued by Certum Code Signing CA. According to the cert, Edward Kosar is located in Ukraine.

Edward Kosar certificate

So, why did I put up this blog post? Well, the thing is that the Edward Kosar file is detected by many of the scanners, according to VirusTotal. F-Prot classifies How I Met Your Mother S09E22 HDTV x264-KILLERS[ettv].exe as W32/S-e70371e2!Eldorado, Kaspersky reports not-a-virus:AdWare.Win32.MultiPlug.oaqy, McAfee detects it as MultiPlug-FTW, Panda classifies it as Trj/Genetic.gen and VBA32 reports suspected of Heur.Malware-Cryptor.Multiplug.

Edward Kosar virustotal

Did you also run into a file that was digitally signed by Edward Kosar? What kind of download was it, and was it detected by the anti-viruses at VirusTotal? Please share by posting a comment below.

Thank you for reading.

Andrey Hmelnikov – 35% Detection Rate – Kazy/MultiPlug

Hi there! Just wanted to give you the heads up on files digitally signed by Andrey Hmelnikov.

Andrey Hmelnikov publisher

It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the Andrey Hmelnikov certificate. He’s located in Russia.

Andrey Hmelnikov certificate
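The posts above check a download’s publisher through the UAC prompt or the file’s Properties dialog, then paste the file into VirusTotal. The same two facts (signer name and SHA-256 hash) can be pulled for every executable in a folder with the script below. It is an added example, not code from this blog or from FreeFixer; the watchlist holds the publisher names this page reports as MultiPlug signers, while the folder path and output layout are assumptions.

```powershell
# Added example (not from the FreeFixer blog). Lists signer, issuer and SHA-256 of
# downloaded executables and flags publisher names seen on this page.
# A "Valid" signature status only means the certificate chain checks out; the
# page's point is that the publisher name itself is the useful signal.
$Watchlist = @('Igor Menyalo', 'Rubin Sister', 'Rodion Veresev', 'Saul Perec',
               'Stepan Rybin', 'Ronen Kvurt', 'Edward Kosar', 'Andrey Hmelnikov',
               'Oleh Aleksyuk')   # names taken from this page

function Get-DownloadSignatureReport {
    # Assumed default: the current user's Downloads folder
    param([string]$Folder = (Join-Path $env:USERPROFILE 'Downloads'))

    Get-ChildItem -Path $Folder -Filter *.exe -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            # Subject CN is the "Publisher" shown by UAC and the Properties dialog;
            # issuer CN is the CA (e.g. "Certum Code Signing CA" on this page)
            $publisher = if ($cert) { $cert.GetNameInfo('SimpleName', $false) } else { '(unsigned)' }
            $issuer    = if ($cert) { $cert.GetNameInfo('SimpleName', $true)  } else { '' }
            $sha256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash

            [pscustomobject]@{
                File      = $_.Name
                Status    = $sig.Status            # Valid, NotSigned, HashMismatch, ...
                Publisher = $publisher
                Issuer    = $issuer
                Watchlist = ($Watchlist -contains $publisher)
                SHA256    = $sha256                # paste into VirusTotal's search box
            }
        }
}

# Show flagged publishers first
Get-DownloadSignatureReport | Sort-Object Watchlist -Descending | Format-Table -AutoSize
```

Searching VirusTotal by the SHA-256 returns the existing report for a file that has already been uploaded, so the file itself does not have to be submitted again.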

So, what do the anti-virus programs say about the Andrey Hmelnikov file? No problem, I just uploaded the file to VirusTotal and it turned out that many of the anti-virus programs detect the Andrey Hmelnikov file, with names such as Gen:Variant.Adware.Kazy and MultiPlug.

Andrey Hmelnikov virustotal

To see in more detail what changes the Andrey Hmelnikov file would make on a user’s computer, I decided to run the file on my lab machine. The installer bundled some additional software such as GoSave and YoutubeAdBlocke.

Did you also find an Andrey Hmelnikov file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thank you for reading.

Remove “powered by SmartOnes” Ads

Hello guys and gals. As usual I was looking around on the Internet to see what is being bundled with some software downloads. This time I found something called SmartOnes. If you have SmartOnes on your computer, you’ll find new add-ons installed in Chrome, Internet Explorer and Mozilla Firefox and ads labeled powered by SmartOnes while browsing the web. I’ll show how to remove SmartOnes in this blog post with the FreeFixer removal tool.

powered by SmartOnes

powered by SmartOnes banner

Here’s how SmartOnes appears in Firefox and Internet Explorer:

SmartOnes in the Firefox add-ons manager

SmartOnes in the Internet Explorer add-ons menu

SmartOnes is distributed by a strategy called bundling. Bundling means that a piece of software is included in other software’s installers. When I first found SmartOnes, it was bundled with a download claiming to be an episode of the Game of Thrones TV series. Here’s how it appeared in the installer where I found it:

smartones bundled

Generally, you can avoid bundled software such as SmartOnes by being careful when installing software and declining the bundled offers in the installer.

As always when I test some new bundled software, I uploaded it to VirusTotal to see if the anti-viruses there detect anything. 4 of the scanners detected the file. MultiPlug seems to be the common detection name.

smartones virustotal

The SmartOnes removal with FreeFixer is straightforward. Check all the SmartOnes items for removal and click fix. Here’s a few screenshots from the removal that should help you:

smartones chrome

smartones firefox remove

SmartOnes Internet Explorer remove

To remove the Chrome extension, type in chrome://extensions/ in Chrome’s address bar.

Hope this helped you remove the SmartOnes adware.

Any idea how SmartOnes was installed on your computer? Please share by posting a comment. Thanks a bunch!

Thank you for reading and welcome back.

Remove GoSave – Ads by GoSave Removal Instructions

Morning readers! I just found a new adware called GoSave. This appears to be a variant of the GoSaveNow adware that I wrote about yesterday. If you got GoSave on your machine, you will see ads labeled Ad by GoSave, Ads by GoSave or Brought by GoSave. Here’s a few examples of the ads I noticed when GoSave was installed on my machine:

Brought by GoSave ads inserted into a web page

Ad by GoSave inserted into a webpage in firefox

Banner labeled "Ad by GoSave"

You can also see GoSave in your web browser’s add-on menu:

GoSave in Firefox's add-on menu

GoSave is currently bundled with a large number of downloads. Here’s how it was disclosed in one of the installers:

gosave installer

If you’d like to remove GoSave you can do so with the freeware FreeFixer tool. Select the GoSave files for removal in FreeFixer, click Fix, reboot your machine and the ad problem will be gone. Here’s a few screenshots to point you in the right direction:

gosave internet explorer

gosave firefox extension

gosave chrome extension

GoSave is often installed with three other unwanted programs called GS_Booster, GS_Sustainer 1.80 and YoutubeAdBlocke that you probably want to remove too.

Hope you found this useful.

Any idea how GoSave was installed on your machine? Please share in the comments below.

GS_Booster and GS_Sustainer 1.80 – Removal Instructions

Did something called GS_Booster and GS_Sustainer 1.80 appear on your machine? These two programs often appear with an adware called Gosavenow which I’ve written about earlier today. Here’s the scan result from VirusTotal for the file:

GS_booster.exe virustotal

You can remove GS_Booster and GS_Sustainer 1.80 with the FreeFixer removal tool. All you need to do is to check the GS_Booster and GS_Sustainer 1.80 files in the scan result and click the Fix button. Here’s a few screenshots that should help you along the way:

GS_Sustainer 1.80

GS_Booster.exe scheduled task

GS_Booster.exe process

GS_Booster rundll

Hope that helped you with the removal.

Any idea how you got GS_Booster and GS_Sustainer 1.80 on your machine? Please share by posting a comment.
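The screenshots above show GS_Booster surviving as a scheduled task, a running process and a rundll32 command line. The script below is an added example, not code from this blog or from FreeFixer, that lists those three kinds of traces so you can confirm the removal took; the name pattern comes from this post, everything else is an assumption.

```powershell
# Added example (not from the FreeFixer blog). Reports scheduled tasks, processes and
# rundll32 command lines that reference GS_Booster or GS_Sustainer. Read-only: it only
# lists what it finds. Run in an elevated PowerShell to see all users' tasks.
function Find-AdwareTraces {
    param([string]$Pattern = 'GS_Booster|GS_Sustainer')   # names from this post

    # Scheduled tasks whose action runs the file directly or hands it to rundll32
    $tasks = Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object {
        $_.Actions | Where-Object { ($_.Execute + ' ' + $_.Arguments) -match $Pattern }
    } | ForEach-Object {
        $action = ($_.Actions | ForEach-Object { $_.Execute + ' ' + $_.Arguments }) -join '; '
        [pscustomobject]@{ Kind = 'ScheduledTask'; Name = $_.TaskPath + $_.TaskName; Detail = $action }
    }

    # Live processes, including rundll32.exe instances hosting a DLL by that name
    $procs = Get-CimInstance Win32_Process | Where-Object {
        ($_.Name + ' ' + $_.CommandLine) -match $Pattern
    } | ForEach-Object {
        [pscustomobject]@{ Kind = 'Process'; Name = "$($_.Name) (PID $($_.ProcessId))"; Detail = $_.CommandLine }
    }

    # @() guards keep the sum an array even when one list is empty
    @($tasks) + @($procs)
}

$traces = Find-AdwareTraces
if ($traces.Count -eq 0) {
    'No scheduled task or process matching the pattern was found.'
} else {
    $traces | Format-Table -AutoSize -Wrap
}
```

If the task is still listed after the FreeFixer run, a reboot is usually what completes the removal, as the posts above note.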