Tag Archives: MultiPlug

Remove Ads By GoSaveNow – Adware Removal Instructions

Are you seeing ads labelled Ads By GoSaveNow, Ad By GoSaveNow or Brought by GosaveNow? Do you also see links inserted into the web page that have a small green icon and say “Click to Continue > by Gosavenow”? If so, you have the GosaveNow adware installed on your machine. I’ll show how to remove Gosavenow in this blog post with the FreeFixer removal tool.

I’ve also found a variant of this adware called GoSave.

Here are a few examples of what the Gosavenow ads look like:

Ad by Browser Shop Ad by Gosavenow

The Gosavenow ads also appear on search engines such as Google:

Ad by Gosavenow on the Google search engine ads by gosavenow

The following Gosavenow ad was inserted on Wikipedia.org:

brought by GoSaveNow Click to continue by Gosavenow

Gosavenow installs itself in Internet Explorer, Mozilla Firefox and Google Chrome. You can spot it if you open up the add-ons manager in the web browsers.

Gosavenow 1.8 Chrome browser extension. Gosavenow 1.8 in Firefox.

Some of the antivirus programs are detecting the GosaveNow adware, but the detection rate is rather low. Only 4 of the 55 anti-virus scanners at VirusTotal detected it. That’s a 7% detection rate. MultiPlug seems to be the common detection name:

gosavenow virustotal report: MultiPlug

So, the GosaveNow removal. You can easily remove GosaveNow with FreeFixer. Just select the Gosavenow files for removal and click the Fix button. You may have to reboot your machine to complete the removal:

gsbooster.exe process gosavenow firefox extension GosaveNow chrome extension gosavenow bho

That’s it. Hope that helped you uninstall GosaveNow.

Did you also get GosaveNow on your machine? Any idea how it was installed? Please share by posting a comment below.

Thank you for reading!

Oleh Aleksyuk – Stay away from files signed by this publisher!

Hello readers, just wanted to warn you about a publisher called Oleh Aleksyuk. I downloaded a file that claimed to be an e-book, but instead the file had an .exe extension and was digitally signed by someone named Oleh Aleksyuk. When launching the file, a bunch of bundled programs were offered in the installer. EZDownloader, SW-Booster and Adblocker were some of the programs that appeared after running the file.

Oleh Aleksyuk

The digital certificate appears to be rather new. It’s valid from the 24th of June, 2014. According to the certificate, Oleh Aleksyuk is located in Russia.

Oleh Aleksyuk certificate. Valid from 24 june 2014.

Currently the detection rate for the Oleh Aleksyuk file is very low. When I uploaded the file to VirusTotal, only MalwareBytes detected the file. The detection name is PUP.Optional.MultiPlug. It will be interesting to see if the other anti-virus programs will detect it in the future.

Oleh Aleksyuk virustotal report

Did you also find a file digitally signed by Oleh Aleksyuk? Do you remember where you downloaded it? Please share by posting a comment.

TinyWallet – Removal Instructions

Yesterday I was playing around with one of those installers that usually bundle a bunch of adware. Found a new one called TinyWallet. TinyWallet installs itself as an add-on in Firefox, Internet Explorer and Chrome. If you got this on your machine, you will see ads labeled “Ad by TinyWallet” and “Powered by TinyWallet”.

Powered by TinyWallet

Ad by TinyWallet

Here’s how TinyWallet appears in Firefox’s add-ons menu:

TinyWallet firefox add-on

Tiny Wallet appears to be brand new. The tinywallet.net domain was registered 6 days ago, on the 4th of August, 2014.

tinywallet.net web site

According to the web site, TinyWallet will:

offer you the best deals with the lowest prices, from coupons, to discounts and the hottest sales. .. It shall offer you suitable coupons and discounts whilst you are shopping

Some of the anti-virus scanners are already picking up the TinyWallet files according to VirusTotal. Preloader, PreLoad and MultiPlug are some of the detection names.

tinywallet virustotal

Removing TinyWallet is easy. Just uninstall it from the Add/Remove programs dialog, or select the TinyWallet files for removal in FreeFixer.

TinyWallet uninstall

TinyWallet browser helper object TinyWallet firefox extension

Did you also have TinyWallet on your machine? Any idea how it got there?

Update 2014-09-22: Here’s how TinyWallet is disclosed in one of the installers that bundled it:

tinywallet installer

CouponSupport – Removal Instructions

Just found another piece of adware, called CouponSupport. As usual with this type of software, it was bundled with another software download. If you have this little CouponSupport bugger running on your machine, you’ll see couponsupport.exe running in the background in the Windows Task Manager.

The detection rate for couponsupport.exe is impressive. 41 of 50 anti-virus programs detected it. Trojan.Cafelom, Gen:Variant.Symmi, PUP.Optional.MultiPlug.A and ZBot are some of the detection names.

Regarding the removal, there is an entry in the Add/Remove programs dialog, but I have not tried it. Notice the faked “Installed On” date in the screenshot. It was installed today, the 8th of August 2014, not in 2012.

couponsupport uninstall
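
The backdated "Installed On" date can be checked for in bulk. The following is an added example, not part of the original post or of FreeFixer: it assumes the date shown in the Add/Remove programs dialog comes from the InstallDate registry value (format yyyyMMdd) and flags entries whose claimed date is much older than the creation time of their install folder. The 30-day tolerance is an arbitrary assumption.

```powershell
# Added example (not from the original post).
# Registry locations that feed the Add/Remove programs list.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$toleranceDays = 30   # assumption: gap (in days) that is worth a closer look

Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { "$($_.InstallDate)" -match '^\d{8}$' -and $_.InstallLocation } |
    ForEach-Object {
        $folder = $_.InstallLocation.Trim('"')
        if (-not (Test-Path -LiteralPath $folder)) { return }

        try {
            # Date the entry claims it was installed on.
            $claimed = [datetime]::ParseExact([string]$_.InstallDate, 'yyyyMMdd',
                [cultureinfo]::InvariantCulture)
        } catch {
            return   # not a real calendar date, e.g. 00000000
        }

        # Date the install folder was actually created on this disk.
        $created = (Get-Item -LiteralPath $folder -Force).CreationTime
        $gapDays = ($created - $claimed).Days

        if ($gapDays -gt $toleranceDays) {
            [pscustomobject]@{
                Name          = $_.DisplayName
                ClaimedDate   = $claimed.ToString('yyyy-MM-dd')
                FolderCreated = $created.ToString('yyyy-MM-dd')
                GapDays       = $gapDays
                Folder        = $folder
            }
        }
    } |
    Sort-Object GapDays -Descending |
    Format-Table -AutoSize -Wrap
```

Entries without an InstallLocation are skipped, and a legitimate program reinstalled into a fresh folder can also show up, so treat the output as a list of entries to inspect rather than a verdict.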

You can also remove it with FreeFixer with a few clicks. Select the couponsupport.exe file and scheduled task for removal as shown in the screenshots below. You may have to restart your machine to complete the removal.

couponsupport.exe file couponsupport.exe process

Did you also get CouponSupport on your machine? Any idea how you got it?

Igor Kramoren – Warning for files signed by this publisher!

Stumbled on a file this morning, digitally signed by Igor Kramoren.

Igor Kramoren Certificate Igor Kramoren publisher

The issue with the Igor Kramoren file is that it is detected by many of the anti-virus programs. Here are some of the detection names:

  • BitDefender Gen:Variant.Zusy.100672
  • DrWeb Trojan.Siggen6.21336
  • ESET-NOD32 a variant of Win32/AdWare.MultiPlug.AQ
  • F-Secure Gen:Variant.Zusy.100672
  • Ikarus AdWare.Graftor
  • Malwarebytes PUP.Optional.InstallRex
  • McAfee PUP-FMH
  • Panda Trj/Kazy.AS

Did you also find a file digitally signed by Igor Kramoren? What kind of download was it and where did you find it?

 

Coupigo Adware Removal Instructions

Seems like there’s a lot of new adware variants popping up right now. Found a new one called Coupigo this morning. Coupigo adds itself into Firefox and Internet Explorer. Here’s how it appears in Firefox:

Coupigo Adware in Mozilla Firefox Add-ons Manager

FreeFixer can remove Coupigo with a few clicks. Just select the Coupigo files in the scan result and then hit the Fix button. Problem solved.

Coupigo Adware in Internet Explorer Coupigo Adware listed as a Firefox Extension

The anti-virus programs are clearly aware of the Coupigo adware. Just check out the detection result from VirusTotal. Graftor and MultiPlug seem to be the most common detection names. I’d say 33/53 is pretty good:

Coupigo detections at virus total - Graftor - MultiPlug

How did you get the Coupigo adware on your machine?

Daneil Jemoch Publisher – WARNING!

Just a quick post before starting today’s programming on the FreeFixer tool. This is the second time I have spotted a file digitally signed by Daneil Jemoch that bundles lots of unwanted programs. Thought I should warn you and hopefully save you from some unnecessary adware cleaning. You can see Daneil Jemoch appear as the publisher when running the file, as shown below.

Daneil Jemoch Publisher - Excellent4App Daneil Jemoch publisher

You can also check who signed a file by checking the digital signature tab. The screenshot below shows the Daneil Jemoch certificate. From the certificate info we can see that Daneil Jemoch appears to be located in Kiev, Ukraine.

daniel-jemoch-digital-signature

Daneil Jemoch, Kiev, Ukraine
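
The same signer check can be run over a whole folder from PowerShell instead of opening the digital signature tab file by file. This is an added example, not part of the original post or of FreeFixer; the watchlist holds the three publisher names from the posts on this page, and the Downloads folder is an assumed scan location.

```powershell
# Added example (not from the original post).
# Publisher names taken from the posts on this page.
$watchlist = 'Oleh Aleksyuk', 'Igor Kramoren', 'Daneil Jemoch'

# Assumption: downloaded installers live in the user's Downloads folder.
$scanRoot = Join-Path $env:USERPROFILE 'Downloads'

$simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

Get-ChildItem -Path $scanRoot -Recurse -File -Include *.exe, *.msi, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $cert = $sig.SignerCertificate
        if ($null -eq $cert) { return }   # unsigned file, no publisher to compare

        # The name shown as "publisher" in the UAC prompt and the signature tab.
        $publisher = $cert.GetNameInfo($simpleName, $false)

        [pscustomobject]@{
            OnWatchlist = $watchlist -contains $publisher
            Publisher   = $publisher
            ValidFrom   = $cert.NotBefore.ToString('yyyy-MM-dd')
            Status      = $sig.Status      # Valid only means the signature verifies
            Subject     = $cert.Subject    # includes the location fields (L=, C=)
            File        = $_.FullName
        }
    } |
    Sort-Object OnWatchlist -Descending |
    Format-Table -AutoSize -Wrap
```

A Status of Valid says the file was signed by that certificate and not altered afterwards; it says nothing about whether the publisher is trustworthy, which is why the publisher name and the certificate's start date are listed next to it.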

The anti-virus programs have a decent detection rate for the Daneil Jemoch file:

Daneil Jemoch virus total

The anti-virus scanners refer to the file as Graftor, MultiPlug and InstalleRex.

Where did you find the Daneil Jemoch signed file?

Hope you found this post useful. Please let me know by posting a comment.