Monthly Archives: July 2015

Roman Ershov – 18% Detection Rate Says VirusTotal

Welcome! Just wanted to give you the heads up on files digitally signed by Roman Ershov.

Roman Ershov pop up

The certificate is issued by Certum Code Signing CA. Mr Ershov appears to be located in Russia.

Roman Ershov certificate

The reason I’m writing this blog post is that the Roman Ershov file is detected by many of the anti-malware programs at VirusTotal. Avast classifies Download.exe as Win32:FakeDownload-G [PUP], Avira names it TR/Crypt.XPACK.Gen, Microsoft classifies it as SoftwareBundler:Win32/InstalleRex and VIPRE classifies it as MultiPlug (v).

Roman Ershov anti-virus report

Did you also find a Roman Ershov file? What kind of download was it?

Thanks for reading.

Ostap Hohlov – 39% Detection Rate – MultiPlug / MPlug / InstalleRex

Hello! Just wanted to give you the heads up on files digitally signed by Ostap Hohlov.

Ostap Hohlov publisher

It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the Ostap Hohlov certificate.

Ostap Hohlov certificate

The problem with the Ostap Hohlov file is that it is detected by many of the anti-malware programs. Here are some of the detection names: Win32:FakeDownload-G [PUP], Gen:Variant.Adware.MPlug.62, PUP.Optional.MultiPlug, SoftwareBundler:Win32/InstalleRex and MultiPlug (v).

Ostap Hohlov anti-virus report

Did you also run into a download that was digitally signed by Ostap Hohlov? What kind of download was it and was it detected by the anti-malwares at VirusTotal? Please share by posting a comment.

Thank you for reading.

Remove ib.adnxs.com from Firefox, Chrome and Internet Explorer

This page shows how to remove ib.adnxs.com from Mozilla Firefox, Google Chrome and Internet Explorer.

Does this sound familiar? You see ib.adnxs.com in your browser’s status bar while browsing web sites that generally don’t load any content from third party domains. Perhaps the ib.adnxs.com domain appears when performing a search at the Google search engine?

Here’s a screenshot of ib.adnxs.com when it showed up on my computer:

ib.adnxs.com

(I know, lots of watermarks. Have to do it to stop the copy-cats.)

The following are some of the status bar messages you may see in your browser’s status bar:

  • Waiting for ib.adnxs.com…
  • Transferring data from ib.adnxs.com…
  • Looking up ib.adnxs.com…
  • Read ib.adnxs.com
  • Connected to ib.adnxs.com…

If this description sounds like what you are seeing, you presumably have some potentially unwanted program installed on your system that makes the ib.adnxs.com domain appear in your browser. Contacting the owner for the site you were at would be a waste of time. The ib.adnxs.com statusbar messages are not coming from them. I’ll do my best to help you with the ib.adnxs.com removal in this blog post.

I found ib.adnxs.com on one of the lab systems where I have some potentially unwanted programs running. I’ve talked about this in some of the previous blog posts. The potentially unwanted programs were installed on purpose, and from time to time I check if something new has appeared, such as pop-up windows, new tabs in the browsers, injected ads on web sites that usually don’t show ads, or new files that have been saved to the hard drive.

ib.adnxs.com was registered on 2008-05-27. ib.adnxs.com resolves to the 68.67.153.211 address. adnxs.net is located on the same IP.

So, how do you remove ib.adnxs.com from your browser? On the machine where ib.adnxs.com showed up in the status bar I had YouTubeAdBlocke, SalePlus and IStart 5.3.7 installed. I removed them with FreeFixer and that stopped the browser from loading data from ib.adnxs.com.

Judging from Alexa’s traffic rank, ib.adnxs.com is getting quite a lot of traffic:

adnxs.com traffic

The bad news with this type of status bar message is that it can be caused by many variants of potentially unwanted programs, not just the potentially unwanted program that’s installed on my system. This makes it impossible to say exactly what you need to remove to stop the status bar messages.

Anyway, here’s my suggestion for the ib.adnxs.com removal:

The first thing I would do to remove ib.adnxs.com is to examine the programs installed on the machine, by opening the “Uninstall programs” dialog. You can open this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows OS you can just type in “uninstall” in the Control Panel’s search field to find that dialog:
Uninstall a program search

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Uninstall a program dialog

Do you see something suspicious in there or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if something was installed approximately about the same time as you started seeing the ib.adnxs.com statusbar messages.

Then I would check the web browser add-ons. Potentially unwanted programs often show up under the add-ons menu in Google Chrome, Mozilla Firefox, Internet Explorer, Safari or Opera. Is there something that looks suspicious? Something that you don’t remember installing?
Firefox add-ons manager

I think you will be able to identify and uninstall the potentially unwanted program with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the potentially unwanted program. FreeFixer is a freeware tool that I started developing many years ago. FreeFixer is a tool built to manually track down and uninstall unwanted software. When you’ve identified the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.
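The two manual steps above (sort the “Uninstall a program” dialog on “Installed On”, then go through the browser add-ons) can be done from PowerShell as well. The script below is an added example and is not FreeFixer’s code; it reads the same registry Uninstall keys the Control Panel dialog reads and, for Chrome, the manifest.json of each installed extension. The watchlist names are the three programs the post found on its lab machine, and the Chrome profile path is the default location, so adjust both for your machine.

```powershell
# Added example (not FreeFixer's code): surface recently installed programs and
# Chrome extensions so that something installed around the time the
# ib.adnxs.com status-bar messages began stands out.

function Get-RecentInstalls {
    param(
        # Only list programs installed within this many days (entries on the
        # watchlist are always listed, whatever their install date).
        [int]$Days = 30,
        # Constructed watchlist: the names the blog post found on its lab machine.
        [string[]]$Watchlist = @('YouTubeAdBlocke', 'SalePlus', 'IStart')
    )

    # Same keys the "Uninstall a program" dialog reads (64-bit, 32-bit, per-user).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $cutoff = (Get-Date).AddDays(-$Days)

    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            $name = $_.DisplayName
            # InstallDate is a yyyyMMdd string and is often absent; such entries
            # keep a $null date and only show up if they are on the watchlist.
            $installed = $null
            if ($_.InstallDate -match '^\d{8}$') {
                $installed = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
            }
            $hit = @($Watchlist | Where-Object { $name -like "*$_*" }).Count -gt 0
            [pscustomobject]@{
                Name        = $name
                Publisher   = $_.Publisher
                Installed   = $installed
                OnWatchlist = $hit
                Uninstall   = $_.UninstallString   # what the dialog runs on "Uninstall"
            }
        } |
        Where-Object { $_.OnWatchlist -or ($_.Installed -and $_.Installed -ge $cutoff) } |
        Sort-Object Installed -Descending
}

function Get-ChromeExtensions {
    # Default profile location; pass another profile directory if needed.
    param([string]$ProfileDir = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default")

    # Layout is Extensions\<extension id>\<version>\manifest.json.
    Get-ChildItem -Path (Join-Path $ProfileDir 'Extensions') -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            $id = $_.Name
            Get-ChildItem -Path $_.FullName -Filter manifest.json -Recurse -ErrorAction SilentlyContinue |
                ForEach-Object {
                    $manifest = Get-Content -Path $_.FullName -Raw | ConvertFrom-Json
                    [pscustomobject]@{ Id = $id; Name = $manifest.name; Version = $manifest.version }
                }
        }
}

# Usage:
Get-RecentInstalls -Days 30 | Format-Table -AutoSize
Get-ChromeExtensions | Format-Table -AutoSize
```

Two things to keep in mind when reading the output: a program that omits InstallDate will not appear in the recent list unless it matches the watchlist, so an empty result does not mean nothing was installed, and Chrome extension names that start with `__MSG_` are localisation placeholders whose real name lives in the extension’s `_locales` folder. Neither list is a verdict; it narrows down what to look at before uninstalling anything.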

FreeFixer’s removal feature is not crippled like many other removal tools out there. It will not require you to purchase the program just when you are about to remove the unwanted files.

And if you’re having a hard time determining if a file is safe or potentially unwanted in the FreeFixer scan result, click on the More Info link for the file. That will open up your browser with a page which contains additional information about the file. On that web page, check out the VirusTotal report which can be very useful:

FreeFixer More Info link example
An example of FreeFixer’s “More Info” links. Click for full size.

Did this blog post help you to remove ib.adnxs.com? Please let me know, or tell me how I can improve this blog post.

Thank you!

Oleg Odincov – VirusTotal Reports “MultiPlug”

Hello readers! Just a quick post on a publisher called Oleg Odincov that I found while running some tests for the upcoming FreeFixer release.

Here is how Oleg Odincov appears in the UAC dialog when double-clicking on the file:

Oleg Odincov publisher

I’m still waiting on the results from VirusTotal, but it sure looks like another variant of the unwanted MultiPlug software.

Oleg Odincov certificate

Did you also find an Oleg Odincov? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thanks for reading.

Random Pop-Ups and Domains – July 2015

Sorry for the lack of posts lately. I’m still short on time here, so I’ll just summarise some stuff I found lately:

Pop-ups from lp.leveltrade.com:

lp.leveltrade.com

Pop-ups from bbcc-news.com:

bbcc-news.com

And pop-ups from vinnarum.com:

vinnarum.com

Here’s a few domains you may see in the browser’s status bar or in the network log if you have adware or other types of potentially unwanted software installed on your machine:

  • xlj.candlespeediest.com
  • js.neoprodevsrv.com
  • logs.neoprodevsrv.com
  • app.neoprodevsrv.com
  • js.keybufferbox.com
  • app.keybufferbox.com
  • logs.keybufferbox.com
  • zpn.gobetweenwhere.com
  • xao.ribaldcruciate.com
  • static.icmwebserv.com
  • search.gogorithm.com
  • zff.attitudespoliceman.com
  • fwa.gasketcobwebs.com
  • igf.allegingmemorandum.com
  • app.globalnodemax.com
  • logs.globalnodemax.com
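The status-bar messages in the ib.adnxs.com post and the domain list above are both things a practitioner would rather check against a network log than wait to spot in the browser. The function below is an added example, not code from the blog: it takes log lines (a proxy or DNS log, or a browser’s network export), pulls out every host name, and reports the ones that fall under the adware domains named in these posts. It matches on the parent domain so that a subdomain not listed here (say a hypothetical cdn.neoprodevsrv.com) is still caught. The sample log lines are constructed for the example and are not real traffic.

```powershell
# Added example (not from the blog): flag log lines that contact the adware
# domains listed in the July 2015 posts. A hit on a machine browsing sites that
# load no third-party content is the symptom the ib.adnxs.com post describes.

function Find-AdwareDomains {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$LogLines,
        # Domains taken from the posts on this page.
        [string[]]$Watchlist = @(
            'ib.adnxs.com', 'xlj.candlespeediest.com', 'js.neoprodevsrv.com',
            'logs.neoprodevsrv.com', 'app.neoprodevsrv.com', 'js.keybufferbox.com',
            'app.keybufferbox.com', 'logs.keybufferbox.com', 'zpn.gobetweenwhere.com',
            'xao.ribaldcruciate.com', 'static.icmwebserv.com', 'search.gogorithm.com',
            'zff.attitudespoliceman.com', 'fwa.gasketcobwebs.com',
            'igf.allegingmemorandum.com', 'app.globalnodemax.com', 'logs.globalnodemax.com'
        )
    )

    # Reduce each watchlist entry to its last two labels (ib.adnxs.com -> adnxs.com)
    # so any subdomain of the same registered domain is matched.
    $parents = $Watchlist |
        ForEach-Object { ($_ -split '\.')[-2..-1] -join '.' } |
        Sort-Object -Unique

    foreach ($line in $LogLines) {
        # Every host-looking token in the line; works for full URLs and bare names.
        $names = [regex]::Matches($line, '(?i)\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b') |
            ForEach-Object { $_.Value.ToLower() }

        foreach ($name in $names) {
            $parent = ($name -split '\.')[-2..-1] -join '.'
            if ($parents -contains $parent) {
                [pscustomobject]@{ Host = $name; Family = $parent; Line = $line }
            }
        }
    }
}

# Constructed sample lines in a proxy access-log shape (not real traffic):
$sample = @(
    '1436000001.123 10.0.0.5 TCP_MISS/200 GET http://www.example.org/index.html',
    '1436000002.456 10.0.0.5 TCP_MISS/200 GET http://ib.adnxs.com/ttj?id=1234',
    '1436000003.789 10.0.0.5 TCP_MISS/200 GET http://cdn.neoprodevsrv.com/loader.js',
    '1436000004.012 10.0.0.5 TCP_MISS/200 GET http://www.example.org/style.css'
)

# Reports the ib.adnxs.com and cdn.neoprodevsrv.com lines; the example.org lines are silent.
Find-AdwareDomains -LogLines $sample | Format-Table -AutoSize
```

The two-label parent rule is deliberately simple: it is right for every domain on this page but would lump all of `co.uk` together, so extend it with a public-suffix list before using it on a general watchlist. As the post notes, the same domains can be contacted by many different unwanted programs, so a hit tells you that something on the machine is injecting ads, not which program; the uninstall steps in the ib.adnxs.com post are where to go from there.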

Normands, LLC – Detected as Terkcop and MultiPlug

Hello readers! I was playing around and testing some downloads when I found a file signed by Normands, LLC.

This is how Normands, LLC appears when running the file:

Normands LLC publisher

The certificate is issued by GlobalSign CodeSigning CA – SHA256 – G2. Normands seems to be located in Ukraine.

Normands, LLC certificate

21 of the scanners detected the file. The Download Uc Browser V Handler Zip.exe file is detected as Win32:FakeDownload-G [PUP] by Avast, Gen:Variant.Adware.Terkcop.32 by BitDefender, HW32.Packed.D625 by Bkav, a variant of Win32/Adware.MultiPlug.NI by ESET-NOD32, W32/S-a467db7e!Eldorado by F-Prot, Gen:Variant.Adware.Terkcop by F-Secure and Trojan.Win32.WebPick.dujvsa by NANO-Antivirus.

Normands, LLC anti-virus report

Did you also find a Normands, LLC file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thanks for reading.

Vladislav Mastenko – 38% Detection – Terkcop / MultiPlug

Welcome! Just a short note on a publisher called Vladislav Mastenko.

Vladislav Mastenko publisher

If you have a Vladislav Mastenko file on your computer you may have noticed that Vladislav Mastenko pops up as the publisher in the User Account Control dialog when running the file. To view more information about the embedded certificate you can right-click on the file, then choose Properties and then select the Digital Signatures tab. According to the certificate we can see that Vladislav Mastenko seems to be located in Ukraine and that the certificate is issued by DigiCert Assured ID Code Signing CA-1.
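Every post on this page reads the same three things off the Digital Signatures tab: the publisher name shown in the UAC prompt, the issuing CA, and the country in the certificate subject. The function below is an added example, not FreeFixer’s code; it reads those fields with Get-AuthenticodeSignature and also computes the file’s SHA256 so the sample can be looked up on VirusTotal by hash. The file path is a placeholder.

```powershell
# Added example (not FreeFixer's code): the Digital Signatures tab, from PowerShell.
# Point -Path at the file you found; the path in the usage line is a placeholder.

function Get-SignerSummary {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash   # for a VirusTotal hash lookup

    $summary = [ordered]@{
        File      = $Path
        SHA256    = $hash
        Status    = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
        Publisher = $null
        Issuer    = $null
        Country   = $null
        ValidFrom = $null
        ValidTo   = $null
    }

    if ($sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        # CN of the subject: the name Windows shows as "Publisher" in the UAC dialog.
        $summary.Publisher = $cert.GetNameInfo('SimpleName', $false)
        # CN of the issuer: the code-signing CA (Certum, DigiCert, GlobalSign, thawte ... in these posts).
        $summary.Issuer    = $cert.GetNameInfo('SimpleName', $true)
        # The C= attribute is what the posts use to say where a publisher "appears to be located".
        if ($cert.Subject -match '(?:^|,\s*)C=([A-Z]{2})') { $summary.Country = $Matches[1] }
        $summary.ValidFrom = $cert.NotBefore
        $summary.ValidTo   = $cert.NotAfter
    }

    [pscustomobject]$summary
}

# Usage (placeholder path):
Get-SignerSummary -Path 'C:\Users\Me\Downloads\Download.exe' | Format-List
```

Read the Status field for what it is: Valid means the file has not been modified since it was signed and the certificate chains to a trusted root, nothing more. Every file on this page carries a valid signature from a well-known CA and is still flagged by a third to a half of the VirusTotal engines, so the signature tells you who to name in a blog post, and the hash lookup tells you whether to run the file.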

Vladislav Mastenko cert

I decided to upload the Vladislav Mastenko file to VirusTotal. Currently, the detection rate is 21/56. Gen:Variant.Adware.Terkcop.32, Win32:FakeDownload-G [PUP], Gen:Variant.Adware.Terkcop.32 and a variant of Win32/Adware.MultiPlug.NI are some of the detection names.

Vladislav Mastenko virustotal

Did you also find a file digitally signed by Vladislav Mastenko? What kind of download was it and where did you find it?

Thanks for reading.

SAfe downlOAd gtL – 52% Detection Rate – Outbrowse

Hello readers! Just wanted to let you know about a publisher called SAfe downlOAd gtL before going back to writing some code for FreeFixer.

The following screenshot shows the User Account Control dialog when running the SAfe downlOAd gtL file:

SAfe downlOAd gtL publisher

By examining the certificate, we can see that SAfe downlOAd gtL is located in Dublin, Ireland. The certificate is issued by thawte SHA256 Code Signing CA.

SAfe downlOAd gtL cert

The reason I’m writing this blog post is that the SAfe downlOAd gtL file is detected by many of the anti-malwares at VirusTotal. ESET-NOD32 classifies Player.exe as a variant of Win32/OutBrowse.CB potentially unwanted, Malwarebytes detects it as PUP.Optional.Outbrowse and Sophos calls it Generic PUA OC.

SAfe downlOAd gtL anti-virus report

Did you also find a SAfe downlOAd gtL file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thank you for reading.

VLADIMIR MASLOV – 54% Detection Rate – Adware.Terkcop / MultiPlug / Graftor / Eldorado

Hello readers! If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. Today I found another publisher called VLADIMIR MASLOV.

VLADIMIR MASLOV publisher

If you have a VLADIMIR MASLOV file on your computer you may have noticed that VLADIMIR MASLOV pops up as the publisher in the User Account Control dialog when running the file. The certificate information can also be viewed from Windows Explorer. The screenshot below shows the VLADIMIR MASLOV certificate. From the certificate info we can see that VLADIMIR MASLOV appears to be located in Minsk, Belarus.

VLADIMIR MASLOV cert

If you are considering running the VLADIMIR MASLOV signed file, I’d advise you not to. Delete it instead. Just check out the detection list from some of the anti-virus programs:

ClamAV classifies Download Uc Browser V Handler Zip.exe as Win.Adware.Graftor-1196, F-Prot calls it W32/S-bb33fd8b!Eldorado, F-Secure detects it as Gen:Variant.Adware.Terkcop, Microsoft classifies it as SoftwareBundler:Win32/InstalleRex and Sophos detects it as MultiPlug.

VLADIMIR MASLOV virus total

Did you also find a VLADIMIR MASLOV file? Do you remember where you downloaded it?

Thank you for reading.

DMN Partners SRL – 30% Detection Rate – GetNow / LiveSoftAction / Downware

Hello readers! Just a quick post today, since I’m busy working with the next release of FreeFixer. Did you see a file, such as provided through Diplodocs.exe, on your system digitally signed by DMN Partners SRL? Then read on.

DMN Partners SRL publisher

You can look at the DMN Partners SRL certificate and digital signature by looking under the Digital Signatures tab on the file’s properties. According to the certificate, DMN Partners SRL is located in Bucharest, Romania.

DMN Partners SRL cert

The reason I’m writing this blog post is that the DMN Partners SRL file is detected by many of the anti-malware software at VirusTotal. Avira reports provided through Diplodocs.exe as PUA/GetNow.Gen, ESET-NOD32 names it a variant of Win32/GetNow.I potentially unwanted, McAfee-GW-Edition detects it as BehavesLike.Win32.LiveSoftAction.jc and NANO-Antivirus reports Riskware.Win32.Downware.duemgn.

DMN Partners SRL virustotal

Since you probably came here after finding a download that was digitally signed by DMN Partners SRL, please share what kind of download it was and if it was reported by the anti-malwares at VirusTotal.

Thanks for reading.