Welcome! Just wanted to give you the heads up on files digitally signed by Roman Ershov.
The certificate is issued by Certum Code Signing CA. Mr Ershov appears to be located in Russia.
The reason I’m writing this blog post is that the Roman Ershov file is detected by many of the anti-malware programs at VirusTotal. Avast classifies Download.exe as Win32:FakeDownload-G [PUP], Avira names it TR/Crypt.XPACK.Gen, Microsoft classifies it as SoftwareBundler:Win32/InstalleRex and VIPRE classifies it as MultiPlug (v).
Did you also find a Roman Ershov file? What kind of download was it?
Hello! Just wanted to give you the heads up on files digitally signed by Ostap Hohlov.
It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the Ostap Hohlov certificate.
The problem with the Ostap Hohlov file is that it is detected by many of the anti-malware programs. Here are some of the detection names: Win32:FakeDownload-G [PUP], Gen:Variant.Adware.MPlug.62, PUP.Optional.MultiPlug, SoftwareBundler:Win32/InstalleRex and MultiPlug (v).
Did you also run into a download that was digitally signed by Ostap Hohlov? What kind of download was it and was it detected by the anti-malwares at VirusTotal? Please share by posting a comment.
This page shows how to remove ib.adnxs.com from Mozilla Firefox, Google Chrome and Internet Explorer.
Does this sound familiar? You see ib.adnxs.com in your browser’s status bar while browsing web sites that generally don’t load any content from third party domains. Perhaps the ib.adnxs.com domain appears when performing a search at the Google search engine?
Here’s a screenshot of ib.adnxs.com when it showed up on my computer:
(I know, lots of watermarks. Have to do it to stop the copy-cats.)
The following are some of the status bar messages you may see in your browser’s status bar:
Waiting for ib.adnxs.com…
Transferring data from ib.adnxs.com…
Looking up ib.adnxs.com…
Connected to ib.adnxs.com…
If this description sounds like what you are seeing, you presumably have some potentially unwanted program installed on your system that makes the ib.adnxs.com domain appear in your browser. Contacting the owner for the site you were at would be a waste of time. The ib.adnxs.com statusbar messages are not coming from them. I’ll do my best to help you with the ib.adnxs.com removal in this blog post.
I found ib.adnxs.com on one of the lab systems where I have some potentially unwanted programs running. I’ve talked about this in some of the previous blog posts. The potentially unwanted programs were installed on purpose, and from time to time I check if something new has appeared, such as pop-up windows, new tabs in the browsers, injected ads on web sites that usually don’t show ads, or if some new files have been saved to the hard drive.
ib.adnxs.com was registered on 2008-05-27. ib.adnxs.com resolves to the 18.104.22.168 address. adnxs.net is located on the same IP.
So, how do you remove ib.adnxs.com from your browser? On the machine where ib.adnxs.com showed up in the status bar I had YouTubeAdBlocke, SalePlus and IStart 5.3.7 installed. I removed them with FreeFixer and that stopped the browser from loading data from ib.adnxs.com.
Judging from Alexa’s traffic rank, ib.adnxs.com is getting quite a lot of traffic:
The bad news with this type of status bar message is that it can be caused by many variants of potentially unwanted programs, not just the potentially unwanted program that’s installed on my system. This makes it impossible to say exactly what you need to remove to stop the status bar messages.
Anyway, here’s my suggestion for the ib.adnxs.com removal:
The first thing I would do to remove ib.adnxs.com is to examine the programs installed on the machine, by opening the “Uninstall programs” dialog. You can open this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows OS you can just type in “uninstall” in the Control Panel’s search field to find that dialog:
Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Do you see something suspicious in there or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if something was installed around the same time as you started seeing the ib.adnxs.com status bar messages.
Then I would check the web browser add-ons. Potentially unwanted programs often show up under the add-ons menu in Google Chrome, Mozilla Firefox, Internet Explorer, Safari or Opera. Is there something that looks suspicious? Something that you don’t remember installing?
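The two checks above (the “Uninstall a program” dialog sorted by install date, and the browser add-ons) can also be done from PowerShell, which is handy when the dialog is slow or when you want to paste the list into a comment. The script below is an added example written for this post, not part of FreeFixer or the original blog text. It reads the same registry Uninstall keys the dialog is built from, sorts them by install date, and lists the extensions in the default Google Chrome profile folder; the registry paths and the Chrome profile location are the standard ones, but the Chrome folder is assumed to be the default profile.

```powershell
# Added example (not FreeFixer's code). Lists installed programs, newest first, and
# Chrome extensions from the default profile, to spot things installed around the time
# the ib.adnxs.com status bar messages started.

function Get-InstalledProgramsByDate {
    # The "Uninstall a program" dialog is built from these keys (64-bit, 32-bit, per-user).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            # InstallDate is stored as yyyyMMdd text; parse it when present.
            $date = $null
            if ($_.InstallDate -match '^\d{8}$') {
                $date = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
            }
            [PSCustomObject]@{
                DisplayName     = $_.DisplayName
                Publisher       = $_.Publisher
                InstallDate     = $date
                InstallLocation = $_.InstallLocation
                UninstallString = $_.UninstallString
            }
        } |
        Sort-Object InstallDate -Descending
}

function Get-ChromeExtensions {
    # Chrome keeps each extension under Extensions\<id>\<version>\manifest.json.
    # Assumes the default profile; other profiles live in sibling "Profile N" folders.
    $root = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'
    if (-not (Test-Path $root)) { return }
    Get-ChildItem -Path $root -Directory | ForEach-Object {
        $id = $_.Name
        Get-ChildItem -Path $_.FullName -Filter manifest.json -Recurse -File |
            ForEach-Object {
                $manifest = Get-Content -Path $_.FullName -Raw | ConvertFrom-Json
                [PSCustomObject]@{
                    Id      = $id
                    Name    = $manifest.name
                    Version = $manifest.version
                    Path    = $_.DirectoryName
                }
            }
    }
}

# Show the 15 most recently installed programs and every Chrome extension.
Get-InstalledProgramsByDate | Select-Object -First 15 | Format-Table -AutoSize
Get-ChromeExtensions | Format-Table -AutoSize
```

Entries with no InstallDate value sort to the end, so a program that hides its install date is worth a second look rather than being ignored. Some extension manifests give a localized placeholder such as __MSG_appName__ instead of a readable name; in that case the Id and Path columns are what you compare against the add-ons page in the browser.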
I think you will be able to identify and uninstall the potentially unwanted program with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the potentially unwanted program. FreeFixer is a freeware tool that I started developing many years ago. FreeFixer is a tool built to manually track down and uninstall unwanted software. When you’ve identified the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.
FreeFixer’s removal feature is not crippled like many other removal tools out there. It will not require you to purchase the program just when you are about to remove the unwanted files.
And if you’re having a hard time determining if a file is safe or potentially unwanted in the FreeFixer scan result, click on the More Info link for the file. That will open up your browser with a page which contains additional information about the file. On that web page, check out the VirusTotal report which can be very useful:
Did this blog post help you to remove ib.adnxs.com? Please let me know, or tell me how I can improve this blog post.
Hello readers! I was playing around and testing some downloads when I found a file signed by Normands, LLC.
This is how Normands, LLC appears when running the file:
The certificate is issued by GlobalSign CodeSigning CA – SHA256 – G2. Normands seems to be located in Ukraine.
21 of the scanners detected the file. The Download Uc Browser V Handler Zip.exe file is detected as Win32:FakeDownload-G [PUP] by Avast, Gen:Variant.Adware.Terkcop.32 by BitDefender, HW32.Packed.D625 by Bkav, a variant of Win32/Adware.MultiPlug.NI by ESET-NOD32, W32/S-a467db7e!Eldorado by F-Prot, Gen:Variant.Adware.Terkcop by F-Secure and Trojan.Win32.WebPick.dujvsa by NANO-Antivirus.
Did you also find a Normands, LLC file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.
Welcome! Just a short note on a publisher called Vladislav Mastenko.
If you have a Vladislav Mastenko file on your computer you may have noticed that Vladislav Mastenko pops up as the publisher in the User Account Control dialog when running the file. To view more information about the embedded certificate you can right-click on the file, then choose Properties and then select the Digital Signatures tab. According to the certificate we can see that Vladislav Mastenko seems to be located in Ukraine and that the certificate is issued by DigiCert Assured ID Code Signing CA-1.
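The Properties > Digital Signatures route described above (and in the Ostap Hohlov post earlier on this page) can be scripted. The snippet below is an added example written for this page, not the blog author's or FreeFixer's code: it reads the Authenticode signature of a file with Get-AuthenticodeSignature, prints the signer and issuer as they appear on the certificate, and computes the SHA-256 hash you can look up on VirusTotal. The file path is an assumed placeholder.

```powershell
# Added example (not FreeFixer's code). Shows the signer, issuer and validity of a
# file's Authenticode signature, plus its SHA-256 for a VirusTotal lookup.
param(
    [string]$Path = "$env:USERPROFILE\Downloads\Download.exe"  # assumed placeholder path
)

if (-not (Test-Path -Path $Path -PathType Leaf)) {
    throw "File not found: $Path"
}

$sig = Get-AuthenticodeSignature -FilePath $Path

# Status is Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
# A valid signature only tells you who signed the file, not whether it is safe:
# every publisher in these posts had a valid certificate from a real CA.
$cert = $sig.SignerCertificate
[PSCustomObject]@{
    File       = $Path
    Status     = $sig.Status
    Signer     = if ($cert) { $cert.Subject } else { '(unsigned)' }
    Issuer     = if ($cert) { $cert.Issuer } else { '' }
    NotBefore  = if ($cert) { $cert.NotBefore } else { $null }
    NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
    Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
    SHA256     = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
} | Format-List
```

The Subject field carries the publisher name and, usually, the locality and country shown in the certificate dialog, which is where the “located in Ukraine” observation comes from. The SHA256 value lets you search VirusTotal for an existing report without uploading the file.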
I decided to upload the Vladislav Mastenko file to VirusTotal. Currently, the detection rate is 21/56. Gen:Variant.Adware.Terkcop.32, Win32:FakeDownload-G [PUP], Gen:Variant.Adware.Terkcop.32 and a variant of Win32/Adware.MultiPlug.NI are some of the detection names.
Did you also find a file digitally signed by Vladislav Mastenko? What kind of download was it and where did you find it?
Hello readers! Just wanted to let you know about a publisher called SAfe downlOAd gtL before going back to writing some code for FreeFixer.
The following screenshot shows the User Account Control dialog when running the SAfe downlOAd gtL file:
By examining the certificate, we can see that SAfe downlOAd gtL is located in Dublin, Ireland. The certificate is issued by thawte SHA256 Code Signing CA.
The reason I’m writing this blog post is that the SAfe downlOAd gtL file is detected by many of the anti-malwares at VirusTotal. ESET-NOD32 classifies Player.exe as a variant of Win32/OutBrowse.CB potentially unwanted, Malwarebytes detects it as PUP.Optional.Outbrowse and Sophos calls it Generic PUA OC.
Did you also find a SAfe downlOAd gtL file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.
Hello readers! If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. Today I found another publisher called VLADIMIR MASLOV.
If you have a VLADIMIR MASLOV file on your computer you may have noticed that VLADIMIR MASLOV pops up as the publisher in the User Account Control dialog when running the file. The certificate information can also be viewed from Windows Explorer. The screenshot below shows the VLADIMIR MASLOV certificate. From the certificate info we can see that VLADIMIR MASLOV appears to be located in Minsk, Belarus.
If you are considering running the VLADIMIR MASLOV signed file, I’d advise you not to. Delete it instead. Just check out the detection list from some of the anti-virus programs:
ClamAV classifies Download Uc Browser V Handler Zip.exe as Win.Adware.Graftor-1196, F-Prot calls it W32/S-bb33fd8b!Eldorado, F-Secure detects it as Gen:Variant.Adware.Terkcop, Microsoft classifies it as SoftwareBundler:Win32/InstalleRex and Sophos detects it as MultiPlug.
Did you also find a VLADIMIR MASLOV file? Do you remember where you downloaded it?
Hello readers! Just a quick post today, since I’m busy working with the next release of FreeFixer. Did you see a file, such as provided through Diplodocs.exe, on your system digitally signed by DMN Partners SRL? Then read on.
You can look at the DMN Partners SRL certificate and digital signature by looking under the Digital Signatures tab on the file’s properties. According to the certificate, DMN Partners SRL is located in Bucharest, Romania.
The reason I’m writing this blog post is that the DMN Partners SRL file is detected by many of the anti-malware software at VirusTotal. Avira reports provided through Diplodocs.exe as PUA/GetNow.Gen, ESET-NOD32 names it a variant of Win32/GetNow.I potentially unwanted, McAfee-GW-Edition detects it as BehavesLike.Win32.LiveSoftAction.jc and NANO-Antivirus reports Riskware.Win32.Downware.duemgn.
Since you probably came here after finding a download that was digitally signed by DMN Partners SRL, please share what kind of download it was and if it was reported by the anti-malwares at VirusTotal.