Monthly Archives: March 2015

Remove iam.avafymm.com from Firefox, Chrome and Internet Explorer

This page shows how to remove iam.avafymm.com from Mozilla Firefox, Google Chrome and Internet Explorer.

iam.avafymm.com connection

Did you just see iam.avafymm.com in the status bar of your browser and ask yourself where it came from? Or did iam.avafymm.com show up while you were searching for something on one of the big search engines, such as Google?

The screenshot above is from my network log. https://iam.avafymm.com/kerr/?d?=… appeared there when I did a Google search.

Here are some of the messages you may see in your browser’s status bar:

  • Waiting for iam.avafymm.com…
  • Transferring data from iam.avafymm.com…
  • Looking up iam.avafymm.com…
  • Read iam.avafymm.com
  • Connected to iam.avafymm.com…

If this sounds like what you are seeing on your computer, you almost certainly have some potentially unwanted program installed that makes the iam.avafymm.com domain appear in your web browser. Don’t flame the people who own the website you were at when you first spotted iam.avafymm.com in the status bar. They are most likely not responsible; the connection comes from the potentially unwanted program that’s installed on your computer. I’ll do my best to help you remove the iam.avafymm.com message in this blog post.

Those who have been spending some time on this blog already know this, but here we go: Recently I dedicated some of my lab computers and intentionally installed some potentially unwanted programs on them. I’ve been monitoring the activity on these machines to see what kinds of adverts are displayed. I’m also looking at other interesting things, such as whether the potentially unwanted program updates itself or downloads additional potentially unwanted programs onto the systems. I first observed iam.avafymm.com in Mozilla Firefox’s status bar on one of these lab machines.

iam.avafymm.com resolves to the 5.153.38.133 address. iam.avafymm.com was created on 2015-01-05.

So, how do you remove iam.avafymm.com from your web browser? On the machine where iam.avafymm.com showed up in the status bar I had TinyWallet, BlockAndSurf and BrowserWarden installed. I removed them with FreeFixer and that stopped the web browser from loading data from iam.avafymm.com.

The issue with status bar messages such as this one is that they can be caused by many variants of potentially unwanted programs, not just the potentially unwanted program running on my computer. This makes it impossible to say exactly what you need to remove to stop the status bar messages.

Anyway, here’s my suggestion for the iam.avafymm.com removal:

  1. Check what programs you have installed in the Add/Remove Programs dialog in the Windows Control Panel. Do you see something that you don’t remember installing, or that was recently installed?
  2. How about the add-ons you have installed in Mozilla Firefox, Google Chrome, Internet Explorer or Safari? Anything in the list that you don’t remember installing?
  3. If that did not help, I’d recommend a scan with FreeFixer to manually track down the potentially unwanted program. FreeFixer is a freeware tool that I’m working on that scans your computer at lots of locations, such as browser add-ons, processes, Windows services, recently modified files, etc. If you want additional details about a file in the scan result, you can click the More Info link for that file and a web page will open with a VirusTotal report, which is very useful for determining whether the file is safe or malware:

    FreeFixer More Info link example
    An example of FreeFixer’s “More Info” links. Click for full size.

Did this blog post help you to remove iam.avafymm.com? Please let me know, or tell me how I can improve this blog post.

Thank you!

id.google.com – What’s the purpose of this connection?

Recently I’ve been examining a lot of network logs. A connection that often appears is one to id.google.com when visiting the Google search engine. Sometimes you can see the status bar showing “Waiting for id.google.com”.

id.google.com waiting

Here’s the id.google.com screenshot from the network log:

id.google.com connection

In some cases the request is for a .gif image:

http://id.google.com/verify/EAAAAJPGOkdVdwuY72Nn4-GBxGU.gif

Perhaps it is a Web Bug, but those are traditionally used by third parties.

I have not found any reliable information about the purpose of these connections. Do you have some input on why these connections are triggered when searching at Google?

The id subdomain seems to exist under each of Google’s country domains. Thanks to VirusTotal for allowing me to find these:

id.google.se
id.google.com.my
id.google.mu
id.google.co.in
id.google.rs
id.google.com.gh
id.google.at
id.google.com.ua
id.google.bj
id.google.de
id.google.com.pe
id.google.fr
id.google.com.mt
id.l.google.com
id.google.com.ng
id.google.com.eg
id.google.pl
id.google.ps
id.google.co.uk
id.google.iq
id.google.com.tj
ww.google.it
id.google.co.ma
id.google.com.mm
id.google.hu
id.google.sn
id.google.sc
id.google.com.iq
id.google.be
id.google.com.ph
id.google.gr
id.google.ga
id.google.es
id.google.co.cr
id.google.co.il
id.google.co.kr
id.google.co.tz
id.google.com.au
id.google.com.eg
id.google.dz
id.google.fi
id.google.ad
id.google.im
id.google.lk
id.google.sk
id.google.co.za
id.google.com.pg
id.google.ch
id.google.com.gi
id.google.com.np
id.google.gp
id.google.al
id.google.co.id
id.google.com.pe
id.google.com.pr
id.google.la
id.google.ne
id.google.bi
id.google.com.bd
id.google.com.ng
id.google.hr
id.google.mu
id.google.ro
id.google.tn
id.google.com.pa
id.google.com.pk
id.google.mw
id.google.sr
id.google.co.in
id.google.com.hk
id.google.nl
id.google.st
id.google.com.uy
id.google.ee
id.google.fr
id.google.cz
id.google.co.mz
id.google.az
id.google.bg
id.google.by
id.google.com.cy
id.google.com.kw
id.google.pt
id.google.ba
id.google.com.co
id.google.com.om
id.google.dk
id.google.at
id.google.com
id.google.lu
id.google.bj
id.google.bs
id.google.ca
id.google.com.ua
id.google.nu
id.google.it
id.google.je
id.google.jo
id.google.pl
id.google.com.sv
id.google.com.vn
id.google.kz
id.google.me
id.google.co.zm
id.google.com.br
id.google.com.mt
id.google.com.my
id.google.ie
id.google.tt
id.google.cg
id.google.co.nz
id.google.co.th
id.google.de
id.google.ge
id.google.tg
id.google.cl
id.google.cn
id.google.com.bh
id.google.com.ec
id.google.com.mx
id.google.li

Remove checksoft.safesystemupgrade.org Pop Up Ads

Did you just get a pop-up from checksoft.safesystemupgrade.org and wonder where it came from? Did the checksoft.safesystemupgrade.org ad appear to have been popped up by a web site that under normal circumstances doesn’t use aggressive advertising such as popup windows? Or did the checksoft.safesystemupgrade.org pop-up show up after you clicked a link on one of the big search engines, such as Google, Bing or Yahoo?

Here’s a screenshot of the checksoft.safesystemupgrade.org pop-up ad when it showed up on my machine:

checksoft.safesystemupgrade.org pop up

If you also see this on your system, you almost certainly have some adware installed on your computer that pops up the checksoft.safesystemupgrade.org ads. So don’t write angry emails to the website you were browsing; the ads are probably not coming from them, but from the adware on your computer. I’ll try to help you with the checksoft.safesystemupgrade.org removal in this blog post.

Those who have been visiting this blog already know this, but here we go: Not long ago I dedicated some of my lab machines and deliberately installed a few adware programs on them. Since then I have been tracking the behaviour on these computers to see what kinds of advertisements are displayed. I’m also looking at other interesting things, such as whether the adware auto-updates or downloads additional unwanted software onto the computers. I first found the checksoft.safesystemupgrade.org pop-up on one of these lab computers.

checksoft.safesystemupgrade.org resolves to the 207.244.83.9 IP address. checksoft.safesystemupgrade.org was created on 2015-02-20.

Update 2015-05-04: I’ve also seen getupgrade.safesystemupgrade.org (62.210.93.163) in use:

getupgrade.safesystemupgrade.org pop up

So, how do you remove the checksoft.safesystemupgrade.org pop-up ads? On the machine where I got the checksoft.safesystemupgrade.org ads I had TinyWallet, BlockAndSurf and BrowserWarden installed. I removed them with FreeFixer and that stopped the checksoft.safesystemupgrade.org pop-ups and all the other ads I was getting in Mozilla Firefox.

If you are wondering whether there are many others out there also getting the checksoft.safesystemupgrade.org ads, the answer is probably yes. Check out the traffic rank from Alexa:

safesystemupgrade.org traffic

The issue with this type of pop-up is that it can be launched by many variants of adware. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

So, what should be done to solve the problem? To remove the checksoft.safesystemupgrade.org pop-up ads you need to examine your computer for adware or other types of unwanted software and uninstall it. Here’s my suggested removal procedure:

The first thing I would do to remove the checksoft.safesystemupgrade.org pop-ups is to examine the programs installed on the machine by opening the “Uninstall programs” dialog. You can find this dialog in the Windows Control Panel. If you are using one of the more recent versions of Windows you can just type “uninstall” in the Control Panel’s search field to find that dialog:
Uninstall a program search

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Uninstall a program dialog

Do you see something strange-looking listed there or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if something was installed about the same time as you started seeing the checksoft.safesystemupgrade.org pop-ups.

The next thing to check would be your browser’s add-ons. Adware often appears under the add-ons menu in Google Chrome, Mozilla Firefox, Internet Explorer or Safari. Is there anything that looks suspicious? Something that you don’t remember installing?
Firefox add-ons manager

I think most users will be able to find and remove the adware with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the adware. FreeFixer is a freeware tool that I’ve developed since 2006. It’s a tool designed to manually identify and uninstall unwanted software. When you’ve tracked down the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.

FreeFixer’s removal feature is not crippled like many other removal tools out there. It won’t require you to pay a fee just when you are about to remove the unwanted files.

And if you’re having difficulties determining if a file is safe or adware in FreeFixer’s scan result, click on the More Info link for the file. That will open up a web page which contains additional information about the file. On that web page, check out the VirusTotal report which can be very useful:

FreeFixer More Info link example
An example of FreeFixer’s “More Info” links. Click for full size.

Here’s a video tutorial on how to remove the pop-ups with FreeFixer:

Did you find any adware on your machine? Did that stop the checksoft.safesystemupgrade.org ads? Please post the name of the adware you uninstalled from your machine in the comments below.

Thank you!

Remove lko.jafyzfyu.com from Firefox, Chrome and Internet Explorer

This page shows how to remove lko.jafyzfyu.com from Mozilla Firefox, Google Chrome and Internet Explorer.

Does this sound familiar? You see lko.jafyzfyu.com in your web browser’s status bar while browsing sites that normally don’t load any content from third-party domains. Perhaps the lko.jafyzfyu.com domain appears when performing a search at the Google search engine?

Here’s a screen capture of lko.jafyzfyu.com when it showed up on my machine in the network log:

lko.jafyzfyu.com connection

The following are some of the messages you may see in your browser’s status bar:

  • Waiting for lko.jafyzfyu.com…
  • Transferring data from lko.jafyzfyu.com…
  • Looking up lko.jafyzfyu.com…
  • Read lko.jafyzfyu.com
  • Connected to lko.jafyzfyu.com…

If this sounds like your story, you probably have some potentially unwanted program installed on your machine that makes the lko.jafyzfyu.com domain appear in your browser. So don’t send angry emails to the web site you were browsing; they are presumably not responsible for the lko.jafyzfyu.com status bar messages. The potentially unwanted program on your system is. I’ll do my best to help you remove the lko.jafyzfyu.com message in this blog post.

For those who are new to the blog: Some time ago I dedicated some of my lab computers and knowingly installed some potentially unwanted programs on them. Since then I have been following the behaviour on these computers to see what kinds of advertisements are displayed. I’m also looking at other interesting things, such as whether the potentially unwanted program auto-updates or downloads and installs additional potentially unwanted programs on the machines. I first found lko.jafyzfyu.com in Mozilla Firefox’s status bar on one of these lab computers.

lko.jafyzfyu.com resolves to the 81.95.152.220 IP address.

So, how do you remove lko.jafyzfyu.com from your browser? On the machine where lko.jafyzfyu.com showed up in the status bar I had installed. I removed them with FreeFixer and that stopped the browser from loading data from lko.jafyzfyu.com.

The problem with status bar messages such as this one is that they can be caused by many variants of potentially unwanted programs, not just the potentially unwanted program that’s installed on my system. I think that potentially unwanted programs such as SpeedChecker, WebWaltz, PriceFountain and YTDownloader can also be responsible for lko.jafyzfyu.com appearing in the browser. And there are probably other variants too. This makes it impossible to say exactly what you need to remove to stop the status bar messages.

Anyway, here’s my suggestion for the lko.jafyzfyu.com removal:

The first thing I would do to remove lko.jafyzfyu.com is to examine the programs installed on the machine by opening the “Uninstall programs” dialog. You can reach this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows you can just type “uninstall” in the Control Panel’s search field to find that dialog:
Uninstall a program search

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Uninstall a program dialog

Do you see something strange-looking listed there or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if something was installed about the same time as you started getting the lko.jafyzfyu.com status bar messages.

Then you can examine your browser add-ons. Potentially unwanted programs often show up under the add-ons menu in Firefox, Chrome, Internet Explorer or Safari. Is there anything that looks suspicious? Something that you don’t remember installing?
Firefox add-ons manager

I think you will be able to find and uninstall the potentially unwanted program with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the potentially unwanted program. FreeFixer is a freeware tool that I’ve developed since 2006. FreeFixer is a tool designed to manually identify and uninstall unwanted software. When you’ve tracked down the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.

FreeFixer’s removal feature is not locked like many other removal tools out there. It won’t require you to pay for the program just when you are about to remove the unwanted files.

And if you’re having a hard time deciding if a file is legit or potentially unwanted in the FreeFixer scan result, click on the More Info link for the file. That will open up a web page which contains more details about the file. On that web page, check out the VirusTotal report which can be very useful:

FreeFixer More Info link example
An example of FreeFixer’s “More Info” links. Click for full size.

Did you find any potentially unwanted program on your machine? Did that stop lko.jafyzfyu.com? Please post the name of the potentially unwanted program you uninstalled from your machine in the comments below.

Thank you!

Remove smartprofits.org Pop Up Ads Caused By Adware

Does this sound like what you are seeing right now? You see pop-up ads from smartprofits.org while browsing sites that usually don’t advertise in pop-up windows. The pop-ups manage to circumvent the built-in pop-up blockers in Chrome, Firefox, Internet Explorer or Safari. Perhaps the smartprofits.org pop-ups appear when clicking search results from Google? Or do the pop-ups appear even when you’re not browsing?

Here is how the smartprofits.org ad looked on my system:

smartprofits.org pop up

If this sounds like what you see on your computer, you presumably have some adware installed on your machine that pops up the smartprofits.org ads. Contacting the site owner would be a waste of time. The adverts are not coming from them. I’ll try to help you remove the smartprofits.org pop-ups in this blog post. This is done by removing unwanted adware from your machine.

If you have been reading this blog you already know this, but if you are new: Recently I dedicated a few of my lab systems and intentionally installed some adware programs on them. Since then I have been observing the behaviour on these computers to see what kinds of advertisements are displayed. I’m also looking at other interesting things, such as whether the adware auto-updates or installs additional unwanted software on the machines. I first found the smartprofits.org pop-up on one of these lab systems.

smartprofits.org was registered on 2014-03-18. smartprofits.org resolves to 88.85.68.248.

So, how do you remove the smartprofits.org pop-up ads? On the machine where I got the smartprofits.org ads I had installed. I removed them with FreeFixer and that stopped the smartprofits.org pop-ups and all the other ads I was getting in Mozilla Firefox.

Judging from Alexa’s traffic rank, smartprofits.org is getting quite a lot of traffic:

smartprofits.org traffic rank

The issue with pop-ups such as this one is that they can be launched by many variants of adware, not just the adware that’s installed on my computer. I think that adware such as PriceFountain, YTDownloader, WebWaltz, Movie Wizard and MedPlayerNewVersion can also be responsible for the smartprofits.org popups. And there are probably other variants too. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

Anyway, here’s my suggestion for the smartprofits.org ads removal:

The first thing I would do to remove the smartprofits.org pop-ups is to examine the programs installed on the machine by opening the “Uninstall programs” dialog. You can open this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows you can just type “uninstall” in the Control Panel’s search field to find that dialog:
Uninstall a program search

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Uninstall a program dialog

Do you see something strange-looking in there or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if something was installed about the same time as you started getting the smartprofits.org pop-ups.

The next thing to check would be your browser’s add-ons. Adware often appears under the add-ons menu in Mozilla Firefox, Google Chrome, Internet Explorer or Safari. Is there anything that looks suspicious? Something that you don’t remember installing?
Firefox add-ons manager

I think you will be able to find and remove the adware with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the adware. FreeFixer is a freeware tool that I’ve developed since 2006. FreeFixer is a tool built to manually find and uninstall unwanted software. When you’ve tracked down the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.

FreeFixer’s removal feature is not crippled like many other removal tools out there. It will not require you to pay for the program just when you are about to remove the unwanted files.

And if you’re having problems determining if a file is clean or unsafe in the FreeFixer scan result, click on the More Info link for the file. That will open up your web browser with a page which contains more details about the file. On that web page, check out the VirusTotal report which can be very useful:

FreeFixer More Info link example
An example of FreeFixer’s “More Info” links. Click for full size.

Here’s a video tutorial which shows FreeFixer in action removing adware that caused pop-up ads:

Did you find any adware on your machine? Did that stop the smartprofits.org ads? Please post the name of the adware you uninstalled from your machine in the comments below.

Thank you!

NEXT-POINT (OOO Next-Point) – 7% Anti-Virus Detection Rate – InstallCore

Hi there! Just a short post on a publisher called NEXT-POINT (OOO Next-Point). I just found a download named adobe_flash_setup.exe that was digitally signed by this publisher, and it turns out that it is detected by some anti-virus programs.

NEXT-POINT OOO Next-Point UAC

You can also check the digital signature under the file’s properties. According to the certificate, NEXT-POINT (OOO Next-Point) seems to be located in Moscow, Russia, and the certificate is issued by COMODO RSA Code Signing CA.

NEXT-POINT (OOO Next-Point) certificate

The problem is that adobe_flash_setup.exe is not an official Adobe Flash Player download. If it were, it would have been digitally signed by Adobe Systems Incorporated. Here’s how the authentic Adobe Flash Player installer looks when you double-click it. Notice that the “Verified publisher” says “Adobe Systems Incorporated”.
Adobe Systems Incorporated - Adobe Flashplayer Installer

The current detection rate is 4/57, that is 7%. Avira reports adobe_flash_setup.exe as Adware/InstallCore.A.499, ESET-NOD32 detects it as a variant of Win32/InstallCore.XP potentially unwanted and K7AntiVirus reports Trojan ( 004b75ec1 ).

NEXT-POINT anti-virus report

When I tested the NEXT-POINT (OOO Next-Point) file it installed StormFall, MyPC Backup and some product from Symantec. I don’t remember the name; perhaps it was Norton 360.

Did you also find a file signed by NEXT-POINT (OOO Next-Point)? What kind of download was it and where did you find it?

Hope this blog post helped you avoid some unwanted software on your machine.

Thanks for reading.

Remove futureupdates.theperfectupdate.net Pop Up Ads

Sound familiar? You see pop-up ads from futureupdates.theperfectupdate.net while browsing web sites that in general don’t advertise in pop-up windows. The pop-ups manage to find a way round the built-in pop-up blockers in Mozilla Firefox, Google Chrome, Internet Explorer or Safari. Maybe the futureupdates.theperfectupdate.net pop-ups appear when clicking search results from Google? Or do the pop-ups appear even when you’re not browsing?

Here is a screenshot of the futureupdates.theperfectupdate.net pop-up from my machine:

futureupdates.theperfectupdate.net

If this sounds like your experience, you apparently have some adware installed on your computer that pops up the futureupdates.theperfectupdate.net ads. So there’s no use contacting the site owner. The ads are not coming from them. I’ll do my best to help you with the futureupdates.theperfectupdate.net removal in this blog post.

For those who are new to the blog: Some time ago I dedicated a few of my lab machines and deliberately installed a few adware programs on them. I have been monitoring the behaviour on these machines to see what kinds of adverts are displayed. I’m also looking at other interesting things, such as whether the adware updates itself or downloads and installs additional unwanted software on the machines. I first noticed the futureupdates.theperfectupdate.net pop-up on one of these lab systems.

futureupdates.theperfectupdate.net was registered on 2015-02-20. The domain is protected by PrivacyProtect.org. futureupdates.theperfectupdate.net resolves to the 199.115.114.52 address.

YouGetSignal’s reverse WHOIS states that s.system-update.net resolves to the same IP.

According to Alexa, theperfectupdate.net is getting quite a lot of traffic:

theperfectupdate.net

So, how do you remove the futureupdates.theperfectupdate.net pop-up ads? On the machine where I got the futureupdates.theperfectupdate.net ads I had BlockAndSurf, TinyWallet and BrowserWarden installed. I removed them with FreeFixer and that stopped the futureupdates.theperfectupdate.net pop-ups and all the other ads I was getting in Mozilla Firefox.

The problem with pop-ups such as this one is that they can be launched by many variants of adware. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

Anyway, here’s my suggestion for the futureupdates.theperfectupdate.net ads removal:

  1. What software do you have installed if you look in the Add/Remove Programs dialog in the Windows Control Panel? Something that you don’t remember installing yourself, or that was recently installed?
  2. You can also review the add-ons you have in your browsers. Same thing here: do you see something that you don’t remember installing?
  3. If that didn’t help, I’d recommend a scan with FreeFixer to manually track down the adware. FreeFixer is a freeware tool that I’m working on that scans your computer at lots of locations, such as browser add-ons, processes, Windows services, recently modified files, etc. If you want additional details about a file in the scan result, you can click the More Info link for that file and a web page will open with a VirusTotal report, which is very useful for determining whether the file is safe or malware:

    FreeFixer More Info link example
    An example of FreeFixer’s “More Info” links. Click for full size.
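The first two removal steps above, sorting the installed programs by install date and reviewing the browser add-ons, are the same ones the iam.avafymm.com, checksoft.safesystemupgrade.org, lko.jafyzfyu.com and smartprofits.org posts above give. The PowerShell below does both from the command line. It is an added example, not code from the FreeFixer blog or from FreeFixer itself; it is read-only and removes nothing. It assumes Windows PowerShell 3.0 or later, that the three Uninstall registry keys are what the “Uninstall a program” dialog reads, and the usual Internet Explorer Browser Helper Objects key, Chrome default profile and Firefox profile folder; the function names are mine.

```powershell
# Added example, not code from the FreeFixer blog. Read-only: it lists, it removes nothing.

function Get-InstalledPrograms {
    # Same entries the "Uninstall a program" dialog shows (64-bit, 32-bit and per-user installs).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            # InstallDate is a yyyyMMdd string when present; many installers leave it empty,
            # so a blank "Installed On" is not by itself a sign of anything.
            $date = $null
            if ($_.InstallDate -match '^\d{8}$') {
                $date = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
            }
            [pscustomobject]@{
                Name        = $_.DisplayName
                Publisher   = $_.Publisher
                InstalledOn = $date
                Uninstall   = $_.UninstallString
            }
        }
}

function Get-BrowserAddons {
    # Internet Explorer add-ons (Browser Helper Objects) are registered by CLSID; the DLL path
    # sits under the CLSID's InprocServer32 key (Wow6432Node for 32-bit add-ons on 64-bit Windows).
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($key in $bhoKeys) {
        Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
            $clsid = $_.PSChildName
            $dll = $null
            foreach ($root in 'HKEY_CLASSES_ROOT\CLSID', 'HKEY_CLASSES_ROOT\Wow6432Node\CLSID') {
                $server = Get-ItemProperty -Path "Registry::$root\$clsid\InprocServer32" -ErrorAction SilentlyContinue
                if ($server) { $dll = $server.'(default)'; break }
            }
            [pscustomobject]@{ Browser = 'Internet Explorer'; Id = $clsid; Detail = $dll }
        }
    }
    # Chrome stores each extension under its id, one folder per version, with a manifest.json.
    # (A name like __MSG_appName__ is a localisation key; the real text is in the _locales folder.)
    $chromeExt = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'
    Get-ChildItem -Path $chromeExt -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $manifest = Get-ChildItem -Path $_.FullName -Filter manifest.json -Recurse -ErrorAction SilentlyContinue |
            Select-Object -First 1
        $name = if ($manifest) { (Get-Content -Path $manifest.FullName -Raw | ConvertFrom-Json).name }
        [pscustomobject]@{ Browser = 'Chrome'; Id = $_.Name; Detail = $name }
    }
    # Firefox keeps add-ons in each profile's extensions folder, one .xpi or folder per add-on.
    $ffProfiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    Get-ChildItem -Path (Join-Path $ffProfiles '*\extensions\*') -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Browser = 'Firefox'; Id = $_.Name; Detail = $_.FullName }
    }
}

# Step 1: programs installed in the last 30 days, newest first (the "Installed On" sort).
$cutoff = (Get-Date).AddDays(-30)
Get-InstalledPrograms |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $cutoff } |
    Sort-Object -Property InstalledOn -Descending |
    Format-Table -Property Name, Publisher, InstalledOn -AutoSize

# Step 2: browser add-ons; anything you do not recognise is a candidate for removal.
Get-BrowserAddons | Format-Table -Property Browser, Id, Detail -AutoSize
```

The 30-day window is only a starting point; widen it if the ads started earlier. Compare what comes back against the posts above: an entry whose Publisher is blank or unfamiliar and whose install date matches the day the pop-ups began is the one to look at first, and the same goes for an IE add-on whose DLL lives under Program Files (x86) in a folder you never created.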

Here’s a video tutorial showing FreeFixer in action removing pop-up ads:

Did you find any adware on your machine? Did that stop the futureupdates.theperfectupdate.net ads? Please post the name of the adware you uninstalled from your machine in the comments below.

Thank you!

Techsnab LLC – 16% Anti-Virus Detection Rate

Welcome! If you are a regular here on the FreeFixer blog, you know that I’ve been examining files that have a digital signature and bundle various types of potentially unwanted software. Today I found another publisher named Techsnab LLC that bundles some software.

Techsnab LLC certificate

To get more details on the publisher, you can view the certificate by right-clicking the file, opening its properties and looking under the Digital Signatures tab. According to the embedded certificate, Techsnab LLC is located in Moscow, Russia, and the certificate is issued by COMODO Code Signing CA 2. This Techsnab certificate has been revoked:

Techsnab LLC revoked

16% of the scanners detected the file. The Game_of_Thrones_S04E02_HDTV_x264-2HD[ettv].exe file is detected as APPL/Techsnab.onemb by Avira, W32.HfsAdware.894E by Bkav, Trojan ( 004b5df41 ) by K7GW, Trojan.Win32.Techsnab.dossoy by NANO-Antivirus and GetPrivate (fs) by VIPRE.

Techsnab LLC anti-virus report

Did you also find a Techsnab LLC file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thanks for reading.

Jelbrus LLC from The Pirate Bay – 23% Anti-Virus Detection Rate – Strictor / Techsnab / HfsAdware

Welcome! Saturday night post this time 😉 Just wanted to let you know about a publisher called Jelbrus LLC. You may run into this download if you are visiting sites such as The Pirate Bay.

Jelbrus LLC make changes

Information about the digital signature and the certificate can also be found under the Digital Signatures tab. According to the embedded certificate, Jelbrus LLC seems to be located in Moscow, Russia, and the certificate is issued by Thawte Code Signing CA – G2.

Jelbrus LLC certificate
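The certificate check described in the NEXT-POINT, Techsnab and Jelbrus posts above (who the “Verified publisher” is, who issued the certificate, and whether it has since been revoked) can be done from PowerShell instead of the Properties dialog. The script below is an added example, not code from the FreeFixer blog or from any of the publishers discussed; it assumes Windows PowerShell 3.0 or later and an internet connection for the revocation check, and the function name Test-InstallerPublisher and the sample call are mine. “Adobe Systems Incorporated” is the publisher the NEXT-POINT post names as the only one a real Flash Player installer should show.

```powershell
# Added example, not code from the FreeFixer blog. Read-only: it inspects the signature, nothing else.

function Test-InstallerPublisher {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # The publisher you expect, e.g. 'Adobe Systems Incorporated' for a Flash Player installer.
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        File             = Split-Path -Path $Path -Leaf
        SignatureStatus  = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer           = $null
        Issuer           = $null
        ChainStatus      = 'n/a'
        PublisherMatches = $false
    }
    if ($sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        # The subject CN is what Windows shows as "Verified publisher" in the UAC prompt;
        # the issuer CN is the CA named on the certificate (COMODO, Thawte, ... in the posts above).
        $result.Signer = $cert.GetNameInfo($nameType, $false)
        $result.Issuer = $cert.GetNameInfo($nameType, $true)
        $result.PublisherMatches = ($result.Signer -eq $ExpectedPublisher)

        # Build the chain with online revocation checking so a certificate that the CA has
        # since revoked (like the Techsnab one) shows up as Revoked rather than looking fine.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        # For an old, timestamped file whose certificate has merely expired, set
        # $chain.ChainPolicy.VerificationTime to the signing time before calling Build.
        if ($chain.Build($cert)) {
            $result.ChainStatus = 'OK'
        } else {
            $result.ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
    }
    [pscustomobject]$result
}

# Sample call: the file name says Flash Player, so the only acceptable signer is Adobe.
Test-InstallerPublisher -Path "$env:USERPROFILE\Downloads\adobe_flash_setup.exe" `
                        -ExpectedPublisher 'Adobe Systems Incorporated'
```

A file name proves nothing; what matters is the combination the function returns. SignatureStatus Valid with PublisherMatches False is exactly the NEXT-POINT case: a properly signed file, just not from the publisher the name suggests. A ChainStatus containing Revoked is the Techsnab case, where the signature itself still verifies but the CA has withdrawn the certificate.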

So what’s up with Jelbrus? The file I found is named Breaking_Bad_Season_1_Complete_720p.BRrip.Sujaidr_(pimprg)_.exe, so you might get the impression that this is a download for the famous TV series Breaking Bad. It’s not.

Here’s how the Jelbrus installer looks when you run the file:

Jelbrus LLC installer

When you click the Next button, a bunch of settings are changed and some files are added to your computer. Here’s the interesting stuff from a FreeFixer log:

FreeFixer v1.13 log
http://www.freefixer.com/

Scheduled tasks (39 whitelisted)
================================
Great Performance Ultimate, C:\Program Files (x86)\PrivateVPN\gpup.exe , signer: [unsigned]
Jelbrus Secure Web Task, C:\Program Files (x86)\Jelbrus Secure Web\jswtask.exe , signer: [unsigned]
Malware Cleaner, C:\Users\honeypotter\AppData\Roaming\1265.tmp.exe (file is missing)

Processes (42 whitelisted)
==========================
C:\Windows\mlwps.exe, signer: [unsigned]
C:\Users\HONEYP~1\AppData\Local\Temp\92.tmp.exe, signer: [unsigned]
C:\Program Files (x86)\Jelbrus Secure Web\privoxy.exe, signer: [unsigned]

Services (47 whitelisted)
=========================
Live Malware Protection, Live Malware Protection, c:\windows\mlwps.exe, signer: [unsigned]
PrivoxyService, Privoxy (PrivoxyService), c:\program files (x86)\jelbrus secure web\privoxy.exe, signer: [unsigned]

Recently created/modified files
===============================
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\mgwz.dll, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\privoxy.exe, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jsie.dll, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jswff.exe, signer: Jelbrus LLC [valid]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jsweb64.dll, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jswchromium64.exe, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jsweb.dll, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jswchromium.exe, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jswtask.exe, signer: [unsigned]
20 minutes, c:\Users\honeypotter\AppData\Local\Temp\92.tmp.exe, signer: [unsigned]
21 minutes, c:\Program Files (x86)\PrivateVPN\tasks.dll, signer: [unsigned]
21 minutes, c:\Users\honeypotter\AppData\Local\Temp\tasks.dll, signer: [unsigned]
21 minutes, c:\Program Files (x86)\PrivateVPN\gpup.exe, signer: [unsigned]
21 minutes, c:\Users\honeypotter\AppData\Local\Temp\580C.tmp.exe, signer: [unsigned]
23 minutes, c:\Users\honeypotter\AppData\Local\Temp\1716.tmp.exe, signer: [unsigned]
24 minutes, c:\Users\honeypotter\AppData\Local\Temp\6E23.tmp.exe, signer: [unsigned]

LAN Proxy Settings
==================
*=127.0.0.1:8118
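The log above records three kinds of change worth checking for on any machine: a LAN proxy pointed at 127.0.0.1 (every browser request then passes through the local Privoxy process), services and scheduled tasks backed by unsigned binaries (one task’s target file is already missing), and freshly dropped executables in the user’s Temp folder. The PowerShell below looks for the same three things. It is an added example, not code from the FreeFixer blog or from FreeFixer; it is read-only. It assumes Windows 8 / PowerShell 3.0 or later for Get-ScheduledTask and Get-CimInstance, and the WinInet proxy values (ProxyEnable, ProxyServer) under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings; the function names are mine.

```powershell
# Added example, not code from the FreeFixer blog. Read-only: it reports, it changes nothing.

function Get-WinInetProxy {
    # Same setting the log's "LAN Proxy Settings" section shows (Internet Options > LAN settings).
    $p = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Enabled   = [bool]$p.ProxyEnable
        Server    = $p.ProxyServer
        # A proxy on the loopback address means a local program (Privoxy in the log) sees every request.
        Localhost = [bool]($p.ProxyServer -match '127\.0\.0\.1|localhost')
    }
}

function Get-ImagePathFromCommand {
    param([string] $Command)
    # Service command lines look like "C:\path\x.exe" args or C:\path\x.exe args; keep only the .exe.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $Command
}

function Get-UnsignedServices {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $exe = Get-ImagePathFromCommand -Command $_.PathName
        if ($exe -and (Test-Path -Path $exe)) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; Path = $exe; Signature = $sig.Status }
            }
        }
    }
}

function Get-UnsignedTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }          # non-exec (COM handler) actions
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            if (Test-Path -Path $exe) {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                if ($sig.Status -ne 'Valid') {
                    [pscustomobject]@{ Kind = 'Task'; Name = $task.TaskName; Path = $exe; Signature = $sig.Status }
                }
            } else {
                # The log above lists a task whose target no longer exists; report that too.
                [pscustomobject]@{ Kind = 'Task'; Name = $task.TaskName; Path = $exe; Signature = 'file is missing' }
            }
        }
    }
}

function Get-RecentTempExecutables {
    param([int] $Minutes = 60)
    # The log's "Recently created/modified files" section, narrowed to .exe files in %TEMP%.
    $since = (Get-Date).AddMinutes(-$Minutes)
    Get-ChildItem -Path $env:TEMP -Filter *.exe -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $since } |
        Select-Object -Property FullName, CreationTime
}

Get-WinInetProxy
@(Get-UnsignedServices) + @(Get-UnsignedTasks) | Format-Table -AutoSize
Get-RecentTempExecutables | Format-Table -AutoSize
```

Some legitimate third-party services and tasks ship unsigned binaries too, so treat the lists as leads rather than verdicts. What makes the log above convincing is the combination: a loopback proxy that appeared at the same time as unsigned service and task binaries under a freshly created Program Files folder, plus a run of .tmp.exe files in Temp with the same timestamps.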

You will also see advertisements while browsing the web labelled “Ad by CouponDropDown”. Here are the “Ad by CouponDropDown” ads on Google:

Ad by CouponDropDown

So what do the anti-virus scanners at VirusTotal say about Jelbrus’ “Breaking Bad” file? The detection rate is 13/57. Gen:Variant.Strictor.75172, Jelbrus.3C0, Adware/Techsnab.9058, Jelbrus LLC (fs), W32.HfsAdware.307F and Gen:Variant.Strictor.75172 were some of the detection names.

Jelbrus LLC anti-virus report

Did you also find a Jelbrus LLC file? Did you also find it at The Pirate Bay?

Thank you for reading.

Remove i_crbsjs_info.tlscdn.com from Mozilla Firefox, Google Chrome and Internet Explorer

This page shows how to remove i_crbsjs_info.tlscdn.com from Mozilla Firefox, Google Chrome and Internet Explorer.

Sound familiar? You see i_crbsjs_info.tlscdn.com in your browser’s status bar while browsing on websites that typically don’t load any content from third party domains. Maybe the i_crbsjs_info.tlscdn.com domain appears when performing a search at the Google.com search engine?

Here is how the i_crbsjs_info.tlscdn.com status bar message looked on my computer:

i_crbsjs_info.tlscdn.com status bar

It appeared while I did a search at Google.

The following are some of the status bar messages you may see in your browser’s status bar:

  • Waiting for i_crbsjs_info.tlscdn.com…
  • Transferring data from i_crbsjs_info.tlscdn.com…
  • Looking up i_crbsjs_info.tlscdn.com…
  • Read i_crbsjs_info.tlscdn.com
  • Connected to i_crbsjs_info.tlscdn.com…

If this description sounds like your computer, you probably have some potentially unwanted program installed on your machine that makes the i_crbsjs_info.tlscdn.com domain appear in your browser. Contacting the owner of the site you were at would be a waste of time. The i_crbsjs_info.tlscdn.com status bar messages are not coming from them. I’ll try to help you with the i_crbsjs_info.tlscdn.com removal in this blog post.

If you have been visiting this blog you already know this, but if you are new: A little while back I dedicated a few of my lab computers and deliberately installed some potentially unwanted programs on them. Since then I have been following the behaviour on these computers to see what kinds of advertisements are displayed. I’m also looking at other interesting things such as whether the potentially unwanted program auto-updates, or whether it installs additional potentially unwanted programs on the computers. I first spotted i_crbsjs_info.tlscdn.com in Mozilla Firefox’s status bar on one of these lab computers.

i_crbsjs_info.tlscdn.com resolves to the 207.244.65.148 IP address.

So, how do you remove i_crbsjs_info.tlscdn.com from your browser? On the machine where i_crbsjs_info.tlscdn.com showed up in the status bar I had TornTV installed. I removed it with FreeFixer and that stopped the web browser from loading data from i_crbsjs_info.tlscdn.com.

The issue with status bar messages such as this one is that they can be caused by many variants of potentially unwanted programs, not just the potentially unwanted program running on my computer. This makes it impossible to say exactly what you need to remove to stop the status bar messages.

Anyway, here’s my suggestion for the i_crbsjs_info.tlscdn.com removal:

The first thing I would do to remove i_crbsjs_info.tlscdn.com is to examine the software installed on the machine, by opening the “Uninstall programs” dialog. You can find this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows you can just type in “uninstall” in the Control Panel’s search field to find that dialog:
Uninstall a program search

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Uninstall a program dialog

Do you see something suspicious listed there or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if something was installed around the same time as you started observing the i_crbsjs_info.tlscdn.com status bar messages. Does TornTV appear there?

Then I would check the browser add-ons. Potentially unwanted programs often show up under the add-ons menu in Google Chrome, Mozilla Firefox, Internet Explorer or Safari. Is there anything that looks suspicious? Anything that you don’t remember installing? Is TornTV in the list?
Firefox add-ons manager

I think most users will be able to identify and remove the potentially unwanted program with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the potentially unwanted program. FreeFixer is a freeware tool that I started developing about 8 years ago. It’s a tool built to manually identify and uninstall unwanted software. When you’ve found the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.

FreeFixer’s removal feature is not locked like many other removal tools out there. It won’t require you to pay for the program just when you are about to remove the unwanted files.

And if you’re having a hard time figuring out if a file is clean or potentially unwanted in FreeFixer’s scan report, click on the More Info link for the file. That will open up a web page which contains more details about the file. On that web page, check out the VirusTotal report which can be quite useful:

FreeFixer More Info link example
An example of FreeFixer’s “More Info” links. Click for full size.

Did you find any potentially unwanted program on your machine? Did that stop i_crbsjs_info.tlscdn.com? Please post the name of the potentially unwanted program you uninstalled from your machine in the comments below.

Thank you!