Monthly Archives: April 2015

Purpose of gexperiments1.com, gexperiments2.com and gexperiments3.com Domains?

Was checking out the network log while doing a search at Google. Found a request to a domain named gexperiments2.com:

gexperiments2.com connection

The Google search was done on one of my lab machines where I have some malware installed, so I first thought the connection was malware related, but it’s not. The gexperiments2.com domain is registered by Google as you can see in the WHOIS database:

Registrant Name: DNS Admin
Registrant Organization: Google Inc.
Registrant Street: 1600 Amphitheatre Parkway, 
Registrant City: Mountain View
Registrant State/Province: CA
Registrant Postal Code: 94043
Registrant Country: US

So, you have nothing to worry about if you see connections to gexperiments2.com in your browser.

Google Inc. also owns gexperiments1.com and gexperiments3.com.

But I’m curious what the purpose of these connections is. Does anyone have more info on Google’s purpose with the gexperiments2.com domain?

Thanks for reading.

FASt download got – 18% Anti-Virus Detection – OutBrowse

Welcome! I was playing around and testing some downloads when I found a file digitally signed by FASt download got.

FASt download got publisher

If you have a FASt download got file on your computer you may have noticed that FASt download got pops up as the publisher in the User Account Control dialog when running the file. You can also see the FASt download got certificate by looking under the Digital Signature tab in the file’s properties. According to the certificate, FASt download got is located in Dublin, Ireland.

FASt download got certificate

The problem is that installer_adobe_flash_player_English.exe is not an official Adobe Flash Player download. If it were, it would be digitally signed by Adobe Systems Incorporated. Here’s how the authentic Adobe Flash Player installer looks when you double-click on it. Notice that the “Verified publisher” says “Adobe Systems Incorporated”.
Adobe Systems Incorporated - Adobe Flashplayer Installer
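
The same “Verified publisher” check can be done from PowerShell before the UAC prompt ever appears. This is an added example, not code from the original post: the file name and the expected publisher “Adobe Systems Incorporated” come from the text above, while the file path is assumed.

```powershell
# Added example, not code from the original post: before running an installer,
# check who actually signed it instead of trusting the file name. The file name
# and the expected publisher come from the post; the path is assumed.
$FilePath          = ".\installer_adobe_flash_player_English.exe"   # assumed location
$ExpectedPublisher = "Adobe Systems Incorporated"

function Test-InstallerPublisher {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Expected
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Anything but 'Valid' (NotSigned, HashMismatch, NotTrusted, ...) means the
    # signature itself cannot be relied on, so stop here.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{
            File   = $Path
            Signer = $null
            Ok     = $false
            Reason = "signature status is $($sig.Status): $($sig.StatusMessage)"
        }
    }

    # The certificate's common name is what the UAC prompt shows as
    # "Verified publisher". A valid signature from the wrong publisher, which is
    # the case the post describes, passes every check except this comparison.
    $cert   = $sig.SignerCertificate
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $signer = $cert.GetNameInfo($nameType, $false)
    $ok     = ($signer -eq $Expected)
    $reason = if ($ok) { "publisher matches" } else { "signed by '$signer', expected '$Expected'" }

    [pscustomobject]@{
        File    = $Path
        Signer  = $signer
        Issuer  = $cert.GetNameInfo($nameType, $true)
        Expires = $cert.NotAfter
        Ok      = $ok
        Reason  = $reason
    }
}

Test-InstallerPublisher -Path $FilePath -Expected $ExpectedPublisher | Format-List
```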

If you are considering running the file signed by FASt download got, I’d advise you not to. Delete it instead. Just check out the detection list from some of the anti-virus programs:

FASt download got anti virus

Avast reports installer_adobe_flash_player_English.exe as Win32:PUP-gen [PUP], AVG names it Downloader.FFH, CAT-QuickHeal reports Adware.NSIS.OutBrowse.A, DrWeb calls it Trojan.OutBrowse.263, ESET-NOD32 reports Win32/OutBrowse.BU potentially unwanted and McAfee-GW-Edition calls it BehavesLike.Win32.Suspicious.hc.

Did you also find a file digitally signed by FASt download got? What kind of download was it and where did you find it?

Thanks for reading.

Remove fkv.kaeygmagba.com from Chrome, Firefox and Internet Explorer

This page shows how to remove fkv.kaeygmagba.com from Mozilla Firefox, Google Chrome and Internet Explorer.

Does this sound like your story? You see fkv.kaeygmagba.com in your browser’s status bar while browsing sites that typically don’t load any content from third-party domains. Perhaps the fkv.kaeygmagba.com domain appears when performing a search at the Google search engine?

Here is a screenshot of fkv.kaeygmagba.com in the network log from my computer:

fkv.kaeygmagba.com connection

The following are some of the messages you may see in your browser’s status bar:

  • Waiting for fkv.kaeygmagba.com…
  • Transferring data from fkv.kaeygmagba.com…
  • Looking up fkv.kaeygmagba.com…
  • Read fkv.kaeygmagba.com
  • Connected to fkv.kaeygmagba.com…

If this sounds like what you are seeing, you presumably have some potentially unwanted program installed on your computer that makes the fkv.kaeygmagba.com domain appear in your browser. Contacting the owner of the web site you were browsing would be a waste of time; they are not responsible for the fkv.kaeygmagba.com status bar messages. I’ll do my best to help you remove the fkv.kaeygmagba.com message in this blog post.

If you have spent some time on this blog you already know this, but if you are new: some time ago I dedicated some of my lab systems to this and intentionally installed a few potentially unwanted programs on them. Since then I’ve been following the behaviour of these computers to see what kinds of advertisements are displayed. I’m also looking at other interesting things, such as whether the potentially unwanted program updates itself automatically, or whether it downloads and installs additional potentially unwanted programs on the computers. I first found fkv.kaeygmagba.com in Mozilla Firefox’s status bar on one of these lab systems.

fkv.kaeygmagba.com resolves to 5.153.38.133. fkv.kaeygmagba.com was registered on 2015-03-18.

So, how do you remove fkv.kaeygmagba.com from your web browser? On the machine where fkv.kaeygmagba.com showed up in the status bar I had TinyWallet, BlockAndSurf and BrowserWarden installed. I removed them with FreeFixer and that stopped the browser from loading data from fkv.kaeygmagba.com.

The problem with this type of status bar message is that it can be caused by many variants of potentially unwanted programs, not just the ones running on my machine. This makes it impossible to say exactly what you need to remove to stop the status bar messages.

Anyway, here’s my suggestion for the fkv.kaeygmagba.com removal:

The first thing I would do to remove fkv.kaeygmagba.com is to examine the programs installed on the machine by opening the “Uninstall programs” dialog. You can open this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows you can just type “uninstall” in the Control Panel’s search field to find that dialog:
Uninstall a program search

Click on the “Uninstall a program” link and the Uninstall programs dialog will open:
Uninstall a program dialog

Do you see something shady listed there, or something that you don’t remember installing? Tip: sort on the “Installed On” column to see if some program was installed around the same time as you started getting the fkv.kaeygmagba.com status bar messages.

Then I would check the browser add-ons. Potentially unwanted programs often appear under the add-ons menu in Mozilla Firefox, Google Chrome, Internet Explorer or Safari. Is there anything that looks suspicious? Something that you don’t remember installing?
Firefox add-ons manager
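
The “Installed On” check from the steps above can also be run from PowerShell, which reads the same registry keys the “Uninstall a program” dialog is built from and flags recent installs, entries with no publisher, and known names. This is an added example, not code from the original post: the registry paths are the standard Windows ones, and the watch list reuses the program names mentioned in the post as an assumed starting point.

```powershell
# Added example, not code from the original post: list installed programs newest
# first, the way sorting the "Uninstall a program" dialog on "Installed On" does,
# and flag entries worth a closer look. Registry paths are the standard Windows
# ones; the watch list is assumed and reuses names from the post.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$WatchList = @('TinyWallet', 'BlockAndSurf', 'BrowserWarden')   # assumed, from the post

function Get-InstalledPrograms {
    param([int] $RecentDays = 30)

    $cutoff = (Get-Date).AddDays(-$RecentDays)

    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            $entry = $_

            # InstallDate is a yyyyMMdd string and is often missing entirely;
            # a missing date or publisher is itself worth a second look.
            $installed = $null
            if ($entry.InstallDate -match '^\d{8}$') {
                $installed = [datetime]::ParseExact($entry.InstallDate, 'yyyyMMdd', $null)
            }

            $flag = ''
            if ($WatchList | Where-Object { $entry.DisplayName -like "*$_*" }) {
                $flag = 'on watch list'
            } elseif (-not $entry.Publisher) {
                $flag = 'no publisher'
            } elseif ($installed -and $installed -gt $cutoff) {
                $flag = "installed in last $RecentDays days"
            }

            [pscustomobject]@{
                Name        = $entry.DisplayName
                Publisher   = $entry.Publisher
                InstalledOn = $installed
                Location    = $entry.InstallLocation
                Flag        = $flag
            }
        } |
        Sort-Object InstalledOn -Descending
}

Get-InstalledPrograms -RecentDays 30 | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so both the per-machine (HKLM) and per-user (HKCU) keys are readable.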

I think you will be able to track down and remove the potentially unwanted program with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove it. FreeFixer is a freeware tool that I started developing about 8 years ago. It’s a tool designed to manually track down and remove unwanted software. When you’ve tracked down the unwanted files you can simply tick a checkbox and click the Fix button to remove them.

FreeFixer’s removal feature is not locked down like many other removal tools out there. It won’t require you to purchase the program just when you are about to remove the unwanted files.

And if you’re having trouble figuring out whether a file is clean or potentially unwanted in FreeFixer’s scan report, click on the More Info link for the file. That will open a web page with more information about the file. On that web page, check out the VirusTotal report, which can be very useful:

FreeFixer More Info link example
An example of FreeFixer’s “More Info” links. Click for full size.

Did this blog post help you remove fkv.kaeygmagba.com? Please let me know, or tell me how I can improve this blog post.

Thank you!

Premium Platform (Fried Cookie Ltd.) – 12% Detection Rate

Hello readers! Just a quick post on a file named FinalTorrentSetup.exe signed by Premium Platform (Fried Cookie Ltd.).

Premium Platform Fried Cookie publisher

Windows will display Premium Platform (Fried Cookie Ltd.) as the publisher when running the file. You can also view the certificate information by looking under the Digital Signature tab for the file. Here the certificate says that Premium Platform (Fried Cookie Ltd.) is located in Tel Aviv, Israel.

Premium Platform Fried Cookie Ltd certificate

Win32:Malware-gen, Application.Win32.InstallCore.DI, a variant of Win32/InstallCore.YH potentially unwanted and InstallCore (fs) are some detection names according to VirusTotal:

Premium Platform anti-virus report

Did you also find a Premium Platform (Fried Cookie Ltd.) file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thank you for reading.