Category Archives: browser status bar

LLC “DIVAROS SOFT” – 9% Detection Rate – PUP.Optional.LoadMoney

Hello! Having a quick break from the programming I’m doing right now. I’m doing some work on the freefixer.com web site. Just wanted to give you the heads up on a publisher called LLC “DIVAROS SOFT” that I ran into this morning:

LLC DIVAROS SOFT publisher

You will also see LLC “DIVAROS SOFT” listed as the verified publisher in the User Account Control dialog that pops up if you try to run the file. It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the LLC “DIVAROS SOFT” certificate. As you can see, LLC DIVAROS SOFT is located in Kiev, Ukraine.

LLC DIVAROS SOFT certificate

Comodo has issued the certificate.

So, why am I writing about the LLC “DIVAROS SOFT” file? Check out what the anti-virus programs report about the file:

LLC DIVAROS SOFT anti-virus report

Avira calls it ADWARE/Amonetize.Gen7, AVG names it Generic.A6F, VBA32 calls it SScope.Downware.Amonetize and Malwarebytes calls it PUP.Optional.LoadMoney, to list a few of the detection names for the file.

Did you also find an LLC “DIVAROS SOFT” file?

Thanks for reading. Now, back to coding…

Pop Up Ads and Status Bar Messages – October 2015

If you have been following me on the blog for the last six months you know that I often write about how to remove pop up ads and how to remove unwanted sites showing up in the browser’s status bar. In those blog posts, I show how to track down and remove unwanted software by using 1) the Windows Control Panel, 2) the browser’s add-on dialog or 3) the FreeFixer removal tool.

I often write a new blog post for each site that I find, which is quite time-consuming. In the upcoming months I’ll be focusing on developing some back-end stuff for FreeFixer, so I can’t be as active as I used to be on the blog. But I will at least summarise the finds that I make, with a screenshot, and post them here.

A pop up from se-arlig-undersokning.xyz:

se-arlig-undersokning.xyz

spartoo.se pop up:

spartoo.se pop up

barnebys.se pop up:

barnebys.se pop up

us.fps-pb.com pop up:

us.fps-pb.com pop up

and a pop up ad from luxuryslotonline.com:

luxuryslotonline.com pop up

A pop up from d31f5ec245utk2.cloudfront.net:

d31f5ec245utk2.cloudfront.net pop up

go.leguide.com pop up:

go.leguide.com pop up

dream-marriage.com pop up:

dream-marriage.com pop up

tracking.tfxiq.net in the status bar:

tracking.tfxiq.net

Pop up from machine.billionoptions.net:

machine.billionoptions.net

Pop up from aftonbladet.se.05b.xyz:

aftonbladet.se.05b.xyz pop up

kds.adspirit.de pop up:

kds.adspirit.de pop up

A pop up from chachagong23.com:

chachagong23.com pop up

dry.papaerleaf.com in the status bar:

dry.papaerleaf.com

super-promo.guqu.info pop up:

super-promo.guqu.info

rqf.receptorirrigated.com in the status bar:

rqf.receptorirrigated.com

A pop up ad from 123mymovies.com:

123mymovies.com pop up

adss.comeadvertisewithus.com in Firefox’ status bar:

adss.comeadvertisewithus.com

A pop up from static.millionairetruth.com:

static.millionairetruth.com pop up

gets.attracteffectclub.info in the status bar:

gets.attracteffectclub.info

A pop-up ad from super-promo.gufu.info:

super-promo.gufu.info pop up

While doing a search at Google, ads.egrana.com.br showed up in the status bar:

ads.egrana.com.br status bar

pinsght.com in the status bar:

pinsght.com

super-promo.goas.info pop up:

super-promo.goas.info pop up

A pop-up from cnn.officialreport.info:

cnn.officialreport.info pop up

While searching at Google’s search engine, cdn1.clktag.com popped up in the status bar:

cdn1.clktag.com status bar

karriar-magazine.com pop up ad:

karriar-magazine.com pop up

Pop-up ad from super-promo.gipi.info:

super-promo.gipi.info

api.pixelcloudhit.com in the status bar:

api.pixelcloudhit.com status bar

And a pop up from scanscasino.com:

scanscasino.com pop up

Pop up ad from super-promo.giiy.info:

super-promo.giiy.info

swf.chequebooksbruising.com in the browser’s status bar:

swf.chequebooksbruising.com

A pop up from super-promo.giip.info:

super-promo.giip.info

and cdn3.org showed up in the network log:

cdn3.org

bcp.crwdcntrl.net loaded from google:

bcp.crwdcntrl.net

anddogen.com in the status bar:

anddogen.com

A pop up from super-promo.gurs.info.

A pop up ad about oil-trading from preg.conquer-media.com:

preg.conquer-media.com pop up

i_sbitinbsjs_info.tlscdn.com showed up in the status bar of Mozilla Firefox while searching at Google. Here’s a dump from the network log.

i_sbitinbsjs_info.tlscdn.com

technologiestuart.com also showed up in the status bar while doing the Google search:

www.technologiestuart.com

The Wajam adware is responsible for that connection.

A bunch of netdna-ssl.com domains showing up in the Firefox status bar, while searching at Google. The domains were:

  • 4x3zy4ql-l8bu4n1j.netdna-ssl.com
  • 5k9v3bc1-enehfzfv.netdna-ssl.com
  • d13j8bqw-l8bu4n1j.netdna-ssl.com
  • j9bruvxk-l8bu4n1j.netdna-ssl.com

4x3zy4ql-l8bu4n1j.netdna-ssl.com   5k9v3bc1-enehfzfv.netdna-ssl.com

A pop-up ad from super-promo.gazy.info:

super-promo.gazy.info pop up

A survey pop-up ad from super-promo.gaol.info:

super-promo.gaol.info pop up

jscdnbox.com loading while searching at Google:

jscdnbox.com

s.tlscdn.com in Firefox’ status bar:

s.tlscdn.com

Here’s isi.envelopspunnet.com in the status bar:

isi.envelopspunnet.com

Pop up ad from super-promo.gaah.info:

super-promo.gaah.info pop up

stat.vidcore.tv in the status bar:

stat.vidcore.tv

A pop-up from nordicslabel.com:

nordicslabel.com pop up

Adsvids.com in the status bar:

adsvids.com

A pop-up ad from super-promo.fuvu.info:

super-promo.fuvu.info pop up

The 8casino-x.com pop up ad:

8casino-x.com pop up

omq.relievingdungeons.com may show up in your browser’s status bar:

omq.relievingdungeons.com

go.herdailyvideos.com in Firefox’ status bar:

go.herdailyvideos.com

bit-search.com in the status bar:

bit-search.com

search.smartshopping.com also in the status bar:

search.smartshopping.com

tracking.audience.media in the status bar, while searching at Google:

tracking.audience.media

And here’s a pop up from super-promo.grav.info:

super-promo.grav.info pop up

cf.vsavr.com in the network log:

cf.vsavr.com

prod.vsearchr.com, also in the network log:

prod.vsearchr.com

A popup ad from super-promo.geew.info:

super-promo.geew.info pop up

A pop up from financialsecrets.info.

Other sites that showed up in the network log while doing a search at Google:


A few other sites that appeared in my network log:


Ran into a file signed by BoxI DJV.

BoxI DJV file

Ran into a file signed by Media Theory (Fried Cookie Ltd):

Media Theory (Fried Cookie Ltd)

Somewhat unrelated, but I’ve also run into an add-on called FirefixTab 0.1.13:

FirefixTab 0.1.13

 

Remove ert.fearfromnone.com From Your Browser

This page shows how to remove ert.fearfromnone.com from Mozilla Firefox, Google Chrome and Internet Explorer.

Does this sound like your story? You see ert.fearfromnone.com in your browser’s status bar while browsing on sites that usually don’t load any content from third party domains. Maybe the ert.fearfromnone.com domain shows up when performing a search at the Google search engine?

Here’s a screenshot of ert.fearfromnone.com when it showed up on my system:

ert.fearfromnone.com

(Sorry for the large number of watermarks. If I don’t add them, the screenshot will be used without attribution at some other blogs)

Here are some of the status bar messages you may see in your browser’s status bar:

  • Waiting for ert.fearfromnone.com…
  • Transferring data from ert.fearfromnone.com…
  • Looking up ert.fearfromnone.com…
  • Read ert.fearfromnone.com
  • Connected to ert.fearfromnone.com…

If this description sounds like your machine, you probably have some potentially unwanted program installed on your computer that makes the ert.fearfromnone.com domain appear in your web browser. So there’s no point in contacting the owner of the website you were browsing. The ert.fearfromnone.com status bar messages are not coming from them. I’ll try to help you with the ert.fearfromnone.com removal in this blog post.

For those that are new to the blog: Not long ago I dedicated some of my lab computers and intentionally installed some potentially unwanted programs on them. I have been monitoring the behaviour on these computers to see what kinds of advertisements, if any, are displayed. I’m also looking at other interesting things, such as whether the potentially unwanted program updates itself automatically, or whether it downloads additional software on the computers. I first spotted ert.fearfromnone.com in Mozilla Firefox’s status bar on one of these lab machines.

ert.fearfromnone.com resolves to the 8.34.112.226 IP address. ert.fearfromnone.com was registered on 2015-01-05.

So, how do you remove ert.fearfromnone.com from your browser? On the machine where ert.fearfromnone.com showed up in the status bar I had WNet, CashReminder, PlainSavings and ActSys installed. I removed them with FreeFixer and that stopped the web browser from loading data from ert.fearfromnone.com.

If you are wondering if there are many others out there seeing ert.fearfromnone.com in the browser, the answer is probably yes. Check out the traffic rank from Alexa:

The problem with status bar messages like this one is that they can be caused by many variants of potentially unwanted programs, not just the potentially unwanted program that’s installed on my machine. This makes it impossible to say exactly what you need to remove to stop the status bar messages.

Anyway, here’s my suggestion for the ert.fearfromnone.com removal:

  1. What software do you have installed if you look in the Add/Remove programs dialog in the Windows Control Panel? Something that you don’t remember installing yourself or that was recently installed?
  2. How about the add-ons you have in your web browsers? Anything in the list that you don’t remember installing?
  3. If that didn’t help, I’d recommend a scan with FreeFixer to manually track down the potentially unwanted program. FreeFixer is a freeware tool that I’m working on that scans your computer at lots of locations, such as browser add-ons, processes, Windows services, recently modified files, etc. If you want to get additional details about a file in the scan result, you can click the More Info link for that file and a web page will open up with a VirusTotal report which will be very useful to determine if the file is safe or malware:

    FreeFixer More Info link example
    An example of FreeFixer’s “More Info” links.

Did you find any potentially unwanted program on your machine? Did that stop ert.fearfromnone.com? Please post the name of the potentially unwanted program you uninstalled from your machine in the comments below.

Thank you!

Remove tradeadexchange.com from Firefox, Chrome and Internet Explorer.

This page shows how to remove tradeadexchange.com from Mozilla Firefox, Google Chrome and Internet Explorer.

Did you just see tradeadexchange.com in the status bar of your web browser and wonder where it came from? Or did tradeadexchange.com show up while you searched for something on one of the major search engines, such as the Google search engine?

Here is what the tradeadexchange.com status bar message looked like on my computer:

tradeadexchange.com

The following are some of the status bar messages you may see in your browser’s statusbar:

  • Waiting for tradeadexchange.com…
  • Transferring data from tradeadexchange.com…
  • Looking up tradeadexchange.com…
  • Read tradeadexchange.com
  • Connected to tradeadexchange.com…

If this sounds like what you are seeing on your computer, you almost certainly have some potentially unwanted program installed on your system that makes the tradeadexchange.com domain appear in your browser. Don’t write angry emails to the site you were browsing; they are most likely not responsible for the tradeadexchange.com status bar messages. The potentially unwanted program on your system is. I’ll do my best to help you remove the tradeadexchange.com message in this blog post.

Those that have been spending some time on this blog already know this, but here we go: Not long ago I dedicated a few of my lab machines and intentionally installed a few potentially unwanted programs on them. I have been tracking the behaviour on these systems to see what kinds of advertisements, if any, are displayed. I’m also looking at other interesting things, such as whether the potentially unwanted program auto-updates, or whether it installs additional software on the machines. I first found tradeadexchange.com in Mozilla Firefox’s status bar on one of these lab computers.

tradeadexchange.com was registered on 2015-04-27. www.tradeadexchange.com resolves to the 104.197.47.161 IP address and tradeadexchange.com to 104.197.47.161. It seems the site is getting quite a lot of traffic:

tradeadexchange.com traffic

So, how do you remove tradeadexchange.com from your browser? On the machine where tradeadexchange.com showed up in the status bar I had WNet, ActSys, PlainSavings and CashReminder installed. I removed them with FreeFixer and that stopped the browser from loading data from tradeadexchange.com.

The issue with status bar messages like this one is that they can be caused by many variants of potentially unwanted programs. This makes it impossible to say exactly what you need to remove to stop the status bar messages.

So, what can be done to solve the problem? To remove tradeadexchange.com you need to review your machine for potentially unwanted programs and uninstall them. Here’s my suggested removal procedure:

  1. Review what programs you have installed in the Add/Remove programs dialog in the Windows Control Panel. Do you see something that you don’t remember installing or that was recently installed?
  2. How about the add-ons you have in your browsers? Anything in the list that you don’t remember installing?
  3. If that didn’t solve the problem, I’d recommend a scan with FreeFixer to manually track down the potentially unwanted program. FreeFixer is a freeware tool that I’m working on that scans your computer at lots of locations, such as browser add-ons, processes, Windows services, recently modified files, etc. If you want to get additional details about a file in the scan result, you can click the More Info link for that file and a web page will open up with a VirusTotal report which will be very useful to determine if the file is safe or malware:

    FreeFixer More Info link example
    An example of FreeFixer’s “More Info” links.

Did you find any potentially unwanted program on your machine? Did that stop tradeadexchange.com? Please post the name of the potentially unwanted program you uninstalled from your machine in the comments below.

Thank you!

Remove pstatic.pricemoon.co and istatic.pricemoon.co

This page shows how to remove pstatic.pricemoon.co and istatic.pricemoon.co from Mozilla Firefox, Google Chrome and Internet Explorer.

Did you just see pstatic.pricemoon.co in the status bar of your browser and wonder where it came from? Or did pstatic.pricemoon.co show up while you searched for something on one of the major search engines, such as the Google search engine?

Here is what the pstatic.pricemoon.co status bar message looked like on my system:

pstatic.pricemoon.co

The following are some of the status bar messages you may see in your browser’s status bar:

  • Waiting for pstatic.pricemoon.co…
  • Transferring data from pstatic.pricemoon.co…
  • Looking up pstatic.pricemoon.co…
  • Read pstatic.pricemoon.co
  • Connected to pstatic.pricemoon.co…

If this sounds like what you are seeing, you most likely have some potentially unwanted program installed on your computer that makes the pstatic.pricemoon.co domain appear in your browser. So there’s no point in contacting the owner of the web site you were browsing. The pstatic.pricemoon.co status bar messages are not coming from them. I’ll try to help you remove the pstatic.pricemoon.co status bar messages in this blog post.

Those that have been visiting this blog already know this, but here we go: A little while back I dedicated some of my lab machines and knowingly installed a few potentially unwanted programs on them. I’ve been observing the behaviour on these computers to see what kinds of advertisements, if any, are displayed. I’m also looking at other interesting things, such as whether the potentially unwanted program updates itself, or whether it installs additional software on the computers. I first spotted pstatic.pricemoon.co in Mozilla Firefox’s status bar on one of these lab systems.

pstatic.pricemoon.co was registered on 2015-05-27. istatic.pricemoon.co resolves to the 104.31.65.182 address and so does pstatic.pricemoon.co.

So, how do you remove pstatic.pricemoon.co and istatic.pricemoon.co from your browser? On the machine where pstatic.pricemoon.co showed up in the status bar I had ActSys, WNet, PlainSavings and CashReminder installed. I removed them with FreeFixer and that stopped the browser from loading data from pstatic.pricemoon.co.

The problem with status bar messages like the one described in this blog post is that they can be caused by many variants of potentially unwanted programs. This makes it impossible to say exactly what you need to remove to stop the status bar messages.

Anyway, here’s my suggestion for the pstatic.pricemoon.co removal:

  1. What software do you have installed if you look in the Add/Remove programs dialog in the Windows Control Panel? Something that you don’t remember installing yourself or that was recently installed?
  2. You can also examine the add-ons you installed in Mozilla Firefox, Google Chrome, Internet Explorer or Safari. Same thing here, do you see something that you don’t remember installing?
  3. If that did not help, you can give FreeFixer a try. FreeFixer is built to assist users when manually tracking down potentially unwanted programs. It is a freeware utility that I’ve been working on since 2006 and it scans your machine at lots of locations where unwanted software is known to hook into your system. If you would like to get additional details about a file in FreeFixer’s scan result, you can just click the More Info link for that file and a web page with a VirusTotal report will open up, which can be very useful to determine if the file is safe or malware:

    FreeFixer More Info link example
    An example of FreeFixer’s “More Info” links.

Did you find any potentially unwanted program on your machine? Did that stop pstatic.pricemoon.co? Please post the name of the potentially unwanted program you uninstalled from your machine in the comments below.

Thank you!

Remove pesquisa.ninja from Firefox, Chrome and Internet Explorer

This page shows how to remove pesquisa.ninja from Mozilla Firefox, Google Chrome and Internet Explorer.

pesquisa.ninja

Did you just see pesquisa.ninja in the status bar of your browser and ask yourself where it came from? Or did pesquisa.ninja show up while you searched for something on one of the major search engines, such as the Google.com search engine?

(Sorry for the watermarks. Need to add them to prevent the most blatant attempts of other bloggers using my screenshots without attribution)

In my case, pesquisa.ninja showed up in the status bar while I was doing a search at Google.

The following are some of the status bar messages you may see in your browser’s status bar:

  • Waiting for pesquisa.ninja…
  • Transferring data from pesquisa.ninja…
  • Looking up pesquisa.ninja…
  • Read pesquisa.ninja
  • Connected to pesquisa.ninja…

If this sounds like your experience, you probably have some potentially unwanted program installed on your system that makes the pesquisa.ninja domain appear in your web browser. Contacting the owner of the site you were at would be a waste of time. The pesquisa.ninja status bar messages are not coming from them. I’ll try to help you remove the pesquisa.ninja status bar messages in this blog post.

Those that have been following this blog already know this, but here we go: A little while back I dedicated some of my lab systems and deliberately installed some potentially unwanted programs on them. I have been observing the behaviour on these computers to see what kinds of advertisements, if any, are displayed. I’m also looking at other interesting things, such as whether the potentially unwanted program updates itself, or whether it downloads and installs additional software on the systems. I first noticed pesquisa.ninja in Mozilla Firefox’s status bar on one of these lab computers.

pesquisa.ninja resolves to the 89.30.141.30 address. pesquisa.ninja was registered on 2014-09-22.

According to DomainTools and YouGetSignal’s reverse lookup, the following domains also resolve to the same IP address:

  • bogots.com
  • dounty.com
  • pesquisa.ninja
  • pesquisa.gratis
  • vancouver.craigslist.ca
  • www.safesearch.co
  • zwiiky.com

So, how do you remove pesquisa.ninja from your browser? On the machine where pesquisa.ninja showed up in the status bar I had WNet, CashReminder, ActSys and Plain Savings installed. I removed them with FreeFixer and that stopped the browser from loading data from pesquisa.ninja.

Judging from Alexa’s traffic rank, pesquisa.ninja is getting quite a lot of traffic:

pesquisa.ninja

The bad news with status bar notifications such as this one is that they can be caused by many variants of potentially unwanted programs, not just the potentially unwanted program that’s installed on my system. This makes it impossible to say exactly what you need to remove to stop the status bar messages.

Anyway, here’s my suggestion for the pesquisa.ninja removal:

  1. What software do you have installed if you look in the Add/Remove programs dialog in the Windows Control Panel? Something that you don’t remember installing yourself or that was recently installed?
  2. You can also check the web browser add-ons. Same thing here, do you see something that you don’t remember installing?
  3. If that did not help, I’d recommend a scan with FreeFixer to manually track down the potentially unwanted program. FreeFixer is a freeware tool that I’m working on that scans your computer at lots of locations, such as browser add-ons, processes, Windows services, recently modified files, etc. If you want to get additional details about a file in the scan result, you can click the More Info link for that file and a web page will open up with a VirusTotal report which will be very useful to determine if the file is safe or malware:

    FreeFixer More Info link example
    An example of FreeFixer’s “More Info” links.

Did you find any potentially unwanted program on your machine? Did that stop pesquisa.ninja? Please post the name of the potentially unwanted program you uninstalled from your machine in the comments below.

Thank you!

TEA TIME BISCUITS – 21% Detection Rate – DownloadAdmin / Jaik

Welcome! Just wanted to give you the heads up on a file called “additionaloffers-setup[1].exe” that’s digitally signed by TEA TIME BISCUITS.

TEA TIME BISCUITS certificate

 

I found this file on my lab machine after trying out a download from CNet’s Download.com site.

You can view the certificate shown above by right-clicking on the file, choosing Properties and then clicking on the Digital Signatures tab. According to the embedded certificate we can see that TEA TIME BISCUITS seems to be located in San Francisco, California, US and that the certificate is issued by VeriSign Class 3 Code Signing 2010 CA.
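The same Digital Signatures check, here and in the LLC “DIVAROS SOFT” post above, can be done from PowerShell for a whole folder of downloads. This is an added example, not part of the original post or of FreeFixer; the function name `Get-SignerSummary` and the Downloads folder are assumptions.

```powershell
# Added example (not from the original post): summarise who signed each file.
# A "Valid" status only says who signed the file and that it was not altered
# afterwards; as the detection names in these posts show, it does not say the
# file is wanted. The SHA256 column can be used to look the file up on VirusTotal.

function Get-SignerSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$Path
    )

    foreach ($p in $Path) {
        # -LiteralPath matters for names such as additionaloffers-setup[1].exe:
        # with -FilePath the square brackets would be treated as a wildcard.
        $sig  = Get-AuthenticodeSignature -LiteralPath $p
        $cert = $sig.SignerCertificate      # $null when the file is unsigned

        # Split the certificate subject into its fields (CN, O, L, S, C ...).
        # Format($true) prints one field per line, so a quoted comma inside a
        # company name cannot break the parsing.
        $fields = @{}
        if ($cert) {
            foreach ($line in ($cert.SubjectName.Format($true) -split "`r?`n")) {
                if ($line -match '^\s*([A-Za-z0-9.]+)=(.*)$') {
                    $fields[$Matches[1]] = $Matches[2].Trim()
                }
            }
        }

        [pscustomobject]@{
            File      = [System.IO.Path]::GetFileName($p)
            Status    = $sig.Status         # Valid, NotSigned, HashMismatch, ...
            Publisher = if ($cert) { $cert.GetNameInfo('SimpleName', $false) } else { $null }
            City      = $fields['L']
            Country   = $fields['C']
            IssuedBy  = if ($cert) { $cert.GetNameInfo('SimpleName', $true) } else { $null }
            NotAfter  = if ($cert) { $cert.NotAfter } else { $null }
            SHA256    = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        }
    }
}

# Usage: review every .exe in the (assumed) Downloads folder, grouped by publisher.
$dir = Join-Path $env:USERPROFILE 'Downloads'
$exe = Get-ChildItem -LiteralPath $dir -Filter *.exe -File
if ($exe) {
    Get-SignerSummary -Path $exe.FullName |
        Sort-Object Publisher |
        Format-Table File, Status, Publisher, City, Country, IssuedBy -AutoSize
}
```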

So, what’s the issue with the TEA TIME BISCUITS file? Just check out the detections by some of the anti-virus programs:

F-Secure reports additionaloffers-setup[1].exe as Gen:Variant.Application.Jaik, GData detects it as Gen:Variant.Application.Jaik.8223 and Malwarebytes calls it PUP.Optional.DownloadAdmin.

TEA TIME BISCUITS anti-virus report

Did you also find a TEA TIME BISCUITS file? Do you remember where you downloaded it?

Thank you for reading.

Remove ib.adnxs.com from Firefox, Chrome and Internet Explorer

This page shows how to remove ib.adnxs.com from Mozilla Firefox, Google Chrome and Internet Explorer.

Does this sound familiar? You see ib.adnxs.com in your browser’s status bar while browsing web sites that generally don’t load any content from third party domains. Perhaps the ib.adnxs.com domain appears when performing a search at the Google search engine?

Here’s a screenshot of ib.adnxs.com when it showed up on my computer:

ib.adnxs.com

(I know, lots of watermarks. Have to do it to stop the copy-cats.)

The following are some of the status bar messages you may see in your browser’s status bar:

  • Waiting for ib.adnxs.com…
  • Transferring data from ib.adnxs.com…
  • Looking up ib.adnxs.com…
  • Read ib.adnxs.com
  • Connected to ib.adnxs.com…

If this description sounds like what you are seeing, you presumably have some potentially unwanted program installed on your system that makes the ib.adnxs.com domain appear in your browser. Contacting the owner of the site you were at would be a waste of time. The ib.adnxs.com status bar messages are not coming from them. I’ll do my best to help you with the ib.adnxs.com removal in this blog post.

I found ib.adnxs.com on one of the lab systems where I have some potentially unwanted programs running. I’ve talked about this in some of the previous blog posts. The potentially unwanted programs were installed on purpose, and from time to time I check if something new has appeared, such as pop-up windows, new tabs in the browsers, injected ads on web sites that usually don’t show ads, or if some new files have been saved to the hard-drive.

ib.adnxs.com was registered on 2008-05-27. ib.adnxs.com resolves to the 68.67.153.211 address. adnxs.net is located on the same IP.

So, how do you remove ib.adnxs.com from your browser? On the machine where ib.adnxs.com showed up in the status bar I had YouTubeAdBlocke, SalePlus and IStart 5.3.7 installed. I removed them with FreeFixer and that stopped the browser from loading data from ib.adnxs.com.

Judging from Alexa’s traffic rank, ib.adnxs.com is getting quite a lot of traffic:

adnxs.com traffic

The bad news with this type of status bar message is that it can be caused by many variants of potentially unwanted programs, not just the potentially unwanted program that’s installed on my system. This makes it impossible to say exactly what you need to remove to stop the status bar messages.

Anyway, here’s my suggestion for the ib.adnxs.com removal:

The first thing I would do to remove ib.adnxs.com is to examine the programs installed on the machine, by opening the “Uninstall programs” dialog. You can open this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows OS you can just type in “uninstall” in the Control Panel’s search field to find that dialog:
Uninstall a program search

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Uninstall a program dialog

Do you see something suspicious in there or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if something was installed at about the same time as you started seeing the ib.adnxs.com status bar messages.

Then I would check the web browser add-ons. Potentially unwanted programs often show up under the add-ons menu in Google Chrome, Mozilla Firefox, Internet Explorer, Safari or Opera. Is there something that looks suspicious? Something that you don’t remember installing?
Firefox add-ons manager

I think you will be able to identify and uninstall the potentially unwanted program with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the potentially unwanted program. FreeFixer is a freeware tool that I started developing many years ago. FreeFixer is a tool built to manually track down and uninstall unwanted software. When you’ve identified the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.

FreeFixer’s removal feature is not crippled like many other removal tools out there. It will not require you to purchase the program just when you are about to remove the unwanted files.

And if you’re having a hard time determining if a file is safe or potentially unwanted in the FreeFixer scan result, click on the More Info link for the file. That will open up your browser with a page which contains additional information about the file. On that web page, check out the VirusTotal report which can be very useful:

FreeFixer More Info link example
An example of FreeFixer’s “More Info” links.
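The first step of the procedure above, including the “Installed On” tip, can also be done from PowerShell. This is an added example, not part of the original post or of FreeFixer; the function name `Get-InstalledProgramByDate`, the 14-day window and the sample date are assumptions.

```powershell
# Added example (not from the original post): list installed programs by
# install date and mark those installed near the day the status bar messages
# started. The date in the usage line is a constructed sample value.

function Get-InstalledProgramByDate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [datetime]$FirstSeen,      # day you first noticed the unwanted domain
        [int]$WindowDays = 14      # how far around that day to flag installs
    )

    # The registry entries behind the "Uninstall a program" dialog: per-machine
    # (64-bit and 32-bit views) and per-user.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            $installed = $null
            $source    = 'unknown'
            $parsed    = [datetime]::MinValue

            # InstallDate is optional and, when present, is written as yyyyMMdd.
            $ok = [datetime]::TryParseExact(
                [string]$_.InstallDate, 'yyyyMMdd',
                [cultureinfo]::InvariantCulture,
                [System.Globalization.DateTimeStyles]::None, [ref]$parsed)

            if ($ok) {
                $installed = $parsed
                $source    = 'InstallDate value'
            }
            elseif ($_.InstallLocation) {
                # Fallback when the installer wrote no date: use the creation
                # time of the install folder, if that folder still exists.
                $loc = ([string]$_.InstallLocation).Trim().Trim('"')
                if ($loc -and (Test-Path -LiteralPath $loc -ErrorAction SilentlyContinue)) {
                    $installed = (Get-Item -LiteralPath $loc -Force).CreationTime.Date
                    $source    = 'install folder creation time'
                }
            }

            $delta = if ($installed) { [int]($installed - $FirstSeen.Date).TotalDays } else { $null }

            [pscustomobject]@{
                Name              = $_.DisplayName
                Publisher         = $_.Publisher
                InstalledOn       = $installed
                DateSource        = $source
                DaysFromFirstSeen = $delta
                NearFirstSeen     = ($null -ne $delta) -and ([math]::Abs($delta) -le $WindowDays)
            }
        } |
        Sort-Object InstalledOn -Descending
}

# Usage: the messages were first noticed on 2015-10-01 (constructed date).
Get-InstalledProgramByDate -FirstSeen '2015-10-01' -WindowDays 14 |
    Format-Table Name, Publisher, InstalledOn, DateSource, NearFirstSeen -AutoSize
```

Entries with an empty InstalledOn sort last and still need a manual look, and browser add-ons are not covered by these registry keys.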

Did this blog post help you to remove ib.adnxs.com? Please let me know, or tell me how I can improve this blog post.

Thank you!

Remove buzzdock.com from Firefox, Chrome and Internet Explorer

This page shows how to remove buzzdock.com from Mozilla Firefox, Google Chrome and Internet Explorer.

Did you just see buzzdock.com in the status bar of your browser and ponder where it came from? Or did buzzdock.com show up while you searched for something on one of the major search engines, such as the Google search engine?

Here’s a screen dump of buzzdock.com when it showed up on my machine:

buzzdock.com status bar

As you can see, it appeared while I did a search at Google.

The following are some of the statusbar messages you may see in your browser’s status bar:

  • Waiting for buzzdock.com…
  • Transferring data from buzzdock.com…
  • Looking up buzzdock.com…
  • Read buzzdock.com
  • Connected to buzzdock.com…

If this sounds like what you see on your computer, you apparently have some potentially unwanted program installed on your machine that makes the buzzdock.com domain appear in your browser. So don’t flame the people that run the web site you were at when you first spotted buzzdock.com in the status bar. They are apparently not responsible; the messages come from the potentially unwanted program that’s running on your machine. I’ll try to help you with the buzzdock.com removal in this blog post.

For those that are new to the blog: Not long ago I dedicated some of my lab computers and deliberately installed some potentially unwanted programs on them. I’ve been monitoring the behaviour on these computers to see what kinds of ads, if any, are displayed. I’m also looking at other interesting things, such as whether the potentially unwanted program updates itself automatically, or whether it downloads additional software on the computers. I first spotted buzzdock.com in Mozilla Firefox’s status bar on one of these lab machines.

buzzdock.com was registered on 2009-11-02. buzzdock.com resolves to the 8.25.35.116 IP address. I’ve also seen edge.buzzdock.com in use.

So, how do you remove buzzdock.com from your browser? On the machine where buzzdock.com showed up in the status bar I had PriceFountain, SpeedChecker, YTDownloader and WebWaltz installed. I removed them with FreeFixer and that stopped the browser from loading data from buzzdock.com.

The issue with status bar messages like this one is that they can be caused by many variants of potentially unwanted programs, not just the potentially unwanted programs installed on my machine. This makes it impossible to say exactly what you need to remove to stop the status bar messages.

Anyway, here’s my suggestion for the buzzdock.com removal:

The first thing I would do to remove buzzdock.com is to examine the software installed on the machine, by opening the “Uninstall programs” dialog. You can open this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows you can just type in “uninstall” in the Control Panel’s search field to find that dialog:
Uninstall a program search

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Uninstall a program dialog

Do you see something dubious in there or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if something was installed about the same time as you started seeing the buzzdock.com status bar messages.

Then you can examine your browser add-ons. Potentially unwanted programs often appear under the add-ons dialog in Chrome, Firefox, Internet Explorer or Safari. Is there anything that looks suspicious? Something that you don’t remember installing?
Firefox add-ons manager

I think most users will be able to find and remove the potentially unwanted program with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the potentially unwanted program. FreeFixer is a freeware tool that I started developing many years ago. It is built to manually identify and remove unwanted software. When you’ve tracked down the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.

FreeFixer’s removal feature is not crippled like many other removal tools out there. It won’t require you to pay a fee just when you are about to remove the unwanted files.

And if you’re having trouble deciding if a file is clean or potentially unwanted in FreeFixer’s scan result, click on the More Info link for the file. That will open up a web page which contains additional information about the file. On that web page, check out the VirusTotal report which can be very useful:

An example of FreeFixer’s “More Info” links.

Did you find any potentially unwanted program on your machine? Did that stop buzzdock.com? Please post the name of the potentially unwanted program you uninstalled from your machine in the comments below.

Thank you!

Remove go.1800option.com and promotions.1800option.com Pop Up Ads

Did you just get a pop-up from go.1800option.com or promotions.1800option.com and wonder where it came from? Did the go.1800option.com ad appear to have been initiated from a web site that under normal circumstances doesn’t use advertising such as pop-up windows? Or did the go.1800option.com pop-up show up when you clicked a link on one of the major search engines, such as Google, Bing or Yahoo?

Here is what the go.1800option.com ad looked like on my machine:

go.1800option.com pop up

And here’s promotions.1800option.com in the status bar:

promotions.1800option.com status bar

If this sounds like what you are seeing on your computer, you most likely have some adware installed on your computer that pops up the go.1800option.com ads. There’s no use contacting the owners of the site you were browsing. The ads are not coming from them. I’ll try to help you remove the go.1800option.com pop-ups in this blog post.

For those that are new to the blog: Recently I dedicated some of my lab computers and deliberately installed a few adware programs on them. Since then I’ve been monitoring the behaviour on these computers to see what kinds of advertisements are displayed. I’m also looking at other interesting things, such as whether the adware updates itself automatically or installs additional unwanted software on the machines. I first found the go.1800option.com pop-up on one of these lab computers.

go.1800option.com was registered on 2014-08-13. promotions.1800option.com resolves to 199.83.129.86 and go.1800option.com to the 92.222.66.143 IP address.

So, how do you remove the go.1800option.com pop-up ads? On the machine where I got the go.1800option.com ads I had istartsurf, MedPlayerNewVersion and Movie Wizard installed. I removed them with FreeFixer and that stopped the go.1800option.com pop-ups and all the other ads I was getting in Mozilla Firefox.

If you are wondering whether there are many others out there also getting the go.1800option.com ads, the answer is probably yes. Check out the traffic rank from Alexa:

1800option.com traffic rank

The problem with pop-ups like this one is that they can be popped up by many variants of adware, not just the adware running on my system. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

So, what can be done to solve the problem? To remove the go.1800option.com pop-up ads you need to review your system for adware or other types of unwanted software and uninstall it. Here’s my suggested removal procedure:

The first thing I would do to remove the go.1800option.com pop-ups is to examine the programs installed on the machine, by opening the “Uninstall programs” dialog. You can reach this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows you can just type in “uninstall” in the Control Panel’s search field to find that dialog:
Uninstall a program search

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Uninstall a program dialog

Do you see something strange-looking in there or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if some program was installed at about the same time as you started getting the go.1800option.com pop-ups.
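The “Installed On” check from both removal walkthroughs above (buzzdock.com and go.1800option.com), as an added PowerShell example that is not part of the original post or of FreeFixer: it reads the registry keys behind the “Uninstall a program” dialog and lists programs installed within a few days of when the symptoms began. The `$FirstSeen` date and `$WindowDays` value are constructed sample values that you would adjust to your own case.

```powershell
# Assumption: the day the ads or status bar messages first appeared (constructed sample).
$FirstSeen  = [datetime]'2015-10-01'
# Assumption: how many days either side of that date to include.
$WindowDays = 7

# Registry locations that back the "Uninstall a program" dialog:
# 64-bit programs, 32-bit programs on 64-bit Windows, and per-user installs.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$programs = foreach ($key in $uninstallKeys) {
    Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            # InstallDate is optional; when present it is usually a yyyyMMdd string.
            # TryParseExact tolerates missing or malformed values without throwing.
            $parsed = [datetime]::MinValue
            $ok = [datetime]::TryParseExact(
                [string]$_.InstallDate, 'yyyyMMdd',
                [Globalization.CultureInfo]::InvariantCulture,
                [Globalization.DateTimeStyles]::None, [ref]$parsed)
            [pscustomobject]@{
                Name        = $_.DisplayName
                Publisher   = $_.Publisher
                InstalledOn = if ($ok) { $parsed }
            }
        }
}

# Programs installed close to the date the symptoms started, newest first.
$programs |
    Where-Object { $_.InstalledOn -and
        [math]::Abs(($_.InstalledOn - $FirstSeen).TotalDays) -le $WindowDays } |
    Sort-Object InstalledOn -Descending |
    Format-Table Name, Publisher, InstalledOn -AutoSize

# Entries without a recorded install date cannot be placed in time; review them by hand.
$programs | Where-Object { -not $_.InstalledOn } |
    Sort-Object Name | Format-Table Name, Publisher -AutoSize
```

Browser add-ons are not covered by these keys, so the add-on check described next still has to be done in each browser.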

The next thing to check would be your browser’s add-ons. Adware often appears under the add-ons menu in Google Chrome, Mozilla Firefox, Internet Explorer, Safari or Opera. Is there anything that looks suspicious? Something that you don’t remember installing?
Firefox add-ons manager

I think most users will be able to find and uninstall the adware with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the adware. FreeFixer is a freeware tool that I started developing many years ago. It’s a tool designed to manually find and remove unwanted software. When you’ve identified the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.

FreeFixer’s removal feature is not crippled like many other removal tools out there. It won’t require you to purchase the program just when you are about to remove the unwanted files.

And if you’re having difficulties figuring out if a file is safe or unsafe in FreeFixer’s scan result, click on the More Info link for the file. That will open up a web page which contains additional information about the file. On that web page, check out the VirusTotal report which can be very useful:

An example of FreeFixer’s “More Info” links.

Did you find any adware on your machine? Did that stop the go.1800option.com ads? Please post the name of the adware you uninstalled from your machine in the comments below.

Thank you!