Was checking out the network log while doing a search at Google. Found a request to a domain named gexperiments2.com:
The Google search was done on one of my lab machines where I have some malware installed, so I first thought the connection was malware related, but it’s not. The gexperiments2.com domain is registered by Google as you can see in the WHOIS database:
Registrant Name: DNS Admin
Registrant Organization: Google Inc.
Registrant Street: 1600 Amphitheatre Parkway,
Registrant City: Mountain View
Registrant State/Province: CA
Registrant Postal Code: 94043
Registrant Country: US
So, you have nothing to worry about if you see connections to gexperiments2.com in your browser.
Google Inc. also owns gexperiments1.com and gexperiments3.com.
But I’m curious what the purpose of the connections is. Does anyone have some more info on Google’s purpose with the gexperiments2.com domain?
This page shows how to remove fkv.kaeygmagba.com from Mozilla Firefox, Google Chrome and Internet Explorer.
Does this sound like your story? You see fkv.kaeygmagba.com in your browser’s status bar while browsing on sites that typically don’t load any content from third party domains. Perhaps the fkv.kaeygmagba.com domain appears when performing a search at the Google search engine?
Here is a screenshot on fkv.kaeygmagba.com in the network log from my computer:
The following are some of the status bar messages you may see in your browser’s status bar:
Waiting for fkv.kaeygmagba.com…
Transferring data from fkv.kaeygmagba.com…
Looking up fkv.kaeygmagba.com…
Read fkv.kaeygmagba.com
Connected to fkv.kaeygmagba.com…
If this sounds like what you are seeing, you presumably have some potentially unwanted program installed on your computer that makes the fkv.kaeygmagba.com domain appear in your browser. Contacting the owner of the web site you were browsing would be a waste of time; they are not responsible for the fkv.kaeygmagba.com status bar messages. I’ll do my best to help you remove the fkv.kaeygmagba.com message in this blog post.
If you have been spending some time on this blog you already know this, but if you are new: some time ago I dedicated some of my lab systems to this and intentionally installed a few potentially unwanted programs on them. Since then I’ve been following the behaviour of these computers to see what kinds of advertisements are displayed. I’m also looking at other interesting things, such as whether the potentially unwanted program updates itself automatically, or whether it downloads and installs additional potentially unwanted programs on the computers. I first found fkv.kaeygmagba.com in Mozilla Firefox’s status bar on one of these lab systems.
fkv.kaeygmagba.com resolves to 5.153.38.133. fkv.kaeygmagba.com was registered on 2015-03-18.
So, how do you remove fkv.kaeygmagba.com from your web browser? On the machine where fkv.kaeygmagba.com showed up in the status bar I had TinyWallet, BlockAndSurf and BrowserWarden installed. I removed them with FreeFixer and that stopped the browser from loading data from fkv.kaeygmagba.com.
The problem with this type of status bar message is that it can be caused by many variants of potentially unwanted programs, not just the one running on my machine. This makes it impossible to say exactly what you need to remove to stop the status bar messages.
Anyway, here’s my suggestion for the fkv.kaeygmagba.com removal:
The first thing I would do to remove fkv.kaeygmagba.com is to examine the programs installed on the machine, by opening the “Uninstall programs” dialog. You can open this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows you can just type in “uninstall” in the Control Panel’s search field to find that dialog:
Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Do you see something shady listed there, or something that you don’t remember installing? Tip: sort on the “Installed On” column to see if some program was installed at approximately the same time as you started getting the fkv.kaeygmagba.com status bar messages.
Then I would check the browser add-ons. Potentially unwanted programs often appear under the add-ons menu in Mozilla Firefox, Google Chrome, Internet Explorer or Safari. Is there anything that looks suspicious? Something that you don’t remember installing?
I think you will be able to track down and remove the potentially unwanted program with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the potentially unwanted program. FreeFixer is a freeware tool that I started developing about 8 years ago. It’s a tool designed to manually track down and remove unwanted software. When you’ve tracked down the unwanted files, you can simply tick a checkbox and click on the Fix button to remove them.
FreeFixer’s removal feature is not locked down like many other removal tools out there. It won’t require you to purchase the program just when you are about to remove the unwanted files.
And if you’re having issues figuring out if a file is clean or potentially unwanted in FreeFixer’s scan report, click on the More Info link for the file. That will open up a web page which contains more information about the file. On that web page, check out the VirusTotal report which can be very useful:
An example of FreeFixer’s “More Info” links. Click for full size.
Did this blog post help you to remove fkv.kaeygmagba.com? Please let me know, or tell me how I can improve this blog post.
I was experimenting with an add-on in Firefox that monitors HTTP responses and HTTP requests. While doing a standard Google search I noticed a request to clients1.google.com, specifically to the http://clients1.google.com/ocsp URL:
The request is of the “application/ocsp-request” type. OCSP is an acronym for Online Certificate Status Protocol and it is a protocol used for getting the revocation status of a digital certificate.
And that’s probably what the connection is about: Checking the revocation status for some certificate, probably Google’s HTTPS certificate since I was doing a Google https:// search. I have not bothered to decode the OCSP request to see in detail what information Firefox requests. Please let me know what you find out if you dig deeper into the clients1.google.com communication.
Hi there! Hope you are having a good Saturday night. Just wanted to give you the heads up on files digitally signed by TAIMED LLC.
Windows will display TAIMED LLC as the publisher when running the file. The certificate information can also be viewed from Windows Explorer. According to the certificate we can see that TAIMED LLC appears to be located in Lubertsy, Russia and that the certificate is issued by COMODO Code Signing CA 2.
So, why did I put up this blog post? Well, the thing is that the TAIMED LLC file is detected by a few of the antimalware scanners, according to VirusTotal. Tencent classifies Game_of_Thrones_S04E02_HDTV_x264-2HD[ettv].exe as Trojan.Win32.Qudamah.Gen.3.
In addition to that, if you run the file, it will install the Jelbrus Secure Web adware. I’m sure the other anti-virus programs will detect this in a few days.
Did you also find a file digitally signed by TAIMED LLC? Where did you find it and are the anti-virus programs detecting it? I found it at The Pirate Bay. Please share in the comments below.
I was examining a network log this morning and found that Mozilla Firefox makes a connection to fhr.data.mozilla.com:
Why is Firefox sending data to fhr.data.mozilla.com? The answer is a feature called Firefox Health Report (FHR) that sends metrics to the Mozilla servers. The FAQ explains what kind of data is sent, and what’s not sent:
For example, FHR sends data to Mozilla on things like: operating system, PC/Mac, number of processors, Firefox version, the number and type of add-ons. The data collected by FHR is tied to a Document ID that corresponds to a browser installation (explained above in question #4) so that the data can be correlated across a limited window of time.
FHR does not collect email addresses or track website visits, which services users are logged into, downloads, or search details, nor does it collect other information which directly identifies you as a user.
If you’d like to view the health report for your browser, type in about:healthreport in the address bar and the health report should appear:
According to the report, I should be able to see more interesting data the more I use the browser. That seems a bit strange, since I’ve been using the browser A LOT. But I’ll check back later on to see if something more interesting appears. If so, I’ll add some more screenshots.
Recently I’ve been examining a lot of network logs. A connection that often appears is to id.google.com when visiting the Google search engine. Sometimes you can see the status bar showing “Waiting for id.google.com”.
Here’s the id.google.com screenshot from the network log:
Perhaps it is a Web Bug, but those are traditionally used by third parties.
I have not found any reliable information about the purpose of these connections. Do you have some input on why these connections are triggered when searching at Google?
The id subdomain seems to be available on each of Google’s top domains. Thanks to VirusTotal for allowing me to find these:
This page shows how to remove gid.mappingtools.net from Mozilla Firefox, Google Chrome and Internet Explorer.
Did you just see gid.mappingtools.net in the status bar of your browser and ponder where it came from? Or did gid.mappingtools.net show up while you search for something on one of the big search engines, such as the Google search engine?
Here’s a screenshot of gid.mappingtools.net when it showed up on my computer, while I did a standard search at Google:
The following are some of the status bar messages you may see in your browser’s status bar:
Waiting for gid.mappingtools.net…
Transferring data from gid.mappingtools.net…
Looking up gid.mappingtools.net…
Read gid.mappingtools.net
Connected to gid.mappingtools.net…
If this sounds like your computer, you most likely have some potentially unwanted program installed on your system that makes the gid.mappingtools.net domain appear in your browser. There’s no use contacting the owners of the web site you were browsing; the gid.mappingtools.net status bar messages are not coming from them. I’ll try to help you with the gid.mappingtools.net removal in this blog post.
If you have been spending some time on this blog you already know this, but if you are new: some time ago I dedicated a few of my lab computers to this and deliberately installed some potentially unwanted programs on them. Since then I have been observing the behaviour of these machines to see what kinds of advertisements are displayed. I’m also looking at other interesting things, such as whether the potentially unwanted program updates itself automatically, or whether it downloads and installs additional potentially unwanted programs on the computers. I first found gid.mappingtools.net in Mozilla Firefox’s status bar on one of these lab computers.
gid.mappingtools.net resolves to 208.43.241.242 and is protected by Domains By Proxy LLC. gid.mappingtools.net was registered on 2013-06-26. According to YouGetSignal’s Reverse IP service, a few other domains have also resolved to 208.43.241.242:
So, how do you remove gid.mappingtools.net from your web browser? On the machine where gid.mappingtools.net showed up in the status bar I had WebWaltz, YTDownloader, SpeedChecker and PriceFountain installed. I removed them with FreeFixer and that stopped the web browser from loading data from gid.mappingtools.net.
The issue with status bar messages such as this one is that they can be caused by many variants of potentially unwanted programs, not just the one on my computer. This makes it impossible to say exactly what you need to remove to stop the status bar messages.
So, what can be done? To remove gid.mappingtools.net you need to review your machine for potentially unwanted programs and uninstall them. Here’s my suggested removal procedure:
What software do you have installed if you look in the Add/Remove programs dialog in the Windows Control Panel? Something that you don’t remember installing yourself or that was recently installed?
You can also review the web browser add-ons. Same thing here, do you see anything that you don’t remember installing?
If that did not help, you can give FreeFixer a try. FreeFixer is built to assist users in manually tracking down potentially unwanted programs. It is a freeware utility that I’ve been working on since 2006, and it scans your machine at lots of locations where unwanted software is known to hook into your system. If you would like additional details about a file in FreeFixer’s scan result, just click the More Info link for that file and a web page with a VirusTotal report will open up, which can be very useful to determine if the file is safe or malware:
An example of FreeFixer’s “More Info” links. Click for full size.
Did you find any potentially unwanted program on your machine? Did that stop gid.mappingtools.net? Please post the name of the potentially unwanted program you uninstalled from your machine in the comments below.
If you see an HTTP connection to ocsp.godaddy.com in your browser’s network traffic log, there’s no need to worry. ocsp.godaddy.com is GoDaddy’s OCSP server and is used to check the revocation status of digital certificates. OCSP is an acronym for Online Certificate Status Protocol. GoDaddy sells domain names, SSL certificates, and lots of other services.
Here’s a screenshot of the ocsp.godaddy.com HTTP requests and responses:
As you can see in the screenshot above, the request has the “application/ocsp-request” type.
If you see Google Chrome, Mozilla Firefox or Internet Explorer connecting to ocsp.godaddy.com, they are in the middle of verifying a digital certificate. Perhaps a certificate for an HTTPS connection you just made? The connection can also be initiated by JavaScript running in the browser if that script, for example, makes an HTTPS connection.
Hello readers! If you’ve been following my recent posts here on the FreeFixer blog, you know that I’ve been looking at files that have a valid digital signature and bundle various types of potentially unwanted programs and programs that work as downloaders. A few days ago I found another publisher named Platform Connector (Fried Cookie Ltd.).
Information about a digital signature and the certificate can be found under the Digital Signature tab. The screenshot shows the Platform Connector (Fried Cookie Ltd.) certificate. From the certificate info we can see that Platform Connector (Fried Cookie Ltd.) appears to be located in Tel Aviv in Israel.
So, why am I writing about the Platform Connector (Fried Cookie Ltd.) file? Check out what the anti-viruses report about the file:
A few of the detection names for installer_jdownloader_English.exe: Avira detects it as Adware/InstallCore.734264, ESET-NOD32 reports a variant of Win32/InstallCore.WX potentially unwanted, K7GW reports Trojan ( 004b61851 ) and VIPRE reports InstallCore (fs).
Did you also find a Platform Connector (Fried Cookie Ltd.) file? Do you remember where you downloaded it?