Remove ib.adnxs.com from Firefox, Chrome and Internet Explorer

This page shows how to remove ib.adnxs.com from Mozilla Firefox, Google Chrome and Internet Explorer.

Does this sound familiar? You see ib.adnxs.com in your browser’s status bar while browsing web sites that generally don’t load any content from third-party domains. Perhaps the ib.adnxs.com domain appears when performing a search at the Google search engine?

Here’s a screenshot of ib.adnxs.com when it showed up on my computer:

ib.adnxs.com

(I know, lots of watermarks. Have to do it to stop the copy-cats.)

The following are some of the messages you may see in your browser’s status bar:

  • Waiting for ib.adnxs.com…
  • Transferring data from ib.adnxs.com…
  • Looking up ib.adnxs.com…
  • Read ib.adnxs.com
  • Connected to ib.adnxs.com…

If this description matches what you are seeing, the likely cause is a potentially unwanted program on your own machine that injects ads into the pages you visit, with the ib.adnxs.com requests coming from the injected ads. Note that adnxs.com is the ad-serving domain of the AppNexus advertising exchange and is loaded by many legitimate ad-supported sites, so the domain on its own is not a sign of infection; the warning sign is seeing it on sites that normally load nothing from third parties. Contacting the owner of the site you were at would be a waste of time. The ib.adnxs.com status bar messages are not coming from them. I’ll do my best to help you with the ib.adnxs.com removal in this blog post.

I found ib.adnxs.com on one of the lab systems where I have some potentially unwanted programs running. I’ve talked about this in some of the previous blog posts. The potentially unwanted programs were installed on purpose, and from time to time I check if something new has appeared, such as pop-up windows, new tabs in the browsers, injected ads on web sites that usually don’t show ads, or new files saved to the hard drive.

adnxs.com was registered on 2008-05-27. ib.adnxs.com resolves to the 68.67.153.211 address, and adnxs.net is hosted on the same IP.

So, how do you remove ib.adnxs.com from your browser? On the machine where ib.adnxs.com showed up in the status bar I had YouTubeAdBlocke, SalePlus and IStart 5.3.7 installed. I removed them with FreeFixer and that stopped the browser from loading data from ib.adnxs.com.

Judging from Alexa’s traffic rank, adnxs.com is getting quite a lot of traffic:

adnxs.com traffic

The bad news with this type of status bar message is that it can be caused by many different potentially unwanted programs, not just the ones installed on my lab system. That makes it impossible to say exactly what you need to remove to stop the messages.

Anyway, here’s my suggestion for the ib.adnxs.com removal:

The first thing I would do to remove ib.adnxs.com is to examine the programs installed on the machine by opening the “Uninstall a program” dialog from the Windows Control Panel. On recent versions of Windows you can just type “uninstall” in the Control Panel’s search field to find it:
Uninstall a program search

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Uninstall a program dialog

Do you see something suspicious in there, or something you don’t remember installing? Tip: sort on the “Installed On” column to see if something was installed around the time you started seeing the ib.adnxs.com status bar messages.

Then I would check the web browser add-ons. Potentially unwanted programs often show up in the add-ons or extensions manager of Google Chrome, Mozilla Firefox, Internet Explorer, Safari or Opera. Is there something that looks suspicious? Something you don’t remember installing?
Firefox add-ons manager
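As an added example (not something from the post or from FreeFixer), here is the “Installed On” check scripted in PowerShell. The “Uninstall a program” dialog is built from the Uninstall keys under HKLM (64-bit and 32-bit) and HKCU in the registry; the function below reads those keys, converts the InstallDate value into a real date and sorts newest first, so you can filter on the days around the time the ib.adnxs.com messages started. Entries without an InstallDate are kept and shown with a blank date, because many installers omit it. The day count in the usage line is just an illustration.

```powershell
# Added example, not FreeFixer code. Windows PowerShell 5.1 or PowerShell 7 on Windows.
# These are the registry locations behind the "Uninstall a program" dialog.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'   # 32-bit programs on 64-bit Windows
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'               # per-user installs, where much adware lives
)

function Get-InstalledProgram {
    [CmdletBinding()]
    param(
        # Only list programs installed within the last $Days days; 0 lists everything.
        [int]$Days = 0
    )

    $cutoff = if ($Days -gt 0) { (Get-Date).Date.AddDays(-$Days) } else { [datetime]::MinValue }

    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        # SystemComponent and ParentKeyName mark entries the dialog hides (components, updates)
        Where-Object { $_.DisplayName -and -not $_.SystemComponent -and -not $_.ParentKeyName } |
        ForEach-Object {
            # InstallDate is a yyyyMMdd string when present. Many installers omit it; the
            # dialog then falls back to the key's last-write time, here it is left blank.
            $installed = $null
            if ($_.InstallDate -match '^\d{8}$') {
                try { $installed = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null) } catch { }
            }
            [pscustomobject]@{
                Name            = $_.DisplayName
                Version         = $_.DisplayVersion
                Publisher       = $_.Publisher
                InstallDate     = $installed
                InstallLocation = $_.InstallLocation
                UninstallString = $_.UninstallString
                RegistryKey     = $_.PSPath -replace '^.*::'   # where to look if you want to inspect the entry by hand
            }
        } |
        Where-Object { -not $_.InstallDate -or $_.InstallDate -ge $cutoff } |
        Sort-Object InstallDate -Descending
}

# Usage (the day count is an example): what was installed in the last two weeks?
Get-InstalledProgram -Days 14 | Format-Table Name, Publisher, InstallDate, InstallLocation -AutoSize

# Entries with no publisher at all, or a publisher you have never heard of, deserve a closer look.
Get-InstalledProgram | Where-Object { -not $_.Publisher } | Format-Table Name, InstallDate, UninstallString -AutoSize
```

The UninstallString column is the same command the dialog runs when you click Uninstall; the RegistryKey column tells you which hive the entry came from, which matters because the HKCU entries belong to the current user only and will not show up if you check the machine while logged on as somebody else.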

I think you will be able to identify and uninstall the potentially unwanted program with the steps outlined above, but if that did not work you can try the FreeFixer removal tool to identify and remove it. FreeFixer is a freeware tool that I started developing many years ago. It is built for manually tracking down and uninstalling unwanted software: when you’ve identified the unwanted files, tick the checkbox next to them and click the Fix button to remove them.

FreeFixer’s removal feature is not crippled like many other removal tools out there. It will not require you to purchase the program just when you are about to remove the unwanted files.

And if you’re having a hard time deciding whether a file in the FreeFixer scan result is safe or potentially unwanted, click the More Info link for the file. That opens a page in your browser with additional information about the file, including a VirusTotal report, which can be very useful:

FreeFixer More Info link example
An example of FreeFixer’s “More Info” links. Click for full size.

Did this blog post help you to remove ib.adnxs.com? Please let me know, or tell me how I can improve this blog post.

Thank you!

Oleg Odincov – VirusTotal Reports “MultiPlug”

Hello readers! Just a quick post on a publisher called Oleg Odincov that I found while running some tests for the upcoming FreeFixer release.

Here is how Oleg Odincov appears in the UAC dialog when double-clicking on the file:

Oleg Odincov publisher

I’m still waiting on the results from VirusTotal, but it sure looks like another variant of the unwanted MultiPlug software.

Oleg Odincov certificate

Did you also find an Oleg Odincov? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thanks for reading.

Random Pop-Ups and Domains – July 2015

Sorry for the lack of posts lately. I’m still short on time here, so I’ll just summarise some stuff I found lately:

Pop-ups from lp.leveltrade.com:

lp.leveltrade.com

Pop-ups from bbcc-news.com:

bbcc-news.com

And pop-ups from vinnarum.com:

vinnarum.com

Here’s a few domains you may see in the browser’s status bar or in the network log if you have adware or other types of potentially unwanted software installed on your machine:

  • xlj.candlespeediest.com
  • js.neoprodevsrv.com
  • logs.neoprodevsrv.com
  • app.neoprodevsrv.com
  • js.keybufferbox.com
  • app.keybufferbox.com
  • logs.keybufferbox.com
  • zpn.gobetweenwhere.com
  • xao.ribaldcruciate.com
  • static.icmwebserv.com
  • search.gogorithm.com
  • zff.attitudespoliceman.com
  • fwa.gasketcobwebs.com
  • igf.allegingmemorandum.com
  • app.globalnodemax.com
  • logs.globalnodemax.com
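The hostnames above all sit under eleven parent domains, and adware rotates the subdomain part freely (js., app., logs. and so on), so a check should match on the parent domain rather than on the exact hostname. The PowerShell below is an added example, not code from the post: it matches hostnames and URLs against those parent domains by suffix (so app.keybufferbox.com matches keybufferbox.com while notkeybufferbox.com does not), and runs the same check over the local DNS client cache to see whether this machine has resolved any of them recently. The sample URLs are constructed for illustration.

```powershell
# Added example, not code from the post. Parent domains of the hostnames listed above.
$adwareDomains = @(
    'candlespeediest.com', 'neoprodevsrv.com', 'keybufferbox.com', 'gobetweenwhere.com',
    'ribaldcruciate.com', 'icmwebserv.com', 'gogorithm.com', 'attitudespoliceman.com',
    'gasketcobwebs.com', 'allegingmemorandum.com', 'globalnodemax.com'
)

function Test-AdwareHost {
    # Emits one object per hostname that is, or is a subdomain of, a listed domain.
    # The leading dot in the suffix test stops 'notkeybufferbox.com' from matching.
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$HostName,
        [string[]]$Domains = $adwareDomains
    )
    process {
        $h = $HostName.Trim().TrimEnd('.').ToLowerInvariant()
        foreach ($d in $Domains) {
            if ($h -eq $d -or $h.EndsWith('.' + $d)) {
                [pscustomobject]@{ HostName = $h; MatchedDomain = $d }
            }
        }
    }
}

function Test-AdwareUrl {
    # Pulls the host out of full URLs (browser history export, proxy log, HAR file) and
    # hands it to Test-AdwareHost; lines that are not absolute URLs are skipped.
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$Url,
        [string[]]$Domains = $adwareDomains
    )
    process {
        $uri = $null
        if ([uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$uri) -and $uri.Host) {
            $uri.Host | Test-AdwareHost -Domains $Domains
        }
    }
}

function Get-AdwareDnsCacheHit {
    # What has this machine resolved recently? Get-DnsClientCache exists on Windows 8 /
    # Server 2012 and later; on Windows 7 parse "ipconfig /displaydns" and pipe the names in.
    Get-DnsClientCache | ForEach-Object Entry | Sort-Object -Unique | Test-AdwareHost
}

# Constructed sample input, as lines might appear in a network log:
$sampleUrls = @(
    'http://js.keybufferbox.com/js/loader.js'
    'https://www.example.com/index.html'
    'http://xlj.candlespeediest.com/ad?x=1'
    'http://notkeybufferbox.com/'             # deliberately a near miss
)
$sampleUrls | Test-AdwareUrl      # check the constructed sample
Get-AdwareDnsCacheHit             # live check of the local DNS cache
```

Of the four sample URLs only the first and third belong to listed domains; the near miss is there to show why the suffix test needs the dot. A hit in the DNS cache tells you that something on the machine asked for the name, not which program did it, so follow up with the installed-programs and add-ons checks from the ib.adnxs.com post.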

Normands, LLC – Detected as Terkcop and MultiPlug

Hello readers! I was playing around and testing some downloads when I found a file signed by Normands, LLC.

This is how Normands, LLC appears when running the file:

Normands LLC publisher

The certificate is issued by GlobalSign CodeSigning CA – SHA256 – G2. Normands seems to be located in Ukraine.

Normands, LLC certificate

21 of the scanners at VirusTotal detected the file. The Download Uc Browser V Handler Zip.exe file is detected as Win32:FakeDownload-G [PUP] by Avast, Gen:Variant.Adware.Terkcop.32 by BitDefender, HW32.Packed.D625 by Bkav, a variant of Win32/Adware.MultiPlug.NI by ESET-NOD32, W32/S-a467db7e!Eldorado by F-Prot, Gen:Variant.Adware.Terkcop by F-Secure and Trojan.Win32.WebPick.dujvsa by NANO-Antivirus.

Normands, LLC anti-virus report

Did you also find a Normands, LLC file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thanks for reading.

Vladislav Mastenko – 38% Detection – Terkcop / MultiPlug

Welcome! Just a short note on a publisher called Vladislav Mastenko.

Vladislav Mastenko publisher

If you have a Vladislav Mastenko file on your computer you may have noticed that Vladislav Mastenko shows up as the publisher in the User Account Control dialog when you run the file. To see the embedded certificate, right-click the file, choose Properties, open the Digital Signatures tab, select the signature and click Details. The certificate shows that Vladislav Mastenko appears to be located in Ukraine and that it was issued by DigiCert Assured ID Code Signing CA-1.

Vladislav Mastenko cert

I decided to upload the Vladislav Mastenko file to VirusTotal. Currently, the detection rate is 21/56. Gen:Variant.Adware.Terkcop.32, Win32:FakeDownload-G [PUP] and a variant of Win32/Adware.MultiPlug.NI are some of the detection names.

Vladislav Mastenko virustotal

Did you also find a file digitally signed by Vladislav Mastenko? What kind of download was it and where did you find it?

Thanks for reading.

SAfe downlOAd gtL – 52% Detection Rate – Outbrowse

Hello readers! Just wanted to let you know about a publisher called SAfe downlOAd gtL before going back to writing some code for FreeFixer.

The following screenshot shows the User Account Control dialog when running the SAfe downlOAd gtL file:

SAfe downlOAd gtL publisher

By examining the certificate, we can see that SAfe downlOAd gtL is located in Dublin, Ireland. The certificate is issued by thawte SHA256 Code Signing CA.

SAfe downlOAd gtL cert

The reason I’m writing this blog post is that the SAfe downlOAd gtL file is detected by many of the anti-malware engines at VirusTotal. ESET-NOD32 classifies Player.exe as a variant of Win32/OutBrowse.CB potentially unwanted, Malwarebytes detects it as PUP.Optional.Outbrowse and Sophos calls it Generic PUA OC.

SAfe downlOAd gtL anti-virus report

Did you also find a SAfe downlOAd gtL file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thank you for reading.

VLADIMIR MASLOV – 54% Detection Rate – Adware.Terkcop / MultiPlug / Graftor / Eldorado

Hello readers! If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. Today I found another publisher called VLADIMIR MASLOV.

VLADIMIR MASLOV publisher

If you have a VLADIMIR MASLOV file on your computer you may have noticed that VLADIMIR MASLOV shows up as the publisher in the User Account Control dialog when you run the file. The certificate information can also be viewed from Windows Explorer (right-click the file, Properties, Digital Signatures tab). The screenshot below shows the VLADIMIR MASLOV certificate; from it we can see that VLADIMIR MASLOV appears to be located in Minsk, Belarus.

VLADIMIR MASLOV cert

If you are considering running the VLADIMIR MASLOV signed file, I’d advise you not to. Delete it instead. Just look at the detection names from some of the anti-virus programs:

ClamAV classifies Download Uc Browser V Handler Zip.exe as Win.Adware.Graftor-1196, F-Prot calls it W32/S-bb33fd8b!Eldorado, F-Secure detects it as Gen:Variant.Adware.Terkcop, Microsoft classifies it as SoftwareBundler:Win32/InstalleRex and Sophos detects it as MultiPlug.

VLADIMIR MASLOV virus total

Did you also find a VLADIMIR MASLOV file? Do you remember where you downloaded it?

Thank you for reading.

DMN Partners SRL – 30% Detection Rate – GetNow / LiveSoftAction / Downware

Hello readers! Just a quick post today, since I’m busy working on the next release of FreeFixer. Did you see a file, such as provided through Diplodocs.exe, on your system digitally signed by DMN Partners SRL? Then read on.

DMN Partners SRL publisher

You can inspect the DMN Partners SRL certificate and digital signature under the Digital Signatures tab in the file’s Properties dialog. According to the certificate, DMN Partners SRL is located in Bucharest, Romania.

DMN Partners SRL cert

The reason I’m writing this blog post is that the DMN Partners SRL file is detected by many of the anti-malware software at VirusTotal. Avira reports provided through Diplodocs.exe as PUA/GetNow.Gen, ESET-NOD32 names it a variant of Win32/GetNow.I potentially unwanted, McAfee-GW-Edition detects it as BehavesLike.Win32.LiveSoftAction.jc and NANO-Antivirus reports Riskware.Win32.Downware.duemgn.

DMN Partners SRL virustotal

Since you probably came here after finding a download that was digitally signed by DMN Partners SRL, please share what kind of download it was and if it was reported by the anti-malwares at VirusTotal.

Thanks for reading.

LLC DE PROEKT – 39% Detection Rate – Amonetize / Strictor / PUP.Optional.Bundle

Hi there! Short on time this evening, but I just wanted to give you the heads up on a publisher called LLC DE PROEKT.

LLC DE PROEKT publisher

If you have a LLC DE PROEKT file on your machine you may have noticed that LLC DE PROEKT is displayed as the publisher in the UAC dialog when double-clicking on the file. The certificate is issued by COMODO RSA Code Signing CA. The publisher is located in Ukraine.

LLC DE PROEKT cert

The problem here is that if FlashPlayer__6741_i1561835113_il7532.exe really were a setup file for Adobe Flash Player, it would be digitally signed by Adobe Systems Incorporated, not by some unknown company. A valid signature only tells you that the file has not been altered since the named publisher signed it; it says nothing about whether that publisher is the one you expected, so the name on the “Verified publisher” line is what you need to compare. Here’s what the authentic Adobe Flash Player installer looks like when you double-click it. Notice that the “Verified publisher” says “Adobe Systems Incorporated”.
Adobe Systems Incorporated - Adobe Flashplayer Installer

The issue with the LLC DE PROEKT file is that it is detected by many of the anti-malware programs at VirusTotal. Here are some of the detection names: Trojan.Application.Strictor.D164B3, BundleApp.IVU, W32.HfsAdware.B493, Gen:Variant.Application.Strictor, PUP.Optional.Bundle and Amonetize (fs).

LLC DE PROEKT virustotal report

Did you also find a download that was digitally signed by LLC DE PROEKT? What kind of download was it and was it detected by the anti-viruses at VirusTotal? Please share by posting a comment.

Thanks for reading.

Update 2015-08-18: Found another download today, also signed by LLC DE PROEKT and also using “Flash” in the filename to confuse users. The detection rate for this file was 25% according to VirusTotal:

LLC DE PROEKT av report update


When I ran the installer it disclosed that it bundled a bitcoin miner or some other type of crypto currency miner:

LLC DE PROEKT bitcoin miner


Just a quick update on the certificate chain. The root is UserTrust, the intermediate is the COMODO RSA Code Signing CA that issued the publisher certificate, and the leaf is LLC DE PROEKT:

LLC DE PROEKT certificate chain
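The Digital Signatures tab described in the Vladislav Mastenko and DMN Partners SRL posts, the “does the Verified publisher match the product?” check from the Flash Player comparison above, and the root-to-leaf chain in the last screenshot can all be done from PowerShell with Get-AuthenticodeSignature. The script below is an added example, not code from the post or from FreeFixer: it reports the signer, the claimed location in the subject, the issuer and the chain (root first, the way the screenshot reads: UserTrust, COMODO, LLC DE PROEKT), computes a SHA-256 so you can look the file up on VirusTotal without uploading it, and compares the signer with the publisher you expected. The download path and the expected publisher name in the usage lines are assumptions for illustration; the file name is the one from the post.

```powershell
# Added example, not FreeFixer code. Windows PowerShell 5.1 or PowerShell 7 on Windows.

function Get-SignerInfo {
    # What the Digital Signatures tab shows, plus the chain and a hash to search for on
    # virustotal.com (searching by hash does not upload the file).
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    $info = [ordered]@{
        File          = Split-Path -Path $Path -Leaf
        Status        = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
        StatusMessage = $sig.StatusMessage
        SHA256        = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    }
    if ($cert) {
        # Trust is judged by Status above; this chain is built only for display.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $null = $chain.Build($cert)
        # ChainElements runs leaf -> root; reverse it so it reads root first
        # (UserTrust, then COMODO, then the publisher) like the screenshot above.
        $names = @($chain.ChainElements | ForEach-Object { $_.Certificate.GetNameInfo('SimpleName', $false) })
        [array]::Reverse($names)
        $info.Signer   = $cert.GetNameInfo('SimpleName', $false)   # what UAC shows as "Verified publisher"
        $info.Subject  = $cert.Subject                             # O=, L=, ST=, C= give the claimed location
        $info.Issuer   = $cert.GetNameInfo('SimpleName', $true)    # e.g. COMODO RSA Code Signing CA
        $info.NotAfter = $cert.NotAfter
        $info.Chain    = $names -join ' -> '
    }
    [pscustomobject]$info
}

function Test-ExpectedPublisher {
    # A signature is only meaningful together with *who* signed. A valid signature from
    # an unknown company on a file calling itself Flash Player is a red flag, not reassurance.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedPublisher
    )
    $info = Get-SignerInfo -Path $Path
    [pscustomobject]@{
        File     = $info.File
        Expected = $ExpectedPublisher
        Actual   = $info.Signer
        Status   = $info.Status
        Accept   = ($info.Status -eq 'Valid') -and ($info.Signer -eq $ExpectedPublisher)
    }
}

# Usage. The download folder is an assumption; the file name is the one from the post.
$file = Join-Path $env:USERPROFILE 'Downloads\FlashPlayer__6741_i1561835113_il7532.exe'
Get-SignerInfo -Path $file | Format-List
Test-ExpectedPublisher -Path $file -ExpectedPublisher 'Adobe Systems Incorporated'
```

Accept is true only when Windows considers the signature valid and the signer’s name is exactly the publisher you expected; a file that reports NotSigned, HashMismatch or a different signer fails the check even though the UAC dialog will still happily show whatever name is in the certificate. Paste the SHA256 value into the VirusTotal search box to see existing detections before deciding whether to upload anything.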

Dmitry Banak – 30% Detection Ratio – Kryptik / MultiPlug / WebPick

Welcome! Lately I’ve been looking at the digital signatures on the files that push various types of unwanted programs. This morning I found a new file called How I Met Your Mother S09E22 HDTV x264-KILLERS[ettv].exe, digitally signed by Dmitry Banak.

Dmitry Banak pop up

Dmitry Banak certificate

Of the 56 scanners, 17 detected the file. The How I Met Your Mother S09E22 HDTV x264-KILLERS[ettv].exe file is detected as Win32:MultiPlug-ABB [PUP] by Avast, a variant of Win32/Kryptik.DPGT by ESET-NOD32, PUP.Optional.Multiplug by Malwarebytes and Trojan.Win32.WebPick.dtsbvc by NANO-Antivirus.

Dmitry Banak virus total

Did you also find a Dmitry Banak download? What kind of download was it?

Thank you for reading.