
Persistent Certified-Toolbar Possible Hijack


6 replies to this topic

#1 Troy Jollimore

Troy Jollimore

  • Members
  • 7 posts
  • OFFLINE
  • Local time:09:42 PM

Posted 14 January 2013 - 04:03 PM

One of my users 'got a malware' over the weekend. I identified the certified-toolbar malware, removed it in 'Remove Programs' and followed other instructions that I found after a Google search. That didn't seem to work, so I manually searched through the Registry, changing all occurrences of certified-toolbar to google.ca. Overall, this seems to have fixed things up. The only persistent annoying problem is that when any browser first starts, the certified-toolbar search page is what comes up. All other browser functions, including the home page, seem fine. I know I'm going to get yelled at, but since a couple of Malwarebytes scans turned up completely empty, I ran rkill, TDSSKiller and ComboFix. Nothing of note turned up with any of them, and the problem remains. Even HijackThis turned up everything as being on the up-and-up, so far as I can tell.

As I mentioned, this computer isn't 'mine', so access to it may be a bit sporadic. Fire off your instructions and I'll do my best to get you the information! Thanks!

System is a notebook, running Windows 7 64-bit.

Just discovered, this even affects MS Outlook. When the application is started, it defaults to the certified-toolbar.com website.

Edited by Troy Jollimore, 14 January 2013 - 04:16 PM.



#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,760 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:05:42 PM

Posted 14 January 2013 - 08:07 PM

Welcome aboard

Which browser is affected?
What about other browser(s)?

======================

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

=====================

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#3 Troy Jollimore

Troy Jollimore
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:09:42 PM

Posted 15 January 2013 - 09:57 AM

It's not just browsers. It's IE and Chrome, as well as Outlook and even MS Office apps. They open with that Certified-toolbar's start page. This AdwCleaner looks like a nice tool... After I got its logfile, I re-ran IE to download JRT. The malware search page remained.

# AdwCleaner v2.105 - Logfile created 01/15/2013 at 10:38:58
# Updated 08/01/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Dave - RKO-DAVIDG-NTBK
# Boot Mode : Normal
# Running from : C:\Users\Dave\Downloads\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
Folder Deleted : C:\Program Files (x86)\Protected Search
Folder Deleted : C:\Users\Dave\AppData\Local\Temp\boost_interprocess

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{761F6A83-F007-49E4-8EAC-CDB6808EF06F}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{76C45B18-A29E-43EA-AAF8-AF55C2E1AE17}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{7CD74AFF-3433-4E34-92E2-D98DFDB30754}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{96EF404C-24C7-43D0-9096-4CCC8BB7CCAC}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{97720195-206A-42AE-8E65-260B9BA5589F}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{986F7A5A-9676-47E1-8642-F41F8C3FCF82}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{B18788A4-92BD-440E-A4D1-380C36531119}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

-\\ Google Chrome v24.0.1312.52

File : C:\Users\Dave\AppData\Local\Google\Chrome\User Data\Default\Preferences

Deleted [l.12] : homepage = "hxxp://search.certified-toolbar.com?si=41460&home=true&tid=3204",
Deleted [l.1122] : homepage = "hxxp://search.certified-toolbar.com?si=41460&home=true&tid=3204",

*************************

AdwCleaner[S1].txt - [1931 octets] - [15/01/2013 10:38:58]

########## EOF - C:\AdwCleaner[S1].txt - [1991 octets] ##########

____________________________________________________________________

I seem to be having trouble copying and pasting the JRT log from the remote computer, but the results 'seem' empty. Nothing was listed under the categories.

The malware search page is still opening with the applications.
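The AdwCleaner log above shows where this hijacker lived in Chrome: two `homepage` lines in the `Preferences` file pointing at the de-fanged `hxxp://search.certified-toolbar.com` URL. A defender can check for that kind of change without a removal tool by parsing `Preferences` (it is JSON) and flagging any homepage, startup URL or default search provider whose host is not on an allowlist. The script below is an added example, not part of this thread or of AdwCleaner; the trimmed `Preferences` sample is constructed (only the `homepage` key is confirmed by the log, the `session` and `default_search_provider_data` layout is assumed to match Chrome's), and the allowlist hosts are assumptions.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample: a trimmed Chrome "Preferences" file. Real files are much
# larger JSON documents; the URL here mirrors the one in the AdwCleaner log above,
# with the de-fanged "hxxp" already restored to "http" so urlparse sees a scheme.
SAMPLE_PREFERENCES = r'''
{
  "homepage": "http://search.certified-toolbar.com?si=41460&home=true&tid=3204",
  "homepage_is_newtabpage": false,
  "session": {
    "restore_on_startup": 4,
    "startup_urls": [
      "http://search.certified-toolbar.com?si=41460&home=true&tid=3204",
      "https://www.google.ca/"
    ]
  },
  "default_search_provider_data": {
    "template_url_data": {
      "short_name": "Certified Toolbar",
      "url": "http://search.certified-toolbar.com/web?q={searchTerms}"
    }
  }
}
'''

# Hosts the organisation expects to see (assumed allowlist); anything else is flagged.
ALLOWED_HOSTS = {"www.google.ca", "www.google.com", "www.bing.com"}


def refang(url: str) -> str:
    """Restore a de-fanged 'hxxp(s)://' prefix, the convention used in the log above."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def host_of(url: str) -> str:
    """Return the lower-cased host of a URL, or '' if it has none."""
    return (urlparse(refang(url)).hostname or "").lower()


def audit_preferences(prefs_text: str, allowed_hosts=ALLOWED_HOSTS) -> list:
    """Return (setting_path, url) pairs whose host is not on the allowlist.

    Checks the three settings a homepage/search hijacker typically rewrites:
    the homepage, the URLs opened at startup, and the default search engine URL.
    """
    prefs = json.loads(prefs_text)
    findings = []

    def check(path, url):
        if isinstance(url, str) and url and host_of(url) not in allowed_hosts:
            findings.append((path, url))

    check("homepage", prefs.get("homepage"))
    for i, url in enumerate(prefs.get("session", {}).get("startup_urls", [])):
        check(f"session.startup_urls[{i}]", url)
    dsp = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    check("default_search_provider_data.template_url_data.url", dsp.get("url"))
    return findings


if __name__ == "__main__":
    # On a real machine, read C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\Preferences
    # (the path shown in the log) with Chrome closed, then pass its text in here.
    for path, url in audit_preferences(SAMPLE_PREFERENCES):
        print(f"{path}: {url}  (host {host_of(url)} not on allowlist)")
```

Run against the constructed sample it reports three entries, all on `search.certified-toolbar.com`. Chrome is closed before the file is read so that the on-disk copy is current; a clean profile yields an empty list, which is the state to confirm after any cleanup.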

#4 Troy Jollimore

Troy Jollimore
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:09:42 PM

Posted 15 January 2013 - 11:25 AM

This is going to sound like a cheap cop-out, but I realized at this point that a System Restore would probably negate the Registry entries causing this issue. It worked like a charm.

#5 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,760 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:05:42 PM

Posted 15 January 2013 - 11:36 AM

Very well :)

Go ahead with Eset scan.


#6 Troy Jollimore

Troy Jollimore
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:09:42 PM

Posted 15 January 2013 - 03:17 PM

No threats found. I'm seeing similar threads popping up. New variant, perhaps?

#7 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,760 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:05:42 PM

Posted 15 January 2013 - 03:53 PM

Update Malwarebytes and run FULL scan.
