TabNav and Appimaker Certificate Removal guide

  • March 27, 2015

TabNav is a program that displays advertisements and collects information on the sites that you visit. It does this by installing a Layered Service Provider that is able to examine and manipulate all the network data that you transmit and receive on your computer. Using this ability, TabNav can easily inject ads into the web sites that you visit and collect information about your browsing habits. TabNav also installs a root certificate into Windows called appimaker. This root certificate allows it to see SSL traffic so that it is able to inject ads even into encrypted connections. Unfortunately, this also gives it the ability to see all data you transmit over an encrypted SSL connection including login information. For example, in the picture below you see that the appimaker certificate is being used to encrypt the connection between a computer and the Citibank banking site.

  • TabNav signing the Citibank web sites
  • TabNav root certificate

Thankfully, the installation of the TabNav root certificate may cause side effects that indicate it is installed on your computer. When browsing sites, you may see alerts warning of certificate errors. For example, Internet Explorer may display errors such as:

Content was blocked because it was not signed by a valid security certificate.
For more information see "About Certificate Errors" in Internet Explorer Help.

and

There is a problem with this website's security certificate.
The security certificate presented by this website was not issued by a trusted certificate authority.
Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.

In Chrome you may see a message stating "Your connection is not private" followed by a Net::ERR_CERT_COMMON_NAME_INVALID error. An example of this type of alert can be seen below.


Chrome Certificate Warning

If you see errors like this, there is a good chance that you have either TabNav installed or another program that has installed its own root certificate in order to sign SSL connections.

It is important to note that TabNav is bundled with and installed by free programs that did not adequately disclose that other software would be installed along with it. Therefore, in the future it is important that you pay close attention to license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, you should select these options as they will typically disclose what other 3rd party software will also be installed. Furthermore, if the license agreement or installation screens state that they are going to install a toolbar or other unwanted adware, it is advised that you immediately cancel the install and not use the free software.

Without a doubt, TabNav is not a program that you want on your computer. There are no obvious benefits and the risks are too strong to ignore. If you find that you have TabNav installed on your computer, please use the guide below to remove it and any related adware.

Self Help Guide

This guide contains advanced information, but has been written in such a way so that anyone can follow it. Please ensure your data is backed up before proceeding.

If you are uncomfortable making changes to your computer or following these steps, do not worry! Instead you can get free one-on-one help by asking in the forums.
  1. This removal process may appear overwhelming due to the number of steps and the various programs used. Please do not be concerned, as it is only written this way to give you clear and easy instructions so that anyone can use this guide. Before using this guide, you should print out these instructions and close any open programs and files, as your web browser will need to be closed and your computer rebooted later in this fix.

  2. We want to terminate any other adware or malware processes that may be running by downloading and running RKill. RKill will search your computer for active malware processes and attempt to terminate them so that they won't interfere with the removal process. To do this, please download RKill to your desktop from the following link.

    RKill Download Link - (Download page will open in a new tab or browser window.)

    When at the download page, click on the Download Now button labeled iExplore.exe. When you are prompted where to save it, please save it on your desktop.

  3. Once it is downloaded, double-click on the iExplore.exe icon in order to automatically attempt to stop any processes associated with TabNav and other malware. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and a log file will open. Please review the log file and then close it so you can continue with the next step. If you have problems running RKill, you can download the other renamed versions of RKill from the RKill download page. All of the files are renamed copies of RKill, which you can try instead. Please note that the download page will open in a new browser window or tab.

    Do not reboot your computer after running RKill as the malware programs will start again.


  4. At this point you should download Malwarebytes Anti-Malware, or MBAM, to scan your computer for any infections or adware that may be present. Please download Malwarebytes from the following location and save it to your desktop:

    Malwarebytes Anti-Malware Download Link (Download page will open in a new window)

  5. Once downloaded, close all programs and windows on your computer, including this one.

  6. Double-click on the icon on your desktop named mb3-setup-1878.1878-3.0.6.1469.exe. This will start the installation of MBAM onto your computer.

  7. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave Launch Malwarebytes Anti-Malware checked. Then click on the Finish button. If Malwarebytes prompts you to reboot, please do not do so.

  8. MBAM will now start and you will be at the main screen as shown below.



    Malwarebytes Anti-Malware


    Please click on the Scan Now button to start the scan. If there is an update available for Malwarebytes it will automatically download and install it before performing the scan.

  9. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you do something else and periodically check on the status of the scan to see when it is finished.



    Malwarebytes Anti-Malware


  10. When MBAM is finished scanning it will display a screen that displays any malware that it has detected. Please note that the infections found may be different than what is shown in the image below due to the guide being updated for newer versions of MBAM.


    MalwareBytes Scan Results


    You should now click on the Remove Selected button to remove all the selected malware. MBAM will now delete all of the files and registry keys and add them to the program's quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.

  11. You can now exit the MBAM program.

  12. As a final cleanup step, please download AdwCleaner and save it to your desktop. AdwCleaner will scan your computer for adware programs that may have been installed on your computer without your knowledge. You can download AdwCleaner from the following URL:

    https://www.bleepingcomputer.com/download/adwcleaner/

  13. When AdwCleaner has finished downloading, please double-click on the AdwCleaner.exe icon that now appears on your desktop. Once you double-click on the icon the AdwCleaner program will open and you will be presented with its start screen as shown below. If Windows prompts you as to whether or not you wish to run AdwCleaner, please allow it to run.


    AdwCleaner Start Screen

  14. Now click on the Scan button in AdwCleaner. The program will now start to search for known adware programs that may be installed on your computer. When it has finished, it will display all of the items it has found in the Results section of the screen above. Please look through the results and try to determine whether any of the listed programs are ones that you want to keep installed. If you find programs that you need to keep, then uncheck the entries associated with them.

    For most people, the contents of the Results section may appear confusing or as gibberish. Unless you see a program name that you know should not be removed, please continue with the next step.

  15. To remove the adware programs that were detected in the previous step, please click on the Clean button on the AdwCleaner screen. AdwCleaner will now prompt you to save any open files or data as the program will need to reboot the computer. Please do so and then click on the OK button. AdwCleaner will now delete all detected adware from your computer. When it is done it will display an alert that explains what PUPs (Potentially Unwanted Programs) and Adware are. Please read through this information and then press the OK button. You will now be presented with an alert that states AdwCleaner needs to reboot your computer.



    AdwCleaner Reboot Prompt

    Please click on the OK button to let AdwCleaner reboot your computer.

  16. When your computer reboots and you are logged in, AdwCleaner will automatically open a log file that contains the files, registry keys, and programs that were removed from your computer.



    AdwCleaner Log

    Please review this log file and then close the Notepad Window.

  17. We now need to delete the root certificate installed by TabNav. To do this, press the Windows key and the R key at the same time to open the Run dialog box. When it opens, type certmgr.msc in the Open: field and press the Enter key. The Windows Certificate Manager will now open. Click on the little arrow next to the Trusted Root Certification Authorities category to expand it and then click on the Certificates folder. You should now see a list of certificates similar to the image below.




    Certificate Manager


    Right-click on the certificate called appimaker and select Delete as shown below.




    Delete appimaker certificate


    Once you have deleted the appimaker certificate you can close the Certificate Manager window and proceed with the rest of the steps.


  18. As many malware and unwanted programs are installed through vulnerabilities found in out-dated and insecure programs, it is strongly suggested that you use Secunia PSI to scan for vulnerable programs on your computer. A tutorial on how to use Secunia PSI to scan for vulnerable programs can be found here:

    How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector

 

Your computer should now be free of the TabNav program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes Anti-Malware to protect against these types of threats in the future.
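
A command-line check of what the steps above clean up, as an added example that is not part of the original guide: a PowerShell script that looks for the appimaker certificate in both Trusted Root stores, scans the Winsock (Layered Service Provider) catalog for TabNav file names, and checks for the install folder. The `-Remove` switch and the function names are this example's own; the certificate, file and folder names are the ones this guide gives.

```powershell
# Added example (not from the original guide): report leftover TabNav traces.
# Run from an elevated PowerShell prompt; pass -Remove to delete matching root certificates.
param([switch]$Remove)

$CertName   = 'appimaker'          # root certificate name given in this guide
$LspPattern = 'abengine|TabNav'    # file and folder names from the guide's file list

function Get-MatchingRootCert {
    param([string]$Location, [string]$Name)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $Location)
    $store.Open('ReadOnly')
    try {
        # A self-signed root carries the name in both Subject and Issuer.
        $needle = [regex]::Escape($Name)
        @($store.Certificates | Where-Object { $_.Subject -match $needle -or $_.Issuer -match $needle })
    } finally {
        $store.Close()
    }
}

function Remove-RootCert {
    param([string]$Location, $Certificate)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $Location)
    $store.Open('ReadWrite')       # LocalMachine requires administrator rights
    try { $store.Remove($Certificate) } finally { $store.Close() }
}

$found = 0
# LocalMachine first: the CurrentUser view also lists machine-wide roots, so in
# report-only mode the same certificate can appear under both locations.
foreach ($location in 'LocalMachine', 'CurrentUser') {
    foreach ($cert in @(Get-MatchingRootCert -Location $location -Name $CertName)) {
        $found++
        Write-Output ("[{0}\Root] {1}  thumbprint={2}  expires={3:yyyy-MM-dd}" -f `
            $location, $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
        if ($Remove) {
            Remove-RootCert -Location $location -Certificate $cert
            Write-Output "  removed from $location\Root"
        }
    }
}
if ($found -eq 0) { Write-Output "No root certificate matching '$CertName' found." }

# Layered Service Provider check: list Winsock catalog lines that name TabNav files.
$lspHits = @(netsh winsock show catalog | Select-String -Pattern $LspPattern)
if ($lspHits.Count -gt 0) {
    Write-Output "Winsock catalog still references TabNav components:"
    $lspHits | ForEach-Object { Write-Output ("  " + $_.Line.Trim()) }
} else {
    Write-Output "No TabNav entries in the Winsock catalog."
}

# Install folder from the guide's file list (32-bit and 64-bit Program Files).
$dirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { Join-Path $_ 'TabNav' }
foreach ($dir in $dirs) {
    if (Test-Path -LiteralPath $dir) { Write-Output "Folder still present: $dir" }
}
```

Run it without arguments first to review what it finds. If the Winsock or folder checks still report entries, repeat the scans in steps 4 through 15.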

View Associated TabNav Files

%ProgramFiles%\TabNav\
%ProgramFiles%\TabNav\abengine.dll
%ProgramFiles%\TabNav\abengine.exe
%ProgramFiles%\TabNav\abengine.tlb
%ProgramFiles%\TabNav\abengine64.dll
%ProgramFiles%\TabNav\abenginecert.dll
%ProgramFiles%\TabNav\abenginep.exe
%ProgramFiles%\TabNav\abenginew.exe
%ProgramFiles%\TabNav\abenginewd.dll
%ProgramFiles%\TabNav\freebl3.dll
%ProgramFiles%\TabNav\ins.exe
%ProgramFiles%\TabNav\lengine.exe
%ProgramFiles%\TabNav\lengine.ini
%ProgramFiles%\TabNav\lengine64.exe
%ProgramFiles%\TabNav\libnspr4.dll
%ProgramFiles%\TabNav\libplc4.dll
%ProgramFiles%\TabNav\libplds4.dll
%ProgramFiles%\TabNav\list.txt
%ProgramFiles%\TabNav\nss3.dll
%ProgramFiles%\TabNav\nssckbi.dll
%ProgramFiles%\TabNav\nssdbm3.dll
%ProgramFiles%\TabNav\nssutil3.dll
%ProgramFiles%\TabNav\slite.exe
%ProgramFiles%\TabNav\smime3.dll
%ProgramFiles%\TabNav\softokn3.dll
%ProgramFiles%\TabNav\sqlite3.dll
%ProgramFiles%\TabNav\ssl3.dll
%ProgramFiles%\TabNav\term.txt
%ProgramFiles%\TabNav\trik3004.exe
%ProgramFiles%\TabNav\uninstall.exe
%Temp%\SpOrder.dll
%WinDir%\SysWOW64\config\systemprofile\AppData\Local\abengine\
%WinDir%\SysWOW64\config\systemprofile\AppData\Local\abengine\abengine.ini
%WinDir%\SysWOW64\abengine.dll
%WinDir%\SysWOW64\abengineOff.ini
%System%\Tasks\trik3004
%System%\abengine64.dll
%System%\abengineOff.ini
%WinDir%\Temp\abengine.log
C:\END

File Location Notes:

%System% is a variable that refers to the Windows System folder. By default this is C:\Windows\System for Windows 95/98/ME, C:\Winnt\System32 for Windows NT/2000, or C:\Windows\System32 for Windows XP/Vista/7/8.

%Windir% refers to the Windows installation folder. By default, this is C:\Windows for Windows 95/98/ME/XP/Vista/7/8 or C:\Winnt for Windows NT/2000.

%ProgramFiles% refers to the Program Files folder. The path to this folder is C:\Program Files\ or C:\Program Files (X86)\ depending on whether the version of Windows or the program being installed is 32-bit or 64-bit.

%Temp% refers to the Windows Temp folder. By default, this is C:\Windows\Temp for Windows 95/98/ME, C:\DOCUMENTS AND SETTINGS\<Current User>\LOCAL SETTINGS\Temp for Windows 2000/XP, and C:\Users\<Current User>\AppData\Local\Temp in Windows Vista, Windows 7, and Windows 8.

View Associated TabNav Registry Information


This is a self-help guide. Use at your own risk.

BleepingComputer.com cannot be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can ask for malware removal assistance in our Virus, Trojan, Spyware, and Malware Removal Logs forum.

If you have any questions about this self-help guide, then please post those questions in our Am I infected? What do I do? forum and someone will help you.
