allentech.net

Parasite: CustomToolbar

This record last updated Tue Sep 20 2005 00:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

CustomToolbar is an Internet Explorer toolbar made using toolbar creation software from customtoolbar.com.

Variants

CustomToolbar/Mojo is an adware toolbar written and distributed by mojo.com (its controlling server).

There are other CustomToolbar variants but none are known to be installed by underhand methods; they are not known to be harmful and are not detected by the script at this site.

Distribution

The Mojo variant is installed by ActiveX drive-by download on pop-up ads served through Standard Internet. It is known to have used an Internet Explorer security exploit to install automatically without prompting; some anti-virus software may detect this exploit as JS.Exception.

Note: one of the sites involved in spreading CustomToolbar/Mojo is stopannoyingpopups.com, which may also install Wink/nsdlua.

What it does

Advertising

Yes, can open untargeted pop-up ads as directed by its controlling server (which is contacted when a new IE window is opened).

Privacy violation

No.

Security issues

In the software itself, no.

However the security exploit often used to install the Mojo variant is an extreme security risk: it enables all ActiveX security settings, allowing any web page to run any code at all (even unsigned code) without prompting.

Stability problems

None known.

Removal

Open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u ..\ctb\CustomToolbar.dll
regsvr32 /u Actbar2.ocx

Restart the computer and you should be able to delete the ‘ctb’ folder inside the Windows folder, and the ‘Actbar2.ocx’ file inside the System folder (which is also inside the Windows folder, and called ‘System32’ on Windows NT/2000/XP or just ‘System’ on Windows 95/98/Me). Then open the ‘Downloaded Program Files’ folder in the Windows folder, and delete the ‘CustomToolbar Setup’ entry.

Now check your security settings — if Mojo installed through the IE exploit then not only do you need to fix that hole, but you also need to undo the damage done to your ActiveX security settings, which will be wide open. Go to the Security tab of Internet Options, choose the Internet Zone, click ‘Custom Settings’ and make sure the following options are set:

  • ‘Download signed ActiveX controls’ to Prompt (or Disable);
  • ‘Download unsigned ActiveX controls’ to Disable;
  • ‘Initialize and script ActiveX controls not marked as safe for scripting’ to Disable.
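
The three settings above can also be checked from a registry export of the Internet Zone key. The following is an added example, not part of the original record or its detection script: it assumes Microsoft's documented zone layout (Internet Zone is Zones\3; URL action IDs 1001, 1004 and 1201; values 0 = Enable, 1 = Prompt, 3 = Disable), none of which appear on this page, and it runs on constructed sample exports.

```python
import re

# Assumed mapping (Microsoft's documented URL actions, not from this page).
ZONE_KEY_SUFFIX = r"\internet settings\zones\3"      # 3 = Internet Zone
POLICY = {0: "Enable", 1: "Prompt", 3: "Disable"}
REQUIRED = {  # action id -> (option name as shown in IE, acceptable values)
    "1001": ("Download signed ActiveX controls", {1, 3}),
    "1004": ("Download unsigned ActiveX controls", {3}),
    "1201": ("Initialize and script ActiveX controls not marked as safe for scripting", {3}),
}

def parse_zone3(reg_text):
    """Return {action_id: int} for DWORD values under the Zones\\3 key only."""
    values, in_zone = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):                      # a new key section begins
            in_zone = line.rstrip("]").lower().endswith(ZONE_KEY_SUFFIX)
            continue
        m = re.fullmatch(r'"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})', line)
        if in_zone and m:
            values[m.group(1).upper()] = int(m.group(2), 16)
    return values

def audit(reg_text):
    """List (action_id, option, current_state) for each setting that is too permissive."""
    values = parse_zone3(reg_text)
    findings = []
    for action, (label, acceptable) in REQUIRED.items():
        val = values.get(action)
        if val not in acceptable:
            state = POLICY.get(val, "missing" if val is None else f"unknown ({val})")
            findings.append((action, label, state))
    return findings

def sample_export(signed, unsigned, unsafe_init):
    """Build a constructed .reg-style export; real exports are UTF-16 files."""
    return (
        "Windows Registry Editor Version 5.00\n\n"
        "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion"
        "\\Internet Settings\\Zones\\3]\n"
        f'"1001"=dword:{signed:08x}\n"1004"=dword:{unsafe_init and unsigned or unsigned:08x}\n'
        f'"1201"=dword:{unsafe_init:08x}\n'
    )

WIDE_OPEN = sample_export(0, 0, 0)   # constructed: everything enabled, as after the exploit
FIXED = sample_export(1, 3, 3)       # constructed: the settings listed above

if __name__ == "__main__":
    for action, label, state in audit(WIDE_OPEN):
        print(f"{action}: '{label}' is {state}")
```

A value reported as missing means the export did not contain that setting, so check it by hand in Internet Options.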

To fix the exploit that allowed Mojo to load, you will need to get a newer version of the Microsoft Java VM. Windows 2000 users can find a patch for it; for everyone else there is only the somewhat temperamental Windows Update. (Alternatively, use Sun’s Java VM or disable Java altogether.)

Links

The software used to create CustomToolbar is from customtoolbar.com.

Mojo.com is a generic portal operated by the advertising network Standard Internet.

* Parasite information and detection script by Andrew Clover - www.doxdesk.com, used with permission.
