Description

CustomToolbar is an Internet Explorer toolbar made using toolbar creation software from customtoolbar.com.

Variants

CustomToolbar/Mojo is an adware toolbar written and distributed by mojo.com (its controlling server).

There are other CustomToolbar variants but none are known to be installed by underhand methods; they are not known to be harmful and are not detected by the script at this site.

Distribution

The Mojo variant is installed by ActiveX drive-by download on pop-up ads served through Standard Internet. It is known to have used an Internet Explorer security exploit to install automatically without prompting; some anti-virus software may detect this exploit as JS.Exception.

Note: one of the sites involved in spreading CustomToolbar/Mojo is stopannoyingpopups.com, which may also install Wink/nsdlua.

What it does

Advertising

Yes. It can open untargeted pop-up ads as directed by its controlling server (which is contacted when a new IE window is opened).

Privacy violation

No.

Security issues

In the software itself, no.

However, the security exploit often used to install the Mojo variant is an extreme security risk: it enables all ActiveX security settings, allowing any web page to run any code at all (even unsigned code) without prompting.

Stability problems

None known.

Removal

Open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u ..\ctb\CustomToolbar.dll
regsvr32 /u Actbar2.ocx

Restart the computer and you should be able to delete the 'ctb' folder inside the Windows folder, and the 'Actbar2.ocx' file inside the System folder (which is also inside the Windows folder, and called 'System32' on Windows NT/2000/XP or just 'System' on Windows 95/98/Me). Then open the 'Downloaded Program Files' folder in the Windows folder, and delete the 'CustomToolbar Setup' entry.

Now check your security settings — if Mojo installed through the IE exploit then not only do you need to fix that hole, but you also need to undo the damage done to your ActiveX security settings, which will be wide open. Go to the Security tab of Internet Options, choose the Internet Zone, click 'Custom Settings' and make sure the following options are set:

  • 'Download signed ActiveX controls' to Prompt (or Disable);
  • 'Download unsigned ActiveX controls' to Disable;
  • 'Initialize and script ActiveX controls not marked as safe for scripting' to Disable.
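
The same three settings can be checked from the registry. The PowerShell below is an added example, not part of the original page; it assumes the standard Internet Explorer zone registry layout (zone 3 is the Internet Zone; values 1001, 1004 and 1201; data 0 = Enable, 1 = Prompt, 3 = Disable), and the function names are hypothetical. It reads only the per-user key and does not look at machine-wide policy.

```powershell
# Added example: audit the three Internet Zone ActiveX settings listed above.
# Assumes the standard IE zone registry layout: zone 3 = Internet Zone,
# DWORD data 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

$Expected = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';   Allowed = @(1, 3) }
    '1004' = @{ Name = 'Download unsigned ActiveX controls'; Allowed = @(3) }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Allowed = @(3) }
}
$Label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Hypothetical helper: compare a set of values (action ID -> DWORD) with $Expected.
function Test-ActiveXZoneSettings {
    param([hashtable]$Values)
    foreach ($id in $Expected.Keys) {
        $rule = $Expected[$id]
        if ($Values.ContainsKey($id)) {
            $v     = [int]$Values[$id]
            $state = if ($Label.ContainsKey($v)) { $Label[$v] } else { "unknown ($v)" }
            $ok    = $rule.Allowed -contains $v
        } else {
            # A missing value cannot be confirmed as safe, so it is flagged too.
            $state = 'not set'; $ok = $false
        }
        [pscustomobject]@{ Id = $id; Setting = $rule.Name; Current = $state; OK = $ok }
    }
}

# Hypothetical helper: read the three values from a zone key into a hashtable.
function Get-ZoneValues {
    param([string]$Path)
    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    $out = @{}
    foreach ($id in $Expected.Keys) {
        if ($null -ne $props.$id) { $out[$id] = $props.$id }
    }
    return $out
}

# Constructed sample: the wide-open state described above (all three enabled).
$wideOpen = @{ '1001' = 0; '1004' = 0; '1201' = 0 }
Test-ActiveXZoneSettings -Values $wideOpen | Format-Table -AutoSize

# Live check of the current user's Internet Zone, when the key exists.
if (Test-Path $ZoneKey) {
    Test-ActiveXZoneSettings -Values (Get-ZoneValues -Path $ZoneKey) | Format-Table -AutoSize
}
```

Any row with OK = False after cleanup means the corresponding option still needs to be set by hand as listed above.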

To fix the exploit that allowed Mojo to load, you will need to get a newer version of the Microsoft Java VM. Windows 2000 users can find a patch for it; for everyone else there is only the somewhat temperamental Windows Update. Alternatively, use Sun's Java VM, or disable Java altogether.