Some HTTPS sites on my laptop are delivered with an invalid certificate (just found one site so far: https://gstatic.com). The invalid certificate is issued by cloudguard.me (adware as far as I can tell), but I found nothing on my PC - not even the ads cloudguard.me is supposed to show. This happens in Internet Explorer, Chrome and Firefox.

This question is specifically about the injected HTTPS certificate and not a generic "how to remove malware XY from my PC". I'm pretty confident that there is no (active) adware on my machine except this invalid HTTPS certificate (leftover).

I already checked the following:

  • no proxy used by browsers
  • installed software (everything is accounted for)
  • running processes (nothing suspicious - everything signed, no VirusTotal hits)
  • services: nothing suspicious
  • checked with Autoruns for unusual items: nothing
  • certificate manager: no certificates by cloudguard.me
  • connected via VPN to the internet (to rule out MITM)
  • did a full scan with Avira AntiVir (free)
  • created a new user account: same symptoms

I don't know if the certificate itself is important, if you want to take a look at it:

Base64 encoded X.509

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

Would be great if someone has an idea how to fix this problem, or where else to look. Thanks!

wischi
  • It seems like [CloudGuard.me is part of some malware package](https://www.google.com/search?client=safari&rls=en&q=%22cloudguard.me%22&ie=UTF-8&oe=UTF-8) so remove the malware and the problem should clear up. – Giacomo1968 Aug 23 '16 at 13:33
  • Possible duplicate of [How can I remove malicious spyware, malware, adware, viruses, trojans or rootkits from my PC?](http://superuser.com/questions/100360/how-can-i-remove-malicious-spyware-malware-adware-viruses-trojans-or-rootkit) – Ramhound Aug 23 '16 at 13:41
  • Verify you're not using a proxy. Chrome, IE, and Firefox all respect the proxy settings on Windows. – Ramhound Aug 23 '16 at 13:42
  • @Ramhound no proxy enabled. – wischi Aug 23 '16 at 14:59
  • @Ramhound IMHO this is not a duplicate, because I specifically look for methods by which the certificate can be swapped that are not listed above. – wischi Aug 23 '16 at 15:05
  • @JakeGould already followed numerous removal guides - no success. – wischi Aug 23 '16 at 15:07
  • You believe you are infected with the adware known as `cloudguard.me` which means it is indeed a duplicate. You don't have to indicate you don't agree with my close vote. Create a new user account, if the behavior does not exhibit itself, then your user certificate store does indeed contain a cloudguard.me certificate. – Ramhound Aug 23 '16 at 15:08
  • @Ramhound I don't believe I'm infected. I think I was infected. Removed the infection (actual software that messed up the configuration). And now there are leftovers from a previous infected system that I'm trying to fix. PS: Trying to create a new user account now. – wischi Aug 23 '16 at 15:14
  • You were infected, and whichever software you used incorrectly removed the adware (or at the very least didn't do a complete job). The point is, we have a single historical question for removing adware here at Super User. – Ramhound Aug 23 '16 at 15:17

1 Answer

Your computer is going to cloudguard.me's IP address when it looks up the address for gstatic.com.

The malware altered your DNS settings to resolve some names to their malicious server for ad injection.

Fix your DNS settings to use your ISP's DNS and – if the malware really was removed – the problem should go away.

Eric
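A way to confirm the answer's diagnosis before changing anything, written in PowerShell as an added example; it is not code from the question or the answer. It assumes the affected host is gstatic.com (as in the question), uses 8.8.8.8 as an independent reference resolver (an assumption; any public resolver works) and assumes TCP 443 to the resolved address is reachable. The hosts file check is included because the question's checklist covers proxies, processes and the certificate store but not the hosts file, which overrides DNS entirely and is a common leftover of ad-injecting software.

```powershell
# Added example (not from the original post): check whether a hostname is redirected at
# the resolver level and what certificate the redirected endpoint actually serves.
# Assumptions: $HostName is the affected site from the question, $ReferenceDns is an
# arbitrary independent public resolver, and TCP 443 is reachable.
$HostName     = 'gstatic.com'
$ReferenceDns = '8.8.8.8'

# 1. Which resolvers is Windows actually using? Adware frequently hard-codes its own.
Write-Host "== Configured IPv4 DNS servers per interface =="
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# 2. The hosts file overrides DNS completely; any line naming the host is suspicious.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Write-Host "== hosts file entries mentioning $HostName =="
Select-String -Path $HostsPath -Pattern ([regex]::Escape($HostName)) |
    ForEach-Object { $_.Line }

# 3. Compare the system resolver's answer with an independent resolver's answer.
$Local = Resolve-DnsName -Name $HostName -Type A -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
$Ref   = Resolve-DnsName -Name $HostName -Type A -Server $ReferenceDns -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
Write-Host "== A records via system resolver : $($Local -join ', ')"
Write-Host "== A records via $ReferenceDns        : $($Ref -join ', ')"
if ($Local -and $Ref -and -not ($Local | Where-Object { $Ref -contains $_ })) {
    Write-Warning "No overlap between answers: $HostName resolves to a different address locally."
}

# 4. Connect to whatever the system resolver returned and read the leaf certificate.
#    The validation callback deliberately accepts everything: the goal is to *see* the
#    bad certificate and its issuer, not to reject it. Never reuse this callback elsewhere.
function Get-LeafCertificate {
    param([string]$Name, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($Name, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Name)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}
$cert = Get-LeafCertificate -Name $HostName
Write-Host "== Certificate presented for $HostName =="
Write-Host "   Subject    : $($cert.Subject)"
Write-Host "   Issuer     : $($cert.Issuer)"
Write-Host "   Thumbprint : $($cert.Thumbprint)"
if ($cert.Issuer -match 'cloudguard') {
    Write-Warning "Issuer matches the injected certificate described in the question."
}

# 5. Remediation along the lines of the answer: drop any hard-coded resolver so the
#    DHCP-assigned (ISP) servers are used again, then flush the cache. Uncomment to apply;
#    requires an elevated shell.
# Get-DnsClientServerAddress -AddressFamily IPv4 | ForEach-Object {
#     Set-DnsClientServerAddress -InterfaceIndex $_.InterfaceIndex -ResetServerAddresses
# }
# Clear-DnsClientCache
```

If step 3 shows the same addresses from both resolvers and the hosts file is clean, the redirection is not happening at the resolver and the remaining places to look are a transparent proxy on the network path (a VPN only rules that out for traffic that actually goes through the tunnel) or a filter driver on the machine itself; if the addresses differ, step 1 or step 2 usually shows which setting the leftover is in.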