Category Archives: malware

Firefox Addons Insecure

Filed under 0day, DefCon, malware

Unable to attend DefCon this year, I’ve been following it on twitter. There was a talk about how insecure Firefox extensions are.

@ramereth word to the wise: DO NOT trust any firefox extension. assume they can grab and do anything including executing other code #defcon

Just one of many tweets talking about how scary the talk was. So until I can get more information on this, I’m disabling most of my Firefox extensions. Could this be Firefox’s vulnerability equivalent to Internet Explorer’s active-x? Ironically, I’ve been using Google’s Chrome browser lately. I’m liking it more and more. I was just switching back to Firefox because it has a couple extensions I use a lot. But now that they might not be safe, it looks like Chrome is going to be set as my default browser. At least until I find out more about these Firefox extension exploits.

Seeing how this talk was given today, I suspect there will soon be a rash of these exploits and figured I should pass on the info I have even though it’s sketchy at best at this point. To disable your extensions in Firefox, just go to Tools, then addons, then extensions, and uninstall or disable them.

Removing My Web Tattoo Phone Number

Filed under malware, Uncategorized

I haven’t stopped working on how to remove My Web Tattoo and the associated programs. If you have it in Firefox, then you’re kinda in luck. I have removed it from Firefox

And I found a phone number that was on the EULA page for Make The Web Better, which is the first program that is downloaded from the My Web Tattoo page. I suggest if you haven’t been able to get it removed from Internet Explorer yet, you follow the advice on their page

If you experience any problems installing and/or uninstalling the Software Product, please contact us via email at: info@make-the-web-better.com, or call us at: 1 (800) 831-8940.

I’m still working on removing it. I can’t get it installed on IE 7 on my test computer. So I’ve been doing some other stuff like running it in a sandbox to see what it does. I’ve identified several registry keys that are affected and where it’s sending data to. I just got this info though and I’m in the middle of a computer repair job that should have been done already. So when I get some more time I’ll write up what I have found about removing it and more.

In the meantime, there is the number you can call. You can leave comments on how it went if you do call them. I’m sure others will be interested in how they helped you.

Vulnerability in Microsoft Office Web Components

Filed under malware, security, virus

Looks like there is another ActiveX vulnerability. If you are unfamiliar with ActiveX, basically, a web page can do stuff like read and write files when you use Internet Explorer and allow ActiveX options. This is nice for the Microsoft Update site to see which files it needs to update, but that’s about it in my opinion. Sure, there is a pop-up that asks you if you want to allow a website to use ActiveX but history shows that too many people allow ActiveX when they shouldn’t. There is an unbelievable amount of attacks that use ActiveX. That’s one of the main reasons I use Firefox instead of Internet Explorer, it doesn’t have ActiveX so you don’t have to worry. Google’s Chrome is another web browser that doesn’t have ActiveX.

Our friends over at the Internet Storm Center are keeping an active eye on this new vulnerability. You can read all about it and follow their updates here. So do your Microsoft Updates, several just came out, and if you really want to be safe, stop using Internet Explorer or use it as little as possible and switch to Firefox, Chrome or even Opera. Stay Safe.

Project Web Tattoo Fast Browser Search Removal – Update

Filed under fix, malware, software, Tests

I’m afraid I have some bad news on my mission to install Web Tattoo and remove it and the Fast Browser Search redirector that takes over your web browser. First I couldn’t find it on Facebook anymore. I don’t know if it was finally removed because of the problems it caused or maybe I’m just not searching correctly but it appears to be gone. So I did a google search for it and was able to find the website where it could be downloaded and installed. Unfortunately, I can’t get it to install into Internet Explorer 7. Every time I’ve tried to install it into IE7, I got an error and it just hangs or quits.

So it’s back to the drawing board. Just writing this has given me a couple of ideas of why it won’t install this time. I haven’t given up but I’m afraid it’s already taking longer than I expected. So stay tuned and with any luck, the next update will be the solution.

UPDATE: Here is some info I found about removing fast browser search from Internet Explorer (IE) http://www.pccybertek.com/2009/10/remove-fast-browser-search-from-ie-7-ie8

Project Web Tattoo Fast Browser Search Remove Part 1

Filed under fix, free software, malware, scams

One post has brought this site more traffic than anything else ever before. My article on removing Fast Browser Search. That nasty little search re-director that gets installed when you install a Facebook plug in called Web Tattoo.

The story thus far. For some reason I decided to install web tattoo. I knew it was probably going to install something else. Rule #1 – Programs on the internet that claim to be free, especially add-ons for social sites, aren’t really free. I just figured I could uninstall whatever it slipped in. After I uninstalled Web Tattoo, from FireFox and using add and remove programs in the windows control panel, and it was still redirecting my traffic to Fast Browser Search, I’d just remove it with Spybot or Ad-Aware or Hi-Jack This and remove it from the registry. However, none of these detected it and I couldn’t find any sign of it in the registry. Then I did a search on the internet and couldn’t find anything about removing it either. So I did some thinking and figured out how to remove it. Seeing how there was such a lack of articles dealing with this pest, I figured it would be the perfect thing for my blog. So I wrote this article on how I removed it from FireFox.

Next thing I know there’s a spike in the traffic coming to my little unknown blog. I was happy to learn that referrers were search engine results for “fast browser remove” and other similar queries. All of them looking for a way to take out this blasted thing. For a short time, my blog was on the first page in google if you were searching for a way to remove it. This got me pretty jazzed. I’ve had this blog for a couple years but never had much traffic before. After a couple weeks, the traffic to that article I wrote started tapering off. I was no longer in the first page or two when people searched for it. Then all of a sudden it spiked again. Turns out someone on a google forum had Fast Browser Search take over their browser. Next thing I know I’m getting a ton of hits again, this time all coming from this post. Now if the people this helped would just click on my google ads, I could earn a couple cents in this tough economy ;)

There was only one problem. My article only covered how to remove it from FireFox. Turns out there are plenty of people with Internet Explorer who have been attacked by this scourge known as Fast Browser Search. So here is what I’m going to do. Initially I was going to install Windows XP on a virtual Machine. But this would take quite some time and work before I could deliberately infect myself with Fast Browser Search. So I decided to take a short cut. After I’m done writing this, I’m going to create a new user account in windows, head over to Facebook and install Web Tattoo while using Internet Explorer. Then I’m going to figure out how to remove it and write part 2 of this article. So check back in a day or so, hopefully it won’t take me longer than that to figure out. If you would like to show some appreciation, click on my google ads, or leave me a reply. I love getting replies and hearing from you.

Spyware Protect 2009 is a Virus

Filed under botnets, conficker, cybercrime, free software, malware, phishing, scams, software, virus

I’m sure you have all seen this before. You’re surfing along, when all of a sudden, you get a pop-up that alerts you that your computer is infected! YIKES! What to do!??! Ah, you can just download a “free” program that will fix it for you. I’d hope you already know, this is a scam. It’s one of two things. You can either download a legit program that will scan your computer, tell you how badly infected it is and you can purchase a full version of the program to remove all your “infections.” Just in case you’re not really infected, these programs will increase your infection count by adding your cookies to the list. Pretty good way to jack up the numbers, but I wouldn’t call cookies an infection. And I sure don’t have to buy any program to remove them. The other thing that could happen, and probably will is, you will download a program that will then install its own adware. Turns out they have a name for this stuff now, and that name is Scareware.

Turns out many people are still falling for this scam. I had to clean my parents’ computer up, from one of these. Try doing it over VNC, and you may have your patience tested like I did. Anyways, the old folks aren’t the only ones falling for this, and now there is a new variation. Spyware Protect 2009 is the new breed of scareware. Not only does it con you by getting you to install it, it actually does damage to get you to “purchase” it for $49.99 and install a trojan downloader. Meanwhile it increases the pop ups telling you how infected your computer is. So you order the program with your credit card and guess what, you just gave them your credit card number, no hacking needed. A local electronics store, with the initials RS, got hit by it and from what I could get out of them, sounds like the whole corp has been infected through their network.

Since I first found out about this last week, I’ve found out that it’s now also being installed by the conficker virus. At first I was thinking, wouldn’t people be suspicious if there was a new piece of software on their computer? I sure as hell would. Then I started thinking about it in a corporate situation. Some poor schmuck, in accounting or wherever, could think it was installed by their IT Dept. So the keylogger installed would run until the computer crashed. The one good thing is, the domain that was selling Spyware Protect 2009 is gone. Keep an eye out for variations with new names and the same or slightly modified interface.

-Your friendly neighborhood PC Cybertek

Remove Fast Browser Search

Filed under fix, malware

First I have to admit, I did something stupid. I decided to install My Web Tattoo on my Facebook page. I knew with all the spam about this addon it would try and sneak in some kind of malware. Being the “I know how to fix anything” PC Tech that I am, I pretty much dared it to install something. Which it promptly did. It changed my default search to some crap called “Fast Browser Search.” I tried Spybot and BHO Remover, both of which found my system clean. I looked in the addons under firefox and uninstalled My Web Tattoo. Then I found that some of my searches were still getting redirected to Fast Browser Search. So I searched my registry for Fast Browser Search and various combinations of those words. Nothing…. I searched the internet for Fast Browser Search and their site has nothing about how to remove it, big surprise. I won’t go into how it should be illegal for companies to pull this !#$!. I did find a page from the My Web Tattoo people that said you can remove it from the addons in firefox. Well I already did that, and it was still redirecting. Then I remembered the config settings in Firefox. And there it was.


Since this was such a nightmare to find and remove, I felt it was my duty to pass on this to you, my faithful readers ;) Type about:config in the address bar in Firefox. In the filter, type fast. This should bring up all the instances of where Fast Browser Search has taken over. Right click on each of the Fast Browser Search entries and select reset. This should put most of them back to google. And that’s it!

UPDATE: One of our readers, ED, has added another step

There was a few more steps I needed to do to remove it from list…in the search engine toolbar I had forgotten to click that and manage search engines as well, after the Tools/Add-on removal. Also, in the about:config area, I also typed in … fbs … in the filter section and found more fast browser search stuff in that filter set. Just in case, I reset them as well.=)

Thanks for the info Ed
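
The same "fast" and "fbs" filters can be run against the profile's prefs.js file, where Firefox stores user-modified preferences as user_pref lines, to list what still needs resetting. This is an added example, not code from the original post; the sample file contents and the search URL in it are constructed, and the preferences the add-on actually changed may differ.

```python
import re

# Filter terms from the post ("fast") and from Ed's comment ("fbs").
FILTER_TERMS = ("fast", "fbs")

# prefs.js holds one user-modified preference per line:
#   user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.*)\);\s*$')

# Constructed sample, not taken from an infected profile.
SAMPLE_PREFS = '''// Mozilla User Preferences
user_pref("app.update.enabled", true);
user_pref("browser.search.selectedEngine", "Fast Browser Search");
user_pref("browser.startup.homepage", "https://www.mozilla.org/");
user_pref("keyword.URL", "http://search.example.invalid/fbs?q=");
'''


def find_modified_prefs(prefs_text, terms=FILTER_TERMS):
    """Return (name, raw_value) for every user_pref whose name or value
    contains one of the filter terms, case-insensitively."""
    hits = []
    for line in prefs_text.splitlines():
        match = PREF_LINE.match(line)
        if not match:
            continue  # comment, blank line, or anything that is not a user_pref
        name, raw_value = match.group(1), match.group(2).strip()
        haystack = (name + " " + raw_value).lower()
        if any(term in haystack for term in terms):
            hits.append((name, raw_value))
    return hits


def report(prefs_text):
    """Format the hits as lines a person can review before resetting."""
    return ["%s = %s" % hit for hit in find_modified_prefs(prefs_text)]


if __name__ == "__main__":
    # To check a real profile, read its prefs.js into a string instead.
    for entry in report(SAMPLE_PREFS):
        print("review and reset in about:config:", entry)
```

Because "fast" is a plain substring match, review each hit before resetting it; only preferences that differ from their defaults appear in prefs.js, which keeps the list short.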


MORE HELP
I figured out some more information on removing this. I can tell by some of the replies that not everyone has seen the other posts I made later. Here is another one that might help if the above info didn’t.

more-my-web-tatto-removal-information