How does mywebsearch get installed?

Red Squirrel

No Lifer
May 24, 2003
I'm usually very good about not having any crap on my PC, but I somehow picked up mywebsearch. Not the toolbar, but some trace of it. I decided to run Malwarebytes just for the heck of it and it found 2 entries related to it.

The only thing I can think of is I installed Foxit and it installed some toolbar which I then removed, but that would not have mywebsearch in it, would it?

Just wondering what normally causes this toolbar, or other spyware having to do with that, to actually happen.
 

Sam25

Golden Member
Mar 29, 2008
I found some info on it here. I doubt if it came with Foxit though. Does it redirect to any particular page on searching?
 

Red Squirrel

No Lifer
May 24, 2003
Nope, it was basically 2 registry entries and I removed them. Never even saw a sign of it. Not even anything in HijackThis.

Then again, I don't use IE; maybe I would have noticed it before I removed it. Before clearing the registry entries I opened IE to see if the toolbar was there, but did not try a search.
 

Sam25

Golden Member
Mar 29, 2008
Well, I'm glad you got it deleted.

I remember once, a long time back, I had one of these nasty search toolbars install itself onto IE and it was a pain to remove it totally. It would never take me to the search I typed in but redirected me to some stupid website instead!
 

Red Squirrel

No Lifer
May 24, 2003
Oh yeah, some of those are super annoying. I've actually given up on trying to remove that crap from people's PCs. They drop it off at my house and if it says anything lower than PII on it, I don't even boot the OS, I just format.

I don't have people bring me infected PCs that much anymore.
 

Sam25

Golden Member
Mar 29, 2008
Yes, some of them, no matter how many times I tried to remove them, just kept reappearing after a reboot. Worse still was when I had dial-up (about 3 years back); the dial-up box would keep popping up wanting to connect to some unknown web address! Super, super annoying!
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
I suggest you rethink your "I don't need updates" strategy...

Originally posted by: RedSquirrel
It's the reason I don't bother with updates. I have a router, firewall, and have protection at the port level. 0 issues since 2000 (when we got our first computer).

Updates are a good idea, not just for the OS and browser, but for everything else you've got installed. QuickTime, WinAmp, RealPlayer, Sun Java, Adobe/Acrobat Reader, Flash Player... what do they have in common, along with countless other third-party apps? Yeah. They're all exploited by the bad guys to install junk you don't want, like MyWebSearch.

Solution: use the Secunia Personal Software Inspector to get the updates you need for third-party stuff, as well as Microsoft Update for Microsoft stuff. I also recommend using non-Admin user accounts if you can, which proved very effective for me as a sysadmin.


 

Bradtechonline

Senior member
Jul 20, 2006
Anymore it does not take local admin rights to install half the junk you run into online.. AV2009/360/ variants do not need local admin to hop on a machine. lol @ not installing security updates for the OS and browsers.. That's like building a house without windows or doors.


Originally posted by: mechBgon
I suggest you rethink your "I don't need updates" strategy...

Originally posted by: RedSquirrel
It's the reason I don't bother with updates. I have a router, firewall, and have protection at the port level. 0 issues since 2000 (when we got our first computer).

Updates are a good idea, not just for the OS and browser, but for everything else you've got installed. QuickTime, WinAmp, RealPlayer, Sun Java, Adobe/Acrobat Reader, Flash Player... what do they have in common, along with countless other third-party apps? Yeah. They're all exploited by the bad guys to install junk you don't want, like MyWebSearch.

Solution: use the Secunia Personal Software Inspector to get the updates you need for third-party stuff, as well as Microsoft Update for Microsoft stuff. I also recommend using non-Admin user accounts if you can, which proved very effective for me as a sysadmin.

 

Crusty

Lifer
Sep 30, 2001
Originally posted by: Bradtechonline
Anymore it does not take local admin rights to install half the junk you run into online.. AV2009/360/ variants do not need local admin to hop on a machine. lol @ not installing security updates for the OS and browsers.. That's like building a house without windows or doors.


Originally posted by: mechBgon
I suggest you rethink your "I don't need updates" strategy...

Originally posted by: RedSquirrel
It's the reason I don't bother with updates. I have a router, firewall, and have protection at the port level. 0 issues since 2000 (when we got our first computer).

Updates are a good idea, not just for the OS and browser, but for everything else you've got installed. QuickTime, WinAmp, RealPlayer, Sun Java, Adobe/Acrobat Reader, Flash Player... what do they have in common, along with countless other third-party apps? Yeah. They're all exploited by the bad guys to install junk you don't want, like MyWebSearch.

Solution: use the Secunia Personal Software Inspector to get the updates you need for third-party stuff, as well as Microsoft Update for Microsoft stuff. I also recommend using non-Admin user accounts if you can, which proved very effective for me as a sysadmin.

:thumbsup:, but I guess if you have a small arsenal of defensive weapons it won't be a problem, right? :laugh:

There's never a reason to not patch a system that connects externally, ever.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
Originally posted by: Bradtechonline
Anymore it does not take local admin rights to install half the junk you run into online.. AV2009/360/ variants do not need local admin to hop on a machine. lol @ not installing security updates for the OS and browsers.. That's like building a house without windows or doors.


Originally posted by: mechBgon
I suggest you rethink your "I don't need updates" strategy...

Originally posted by: RedSquirrel
It's the reason I don't bother with updates. I have a router, firewall, and have protection at the port level. 0 issues since 2000 (when we got our first computer).

Updates are a good idea, not just for the OS and browser, but for everything else you've got installed. QuickTime, WinAmp, RealPlayer, Sun Java, Adobe/Acrobat Reader, Flash Player... what do they have in common, along with countless other third-party apps? Yeah. They're all exploited by the bad guys to install junk you don't want, like MyWebSearch.

Solution: use the Secunia Personal Software Inspector to get the updates you need for third-party stuff, as well as Microsoft Update for Microsoft stuff. I also recommend using non-Admin user accounts if you can, which proved very effective for me as a sysadmin.

I'd be interested to hear more about the rogues that are installing without Admin rights. Are they installing into the user's profile and using relatively simple startup methods (e.g. a shortcut in the user's Startup folder)?

If so, that seems like a natural evolution. My next line of defense against that approach, aside from patching (duh) and minimizing attack surface (duh), is a Software Restriction Policy, which would arbitrarily shoot down the installer whether it was launched by an exploit or by a duped (non-Admin) user.

 

Bradtechonline

Senior member
Jul 20, 2006
We had Symantec let through AV360 variants.. First thing I did was check the computer's local admin account, and it did not have the user there.. The way it gets on there is through the web browser.. Before the current System Admin staff here, the old regime had disabled Windows Updates completely at the WSUS level.. So we are playing cleanup for the past two years with unpatched systems..

The best ways to block these attacks I've seen getting on here:

1. A good web filtering system like Websense, 8E6, etc., which gets these parasite domains updated..

2. Good Internet Explorer security Group Policy settings

3. Patches, patches, patches

4. Good antivirus system


It is really scary anymore that machines are getting hosed even without local admin rights. We had a programmer get one of the AV variants on her machine. She had a clean image, non-admin rights, Symantec updated, and IE7..


The main two things I see are browser redirect hits and thumb drive autorun viruses right now.. Thankfully NOD32 has been stopping a lot of these while we are getting patches out, and working on our Internet Explorer security settings best practices for our environment without making people cry about it or breaking certain divisions. Going from IE6 unpatched to IE7 tends to break things for people when you are running old old software.. Then IE8 is already breathing down our necks now too!!

*CRAP!!*
Originally posted by: mechBgon
Originally posted by: Bradtechonline
Anymore it does not take local admin rights to install half the junk you run into online.. AV2009/360/ variants do not need local admin to hop on a machine. lol @ not installing security updates for the OS and browsers.. That's like building a house without windows or doors.


Originally posted by: mechBgon
I suggest you rethink your "I don't need updates" strategy...

Originally posted by: RedSquirrel
It's the reason I don't bother with updates. I have a router, firewall, and have protection at the port level. 0 issues since 2000 (when we got our first computer).

Updates are a good idea, not just for the OS and browser, but for everything else you've got installed. QuickTime, WinAmp, RealPlayer, Sun Java, Adobe/Acrobat Reader, Flash Player... what do they have in common, along with countless other third-party apps? Yeah. They're all exploited by the bad guys to install junk you don't want, like MyWebSearch.

Solution: use the Secunia Personal Software Inspector to get the updates you need for third-party stuff, as well as Microsoft Update for Microsoft stuff. I also recommend using non-Admin user accounts if you can, which proved very effective for me as a sysadmin.

I'd be interested to hear more about the rogues that are installing without Admin rights. Are they installing into the user's profile and using relatively simple startup methods (e.g. a shortcut in the user's Startup folder)?

If so, that seems like a natural evolution. My next line of defense against that approach, aside from patching (duh) and minimizing attack surface (duh), is a Software Restriction Policy, which would arbitrarily shoot down the installer whether it was launched by an exploit or by a duped (non-Admin) user.

 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
You guys might experiment with Software Restriction Policy, then... it's also a safeguard against malware on thumb drives and other removable items (CDs, DVDs, digital picture frames, etc).

SRP will break both bad stuff and good stuff, though... "hey, why doesn't this CD play when I insert it," etc etc :evil:
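As an added example (not code from this thread or from any poster), here is a read-only PowerShell audit of the per-user autostart spots mechBgon asks about above (HKCU Run/RunOnce keys and the user's Startup folder). For each launch target it reports whether a default-deny Software Restriction Policy would have stopped it; it assumes the SRP's only allow rules are the Windows and Program Files roots, which is the usual default-deny setup.

```powershell
# Added example, not code from the thread: read-only audit of the per-user
# autostart spots discussed above (HKCU Run/RunOnce keys, the user's Startup
# folder) and whether a default-deny SRP would have blocked each launch target.

# Roots a default-deny SRP typically leaves Unrestricted (assumed allow rules).
$allowedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Resolve-Target([string]$entry) {
    # A .lnk in the Startup folder: follow it to the executable it launches.
    if ($entry -match '\.lnk$' -and (Test-Path -LiteralPath $entry)) {
        return (New-Object -ComObject WScript.Shell).CreateShortcut($entry).TargetPath
    }
    # A Run-key command line: keep the program, drop the arguments
    # ("C:\dir\app.exe" /arg -> C:\dir\app.exe; unquoted paths with spaces are cut at the space).
    if ($entry -match '^"([^"]+)"') { return $Matches[1] }
    return ($entry -split '\s+')[0]
}

function Test-SrpAllowed([string]$path) {
    $expanded = [Environment]::ExpandEnvironmentVariables($path)  # %SystemRoot% etc.
    foreach ($root in $allowedRoots) {
        if ($expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$entries = @()
# Per-user Run keys are writable without admin rights and run at every logon.
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce') {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
        if ($p.Name -notlike 'PS*') {   # skip the provider's own PSPath etc.
            $entries += [pscustomobject]@{ Source = $key; Raw = [string]$p.Value }
        }
    }
}
# Shortcuts in the per-user Startup folder also run at logon.
$startup = [Environment]::GetFolderPath('Startup')
foreach ($lnk in (Get-ChildItem -LiteralPath $startup -Filter *.lnk -ErrorAction SilentlyContinue)) {
    $entries += [pscustomobject]@{ Source = 'Startup folder'; Raw = $lnk.FullName }
}

# SrpBlocked = $true means the target lives outside the allowed roots (user
# profile, temp, removable media), which is exactly what default-deny SRP stops.
$entries | ForEach-Object {
    $target = Resolve-Target $_.Raw
    [pscustomobject]@{ Source = $_.Source; Target = $target; SrpBlocked = -not (Test-SrpAllowed $target) }
} | Format-Table -AutoSize
```

Rows marked SrpBlocked for legitimate software (updaters that live in the user profile) are the "good stuff" mechBgon warns SRP will also break, so review them before turning the policy on.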
 

Red Squirrel

No Lifer
May 24, 2003
I see stuff get through on restricted accounts all the time where I work. They most likely use various IE exploits that allow them to run as admin anyway. Windows user "security" is actually a big joke. It's too easy to bypass. Boot up with Linux on a Windows machine, you can access the ENTIRE disk. What do you think these viruses do? Instead of checking against NTFS permissions to access the disk, they just bypass all that and access the disk directly, just like what happens with a Linux boot CD.

While patches help, the way I see it is if the virus made it up to the point where the patch is what stops it, then that's a problem on its own. It should not even make it that far.


If I was fully in charge of IT for a company I'd ban the use of IE, and force Firefox, or maybe even a less popular browser like Chrome. Then force all web apps to work on that browser. None of this outsourced crap that only works in IE. I'd get real programmers.

Then I'd also have all HTTP traffic forced through a special proxy that removes any potentially malicious JavaScript, blocks bad sites, etc. The key is blocking this stuff at the gateway as much as possible. Firefox and even Chrome could potentially have exploits but they'll have way fewer than IE, so while it helps, it won't fix the problem on its own.

And obviously, AV on each PC helps too.

One of our customers has the most inconsistent network I've ever seen. Some PCs have NOD32, some don't, some have AVG, some have Norton; it's a mess. They get viruses all the time. I've actually come to the conclusion that medical workers including doctors are very retarded when it comes to computers, but nobody beats teachers at stupidity. Teachers are the worst ever. They simply have zero clue about computers. It's sad really.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
Originally posted by: RedSquirrel
Boot up with Linux on a Windows machine, you can access the ENTIRE disk. What do you think these viruses do? Instead of checking against NTFS permissions to access the disk, they just bypass all that and access the disk directly, just like what happens with a Linux boot CD.

I really doubt that, since they are inside of a Windows environment in the first place. Do you have any concrete examples, e.g. a professional writeup at any security vendor showing how that would be accomplished without Admin privileges? Because even Mebroot, which F-Secure regards as the most advanced malware they've ever seen, cannot accomplish that without Admin rights available to set up the necessary framework. You can read their full write-up here (PDF file). Interesting reading for those in the "know thine enemy" camp.

As for your desire to forbid the use of Internet Explorer, that really won't help much if your alternate browser is still providing an exploitation path by which your out-of-date, vulnerable browser add-ons can be attacked. Which is how your MyWebSearch probably got onto your rig. I suggest checking your system with Secunia's checkup and addressing any vulnerabilities it finds.
 