Closed Bug 513510 Opened 11 years ago Closed 7 years ago

Blocklist "Search Settings Plugin"

Categories: Toolkit :: Blocklist Policy Requests, defect, P3, major
Status: RESOLVED WONTFIX
Target Milestone: Future
Reporter: tanner
Assignee: Unassigned
References: Blocks 1 open bug
Attachments: 1 file

Search settings "plugin" redirects you to urlseek.vmn.net. You cannot uninstall it via the add-ons manager. Not sure where I got it from, but I've read that it comes with PDFforge...

Search Settings appears to be malware that attacks IE

http://answers.yahoo.com/question/index?qid=20090111075911AAwv8Vy

But now also Firefox. It's on Tanner's system.

Entry in his extensions.rdf:

  <RDF:Description RDF:about="urn:mozilla:item:search@searchsettings.com"
                   NS1:installLocation="app-global"
                   NS1:version="1.2.2"
                   NS1:name="Search Settings Plugin"
                   NS1:description="Protects your default search settings."
                   NS1:creator="SearchSettings"
                   NS1:homepageURL="http://www.searchsettings.com/"
                   NS1:userDisabled="true">

SearchSettings is also showing in crash reports. Volume is low so far.

I checked versions of a few of the reports.

http://crash-stats.mozilla.com/report/index/13d51bca-8b10-4b25-b80e-047f82090715
SearchSettingsFF.dll  	1.2.1.2

http://crash-stats.mozilla.com/report/index/bf05d256-10cf-49d3-86b8-7b6e22090827
SearchSettingsFF.dll  	1.2.2.2  	 	
SearchSettingsRes409.dll 	1.2.2.2

in that report 

 pdfforgeToolbarFF.dll  	1.0.2.1 

also looks suspicious.

Tanner did appear to have the SearchSettings.exe file in \Program Files\Search Settings as listed here

http://www.threatremove.com/remove-search-settings/

So the Firefox install may be delivered separately from IE, maybe via an add-on install from a non-AMO source. Tanner's checking some possibilities where he might have picked it up. Maybe via Dealio toolbar.
http://www.dealio.com/help/uninstall-dealio-toolbar.html has instructions for uninstalling both Dealio and the SearchSettings programs.

It could be there are both authorized and rogue versions of these programs that could make blocking harder.

The recommended procedure of "if you have problems trying to uninstall, keep downloading and running the installation program, then the uninstaller" seems a bit suspicious. Other sites have described a manual process of uninstalling and Dealio should too.

Dealio might be able to help us in identifying possible rogue versions, or suspect "partners" that might be delivering rogue versions if they are out there.

The virus scan log at http://www.bleepingcomputer.com/forums/lofiversion/index.php/t248150.html has some information on pdfforge

FF - component: c:\program files\mozilla firefox\extensions\{b922d405-6d13-4a2b-ae89-08a030da4402}\components\pdfforgeToolbarFF.dll
FF - component: c:\program files\mozilla firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll

uWindow Title = Internet Explorer provided by Dell
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\pdfforge toolbar\SearchSettings.dll

Web of Trust also has this article about PDFCreator ( www.pdfforge.org/ ) causing havoc
 
http://www.mywot.com/en/forum/3256-pdfcreator-www-pdfforge-org-is-causing-havoc-with-toolbar-install
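
Added example (not part of the original comments and not Mozilla code): a small triage script that reads scan-log lines like the ones quoted above, extracts the Firefox component DLLs and the IE URLSearchHooks entry, and lists the add-on IDs that own files named in this bug. The watchlist and the function names are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Lines copied from the scan-log excerpt quoted in the comment above.
SAMPLE_LOG = r"""
FF - component: c:\program files\mozilla firefox\extensions\{b922d405-6d13-4a2b-ae89-08a030da4402}\components\pdfforgeToolbarFF.dll
FF - component: c:\program files\mozilla firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll
uStart Page = hxxp://www.yahoo.com/
uURLSearchHooks: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\pdfforge toolbar\SearchSettings.dll
"""

# Assumption: a watchlist made only of DLL names mentioned in this bug.
WATCHLIST = {"searchsettingsff.dll", "searchsettingsres409.dll",
             "searchsettings.dll", "pdfforgetoolbarff.dll"}

FF_COMPONENT = re.compile(r"^FF - component:\s*(.+)$", re.I)
IE_SEARCH_HOOK = re.compile(r"^uURLSearchHooks:\s*(\{[0-9a-f-]+\})\s+-\s+(.+)$", re.I)
EXT_ID = re.compile(r"\\extensions\\([^\\]+)\\", re.I)


def triage(log_text):
    """Return one finding per browser hook line found in the log."""
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        ff = FF_COMPONENT.match(line)
        ie = IE_SEARCH_HOOK.match(line)
        if ff:
            path = ff.group(1)
            ext = EXT_ID.search(path)
            owner = ext.group(1) if ext else None  # add-on ID = folder name
            browser = "firefox"
        elif ie:
            owner, path = ie.group(1), ie.group(2)  # CLSID of the search hook
            browser = "ie"
        else:
            continue  # not a browser hook line
        name = PureWindowsPath(path).name
        findings.append({"browser": browser, "owner": owner, "file": name,
                         "watchlisted": name.lower() in WATCHLIST})
    return findings


def addon_ids_to_review(findings):
    """Firefox add-on IDs whose components are on the watchlist."""
    return sorted({f["owner"] for f in findings
                   if f["browser"] == "firefox" and f["watchlisted"] and f["owner"]})


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
    print(addon_ids_to_review(triage(SAMPLE_LOG)))
```
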

I sent them an email, saying I reported it to Mozilla, the makers of Firefox, and linked them here, but they decided to reply with directions on how to remove it from IE. Nothing else.

Web of Trust has almost universal negative ranking by visitors to Dealio

http://www.mywot.com/en/scorecard/dealio.com#comment

There are a few positive comments.
The comment below sounds like it might be from a promoter or advocate of the site.

SAFE SITE! The toolbar does not self-install- it can't. The installation comes from whatever software the toolbar is paired with, and by agreeing to the terms to install said software, you agreed to install the Dealio toolbar. Read your end user license agreements before clicking ACCEPT people! As far as this site goes, it's an advertising site. There are lots of good deals here, but if you sign up with your email address, you will run the risk of some unsolicited mailings from advertising partners, just like ANY advertising site. The toolbar passes inspection of many anti-virus and antispyware scanners. It is classified as a browser help object, or BHO and does not harm your computer, nor can it self-install. By removing the toolbar, you will no-doubt violate your agreement with a company's software you installed. Some companies use offerings like this to bring you "freeware". This site is SAFE!

I ran out of time to reply to them (school, etc.), but anyway, they closed the request. Could someone else send them an email, so I don't become bothersome to them... Honestly, I have time for very few things anymore...

This doesn't seem to be a big issue -- reopen if it's still causing a significant amount of crashes.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX
(In reply to comment #10)
> This doesn't seem to be a big issue -- reopen if it's still causing a
> significant amount of crashes.

Yeah, I was going to do that. It wasn't crashing, it was malware.

Reopening so we can track reports of this affecting users in one place and watch for any ramp in this being installed on users' systems via bots.
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
Summary: Blocklist Search Settings Plugin → Blocklist "Search Settings" Plugin
It's not a plugin, but they call it a plugin. It's an extension.
Summary: Blocklist "Search Settings" Plugin → Blocklist "Search Settings Plugin"
There seems to be enough confirmation that this add-on is malware. Why hasn't this been added to the blocklist yet?
Priority: -- → P1
Target Milestone: --- → 5.5
(In reply to comment #14)
> There seems to be enough confirmation that this add-on is malware. Why hasn't
> this been added to the blocklist yet?

I'm not totally sure that it's malware, but it does hijack your DNS, or something. It kind of acts like OpenDNS, but in a not very nice way...
Chris - should we blocklist?
Assignee: nobody → morgamic
I think we should block based on the criteria that DNS hijacking is pretty evil, and exposes users to all kinds of data theft, and data theft=malware.

But we might need a bit more testing to figure out exactly what it takes to block. Is it a simple add-on block that does the job, or is the integration more incestuous, requiring plugin/.dll blocking?

Comment 13 suggests simple add-on blocking would work.

Not sure I have cycles to look at this right now, so if anyone can take a look that would be good.

Since add-on blocking is more easily reversible, it might not be a bad idea to just go ahead and block, and allow some pool of Firefox users to begin not having their browsing hijacked. If there are rational complaints that this was a bad decision on our part, we could turn off the blocking.

Others should comment.
Priority: P1 → P3
Target Milestone: 5.5 → Future
A user in #firefox just got redirected from about:crashes to http://www.fastbrowsersearch.com/results/results.aspx?sgp=1&s=NAUS&v=18&tid={64155152-582F-2A1B-1612-60AFA51B2876}&q=http%3a%2f%2fabout%3acrashes . I'm not sure if this is related to this at all, but it sounds like it may be. (Better be safe than sorry, right?)
Tanner, can you check to see what addons this person has installed if they are still around?
Assignee: morgamic → nobody
Closing old blocklist bugs. Please reopen if the problem still exists.
Status: REOPENED → RESOLVED
Closed: 11 years ago → 7 years ago
Resolution: --- → WONTFIX
Product: addons.mozilla.org → Toolkit