X
Tap here to go to the mobile version of the site.
Your Firefox is out of date and may contain a security risk! Upgrade Firefox

Support Forum

Potentially malicious add-on added to firefox, web security keeper, what is it?

Posted

Earlier today, a friend of mine came to me complaining about no longer being able to access his web e-mail service that used Outlook 365. It worked on my laptop and my desktop, so it was a problem with his computer. I accessed his computer and attempted to use another browser. He originally was using Firefox and I went to use IE. It at first didn't work, but then I selected "Reset..." to reset literally every setting to default installation properties. I then tried to access Outlook 365 web e-mail and to my surprise it worked.

At this point, I knew it was browser issues, not a firewall issue or anything like that. After messing around with firefox's security settings, I tried disabling all extensions, to no avail. I then looked at the add-ons and saw something called "Web Security Keeper". It linked to a website that I will not post here for security reasons.

After doing some research, I see LITERALLY NOTHING on the web about this website or this add-on to firefox. I removed the add-on and suddenly everything worked flawlessly. If you look on the website, it is so poorly coded / vulnerable that it cannot possibly be a professional site. Furthermore, the "Download" button doesn't actually do anything as far as I could tell.

My friend had completely updated browsers/MBAM/Comodo Firewall/ESET NOD32 and isn't stupid. He also hasn't downloaded anything in 2 weeks and he has no idea where it came from. Does anyone have any information on this "add-on" ?

Chosen solution

I have some information on this I would like to share!

I too had this addon, when it was installed... it was installed for both Chrome and FF at the same time. This addon appears to be a direct result of having ran a program I downloaded called "IOBit Uninstaller". (A program by IObit used to completely uninstall and remove all traces of programs, inluding registry entries".

It is my belief that this "IObit Uninstaller" is the root source of this...WebSecurityKeeper addon.

    • I came to this conclusion after thoroughly examining my Norton IS history logs, I noticed that the date/times this "addon" was installed & it's files were created matched EXACTLY the times this program was downloading/installing/running.

I would like to hear from anyone else if they have downloaded or installed ANYTHING from either "IObit.com" OR "FreeNew.net".

I was trying to download a program from IObit called "IObit_Uninstaller", the D/L link redirected me to "freenew.net", which then through again clicking on their D/L link, gave me "free_new_downloader_for_iobit_uninstaller.exe". This "downloader" attempted to access my net about 30 times, each time silently blocked by Norton. This was happening "while" it was downloading the IObit program.

THEN, when Norton checked and cleared this IObit_uninstaller.exe file, I obviously started that .exe file. Which then THAT file started Google Chrome, which in turn automatically downloaded this WebSecurityKeeper addon for bboth Chrome and FF...but never told me, never prompted me for anything.

So again... let me know if we have anything in common as far as how this came to be! I don't care what this addon 'does'... because I can't close it, it keeps popping back up and screwing up my browser... as far as I'm concerned, it's malicious!

    • Notice how when you go to WebSecurityKeeper.com... there is no corporate information?! Any company that makes LEGIT programs is going to have some sort of company information available. If not, then not legit!
Read this answer in context 4

Additional System Details

Installed Plug-ins

  • Shockwave Flash 11.5 r502
  • BlackBerry WebSL Browser Plug-In
  • Next Generation Java Plug-in 10.10.2 for Mozilla browsers
  • Adobe PDF Plug-In For Firefox and Netscape 11.0.0
  • Adobe Shockwave for Director Netscape plug-in, version 11.6.7.637
  • Adobe Shockwave for Director Netscape plug-in, version 11.6.6.636
  • Adobe Shockwave for Director Netscape plug-in, version 11.6.5.635
  • 5.1.10411.0
  • DivX Plus Web Player version 2.2.0.52
  • DivX VOD Helper Plug-in
  • The plug-in allows you to open and edit files using Microsoft Office applications

Application

  • User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0

More Information

the-edmeister
  • Top 10 Contributor
  • Moderator
3195 solutions 24389 answers

Did you try using the Firefox Reset?

The Reset Firefox feature can fix many issues by restoring Firefox to its factory default state while saving your essential information. Note: This will cause you to lose any Extensions, Open websites, and some Preferences.

To Reset Firefox do the following:

  1. Go to Firefox > Help > Troubleshooting Information.
  2. Click the "Reset Firefox" button.
  3. Firefox will close and reset. After Firefox is done, it will show a window with the information that is imported. Click Finish.
  4. Firefox will open with all factory defaults applied.


Further information can be found in the Reset Firefox – easily fix most problems article.

Did this fix your problems? Please report back to us!

Question owner

Did you try reading my post instead of using canned speeches? If you are going to post, at least put the time required to read my post, that way you could actually help me. I clearly already said "I removed the add-on and suddenly everything worked flawlessly."

I don't mean to be snippy, but please, don't give me canned speeches.

Modified by Wafflemonger

the-edmeister
  • Top 10 Contributor
  • Moderator
3195 solutions 24389 answers

Like your search, I came up with nothing about "Web Security Keeper".

What do you expect? You didn't post the URL of that website, so there is nothing we can go by to even start to figure out what he has installed as an "add-on".

If that is an "add-on", the Reset should solve that problem. Besides that, if the "reset" worked in IE, why not try that in Firefox?

Tyler Downer
  • Administrator
  • Moderator
1164 solutions 6634 answers

@the-edmister, he already fixed the problem by removing the add-on, he is just wondering what the add-on is and if it's malicious.

@Wafflemonger, do you have more information, like the website this add-on came from? I can take a look and we can see if we need to blocklist it or not.

Question owner

@Tylerdowner the website is:

http://www.websecuritykeeper.com but as far as I can tell, as I said, the download button does nothing, unless I have security features preventing it from doing anything. My apologies for not posting the site originally, I didn't want random users coming by and clicking it and potentially getting infected.

Also, thank you for actually taking the time to read my post and question, I appreciate it.

Modified by Wafflemonger

Tyler Downer
  • Administrator
  • Moderator
1164 solutions 6634 answers

You are right, the download button doesn't work (it points to "#"). If you have the add-on install file somewhere I'd love to see it, otherwise I can't really do anything here (I can't find a copy of the addon to install and test). If I do get one we can potentially block this in the future.

Question owner

I have the extension folder. I archived the content (it says websecuritykeeper10@gmail.com as the ID) just in case there was no way to download it. How would you like me to provide it to you?

SilentResident 0 solutions 4 answers

Any ideas how this damn addon gets installed? Somehow it got installed to my Firefox without my permission. I didn't downloaded anything lately that can explain this addon's installation to my computer.

No clue how it was installed. And I discovered now that causes visual issues to my firefox - It shrinks drastically the text of the webpages such as google search, etc, making more difficult for me to read the pages.

I don't understand. Why a so called "security" addon is installed in a sneaky way to my PC?

Seriously I am worried now if it can steal our passwords stored in Firefox and send them to hackers?

castor26 0 solutions 1 answers

I had this problem too.,, i tried finding it, I disabled my add-on and plugins, nothing it turns out it was an Extension, so I removed that extension and restarted firefox.

title: firefox security component 1.0 website: iseekdeal_dot_com

i dont know how it was installed there, but the date was sometime in December

The visual (shrinking effect) only happened awhile ago, that's why i noticed it and it had a bottom tool bar for the Links to Web Security Keeper.

Modified by castor26

Baelydon 1 solutions 2 answers

Chosen Solution

I have some information on this I would like to share!

I too had this addon, when it was installed... it was installed for both Chrome and FF at the same time. This addon appears to be a direct result of having ran a program I downloaded called "IOBit Uninstaller". (A program by IObit used to completely uninstall and remove all traces of programs, inluding registry entries".

It is my belief that this "IObit Uninstaller" is the root source of this...WebSecurityKeeper addon.

    • I came to this conclusion after thoroughly examining my Norton IS history logs, I noticed that the date/times this "addon" was installed & it's files were created matched EXACTLY the times this program was downloading/installing/running.

I would like to hear from anyone else if they have downloaded or installed ANYTHING from either "IObit.com" OR "FreeNew.net".

I was trying to download a program from IObit called "IObit_Uninstaller", the D/L link redirected me to "freenew.net", which then through again clicking on their D/L link, gave me "free_new_downloader_for_iobit_uninstaller.exe". This "downloader" attempted to access my net about 30 times, each time silently blocked by Norton. This was happening "while" it was downloading the IObit program.

THEN, when Norton checked and cleared this IObit_uninstaller.exe file, I obviously started that .exe file. Which then THAT file started Google Chrome, which in turn automatically downloaded this WebSecurityKeeper addon for bboth Chrome and FF...but never told me, never prompted me for anything.

So again... let me know if we have anything in common as far as how this came to be! I don't care what this addon 'does'... because I can't close it, it keeps popping back up and screwing up my browser... as far as I'm concerned, it's malicious!

    • Notice how when you go to WebSecurityKeeper.com... there is no corporate information?! Any company that makes LEGIT programs is going to have some sort of company information available. If not, then not legit!
SilentResident 0 solutions 4 answers

Baelydon, I am surprised you found that. I use Iobit Uninstaller too!

Iobit Uninstaller was installed on my computer a few days ago, and around the same time the WebSecurityKeeper addon was installed on my Firefox browser.

So this explains it all.

But I never imagined that the Iobit Uninstaller, whos only task is to uninstall softwares from your computer, does interferes with our Web Browsers and installs addons to them.

I love Iobit Uninstaller - is one of the best software uninstallers in my opinion, but I am utterly disappointed that such program does installs third-party addons to our computers without our permission.

micromvp 0 solutions 2 answers

Samething Happened here. I got this addon by installing uTorrent

Modified by micromvp

micromvp 0 solutions 2 answers

PS: Anyway, it is a toolbar, something like babylon toolbar

Senchy 0 solutions 1 answers

Since few days ago I too have this problem. It's a toolbar at the bottom of every page I open and it messes with fonts on some pages. I tried to uninstall it but it does not show in Plugins or Extensions. How do I get rid of this thing?

djMot 0 solutions 2 answers

I can confirm IOBit Advanced Uninstaller as the source of this malware. And it IS malware. I thought the installation was a bit peculiar since a review of the program I read mentioned that it was a "portable" app - able to run from a usb drive, and yet it had a two stage formal installer. It downloaded an installer stub which then downloaded another installer.

Later in the day, I noticed the font changes in Google searches, and then noticed an unknown icon bar at the bottom of my browser (Firefox) with icons for yahoo, YouTube, amazon, and a few more. If I closed it, it just reappeared with any new page or reload of an existing page. Hovering on any of it's icons, I noticed the underlying link had websecuritykeeper embedded in the address. At that point I knew I was infected from somewhere. I checked my addons in Firefox and found the Web Security Keeper addon was present. Disabled it and the font problem and bottom icon bar went away.

Researched and found this thread and the link to IOBit Advanced Uninstaller was immediately apparent. As this thread notes that Chrome is affected, too, I tried to launch Chrome to see if the addon had infected it, too. My Chrome installation was found to be corrupt - Chrome reported the preference file was corrupt and replaced it with a default one, wiping out all my extensions. However, the new preference file already had Web Security Keeper installed and running. I disabled and deleted it. To get my preferences (all of my Chrome extensions) back, I had to restore my profile from yesterday's backup. Unfortunately, I realized the backup had been run AFTER the infection, so it came back with the restore, but thankfully the preference file was not corrupt and I could disable/delete the malware and still have a functioning Google Chrome Browser.

Checked my MS Security Essentials history and found an item had been quarantined at about the time the IOBit Advanced Uninstaller was installed. The item is called Exploit:Java/CVE-2012-0507.CG and has an "Unknown" alert level.

Mozilla should implement immediate countermeasures against this malware.

rwba13572 0 solutions 1 answers

I too have had exactly the same problem & like baelydon I found the source to be www.freenew.net/. My Iobit uninstaller prompted me to update from version 2.3 to 2.4 when I clicked to update I was transfered to the above site, like he say's it downloaded a file (not the actual iobit uninstaller file) when running it the iobit uninstaller file was then downloaded & installed but on checking Firefox I had the Web Security Keeper addon which had installed without my knowledge or consent & I also had the bar at the bottom of each page with a link to various sites. I removed the addon & did a scan with malwarebytes & one with Avast & my system was clean, so on the face of it it's easy to remove. I then downloaded iobit Uninstaller from a different but trusted source (www.cnet.com) & this time it installed without any unwanted additions, so I don't think iobit Uninstaller is the culprit but I am suspicious about this freenew.net & indeed www.websecuritykeeper.com which research has shown to be a very new site so it could be a phishing site. I will be watching this thread with interest to see if anyone has any additional information.

Tyler Downer
  • Administrator
  • Moderator
1164 solutions 6634 answers

Everyone, I'm currently trying to track down where this "add-on" comes from, to see if thee is anything we can do to keep it from infecting more users (blocklisting, etc.) I've tried downloading Iobit uninstaller from freenew.net, but it is only an exe, not a program I can install and doesn't seem to give me the toolbar. Does anyone have any reliable steps that I can follow? Also, what are some exact symptoms of this add-on that would justify it being blocked (and ones I can test once I do get it). Please private message me with details :) Thanks!

djMot 0 solutions 2 answers

Helpful Reply

Go to this page: http://www.iobit.com/advanceduninstaller.html

Click the download button at the bottom of the page (big and green; can't miss it.)

You are taken here: http://www.freenew.net/windows/iobit-uninstaller-2-0/68873.htm

On that page, there is a another download button in the upper left.

WARNING: It was upon entering that site, or during the download of the installer for IOBit Advanced Uninstaller that MS Security Essentials quarantined an exploit called Java/CVE-2012-0507.CG

I'm not going to run the installer again. Already been there, done, that got the plague, not a T-shirt. You're on your own after that.

Symptoms: Like I said in my post, a strange foreign tool bar at the bottom of the screen with icons for YouTube, Amazon, etc., and Google search results were in a font about 80% of normal size. Firefox shows "web security keeper" in the addons page. Also affected Google Chrome, and in my instance, it trashed the preferences file, so Chrome had to rebuild a new, blank one missing all my installed addons for Chrome.

If that's not what you're getting, I don't get it. I got the java exploit before even trying to install the program. That's obviously not the addon, either, so this thing has multiple payloads.