Before doing anything else on the system, I wanted to backup the system. I normally boot Windows systems with a Norton Ghost 2003 boot disc and backup the systems to a USB attached hard drive. But Norton Ghost 2003 would not see the drive when I used boot CDs with either USB 1.1 or USB 2.0 drivers. Nor did a Panasonic USB driver work. I also tried a Partimage Is Not Ghost (PING) boot CD, but neither of two external USB drives I tried were reconized with it, either. Nor did a Image for Linux boot CD allow me to see an external USB drive. I was finally able to backup the system by using a Bart PE bootable CD with EASUS Todo to backup the system.
After I was able to backup the system, I rebooted into Windows Vista on the system and installed Spybot Search & Destroy 1.6.2.46. I updated its detection database to the latest version dated 12/30/2009. When I checked the system with it, it showed the following entries:
Problem | Kind |
---|---|
DoubleClick |
1 entries Browser |
Microsoft.Windows.Security.InternetExplorer |
1 entries Security |
FastBrowserSearchToolbar | 10 entries PUPSC |
Details on what Spybot found: Spybot SD Results
When I did a Google search on "fast browser search uninstall", I found someone reporting the following in a Google forum at How do I remove "Fast Browser Search"?:
How do I remove "Fast Browser Search"?
5/29/09
My daughter downloaded a facebook application "My Tattoos" and it installed "fast browser search" on my computer. I no longer have google as the default. I have searched my computer and can find no hints of the original program (was uninstalled), but am unable to change default search engine.
I had noticed that the user's home page was Tattoodle, which was a tattoo website.
When I chose "Uninstall a program" from the Control Panel, I saw an Entry for "Fast Browser Search (My Web Tattoo)". I also saw other entries that contained "(My Web Tattoo)"
Name | Publisher | Installed | Size |
---|---|---|---|
Search Guard Plus Updater (My Web Tattoo) | Make The Web Better, LLC | 9/25/2009 | 916 KB |
Search Guard Plus (My Web Tattoo) | Make The Web Better, LLC | 9/25/2009 | 1.31 MB |
Fast Browser Search (My Web Tattoo) | Make The Web Better, LLC | 9/25/2009 | 6.39 MB |
I checked the Spyware Warrior: Rogue Anti-Spyware Products & Web Sites,but didn't find any "Search Guard" product there. Nor did I find any listed at Rogue Antispyware.
I had Spybot leave the system as is. I left the FastBrowserSearchToolbar software in place to see if other antimalware programs would report it as malware.
I installed the free version of Malwarebytes' Anti-Malware. The version I installed was 1.43. I updated its malware definitions to the latest version available, version 3487. I then performed a "full" scan.
Objects scanned: 257817
Objects infected: 1
Scan type: Full Scan (C:\|)
Time elapsed: 1 hour(s), 37 minute(s), 37 second(s)
Vendor | Category | Items | Other | Action Taken |
---|---|---|---|---|
Rogue.Multiple | Folder | C:\ProgramData\62460927 | No action taken |
Malwarebytes' Anti-Malware Results
I turned on the display of hidden and system files and
folders, but didn't see any files or subdirectories in the
C:\ProgramData\62460927
folder when
I checked from the Windows Explorer nor did I see any
when I checked at a command prompt. The
timestamp on the folder was January 2, 2010 5:04 PM.
I had Malwarebytes' Anti-Malware remove the folder,
even though I didn't see anything in it.
The system had Trend Micro PC-cillin Internet Security on it, but I saw a "Your subscription has expired" notice with the expiration date listed as Saturday, September 19, 2009. When I clicked on the Renew button on the expiration window that appeared, I had two options:
Renew to Trend Micro Internet Security Pro (3 PCs)
$69.95Now Only: $55.95
Renew Trend Micro PC-cillin Internet Security for Dell (1 PC) $39.00
When I checked the status inside the program, I saw the following:
Last event information | |
Last scan: | 11/01/2009 |
Last detection: | 10/30/2009 |
Update information | |
Last update: | 09/17/2009 (out of date) |
Virus scan engine: | 8.911.1001 |
Virus scan pattern: | 6.453.00 |
When I checked PC-cillin's quarantined files, I saw six quarantined items under Viruses. They were identified as 5 .mp3 files, 1 .au file, 1 .wma file, and 1 .snd file. There was nothing listed under Spyware.
Since PC-cillin was being loaded into memory, but the software had expired. I scanned the system with it. It found 11 items, but they were only cookies.
Time elapsed: | 01:58:54 |
Target(s) | 217363 |
Inciden(s) detected: | 11 |
CyberDefender was on the system, so I checked its status. It indicated it was up-to-date when I checked for updates. I'm not familiar with CyberDefender. I didn't see it listed as being a rogue antispyware program on the Spyware Warrior: Rogue/Suspect Anti-Spyware Products & Web Sites webpage, but I saw a note on that page regarding another rogue product, SpyBlocs/eBlocs.com referencing CyberDefender:
false positives work as goad to purchase; previous versions were Ad-aware knockoffs; same company as CyberDefender;
I didn't see it listed at the Rogue Antispyware website. I did find 11 complaints regarding it at CyberDefender Complaints, but almost any antivirus/antispyware will get some complaints, so I couldn't give a lot of weight to the complaints I found there.
When I checked its status on the system, I saw the following:
Subscription expires: | 12-18-2010 |
Virus Database Version: | 9.12.24.13 |
earlyVirus Software Version: | 5.07.21.04 |
Last update completed on: | 12/18/2009 9:51:25 |
I then performed an earlyVIRUS scan using that software. It reported "0 Viruses Found."
I next installed ClamWin Free AntiVirus 0.95.3. I scanned the system with it. It reported 1 infected file: C:\Users\Public\Desktop\desktop.ini: Trojan.Agent-134626. When I checked the contents of that file, which had a timestamp of August 4, 2008 7:23 PM, I saw the following:
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21816
\windows\system32\shell32.dll
itself. I'd classify this as a
false positive. I've encountered this
problem before with ClamWin 0.95.3 on another system
- see
ClamWin 0.95.3 Scan of Windows 7 Home Premium Edition Laptop on
2009-11-15 - where ClamWin reported a false positive
with a desktop.ini
file.
I next ran a CyberDefender earlySPY scan.
Last Scan: | 12/22/2009 |
Last Update: | 01/02/2010 |
When CyberDefender earlySPY completed, it reported the following:
Items | Scanned | Found |
---|---|---|
Memory | 35 | 0 |
Registry | 5876 | 0 |
Files | 6572 | 0 |
Cookies | 1724 | 26 |
When I used its earlyMONITOR check it reported the following firewall status:
Status | Name | Company Name |
---|---|---|
[ ] Disabled | Windows Firewall | Microsoft |
[x] Enabled | TmPfw | Trend Micro Personal Firewall |
[x] Enabled | PC-cillin Internet Security - Firewall | Trend Micro, Inc. |
I downloaded BlackLight from F-Secure and checked the system for rootkits. BlackLight reported "No hidden items found."
I then did some further research on "Search Guard Plus". I found a
ThreatExpert report referring to it. That report mentioned the
creation of c:\users\public\MyWebTattoo.exe
. I found
that file on the system with a timestamp of 9/24/2009 10:31 AM. I submitted
the file to VirusTotal, a site
which scans submitted files with many antivirus programs. VirusTotal
indicated the file was first submitted for analysis on 2009.9.25 with
0 of the 41 different antivirus programs with which it scanned the file
reporting a problem with the file. I chose to have the file reanalyzed.
Only Sophos, of the 41 programs
with which it scanned the file reported a problem. Sophos reported its
result as Make The Web Better
(
VirusTotal Analysis of MyWebTattoo.exe). VirusTotal's report included
the following information on the file:
original name: | FastBrowserURLDownload.exe |
internal name: | FastBrowserURLDownload.exe |
file version.: | 1.0.0.1 |
comments.....: | n/a |
signers......: | Make The Web Better, LLC |
Make The Web Better - Adware - Sophos security analysis identifies the software as Adware or Potentially Unwanted Application (PUA). Sophos report states "The Company generates revenues through its Fast Browser Search product."
I downloaded Norton Security Scan and scanned the system with it. Its virus definitions were dated Monday, January 4, 2010. When it completed its scan it reported "Threats have been detected! Your computer is infected with viruses, spyware or other risks. Fix these threats by installing an award-winning, comprehensive security solution from Norton."
Total Items Scanned: 230527
Total Threats Detected: 182
When I clicked on the Fix Now button, it showed me what it had found. It listed 2 viruses and 180 cookies. I regard advertising cookies as being fairly innocuous, so I wasn't concerned about those. The viruses found were as follows:
Threat Name:
Trojan.Wimad
Target Name: c:\users\mary\documents\limewire\saved\...
Target Type: Infection
Remediation Status:
Not Fixed - Requires Product Upgrade
Threat Name:
Trojan.Wimad
Target Name: c:\users\mary\documents\limewire\saved\...
Target Type: Browser Cache
Remediation Status:
Not Fixed - Requires Product Upgrade
Unfortunately the file name was not displayed and I couldn't stretch
the "Threat Information" column to see the file name, but when I hovered
the mouse over "Not Fixed - Requires Product Upgrade", the file name
was then displayed. It was
goodbye to you scandle - greatest hits.mp3 [Note: I am making
the file available for download to anyone who wants to perform further analysis
on the file or use it to test antivirus/antispyware software. The userid
required for download is zoo
and the password is
malware
]. The "created",
"modified", and "accessed" timestamps on the file were all Friday, December 19,
2008.
Symantec's Trojan.Wimad Technical Details page has the following information regarding Trojan.Wimad:
Discovered: January 11, 2005
Updated: January 12, 2005 3:11:08 PM
Type: Trojan
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000The Trojan arrives on the compromised computer as a license-protected multimedia file.
The Trojan exploits the Windows Media Digital Rights Management technology in Microsoft Windows Media Player.
When executed, the Trojan sends a POST request to the following URL:
[http://]licenses.overpeer.com/simple_li[REMOVED].The server replies by sending an .htm file, which opens a browser window and loads an .htm file from the following domain:
serve.alcena.com
The .htm file from alcena.com loads another .htm file from the following domain:
install.xxxtoolbar.comThe Trojan then displays one of the following messages:
Message:
Thanks for downloading this file.
Click play to listen.
Message:
You must click YES to get access.
If the user clicks Yes or Play, the Trojan will download and execute the following files:
- 0006_adult.cab from the install.xxxtoolbar.com domain ( Adware.Istbar)
- ist_netscape.xpi from the install.xxxtoolbar.com domain (Adware.Istbar)
- istinstall_netscape.exe from the www.slotch.com domain (Download.Trojan)
- javainstaller.jar from the www.ysbweb.com domain, which downloads and executes istdownload.exe ( Adware.Istbar) from the www.slotch.com domain.
When I double-clicked on the file to see if one of the prompts Symantec's site mentioned would appear, the default media player, Apple's iTunes, opened. I didn't see the mp3 file listed in it, though. I right clicked on the file name from Windows Explorer and chose "Open With" and selected "Windows Media Player". I then saw a message stating "This file you are attempting to play has an extension (.mp3) that does not match the file format. Playing the file may result in unexpected behavior." I chose not to play the file.
I uploaded the file to VirusTotal for analysis. VirusTotal reported a file with that MD5 checksum had been analyzed previously.
MD5: | c1641497a691276a49b2e26eb8f62ae9 |
First received: | 2008.12.06 10:17:49 UTC |
Date: | 2009.01.01 13:31:06 UTC [>369D] |
Results: | 11/38 |
Permalink: | analisis/4414f9fa3cc4cb6f0a156c30c2249c025d00115e106abd19508ee2e8697ee936-1230816666 |
When the file was analyzed on December 6, 2008, 11 of the 38 antimalware programs that VirusTotal used at that time identified the file as being associated with malware.
Though the file extension was .mp3, the VirusTotal report provided the following information on the file type:
TrID : File type identification
94.1% (.WMV) Windows Media Video (16019/6)
5.8% (.CAT) Microsoft Security Catalog (1000/1)
TrID, which is software that identifies the type of a file by analyzing the contents of the file rather than from the file's extension, reported with 94.1% certainty that the file was a Windows Media Video (WMV) file.
I installed FileAlyzer and used its "hex dump" feature to look for URLs in the file. The only one it listed was http://coolpixhost.biz/rd/redir.php?kw=mp36. I deleted the file after checking it with FileAlyzer.
I removed "Search Guard Plus Updater (My Web Tattoo)", "Search Guard Plus (My Web Tattoo)", and "Fast Browser Search (My Web Tattoo)" through the Control Panel. When I uninstalled "Fast Browser Search", I was taken to the webpage http://gallery.fastbrowsersearch.com/goodbye.html, which displayed a note that "You have successfully uninstalled Fast Browser Search Toolbar".
I did not see any warning popups regarding malware on the system at any time after I rebooted into Windows after backing up the system. The system was connected to the Internet for many hours while I downloaded antimalware software, ran scans, etc., but no malware warning popup reappeared. Nor did I have any further problems running the Task Manager or obtaining a command prompt.
References: