Malware Scanning on Dell Inspiron 1526

The owner of a Dell Inspiron 1526 laptop running Microsoft Windows Vista with Service Pack 2 installed was seeing popups warning the system was infected with malware. When I logged into the system, I saw one such warning. The Task Manager would not run nor could I get a command prompt at the time.

Before doing anything else on the system, I wanted to backup the system. I normally boot Windows systems with a Norton Ghost 2003 boot disc and backup the systems to a USB attached hard drive. But Norton Ghost 2003 would not see the drive when I used boot CDs with either USB 1.1 or USB 2.0 drivers. Nor did a Panasonic USB driver work. I also tried a Partimage Is Not Ghost (PING) boot CD, but neither of two external USB drives I tried were reconized with it, either. Nor did a Image for Linux boot CD allow me to see an external USB drive. I was finally able to backup the system by using a Bart PE bootable CD with EASUS Todo to backup the system.

After I was able to backup the system, I rebooted into Windows Vista on the system and installed Spybot Search & Destroy I updated its detection database to the latest version dated 12/30/2009. When I checked the system with it, it showed the following entries:

DoubleClick 1 entries
Microsoft.Windows.Security.InternetExplorer 1 entries
FastBrowserSearchToolbar 10 entries

Details on what Spybot found: Spybot SD Results

When I did a Google search on "fast browser search uninstall", I found someone reporting the following in a Google forum at How do I remove "Fast Browser Search"?:

How do I remove "Fast Browser Search"?


My daughter downloaded a facebook application "My Tattoos" and it installed "fast browser search" on my computer. I no longer have google as the default. I have searched my computer and can find no hints of the original program (was uninstalled), but am unable to change default search engine.

I had noticed that the user's home page was Tattoodle, which was a tattoo website.

When I chose "Uninstall a program" from the Control Panel, I saw an Entry for "Fast Browser Search (My Web Tattoo)". I also saw other entries that contained "(My Web Tattoo)"

Search Guard Plus Updater (My Web Tattoo) Make The Web Better, LLC9/25/2009 916 KB
Search Guard Plus (My Web Tattoo) Make The Web Better, LLC9/25/2009 1.31 MB
Fast Browser Search (My Web Tattoo) Make The Web Better, LLC9/25/2009 6.39 MB

I checked the Spyware Warrior: Rogue Anti-Spyware Products & Web Sites,but didn't find any "Search Guard" product there. Nor did I find any listed at Rogue Antispyware.

I had Spybot leave the system as is. I left the FastBrowserSearchToolbar software in place to see if other antimalware programs would report it as malware.

I installed the free version of Malwarebytes' Anti-Malware. The version I installed was 1.43. I updated its malware definitions to the latest version available, version 3487. I then performed a "full" scan.

Objects scanned: 257817
Objects infected: 1

Scan type: Full Scan (C:\|)
Time elapsed: 1 hour(s), 37 minute(s), 37 second(s)

VendorCategoryItems OtherAction Taken
Rogue.Multiple FolderC:\ProgramData\62460927  No action taken

Malwarebytes' Anti-Malware Results

I turned on the display of hidden and system files and folders, but didn't see any files or subdirectories in the C:\ProgramData\62460927 folder when I checked from the Windows Explorer nor did I see any when I checked at a command prompt. The timestamp on the folder was January 2, 2010 5:04 PM. I had Malwarebytes' Anti-Malware remove the folder, even though I didn't see anything in it.

The system had Trend Micro PC-cillin Internet Security on it, but I saw a "Your subscription has expired" notice with the expiration date listed as Saturday, September 19, 2009. When I clicked on the Renew button on the expiration window that appeared, I had two options:

Renew to Trend Micro Internet Security Pro (3 PCs) $69.95 Now Only: $55.95
Renew Trend Micro PC-cillin Internet Security for Dell (1 PC) $39.00

When I checked the status inside the program, I saw the following:

PC-cillin Internet Security Summary
Last event information
Last scan:11/01/2009
Last detection:10/30/2009
Update information
Last update:09/17/2009 (out of date)
Virus scan engine:8.911.1001
Virus scan pattern:6.453.00

When I checked PC-cillin's quarantined files, I saw six quarantined items under Viruses. They were identified as 5 .mp3 files, 1 .au file, 1 .wma file, and 1 .snd file. There was nothing listed under Spyware.

Since PC-cillin was being loaded into memory, but the software had expired. I scanned the system with it. It found 11 items, but they were only cookies.

Time elapsed:01:58:54
Inciden(s) detected:11

CyberDefender was on the system, so I checked its status. It indicated it was up-to-date when I checked for updates. I'm not familiar with CyberDefender. I didn't see it listed as being a rogue antispyware program on the Spyware Warrior: Rogue/Suspect Anti-Spyware Products & Web Sites webpage, but I saw a note on that page regarding another rogue product, SpyBlocs/ referencing CyberDefender:

false positives work as goad to purchase; previous versions were Ad-aware knockoffs; same company as CyberDefender;

I didn't see it listed at the Rogue Antispyware website. I did find 11 complaints regarding it at CyberDefender Complaints, but almost any antivirus/antispyware will get some complaints, so I couldn't give a lot of weight to the complaints I found there.

When I checked its status on the system, I saw the following:

Subscription expires:12-18-2010
Virus Database Version:
earlyVirus Software Version:
Last update completed on:12/18/2009 9:51:25

I then performed an earlyVIRUS scan using that software. It reported "0 Viruses Found."

I next installed ClamWin Free AntiVirus 0.95.3. I scanned the system with it. It reported 1 infected file: C:\Users\Public\Desktop\desktop.ini: Trojan.Agent-134626. When I checked the contents of that file, which had a timestamp of August 4, 2008 7:23 PM, I saw the following:


It didn't report any problems with \windows\system32\shell32.dll itself. I'd classify this as a false positive. I've encountered this problem before with ClamWin 0.95.3 on another system - see ClamWin 0.95.3 Scan of Windows 7 Home Premium Edition Laptop on 2009-11-15 - where ClamWin reported a false positive with a desktop.ini file.

I next ran a CyberDefender earlySPY scan.

Last Scan:12/22/2009
Last Update:01/02/2010

When CyberDefender earlySPY completed, it reported the following:

CyberDefender earlySPY results

When I used its earlyMONITOR check it reported the following firewall status:

StatusNameCompany Name
[ ] DisabledWindows FirewallMicrosoft
[x] EnabledTmPfwTrend Micro Personal Firewall
[x] EnabledPC-cillin Internet Security - Firewall Trend Micro, Inc.

I downloaded BlackLight from F-Secure and checked the system for rootkits. BlackLight reported "No hidden items found."

I then did some further research on "Search Guard Plus". I found a ThreatExpert report referring to it. That report mentioned the creation of c:\users\public\MyWebTattoo.exe. I found that file on the system with a timestamp of 9/24/2009 10:31 AM. I submitted the file to VirusTotal, a site which scans submitted files with many antivirus programs. VirusTotal indicated the file was first submitted for analysis on 2009.9.25 with 0 of the 41 different antivirus programs with which it scanned the file reporting a problem with the file. I chose to have the file reanalyzed. Only Sophos, of the 41 programs with which it scanned the file reported a problem. Sophos reported its result as Make The Web Better ( VirusTotal Analysis of MyWebTattoo.exe). VirusTotal's report included the following information on the file:

original name:FastBrowserURLDownload.exe
internal name:FastBrowserURLDownload.exe
file version.:
signers......:Make The Web Better, LLC

Make The Web Better - Adware - Sophos security analysis identifies the software as Adware or Potentially Unwanted Application (PUA). Sophos report states "The Company generates revenues through its Fast Browser Search product."

I downloaded Norton Security Scan and scanned the system with it. Its virus definitions were dated Monday, January 4, 2010. When it completed its scan it reported "Threats have been detected! Your computer is infected with viruses, spyware or other risks. Fix these threats by installing an award-winning, comprehensive security solution from Norton."

Total Items Scanned: 230527
Total Threats Detected: 182

When I clicked on the Fix Now button, it showed me what it had found. It listed 2 viruses and 180 cookies. I regard advertising cookies as being fairly innocuous, so I wasn't concerned about those. The viruses found were as follows:

Threat Name: Trojan.Wimad
Target Name: c:\users\mary\documents\limewire\saved\...
Target Type: Infection
Remediation Status: Not Fixed - Requires Product Upgrade

Threat Name: Trojan.Wimad
Target Name: c:\users\mary\documents\limewire\saved\...
Target Type: Browser Cache
Remediation Status: Not Fixed - Requires Product Upgrade

Unfortunately the file name was not displayed and I couldn't stretch the "Threat Information" column to see the file name, but when I hovered the mouse over "Not Fixed - Requires Product Upgrade", the file name was then displayed. It was goodbye to you scandle - greatest hits.mp3 [Note: I am making the file available for download to anyone who wants to perform further analysis on the file or use it to test antivirus/antispyware software. The userid required for download is zoo and the password is malware]. The "created", "modified", and "accessed" timestamps on the file were all Friday, December 19, 2008.

Symantec's Trojan.Wimad Technical Details page has the following information regarding Trojan.Wimad:

Discovered: January 11, 2005
Updated: January 12, 2005 3:11:08 PM
Type: Trojan
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000

The Trojan arrives on the compromised computer as a license-protected multimedia file.

The Trojan exploits the Windows Media Digital Rights Management technology in Microsoft Windows Media Player.

When executed, the Trojan sends a POST request to the following URL:

The server replies by sending an .htm file, which opens a browser window and loads an .htm file from the following domain:

The .htm file from loads another .htm file from the following domain:

The Trojan then displays one of the following messages:
Thanks for downloading this file.
Click play to listen.
You must click YES to get access.

If the user clicks Yes or Play, the Trojan will download and execute the following files:

When I double-clicked on the file to see if one of the prompts Symantec's site mentioned would appear, the default media player, Apple's iTunes, opened. I didn't see the mp3 file listed in it, though. I right clicked on the file name from Windows Explorer and chose "Open With" and selected "Windows Media Player". I then saw a message stating "This file you are attempting to play has an extension (.mp3) that does not match the file format. Playing the file may result in unexpected behavior." I chose not to play the file.

Windows Media Player extension warning

I uploaded the file to VirusTotal for analysis. VirusTotal reported a file with that MD5 checksum had been analyzed previously.

MD5: c1641497a691276a49b2e26eb8f62ae9
First received: 2008.12.06 10:17:49 UTC
Date: 2009.01.01 13:31:06 UTC [>369D]
Results: 11/38
Permalink: analisis/4414f9fa3cc4cb6f0a156c30c2249c025d00115e106abd19508ee2e8697ee936-1230816666

When the file was analyzed on December 6, 2008, 11 of the 38 antimalware programs that VirusTotal used at that time identified the file as being associated with malware.

Though the file extension was .mp3, the VirusTotal report provided the following information on the file type:

TrID : File type identification
94.1% (.WMV) Windows Media Video (16019/6)
5.8% (.CAT) Microsoft Security Catalog (1000/1)

TrID, which is software that identifies the type of a file by analyzing the contents of the file rather than from the file's extension, reported with 94.1% certainty that the file was a Windows Media Video (WMV) file.

I installed FileAlyzer and used its "hex dump" feature to look for URLs in the file. The only one it listed was I deleted the file after checking it with FileAlyzer.

I removed "Search Guard Plus Updater (My Web Tattoo)", "Search Guard Plus (My Web Tattoo)", and "Fast Browser Search (My Web Tattoo)" through the Control Panel. When I uninstalled "Fast Browser Search", I was taken to the webpage, which displayed a note that "You have successfully uninstalled Fast Browser Search Toolbar".

I did not see any warning popups regarding malware on the system at any time after I rebooted into Windows after backing up the system. The system was connected to the Internet for many hours while I downloaded antimalware software, ran scans, etc., but no malware warning popup reappeared. Nor did I have any further problems running the Task Manager or obtaining a command prompt.


  1. Spybot Search & Destroy
  2. How do I remove "Fast Browser Search"?
    May 30, 2009
    Help forum - Google
  3. Spyware Warrior: Rogue/Suspect Anti-Spyware Products & Web Sites
    Spyware Warrior
  4. Rogue Antispyware
  6. ClamWin
  7. BlackLight
  8. Norton Security Scan
  9. Norton Security Scan Download and Review
    Date: February 3, 2008
    Free AntiVirus Help
  10. Trojan.Wimad Technical Details
    Updated: January 12, 2005
    Symantec Security Response
  11. TrID
  12. FileAlyzer
    The home of Spybot-S&D!

Valid HTML 4.01 Transitional