"Fast Browser Search" spyware

You are 7 months out of date with your version of MGtools. You must ALWAYS download and use the current version to avoid being out of date.

Did you simply try going to Add/Remove Programs and uninstall it? Fast Browser Search (My Tattoons)

Also delete this file from it after uninstalling: c:\users\Public\MyWebTattoo.exe

 

I just noticed that you said that Add/Remove Programs did not work. Try using the below and see if it helps.

Your Uninstaller! 2009

 

If the Your Uninstaller does not help, try the below.


Uninstall the below old versions of software:
Java(TM) 6 Update 15

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: BrowserHelper Class - {8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6} - C:\Program Files\SGPSA\SearchAssistant.dll (file missing)

After clicking Fix, exit HJT.

Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\Windows\temp
C:\Users\pcromero\AppData\Local\Temp

Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

Now attach the below log:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

According to your log, you did not shutdown ZoneAlarm nor did you get AVG properly shutdown (which you also noted) before running the fix. This is necessary as stated. They will get in the way of the fix. (Sometimes this will work: http://www.avg.com/us-en/faq.num-1209 ) But sometimes, it is even necessary to uninstall AVG since it can be quite problematic. Let's try a new fix.

Not fishy at all. Since you did not shutdown protection, ComboFix could not run properly and was trying to repair your network connection that is disabled while ComboFix is running.
Logs attached. Thanks for any help. I hope I didnt mess things up more than they were!

Click Start, Run, and copy and paste the below into the Run box and click OK.

notepad c:\users\pcromero\AppData\Roaming\Mozilla\Firefox\Profiles\h0nriuj8.default\prefs.js

This should bring up your preferences file for FireFox in a notepad window. Look for lines containing the below information and delete the whole line where it appears.

browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=4&q=
keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=4&tid={28B3A99A-A2A3-3DE5-6286-AADDFBBDBB4E}&q=

After deleting those lines, click File, and select Save. If you cannot save the file, close all browsers first before saving.

Now locate the below file and delete it.
c:\users\Public\MyWebTattoo.exe

Now close ALL browsers and then reopen one and see how things are working.

 

• Did you find the lines in the pref.js file that I asked you to delete? The config settings in FireFox should allow you to edit and remove these. Type about:config in the address bar in Firefox. In the filter, type fast. This should show the instances of where Fast Browser Search appears. Also you should try filtering on fbs . Right click on each of the Fast Browser Search entries and select reset. This should put most of them back to google. Also you should look under Add-Ons and remove any related to FBS. Also click the down button next to Search and select Manage Search Engines and remove any related to FBS.
• Did you find the file I asked you to delete and did it delete?
• Do you see any or the below files/folders?

C:\Program Files\Fast Browser Search\IE\basis.xml
C:\Program Files\Fast Browser Search\IE\fbsSearchProvider.xml
C:\Program Files\Search Guard Plus\fbsSearchProvider.xml
C:\Program Files\Search Guard PlusU\Tmp
C:\Program Files\FBrowser
C:\Program Files\FBSeach Toolbar
C:\Program Files\SGPSA
c:\users\Public\MyWebTattoo.exe

Perhaps but since this is hooked into FireFox, it may just be easier to uninstall FireFox, reboot (don't skip), then delete the FireFox folders. Then download and install it again ( Mozilla FireFox )


Does any of the above help?

 

My last message suggested uninstalling FireFox.


First try deleting the below two files. Make sure FireFox is closed when you delete these:

C:\Program Files\Mozilla Firefox\searchplugins\fast.png
C:\Program Files\Mozilla Firefox\searchplugins\fast.xml

Then open FireFox. If you still have a problem. Don't say things like "no dice". Please describe the exact problem.

 

We will not know until you try it. If it is an addon to the browser, it should be gone after the reinstall as long as you don't install anything but FireFox.

Possibly or at least start checking thru the list of Addons and Toolbars and disabling them to see what happens.

 

What is this WebMate program you have installed? It appears to have something to due with browsing. Perhaps you should uninstal it for now. You can always reinstall it later if it is not part of the problem.

FYI to disable Windows Defender: Disabling & Enabling Windows Defender in Vista




Please do ALL of the below exactly as written and do it in the order written ( no exceptions ).

• Downloaded and save the current version of ComboFix.exe to your Desktop but do not run it. Get it here: combofix.exe
• Download and save the current version of Mozilla FireFox to your Desktop but do not run this yet.
• Uninstall AVG to make sure that it is not getting in our way of removal by interferring with ComboFix.
• Uninstall your current copy of FireFox. Use Internet Explore for now.
• Complete the below procedure with ComboFix:

Now we need to use ComboFix again

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.




After reboot, use Internet Explorer to download Registry Search (see the link titled RegSearch Download Link )

• Extract the files from Regsearch.zip into a folder.
• Doubleclick regsearch.exe to start the program.
• See the top 3 boxes under the Enter search strings (case independen) and click Ok... option, enter the below string (use copy and past)
  • 8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6
• Then click "OK".
• Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well).
• Attach this RegSearch.txt file.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


Then immediately attach the below logs before doing anything else:

• C:\ComboFix.txt
• RegSearch.txt
• C:\MGlogs.zip

Now print the below instructions or save locally so that you do not have to open up IE or FireFox until FireFox is install and runs itself. After printing or saving locally in a text file continue.

• Now install the new version of FireFox. Do not add and addons or special tools to it just install FireFox.
• Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).
• Now use FireFox to attach the new C:\MGlogs.zip file
• Is the toolbar still present in FireFox?

Reinstall your AVG protection now so that you are not surfing unprotected.

 

Not true. You do have a Program File directory. It shows in all of your logs and even a few messages back I asked you delete a couple of files in it and you said

So how could you have deleted these files if the Program Files folder did not exist?

 

Must be something to do with automatic language translation because if you look at the logs you are posting for us you will see that is shows things like below and show C:\Program Files which is even where it shows FireFox, iTunes,....etc running from. This is just a small snapshot from the HijackThis log:

Run my previous fix anyway. It will not hurt anything if it cannot find the files it would just fail to find them. Let's see what happens.

NOTE: It is okay if you reneable UAC inbetween fixes but you must remember that each time before running any fix you will have to disable it and then you MUST reboot for it to take effect. And then you can run the fix. You cannot run the fix if UAC has not been disabled and you have not rebooted.

 

Okay perhaps the problem really is that the logs are displaying the English folder name of C:\Program Files and possibly also various registry keys in English terms but when we run the fixes, the programs are not really able to find the associated items. Based on your logs, I could see things that should haven been deleted that are still there. So let's try the fix using the Spanish names and see if that changes anything. Let's run a similar fix to last time with these changes.

Remember to disable all protection first.



Please do ALL of the below exactly as written and do it in the order written ( no exceptions ).

• Downloaded and save the current version of ComboFix.exe to your Desktop but do not run it. Get it here: combofix.exe
• Download and save the current version of Mozilla FireFox to your Desktop but do not run this yet.
• Uninstall AVG to make sure that it is not getting in our way of removal by interferring with ComboFix.
• Uninstall your current copy of FireFox. Use Internet Explore for now.
• Complete the below procedure with ComboFix:

Now we need to use ComboFix again

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).




Then immediately attach the below logs before doing anything else:

• C:\ComboFix.txt
• C:\MGlogs.zip

Now print the below instructions or save locally so that you do not have to open up IE or FireFox until FireFox is install and runs itself. After printing or saving locally in a text file continue.

• Now install the new version of FireFox. Do not add and addons or special tools to it just install FireFox.
• Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).
• Now use FireFox to attach the new C:\MGlogs.zip file
• Is the toolbar still present in FireFox?

Reinstall your AVG protection now so that you are not surfing unprotected.

 

Is all protection software shutdown? Windows Defender too?

It's impossible to have two folders with the same name in the same location. Are you sure that you are seeing exactly the same names on the folders? Is one a file and one a folder. Does one have different spaces between the letters?

 

Not sure how this is happening. One folder must have hidden characters in it or it belongs to the system and there is a junction on it giving what appears to be a dfferent name as far as the file system would be concerned.


Download and save the below to your PC and save it to the C:\MGtools folder! Then right click on it and select Run As Administratort.

FLook.bat

It should take a only a few seconds to run. You will see a black command prompt window while it is running and it should close when it is finished. Once it finishes, attach the c:\MGtools\Dlog.zip file that is created. Then continue on to the below.



Please do ALL of the below exactly as written and do it in the order written ( no exceptions ).

• Download and save the current version of Mozilla FireFox to your Desktop but do not run this yet.
• Uninstall your current copy of FireFox. Use Internet Explore for now. Do not reinstall FireFox until I ask you to do so.
• Complete the below procedure with Avenger:

Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

After reboot look for all of the above files we had Avenger attempt to delete. If you still see them, delete them yourself.

Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\TEMP
C:\Documents and Settings\Sean Walsh\Local Settings\Temp

Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

Then attach the below logs:

• C:\avenger.txt
• make sure you have atttached the C:\MGtools\Dlog.zip file
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

You were not suppose to delete this folder or the other one in Windows. I only asked you to delete what is in these temp folders.

Based on your logs which is a direct output from the Windows Dir command ( Dir stands or Directory ), you have both of the below folders:

Code:

 Directorio de C:\
10/10/2008  20:06    <DIR>          archivos de programa
17/11/2009  09:13    <DIR>          program files

So thus you actually do have a Program Files folder. And you need to look in it too to make sure that any Mozilla Firefox folder has been deleted before reinstalling FireFox. Search your PC for FireFox and delete anything related to it except the installer program you downloaded to install the new version of FireFox.

I assume right now with FireFox being uninstalled that all is good?

After cleaning up any remaining files and folders for FireFox, disconnect your cable to the internet and then reinstall FireFox and only FireFox. See if the toolbar appear right now and choose the appropriate below

• If the toolbar does appear, get a new log from MGtools and then reattach your cable to come here and post your log.
• If the toolbar does not appear, reconnect your cable to the internet and see if the toolbar comes back after connecting. Also open and close FireFox to see if it only comes back after FireFox is restarted.

 

Yes! If you open a command prompt and run a dir command on the root folder you will see what I see.

Try installing this ExplorerXP and see what it shows you.

You really don't need to manually search anyway. You could just do a file search to try and locate remnants of FireFox or Mozilla.

 

You're welcome.

Excellent.

It will work which is why I asked you to try it. I have used it with Vista. Not necessary any more unless you just wish to play with it.


If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
9. If you are running Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!