TechSpot

Win32/fotomoto

By RdRang95
Dec 17, 2007
  1. I have Windows Defender and when I turn on my computer it says it detected a browser modifier (Win32/fotomoto). I click Remove and it says it successfully removed it, but then about 30 seconds later the alert will pop up again saying it detected it again. How do I get rid of this thing?
     
  2. evilfantasy

    evilfantasy Banned Posts: 428

  3. RdRang95

    RdRang95 TS Rookie Topic Starter

    Here are the results, Panda AntiRootkit did not find anything.
     
  4. evilfantasy

    evilfantasy Banned Posts: 428

    What about the Combofix log?

    ---------

    Disable Spybot's TeaTimer

    While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent our tools from fixing certain things.
    Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your logs are clean.

    First:
    • Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
    • Choose Exit Spybot S&D Resident
    Second:
    • Open Spybot S&D
    • Click Mode, check Advanced Mode
    • Go To Left Panel, Click Tools, then also in left panel, click Resident
    • If your firewall raises a question, say OK
    • Uncheck the box labeled Resident Tea-Timer and OK any prompts.
    • Use File, Exit to terminate Spybot
    • Reboot your machine for the changes to take effect.

    ----------

    Enable Viewing Of Hidden System Files & Folders

    1. Click Start.
    2. Select Control Panel.
    3. Select the Tools menu and click Folder Options.
    4. Select the View Tab.
    5. Under the Hidden files and folders heading select Show hidden files and folders.
    6. Uncheck the Hide extensions for known file types option.
    7. Uncheck the Hide protected operating system files (recommended) option.
    8. Click Apply.
    9. Click OK.

    ----------

    Open HijackThis and select Do a system scan only then place a check mark next to:

    O2 - BHO: {2caedc36-6ff4-7ec9-4014-089d03b0c4cd} - {dc4c0b30-d980-4104-9ce7-4ff663cdeac2} - C:\WINDOWS\system32\mlsciexr.dll (file missing)
    O2 - BHO: (no name) - {EA1E9D10-D79E-475E-B673-5BE194A041E5} - C:\WINDOWS\system32\awtqp.dll (file missing)
    O4 - HKLM\..\Run: [382ac0cd] rundll32.exe "C:\WINDOWS\system32\ibfpshbd.dll",b


    Close all windows except for HijackThis and click Fix checked

    ----------

    Double-click My Computer from the desktop, locate this file/folder and delete it:

    C:\WINDOWS\system32\ibfpshbd.dll

    ----------

    Post a new HijackThis log along with the combofix log.
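    The three HijackThis lines above are what a helper picks out by eye: two BHO registrations whose DLL is already gone or that carry no readable name, and a Run value with a random hex name that loads a DLL through rundll32.exe. Fixing the lines only removes the registry entries; the DLL named by the Run value stays on disk, which is why the post also asks for it to be deleted. As an added example (not from the thread, and not HijackThis's or ComboFix's own code), here is a small Python triage that applies those same heuristics to HijackThis-style O2/O4 lines. The log it scans is constructed: the three flagged lines are copied from the post, the benign lines are made up for contrast, and the heuristics (orphaned or anonymous BHO, eight-hex-character Run value name, rundll32 with a one- or two-letter export) are this example's assumptions, not a HijackThis feature.

```python
"""Triage of HijackThis O2 (BHO) and O4 (Run key) log lines.

Added example: not part of the TechSpot thread and not HijackThis code.
The heuristics below are assumptions chosen to reproduce the manual pick
made in the thread, not a documented HijackThis rule set.
"""
import re

# Constructed sample log: the three O2/O4 lines the helper asked to fix,
# plus three benign entries invented for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {2caedc36-6ff4-7ec9-4014-089d03b0c4cd} - {dc4c0b30-d980-4104-9ce7-4ff663cdeac2} - C:\WINDOWS\system32\mlsciexr.dll (file missing)
O2 - BHO: (no name) - {EA1E9D10-D79E-475E-B673-5BE194A041E5} - C:\WINDOWS\system32\awtqp.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [382ac0cd] rundll32.exe "C:\WINDOWS\system32\ibfpshbd.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# O2 - BHO: <name> - {CLSID} - <path> [(file missing)]
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?: \((?P<note>file missing)\))?$"
)
# O4 - HKLM\..\Run: [<value name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$"
)
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)
# rundll32.exe "C:\...\x.dll",b  -> a DLL path followed by a 1-2 character export
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S{1,2})$',
    re.IGNORECASE,
)


def triage_line(line):
    """Return the reasons a single O2/O4 line looks suspicious (empty list if benign)."""
    reasons = []
    m = O2_RE.match(line)
    if m:
        if m.group("note") == "file missing":
            reasons.append("BHO registration points at a DLL that is not on disk (orphaned entry)")
        name = m.group("name")
        if name == "(no name)" or GUID_RE.match(name):
            reasons.append("BHO has no human-readable name")
        return reasons
    m = O4_RE.match(line)
    if m:
        if HEX_NAME_RE.match(m.group("value")):
            reasons.append("Run value name is eight random hex characters")
        r = RUNDLL_RE.match(m.group("cmd"))
        if r:
            reasons.append(f"rundll32 loads {r.group('dll')} through the short export '{r.group('export')}'")
        return reasons
    return reasons  # other HijackThis sections are not handled by this example


def triage(log_text):
    """Return [(line, reasons)] for every O2/O4 line that trips at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = triage_line(line)
        if reasons:
            findings.append((line, reasons))
    return findings


def files_to_delete(findings):
    """Paths from flagged lines that the log says are still on disk, i.e. need manual deletion
    after the registry entries are fixed (an orphaned BHO has nothing left to delete)."""
    paths = []
    for line, _ in findings:
        m = O2_RE.match(line)
        if m:
            if m.group("note") is None:
                paths.append(m.group("path"))
            continue
        m = O4_RE.match(line)
        if m:
            r = RUNDLL_RE.match(m.group("cmd"))
            if r:
                paths.append(r.group("dll"))
    return paths


if __name__ == "__main__":
    findings = triage(SAMPLE_LOG)
    for line, reasons in findings:
        print(line)
        for reason in reasons:
            print("    ->", reason)
    print("delete after fixing:", files_to_delete(findings))
```

    On the sample log the script flags exactly the three lines from the post and reports C:\WINDOWS\system32\ibfpshbd.dll as the one file left to remove by hand; the Adobe BHO, SoundMan and ctfmon.exe entries pass. The short-export check is deliberately narrow so that legitimate rundll32 entries with a named export (for example a vendor's control-panel startup routine) are not flagged.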
     
  5. RdRang95

    RdRang95 TS Rookie Topic Starter

    Here are the new log files; however, I was unable to manually delete the file C:\WINDOWS\system32\ibfpshbd.dll as it was not there.
     
  6. evilfantasy

    evilfantasy Banned Posts: 428

    Delete these files/folders, as follows:

    * Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

    * Save this as CFScript on the desktop.
    * Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


    * ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.

    Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to hang.
     
  7. RdRang95

    RdRang95 TS Rookie Topic Starter

    New ComboFix Log
     
  8. evilfantasy

    evilfantasy Banned Posts: 428

    Please download ATF Cleaner by Atribune. ATF Cleaner.exe

    Make sure that all browser windows are closed.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All and UNCHECK Cookies.
    • Click the Empty Selected button.

    If you use Firefox browser
    • Click Firefox at the top and choose: Select All and UNCHECK Cookies.
    • Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser
    • Click Opera at the top and choose: Select All and UNCHECK Cookies.
    • Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main ATF Cleaner menu to close the program.

    ----------

    One more HijackThis log please, sorry forgot to add that in the last reply.
     
  9. RdRang95

    RdRang95 TS Rookie Topic Starter

    ATF run, new HijackThis log
     
  10. evilfantasy

    evilfantasy Banned Posts: 428

    Looks good.

    Is the computer doing OK?

    Go to Start > Run and copy and paste next command in the field:

    ComboFix /u


    Make sure there's a space between Combofix and /
    Then hit Enter.

    This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

    To learn more about how to protect yourself while on the internet, read this article by Tony Klein: So how did I get infected in the first place?

    If anything else comes up just let us know.
     
  11. RdRang95

    RdRang95 TS Rookie Topic Starter

    Everything seems to be working alright now. No pop-ups or fotomoto coming up repeatedly. Thanks for all your help. Hopefully no more problems.
     
  12. evilfantasy

    evilfantasy Banned Posts: 428

    Sounds good.

    Safe surfing...........
     
  13. UTCSinfonian

    UTCSinfonian TS Rookie

    Same Problem

    I've had the same problem that was described in this thread. I went to the link and followed all the steps. Panda AntiRootkit did not find anything. I will attach the log files. Any help would be appreciated.
     
  14. evilfantasy

    evilfantasy Banned Posts: 428

    UTCSinfonian, start a new thread. It is too confusing working multiple fixes in one thread.
     
  15. momok

    momok TS Rookie Posts: 2,265

    Thread closed to discourage other users from replying with similar problems.
    All new problems must be treated as separate and addressed in their own thread.
    Please message a moderator should the original starter of the thread require it to be reopened.
     
Topic Status:
Not open for further replies.