Making me angry - Win32/fotomoto


munch2477

I have Windows Defender and I just turned on my computer and it says it detected a browser modifier (win32/fotomoto). It says the alert level is high. So I click remove and it says it successfully removes it. Then about 30 seconds later the alert will pop up again saying it detected the "fotomoto" thing. It doesn't seem to be affecting my computer, but then again it just started popping up 30 minutes ago. Anyone have any ideas for me? Should I be worried that something bad will happen?
 
Please download Combofix by sUBs from either here or here

Save Combofix.exe to your Desktop.

1. Double click combofix.exe & follow the prompts. (from the keyboard select 1 and press enter)
2. When finished, it will produce a log for you.
3. Attach that log in your next reply.

Note:
Do not mouse-click Combofix's window while it's running. That may cause your computer to stall.


----------

Then run a HijackThis scan and post both logs as attachments.

HijackThis and Attachment Instructions
 
Logs

Here is my combofix log and my hijackthis log
 

Attachments
  • combofixlog.txt (9.9 KB)
  • hijackthis.log (11.2 KB)
Open HijackThis and select Do a system scan only and place a check mark next to:

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen10.exe


Close all windows except for HijackThis and click Fix checked

---------------

Download ViewpointKiller

* Unzip the program and all of the contents of ViewpointKiller.zip to a location such as your desktop.
* Double click the ViewpointKiller icon to run ViewpointKiller.exe. Select the "File" menu, and select "Check to see if you have Viewpoint installed".
* If ViewpointKiller indicates that any of the Viewpoint variants are installed, select the proper "Kill" option in the File menu.

Follow the prompts and instructions very carefully, answering "Yes" or "No" depending on which option you are most comfortable with. The MsConfig instructions are very important, so be sure to read them carefully.

Note: When done with ViewpointKiller, simply right click and delete all files that were unzipped.

---------------

Please download ATF Cleaner by Atribune (ATF-Cleaner.exe).

Make sure that all browser windows are closed.
* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All and UNCHECK Cookies.
* Click the Empty Selected button.

If you use Firefox browser
* Click Firefox at the top and choose: Select All and UNCHECK Cookies.
* Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
* Click Opera at the top and choose: Select All and UNCHECK Cookies.
* Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main ATF Cleaner menu to close the program.

---------------

Download SmitfraudFix (by S!Ri) to your Desktop.

Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and pressing Enter.
This program will scan a large number of files on your computer for known patterns, so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please attach that log in your next reply.

Note: process.exe (which is used by SmitfraudFix) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

---------------

Last, run a new HijackThis scan and attach the log.

---------------

Next post please attach
rapport.txt
New HijackThis log
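As an added illustration (not from the thread, and not part of HijackThis itself), a small Python triage of log lines in the HijackThis format quoted above: it parses each entry, pulls out the CLSID, and flags the same kinds of items the post singles out, namely orphan entries marked "(no file)" or "(file missing)", an O16 DPF entry pointing at an executable, and components whose name is on a watch-list (assumed here to contain only "viewpoint"). The sample log is constructed from the entries quoted in the thread plus one benign placeholder BHO.

```python
import re

# Constructed sample in HijackThis log format: the entries quoted in the
# thread plus one benign placeholder BHO with an all-zero CLSID.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: Placeholder Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Placeholder\helper.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen10.exe
O3 - Toolbar: (no name) - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - (no file)
"""

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Assumed watch-list of unwanted component names, taken from the thread.
KNOWN_UNWANTED = ("viewpoint",)

def parse_entry(line):
    """Split one HijackThis line into section code, kind, CLSID and target."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    clsid = CLSID_RE.search(rest)
    return {
        "code": m.group("code"),
        "kind": m.group("kind"),
        "clsid": clsid.group(0).upper() if clsid else None,
        # Last " - " separated field: a path, a URL, or "(no file)".
        "target": rest.rsplit(" - ", 1)[-1],
        "raw": line.strip(),
    }

def flag_reasons(entry):
    """Return why an entry deserves a look; an empty list means nothing found."""
    reasons = []
    target = entry["target"].lower()
    if "(no file)" in target or "(file missing)" in target:
        reasons.append("orphan: registered component has no file on disk")
    if entry["code"] == "O16" and target.endswith(".exe"):
        reasons.append("DPF entry downloads an executable")
    if any(name in entry["raw"].lower() for name in KNOWN_UNWANTED):
        reasons.append("matches known-unwanted component list")
    return reasons

def triage(log_text):
    """Return (code, clsid, reasons) for every flagged line, in log order."""
    entries = filter(None, map(parse_entry, log_text.splitlines()))
    return [(e["code"], e["clsid"], flag_reasons(e)) for e in entries if flag_reasons(e)]
```

Run `triage(SAMPLE_LOG)` and the five entries the helper asked to fix come back flagged while the placeholder BHO does not.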
 
I ran the ViewpointKiller and it said it couldn't find some of the files, so I guess it couldn't kill the Viewpoint manager. I included the log. I don't know if that is a big deal.
 
The ViewpointKiller worked.

----------

Open HijackThis and select Do a system scan only and place a check mark next to:

O3 - Toolbar: (no name) - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - (no file)

Next click Fix checked

----------

PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING. Ask any questions that you may have before starting.

You may want to print out these instructions or copy and paste them to Notepad and save it to the desktop, as you will not be able to see this page in Safe Mode.

Please reboot your computer in Safe Mode by tapping the F8 key just before Windows starts to load and selecting Safe Mode.

Open the SmitfraudFix Folder on your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and pressing Enter.
The program will start cleaning your computer and go through a series of cleanup processes. Wait for the tool to complete and disk cleanup to finish. This process can take some time depending on your computer, so please be patient. When it is complete, it will close automatically and you should continue with the next step.

You will be prompted: "Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

Optional:
To restore Trusted and Restricted site zone, select 3 and hit Enter.
You will be prompted: Restore Trusted Zone? answer Y (yes) and hit Enter to delete trusted zone.

Now reboot into normal mode and attach this new rapport.txt in the next post.

WARNING: Running this option on a non-infected computer will remove the desktop background. So only run it once!

----------

Next post please attach
rapport.txt
New HijackThis log
 
Sorry it took so long. I've been busy. My computer doesn't seem to have a problem anymore with the fotomoto, by the way.
 

Attachments
  • rapport2.txt (2.3 KB)
The logs look fine now.

Run ATF Cleaner.

-----

Go to Start > Run and copy and paste next command in the field:

ComboFix /u



Make sure there's a space between Combofix and /
Then hit Enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

-----

Let's clear out the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if launched accidentally.

Please download OTMoveIt by OldTimer (OTMoveIt.exe) and place it on your desktop.

1. Double click OTMoveIt.exe to launch it.
2. Click on the CleanUp! button.
3. OTMoveIt will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
4. You will be prompted to allow the clean up procedure; click Yes.
5. When finished, exit out of OTMoveIt.

-----

If anything else comes up just let us know.

To learn more about how to protect yourself while on the internet, read this article by Tony Klein: So how did I get infected in the first place?


Safe surfing........
 