Win32/fotomoto

Status
Not open for further replies.

RdRang95

I have Windows Defender, and when I turn on my computer it says it detected a browser modifier (win32/fotomoto). I click Remove and it says it successfully removed it, but then about 30 seconds later the alert will pop up again saying it detected it again. How do I get rid of this thing?
 
What about the Combofix log?

---------

Disable Spybot's TeaTimer

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent our tools from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your logs are clean.

First:
  • Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
  • Choose Exit Spybot S&D Resident
Second:
  • Open Spybot S&D
  • Click Mode, check Advanced Mode
  • Go To Left Panel, Click Tools, then also in left panel, click Resident
  • If your firewall raises a question, say OK
  • Uncheck the box labeled Resident Tea-Timer and OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.

----------

Enable Viewing Of Hidden System Files & Folders

1. Click Start.
2. Select Control Panel.
3. Select the Tools menu and click Folder Options.
4. Select the View Tab.
5. Under the Hidden files and folders heading select Show hidden files and folders.
6. Uncheck the Hide extensions for known file types option.
7. Uncheck the Hide protected operating system files (recommended) option.
8. Click Apply.
9. Click OK.

----------

Open HijackThis and select Do a system scan only then place a check mark next to:

O2 - BHO: {2caedc36-6ff4-7ec9-4014-089d03b0c4cd} - {dc4c0b30-d980-4104-9ce7-4ff663cdeac2} - C:\WINDOWS\system32\mlsciexr.dll (file missing)
O2 - BHO: (no name) - {EA1E9D10-D79E-475E-B673-5BE194A041E5} - C:\WINDOWS\system32\awtqp.dll (file missing)
O4 - HKLM\..\Run: [382ac0cd] rundll32.exe "C:\WINDOWS\system32\ibfpshbd.dll",b


Close all windows except for HijackThis and click Fix checked

----------

Double-click My Computer on the desktop, locate this file and delete it:

C:\WINDOWS\system32\ibfpshbd.dll

----------

Post a new HijackThis log along with the combofix log.
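The O2 and O4 lines above are the two autostart locations HijackThis reports: Browser Helper Object registrations under Explorer\Browser Helper Objects, and Run values under HKLM/HKCU. As an added example (not part of the thread, and not HijackThis or ComboFix code), the PowerShell below enumerates both locations, resolves each entry's DLL or EXE on disk, and flags entries whose file is absent, which is the "(file missing)" condition in the log. The two CLSIDs are taken from the O2 lines in this thread; the rundll32 pattern check is a heuristic modelled on the O4 line (random-looking System32 DLL loaded by rundll32 with a one-letter export) and is an assumption, not a detection signature. Run it from an elevated PowerShell prompt; it only reads.

```powershell
# Added example, not from the thread: list BHO (O2) and Run (O4) autostarts and
# flag entries whose target file is missing or matches the thread's indicators.
# Read-only; removal is left to the tools the thread uses.

$BhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# CLSIDs copied from the O2 lines in this thread (-contains is case-insensitive).
$KnownBadClsids = @(
    '{dc4c0b30-d980-4104-9ce7-4ff663cdeac2}',
    '{EA1E9D10-D79E-475E-B673-5BE194A041E5}'
)
# Provider metadata that Get-ItemProperty attaches to every result; not Run values.
$PsMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-BhoEntries {
    if (-not (Test-Path -LiteralPath $BhoRoot)) { return }
    foreach ($key in Get-ChildItem -LiteralPath $BhoRoot -ErrorAction SilentlyContinue) {
        $clsid = $key.PSChildName
        # The BHO key is only a registration; the DLL path is the default value
        # of HKCR\CLSID\{clsid}\InprocServer32.
        $srv = Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        $dll = $null
        if ($srv -and $srv.'(default)') {
            $dll = [Environment]::ExpandEnvironmentVariables($srv.'(default)')
        }
        [pscustomobject]@{
            Type        = 'O2-BHO'
            Location    = $clsid
            Target      = $dll
            FileMissing = -not ($dll -and (Test-Path -LiteralPath $dll))
            Suspicious  = $KnownBadClsids -contains $clsid
        }
    }
}

function Get-RunTarget {
    param([string]$CommandLine)
    # First DLL/EXE path in the command line: quoted form as in the O4 line above
    # (rundll32.exe "C:\WINDOWS\system32\ibfpshbd.dll",b) or an unquoted path.
    if ($CommandLine -match '"([^"]+\.(?:dll|exe))"') {
        return [Environment]::ExpandEnvironmentVariables($Matches[1])
    }
    if ($CommandLine -match '((?:[A-Za-z]:\\|%\w+%\\)[^"]+?\.(?:dll|exe))\b') {
        return [Environment]::ExpandEnvironmentVariables($Matches[1])
    }
    return $null
}

function Get-RunEntries {
    foreach ($rk in $RunKeys) {
        if (-not (Test-Path -LiteralPath $rk)) { continue }
        $values = Get-ItemProperty -LiteralPath $rk
        foreach ($p in $values.PSObject.Properties) {
            if ($PsMeta -contains $p.Name) { continue }
            $cmd     = [string]$p.Value
            $target  = Get-RunTarget $cmd
            $missing = $false
            if ($target) { $missing = -not (Test-Path -LiteralPath $target) }
            [pscustomobject]@{
                Type        = 'O4-Run'
                Location    = "$rk\$($p.Name)"
                Target      = $cmd
                FileMissing = $missing
                # Heuristic (assumption): rundll32 loading a random-name System32 DLL
                # with a single-letter export, the shape of the O4 line in this thread.
                Suspicious  = $cmd -match 'rundll32(?:\.exe)?\s+"?[^"]*\\system32\\[a-z]{6,10}\.dll"?,[a-z]\s*$'
            }
        }
    }
}

$report = @(Get-BhoEntries) + @(Get-RunEntries)
$report | Where-Object { $_.FileMissing -or $_.Suspicious } | Format-Table -AutoSize
```

An entry with FileMissing set is a dangling reference: the registry still points at a DLL that is gone, so deleting the value or key costs nothing and removes the error the loader would otherwise produce. A Run value whose file is present, or one that comes back after you remove it, means something still running is re-creating it, and deleting the DLL itself is the step that matters.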
 
Here are the new log files; however, I was unable to manually delete the file C:\WINDOWS\system32\ibfpshbd.dll, as it was not there.
 
Delete these files/folders, as follows:

* Open Notepad and copy/paste the text below into it:

Folder::
C:\VundoFix Backups

File::
C:\WINDOWS\system32\sgwkmntk.ini
C:\WINDOWS\system32\rvtdhssx.ini
C:\WINDOWS\system32\rmedadux.ini
C:\WINDOWS\system32\bbvsrkyx.ini
C:\WINDOWS\system32\hppshmyu.ini
C:\WINDOWS\system32\qfpxxvow.ini
C:\rtfjiqam.exe

Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{dc4c0b30-d980-4104-9ce7-4ff663cdeac2}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA1E9D10-D79E-475E-B673-5BE194A041E5}]

* Save this as CFScript on the desktop.
* Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

[screenshot: CFScript being dragged onto ComboFix.exe]


* ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running; that may cause your system to hang.
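The CFScript above is a plain-text file with `Folder::`, `File::` and `Registry::` sections, one target per line. As an added example (not from the thread and not ComboFix code), the PowerShell below parses a script in that layout and reports which targets still exist, so the result of the cleanup can be checked from an ordinary shell, including the case the poster hit where a listed file is already gone. The embedded script is the one from this thread. Assumption: ComboFix's `~` shorthand in `Registry::` lines stands for `SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer`; if your log uses a different abbreviation, adjust Resolve-RegistryTarget. The script does not delete anything.

```powershell
# Added example, not from the thread: parse a ComboFix-style CFScript and report
# which of its Folder::/File::/Registry:: targets are still present. Read-only.

# The CFScript posted in this thread, embedded for offline use.
$CfScript = @'
Folder::
C:\VundoFix Backups

File::
C:\WINDOWS\system32\sgwkmntk.ini
C:\WINDOWS\system32\rvtdhssx.ini
C:\WINDOWS\system32\rmedadux.ini
C:\WINDOWS\system32\bbvsrkyx.ini
C:\WINDOWS\system32\hppshmyu.ini
C:\WINDOWS\system32\qfpxxvow.ini
C:\rtfjiqam.exe

Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{dc4c0b30-d980-4104-9ce7-4ff663cdeac2}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA1E9D10-D79E-475E-B673-5BE194A041E5}]
'@

function ConvertFrom-CfScript {
    param([string]$Text)
    # A line ending in "::" opens a section; every other non-blank line is a target.
    $section = $null
    foreach ($raw in ($Text -split '\r?\n')) {
        $line = $raw.Trim()
        if (-not $line) { continue }
        if ($line -match '^(\w+)::$') { $section = $Matches[1]; continue }
        [pscustomobject]@{ Section = $section; Target = $line }
    }
}

function Resolve-RegistryTarget {
    param([string]$Bracketed)
    # "[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{...}]" -> provider path Test-Path understands.
    $path = $Bracketed -replace '^\[|\]$', ''
    # Assumption: "~" is ComboFix shorthand for the Explorer key.
    $path = $path -replace '\\~\\', '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\'
    "Registry::$path"
}

function Test-CfScriptTargets {
    param([string]$Text)
    foreach ($entry in ConvertFrom-CfScript $Text) {
        $path = switch ($entry.Section) {
            'Registry' { Resolve-RegistryTarget $entry.Target }
            default    { $entry.Target }
        }
        [pscustomobject]@{
            Section     = $entry.Section
            Target      = $entry.Target
            StillExists = Test-Path -LiteralPath $path
        }
    }
}

Test-CfScriptTargets $CfScript | Format-Table -AutoSize
```

Run it before dropping the script onto ComboFix to see what is actually on disk (a target that already reads StillExists = False, like the DLL the poster could not find, was removed earlier or never existed under that name), and again after the reboot: anything still True was not cleaned and belongs in the next reply.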
 
Please download ATF Cleaner by Atribune (ATF-Cleaner.exe).

Make sure that all browser windows are closed.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All and UNCHECK Cookies.
  • Click the Empty Selected button.

If you use Firefox browser
  • Click Firefox at the top and choose: Select All and UNCHECK Cookies.
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
  • Click Opera at the top and choose: Select All and UNCHECK Cookies.
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main ATF Cleaner menu to close the program.

----------

One more HijackThis log please, sorry forgot to add that in the last reply.
 
Looks good


Is the computer doing OK?

Go to Start > Run and copy and paste next command in the field:

ComboFix /u

[screenshot: "ComboFix /u" entered in the Run dialog]


Make sure there's a space between Combofix and /
Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files again and reset System Restore.

To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?

If anything else comes up just let us know.
 
Everything seems to be working alright now. No pop-ups or fotomoto coming up repeatedly. Thanks for all your help. Hopefully no more problems.
 
Same Problem

I've had the same problem that was described in this thread. I went to the link and followed all the steps. Panda Antiroot Kit did not find anything. I will attach the log files. Any help would be appreciated.
 
Thread closed to discourage other users from replying with similar problems.
All new problems must be treated as separate and addressed in their own thread.
Please message a moderator should the original starter of the thread require it to be reopened.
 