Author Topic: Help to remove FOTOMOTO.A Trojan  (Read 55787 times)


mauserme

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #60 on: July 18, 2007, 07:47:17 PM »
Quote
Hi Mauserme,

Magic Folders: I open it from the Start Menu.
I ran into an even bigger problem. Since this morning, the computer will not start up. I opened the CPU up, cleaned out the dust build-up on the fans (usually that works), but no luck today. I am going to wait and see till this evening, else tomorrow I may have to take it out to Geek Squad or some store. There are LEDs lit up inside, so obviously power is coming in; it's possible the power switch could be shorted. Hopefully it's that simple.
Maybe the power supply, but that's a guess.

Anyway, it gives us some time with the laptop.  Let's start with a ComboFix log, followed by HJT.


Maze

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #61 on: July 18, 2007, 08:55:57 PM »
Desktop is back up and running. Yeah, checked the power supply. Your suggestion gave me an idea to go for simplest solution. Changed the power cord. It worked.

Symantec did not run. Required IE. (Made sure ActiveX and Scripting were enabled)

Next post: later today with Laptop ComboFix & HJT logs

mauserme

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #62 on: July 19, 2007, 07:40:10 PM »
Quote
Next post: later today with Laptop ComboFix & HJT logs
I'm ready when you are  :)

Maze

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #63 on: July 19, 2007, 10:34:53 PM »
Hi Mauserme,
Sorry for the delay. I was doing some homework, to be more specific the initial antivirus scans that we performed for the other computer, so that I could save you some time by looking at a cleaner Combofix and HijackThis log. I have listed the process performed in the last 24 hours in order below.


1.   Uninstalled Old Java and installed latest version from filehippo
2.   Downloaded and installed/updated the following
         - Windows Defender
         - Ad-Aware 2007
         - Spyware Terminator
         - AVG Anti-Spyware
         - Avast (update only)
         - Spybot Search & Destroy (update only)
         - SuperAntiSpyware
3.   Disabled system restore
4.   Turned off internet access
5.   Restarted in safe mode
6.   Ran all the above
7.   Restarted in normal mode with internet off
8.   Immunized with Spywareblaster & Spybot search & destroy
9.   Turned internet on
10.   Downloaded and installed Comodo Firewall
11.   Uninstalled Norton Security Center
12.   Could not remove 0.13MB of Norton Antivirus 2005 (that has to be removed before uninstalling “Norton Live Update 2.5”)
13.   Ran Ccleaner – cleared temporary files and registry (after backup)
14.   Enabled thorough system inspection for insecure applications with Secunia Software Inspector. The following were flagged
         - Quicktime (uninstalled)
         - Adobe Flashplayer 7.x, 8.x, 9.x (couldn’t find an option to uninstall old ones before installing new version)
         - Macromedia Flashplayer 7.x & 8.x (couldn’t find an option to uninstall old ones before installing new version)
         - Mozilla Firefox (update downloaded and installed)
15.   Ran ComboFix (log pasted in the next post)
16.   Ran HijackThis (log pasted in the post after ComboFix log)

Maze

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #64 on: July 19, 2007, 10:37:44 PM »
"Maze" - 2007-07-19 16:04:30 - ComboFix Log 07-07-17.8 - Service Pack 2  NTFS 


(((((((((((((((((((((((((   Files Created from 2007-06-19 to 2007-07-19  )))))))))))))))))))))))))))))))


2007-07-19 16:01   51,200   --a------   C:\WINDOWS\nircmd.exe
2007-07-19 14:19   <DIR>   d--------   C:\DOCUME~1\Gladys\APPLIC~1\Comodo
2007-07-19 14:19   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-07-18 23:44   3,968   --a------   C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-07-18 17:39   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-18 17:34   <DIR>   d--------   C:\DOCUME~1\Gladys\APPLIC~1\SUPERAntiSpyware.com
2007-07-18 17:23   10,872   --a------   C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-07-18 17:14   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-18 17:10   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2007-07-18 17:03   138,368   --a------   C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-07-18 16:54   <DIR>   d--------   C:\Program Files\Spyware Terminator
2007-07-18 16:54   <DIR>   d--------   C:\DOCUME~1\Gladys\APPLIC~1\Spyware Terminator
2007-07-18 16:54   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spyware Terminator
2007-07-17 22:42   52,108   --a------   C:\WINDOWS\system32\drivers\XMS1563K.SYS


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-19 19:01:26   --------   d--h--w   C:\Program Files\InstallShield Installation Information
2007-07-19 19:00:53   --------   d-----w   C:\Program Files\QuickTime
2007-07-19 18:26:25   --------   d-----w   C:\Program Files\Common Files\Symantec Shared
2007-07-19 12:13:37   --------   d-----w   C:\Program Files\DivX
2007-07-19 03:37:23   --------   d-----w   C:\Program Files\Installed
2007-07-18 14:57:25   --------   d-----w   C:\Program Files\Microsoft Money 2005
2007-06-18 21:23:01   --------   d-----w   C:\DOCUME~1\Gladys\APPLIC~1\Talkback
2007-06-13 14:49:06   --------   d-----w   C:\Program Files\Internet
2007-06-04 19:18:48   9,344   ----a-w   C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 19:17:02   8,320   ----a-w   C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 19:14:56   6,272   ----a-w   C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-16 15:12:02   683,520   ----a-w   C:\WINDOWS\system32\inetcomm.dll
2007-04-30 15:46:10   745,600   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:35:28   95,872   ----a-w   C:\WINDOWS\system32\AVASTSS.scr
2007-04-25 14:21:15   144,896   ----a-w   C:\WINDOWS\system32\schannel.dll


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-10-22 23:08   62080   --a------   C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 02:04   853672   --a------   C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-07-12 04:00   501136   --a------   C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-07-14 22:16]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-10-13 21:34]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"!AVG Anti-Spyware"="C:\Program Files\Installed\Anti Virus\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
"COMODO Firewall Pro"="C:\Program Files\Installed\Anti Virus\Comodo\Firewall\CPF.exe" [2007-07-19 14:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Installed\Anti Virus\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\Installed\Anti Virus\SuperAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\Installed\Anti Virus\SuperAntiSpyware\SASWINLO.dll --a------ 2007-04-19 13:41 294912 C:\Program Files\Installed\Anti Virus\SuperAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


Contents of the 'Scheduled Tasks' folder
2007-07-19 19:24:48  C:\WINDOWS\tasks\MP Scheduled Scan.job
2007-07-19 17:26:22  C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.1040 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-19 16:07:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\MFX.sys

scan completed successfully
hidden files: 1

**************************************************************************

Completion time: 2007-07-19 16:10:11

   --- E O F ---

Next post: HijackThis Log

Maze

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #65 on: July 19, 2007, 10:39:20 PM »
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:21:22 PM, on 7/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Installed\Anti Virus\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Installed\Anti Virus\aswUpdSv.exe
C:\Program Files\Installed\Anti Virus\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Installed\Anti Virus\AdAware2007\aawservice.exe
C:\Program Files\Installed\Anti Virus\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Installed\Anti Virus\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Installed\Anti Virus\ashMaiSv.exe
C:\Program Files\Installed\Anti Virus\ashWebSv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Installed\Anti Virus\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Installed\Anti Virus\Comodo\Firewall\CPF.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Installed\Anti Virus\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Installed\Anti Virus\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Installed\Anti Virus\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\Installed\PDFill\\DownloadPDF.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\Installed\Anti Virus\SuperAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Installed\Anti Virus\AdAware2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Installed\Anti Virus\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Installed\Anti Virus\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Installed\Anti Virus\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Installed\Anti Virus\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Installed\Anti Virus\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Installed\Anti Virus\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 6420 bytes

Thank you :-)

mauserme

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #66 on: July 20, 2007, 06:06:41 AM »
My goodness - aren't you ambitious  :o

Other than a remnant or two of Magic Folders and some stray Symantec (Norton) entries I don't see anything of note in these logs.  Are you experiencing any symptoms of infection?

Here are a few thoughts:

Quote
3.   Disabled system restore
If you ever need to clean your restore points again I prefer the following method as it never leaves you without at least one restore point:

1. Click Start>All Programs>Accessories > System tools > System Restore
2. In the dialog box that appears  Click in the radio button to Create a Restore Point
3. Click NEXT
4. Enter a name you will remember if you need to find this again (like Clean Point)
5. Click CREATE

You now have a clean restore point, to get rid of the bad ones:

1. Click Start>All Programs>Accessories > System tools > Disk Clean Up
2. Click OK on the C: drive
3. Click the More Options tab
4. In the System Restore section click the Clean Up button

Quote
8.   Immunized with Spywareblaster & Spybot search & destroy
Again, just for future reference, I think it's safer to immunize after you know the computer is clean.  Save this step if you suspect there is any infection.

Quote
12.   Could not remove 0.13MB of Norton Antivirus 2005 (that has to be removed before uninstalling “Norton Live Update 2.5”)
There is a removal tool you should download and run

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

Then look for and delete any remaining traces of Norton/Symantec from your hard drive.  After running the tool you can post another HJT log and we'll remove any lines that remain.

Quote
catchme 0.3.1040 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-19 16:07:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\MFX.sys

scan completed successfully
hidden files: 1
This file is a remnant of Magic Folders that is still on your computer (the rootkit component that hides the rest).  There is another, C:\WINDOWS\system32\drivers\XMS1563K.SYS, that may or may not still be there.

Download OTMoveit to this computer and paste these paths in


C:\WINDOWS\system32\drivers\XMS1563K.SYS
C:\WINDOWS\system32\drivers\MFX.sys
C:\WINDOWS\magic.exe
c:\syz_dat
c:\x__x


Click the MoveIt button and paste the results in your next response.

In that mfx.sys is detected by ComboFix I have to say Magic Folders is not installed on your desktop.  We ran multiple ComboFix logs with no trace of that file.  Maybe you have a menu screen with nothing behind it.

Maze

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #67 on: July 20, 2007, 07:20:41 AM »
OTMoveIt Results:
C:\WINDOWS\system32\drivers\XMS1563K.SYS moved successfully.
File/Folder C:\WINDOWS\system32\drivers\MFX.sys not found.
File/Folder C:\WINDOWS\magic.exe not found.
File/Folder c:\syz_dat not found.
File/Folder c:\x__x not found.
 
Created on 07/20/2007 01:08:07

Symantec (Norton) Removed

System Restore: New Clean Point created

Thanks Mauserme.

mauserme

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #68 on: July 20, 2007, 01:11:21 PM »
If you set your folder options to "Show Hidden Files and Folders" and uncheck "Hide protected Operating System Files", can you see C:\WINDOWS\system32\drivers\MFX.sys by navigating to the folder?

Maze

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #69 on: July 20, 2007, 05:10:37 PM »
Hi Mauserme,
mfx.sys not in C:\WINDOWS\system32\drivers\MFX.sys

The closest thing I found was mf.sys but the description says "multifunction enumerator" by Microsoft Corporation.

One other thing:
I guess loading all the antivirus programs + the other stuff I have already, has made the laptop really really slow. It takes over 10 min to load up and even Word takes a whole min to load. Should we stop some non-essential processes?

Thanks again,
Maze

mauserme

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #70 on: July 20, 2007, 08:17:58 PM »
Quote
The closest thing I found was mf.sys but the description says "multifunction enumerator" by Microsoft Corporation.
Let's leave that file alone.


Quote
I guess loading all the antivirus programs + the other stuff I have already, has made the laptop really really slow. It takes over 10 min to load up and even Word takes a whole min to load. Should we stop some non-essential processes?
One resident antivirus, one resident antispyware, one firewall and Winpatrol is enough (plus any nonresident scanners you might want to use).  Windows Defender + AVG AntiSpyware + Spyware Terminator all resident is a bit much.  AVG AS will become nonresident when the trial period ends (unless you purchase it), and Defender is, well, not my first choice in protection.  So, unless you really like Defender, either keep Spyware Terminator loading at start up or purchase AVG AS, and disable the others in their respective GUIs.

It would also be good to run HJT again and fix any Symantec lines that might still be present - I'm sure you know how to do this by now.

I will be away from the forum for a couple days and will check back after the weekend  :)
« Last Edit: July 20, 2007, 08:19:41 PM by mauserme »

mauserme

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #71 on: July 24, 2007, 02:33:01 AM »
Hey Maze, I'm back. 

Is it booting any better?

Maze

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #72 on: July 26, 2007, 04:41:56 AM »
Hi Mauserme,
Hope you had a nice weekend. Sorry for the late reply, I had a small accident over the weekend, so kinda have been in a lot of pain recently. So just fired up the laptop after a few days.

Status quo:
1) Booting is just as before since I have not changed anything. How do I check what is currently loading at start up?

2) Did not find Symantec in HJT log

3) I am posting my current HJT log. Please tell me if you see any anomalies. I am still a 3-week old novice at this.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:23 PM, on 7/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Installed\Anti Virus\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Installed\Anti Virus\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Installed\Anti Virus\ashServ.exe
C:\Program Files\Installed\Anti Virus\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Installed\Anti Virus\Comodo\Firewall\CPF.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Installed\Anti Virus\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Installed\Anti Virus\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Installed\Anti Virus\ashMaiSv.exe
C:\Program Files\Installed\Anti Virus\ashWebSv.exe
C:\Program Files\Internet\Firefox Browser\firefox.exe
C:\Program Files\Installed\Anti Virus\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Installed\Anti Virus\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Installed\Anti Virus\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\Installed\PDFill\\DownloadPDF.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\Installed\Anti Virus\SuperAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Installed\Anti Virus\AdAware2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Installed\Anti Virus\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Installed\Anti Virus\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Installed\Anti Virus\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Installed\Anti Virus\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Installed\Anti Virus\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Installed\Anti Virus\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 5842 bytes

Thank you.

mauserme

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #73 on: July 26, 2007, 05:28:44 AM »
It sounds like my weekend was a lot better than yours.  Hope you're feeling better soon.

I don't see any more remnants of Symantec in your most recent HJT log so SymNRT did its job.  I just noticed, though, that you also have AdAware loading at startup too.  This is one I would definitely disable and use as an on-demand scanner only.

Get the anti-spyware/adware startups down to a single program and let me know how the computer boots.
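As an added illustration of the startup triage mauserme describes (one resident antivirus, one anti-spyware, one firewall), here is a small Python script that is not part of this thread and not HijackThis's own code: it parses an HJT 2.0 log, groups the security products loaded by O4/O20/O23 lines by role, and flags roles with more than one resident product, known products running with no listed startup line, "(no file)" leftovers and any remaining Symantec lines. The product table and the log excerpt are constructed from names that appear in the thread and are assumptions, not HJT's own classification.

```python
"""Summarise which resident security products a HijackThis 2.0 log loads at startup.

Added example for this thread (not HijackThis's own code). The log excerpt and the
product table below are constructed from the products named in the thread.
"""
import re
from collections import defaultdict

# Constructed excerpt modelled on the logs posted in the thread; not a complete log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Installed\Anti Virus\Windows Defender\MsMpEng.exe
C:\Program Files\Installed\Anti Virus\ashServ.exe
C:\Program Files\Installed\Anti Virus\AdAware2007\aawservice.exe
C:\Program Files\Installed\Anti Virus\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Installed\Anti Virus\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Installed\Anti Virus\AdAware2007\aawservice.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Installed\Anti Virus\ashServ.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Installed\Anti Virus\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
"""

# Hypothetical lookup table (an assumption, not HJT's): lower-case substrings of a
# path or description, the product they identify, and its role when resident.
PRODUCTS = [
    (("avast", "ashserv", "ashmaisv", "ashwebsv", "aswupdsv"), "avast!", "antivirus"),
    (("symantec", "norton"), "Symantec/Norton", "antivirus"),
    (("windows defender", "msmpeng"), "Windows Defender", "antispyware"),
    (("avg anti-spyware",), "AVG Anti-Spyware", "antispyware"),
    (("ad-aware", "adaware", "aawservice"), "Ad-Aware 2007", "antispyware"),
    (("spyware terminator", "sp_rsser"), "Spyware Terminator", "antispyware"),
    (("superantispyware", "saswinlo"), "SUPERAntiSpyware", "antispyware"),
    (("comodo",), "COMODO Firewall", "firewall"),
]

# HJT lines look like "O23 - Service: ..." or "R3 - URLSearchHook: ..."
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")


def parse_hjt(text):
    """Return (running process paths, [(code, body)] for every R/F/N/O line)."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process block
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def classify(text):
    """Map a path or HJT entry body to (product, role), or None if unknown."""
    low = text.lower()
    for needles, product, role in PRODUCTS:
        if any(n in low for n in needles):
            return product, role
    return None


def startup_products(entries):
    """Products loaded via O4 (Run keys), O20 (Winlogon Notify) or O23 (services), by role."""
    by_role = defaultdict(set)
    for code, body in entries:
        if code in ("O4", "O20", "O23"):
            hit = classify(body)
            if hit:
                by_role[hit[1]].add(hit[0])
    return {role: sorted(products) for role, products in by_role.items()}


def overloaded_roles(entries):
    """Roles with more than one resident product (the thread's one-per-role advice)."""
    return sorted(r for r, products in startup_products(entries).items() if len(products) > 1)


def running_without_startup_entry(processes, entries):
    """Known products running although no O4/O20/O23 line loads them."""
    listed = {p for products in startup_products(entries).values() for p in products}
    running = {classify(p)[0] for p in processes if classify(p)}
    return sorted(running - listed)


def dangling_entries(entries):
    """Entries whose target is gone ('(no file)'): leftovers that can be fixed in HJT."""
    return [(code, body) for code, body in entries if body.endswith("(no file)")]


def vendor_entries(entries, vendor):
    """All entries mentioning a vendor, e.g. Symantec lines left after the removal tool."""
    return [(code, body) for code, body in entries if vendor.lower() in body.lower()]


if __name__ == "__main__":
    procs, ents = parse_hjt(SAMPLE_LOG)
    for role, products in startup_products(ents).items():
        print(f"{role}: {', '.join(products)}")
    print("more than one resident product:", overloaded_roles(ents))
    print("running but not in startup entries:", running_without_startup_entry(procs, ents))
    print("dangling:", dangling_entries(ents))
    print("symantec lines:", vendor_entries(ents, "symantec"))
```

Run it against a full log pasted into SAMPLE_LOG; a product that shows up in the "running" list but not in the startup entries is usually a service HJT does not list, which is why a process can keep appearing after its real-time protection is switched off.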

Maze

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #74 on: July 26, 2007, 10:48:03 PM »
Hi Mauserme,
I disabled "Realtime protection" in all except
Avast
Spyware Terminator &
Comodo firewall

Questions:
C:\Program Files\Installed\Anti Virus\AdAware2007\aawservice.exe:
is still loading. Adaware.exe is not. Realtime protection is turned off. I ran the aawservice.exe manually. A command prompt window came up and disappeared.

C:\Program Files\Installed\Anti Virus\Windows Defender\MsMpEng.exe:
Windows defender real time is turned off too, but this file is in the HJT log

C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe:
Is this ok?

The rest I am assuming are registers, not sure how to interpret them. (noticed adaware in there too). Should I use HJT to stop these, or should I uninstall or have I missed an option in settings?

Posted is the most recent HJT log after making the updates you recommended followed by a restart.

Thanks a lot again.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:27:32 PM, on 7/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Installed\Anti Virus\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Installed\Anti Virus\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Installed\Anti Virus\ashServ.exe
C:\Program Files\Installed\Anti Virus\Comodo\Firewall\CPF.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Installed\Anti Virus\AdAware2007\aawservice.exe
C:\Program Files\Installed\Anti Virus\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Installed\Anti Virus\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet\Firefox Browser\firefox.exe
C:\Program Files\Installed\Anti Virus\ashMaiSv.exe
C:\Program Files\Installed\Anti Virus\ashWebSv.exe
C:\Program Files\Installed\Anti Virus\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Installed\Anti Virus\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\Installed\PDFill\\DownloadPDF.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\Installed\Anti Virus\SuperAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Installed\Anti Virus\AdAware2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Installed\Anti Virus\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Installed\Anti Virus\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Installed\Anti Virus\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Installed\Anti Virus\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Installed\Anti Virus\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Installed\Anti Virus\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 5716 bytes