Author Topic: Help to remove FOTOMOTO.A Trojan  (Read 55657 times)


Maze

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #15 on: July 08, 2007, 10:15:15 PM »
One more - ComboFix Quarantined Files:

2003-08-13 12:08      135168    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\wpcap.dll.vir
2003-08-13 12:08      36864    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\packet.dll.vir
2006-06-27 10:39      767    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\Family\Desktop\Internet Explorer.lnk.vir
2007-04-01 14:05      89    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\Family\APPLIC~1\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol.vir
2007-06-02 16:00      21    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\zxdnt3d.cfg.vir
2007-07-08 14:47      2956    --a------    C:\Qoobox\Quarantine\Registry_backups\services_DomainService.reg.cf
2007-07-08 14:47      846    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_DOMAINSERVICE.reg.cf


Folder PATH listing
Volume serial number is 70BA-881B
C:\QOOBOX
\---Quarantine
    +---C
    |   +---DOCUME~1
    |   |   \---Family
    |   |       +---APPLIC~1
    |   |       |   \---Macromedia
    |   |       |       \---Flash Player
    |   |       |           \---macromedia.com
    |   |       |               \---support
    |   |       |                   \---flashplayer
    |   |       |                       \---sys
    |   |       |                           \---#www.broadcaster.com
    |   |       |                                   settings.sol.vir
    |   |       |                                   
    |   |       \---Desktop
    |   |               Internet Explorer.lnk.vir
    |   |               
    |   \---WINDOWS
    |       \---system32
    |               packet.dll.vir
    |               wpcap.dll.vir
    |               zxdnt3d.cfg.vir
    |               
    \---Registry_backups
            LEGACY_DOMAINSERVICE.reg.cf
            services_DomainService.reg.cf
           

mauserme

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #16 on: July 08, 2007, 10:39:48 PM »
You have some very old, exploitable Java on this computer.

There is an uninstaller for Microsoft Java here

http://www.softpedia.com/get/System/System-Miscellaneous/MSJVM-Removal-Tool.shtml

You will see all sorts of warnings that once uninstalled you can't go back.  It's best disposed of and replaced by the current Sun Java which you can download from

http://filehippo.com/download_java_runtime/

Once you've installed this, open Add/Remove Programs in the Control Panel and uninstall any older versions of Java you find (particularly 1.4.2).  You will need this step because neither the MS uninstaller nor the Sun update will remove these versions.


After you're finished with that, upload this file to Virus Total and post the analysis results.

C:\WINDOWS\system32\drivers\njyoxcnhlwus.sys


Now open HJT again and click to do a System Scan Only.  Place a check mark next to these lines

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)

O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)


Close all other windows, including your browser, and click Fix Checked.  Close HJT when that's complete.

You seem to either be in the middle of installing a program called Narrator or the installation hung.  Are you aware of the program?  Has the installation completed successfully?

Maze

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #17 on: July 09, 2007, 01:55:29 AM »
Hi Mauserme,
The only Narrator I am aware of is the MS text-to-speech program. I probably did check it out when I first installed XP, but never after that. Is there a way to stop it if it's still installing?

Also, one other recent pop-up that came up was that of a program called "Magic Folders". It's basically a program that hides folders. I tried the program during the trial period. I have been trying to uninstall it but it gives me an error saying "try after disabling Spyagent monitoring". Upon googling Spyagent and reading up on their site, it's software that actually saves keystrokes, with a remote monitoring option. That is even worse than viruses and trojans. Are there any processes that can be stopped through Hijackthis to prevent Spyagent or disable it? I have searched high and low on my computer but been unable to track it down.

As per your suggestion, posting report from Virus Total: (thanks)
C:\WINDOWS\system32\drivers\njyoxcnhlwus.sys
==========
Complete scanning result of "njyoxcnhlwus.sys", received in VirusTotal at 07.09.2007, 01:02:13 (CET).
Antivirus   Version   Update   Result
AhnLab-V3         2007.7.7.0   07.06.2007   no virus found
AntiVir                     7.4.0.39        07.08.2007   no virus found
Authentium          4.93.8             07.07.2007   no virus found
Avast                     4.7.997.0      07.08.2007   no virus found
AVG                     7.5.0.476      07.08.2007   no virus found
BitDefender            7.2               07.09.2007   no virus found
CAT-QuickHeal         9.00             07.07.2007   no virus found
ClamAV                   devel-20070416   07.08.2007   no virus found
DrWeb                   4.33              07.08.2007   no virus found
eSafe                  7.0.15.0              07.08.2007   no virus found
eTrust-Vet        30.8.3769            07.07.2007   no virus found
Ewido                   4.0                 07.08.2007   no virus found
FileAdvisor            1                07.09.2007   no virus found
Fortinet           2.91.0.0                07.09.2007   no virus found
F-Prot                   4.3.2.48     07.06.2007   no virus found
Ikarus                   T3.1.1.8     07.08.2007   no virus found
Kaspersky               4.0.2.24   07.08.2007   no virus found
McAfee                  5069            07.06.2007   no virus found
Microsoft                1.2704          07.09.2007   no virus found
NOD32v2                  2384          07.08.2007   no virus found
Norman                   5.80.02          07.06.2007   no virus found
Panda                       9.0.0.4   07.08.2007   no virus found
Sophos                     4.19.0        07.06.2007   no virus found
Sunbelt                     2.2.907.0        07.07.2007   no virus found
Symantec                 10            07.08.2007   no virus found
TheHacker                 6.1.6.143   07.05.2007   no virus found
VBA32                       3.12.0.2       07.08.2007   no virus found
VirusBuster                4.3.23:9      07.08.2007   no virus found
Webwasher-Gateway   6.0.1        07.08.2007   no virus found
Aditional Information
File size: 8704 bytes
MD5: 34d44edd829476e085f5c22ac9dfe315
SHA1: 409f8e1239c67925b4f7d137af35a30ddb40235a

===============

mauserme

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #18 on: July 09, 2007, 06:00:39 AM »
Click Start and open Control Panel>Administrative Tools>Services.  Scroll down the list to Narrator and double click it.  In the window that opens click the Stop button.  Then, just above the Stop button, drop down the Start Up Type and choose Disabled.  Click OK and close the Services, Administrative Tools, and Control Panel windows.

Now open HJT, place a check next to these lines, and fix them after closing all other windows

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')




I don't see Spyagent on the HJT log so let's try something different.

Download WinPFind3u.exe  to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
      <list of options>
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.


I would also like you to download OTMoveIt by OldTimer.  Save it to your desktop but don't do anything with it just yet.

Do you recall how long ago you installed Magic Folders/Spyagent?

Maze

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #19 on: July 09, 2007, 05:43:07 PM »
Narrator is not in the “Services” List within Administrative Tools. Could I still go ahead and use HJT to fix the Narrator service or does something else have to be done before?

Magic Folders Uninstallation/Spyagent Error
As of July 9, 2007 I have exceeded the “Magic Folders” evaluation period by 227 days. So a total of 257 days. I installed it, checked it out, but then completely forgot about it, until all this came up.
This is my personal computer, but I do a lot of work-related stuff on it too. So I would never install something like Spyagent on this. I became aware of it when I tried uninstalling Magic Folders and the Magic Folders uninstallation conflicted with SpyAgent. So I contacted Spytech technical support and in reply to my query they emailed the following:
“If you do not see the program installed in either of folders, it is likely that the program magic folders, gives false positive & spyagent is not actually there.
SpyAgent Stealth Install Directory: c:/program files/sysconfig
Default non-stealth Install Directory:
c:/program files/spytech software/spytech spyagent”

These folders were not in the computer, unless they are masked in some way. Hence I searched MagicFolders FAQs and as per their instruction re-installed mfx.exe and retried without effect. I have sent an email out to their helpdesk, but no reply yet. Also I do not know how to deal with false positives if it is one. But I am really concerned about a keystroke capturing program like SpyAgent being installed on my computer. That could be quite disastrous.

Winpfind3u log will follow in the next few posts. It's big, so I am dividing it up as you suggested.

Maze

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #20 on: July 09, 2007, 05:45:08 PM »
Winp3u log:

WinPFind3 logfile created on: 7/9/2007 11:30:11 AM
WinPFind3U by OldTimer - Version 1.0.39   Folder = E:\Program Files\Anti Virus\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5730.11)
 
1022.73 Mb Total Physical Memory | 614.86 Mb Available Physical Memory | 60.12% Memory free
2.40 Gb Paging File | 2.10 Gb Available in Paging File | 87.52% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29.29 Gb Total Space | 15.24 Gb Free Space | 52.04% Space Free
Drive D: | 29.29 Gb Total Space | 4.20 Gb Free Space | 14.33% Space Free
Drive E: | 53.19 Gb Total Space | 14.00 Gb Free Space | 26.32% Space Free
F: Drive not present or media not loaded

Computer Name: HOMEUSER
Current User Name: Mr.C!
Logged in as Administrator.
Current Boot Mode: Normal


[Processes - Non-Microsoft Only]
aolsoftware.exe -> %CommonProgramFiles%\AOL\1141834038\ee\AOLSoftware.exe -> America Online, Inc. [Ver = 1.4.9.1 | Size = 50792 bytes | Modified Date = 11/2/2005 11:01:14 PM | Attr =    ]
ashdisp.exe -> E:\Program Files\Anti Virus\Avast\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 75392 bytes | Modified Date = 4/30/2007 11:42:48 AM | Attr =    ]
ashmaisv.exe -> E:\Program Files\Anti Virus\Avast\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 243328 bytes | Modified Date = 4/30/2007 12:04:38 PM | Attr =    ]
ashserv.exe -> E:\Program Files\Anti Virus\Avast\ashServ.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 132736 bytes | Modified Date = 4/30/2007 11:42:40 AM | Attr =    ]
ashwebsv.exe -> E:\Program Files\Anti Virus\Avast\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 345728 bytes | Modified Date = 4/30/2007 11:41:28 AM | Attr =    ]
aswupdsv.exe -> E:\Program Files\Anti Virus\Avast\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 16512 bytes | Modified Date = 4/30/2007 11:29:56 AM | Attr =    ]
devdtct2.exe -> %ProgramFiles%\Olympus\DeviceDetector\DevDtct2.exe -> OLYMPUS Corporation. [Ver = 2, 4, 3, 1 | Size = 114688 bytes | Modified Date = 1/16/2004 3:45:08 PM | Attr =    ]
firefox.exe -> E:\Program Files\Internet\Mozilla\firefox.exe -> Mozilla Corporation [Ver = 1.8.1.4: 2007051502 | Size = 7637104 bytes | Modified Date = 5/15/2007 3:33:24 PM | Attr =    ]
guard.exe -> E:\Program Files\Anti Virus\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 5/30/2007 8:31:10 AM | Attr =    ]
hotsync.exe -> %ProgramFiles%\palmOne\Hotsync.exe -> PalmSource, Inc [Ver = 6.0.1 | Size = 471040 bytes | Modified Date = 6/9/2004 2:16:08 PM | Attr =    ]
hpqgalry.exe -> %ProgramFiles%\HP\Digital Imaging\bin\hpqgalry.exe -> Hewlett-Packard Co. [Ver = 043.001.005.000 | Size = 520192 bytes | Modified Date = 5/28/2004 11:08:52 PM | Attr =    ]
hpwuschd2.exe -> %ProgramFiles%\HP\HP Software Update\HPWuSchd2.exe -> Hewlett-Packard Company [Ver = 2, 0, 39, 0 | Size = 49152 bytes | Modified Date = 2/12/2004 1:38:56 PM | Attr =    ]
ipodservice.exe -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Computer, Inc. [Ver = 6.0.5.20 | Size = 323584 bytes | Modified Date = 6/14/2006 4:23:58 PM | Attr =    ]
ituneshelper.exe -> E:\Program Files\Utilities\iTunes&Quicktime\iTunesHelper.exe -> Apple Computer, Inc. [Ver = 6.0.5.20 | Size = 278528 bytes | Modified Date = 6/14/2006 4:24:14 PM | Attr =    ]
jusched.exe -> E:\Program Files\Utilities\Java Runtime Environment\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 132760 bytes | Modified Date = 6/14/2007 6:32:40 PM | Attr =    ]
logitray.exe -> E:\Program Files\Internet\Logitech WebCam\LogiTray.exe -> Logitech Inc. [Ver = 8.1.1.1100 | Size = 77824 bytes | Modified Date = 8/29/2003 3:20:02 PM | Attr =    ]
lvcoms.exe -> %System32%\LVComS.exe -> Logitech Inc. [Ver = 8.1.1.1100 | Size = 135214 bytes | Modified Date = 8/29/2003 2:44:50 PM | Attr =    ]
nvsvc32.exe -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.4469 | Size = 73728 bytes | Modified Date = 6/18/2003 1:31:00 AM | Attr =    ]
qttask.exe -> E:\Program Files\Utilities\Quicktime\qttask.exe -> Apple Computer, Inc. [Ver = 7.1.5 | Size = 282624 bytes | Modified Date = 2/16/2007 10:54:04 AM | Attr =    ]
realsched.exe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe -> RealNetworks, Inc. [Ver = 0.1.0.3510 | Size = 180269 bytes | Modified Date = 4/25/2006 8:53:20 PM | Attr =    ]
saservice.exe -> %ProgramFiles%\SiteAdvisor\6066\SAService.exe -> McAfee, Inc. [Ver = 2.4.0 | Size = 321064 bytes | Modified Date = 6/3/2007 10:49:56 PM | Attr =    ]
winpfind3u.exe -> E:\Program Files\Anti Virus\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.38.0 | Size = 322048 bytes | Modified Date = 6/23/2007 3:15:54 PM | Attr =    ]

[Win32 Services - Non-Microsoft Only]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] -> E:\Program Files\Anti Virus\Avast\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 16512 bytes | Modified Date = 4/30/2007 11:29:56 AM | Attr =    ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] -> E:\Program Files\Anti Virus\Avast\ashServ.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 132736 bytes | Modified Date = 4/30/2007 11:42:40 AM | Attr =    ]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running] -> E:\Program Files\Anti Virus\Avast\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 243328 bytes | Modified Date = 4/30/2007 12:04:38 PM | Attr =    ]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Running] -> E:\Program Files\Anti Virus\Avast\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 345728 bytes | Modified Date = 4/30/2007 11:41:28 AM | Attr =    ]
(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running] -> E:\Program Files\Anti Virus\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 5/30/2007 8:31:10 AM | Attr =    ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 3:56:48 AM | Attr =    ]
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\11\Intel 32\IDriverT.exe -> Macrovision Corporation [Ver = 11.00.28844 | Size = 69632 bytes | Modified Date = 4/4/2005 12:41:10 AM | Attr =    ]
(iPodService) iPodService [Win32_Own | On_Demand | Running] -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Computer, Inc. [Ver = 6.0.5.20 | Size = 323584 bytes | Modified Date = 6/14/2006 4:23:58 PM | Attr =    ]
(NVSvc) NVIDIA Driver Helper Service [Win32_Own | Auto | Running] -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.4469 | Size = 73728 bytes | Modified Date = 6/18/2003 1:31:00 AM | Attr =    ]
(Pml Driver HPZ12) Pml Driver HPZ12 [Win32_Own | On_Demand | Stopped] -> %System32%\HPZipm12.exe -> HP [Ver = 8, 0, 0, 0 | Size = 65536 bytes | Modified Date = 3/18/2004 4:55:48 PM | Attr =    ]
(SiteAdvisor Service) SiteAdvisor Service [Win32_Own | Auto | Running] -> %ProgramFiles%\SiteAdvisor\6066\SAService.exe -> McAfee, Inc. [Ver = 2.4.0 | Size = 321064 bytes | Modified Date = 6/3/2007 10:49:56 PM | Attr =    ]

Winp3u log will continue in next post

Maze

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #21 on: July 09, 2007, 05:55:09 PM »
Hi Mauserme,

Additional scans: the "check list" in your post wasn't visible, so I had to select all. The log generated is huge; it's going to take at least 25-30 posts, and it may be more helpful and shorter if you could repost the check marks I have to make in Winp3u (it shows up as <list of options> in your previous post), else I will post the entire log. There is no way to upload a text file in here, is there?

Thanks!

Maze

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #22 on: July 09, 2007, 05:57:21 PM »
Also, in Winp3u should I select files created within the last 30, 60, 90 days or none? Sorry, just trying to narrow this down to make a concise list.

mauserme

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #23 on: July 09, 2007, 06:31:38 PM »
Well, it would be nice if I would give you all the information you need ...

These settings should be fine


[Screenshot of the WinPFind3u scan settings, posted 2007-07-09]

Maze

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #24 on: July 09, 2007, 07:06:37 PM »
Hi, thanks for the info.

Below is the winpfind3u log. (5 posts including this one)

WinPFind3 logfile created on: 7/9/2007 12:46:11 PM
WinPFind3U by OldTimer - Version 1.0.39   Folder = E:\Program Files\Anti Virus\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5730.11)
 
1022.73 Mb Total Physical Memory | 661.89 Mb Available Physical Memory | 64.72% Memory free
2.40 Gb Paging File | 2.14 Gb Available in Paging File | 89.18% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29.29 Gb Total Space | 15.24 Gb Free Space | 52.03% Space Free
Drive D: | 29.29 Gb Total Space | 4.20 Gb Free Space | 14.33% Space Free
Drive E: | 53.19 Gb Total Space | 14.00 Gb Free Space | 26.31% Space Free
F: Drive not present or media not loaded

Computer Name: HOMEUSER
Current User Name: Mr.C!
Logged in as Administrator.
Current Boot Mode: Normal


[Processes - Non-Microsoft Only]
aolsoftware.exe -> %CommonProgramFiles%\AOL\1141834038\ee\AOLSoftware.exe -> America Online, Inc. [Ver = 1.4.9.1 | Size = 50792 bytes | Modified Date = 11/2/2005 11:01:14 PM | Attr =    ]
ashdisp.exe -> E:\Program Files\Anti Virus\Avast\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 75392 bytes | Modified Date = 4/30/2007 11:42:48 AM | Attr =    ]
ashmaisv.exe -> E:\Program Files\Anti Virus\Avast\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 243328 bytes | Modified Date = 4/30/2007 12:04:38 PM | Attr =    ]
ashserv.exe -> E:\Program Files\Anti Virus\Avast\ashServ.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 132736 bytes | Modified Date = 4/30/2007 11:42:40 AM | Attr =    ]
ashwebsv.exe -> E:\Program Files\Anti Virus\Avast\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 345728 bytes | Modified Date = 4/30/2007 11:41:28 AM | Attr =    ]
aswupdsv.exe -> E:\Program Files\Anti Virus\Avast\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 16512 bytes | Modified Date = 4/30/2007 11:29:56 AM | Attr =    ]
devdtct2.exe -> %ProgramFiles%\Olympus\DeviceDetector\DevDtct2.exe -> OLYMPUS Corporation. [Ver = 2, 4, 3, 1 | Size = 114688 bytes | Modified Date = 1/16/2004 3:45:08 PM | Attr =    ]
guard.exe -> E:\Program Files\Anti Virus\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 5/30/2007 8:31:10 AM | Attr =    ]
hotsync.exe -> %ProgramFiles%\palmOne\Hotsync.exe -> PalmSource, Inc [Ver = 6.0.1 | Size = 471040 bytes | Modified Date = 6/9/2004 2:16:08 PM | Attr =    ]
hpqgalry.exe -> %ProgramFiles%\HP\Digital Imaging\bin\hpqgalry.exe -> Hewlett-Packard Co. [Ver = 043.001.005.000 | Size = 520192 bytes | Modified Date = 5/28/2004 11:08:52 PM | Attr =    ]
hpwuschd2.exe -> %ProgramFiles%\HP\HP Software Update\HPWuSchd2.exe -> Hewlett-Packard Company [Ver = 2, 0, 39, 0 | Size = 49152 bytes | Modified Date = 2/12/2004 1:38:56 PM | Attr =    ]
ipodservice.exe -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Computer, Inc. [Ver = 6.0.5.20 | Size = 323584 bytes | Modified Date = 6/14/2006 4:23:58 PM | Attr =    ]
ituneshelper.exe -> E:\Program Files\Utilities\iTunes&Quicktime\iTunesHelper.exe -> Apple Computer, Inc. [Ver = 6.0.5.20 | Size = 278528 bytes | Modified Date = 6/14/2006 4:24:14 PM | Attr =    ]
jusched.exe -> E:\Program Files\Utilities\Java Runtime Environment\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 132760 bytes | Modified Date = 6/14/2007 6:32:40 PM | Attr =    ]
logitray.exe -> E:\Program Files\Internet\Logitech WebCam\LogiTray.exe -> Logitech Inc. [Ver = 8.1.1.1100 | Size = 77824 bytes | Modified Date = 8/29/2003 3:20:02 PM | Attr =    ]
lvcoms.exe -> %System32%\LVComS.exe -> Logitech Inc. [Ver = 8.1.1.1100 | Size = 135214 bytes | Modified Date = 8/29/2003 2:44:50 PM | Attr =    ]
nvsvc32.exe -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.4469 | Size = 73728 bytes | Modified Date = 6/18/2003 1:31:00 AM | Attr =    ]
qttask.exe -> E:\Program Files\Utilities\Quicktime\qttask.exe -> Apple Computer, Inc. [Ver = 7.1.5 | Size = 282624 bytes | Modified Date = 2/16/2007 10:54:04 AM | Attr =    ]
realsched.exe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe -> RealNetworks, Inc. [Ver = 0.1.0.3510 | Size = 180269 bytes | Modified Date = 4/25/2006 8:53:20 PM | Attr =    ]
saservice.exe -> %ProgramFiles%\SiteAdvisor\6066\SAService.exe -> McAfee, Inc. [Ver = 2.4.0 | Size = 321064 bytes | Modified Date = 6/3/2007 10:49:56 PM | Attr =    ]
winpfind3u.exe -> E:\Program Files\Anti Virus\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.38.0 | Size = 322048 bytes | Modified Date = 6/23/2007 3:15:54 PM | Attr =    ]

[Win32 Services - Non-Microsoft Only]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] -> E:\Program Files\Anti Virus\Avast\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 16512 bytes | Modified Date = 4/30/2007 11:29:56 AM | Attr =    ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] -> E:\Program Files\Anti Virus\Avast\ashServ.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 132736 bytes | Modified Date = 4/30/2007 11:42:40 AM | Attr =    ]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running] -> E:\Program Files\Anti Virus\Avast\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 243328 bytes | Modified Date = 4/30/2007 12:04:38 PM | Attr =    ]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Running] -> E:\Program Files\Anti Virus\Avast\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 345728 bytes | Modified Date = 4/30/2007 11:41:28 AM | Attr =    ]
(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running] -> E:\Program Files\Anti Virus\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 5/30/2007 8:31:10 AM | Attr =    ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 3:56:48 AM | Attr =    ]
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\11\Intel 32\IDriverT.exe -> Macrovision Corporation [Ver = 11.00.28844 | Size = 69632 bytes | Modified Date = 4/4/2005 12:41:10 AM | Attr =    ]
(iPodService) iPodService [Win32_Own | On_Demand | Running] -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Computer, Inc. [Ver = 6.0.5.20 | Size = 323584 bytes | Modified Date = 6/14/2006 4:23:58 PM | Attr =    ]
(NVSvc) NVIDIA Driver Helper Service [Win32_Own | Auto | Running] -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.4469 | Size = 73728 bytes | Modified Date = 6/18/2003 1:31:00 AM | Attr =    ]
(Pml Driver HPZ12) Pml Driver HPZ12 [Win32_Own | On_Demand | Stopped] -> %System32%\HPZipm12.exe -> HP [Ver = 8, 0, 0, 0 | Size = 65536 bytes | Modified Date = 3/18/2004 4:55:48 PM | Attr =    ]
(SiteAdvisor Service) SiteAdvisor Service [Win32_Own | Auto | Running] -> %ProgramFiles%\SiteAdvisor\6066\SAService.exe -> McAfee, Inc. [Ver = 2.4.0 | Size = 321064 bytes | Modified Date = 6/3/2007 10:49:56 PM | Attr =    ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
avast! -> E:\Program Files\Anti Virus\Avast\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 75392 bytes | Modified Date = 4/30/2007 11:42:48 AM | Attr =    ]
HostManager -> %CommonProgramFiles%\AOL\1141834038\ee\AOLSoftware.exe -> America Online, Inc. [Ver = 1.4.9.1 | Size = 50792 bytes | Modified Date = 11/2/2005 11:01:14 PM | Attr =    ]
HP Software Update -> %ProgramFiles%\HP\HP Software Update\HPWuSchd2.exe -> Hewlett-Packard Company [Ver = 2, 0, 39, 0 | Size = 49152 bytes | Modified Date = 2/12/2004 1:38:56 PM | Attr =    ]
iTunesHelper -> E:\Program Files\Utilities\iTunes&Quicktime\iTunesHelper.exe -> Apple Computer, Inc. [Ver = 6.0.5.20 | Size = 278528 bytes | Modified Date = 6/14/2006 4:24:14 PM | Attr =    ]

WinpFind3u continues in next post.
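As an added example (not code from this thread, nor part of WinPFind3U or HijackThis), the Python script below parses the registry section of a WinPFind3U log in the format posted above and applies the triage the helper does by hand: autostart entries whose target is missing (the "File not found" rows, the same class HJT shows as "(no file)") are flagged for cleanup, and entries with no publisher information are flagged for hashing and a VirusTotal check, with a higher severity when they sit in logon-related load points such as SecurityProviders or Winlogon\Notify. The sample lines are copied from the log posted in this thread; the severity labels and the list of sensitive sections are this example's own choices.

```python
"""Triage helper for the registry section of a WinPFind3U log (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Section header: "< Run [HKLM] > -> HKEY_LOCAL_MACHINE\...\Run ->"
SECTION_RE = re.compile(r"^< (?P<name>.+?) > -> (?P<key>.+?) ->$")
# Entry row: "<label> -> <path> -> <publisher> [Ver = .. | Size = .. bytes | Modified Date = .. | Attr = ..]"
# or "<label> -> <path> -> File not found" (path may be empty).
ENTRY_RE = re.compile(r"^(?P<label>.*?) -> (?P<path>.*?) -> (?P<rest>.*)$")
DETAIL_RE = re.compile(
    r"^(?P<publisher>.*?)\s*\[Ver = (?P<ver>.*?) \| Size = (?P<size>\d+) bytes"
    r" \| Modified Date = (?P<date>.*?) \| Attr =\s*(?P<attr>.*?)\s*\]$"
)

# Load points where an unidentified DLL runs inside the logon/security path.
# This list is the example's own assumption, not something WinPFind3U defines.
SENSITIVE_SECTIONS = ("SecurityProviders", "Winlogon\\Notify", "ShellExecuteHooks")


@dataclass
class Entry:
    section: str
    label: str
    path: str
    file_found: bool
    publisher: str = ""
    version: str = ""
    size: Optional[int] = None


def parse_log(text: str) -> List[Entry]:
    """Parse entry rows into Entry objects, tracking the current "< ... >" section."""
    entries: List[Entry] = []
    section = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name")
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # blank lines, "[Registry - ...]" banners, "Installed = 1" rows
        label, path, rest = m.group("label"), m.group("path"), m.group("rest")
        if rest.startswith("File not found"):
            entries.append(Entry(section, label, path, file_found=False))
            continue
        d = DETAIL_RE.match(rest)
        if not d:
            continue  # row shape this parser does not know; leave it for manual review
        entries.append(Entry(section, label, path, True,
                             d.group("publisher").strip(), d.group("ver").strip(),
                             int(d.group("size"))))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Return (severity, label, reason) for the rows a reviewer should act on."""
    findings: List[Tuple[str, str, str]] = []
    for e in entries:
        if not e.file_found:
            # Orphaned autostart entry: nothing runs, but it clutters the log and
            # is what the helper removes with HJT's "Fix checked".
            findings.append(("low", e.label, "orphaned entry, target file missing"))
        elif not e.publisher:
            sensitive = any(s in e.section for s in SENSITIVE_SECTIONS)
            severity = "high" if sensitive else "medium"
            findings.append((severity, e.label,
                             f"no publisher info in '{e.section}'; hash the file and check it (e.g. VirusTotal)"))
    return findings


# Sample rows copied from the WinPFind3U log posted in this thread.
SAMPLE_LOG = r"""
[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
avast! -> E:\Program Files\Anti Virus\Avast\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 75392 bytes | Modified Date = 4/30/2007 11:42:48 AM | Attr =    ]
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
Aim6 ->  -> File not found
FolderShare -> E:\Program Files\Utilities\FolderShare\FolderShare.exe -> File not found
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
zwebauth.dll -> %System32%\ZWebAuth.dll ->  [Ver =  | Size = 16973 bytes | Modified Date = 9/18/2001 7:37:34 PM | Attr =    ]
"""

if __name__ == "__main__":
    for severity, label, reason in triage(parse_log(SAMPLE_LOG)):
        print(f"[{severity:6}] {label}: {reason}")
```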

Maze

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #25 on: July 09, 2007, 07:08:28 PM »
WinpFind3u log continues:

LogitechVideoRepair -> E:\Program Files\Internet\Logitech WebCam\ISStart.exe -> Logitech Inc. [Ver = 8.1.1.1100 | Size = 188416 bytes | Modified Date = 8/29/2003 3:17:26 PM | Attr =    ]
LogitechVideoTray -> E:\Program Files\Internet\Logitech WebCam\LogiTray.exe -> Logitech Inc. [Ver = 8.1.1.1100 | Size = 77824 bytes | Modified Date = 8/29/2003 3:20:02 PM | Attr =    ]
nwiz -> %System32%\nwiz.exe -> NVIDIA Corporation [Ver = 6.14.10.4469 | Size = 323584 bytes | Modified Date = 6/18/2003 1:31:00 AM | Attr =    ]
QuickTime Task -> E:\Program Files\Utilities\Quicktime\qttask.exe -> Apple Computer, Inc. [Ver = 7.1.5 | Size = 282624 bytes | Modified Date = 2/16/2007 10:54:04 AM | Attr =    ]
SunJavaUpdateSched -> E:\Program Files\Utilities\Java Runtime Environment\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 132760 bytes | Modified Date = 6/14/2007 6:32:40 PM | Attr =    ]
TkBellExe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe -> RealNetworks, Inc. [Ver = 0.1.0.3510 | Size = 180269 bytes | Modified Date = 4/25/2006 8:53:20 PM | Attr =    ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
Aim6 ->  -> File not found
FolderShare -> E:\Program Files\Utilities\FolderShare\FolderShare.exe -> File not found
< Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
%AllUsersStartup%\Adobe Gamma Loader.exe.lnk -> %CommonProgramFiles%\Adobe\Calibration\Adobe Gamma Loader.exe -> Adobe Systems, Inc. [Ver = 1, 0, 0, 1 | Size = 113664 bytes | Modified Date = 11/4/1999 4:06:48 PM | Attr =    ]
%AllUsersStartup%\Device Detector 2.lnk -> %ProgramFiles%\Olympus\DeviceDetector\DevDtct2.exe -> OLYMPUS Corporation. [Ver = 2, 4, 3, 1 | Size = 114688 bytes | Modified Date = 1/16/2004 3:45:08 PM | Attr =    ]
%AllUsersStartup%\HotSync Manager.lnk -> %ProgramFiles%\palmOne\Hotsync.exe -> PalmSource, Inc [Ver = 6.0.1 | Size = 471040 bytes | Modified Date = 6/9/2004 2:16:08 PM | Attr =    ]
%AllUsersStartup%\HP Image Zone Fast Start.lnk -> %ProgramFiles%\HP\Digital Imaging\bin\hpqthb08.exe -> Hewlett-Packard Co. [Ver = 043.001.005.000 | Size = 53248 bytes | Modified Date = 5/28/2004 11:06:36 PM | Attr =    ]
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks ->
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKLM] -> E:\Program Files\Anti Virus\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] -> GRISOFT s.r.o. [Ver = 7, 5, 1, 36 | Size = 79408 bytes | Modified Date = 5/30/2007 8:29:58 AM | Attr =    ]
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} [HKLM] -> E:\Program Files\Anti Virus\SuperAntiSpyware\SASSEH.DLL [] -> SuperAdBlocker.com [Ver = 1, 0, 0, 1008 | Size = 77824 bytes | Modified Date = 12/20/2006 1:55:48 PM | Attr =    ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
*SecurityProviders* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
zwebauth.dll -> %System32%\ZWebAuth.dll ->  [Ver =  | Size = 16973 bytes | Modified Date = 9/18/2001 7:37:34 PM | Attr =    ]
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
!SASWinLogon -> E:\Program Files\Anti Virus\SuperAntiSpyware\SASWINLO.dll -> SUPERAntiSpyware.com [Ver = 1, 0, 0, 1046 | Size = 294912 bytes | Modified Date = 4/19/2007 1:41:36 PM | Attr =    ]
NavLogon -> Reg Data - Value does not exist -> File not found
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments\\ScanWithAntiVirus -> 2 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\AllowLegacyWebView -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\AllowUnhashedWebView -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\LinkResolveIgnoreLinkInfo -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoResolveSearch -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID\\{17492023-C23A-453E-A040-C7C580BBF700} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\\NoResolveTrack -> 1 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 36 ->

WinPFind3u log continues in next post:

Maze

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #26 on: July 09, 2007, 07:10:27 PM »
WinpFind3u log continues from previous post:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\LinkResolveIgnoreLinkInfo -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun -> ÿÿÿÿ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\Shell\ ->  ->
< HOSTS File > (27 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
127.0.0.1       localhost ->  ->
< Internet Explorer Settings > ->  ->
HKLM: Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKLM: Main\\Default_Search_URL -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Bar -> http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html ->
HKLM: Search Page -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKLM: Start Page -> about:blank ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
HKCU: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKCU: Start Page -> www.bbc.co.uk ->
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
msn.com [ - ] ->  ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %CommonProgramFiles%\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 8.0.0.2006102200 | Size = 62080 bytes | Modified Date = 10/22/2006 11:08:42 PM | Attr =    ]
{089FD14D-132B-48FC-8861-0048AE113215} [HKLM] -> %ProgramFiles%\SiteAdvisor\6066\SiteAdv.dll [Reg Data - Value does not exist] -> McAfee, Inc. [Ver = 2.4.0 | Size = 1099304 bytes | Modified Date = 3/30/2007 11:41:24 AM | Attr =    ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> E:\Program Files\Utilities\Java Runtime Environment\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 509592 bytes | Modified Date = 6/14/2007 6:32:36 PM | Attr =    ]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
{0BF43445-2F28-4351-9252-17FE6E806AA0} [HKLM] -> %ProgramFiles%\SiteAdvisor\6066\SiteAdv.dll [McAfee SiteAdvisor] -> McAfee, Inc. [Ver = 2.4.0 | Size = 1099304 bytes | Modified Date = 3/30/2007 11:41:24 AM | Attr =    ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> Reg Data - Value does not exist [&Google] -> File not found
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %System32%\msjava.dll [MenuText: Sun Java Console] -> File not found
{4528BBE0-4E08-11D5-AD55-00010333D0AD} -> Reg Data - Value does not exist [ButtonText: Messenger] -> File not found
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -> Reg Data - Value does not exist [ButtonText: Real.com] -> File not found
{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> Reg Data - Key not found [MenuText: @xpsp3res.dll,-20001] -> File not found
{FB858B22-55E2-413f-87F5-30ADC5552151} -> E:\Program Files\Utilities\PDFill\DownloadPDF.exe [ButtonText: PDFill PDF Editor] -> PlotSoft LLC [Ver = 1.1 | Size = 172032 bytes | Modified Date = 2/23/2006 9:26:38 PM | Attr =    ]
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{26BD2C10-1C5D-4554-ACE7-5448D9FEC5F2} ->    (3Com Gigabit LOM (3C940)) ->
{3757A94B-D174-4396-B478-AF4C6442B82E} ->    (1394 Net Adapter) ->
{FBEE8126-A5B5-43FA-9CA2-6548B4BE79E4} ->    () ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
cetihpz -> %ProgramFiles%\HP\hpcoretech\comp\hpuiprot.dll -> Hewlett-Packard Company [Ver = 2.1.5 | Size = 81920 bytes | Modified Date = 5/12/2004 3:18:56 PM | Attr =    ]
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
siteadvisor -> %ProgramFiles%\SiteAdvisor\6066\SiteAdv.dll -> McAfee, Inc. [Ver = 2.4.0 | Size = 1099304 bytes | Modified Date = 3/30/2007 11:41:24 AM | Attr =    ]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -> YInstStarter Class - CodeBase = http://download.yahoo.com/dl/installs/yinst0401.cab ->
{474F00F5-3853-492C-AC3A-476512BBC336} -> UploadListView Class - CodeBase = http://picasaweb.google.com/s/v/14.21/uploader2.cab ->
{4CCA4E6B-9259-11D9-AC6E-444553544200} ->  - CodeBase = http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01.cab ->
{611627F1-D9A5-4235-958E-618E483BF8E7} -> AutoUploader Class - CodeBase = http://www.splashbulb.com/uploader/lib/uploader.cab ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.6.0_02 - CodeBase = http://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab ->
{9F1C11AA-197B-4942-BA54-47A8489BB47F} ->  - CodeBase = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37988.6395486111 ->
{BAC01377-73DD-4796-854D-2A8997E3D68A} ->  - CodeBase = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab ->
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_02 - CodeBase = http://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_02 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} ->  - CodeBase = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab ->


[Files/Folders - Created Within 30 days]
78875.sym -> %SystemDrive%\78875.sym ->  [Ver =  | Size = 2711 bytes | Created Date = 7/8/2007 6:08:40 PM | Attr =    ]
mfx_temp -> %SystemDrive%\mfx_temp ->  [Folder | Created Date = 7/9/2007 9:53:52 AM | Attr =    ]
ord.htm -> %SystemDrive%\ord.htm ->  [Ver =  | Size = 418 bytes | Created Date = 7/9/2007 9:54:36 AM | Attr =    ]
QooBox -> %SystemDrive%\QooBox ->  [Folder | Created Date = 7/8/2007 1:47:16 PM | Attr =    ]
$NtUninstallKB929123$ -> %SystemRoot%\$NtUninstallKB929123$ ->  [Folder | Created Date = 6/15/2007 8:11:25 AM | Attr =  H ]
$NtUninstallKB935839$ -> %SystemRoot%\$NtUninstallKB935839$ ->  [Folder | Created Date = 6/15/2007 8:09:53 AM | Attr =  H ]
$NtUninstallKB935840$ -> %SystemRoot%\$NtUninstallKB935840$ ->  [Folder | Created Date = 6/15/2007 8:11:13 AM | Attr =  H ]
catchme.exe -> %SystemRoot%\catchme.exe ->  [Ver =  | Size = 104960 bytes | Created Date = 7/8/2007 1:44:53 PM | Attr =    ]
erdnt -> %SystemRoot%\erdnt ->  [Folder | Created Date = 7/8/2007 1:47:31 PM | Attr =    ]

WinPFind3u log continues in next post

Maze

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #27 on: July 09, 2007, 07:14:29 PM »
WinPFind3u log continues from previous post:

fw20.vxd -> %SystemRoot%\fw20.vxd ->  [Ver =  | Size = 79947 bytes | Created Date = 2/24/2067 3:21:18 PM | Attr =    ]
nircmd.exe -> %SystemRoot%\nircmd.exe -> NirSoft [Ver = 2.00 | Size = 51200 bytes | Created Date = 7/8/2007 1:44:53 PM | Attr =    ]
QTFont.for -> %SystemRoot%\QTFont.for ->  [Ver =  | Size = 1409 bytes | Created Date = 6/20/2007 12:10:57 PM | Attr =    ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn ->  [Ver =  | Size = 54156 bytes | Created Date = 6/20/2007 12:10:57 PM | Attr =  H ]
awgvioka.ini -> %System32%\awgvioka.ini ->  [Ver =  | Size = 903273 bytes | Created Date = 6/18/2007 9:32:17 PM | Attr =  HS]
awwqhkbm.ini -> %System32%\awwqhkbm.ini ->  [Ver =  | Size = 2608880 bytes | Created Date = 6/25/2007 10:06:40 AM | Attr =  HS]
btuceges.ini -> %System32%\btuceges.ini ->  [Ver =  | Size = 4004 bytes | Created Date = 7/5/2007 9:23:40 AM | Attr =  HS]
byctvjad.ini -> %System32%\byctvjad.ini ->  [Ver =  | Size = 1832150 bytes | Created Date = 6/13/2007 12:02:30 PM | Attr =  HS]
cokqgjee.ini -> %System32%\cokqgjee.ini ->  [Ver =  | Size = 3967346 bytes | Created Date = 7/2/2007 7:47:35 AM | Attr =  HS]
eclblhoy.ini -> %System32%\eclblhoy.ini ->  [Ver =  | Size = 2610513 bytes | Created Date = 6/24/2007 7:19:28 AM | Attr =  HS]
epimlscn.ini -> %System32%\epimlscn.ini ->  [Ver =  | Size = 922340 bytes | Created Date = 6/14/2007 12:09:35 PM | Attr =  HS]
esagrbsj.ini -> %System32%\esagrbsj.ini ->  [Ver =  | Size = 2825021 bytes | Created Date = 6/29/2007 12:25:21 PM | Attr =  HS]
fxscount.h -> %System32%\fxscount.h ->  [Ver =  | Size = 1361 bytes | Created Date = 6/11/2007 8:49:11 AM | Attr =    ]
fxsperf.ini -> %System32%\fxsperf.ini ->  [Ver =  | Size = 1793 bytes | Created Date = 6/11/2007 8:49:11 AM | Attr =    ]
FxsTmp -> %System32%\FxsTmp ->  [Folder | Created Date = 6/11/2007 8:49:47 AM | Attr =    ]
ggfccaun.ini -> %System32%\ggfccaun.ini ->  [Ver =  | Size = 899002 bytes | Created Date = 6/17/2007 1:15:12 PM | Attr =  HS]
hanujeoc.ini -> %System32%\hanujeoc.ini ->  [Ver =  | Size = 902645 bytes | Created Date = 6/19/2007 10:18:40 PM | Attr =  HS]
hfeblegh.ini -> %System32%\hfeblegh.ini ->  [Ver =  | Size = 1836902 bytes | Created Date = 6/11/2007 11:03:32 PM | Attr =  HS]
honmjkuk.ini -> %System32%\honmjkuk.ini ->  [Ver =  | Size = 2607208 bytes | Created Date = 6/26/2007 10:11:50 AM | Attr =  HS]
hticons.dll -> %System32%\hticons.dll -> Hilgraeve, Inc. [Ver = 5.1.2600.0 | Size = 44544 bytes | Created Date = 6/11/2007 8:49:21 AM | Attr =    ]
java.exe -> %System32%\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 135168 bytes | Created Date = 7/8/2007 5:57:18 PM | Attr =    ]
javacpl.cpl -> %System32%\javacpl.cpl -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 69632 bytes | Created Date = 7/8/2007 5:57:18 PM | Attr =    ]
javaw.exe -> %System32%\javaw.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 135168 bytes | Created Date = 7/8/2007 5:57:18 PM | Attr =    ]
javaws.exe -> %System32%\javaws.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 139264 bytes | Created Date = 7/8/2007 5:57:18 PM | Attr =    ]
jyuukovc.ini -> %System32%\jyuukovc.ini ->  [Ver =  | Size = 2605510 bytes | Created Date = 6/27/2007 10:28:04 AM | Attr =  HS]
kadhngey.ini -> %System32%\kadhngey.ini ->  [Ver =  | Size = 1861349 bytes | Created Date = 6/15/2007 12:09:39 PM | Attr =  HS]
knircdfl.ini -> %System32%\knircdfl.ini ->  [Ver =  | Size = 2831368 bytes | Created Date = 6/28/2007 12:29:12 PM | Attr =  HS]
kycvaurl.ini -> %System32%\kycvaurl.ini ->  [Ver =  | Size = 838518 bytes | Created Date = 6/21/2007 9:59:22 PM | Attr =  HS]
mapisvc.inf -> %System32%\mapisvc.inf ->  [Ver =  | Size = 535 bytes | Created Date = 6/11/2007 8:49:32 AM | Attr =    ]
meskflyf.ini -> %System32%\meskflyf.ini ->  [Ver =  | Size = 3584 bytes | Created Date = 7/3/2007 8:31:48 AM | Attr =  HS]
qoorjrbi.ini -> %System32%\qoorjrbi.ini ->  [Ver =  | Size = 3765 bytes | Created Date = 7/4/2007 8:49:17 AM | Attr =  HS]
rosksxkd.ini -> %System32%\rosksxkd.ini ->  [Ver =  | Size = 4064 bytes | Created Date = 7/6/2007 9:37:35 AM | Attr =  HS]
seglavgs.ini -> %System32%\seglavgs.ini ->  [Ver =  | Size = 3812146 bytes | Created Date = 7/1/2007 12:04:31 AM | Attr =  HS]
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.6 | Size = 428032 bytes | Created Date = 7/8/2007 1:44:53 PM | Attr =    ]
swsc.exe -> %System32%\swsc.exe -> SteelWerX [Ver = 2.0.0.0 | Size = 370688 bytes | Created Date = 7/8/2007 1:44:52 PM | Attr =    ]
swxcacls.exe -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 7/8/2007 1:44:52 PM | Attr =    ]
tuikrbvg.ini -> %System32%\tuikrbvg.ini ->  [Ver =  | Size = 1861408 bytes | Created Date = 6/16/2007 12:11:17 PM | Attr =  HS]
veiixtnf.ini -> %System32%\veiixtnf.ini ->  [Ver =  | Size = 1699502 bytes | Created Date = 6/22/2007 10:04:01 PM | Attr =  HS]
vfind.exe -> %System32%\vfind.exe ->  [Ver =  | Size = 49152 bytes | Created Date = 7/8/2007 1:44:53 PM | Attr =    ]
vwhpwrca.ini -> %System32%\vwhpwrca.ini ->  [Ver =  | Size = 1858630 bytes | Created Date = 6/16/2007 12:19:32 PM | Attr =  HS]
wvejtjfw.ini -> %System32%\wvejtjfw.ini ->  [Ver =  | Size = 891854 bytes | Created Date = 6/20/2007 9:53:33 PM | Attr =  HS]
htrn_jis.dll -> %System32%\dllcache\htrn_jis.dll -> Hilgraeve, Inc. [Ver = 5.1.2600.0 | Size = 13312 bytes | Created Date = 6/11/2007 8:49:21 AM | Attr =    ]
AvgArCln.sys -> %System32%\drivers\AvgArCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Created Date = 7/7/2007 4:51:23 PM | Attr =    ]
AvgAsCln.sys -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 10872 bytes | Created Date = 7/7/2007 4:30:25 PM | Attr =    ]
njyoxcnhlwus.sys -> %System32%\drivers\njyoxcnhlwus.sys ->  [Ver =  | Size = 8704 bytes | Created Date = 7/8/2007 1:30:26 PM | Attr =    ]

[Files/Folders - Modified Within 30 days]
78875.sym -> %SystemDrive%\78875.sym ->  [Ver =  | Size = 2711 bytes | Modified Date = 7/8/2007 7:08:42 PM | Attr =    ]
Config.Msi -> %SystemDrive%\Config.Msi ->  [Folder | Modified Date = 7/8/2007 6:58:38 PM | Attr =  H ]
mfx_temp -> %SystemDrive%\mfx_temp ->  [Folder | Modified Date = 7/9/2007 11:03:50 AM | Attr =    ]
ord.htm -> %SystemDrive%\ord.htm ->  [Ver =  | Size = 418 bytes | Modified Date = 7/9/2007 10:54:38 AM | Attr =    ]
QooBox -> %SystemDrive%\QooBox ->  [Folder | Modified Date = 7/8/2007 2:47:18 PM | Attr =    ]
System Volume Information -> %SystemDrive%\System Volume Information ->  [Folder | Modified Date = 7/7/2007 5:32:44 PM | Attr =  HS]
WINDOWS -> %SystemRoot% ->  [Folder | Modified Date = 7/9/2007 10:57:18 AM | Attr =    ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ ->  [Folder | Modified Date = 6/15/2007 9:07:08 AM | Attr =  H ]
$NtUninstallKB929123$ -> %SystemRoot%\$NtUninstallKB929123$ ->  [Folder | Modified Date = 6/15/2007 9:11:28 AM | Attr =  H ]
$NtUninstallKB935839$ -> %SystemRoot%\$NtUninstallKB935839$ ->  [Folder | Modified Date = 6/15/2007 9:09:56 AM | Attr =  H ]
$NtUninstallKB935840$ -> %SystemRoot%\$NtUninstallKB935840$ ->  [Folder | Modified Date = 6/15/2007 9:11:16 AM | Attr =  H ]
addins -> %SystemRoot%\addins ->  [Folder | Modified Date = 6/11/2007 9:49:14 AM | Attr =    ]
bootstat.dat -> %SystemRoot%\bootstat.dat ->  [Ver =  | Size = 2048 bytes | Modified Date = 7/9/2007 10:56:00 AM | Attr =   S]
catchme.exe -> %SystemRoot%\catchme.exe ->  [Ver =  | Size = 104960 bytes | Modified Date = 7/4/2007 7:21:06 PM | Attr =    ]
Cursors -> %SystemRoot%\Cursors ->  [Folder | Modified Date = 6/11/2007 9:49:28 AM | Attr =    ]
erdnt -> %SystemRoot%\erdnt ->  [Folder | Modified Date = 7/8/2007 2:47:32 PM | Attr =    ]
Help -> %SystemRoot%\Help ->  [Folder | Modified Date = 7/8/2007 6:53:52 PM | Attr =    ]
ie7updates -> %SystemRoot%\ie7updates ->  [Folder | Modified Date = 6/15/2007 9:08:40 AM | Attr =    ]
imsins.BAK -> %SystemRoot%\imsins.BAK ->  [Ver =  | Size = 1374 bytes | Modified Date = 6/15/2007 9:11:22 AM | Attr =    ]
inf -> %SystemRoot%\inf ->  [Folder | Modified Date = 7/8/2007 6:53:52 PM | Attr =  H ]
Installer -> %SystemRoot%\Installer ->  [Folder | Modified Date = 7/8/2007 6:58:38 PM | Attr =  HS]
nircmd.exe -> %SystemRoot%\nircmd.exe -> NirSoft [Ver = 2.00 | Size = 51200 bytes | Modified Date = 6/17/2007 12:11:58 AM | Attr =    ]
pfirewall.log.old -> %SystemRoot%\pfirewall.log.old ->  [Ver =  | Size = 4026387 bytes | Modified Date = 6/22/2007 11:02:46 AM | Attr =    ]

WinPFind3u log continues in next post

Maze

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #28 on: July 09, 2007, 07:18:24 PM »
WinPFind3u log (final post):

Prefetch -> %SystemRoot%\Prefetch ->  [Folder | Modified Date = 7/9/2007 11:28:06 AM | Attr =    ]
QTFont.for -> %SystemRoot%\QTFont.for ->  [Ver =  | Size = 1409 bytes | Modified Date = 6/20/2007 1:10:58 PM | Attr =    ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn ->  [Ver =  | Size = 54156 bytes | Modified Date = 6/23/2007 6:21:22 PM | Attr =  H ]
security -> %SystemRoot%\security ->  [Folder | Modified Date = 6/11/2007 11:09:58 AM | Attr =    ]
system32 -> %System32% ->  [Folder | Modified Date = 7/8/2007 6:58:26 PM | Attr =    ]
Tasks -> %SystemRoot%\Tasks ->  [Folder | Modified Date = 7/9/2007 10:59:04 AM | Attr =   S]
Temp -> %SystemRoot%\Temp ->  [Folder | Modified Date = 7/9/2007 11:33:10 AM | Attr =    ]
win.ini -> %SystemRoot%\win.ini ->  [Ver =  | Size = 1088 bytes | Modified Date = 7/6/2007 12:36:54 PM | Attr =    ]
MP Scheduled Scan.job -> %SystemRoot%\tasks\MP Scheduled Scan.job ->  [Ver =  | Size = 370 bytes | Modified Date = 7/9/2007 10:59:04 AM | Attr =  H ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT ->  [Ver =  | Size = 6 bytes | Modified Date = 7/9/2007 10:56:08 AM | Attr =  H ]
apnbopbd.ini -> %System32%\apnbopbd.ini ->  [Ver =  | Size = 896958 bytes | Modified Date = 6/11/2007 9:31:14 PM | Attr =  HS]
awgvioka.ini -> %System32%\awgvioka.ini ->  [Ver =  | Size = 903273 bytes | Modified Date = 6/19/2007 10:46:10 PM | Attr =  HS]
awwqhkbm.ini -> %System32%\awwqhkbm.ini ->  [Ver =  | Size = 2608880 bytes | Modified Date = 6/26/2007 11:07:18 AM | Attr =  HS]
btuceges.ini -> %System32%\btuceges.ini ->  [Ver =  | Size = 4004 bytes | Modified Date = 7/6/2007 10:24:10 AM | Attr =  HS]
byctvjad.ini -> %System32%\byctvjad.ini ->  [Ver =  | Size = 1832150 bytes | Modified Date = 6/15/2007 10:10:24 AM | Attr =  HS]
CatRoot -> %System32%\CatRoot ->  [Folder | Modified Date = 6/15/2007 9:13:38 AM | Attr =    ]
CatRoot2 -> %System32%\CatRoot2 ->  [Folder | Modified Date = 7/8/2007 3:27:24 PM | Attr =    ]
cokqgjee.ini -> %System32%\cokqgjee.ini ->  [Ver =  | Size = 3967346 bytes | Modified Date = 7/3/2007 9:29:26 AM | Attr =  HS]
config -> %System32%\config ->  [Folder | Modified Date = 7/8/2007 2:47:42 PM | Attr =    ]
dllcache -> %System32%\dllcache ->  [Folder | Modified Date = 6/15/2007 9:11:32 AM | Attr = RHS]
drivers -> %System32%\drivers ->  [Folder | Modified Date = 7/8/2007 2:51:54 PM | Attr =    ]
eclblhoy.ini -> %System32%\eclblhoy.ini ->  [Ver =  | Size = 2610513 bytes | Modified Date = 6/25/2007 11:04:24 AM | Attr =  HS]
epimlscn.ini -> %System32%\epimlscn.ini ->  [Ver =  | Size = 922340 bytes | Modified Date = 6/14/2007 1:09:44 PM | Attr =  HS]
esagrbsj.ini -> %System32%\esagrbsj.ini ->  [Ver =  | Size = 2825021 bytes | Modified Date = 7/1/2007 1:02:16 AM | Attr =  HS]
FxsTmp -> %System32%\FxsTmp ->  [Folder | Modified Date = 7/6/2007 12:36:38 PM | Attr =    ]
ggfccaun.ini -> %System32%\ggfccaun.ini ->  [Ver =  | Size = 899002 bytes | Modified Date = 6/18/2007 10:27:00 PM | Attr =  HS]
hanujeoc.ini -> %System32%\hanujeoc.ini ->  [Ver =  | Size = 902645 bytes | Modified Date = 6/20/2007 10:30:04 PM | Attr =  HS]
hfeblegh.ini -> %System32%\hfeblegh.ini ->  [Ver =  | Size = 1836902 bytes | Modified Date = 6/13/2007 12:51:22 PM | Attr =  HS]
honmjkuk.ini -> %System32%\honmjkuk.ini ->  [Ver =  | Size = 2607208 bytes | Modified Date = 6/27/2007 11:12:28 AM | Attr =  HS]
java.exe -> %System32%\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 135168 bytes | Modified Date = 6/14/2007 3:51:50 PM | Attr =    ]
javacpl.cpl -> %System32%\javacpl.cpl -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 69632 bytes | Modified Date = 6/14/2007 4:53:22 PM | Attr =    ]
javaw.exe -> %System32%\javaw.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 135168 bytes | Modified Date = 6/14/2007 3:51:54 PM | Attr =    ]
javaws.exe -> %System32%\javaws.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 139264 bytes | Modified Date = 6/14/2007 4:53:24 PM | Attr =    ]
jyuukovc.ini -> %System32%\jyuukovc.ini ->  [Ver =  | Size = 2605510 bytes | Modified Date = 6/28/2007 1:21:10 PM | Attr =  HS]
kadhngey.ini -> %System32%\kadhngey.ini ->  [Ver =  | Size = 1861349 bytes | Modified Date = 6/16/2007 1:11:22 PM | Attr =  HS]
knircdfl.ini -> %System32%\knircdfl.ini ->  [Ver =  | Size = 2831368 bytes | Modified Date = 6/28/2007 1:58:54 PM | Attr =  HS]
kycvaurl.ini -> %System32%\kycvaurl.ini ->  [Ver =  | Size = 838518 bytes | Modified Date = 6/22/2007 10:59:44 PM | Attr =  HS]
mapisvc.inf -> %System32%\mapisvc.inf ->  [Ver =  | Size = 535 bytes | Modified Date = 6/11/2007 9:49:34 AM | Attr =    ]
mcrh.tmp -> %System32%\mcrh.tmp ->  [Ver =  | Size = 143 bytes | Modified Date = 6/11/2007 2:57:20 PM | Attr =    ]
meskflyf.ini -> %System32%\meskflyf.ini ->  [Ver =  | Size = 3584 bytes | Modified Date = 7/4/2007 9:47:18 AM | Attr =  HS]
perfc009.dat -> %System32%\perfc009.dat ->  [Ver =  | Size = 65130 bytes | Modified Date = 6/11/2007 9:49:58 AM | Attr =    ]
perfh009.dat -> %System32%\perfh009.dat ->  [Ver =  | Size = 407820 bytes | Modified Date = 6/11/2007 9:49:58 AM | Attr =    ]
PerfStringBackup.INI -> %System32%\PerfStringBackup.INI ->  [Ver =  | Size = 480434 bytes | Modified Date = 6/11/2007 9:49:58 AM | Attr =    ]
qoorjrbi.ini -> %System32%\qoorjrbi.ini ->  [Ver =  | Size = 3765 bytes | Modified Date = 7/5/2007 10:18:18 AM | Attr =  HS]
Restore -> %System32%\Restore ->  [Folder | Modified Date = 7/7/2007 6:32:08 PM | Attr =    ]
rosksxkd.ini -> %System32%\rosksxkd.ini ->  [Ver =  | Size = 4064 bytes | Modified Date = 7/6/2007 10:37:52 AM | Attr =  HS]
rqtss.bak2 -> %System32%\rqtss.bak2 ->  [Ver =  | Size = 1844926 bytes | Modified Date = 7/7/2007 3:00:12 PM | Attr =  HS]
rqtss.ini -> %System32%\rqtss.ini ->  [Ver =  | Size = 1866703 bytes | Modified Date = 7/8/2007 10:51:14 AM | Attr =  HS]
seglavgs.ini -> %System32%\seglavgs.ini ->  [Ver =  | Size = 3812146 bytes | Modified Date = 7/2/2007 8:45:42 AM | Attr =  HS]
tuikrbvg.ini -> %System32%\tuikrbvg.ini ->  [Ver =  | Size = 1861408 bytes | Modified Date = 6/16/2007 1:11:52 PM | Attr =  HS]
veiixtnf.ini -> %System32%\veiixtnf.ini ->  [Ver =  | Size = 1699502 bytes | Modified Date = 6/24/2007 8:11:12 AM | Attr =  HS]
vwhpwrca.ini -> %System32%\vwhpwrca.ini ->  [Ver =  | Size = 1858630 bytes | Modified Date = 6/17/2007 2:15:20 PM | Attr =  HS]
wpa.dbl -> %System32%\wpa.dbl ->  [Ver =  | Size = 13002 bytes | Modified Date = 7/9/2007 10:56:40 AM | Attr =    ]
wvejtjfw.ini -> %System32%\wvejtjfw.ini ->  [Ver =  | Size = 891854 bytes | Modified Date = 6/21/2007 10:54:20 PM | Attr =  HS]
etc -> %System32%\drivers\etc ->  [Folder | Modified Date = 7/8/2007 2:49:30 PM | Attr =    ]
njyoxcnhlwus.sys -> %System32%\drivers\njyoxcnhlwus.sys ->  [Ver =  | Size = 8704 bytes | Modified Date = 7/8/2007 2:30:18 PM | Attr =    ]

[File String Scan - Non-Microsoft Only]
UPX! , UPX0 ,  -> %System32%\aswBoot.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 745600 bytes | Modified Date = 4/30/2007 11:46:10 AM | Attr =    ]
PEC2 ,  -> %System32%\dfrg.msc ->  [Ver =  | Size = 41397 bytes | Modified Date = 8/23/2001 8:00:00 AM | Attr =    ]
UPX! , UPX0 ,  -> %System32%\pncrt.dll -> Real Networks, Inc [Ver = 6.0.0.0 | Size = 123392 bytes | Modified Date = 11/25/2003 7:32:02 PM | Attr =    ]
winsync ,  -> %System32%\wbdbase.deu ->  [Ver =  | Size = 1309184 bytes | Modified Date = 8/23/2001 8:00:00 AM | Attr =    ]
WSUD , UPX0 ,  -> %System32%\dllcache\hwxjpn.dll ->  [Ver =  | Size = 13463552 bytes | Modified Date = 8/23/2001 8:00:00 AM | Attr =    ]
PTech ,  -> %System32%\drivers\mtlstrm.sys -> Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 8/4/2004 1:41:38 AM | Attr =    ]

< End of report >

Thank you.

Magic Folders is 257 days old. MagicFolders site says Spyagent could be a false positive.
Narrator was not found in Services
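
The Created/Modified listings above are raw WinPFind3u output; what a helper acts on is the pattern in them rather than any single line. As an added example (not part of this thread and not code from WinPFind3u or its author), the script below parses entries in that format and flags three things visible in the log: hidden+system files under System32 that carry no version resource, an unversioned driver with a random-looking name, and a timestamp later than the log itself. The sample lines are copied verbatim from the log above; the cut-off date, the path and attribute heuristics, and the function names are my assumptions. A hit is a prompt for the analyst to look closer, not a verdict on the file.

```python
import re
from datetime import datetime

# One WinPFind3u file/folder entry looks like:
#   name -> path -> vendor [Ver = x | Size = n bytes | Created Date = d | Attr = HS]
# The vendor is the CompanyName from the version resource and is empty
# when the file carries none (a version resource is also trivially forged,
# so its absence is a hint, not proof).
ENTRY_RE = re.compile(
    r"^(?P<name>.+?) -> (?P<path>.+?) -> (?P<vendor>.*?)\s*\[(?P<fields>.*)\]\s*$"
)
DATE_FMT = "%m/%d/%Y %I:%M:%S %p"

# Assumed cut-off: the log was posted on 9 July 2007, so nothing on the
# disk can legitimately be stamped later than that.
LOG_DATE = datetime(2007, 7, 9, 23, 59, 59)


def parse_entry(line):
    """Parse one WinPFind3u line; return None for headers and other non-entries."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    fields, is_folder = {}, False
    for part in m.group("fields").split("|"):
        part = part.strip()
        if part == "Folder":
            is_folder = True
            continue
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    stamp = None
    for key in ("Created Date", "Modified Date"):
        if fields.get(key):
            stamp = datetime.strptime(fields[key], DATE_FMT)
            break
    return {
        "name": m.group("name"),
        "path": m.group("path"),
        "vendor": m.group("vendor").strip(),
        "version": fields.get("Ver", ""),
        "attr": set(fields.get("Attr", "")),
        "folder": is_folder,
        "date": stamp,
    }


def suspicious(entry, log_date=LOG_DATE):
    """Return the heuristic hits for one entry; an empty list means nothing noted."""
    hits = []
    if entry["folder"]:
        return hits
    in_system32 = entry["path"].startswith("%System32%")
    unversioned = not entry["vendor"] and not entry["version"]
    stem, _, ext = entry["name"].rpartition(".")
    # Hidden+System on an unversioned file under System32. Genuine Windows
    # binaries there carry a version resource; H+S is what keeps the file
    # out of a default Explorer listing.
    if in_system32 and {"H", "S"} <= entry["attr"] and unversioned:
        hits.append("hidden+system file in System32 with no version info")
    # A kernel driver with no publisher and a random-looking lowercase name.
    if (ext.lower() == "sys" and "\\drivers\\" in entry["path"].lower()
            and unversioned and re.fullmatch(r"[a-z]{8,}", stem)):
        hits.append("unversioned driver with random-looking name")
    # Timestamps are easy to forge, but one later than the log itself
    # cannot be genuine.
    if entry["date"] is not None and entry["date"] > log_date:
        hits.append("timestamp later than the log itself")
    return hits


def scan(lines, log_date=LOG_DATE):
    """Map path -> hits for every entry that triggered at least one heuristic."""
    findings = {}
    for line in lines:
        entry = parse_entry(line)
        if entry is not None:
            hits = suspicious(entry, log_date)
            if hits:
                findings[entry["path"]] = hits
    return findings


# Sample input: lines copied verbatim from the WinPFind3u log above.
SAMPLE_LOG = r"""
[Files/Folders - Created Within 30 days]
mfx_temp -> %SystemDrive%\mfx_temp ->  [Folder | Created Date = 7/9/2007 9:53:52 AM | Attr =    ]
fw20.vxd -> %SystemRoot%\fw20.vxd ->  [Ver =  | Size = 79947 bytes | Created Date = 2/24/2067 3:21:18 PM | Attr =    ]
awgvioka.ini -> %System32%\awgvioka.ini ->  [Ver =  | Size = 903273 bytes | Created Date = 6/18/2007 9:32:17 PM | Attr =  HS]
fxscount.h -> %System32%\fxscount.h ->  [Ver =  | Size = 1361 bytes | Created Date = 6/11/2007 8:49:11 AM | Attr =    ]
java.exe -> %System32%\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 135168 bytes | Created Date = 7/8/2007 5:57:18 PM | Attr =    ]
AvgArCln.sys -> %System32%\drivers\AvgArCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Created Date = 7/7/2007 4:51:23 PM | Attr =    ]
njyoxcnhlwus.sys -> %System32%\drivers\njyoxcnhlwus.sys ->  [Ver =  | Size = 8704 bytes | Created Date = 7/8/2007 1:30:26 PM | Attr =    ]
rqtss.bak2 -> %System32%\rqtss.bak2 ->  [Ver =  | Size = 1844926 bytes | Modified Date = 7/7/2007 3:00:12 PM | Attr =  HS]
""".strip().splitlines()

if __name__ == "__main__":
    for path, hits in scan(SAMPLE_LOG).items():
        print(path, "->", "; ".join(hits))
```

Run against the sample, four of the eight entries are flagged and the Java binary, the AVG driver, the fax header and the folder pass clean. The same three checks are what a human reviewer does by eye on a log this size; the point of writing them down is that they scale to the full listing without missing a line.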

mauserme

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #29 on: July 10, 2007, 05:08:09 AM »
Narrator is not in the “Services” List within Administrative Tools. Could I still go ahead and use HJT to fix the Narrator service ...
Yes, those lines can be fixed.

I became aware of it when I tried uninstalling Magic Folders and the Magic Folders uninstallation conflicted with SpyAgent. So I contacted Spytech technical support and in reply to my query they emailed the following:
“If you do not see the program installed in either of the folders, it is likely that the program Magic Folders gives a false positive and SpyAgent is not actually there.
SpyAgent Stealth Install Directory: c:/program files/sysconfig
Default non-stealth Install Directory:
c:/program files/spytech software/spytech spyagent”

These folders were not in the computer, unless they are masked in some way. Hence I searched MagicFolders FAQs and as per their instruction re-installed mfx.exe and retried without effect. I have sent an email out to their helpdesk, but no reply yet. Also I do not know how to deal with false positives if it is one. But I am really concerned about a keystroke capturing program like SpyAgent being installed on my computer. That could be quite disastrous.
I'm not seeing anything in the logs that looks like either of these programs, so I'm inclined to think neither is running at startup and, possibly, SpyAgent isn't there at all.   But these commercial keyloggers can be tricky so I'm not 100% sure on this yet.

I would like to draw a distinction between a trojan type keylogger where there is a serious concern that private information is being sent to criminals vs a commercial keylogger that is usually installed by a parent concerned about his child's well being or a suspicious spouse.  SpyAgent seems to be in the latter category and, although I would not completely dismiss the risk, there are a few things I noticed in your WinPFind log and a file listed in ComboFix that I would like to address first.

If you haven't already installed OTMoveIt please do so now.  Double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\rqtss.bak1

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply with a new HijackThis log.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Now download VundoFix.exe to your desktop.

Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

A log will be produced which you can post in your next response.