Author Topic: Help to remove FOTOMOTO.A Trojan

mauserme

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #75 on: July 27, 2007, 01:49:46 PM »
Often when you have security software installed you'll find some running processes even though you think of the program as being non-resident.  Lavasoft's explanation is that the scan engine for the free version of AdAware 2007 is the same as the paid version with some functions disabled.  But it still loads when you start the computer just like the paid version.

I haven't tried AdAware 2007 because there have been so many complaints about it.  The old version, AdAware SE, doesn't seem to run any processes unless I start it.  You could try disabling aawservice.exe at startup with WinPatrol - I think this should work.



If you google MsMpEng.exe you'll find many users complain of long boot times in some cases.  Microsoft says this is because Defender does a "min-scan" at startup and this can take appreciable time on some computers. 

I just tried disabling the service on my Vista box (the only one I have with Windows Defender installed) and noticed only a slight improvement in boot time.  If you want to try this open the Administrative Tools in the Control Panel and double click Services.  Scroll down to Windows Defender, double click it, and set the Start Up Type to Disabled.  Then click OK.


jusched.exe is the Java updater.  If you monitor a forum like this one where you will be aware of Java updates this can be disabled by turning off automatic updates in Java.  Open Java in the Control Panel, click the Update tab, and uncheck the box for Automatic Updates.

If you don't have an alternate means of knowing about updates leave this running.  It doesn't use too many resources compared to the risk of never updating.


You also still have C:\Program Files\Installed\Anti Virus\AVG Anti-Spyware 7.5\guard.exe which I usually disable with WinPatrol.


And although this won't help your boot times you could fix these lines in HJT

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
« Last Edit: July 27, 2007, 02:01:45 PM by mauserme »

Maze

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #76 on: July 28, 2007, 08:09:19 PM »
Hi Mauserme,
- Uninstalled Adaware2007 & AVG AntiSpyware
- Windows Defender at Startup disabled
- Spyware Terminator, Avast & Comodo Firewall running
- Java left as it is
- Fixed your recommendations with HJT
- Startup time for laptop has considerably decreased (down 5-7 min from 10-13 min).

Thank you so much for being patient and walking me through fixing both my computers for the last almost a month I believe. I never expected this kind of help when I posted. Hopefully I can learn enough to someday help someone else as you do. Thank you!!

mauserme

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #77 on: July 29, 2007, 05:27:54 AM »
- Startup time for laptop has considerably decreased (down 5-7 min from 10-13 min).
That still seems excessive to me. 

After your computer finishes booting open the task manager (control/alt/delete) before opening any other programs.   Click the Processes tab.  How many running processes are shown at the bottom left corner of that window?


... for the last almost a month I believe.
Has it been that long  ;D

Maze

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #78 on: July 30, 2007, 02:26:37 PM »
Hi Mauserme,
The following processes are currently running after startup.
Only manually started program: firefox.exe

- firefox.exe
- taskmgr.exe
- alg.exe
- ashWebSv.exe
- ashMaiSv.exe
- wmpnetwk.exe
- svchost.exe   (SYSTEM - 1304K)
- explorer.exe
- sp_rsser.exe  (spyware terminator research tool, part of crawler, uses 5MB RAM, could we take this off?)
- ashServ.exe
- aswUpdSv.exe
- svchost.exe   (SYSTEM - 260K)
- cmdagent.exe
- svchost.exe    (Local Service - 1648K)
- wmpnscfg.exe (I do not share my music files. Uses 440K, could we take this off?)
- ctfmon.exe
- svchost.exe   (Network Service - 740K)
- Spywaretorshield.exe
- svchost.exe   (System - 5132K)
- svchost.exe   (Network Service - 836K)
- svchost.exe   (System - 728K)
- lsass.exe       (1236K)
- services.exe
- winlogon.exe
- csrss.exe
- smss.exe       (I found another SMSS.exe [all caps] in c:\I386\SYSTEM32 [again all caps])
- jusched.exe
- cpf.exe         (Comodo firewall)
- spoolsv.exe
- System
- System Idle Process

Page File Usage is consistently 338-339MB
CPU Usage varies from 0% - 8%, but mostly at 5%

mauserme

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #79 on: August 01, 2007, 05:14:22 AM »
- sp_rsser.exe  (spyware terminator research tool, part of crawler, uses 5MB RAM, could we take this off?)
Sure - just disable the Spyware Terminator realtime shield and it should end.

- wmpnscfg.exe (I do not share my music files. Uses 440K, could we take this off?)
I don't think there's an easy way to make this stop.  It seems to require editing the registry and I'm not sure it's worth the trouble.

- Spywaretorshield.exe
Should this read Spywareterminatorshield.exe?  If not we need to look deeper.

- smss.exe       (I found another SMSS.exe [all caps] in c:\I386\SYSTEM32 [again all caps])
The copy in c:\I386\SYSTEM32 is OK as long as it's not running from that location.  That folder contains copies of some important files.



The list of running processes is actually impressively short.  How much RAM do you have?
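The point about smss.exe above (a second copy is fine as long as the running one comes from the expected folder) can be checked for all the core Windows processes at once. This is an added example, not code from the thread; the list of expected folders is an assumption, and it should be run from an elevated PowerShell so the image path of SYSTEM-owned processes is readable.

```powershell
# Added example (not from the thread): flag core Windows processes whose image
# is not running from the folder it normally lives in. Assumes a stock Windows
# layout ($env:SystemRoot, System32 and, on 64-bit, SysWOW64).
$system32 = Join-Path $env:SystemRoot 'System32'
$sysWow64 = Join-Path $env:SystemRoot 'SysWOW64'   # 32-bit svchost on 64-bit Windows

# process name (lower case) -> folders it is allowed to run from
$expected = @{
    'smss'     = @($system32)
    'csrss'    = @($system32)
    'winlogon' = @($system32)
    'services' = @($system32)
    'lsass'    = @($system32)
    'svchost'  = @($system32, $sysWow64)
    'spoolsv'  = @($system32)
    'explorer' = @($env:SystemRoot)
}

function Test-CoreProcessPaths {
    Get-Process |
        Where-Object { $expected.ContainsKey($_.ProcessName.ToLower()) } |
        ForEach-Object {
            $name    = $_.ProcessName.ToLower()
            $allowed = $expected[$name]
            $path    = $_.Path          # $null when access is denied (run elevated)
            if (-not $path) {
                $status = 'PATH NOT READABLE (run elevated to check)'
            } else {
                $dir = [System.IO.Path]::GetDirectoryName($path)
                $ok  = $allowed | Where-Object { $dir -ieq $_ }
                $status = if ($ok) { 'OK' } else { "UNEXPECTED LOCATION: $path" }
            }
            [PSCustomObject]@{ Name = $name; PID = $_.Id; Status = $status }
        }
}

# A copy in another folder (for example the i386 install folder) is not listed
# here because it is not running; only a process whose Status is not OK matters.
Test-CoreProcessPaths | Format-Table -AutoSize
```

Any row marked UNEXPECTED LOCATION deserves a closer look, whereas a row marked PATH NOT READABLE only means the session lacked the rights to read that process's image path.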

Maze

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #80 on: August 08, 2007, 05:32:45 AM »
Hi Mauserme,
Long time no chat :-)

Well, sorry for not replying to your last post earlier - got busy with some work. Just to update you:

sp_rsser.exe: I couldn't find a way to disable Spyware Terminator realtime (did not see the option). But again, if there is such an option, is that a wise thing to do? Wouldn't the laptop be vulnerable to spyware?

Spywareterminatorshield.exe: You were right about the spelling. I misspelled it.

Hope everything is going great on your end. Thank you...

mauserme

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #81 on: August 09, 2007, 06:40:26 AM »
Hi Maze.  Feeling any better?

There is an option in the Spyware Terminator interface to disable real time protection.  As to the wisdom of doing this?  If you're comfortable with the way your computer boots leave it active;  otherwise disable it.  There's always a give and take between performance and security and I can't really determine what's best for you.  It does seem like avast! is getting stronger every day on trojan detections but, on the other hand, I still have BoClean running in the background.

Is increasing your RAM an option?  It could help.

Maze

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #82 on: August 09, 2007, 06:36:04 PM »
Hi Mauserme,
Feeling a little better, but looks like I may have torn a tendon, so it is going to take a while to heal.

For safety considerations, I would rather leave the spywareterminator realtime shield on, since I would rather not go through a repeat of what I had. As you suggested, I will probably look into upgrading, and in the meantime I will just grab me a cup of tea while the laptop boots up :-)

I noticed avast update does not seem to say "avast has been updated" every time I boot up, like it used to. I think I may have removed it from system tray using one of the programs we previously used to clean up, but it would still run in the background and update by itself right? Or should I manually update it now? Task Manager shows that ashwebsv.exe, ashmaisv.exe and ashserv.exe are running.

How is BoClean according to your experience? Google found the following review:
http://www.anti-trojan-software-reviews.com/review-boclean.htm

mauserme

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #83 on: August 10, 2007, 03:37:39 AM »
Feeling a little better, but looks like I may have torn a tendon, so it is going to take a while to heal.
Ouch! (but it could be worse).


For safety considerations, I would rather leave the spywareterminator realtime shield on, since I would rather not go through a repeat of what I had. As you suggested, I will probably look into upgrading, and in the meantime I will just grab me a cup of tea while the laptop boots up :-)

Sounds good to me.


I noticed avast update does not seem to say "avast has been updated" every time I boot up, like it used to. I think I may have removed it from system tray using one of the programs we previously used to clean up, but it would still run in the background and update by itself right? Or should I manually update it now? Task Manager shows that ashwebsv.exe, ashmaisv.exe and ashserv.exe are running.

If you have the a-icon in your system tray right click it, then left click Program Settings. In the Update(Basic) section make sure updates are set to automatic, and under Updates(Connections) make sure the proper choice is checked.


How is BoClean according to your experience? Google found the following review:
http://www.anti-trojan-software-reviews.com/review-boclean.htm

I don't know - I've never actually been aware of it ever cleaning anything in real time.  Nor AVG AntiSpyware nor Spyware Terminator when I tried those as resident protection.  But, if nothing else, it's a great placebo since it gives me the same peace of mind as the others without using so many resources  ;D

Avast! seems better everyday with its Trojan detections so I tend to rely less on other resident programs now.  And I've actually seen the avast! web shield stop a few bad files.  But you know, if a little protection is good a lot must be better...

Maze

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #84 on: August 15, 2007, 05:20:04 PM »
Hi Mauserme,
Looks like we have done most of what we can. Don't understand what kind of kick these virus creators get out of it. It's not like anyone is applauding or paying them for this. I still get tracking cookies; unfortunately avast does not catch them, but a spywareterminator scan does. They keep coming back, but I guess I just have to keep running a thorough scan with spywareterminator every week. Thanks for all the time and effort again. Keep helping other novices like me ;)

Lisandro

  • Avast team
Re: Help to remove FOTOMOTO.A Trojan
« Reply #85 on: August 15, 2007, 05:22:01 PM »
I still get tracking cookies, unfortunately avast does not catch it
avast does not monitor cookies... you need, as you've discovered, an antispyware tool.
The best things in life are free.

mauserme

  • Guest
Re: Help to remove FOTOMOTO.A Trojan
« Reply #86 on: August 15, 2007, 07:56:55 PM »
Looks like we have done most of what we can.
I think you're right ...


Don't understand what kind of kick these virus creators get out of it. It's not like anyone is applauding or paying them for this.
It actually is mostly about money these days - stealing information that can be sold like game keys or used to steal funds like credit card info.


I still get tracking cookies
You're always going to get some cookies if you go online.  Make sure you reject third party cookies when you use Internet Explorer (Tools>Internet Options>Privacy>Advanced>check Override Automatic Cookie Handling>under Third Party Cookies check Block).  And I usually use CleanUp after every browsing session to clear cookies and temporary files.

http://www.stevengould.org/index.php

ATF Cleaner, which you downloaded early in this thread, would also work, as would CCleaner.

http://www.ccleaner.com/

If you try CCleaner uncheck the Yahoo Tool Bar option during the installation.


Oh, and, glad I could help. :)