Click Here to Install Silverlight*
United StatesChange|All Microsoft Sites
Microsoft
Security 

Malicious Software Encyclopedia: BrowserModifier:Win32/Fotomoto

Published: November 19, 2007

BrowserModifier:Win32/Fotomoto modifies Web browser settings, and is usually installed with other potentially unwanted software or adware.

**

Glossary Terms

Click the term to get the definition from our Security Glossary.

Trojan horse

virus

worm

**
On This Page
Threat OverviewThreat Overview
Aliases (Also Known As)Aliases (Also Known As)
Technical AnalysisTechnical Analysis
How to Prevent InfectionHow to Prevent Infection
How to Tell If Your Computer Is InfectedHow to Tell If Your Computer Is Infected
How to Recover from InfectionHow to Recover from Infection

Threat Overview

Class/typePotentially Unwanted Software - Settings Modifier
DiscoveredOctober 7, 2008
CirculatingYes
Affected operating systems
Affected software Not specified
Infection ratingLow
Recovery difficultyModerate
Damage ratingMedium
Transmission ratingLow

Aliases (Also Known As)

Different antivirus vendors may be using different names to refer to this malicious software. Here are some of the names currently in use by antivirus software vendors participating in the Microsoft Virus Information Alliance (VIA):

  • Norman: W32/BHO.AHS
  • Sophos: Mal/Heuri-E
  • Sunbelt Software: Mirar
  • Trend Micro: Adware_eZula

    • Learn more about the Microsoft Virus Information Alliance.

    Technical Analysis

    BrowserModifier:Win32/Fotomoto modifies Web browser settings, and is usually installed with other potentially unwanted software or adware.
     
    Installation
    BrowserModifier:Win32/Fotomoto is installed as a Web Browser Helper Object (BHO), and is installed to the Windows system folder as a file named ns####.dll, where #### is a character string of variable length. Fotomoto may also be known as "ads_optimizer."
     
    Fotomoto may create a BHO entry into the system registry to load itself whenever the Web browser is
    launched:
     Adds key: {26E45419-7205-4fac-BBFE-174BC7337A79}
     Within subkeys:
     HKEY_CLASSES_ROOT\CLSID\
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
     
    Additional Information
    BrowserModifier:Win32/Fotomoto may be installed with other potentially unwanted software such as Adware:Win32/AdRotator. This adware component may exist as a file named "ninjaext.dll", also in the Windows system folder.

    How to Prevent Infection

    Follow these general security tips to better protect your system:
    • Enable a firewall on your computer.
    • Get the latest computer updates.
    • Run an up-to-date scanning and removal tool.
    • Use caution with attachments and file transfers.

    Enable a firewall on your computer

    Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
    To turn on the Internet Connection Firewall in Windows XP
    1. Click Start, and click Control Panel.
    2. Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
    3. Click Change Windows Firewall Settings.
    4. Select On.
    5. Click OK.

    Get the latest computer updates

    Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Microsoft Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
    To turn on Automatic Updates in Windows XP
    1. Click Start, and click Control Panel.
    2. Click Performance and Maintenance. If you do not see Performance and Maintenance, click Switch to Category View.
    3. Click System.
    4. Click Automatic Updates.
    5. Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.

    Run an up-to-date scanning and removal tool

    Most scanning and removal software can detect and prevent the installation of known malicious software and potentially unwanted software such as adware or spyware. You should frequently run a scanning and removal tool that is updated with the latest signature files. For more information, see http://www.microsoft.com/athome/security/downloads/default.mspx

    Use caution with attachments and file transfers

    Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources.  Use extreme caution when accepting file transfers from known or unknown sources.

    How to Tell If Your Computer Is Infected

    BrowserModifier:Win32/Fotomoto may not display symptoms, other than adding a registry entry, or being accompanied by other potentially unwanted software. The following registry key may exist:
     Key: HKEY_CLASSES_ROOT\CLSID\
     Key value: {26E45419-7205-4fac-BBFE-174BC7337A79}
     
     Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
     Key value: {26E45419-7205-4fac-BBFE-174BC7337A79}

    How to Recover from Infection

    Manual Recovery

    Use Microsoft Windows Defender or another up-to-date scanning and removal tool to detect and remove BrowserModifier:Win32/Fotomoto.A and other potentially unwanted software from your computer. For more information, see http://www.microsoft.com/athome/security/downloads/default.mspx.

    © 2009 Microsoft Corporation. All rights reserved. Contact Us |Terms of Use |Trademarks |Privacy Statement