
Partial recurrence of a previous problem


  • This topic is locked
63 replies to this topic

#1 chameleon437

chameleon437

  • Members
  • 95 posts

Posted 28 August 2009 - 04:27 AM

Hello peeps,

I thought I had buried the problem myself - some time ago I got the known malware that tries to look for 'CD 1' to install. I don't get this, but the same piece of software (Focus 30,000 Photos) says it is about to install, looks for install files, and then the progress bar rolls back. It usually does this at startup, but also if I open any browser - my main browser is Opera 9.64, and launching Firefox 3.5 will make it start to run.
Running Windows XP Pro SP-3 with COMODO Internet Security. Have used Malwarebytes and Super Anti-Spyware and Spyware Blaster and Search & Destroy to no avail.

Best regards,
chameleon437

Attached Files

  • bpc.txt (16.14KB, 15 downloads)

Edited by chameleon437, 28 August 2009 - 04:29 AM.




#2 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country

Posted 11 September 2009 - 04:39 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
PW

#3 chameleon437

chameleon437
  • Topic Starter

  • Members
  • 95 posts

Posted 13 September 2009 - 04:48 AM

Hi pwgib,

Thanks for getting back to me - I appreciate how busy bleepingcomputer.com is, so I have no problems in waiting.

To begin with I had a problem after downloading a peer-to-peer program in an attempt to recover my lost data on a memory stick, and this is the root cause of the problem I think. I have a clipart/photo collection I purchased whose installer keeps asking for the CD but instead of the CD/App name it is asking for '1'. I have read about this malware elsewhere on the internet and decided to run scans using all the arsenal given to me last time - Spybot Search and Destroy, Super Anti-Spyware, Malwarebytes Anti-Malware, Spywareblaster. (I was also told about Lavasoft Ad-aware but this conflicts with Spybot Search & Destroy, which now uses part of its engine, so I do not use this now).

I ran all of these programs and thought it had got rid of any malware found.

I attempted to reduce the level of priority this 'Installer' has to low to prevent it from starting up, but it appears to do so when launching Mozilla Thunderbird or any browser. Another linked problem that started it up again was 'Adobe Download Manager' appearing together with 'Run As' (minimised) on the 'Task Bar' - clicking on this started the installer problem again. I have saved a screen dump of this latter issue in a Word.doc - which is another thing - the Word icon is no longer associating itself with documents written in Word any more - Guess I could always re-install Office at a later stage.

I would just like to add that I also recently purchased a program from DataDoctor.org which did not do what it promised to do - I should have bought GetDataBack for NTFS instead - I am in dispute with the former at present.

Here is the log of the DDS.txt file.


DDS (Ver_09-07-30.01) - NTFSx86
Run by pc at 10:31:39.76 on 13/09/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1022.587 [GMT 1:00]

AV: COMODO Antivirus *On-access scanning enabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
svchost.exe
C:\Program Files\Trust\R-Series Mouse And Keyboard\PS2USBKbdDrv.exe
svchost.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\pc\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\RegistryBooster.exe /S
uRun: [Uniblue SpyEraser] "c:\program files\uniblue\spyeraser\SpyEraser.exe" -m
uRun: [Uniblue SpeedUpMyPC] c:\program files\uniblue\speedupmypc 3\SpeedUpMyPC.exe -s
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [WireLessKeyboard] c:\program files\trust\r-series mouse and keyboard\StartAutorun.exe PS2USBKbdDrv.exe
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [OSSelectorReinstall] c:\program files\common files\acronis\acronis disk director\oss_reinstall.exe
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [SoundMan]
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task]
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\easy-printtoolbox.lnk - c:\program files\canon\easy-printtoolbox\BJPSMAIN.EXE
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Easy-PrintToolBox.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Logitech Desktop Messenger.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Microsoft Office.lnk.disabled
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photofunstudio.lnk - c:\program files\panasonic\photofunstudio\PhAutoRun.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - {8C85E2EE-9FD6-11D5-B770-504D54C10000} - c:\program files\visualroute\vrie.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {56393399-041A-4650-94C7-13DFCB1F4665} - hxxp://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1212595870651
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1212594725745
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - hxxps://www.maestroasp.com/innerpass_prod/DocManagement/XUpload.ocx
TCP: NameServer = 0 (0x0)
TCP: NameServer = MSICD
TCP: NameServer = http://download.macromedia.com/pub/shockwa...director/sw.cab
TCP: NameServer = c:\windows\downloaded program files\swdir.inf
TCP: NameServer = 11,0,0,458
TCP: NameServer = Tue, 17 Jun 2008 10:53:34 GMT
TCP: NameServer = 0 (0x0)
TCP: NameServer = MSICD
TCP: NameServer = http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
TCP: NameServer = c:\windows\downloaded program files\hcImpl.inf
TCP: NameServer = 6,51,0,1030
TCP: NameServer = Mon, 29 Dec 2008 07:35:28 GMT
TCP: NameServer = 0 (0x0)
TCP: NameServer = MSICD
TCP: NameServer = http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
TCP: NameServer = c:\windows\downloaded program files\pestscanx.inf
TCP: NameServer = 1,0,0,16
TCP: NameServer = Fri, 15 Feb 2008 23:08:18 GMT
TCP: NameServer = 0 (0x0)
TCP: NameServer = MSICD
TCP: NameServer = http://download.bitdefender.com/resources/scan8/oscan8.cab
TCP: NameServer = c:\windows\downloaded program files\oscan8.inf
TCP: NameServer = 1,0,0,1
TCP: NameServer = Wed, 25 Feb 2009 15:42:48 GMT
TCP: NameServer = 0 (0x0)
TCP: NameServer = MSICD
TCP: NameServer = http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab
TCP: NameServer = c:\windows\downloaded program files\wlscBase.inf
TCP: NameServer = 1,9,6662,1
TCP: NameServer = Tue, 28 Oct 2008 20:30:56 GMT
TCP: NameServer = 0 (0x0)
TCP: NameServer = MSICD
TCP: NameServer = http://www.update.microsoft.com/microsoftu...b?1212595870651
TCP: NameServer = 7,0,6000,381
TCP: NameServer = Tue, 31 Jul 2007 07:06:29 GMT
TCP: NameServer = 0 (0x0)
TCP: NameServer = MSICD
TCP: NameServer = http://www.update.microsoft.com/microsoftu...b?1212594725745
TCP: NameServer = 7,0,6000,381
TCP: NameServer = Tue, 31 Jul 2007 07:06:18 GMT
TCP: NameServer = 0 (0x0)
TCP: NameServer = MSICD
TCP: NameServer = http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
TCP: NameServer = c:\windows\downloaded program files\webscan.inf
TCP: NameServer = 1,1,0,1049
TCP: NameServer = Tue, 06 Mar 2007 22:59:57 GMT
TCP: NameServer = Java Runtime Environment 1.6.0
TCP: NameServer = MSICD
TCP: NameServer = http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
TCP: NameServer = 1.6.0.15
TCP: NameServer = 0 (0x0)
TCP: NameServer = MSICD
TCP: NameServer = http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab
TCP: NameServer = c:\windows\downloaded program files\erma.inf
TCP: NameServer = 1,0,0,29
TCP: NameServer = Mon, 15 Sep 2008 19:22:01 GMT
TCP: NameServer = Java Runtime Environment 1.6.0
TCP: NameServer = MSICD
TCP: NameServer = http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
TCP: NameServer = 1.6.0.15
TCP: NameServer = Java Runtime Environment 1.6.0
TCP: NameServer = MSICD
TCP: NameServer = http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
TCP: NameServer = 1.6.0.15
TCP: NameServer = 0 (0x0)
TCP: NameServer = MSICD
TCP: NameServer = http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
TCP: NameServer = c:\windows\downloaded program files\swflash.inf
TCP: NameServer = 10,0,32,18
TCP: NameServer = Fri, 24 Jul 2009 23:28:01 GMT
TCP: NameServer = 0 (0x0)
TCP: NameServer = MSICD
TCP: NameServer = http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = c:\windows\downloaded program files\gp.inf
TCP: NameServer = 1,6,2,36
TCP: NameServer = Tue, 14 Jul 2009 23:05:07 GMT
TCP: NameServer = 0 (0x0)
TCP: NameServer = MSICD
TCP: NameServer = https://www.maestroasp.com/innerpass_prod/D...ent/XUpload.ocx
TCP: NameServer = 2,1,0,1
TCP: NameServer = Thu, 08 May 2008 15:24:00 GMT
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\Skype4COM.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\pc\applic~1\mozilla\firefox\profiles\3bg72ed7.default\
FF - plugin: c:\documents and settings\pc\application data\mozilla\firefox\profiles\3bg72ed7.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npRLCT4Player.dll
FF - plugin: c:\program files\opera\program\plugins\NPTURNMED.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2008-6-3 17920]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-8-25 132168]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-3-4 25160]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-2-17 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 74480]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-3-4 715392]
R2 KMWDSERVICE;Keyboard And Mouse Communication Service;c:\program files\trust\r-series mouse and keyboard\KMWDSrv.exe [2007-2-28 208896]
R2 LANPkt;Realtek LANPkt Protocol;c:\windows\system32\drivers\LANPkt.sys [2008-6-5 8440]
S1 SDManager;SDManager;\??\c:\program files\spywaredetector\sdmanager.sys --> c:\program files\spywaredetector\SDManager.sys [?]
S2 VOODOOTV;3dfx VoodooTV WDM Video Capture;c:\windows\system32\drivers\3dfxVTV.sys [2000-11-9 263657]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
S3 Vsp;Vsp;\??\c:\windows\system32\drivers\vsp.sys --> c:\windows\system32\drivers\Vsp.sys [?]

=============== Created Last 30 ================

2009-09-05 08:26 130 a------- c:\windows\cfplogvw.INI
2009-08-31 15:42 45,056 a------- c:\windows\system32\PhDi2.sys
2009-08-29 00:39 168,448 a------- c:\windows\system32\unrar.dll
2009-08-29 00:39 38 a------- c:\windows\avisplitter.ini
2009-08-29 00:39 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2009-08-29 00:39 881,664 a------- c:\windows\system32\xvidcore.dll
2009-08-29 00:39 205,824 a------- c:\windows\system32\xvidvfw.dll
2009-08-29 00:39 90,112 a------- c:\windows\system32\dpl100.dll
2009-08-29 00:39 685,056 a------- c:\windows\system32\divx.dll
2009-08-29 00:39 85,504 a------- c:\windows\system32\ff_vfw.dll
2009-08-29 00:39 547 a------- c:\windows\system32\ff_vfw.dll.manifest
2009-08-29 00:22 217,073 a------- c:\windows\meta4.exe
2009-08-28 20:37 <DIR> --d----- c:\program files\YouTube Downloader
2009-08-25 21:07 132,168 a------- c:\windows\system32\drivers\cmdguard.sys
2009-08-20 14:19 <DIR> --d--r-- c:\program files\Skype
2009-08-20 13:26 <DIR> --d----- c:\windows\73C298E04FB64D27AC7905B6FEEAB8F1.TMP
2009-08-20 13:21 <DIR> --d----- C:\Virtual
2009-08-20 12:47 539,160 a------- c:\windows\system32\LVUI2.dll
2009-08-20 12:47 6,754,712 a------- c:\windows\system32\drivers\lvuvc.sys
2009-08-20 12:47 539,160 a------- c:\windows\system32\LVUI2RC.dll
2009-08-20 12:47 416,280 a------- c:\windows\system32\lvcodec2.dll
2009-08-20 12:47 266,828 a------- c:\windows\system32\drivers\LVAFT.cfg
2009-08-20 12:46 199,192 a------- c:\windows\system32\lvci1201278.dll
2009-08-20 12:46 82,289 a------- c:\windows\system32\lvcoinst.ini
2009-08-20 12:46 265,496 a------- c:\windows\system32\drivers\lvrs.sys
2009-08-20 12:46 34,068 a------- c:\windows\system32\Repository.reg
2009-08-20 12:45 23,832 a------- c:\windows\system32\drivers\lvuvcflt.sys
2009-08-16 13:14 53,248 a------- c:\windows\system32\CommonDL.dll
2009-08-16 13:14 44,544 a------- c:\windows\system32\msxml4a.dll
2009-08-16 13:14 2,412 a------- c:\windows\system32\lgAxconfig.ini
2009-08-16 13:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\LGMOBILEAX
2009-08-16 13:10 <DIR> --d----- c:\program files\LG Electronics

==================== Find3M ====================

2009-09-13 10:06 0 a------- c:\windows\system32\drivers\lvuvc.hs
2009-09-13 10:05 0 a------- c:\windows\system32\drivers\logiflt.iad
2009-08-31 15:44 289,320 a------- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-08-25 21:18 179,792 a------- c:\windows\system32\guard32.dll
2009-08-25 21:18 25,160 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-08-20 11:22 224,704 a---h--- c:\windows\system32\mlfcache.dat
2009-08-10 11:11 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-05 10:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-17 20:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-03 18:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-25 09:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 09:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 09:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 09:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 09:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 09:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-16 15:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 15:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-03-04 18:05 286,200 a------- c:\docume~1\pc\applic~1\GDIPFONTCACHEV1.DAT
2004-10-01 15:00 40,960 a------- c:\program files\Uninstall_CDS.exe
2001-11-23 05:08 712,704 a------- c:\windows\inf\other\AUDIO3D.DLL
2008-07-06 09:39 80 ---shr-- c:\windows\CT4MET.BIN

============= FINISH: 10:32:21.81 ===============

I would just like to add that a report in the DDS window said that it could not run something whilst a user defined option was open?

Best regards,
chameleon437
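The DDS log above is the kind of thing a responder reads by hand: the `uRun`/`mRun` lines are the per-user and machine-wide Run keys, `StartupFolder` lines are Start Menu shortcuts, and in the services section a `--> path [?]` suffix marks a driver that is registered but whose file DDS could not find. As an added example (not part of the thread and not DDS's own code), here is a small Python parser that pulls those entries out of DDS-style lines and flags the two things that stand out in this log: an empty Run value (`mRun: [SoundMan]`) and the two orphaned driver registrations (SDManager and Vsp). The sample lines are copied from the posted log; the field names and the triage rules are this example's own assumptions about the format, not anything the responders applied.

```python
"""Triage of DDS-style log lines: autostart entries and orphaned services.

Added example for this thread; not part of DDS and not the posted log.
Line shapes follow the DDS output quoted above: uRun = per-user Run key,
mRun = machine-wide Run key, StartupFolder = Start Menu shortcut,
R<n>/S<n> = running/stopped service or driver, and "--> path [?]" marks a
registered driver whose file DDS could not find. The rules in triage() are
this example's own, not anything the responders in the thread applied.
"""
import re

# Constructed excerpt: lines copied from the DDS log posted above.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

uRun: [Uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\RegistryBooster.exe /S
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan]
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photofunstudio.lnk - c:\program files\panasonic\photofunstudio\PhAutoRun.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Microsoft Office.lnk.disabled

============= SERVICES / DRIVERS ===============

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-8-25 132168]
S1 SDManager;SDManager;\??\c:\program files\spywaredetector\sdmanager.sys --> c:\program files\spywaredetector\SDManager.sys [?]
S3 Vsp;Vsp;\??\c:\windows\system32\drivers\vsp.sys --> c:\windows\system32\drivers\Vsp.sys [?]
"""

RUN_RE = re.compile(r'^(?P<scope>uRun|mRun):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
STARTUP_RE = re.compile(r'^StartupFolder:\s*(?P<lnk>.+?\.lnk(?:\.disabled)?)(?:\s+-\s+(?P<cmd>.+))?$')
SERVICE_RE = re.compile(r'^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$')
# First token that looks like an executable image, so "foo.exe /S" and
# "RUNDLL32.EXE x.dll,Entry" both yield the program that actually runs.
IMAGE_RE = re.compile(r'^(?P<path>.*?\.(?:exe|dll|sys|scr|com|bat|cmd|pif))(?=[\s,]|$)', re.IGNORECASE)


def image_path(cmd):
    """Return the program a Run value launches, minus its arguments."""
    cmd = cmd.strip()
    if not cmd:
        return ''
    if cmd.startswith('"'):                      # quoted path, possibly containing spaces
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = IMAGE_RE.match(cmd)
    return m.group('path') if m else cmd.split()[0]


def service_path(rest):
    """Strip DDS decorations: device prefix, '--> resolved', trailing '[date size]' or '[?]'."""
    rest = rest.strip()
    if '-->' in rest:                            # DDS prints the resolved path after the arrow
        rest = rest.split('-->', 1)[1].strip()
    return re.sub(r'\s*\[[^\]]*\]$', '', rest)


def parse_dds(text):
    """Parse autostart and service/driver lines; other lines are ignored."""
    autostarts, services = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := RUN_RE.match(line)):
            cmd = m.group('cmd').strip()
            autostarts.append({'scope': m.group('scope'), 'name': m.group('name'),
                               'command': cmd, 'image': image_path(cmd), 'disabled': False})
        elif (m := STARTUP_RE.match(line)):
            cmd = (m.group('cmd') or '').strip()
            lnk = m.group('lnk')
            autostarts.append({'scope': 'StartupFolder', 'name': lnk.rsplit('\\', 1)[-1],
                               'command': cmd, 'image': image_path(cmd),
                               'disabled': lnk.lower().endswith('.disabled')})
        elif (m := SERVICE_RE.match(line)):
            rest = m.group('rest').strip()
            services.append({'state': m.group('state'), 'name': m.group('name'),
                             'display': m.group('display'), 'path': service_path(rest),
                             'missing': rest.endswith('[?]')})
    return {'autostarts': autostarts, 'services': services}


def triage(text):
    """Return human-readable findings worth a second look (this example's own rules)."""
    parsed = parse_dds(text)
    findings = []
    for a in parsed['autostarts']:
        if a['disabled']:
            continue                             # a .lnk.disabled shortcut never launches
        if not a['command']:
            findings.append(f"{a['scope']} [{a['name']}]: empty value; stale key that launches nothing")
    for s in parsed['services']:
        if s['missing']:
            findings.append(f"{s['state']} {s['name']}: registered but file not found on disk ({s['path']})")
    return findings


if __name__ == '__main__':
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

An orphaned driver entry like SDManager (the path points at a SpywareDetector folder) is usually a leftover from an uninstalled product rather than live malware, but it is exactly the kind of line a responder asks about before deciding what to remove; a parser that surfaces it saves scrolling through several hundred lines of log.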

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 14 September 2009 - 07:40 PM

Hi chameleon437,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :(
m0le is a proud member of UNITE

#5 chameleon437

chameleon437
  • Topic Starter

  • Members
  • 95 posts

Posted 15 September 2009 - 12:37 PM

Hi m0le,

Just letting you know I got your PM today. Look forward to hearing from you soon.

Best regards,
chameleon437

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 15 September 2009 - 04:10 PM

Hi chameleon437,

Can you attach the attach.txt generated by DDS?


If not,

Visit this site: http://billsway.com/vbspage/
Scroll down to the section that says "List Installed Programs" and download it, by using this icon: [image]
Save it to your Desktop, then right-click and select Extract all.
A folder should open, double click on the file inside called InstalledPrograms.vbs.
Press OK at the prompt, then Yes to view the results.
A text file will open, copy and paste this in your next reply.


Next please run this rootkit scanner

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.

    First Location
    Second Location
    Third Location

  • Open [image] on your desktop.
  • Click the [image] tab.
  • Click the [image] button.
  • Check all seven boxes: [image]
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the [image] button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
Thanks :(
m0le is a proud member of UNITE

#7 chameleon437

chameleon437
  • Topic Starter

  • Members
  • 95 posts

Posted 17 September 2009 - 04:35 PM

Hi m0le,

Please find attached files as requested.

chameleon437

Attached Files


Edited by chameleon437, 17 September 2009 - 05:04 PM.


#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 17 September 2009 - 05:33 PM

There's no rootkit activity, so we're down to the unwanted programs. I haven't found much about Focus 30,000 Photos but let's shift it anyway.


Firstly, we should get your Java up to date.

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

Let's start with the obvious and try and uninstall the program

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please double-click the "Add or Remove Programs" icon.
A list of programs installed will be "populated"; this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":


focus 30,000 photos


Additional instructions can be found here if needed.


Next

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :folderfind
    *focus 30,000 photos*
    :filefind
    *focus 30,000 photos*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

This could take a while as it is listing all files in that folder and elsewhere. The log may need to be attached.

Thanks :(
m0le is a proud member of UNITE
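SystemLook's `:folderfind` and `:filefind` directives above search the whole disk for folder and file names matching a wildcard, which is why the reply warns that the log may get long. As an added example, not SystemLook's own code, the following Python reproduces that search over a directory tree with case-insensitive wildcard matching. It assumes the directives match each name rather than the full path (an assumption about SystemLook's behaviour, not something documented in the thread) and builds a constructed sample tree in a temporary directory so it runs anywhere.

```python
"""Wildcard folder/file search like SystemLook's :folderfind / :filefind.

Added example for this thread, not SystemLook's own code. Assumption: the
directives match the name of each folder or file (not the full path),
case-insensitively, anywhere under the root given.
"""
import fnmatch
import os
import shutil
import tempfile


def _find(root, pattern, want_folders):
    """Walk root and return sorted, root-relative paths whose name matches pattern."""
    pat = pattern.lower()
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in (dirnames if want_folders else filenames):
            if fnmatch.fnmatchcase(name.lower(), pat):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def folderfind(root, pattern):
    """Equivalent of the :folderfind directive."""
    return _find(root, pattern, want_folders=True)


def filefind(root, pattern):
    """Equivalent of the :filefind directive."""
    return _find(root, pattern, want_folders=False)


def report(root, pattern):
    """Render both searches in a SystemLook-like text layout."""
    lines = []
    for directive, fn in ((':folderfind', folderfind), (':filefind', filefind)):
        hits = fn(root, pattern)
        lines.append(f"{directive} {pattern}")
        lines.append(f"  {len(hits)} match(es)")
        lines.extend(f"  {h}" for h in hits)
    return "\n".join(lines)


def build_sample_tree():
    """Constructed layout mimicking leftovers of an installed clip-art suite.

    Folder names are modelled on the program discussed in the thread; the
    paths themselves are invented for the demo and created under a throwaway
    temp directory, so nothing on the real system is touched.
    """
    root = tempfile.mkdtemp(prefix="systemlook_demo_")
    folders = [
        ("Program Files", "Focus 30,000 Photos"),
        ("Documents and Settings", "pc", "Application Data", "Hemera", "Focus 30,000 Photos Collection"),
        ("Program Files", "Other App"),
    ]
    files = [
        ("Documents and Settings", "All Users", "Desktop", "Focus 30,000 Photos.lnk"),
        ("Program Files", "Other App", "readme.txt"),
    ]
    for parts in folders:
        os.makedirs(os.path.join(root, *parts), exist_ok=True)
    for parts in files:
        os.makedirs(os.path.join(root, *parts[:-1]), exist_ok=True)
        open(os.path.join(root, *parts), "w").close()
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    try:
        print(report(demo_root, "*focus 30,000 photos*"))
    finally:
        shutil.rmtree(demo_root)
```

Pointing `folderfind` at a drive root walks every directory, which is the same cost SystemLook pays; on a real disk, narrowing the root to `Program Files` and the user profile first is the quick way to see whether an uninstaller left anything behind.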

#9 chameleon437

chameleon437
  • Topic Starter

  • Members
  • 95 posts

Posted 18 September 2009 - 02:35 PM

Hi m0le,

Before I go down this route again (I have attempted to remove Focus 30,000 Photos before - its software house is Hemera - perhaps it should change it to haemorrhage!) I should like you to know that once it is removed, the glitch then asked for a CD for another program so that in the end I will end up with nothing on my computer!

Any thoughts on this would be appreciated.

Best regards,
chameleon437

PS I use Secunia Personal Software Inspector (PSI), which warns me when Java is out of date - I haven't run it for a couple of weeks, hence the possibility of it not being cleared - I have spotted an error with the Java update - it installs the latest .ocx files but fails to remove the previous ones, and PSI still reports a Java warning because Sun Microsystems cannot write a decent uninstall/update program! (Of course I could be wrong!)

Edited by chameleon437, 18 September 2009 - 02:38 PM.


#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 18 September 2009 - 02:39 PM

Okay, run the SystemLook program first so we know what we're dealing with.

JavaRa is a good program which should clear out all your old Java and then install the latest.

#11 chameleon437

chameleon437
  • Topic Starter

  • Members
  • 95 posts

Posted 19 September 2009 - 05:16 AM

Hi m0le,

Attached are the results of System Look and JavaRa - as to Java, my suspicions about Java not doing clean upgrades were confirmed - JavaRa has now made me aware of old junk left in the users' Application Data folder - nice one! When checking for updates I was greeted with the message that I have the latest Java platform installed, which confirmed my earlier suspicions regarding my experience with Secunia's PSI! I note that IE8 has two holes - the most severe being Adobe's add-in "NOS Microsystems getPlus ActiveX Control 1.x", which is interesting as I keep getting occasional references to install Adobe Software with a funny-looking minimized bar icon which looks like a curved cross at the start of it - sometimes when I have clicked on that the Hemera/Focus 30,000 Photos Collection installer runs! I am currently sticking with Opera as my default browser.

Best regards,
chameleon437

Attached Files


Edited by chameleon437, 19 September 2009 - 05:21 AM.


#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 19 September 2009 - 06:56 AM

That's a solid install; there are folders everywhere :(

Okay, let's attempt to remove this program.

Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :Files
    C:\Documents and Settings\Administrator\Application Data\Hemera
    C:\Documents and Settings\All Users\Start Menu\Programs\Focus 30,000 Photos
    C:\Program Files\Focus Multimedia
    C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Focus 30,000 Photos.lnk
    C:\Documents and Settings\All Users\Desktop\Focus 30,000 Photos.lnk
    C:\Documents and Settings\All Users\Start Menu\Programs\Focus 30,000 Photos
  • Push the large Posted Image button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Post the OTM log.


Next, we check the progress of the removal with a deeper scanner

Please download OTS and save it to your desktop:
- Double click Posted Image and run
If you are running on Vista then right-click the program and choose Run as Administrator.


- Please check Posted Image & Posted Image
- Next press Posted Image
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
- Use the Add Reply button in the forum and Attach the scan back here (do not copy/paste it as it will be too big to fit)
- The log will be located in the OTS folder and named OTS.txt.

Let me know if that has improved things. :(
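The SystemLook search in post #8 and the OTM :Files script in post #12 together do two things: find every folder or file whose name matches a wildcard, and move the listed paths aside into a holding folder (OTM's C:\_OTM\MovedFiles) rather than deleting them outright. The following is an added Python example that does both, written for this thread and not code from SystemLook, OTM or the forum; all paths are stand-ins constructed inside a temporary directory.

```python
"""Added example (not SystemLook or OTM code): wildcard search for leftovers
of an uninstalled program, then a quarantine move that keeps the original
layout so files can be put back. All paths below are constructed."""
import fnmatch
import os
import shutil
import tempfile
from pathlib import Path


def find_matches(root, pattern):
    """Case-insensitive wildcard match over every folder and file name under root."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if fnmatch.fnmatchcase(name.lower(), pattern.lower()):
                hits.append(Path(dirpath) / name)
    return sorted(hits)  # parents sort before their children


def quarantine(paths, vault):
    """Move each path under vault, mirroring its original location.
    Returns (source, destination) pairs; destination is None when the source
    was already gone (e.g. it sat inside a folder moved earlier)."""
    moves = []
    for src in map(Path, paths):
        if not src.exists():
            moves.append((src, None))
            continue
        dest = Path(vault) / src.relative_to(src.anchor)
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(src), str(dest))
        moves.append((src, dest))
    return moves


def demo():
    """Constructed stand-ins for the paths named in the thread's OTM script."""
    root = Path(tempfile.mkdtemp())
    for folder in ("Program Files/Focus Multimedia",
                   "All Users/Start Menu/Programs/Focus 30,000 Photos",
                   "All Users/Desktop", "Documents"):
        (root / folder).mkdir(parents=True)
    (root / "All Users/Desktop/Focus 30,000 Photos.lnk").write_text("shortcut")
    (root / "Documents/keep.txt").write_text("unrelated, must survive")
    hits = find_matches(root, "*focus 30,000 photos*")
    extra = [root / "Program Files/Focus Multimedia"]  # named in the script, not matched by wildcard
    moves = quarantine(hits + extra, root / "_quarantine")
    return root, hits, moves
```

Running demo() moves the two wildcard hits and the Focus Multimedia folder under _quarantine and leaves Documents/keep.txt untouched.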

#13 chameleon437

chameleon437
  • Topic Starter

  • Members
  • 95 posts

Posted 19 September 2009 - 08:22 AM

Hi m0le,

Here is the OTM log - it did not ask for a reboot - do I need to run the OTS now?

Cheers.
chameleon437

Attached Files



#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 19 September 2009 - 04:12 PM

No need to reboot for folder/file removal.

The OTM worked fine so please run the OTS scan. :(

#15 chameleon437

chameleon437
  • Topic Starter

  • Members
  • 95 posts

Posted 20 September 2009 - 12:15 PM

Hi m0le,

Hitting a problem in OTS. Have attached a .txt file of what comes up on screen.

best regards,
chameleon437

Attached Files





