
Forum Thread: Facebook Photo Uploader Active X problem

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
Facebook
And, this specific program:
Facebook Photo Uploader ActiveX Control 4.x

This thread has been marked as locked.
taffy078 Facebook Photo Uploader Active X problem
Contributor 20th Feb, 2010 09:21
Ranking: 408
Posts: 1,321
User Since: 26th Feb, 2009
System Score: 100%
Location: UK
Good morning. Has anyone tried running the fix? It prompts me to download the solution but all that then happens is three files are downloaded:
PhotoUploader55, PhotoUploader55.ocx and unicows.dll.
Selecting any of them brings a window "Select a destination" with a sub-heading "select a place where you want to extract the selected item".
There is nowhere to simply hit "Run".
How can I run the fix, please?
PS I like the new layout but haven't yet found out how to find the specific topics pages. So, apologies if I should have posted somewhere else.

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003

taffy078 RE: Facebook Photo Uploader Active X problem
Contributor 20th Feb, 2010 15:42
Score: 408
Posts: 1,321
User Since: 26th Feb 2009
System Score: 100%
Location: UK
It gets worse. I deleted the programs or so I thought. But a second scan shows the insecure file still there:
C:\WINDOWS\Downloaded program files\PhotoUploader5.ocx

But it's not in that folder. I've searched hidden files as well.
Anyone else having this problem?


--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
thedillpickl RE: Facebook Photo Uploader Active X problem
Contributor 21st Feb, 2010 07:51
Score: 376
Posts: 872
User Since: 3rd May 2009
System Score: 100%
Location: US
Hi taffy;

Having trouble with unicows.dll, hmm? Could it be Welsh?

Any file you have to extract to use is a zipped file. For select a destination, if it's not suggesting something like "C:/program files/FaceBook/...", is 'desktop' an option? If so try it. Or possibly create an empty folder on the desktop and extract them there. If all works, you should put them where the old Face Book files were before 'installing' them.

Don't forget that .ocx files 'hang' if they're being used or Windows thinks they're being used. You used the folder icon in PSI to find this file? Did you try to find it using cmd.exe in the 'run' box? If you can find it, I know of a utility that will get rid of it.


Fred

--
XP Home
Chrome, Firefox, IE8
--
consilio et animis
taffy078 RE: Facebook Photo Uploader Active X problem
Contributor 21st Feb, 2010 11:27
Score: 408
Posts: 1,321
User Since: 26th Feb 2009
System Score: 100%
Location: UK
on 21st Feb, 2010 07:51, thedillpickl wrote:
Hi taffy;

Having trouble with unicows.dll, hmm? Could it be Welsh?

Any file you have to extract to use is a zipped file. For select a destination, if it's not suggesting something like "C:/program files/FaceBook/...", is 'desktop' an option? If so try it. Or possibly create an empty folder on the desktop and extract them there. If all works, you should put them where the old Face Book files were before 'installing' them.

Don't forget that .ocx files 'hang' if they're being used or Windows thinks they're being used. You used the folder icon in PSI to find this file? Did you try to find it using cmd.exe in the 'run' box? If you can find it, I know of a utility that will get rid of it.


Fred


Hi Fred. I think Unicows is a load of bull - groan! Excuse my ignorance but I've never really used DOS commands. (I will, now I have the time to read up on the subject.)
So, after cmd.exe, and 'OK', what should I do next? I've entered the filename but it says "bad command/parameter" etc.
By the way, when I used the folder icon in PSI, nothing happened. I used the PSI solution wizard. That found the folders but there was no 'run' command.

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Maurice Joyce RE: Facebook Photo Uploader Active X problem
Handling Contributor 21st Feb, 2010 12:08
Score: 11615
Posts: 8,906
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Hello Taffy,
Not really active on this Forum anymore but saw U were in distress while I was doing some research work.

Me thinks U could be going round in circles. If I am reading your posts correctly U have successfully removed:

PhotoUploader55, PhotoUploader55.ocx and unicows.dll?

What U cannot find is:
C:\WINDOWS\Downloaded program files\PhotoUploader5.ocx
which Secunia is saying is vulnerable.

Am I correct so far?



--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
taffy078 RE: Facebook Photo Uploader Active X problem
Contributor 21st Feb, 2010 12:19
Score: 408
Posts: 1,321
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Hi Maurice. Nice to hear from you again. Yes - you're spot on.

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Maurice Joyce RE: Facebook Photo Uploader Active X problem
Handling Contributor 21st Feb, 2010 12:49
Score: 11615
Posts: 8,906
User Since: 4th Jan 2009
System Score: N/A
Location: UK
OK. Navigate back to: C:\WINDOWS\Downloaded program files.

Can U see this entry?

0CCA191D-13A6-4E29-B746-314DEE697D83

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
taffy078 RE: Facebook Photo Uploader Active X problem
Contributor 21st Feb, 2010 17:36
Score: 408
Posts: 1,321
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Hi Maurice. There are three files that look like that:

4A85DBE0-BFB2-4119-8401-186A7C6EB654 Installed (Last accessed 11/12/2007)
8FFBE65D-2C9C-4669-84BD-5829DC0B603C unknown (Last accessed none)
D821DC4A-0814-435E-9820-661C543A4679 Damaged (Last accessed 20/02/2010)

Could it be the last one?

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Maurice Joyce RE: Facebook Photo Uploader Active X problem
Handling Contributor 21st Feb, 2010 18:34
Score: 11615
Posts: 8,906
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Right click on each entry - what are their properties?

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
taffy078 RE: Facebook Photo Uploader Active X problem
Contributor 21st Feb, 2010 20:06
Score: 408
Posts: 1,321
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Hi Maurice.

Properties are:

4A85DBE0-BFB2-4119-8401-186A7C6EB654 Installed (Last accessed 11/12/2007)
ActiveX Control MSN Messenger

8FFBE65D-2C9C-4669-84BD-5829DC0B603C unknown (Last accessed none)
Active X control fpdownload. macromedia

D821DC4A-0814-435E-9820-661C543A4679 Damaged (Last accessed 20/02/2010)
Active X Control drmlicense.one.microsoft.com/crlupdate

In case it's relevant, last night I went to run an overnight scan on my Ad-Aware (paid version 8.2.0). It said an update was available, which I downloaded. The damage would have happened during either the download or subsequent scan.

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Maurice Joyce RE: Facebook Photo Uploader Active X problem
Handling Contributor 21st Feb, 2010 22:45
Score: 11615
Posts: 8,906
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Not what we want but we can clear these up.

Looks like U are not using MSN Messenger in which case remove entry ActiveX Control MSN Messenger by right click>delete.

This entry Active X control fpdownload. Macromedia
indicates to me that U have a bit of Adobe bloatware installed mainly a download manager from NOS.

Check in add/remove for an entry Adobe Download Manager - if it is there I strongly advise U remove it then return
C:\WINDOWS\Downloaded program files and delete the ActiveX.

The damaged ActiveX is just that - delete it. When required again by the Windows Media Player U will be asked for permission to install it.

That clears bit up but not the main event - I am 100% sure that PSI is correct & the ActiveX is there somewhere. Can U please double check the properties of all remaining entries - any U are not completely sure about please post back.




--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
thedillpickl RE: Facebook Photo Uploader Active X problem
Contributor 22nd Feb, 2010 04:18
Score: 376
Posts: 872
User Since: 3rd May 2009
System Score: 100%
Location: US
Hi Taffy & Maurice;

Glad to see Maurice has not forgot his friends on the forum. :) Will let you two work this out.

@Taffy, let me know if you care to dabble with the 'black box' later.

@Maurice, if I don't get a chance to say for a while, please know that I appreciate you. Your presence is missed. Take care of yourself.


Fred

--
XP Home
Chrome, Firefox, IE8
--
consilio et animis
taffy078 RE: Facebook Photo Uploader Active X problem
Contributor 22nd Feb, 2010 08:44
Score: 408
Posts: 1,321
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Thanks Maurice - and a 'good morning' to you.

I haven’t got Adobe Download Manager (I did a search too) – just Flash, Shockwave and Air (whatever that is!).

I deleted all three and scanned again:
(1) The Upload Manager is still there
(2) I’ve also gained Macromedia Flash Player 7.x and
(3) found a warning for Firefox 3.6.x.
I removed Macromedia Flash, using the Adobe tool posted on the Secunia site.

I’ll check out the forum for Firefox and am confident there’ll be something already posted but the blasted Facebook Photo Upload Manager5.ocx is annoying me!
I googled (to show you guys that I am trying!) - I found many entries with problems; they all refer to Uploader 5 but say the file name is UploadManager55.ocx
According to one entry (SpywareHammer) the program has been used to let in all kinds of mischief – rootkits and backdoor Trojans. Some poor guy is in real doobies (a technical term):
http://spywarehammer.com/simplemachinesforum/index...

So, chaps – what should I do next, please?


--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Maurice Joyce RE: Facebook Photo Uploader Active X problem
Handling Contributor 22nd Feb, 2010 10:28
Score: 11615
Posts: 8,906
User Since: 4th Jan 2009
System Score: N/A
Location: UK
That is my concern - Photouploader5.ocx & Photouploader55.ocx CAN be hidden because they COULD be a Rootkit.

I can see U have been dabbling but have U completed all this by deleting all 3 ActiveX?

This entry Active X control fpdownload. Macromedia
indicates to me that U have a bit of Adobe bloatware installed mainly a download manager from NOS.

Check in add/remove for an entry Adobe Download Manager - if it is there I strongly advise U remove it then return
C:\WINDOWS\Downloaded program files and delete the ActiveX.

The damaged ActiveX is just that - delete it. When required again by the Windows Media Player U will be asked for permission to install it.

That clears bits up but not the main event - I am 100% sure that PSI is correct & the ActiveX is there somewhere.


Can U please double check the properties of all remaining entries - any U are not completely sure about please post back. What was the result of this?

As U now know, if we cannot find the entry in the folder highlighted by Secunia the assumption must be U have a Rootkit which is a completely different ball game.

I need to be absolutely sure what is in the folder pointed out by PSI as vulnerable before giving any more advice.



--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
taffy078 RE: Facebook Photo Uploader Active X problem
Contributor 22nd Feb, 2010 10:57
Score: 408
Posts: 1,321
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Hi Maurice. I have checked the properties of every file in the Downloaded Program Files. There was a new one there, from today:

D27CDB6E-AE6D-11CF-96B8-44455354000 Active X Control fpdownload2.macromedia.com/get/shockwave version 10.0.42.34 Description/Company/Language/Copyright: all “unknown”

I’ve deleted it.

I’ve checked/ searched everywhere for Adobe Download Manager but no trace of it.

The offending file is shown by Secunia as C:\WINDOWS\Downloaded Program Files\PhotoUploader 5.ocx

I followed the Secunia Fix and got three new files: PhotoUploader 55 (Set Up information), unicows.dll and PhotoUploader55.ocx but there are no Run/install buttons on them.

I'm so sorry to take up your time Maurice.

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
taffy078 RE: Facebook Photo Uploader Active X problem
Contributor 22nd Feb, 2010 11:04
Score: 408
Posts: 1,321
User Since: 26th Feb 2009
System Score: 100%
Location: UK
PS What I find extremely frustrating is I have Norton Internet Security, AdAware and Spywareblaster. I check for updates every day rather than rely on automatic updates.
Yet this happens! humph.

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
taffy078 RE: Facebook Photo Uploader Active X problem
Contributor 22nd Feb, 2010 11:07
Score: 408
Posts: 1,321
User Since: 26th Feb 2009
System Score: 100%
Location: UK
PPS and I don't even use Facebook. My daughters have, so when this episode is over, I'll delete anything to do with Facebook!

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Maurice Joyce RE: Facebook Photo Uploader Active X problem
Handling Contributor 22nd Feb, 2010 12:02
Score: 11615
Posts: 8,906
User Since: 4th Jan 2009
System Score: N/A
Location: UK
My time is not important. I am reluctant to declare the fact that I think it is a Rootkit so the search goes on.

Although very boring could U please confirm:

1. U have checked the properties of all the entries in C:\WINDOWS\Downloaded program files & U are 100% certain the Photoloader5.ocx is not lurking?

2. That this data is correct C:\WINDOWS\Downloaded program files\PhotoUploader5.ocx in that we are looking for an issue with the C drive.

3. Please open IE. Go to Tools>from the drop down box select Manage Add Ons> is there an entry there?

I have got an appointment shortly to fix a PC. If the above has not found the issue then I need a clue as to whether it is a Rootkit.

Please download Malwarebytes from here:
http://www.malwarebytes.org/

Once installed disable Ad Watch - run a full scan.
If the scanner will not start STOP what U are doing because I need that information.
If it does start let it run & act on any recommendations it makes - again I would like to know the result.

Will be back later








--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
taffy078 RE: Facebook Photo Uploader Active X problem
Contributor 22nd Feb, 2010 13:44
Score: 408
Posts: 1,321
User Since: 26th Feb 2009
System Score: 100%
Location: UK
on 22nd Feb, 2010 12:02, Maurice Joyce wrote:
My time is not important. I am reluctant to declare the fact that I think it is a Rootkit so the search goes on.

Although very boring could U please confirm:

1. U have checked the properties of all the entries in C:\WINDOWS\Downloaded program files & U are 100% certain the Photoloader5.ocx is not lurking?

2. That this data is correct C:\WINDOWS\Downloaded program files\PhotoUploader5.ocx in that we are looking for an issue with the C drive.

3. Please open IE. Go to Tools>from the drop down box select Manage Add Ons> is there an entry there?

I have got an appointment shortly to fix a PC. If the above has not found the issue then I need a clue as to whether it is a Rootkit.

Please download Malwarebytes from here:
http://www.malwarebytes.org/

Once installed disable Ad Watch - run a full scan.
If the scanner will not start STOP what U are doing because I need that information.
If it does start let it run & act on any recommendations it makes - again I would like to know the result.

Will be back later


I confirm #1 and #2, Maurice. Nothing lurking in Downloaded Program files and it's def. the C drive shown by Secunia scan.
3. When I tried to open Manage Add-ons I got an error message "instruction at 0x04b30068 referenced memory at 0x04b30068 could not be written."
4. I downloaded Malwarebytes - but couldn't find Ad Watch. Is this in the Paid version perhaps?
5. Full scan being done - currently 93510 items scanned - 1 hour 15 minutes. Found 15 infected items so far.
I've got to pop out now for a half hour so I'll leave it scanning.

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
taffy078 RE: Facebook Photo Uploader Active X problem
Contributor 22nd Feb, 2010 15:40
Score: 408
Posts: 1,321
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Last edited on 22nd Feb, 2010 15:41
Hi. Scanning completed. 350,000 files in just under 3 hours. 20 objects found:
Malwarebytes' Anti-Malware 1.44
Database version: 3774
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

22/02/2010 14:38:04
mbam-log-2010-02-22 (14-38-04).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 346459
Time elapsed: 2 hour(s), 56 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 17
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{79f562e5-768c-4494-8e6c-824ada4a9c2c} (Adware.AdRotator) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fc3c36d-7635-4d43-ba62-0d9d2f2cd06e} (Adware.Fotomoto) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{79f562e5-768c-4494-8e6c-824ada4a9c2c} (Adware.AdRotator) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{6fc3c36d-7635-4d43-ba62-0d9d2f2cd06e} (Adware.Fotomoto) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2eff3cf7-99c1-4c29-bc2b-68e057e22340} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Relevant Knowledge (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\WhoisCL.exe (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.

I'll run another Secunia scan now, Maurice.

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
taffy078 RE: Facebook Photo Uploader Active X problem
Contributor 22nd Feb, 2010 15:54
Score: 408
Posts: 1,321
User Since: 26th Feb 2009
System Score: 100%
Location: UK
nope - the PhotoUploader is still there in my C Drive Downloaded files. I'll trawl through everything again.

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
taffy078 RE: Facebook Photo Uploader Active X problem
Contributor 22nd Feb, 2010 19:25
Score: 408
Posts: 1,321
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Last edited on 22nd Feb, 2010 19:26
I don't know why I didn't click on the Open Folder icon on the scan results page before, Maurice, but I have just now.

There's a message:
_______________________________

"The program has been detected in a special folder on your PC. This means that opening the folder where this program was found, most likely won't display for you the actual file.

You can, however, open a "Command Prompt" and go to the directory and see the files with 'dir'. Do this by:
1) Press "Start" then select "Run . . "
2) Type "cmd" and click "Ok"
3) In the new window, type "cd C:\WINDOWS\Downloaded Program Files\"
4) type "dir"

Do you still want to open the folder?"
_________________________________________

Should I do this next, Maurice?

Gotta go now to eat - it'll probably be stale bread and warm water, given the day I've had today!

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Maurice Joyce RE: Facebook Photo Uploader Active X problem
Handling Contributor 22nd Feb, 2010 21:49
Score: 11615
Posts: 8,906
User Since: 4th Jan 2009
System Score: N/A
Location: UK
That is merely taking us where we have already been. We can give that a look later.

Have U cleared the IE cache? Open the browser>look for the SAFETY TAB (normally top right)>select Delete Browsing History (tick the boxes U want in ADDITION to the TOP 4 which should be ticked by default).

Go to Start>Run>type in REGEDIT>at the top click on EDIT>from the drop down box select FIND>in the box provided type in PHOTOUPLOADER>click find next

Does it find anything? If it finds an entry make a note of the highlighted bit on the RIGHT screen.

Keep clicking the FIND NEXT option from the EDIT drop down box until U are told it has finished the search. NOTE ALL RIGHT HAND highlighted entries.

Do exactly the same thing again only this time type in DC7.exe in the search box. Anything?

Close REGEDIT via the red box (top right) & post any info.

Go to Start>search>(ensure the C drive is selected/all files & folders including hidden ones) - type in set6930.tmp - anything?

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
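
The PSI message quoted earlier in the thread says Explorer does not show the real contents of C:\WINDOWS\Downloaded Program Files, and the reply above searches the registry for PHOTOUPLOADER by hand. As an added example (not part of the original thread and not Secunia's or any poster's code), this read-only PowerShell script lists the files actually on disk in that folder and the COM registrations that mention the control. Assumptions: the function names are hypothetical, the Wow6432Node root only exists on 64-bit Windows, and the SharedDLLs lookup assumes that is where a REG_DWORD value named after a file path lives.

```powershell
# Added example: read-only inventory. Nothing is deleted or unregistered.
$Needle = 'PhotoUploader'   # search term used in the thread
$Dpf    = Join-Path $env:windir 'Downloaded Program Files'

# 1. Real directory contents. Explorer renders this folder through a shell
#    extension (a list of registered controls), so read the file system
#    directly and include hidden and system files.
function Get-DpfFile {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    Get-ChildItem -LiteralPath $Path -Force |
        Where-Object { -not $_.PSIsContainer } |
        Select-Object Name, Length, LastWriteTime,
            @{ Name = 'FileVersion'; Expression = { $_.VersionInfo.FileVersion } }
}

# 2. COM class registrations whose friendly name or in-process server path
#    contains the search term. OnDisk tells whether the registered file exists.
function Get-ComRegistration {
    param([string]$Pattern)
    $rx    = [regex]::Escape($Pattern)
    $roots = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID',
             'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID'
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in (Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue)) {
            $name   = [string]$key.GetValue('')      # (Default) value
            $server = ''
            $sub    = $key.OpenSubKey('InprocServer32')
            if ($sub) {
                $server = ([string]$sub.GetValue('')).Trim('"')
                $sub.Close()
            }
            if ($name -match $rx -or $server -match $rx) {
                New-Object PSObject -Property @{
                    Clsid  = $key.PSChildName
                    Name   = $name
                    Server = $server
                    OnDisk = [bool]($server -and (Test-Path -LiteralPath $server))
                } | Select-Object Clsid, Name, Server, OnDisk
            }
        }
    }
}

# 3. Shared-DLL reference counts: value names are file paths, data is a
#    REG_DWORD count (assumed location of the REG_DWORD entry reported later).
function Get-SharedDllReference {
    param([string]$Pattern)
    $path = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs'
    if (-not (Test-Path -LiteralPath $path)) { return }
    $rx  = [regex]::Escape($Pattern)
    $key = Get-Item -LiteralPath $path
    foreach ($valueName in $key.GetValueNames()) {
        if ($valueName -match $rx) {
            New-Object PSObject -Property @{
                File     = $valueName
                RefCount = $key.GetValue($valueName)
                OnDisk   = (Test-Path -LiteralPath $valueName)
            } | Select-Object File, RefCount, OnDisk
        }
    }
}

'Files physically present in ' + $Dpf
Get-DpfFile -Path $Dpf | Format-Table -AutoSize

'COM classes whose name or server path matches ' + $Needle
Get-ComRegistration -Pattern $Needle | Format-List

'Shared-DLL reference counts matching ' + $Needle
Get-SharedDllReference -Pattern $Needle | Format-List
```

A registration with OnDisk False is a leftover entry whose file is already gone; a file that section 1 lists but Explorer does not show is simply hidden by the folder's shell view.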
Anthony Wells RE: Facebook Photo Uploader Active X problem
Expert Contributor 22nd Feb, 2010 22:49
Score: 2428
Posts: 3,316
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

If it helps, this is what Online Armour has to say about the elusive .ocx's and their status, normal location, etc.:

http://www.tallemu.com/oasis2/file/facebook__inc_/...


http://www.tallemu.com/oasis2/report/photouploader...

Good hunting.

Anthony

--


It always seems impossible until it's done.
Nelson Mandela
taffy078 RE: Facebook Photo Uploader Active X problem
Contributor 23rd Feb, 2010 05:54
Score: 408
Posts: 1,321
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Hi Maurice.

regedit search for photouploader

Right screen #1:
Name: "ab" icon (Default)
Type: REG_SZ
Data: Facebook PhotoUploader5 Control
(on the left screen are two sub-folders, one is CurVer and the other is Insertable)

Right screen #2:
Name: "ab" icon (Default)
Type: REG_SZ
Data: value not set

Right screen #3:
Name: "ab" icon.Owner
Type: REG_SZ
Data: Unknown Owner

Right screen #4:
Name: C:\WINDOWS\Downloadable Program Files\PhotoUploader5
Type: REG_DWORD
Data: 0x00000001 (01)

Right screen #5:
Name: "ab" icon. 005
Type: REG_SZ
Data: PhotoUploader

Right screen #6:
Name: "ab" icon. 007
Type: REG_SZ
Data: PhotoUploader

REGEDIT search for DC7.exe found nothing

part 2 to follow

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
taffy078 RE: Facebook Photo Uploader Active X problem
Contributor 23rd Feb, 2010 05:59
Score: 408
Posts: 1,321
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Hi Maurice.

Search (via Start/Search) for set6930.tmp found nothing.

Regards

David

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
olaflacour RE: Facebook Photo Uploader Active X problem
Member 23rd Feb, 2010 09:11
Score: 0
Posts: 9
User Since: 10th Jun 2009
System Score: N/A
Location: N/A
Sorry, but you can't delete the file by using the DOS command. I have tried, but it isn't possible.
taffy078 RE: Facebook Photo Uploader Active X problem
Contributor 23rd Feb, 2010 10:08
Score: 408
Posts: 1,321
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Hi Olaf. Hopefully Maurice will be able to resolve this problem. In the meantime, you may wish to run through all the steps he's already posted?

(Maurice - Olaf has the same problem, by the looks:
http://secunia.com/community/forum/thread/show/358...)

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
olaflacour RE: Facebook Photo Uploader Active X problem
Member 23rd Feb, 2010 10:29
Score: 0
Posts: 9
User Since: 10th Jun 2009
System Score: N/A
Location: N/A
Hi Taffy

I have looked at all the correspondence, and I see the same problem. It is not an add, so it isn't possible to disconnect in IE. I have been in REGEDIT, but I can't delete it from here. You can delete data here, but the files still exist after doing that.

Secunia shows 2 items that I should update:

C:\WINDOWS\Downloaded Program Files\PhotoUploader5.ocx
C:\WINDOWS\Downloaded Program Files\ImageUploader5.ocx

I have tried to extract the files to the folder, but without success.

It isn't possible to do anything with files in the folder C:\WINDOWS\Downloaded Program Files\ - this is a closed folder!

We have to wait for a solution.....

Olaf
Maurice Joyce RE: Facebook Photo Uploader Active X problem
Handling Contributor 23rd Feb, 2010 11:05
Score: 11615
Posts: 8,906
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 23rd Feb, 2010 11:12
There is good news. I am now 99.99% sure U have not got a Rootkit & we are dealing with a straightforward file(s) that you cannot find.

Regedit has confirmed that Photouploader is there as found by Secunia in C:\WINDOWS\Downloadable Program Files\PhotoUploader5. Just a matter of finding it!!

1. Please confirm U have cleared the cache as requested.

2. I am interested in this entry.
Right screen #4:
Name: C:\WINDOWS\Downloadable Program Files\PhotoUploader5
Type: REG_DWORD
Data: 0x00000001 (01)


Please go back to the registry & search again for PHOTOUPLOADER.

This time I would like to know where it is located from the LEFT PANE.

Hopefully U will give me an answer like:

HKEY_CURRENT_USER Downloaded programs ......

or it might highlight an entry that should read
0CCA191D-13A6-4E29-B746-314DEE697D83

Edit: There is no great rush for a reply - I am off out to finish off the PC work I started yesterday.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
olaflacour RE: Facebook Photo Uploader Active X problem
Member 23rd Feb, 2010 11:37
Score: 0
Posts: 9
User Since: 10th Jun 2009
System Score: N/A
Location: N/A
Last edited on 23rd Feb, 2010 12:05
Hi Maurice

By searching with the word "PhotoUploader" I find keys here:
HKEY_CLASSES_ROOT\CLSID\{0CCA191D-13A6-4E29-B746-314DEE697D83}

- and
HKEY_CLASSES_ROOT\CLSID\{11C00D9C-F6B0-4470-A4EB-C9927DF57970}

- and
HKEY_CLASSES_ROOT\CLSID\{316DC664-0D6A-4505-A282-8C0248C27110}

- and
HKEY_CLASSES_ROOT\CLSID\{57D12894-A7FB-4239-A0F6-DFE13CF261BC}

- and
HKEY_CLASSES_ROOT\CLSID\{70A07902-4D50-4D4B-A5D2-914EFE80E94A}

- and
HKEY_CLASSES_ROOT\CLSID\{8100D56A-5661-482c-BEE8-AFECE305D968}

- and
HKEY_CLASSES_ROOT\CLSID\{A770F9B2-935A-4086-9C5E-1081EC6BAE61}

- and
HKEY_CLASSES_ROOT\CLSID\{E57034DA-F2E5-4e06-9393-FF54B1F00C39}

- and
HKEY_CLASSES_ROOT\Facebook.FacebookPhotoUploader5

- and
HKEY_CLASSES_ROOT\Facebook.FacebookPhotoUploader5.1

- and
HKEY_CLASSES_ROOT\TheFacebook.FacebookPhotoUploader5.5

- and
HKEY_CLASSES_ROOT\TheFacebook.FacebookPhotoUploader5.5.1

- and
HKEY_CLASSES_ROOT\TypeLib\{4A85DC9D-85B8-4A9E-A3A0-8E15002EA201}

- and
HKEY_CLASSES_ROOT\TypeLib\{C9C78BE1-AF82-4396-8CDA-1AC4F5933131}

- and
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0CCA191D-13A6-4E29-B746-314DEE697D83}

- and
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11C00D9C-F6B0-4470-A4EB-C9927DF57970}

- and
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{316DC664-0D6A-4505-A282-8C0248C27110}

- and
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{57D12894-A7FB-4239-A0F6-DFE13CF261BC}

- and
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{70A07902-4D50-4D4B-A5D2-914EFE80E94A}

- and
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8100D56A-5661-482c-BEE8-AFECE305D968}

- and
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A770F9B2-935A-4086-9C5E-1081EC6BAE61}

- and
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E57034DA-F2E5-4e06-9393-FF54B1F00C39}

- and
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Facebook.FacebookPhotoUploader5

- and
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Facebook.FacebookPhotoUploader5.1

- and
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TheFacebook.FacebookPhotoUploader5.5

- and
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TheFacebook.FacebookPhotoUploader5.5.1

- and
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4A85DC9D-85B8-4A9E-A3A0-8E15002EA201}

- and
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C9C78BE1-AF82-4396-8CDA-1AC4F5933131}

- and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database

- and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8100D56A-5661-482C-BEE8-AFECE305D968}

- and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/PhotoUploader5.ocx

- and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/PhotoUploader55.ocx

I don't need to clear data in the cache, because I never keep data in IE.

Hope it helps you to help others, because I can't use such data for anything...

Olaf

taffy078 RE: Facebook Photo Uploader Active X problem
Contributor 23rd Feb, 2010 12:03
Score: 408
Posts: 1,321
User Since: 26th Feb 2009
System Score: 100%
Location: UK
on 23rd Feb, 2010 11:05, Maurice Joyce wrote:
There is good news. I am now 99.99% sure U have not got a Rootkit & we are dealing with a straightforward file(s) that you cannot find.

Regedit has confirmed that Photouploader is there as found by Secunia in C:\WINDOWS\Downloadable Program Files\PhotoUploader5. Just a matter of finding it!!

1. Please confirm U have cleared the cache as requested.

2. I am interested in this entry.
Right screen #4:
Name: C:\WINDOWS\Downloadable Program Files\PhotoUploader5
Type: REG_DWORD
Data: 0x00000001 (01)


Please go back to the registry & search again for PHOTOUPLOADER.

This time I would like to know where it is located from the LEFT PANE.

Hopefully U will give me an answer like:

HKEY_CURRENT_USER Downloaded programs ......

or it might highlight an entry that should read
0CCA191D-13A6-4E29-B746-314DEE697D83

Edit: There is no great rush for a reply - I am off out to finish off the PC work I started yesterday.


Hi Maurice.

1) I’ve cleared the cache - if that’s what’s meant by
Internet Explorer/Tools/Internet Option/delete browsing history (ticking all seven boxes)
2) The entry in "right screen 4" above is in HKEY_LOCAL MACHINE / SOFTWARE / MICROSOFT / WINDOWS / CURRENT VERSION / MODULE USEAGE / SET UP / SHAREDDLLS

Hoping this helps.

David

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Maurice Joyce RE: Facebook Photo Uploader Active X problem
Handling Contributor 23rd Feb, 2010 17:11
Score: 11615
Posts: 8,906
User Since: 4th Jan 2009
System Score: N/A
Location: UK
David,
Looks like U have cleared the cache.

If it was my PC I would just delete that key but I want to be absolutely certain of what U are telling me before I confirm the action.

U claim U have found this in the LEFT hand pane.

HKEY_LOCAL MACHINE / SOFTWARE / MICROSOFT / WINDOWS / CURRENT VERSION / MODULE USEAGE / SET UP / SHAREDDLLS

LEFT click on that entry in the registry - what key shows up in the RIGHT pane?

It should be something like this

0CCA191D-13A6-4E29-B746-314DEE697D83

Olaf - I will come back to U.


--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
taffy078 RE: Facebook Photo Uploader Active X problem
Contributor 23rd Feb, 2010 18:37
Score: 408
Posts: 1,321
User Since: 26th Feb 2009
System Score: 100%
Location: UK
on 23rd Feb, 2010 17:11, Maurice Joyce wrote:
David,
Looks like U have cleared the cache.

If it was my PC I would just delete that key but I want to be absolutely certain of what U are telling me before I confirm the action.

U claim U have found this in the LEFT hand pane.

HKEY_LOCAL MACHINE / SOFTWARE / MICROSOFT / WINDOWS / CURRENT VERSION / MODULE USEAGE / SET UP / SHAREDDLLS

LEFT click on that entry in the registry - what key shows up in the RIGHT pane?

It should be something like this

0CCA191D-13A6-4E29-B746-314DEE697D83

Olaf - I will come back to U.


Hi again Maurice. Left-clicking on SharedDlls in the above "route/pathway"? brings up dozens of REG_DWORD entries, including

Name: C:\WINDOWS\Downloadable Program Files\PhotoUploader5
Type: REG_DWORD
Data: 0x00000001 (01)

All of them have similar names, nearly all .dll but only one of them has the style you mention. It's "8CD7F5AF-ECFA- etc etc.

I'm happy to follow your advice and just delete it. If I do a 'save' under System Restore, will it bring it back later if I need to?
As I see it, I don't use Face Book so if I 'lose' their PhotoUploader, it won't be the end of the world.

Oh no. It's just started snowing again! It looks like it will stick so I'll have to stay in tomorrow anyway! :0)
You're a star, Maurice but please don't blush!

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Maurice Joyce RE: Facebook Photo Uploader Active X problem
Handling Contributor 23rd Feb, 2010 19:06
Score: 11615
Posts: 8,906
User Since: 4th Jan 2009
System Score: N/A
Location: UK
David,
Creating a Restore Point is a good idea if U have that feature turned on.
Deleting from the Registry is PERMANENT.

The trouble is with editing the registry is that there is a possibility of the Black Screen Of Death at boot if the wrong key is removed in which case the restore point is useless because the system will not boot into Windows in any mode.

That is why I need exact answers to my questions so I do not give U bad advice.

We have proved beyond doubt that the little blighter is in fact in

C:\WINDOWS\Downloaded program files\PhotoUploader5.ocx

It is safer for U to go back here and investigate further.

Navigate back to
C:\WINDOWS\Downloaded program files\PhotoUploader5.ocx

Please give me an exact list of all the entries U find.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
olaflacour RE: Facebook Photo Uploader Active X problem
Member 23rd Feb, 2010 21:00
Score: 0
Posts: 9
User Since: 10th Jun 2009
System Score: N/A
Location: N/A
tnx Maurice

I will wait.

Olaf
taffy078 RE: Facebook Photo Uploader Active X problem
Contributor 24th Feb, 2010 09:14
Score: 408
Posts: 1,321
User Since: 26th Feb 2009
System Score: 100%
Location: UK
"Navigate back to
C:\WINDOWS\Downloaded program files\PhotoUploader5.ocx

Please give me an exact list of all the entries U find."

There are 32 programs there, Maurice but that file isn't there now.

I'll rescan with Secunia to see what that brings.

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
taffy078 RE: Facebook Photo Uploader Active X problem
Contributor 24th Feb, 2010 09:24
Score: 408
Posts: 1,321
User Since: 26th Feb 2009
System Score: 100%
Location: UK
I've just rescanned - it's still picking it up as an insecure program, pointing me to
C:\WINDOWS\Downloaded Program Files\PhotoUploader5.ocx.
Should I create an 'ignore rule' for it?

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Maurice Joyce RE: Facebook Photo Uploader Active X problem
Handling Contributor 24th Feb, 2010 10:06
Score: 11615
Posts: 8,906
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 24th Feb, 2010 11:39
Up to U but U are hiding a vulnerability. It is there and is dependent on one of the 32 U can see. By listing them, I will be able to give U a clue of which one it is.

U can of course do it yourself.

On each entry RIGHT click & look at the properties - in the box that appears is a tab called DEPENDENCY - that will reveal which one is used by the vulnerable file.



--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
taffy078 RE: Facebook Photo Uploader Active X problem
Contributor 24th Feb, 2010 12:00
Score: 408
Posts: 1,321
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Last edited on 24th Feb, 2010 12:01
on 24th Feb, 2010 10:06, Maurice Joyce wrote:
Up to U but U are hiding a vulnerability. It is there and is dependent on one of the 32 U can see. By listing them, I will be able to give U a clue of which one it is.

U can of course do it yourself.

On each entry RIGHT click & look at the properties - in the box that appears is a tab called DEPENDENCY - that will reveal which one is used by the vulnerable file.


Hi Maurice. I am slowly working my way through them. I'll post them in batches but first I'd like to show you this:

Java Runtime Environment 1.6.0. THERE ARE THREE OF THESE. All are ActiveX Control, version 6,0,170,4 and are showing unknown Description and Company. Size of each is 0 bytes.

ALL ARE SHOWING LAST ACCESSED ON 11/10/2073

#1 ID {8AD9C840-044E-11D1-B3E9-00805F499D93} Created on 23.02.09
#2 ID {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} Created on 23.02.09
#3 ID {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} Created on 11.10.2009

Is it normal to have IDs like #2 and #3? The letters are reversed.
And is 11/10 a co-incidence?

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
taffy078 RE: Facebook Photo Uploader Active X problem
Contributor 24th Feb, 2010 12:40
Score: 408
Posts: 1,321
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Here's the entire list. 1 of 3:

(Dependency in brackets)
I haven’t shown the Java packages on which some depend.

Checkers Class (C:\WINDOWS\DOW…\MSGRCHKR.DLL) 132 KB
DevicEnum Class (C:\WINDOWS\DOWNLOA…\SETUP.INF) 4 KB
GMNRev Class (C:\WINDOWS\DOWNLOA…\SETUP.INF) 4 KB
iCC Class (C:\WINDOWS\…\PCPCONNCHECK.DLL) 86 KB and
(C:\WINDOWS\D…\MSGRCHKR.INF) 4KB
Installation Support (C:\PRO…\YINSTHELPER20073151.DLL) 213 KB and
(C:\PROGRAM FIL…\YINSTHELPER.DLL) 195 KB and
(C:\PROGRAM FILES\YAHO…\YINST.INF) 4 KB


--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
taffy078 RE: Facebook Photo Uploader Active X problem
Contributor 24th Feb, 2010 12:41
Score: 408
Posts: 1,321
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Here's #2 of 3:

Java Runtime Environment 1.6.0. THERE ARE THREE OF THESE. All are ActiveX Control, version 6,0,170,4 and are showing unknown Description and Company. Size of each is 0 bytes.
ALL ARE SHOWING LAST ACCESSED ON 11/10/2073
#1 ID {8AD9C840-044E-11D1-B3E9-00805F499D93} Created on 23.02.09
#2 ID {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} Created on 23.02.09
#3 ID {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} Created on 11.10.2009

MessengerStatsClient Class (C:\...\MESSENGERSTATSPACECLIENT.DLL) 307 KB
Microsoft Data Collection Control (C:\WINDOWS\DOWNL…\MSDCODE.DLL) 397KB
Minesweeper Flags Class (C:\WINDOWS\D…\MINESWEEPER.DLL) 131KB
MSN Games Installer (C:\WINDOWS\DOWNLO…\ZINTRO.OCX) 159KB
MUWebControl Class (C:\WINDOWS\DOWNLO…\MUWEB.INF) 4KB and
(C:\WINDOWS\SYSTE…\MUWEB.DLL) 217KB
Oberon Flash Game Host (C:\WI…\OBERONGAMEHOST_DBG.INF) 4KB and
(C:\WINDO…\OBERONGAMEHOST.DLL) 635KB
Office Genuine Advantage Validation Tool (C:\WINDO…\OGACHECKCONTROL.DLL) 696KB and
(C:\WINDOWS\DO…\OGACONTROL.INF) 4KB


--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
taffy078 RE: Facebook Photo Uploader Active X problem
Contributor 24th Feb, 2010 12:42
Score: 408
Posts: 1,321
User Since: 26th Feb 2009
System Score: 100%
Location: UK
and here's the final third of the list:

PCPitstop Exam (C:\WINDOWS\DOW…\PCPITSTOP2.DLL) 389,120 bytes and
(C:\WINDOWS\DOW…\PCPITSTOP2.DLL) 385,024 bytes and
(C:\WINDOWS\DOW…\PCPITSTOP2.DLL) 385,024 bytes
PreQualifier Class (C:\WINDOWS\…\MOTIVEPREQUAL.INF) 4KB
Shockwave ActiveX Control. There are two of these. Both are showing created 18/01/2010. Both are versions 11,5,6, 606 and 4KB. Different IDs though:
{166B1BCA-3F9C-11CF-8075-444553540000} and
{233C1507-6A77-46A4-9443-F871F945D258}
Shockwave Flash Object (C:\WIN…\FP_AX_CAB_INSTALLER.EXE) 1.9KB and
(C:\WINDOWS\DOWNL…\SWFLASH.INF) 4KB
Solitaire Showdown Class (C:\WIND…\ SOLITAIRESHOWDOWN.DLL) 140KB
Symantec Download Manager (C:\WINDOWS\DOW…\SYMDLMGR.DLL) 450KB and
(C:\WINDOWS\DOWN…\ SYMDLMGR.INF) 4KB
Symantec RuFSI Utility Class (C:\WINDOWS\DOWNLOAD…\CABSA.INF) 4KB and
(C:\WINDOWS\DOWNLOAD…\ RUFSI.DLL) 4KB

System Requirements Lab (C:\WINDOWS\...\SYSREQLAB_NVD.DLL) 356KB and
(C:\WINDOWS\DO…\ SYSREQLAB.OSD) 4KB
UnoCtrl Class (C:\WINDOWS\DOW...\GAME_UNO1.DLL) 386KB and
(C:\WINDOWS\DOW…\ GAME_UNO1.INF) 4KB
Webhelper Class (C:\WINDOWS\...\BTWEBCONTROL.DLL) 167KB and
(C:\WINDOWS\...\BTWEBCONTROL.INF) 4KB

Windows Live Safety Center Base Module (C:\WINDOWS\DOWN...\WLSCBASE.DLL) 458KB and
(C:\WINDOWS\DOWN...\WLSCBASE.INF) 4KB

WUWebControl Class (C:\WINDOWS\DOWNLO...\WUWEB.INF) 4KB and
(C:\WINDOWS\SYSTE...\WUWEB.DLL) 213KB
Yahoo! Chess (C:\WINDOWS\D...\YAHOO!CHESS.OSD) 4KB
Yahoo! Poker (C:\WINDOWS\...\YAHOO!POKER.OSD) 4KB
Yahoo! Pool2 (C:\WINDOWS\D..\YAHOO!POOL2.OSD) 4KB
ZoneChess Object (C:\WINDOWS\Downloa..\CHESS.OSX) 380KB


--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
taffy078 RE: Facebook Photo Uploader Active X problem
Contributor 24th Feb, 2010 12:47
Score: 408
Posts: 1,321
User Since: 26th Feb 2009
System Score: 100%
Location: UK
PS I see there was a vulnerability in version 4 too:
http://secunia.com/advisories/28713/

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
M.Hansen RE: Facebook Photo Uploader Active X problem
Secunia Official 24th Feb, 2010 13:51
Score: 188
Posts: 410
User Since: 26th Jan 2009
System Score: N/A
Location: Copenhagen, DK
Hi

ActiveX Controls are located in "C:\Windows\Downloaded Program Files\"

On Windows XP and Vista:
Looking in this folder will NOT display the files the PSI detects. Instead, use the Command Prompt to see the content of the folder and locate the insecure files.
If a Solution Download link is not available and you can't replace the old files with the patched one, a possible solution could be to remove the insecure files from the system, and let the website that needs them install the needed files next time you visit the page that uses the ActiveX Control. Please note that deleting files may cause some programs to lose functionality.

Command Prompt Guide:

(On Windows XP only)

Go to "Start" -> "All Programs" -> "Accessories" -> "Command Prompt"

(On Windows Vista only)

Go to "Start" -> "All Programs" -> "Accessories" ->, right click the "Command Prompt" Program and run as admin

A black windowbox should now appear.
Type: cd "c:\Windows\Downloaded Program Files\"

To see the content of the folder, type: dir

You should now be able to see the files with their filenames and file extension (such as .dll or .ocx)

To delete files type: del filename.fileextension
Example: del ActiveX.ocx

On Windows 7:
With Windows 7 you can now see the files as normal files (.dll, .ocx, etc.)
Simply replace the needed files or delete them if needed.
olaflacour RE: Facebook Photo Uploader Active X problem
Member 24th Feb, 2010 15:50
Score: 0
Posts: 9
User Since: 10th Jun 2009
System Score: N/A
Location: N/A
Hi M.Hansen

If you read all threads, then you will see it isn't possible to delete anything in this map. I have tried 2 times without success.

This is just shit and crap from Facebook

Olaf
Maurice Joyce RE: Facebook Photo Uploader Active X problem
Handling Contributor 24th Feb, 2010 16:09
Score: 11615
Posts: 8,906
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Thanks Morten,
I am working on the assumption that neither David nor Olaf can identify the "bit" to delete wherever they look.

Fred was heading in that direction in the first instance but lack of positive ID prevents the deletion of the offender.

Having seen entries in their registries & got more of a handle on it both might now be able to "see" the blighter(s) & dump them the traditional way as U describe.

Olaf - U have more than one entry. Can U identify them by the method described?

Edit: Olaf - I see U have responded. Let me see how this pans out with David before I get back to U.

I have posted this 3 times - other attempts did not register - If 3 entries appear I apologise.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
taffy078 RE: Facebook Photo Uploader Active X problem
Contributor 24th Feb, 2010 20:43
Score: 408
Posts: 1,321
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Hi Maurice. I saw Morten's reply earlier. But as you have invested so much of your spare time in this problem, I'd like to stick with your thoughts - I'm sure Morten will understand.

So did the Java Runtime Environment files stick out as the possible problem, Maurice?

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
taffy078 RE: Facebook Photo Uploader Active X problem
Contributor 24th Feb, 2010 21:04
Score: 408
Posts: 1,321
User Since: 26th Feb 2009
System Score: 100%
Location: UK
sorry guys but I decided to try Morten's solution. I've done nothing but shovel blasted snow all day today and I didn't want to take up any more of Maurice's time, especially as Olaf now needs your help, Maurice.

It worked!!! Yippeeeeeeeeeeeeeeeeeeeeeeee. It's really cheered me up.

Thank you ever so much Maurice, and Morten. Much appreciated.

Especially as I needed cheering up - I've just had the results of my annual medical "MOT" - in the UK, it's free for people "of a certain age" (30+!).

The doctor said I've got pneumonoultramicroscopicsilicovolcanoconiosis.

Well, he thinks I have. Apparently it's hard to say. ;0)

Thank you all again, especially Maurice. I'll stick to the "IE8 - German Government" thread from now on!

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
taffy078 RE: Facebook Photo Uploader Active X problem
Contributor 24th Feb, 2010 21:06
Score: 408
Posts: 1,321
User Since: 26th Feb 2009
System Score: 100%
Location: UK
oops - in my excitement, I forgot the rather strange entries for Java Runtime Environment files - see above. Should I delete these and be told later, when I need them, to install them again?

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Maurice Joyce RE: Facebook Photo Uploader Active X problem
Handling Contributor 24th Feb, 2010 21:28
Score: 11615
Posts: 8,906
User Since: 4th Jan 2009
System Score: N/A
Location: UK
David,
Pleased everything is OK - I perhaps got the wrong end of the stick in your case - I thought U could not identify the file by name. Never mind U eventually got there.

From your logs I suspect U use BT as your ISP? Could not help seeing U have some bloatware/hassleware on board. If U are happy with your set up so be it - if U want to know more just let me know.

Olaf - Below is my bog standard ActiveX remover. Your situation is not that much different from David who has managed to find the file & deleted it. In your case U need to find a few more which I suggest U delete one at a time. Give it a try & let me know the outcome.

REMOVING ACTIVEX
=================
The traditional method to remove ActiveX is:

* * * Windows XP
++++++++++++++++


Launch the command prompt from accessories in the programs list or go to Start>run> and type cmd in the box that appears.
type: cd c:\windows\downloaded program files
press enter
type: dir
press enter
find the files you wish to remove from the list that appears
type: del now type the details of the file found above
press enter
type: exit
press enter

* * * Vista
+++++++++++

Click Start>In the search box type cmd
A Command Prompt icon will display at the top
Right click on it & select "Run as administrator"
type: cd c:\windows\downloaded program files
press enter
type: dir
press enter
find the file you wish to remove from the list that appears
type: del now type the details of the file found above
press enter
type: exit
press enter

Windows 7
+++++++++
Life is much simpler with Windows 7.

Just note the FILE PATH of the insecurity highlighted by Secunia by clicking the + sign next to the entry> click OPEN FOLDER in the toolbox>a screen will appear>click OK>now select the file noted in the FILE PATH & zap it.


--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
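The listing step from the two Command Prompt guides above, extended into a read-only inventory; this is an added PowerShell example, not part of any poster's reply. The registry paths are the ones olaflacour's search returned; the InprocServer32 lookup and the choice of the 32-bit registry view are assumptions of this example (standard COM registration, and where a 32-bit IE control registers on 64-bit Windows).

```powershell
# Read-only inventory of downloaded ActiveX files and their registrations.
# Nothing is deleted or modified. Needs PowerShell 3+ / .NET 4.
$dpf = Join-Path $env:SystemRoot 'Downloaded Program Files'

# 1. Real directory contents. -Force includes hidden and system files,
#    which the Explorer view of this folder hides on XP and Vista.
$files = @(Get-ChildItem -LiteralPath $dpf -Force -ErrorAction SilentlyContinue |
           Where-Object { -not $_.PSIsContainer })
$files | Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize

# 2. Open HKLM in the 32-bit view (assumption: the control is 32-bit;
#    on 32-bit Windows this is the same as the default view).
$hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
    [Microsoft.Win32.RegistryHive]::LocalMachine,
    [Microsoft.Win32.RegistryView]::Registry32)

function Get-SubKeyNames($base, [string]$path) {
    # .NET is used instead of the HKLM: drive because ModuleUsage subkey
    # names contain '/' characters, which the registry drive treats as
    # path separators.
    $key = $base.OpenSubKey($path)
    if ($null -eq $key) { return @() }
    try { return @($key.GetSubKeyNames()) } finally { $key.Close() }
}

$report = @()

# 3. ModuleUsage: one subkey per module, named after the file path
#    written with forward slashes (as in the search results above).
$mu = 'SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage'
foreach ($name in @(Get-SubKeyNames $hklm $mu)) {
    $file = $name.Replace('/', '\')
    if ($file -notlike "$dpf\*") { continue }   # only this folder
    $report += [pscustomobject]@{
        Source = 'ModuleUsage'; Id = ''; File = $file
        OnDisk = (Test-Path -LiteralPath $file)
    }
}

# 4. Distribution Units: one subkey per installed control. Where the
#    subkey name is a CLSID, its InprocServer32 default value is the
#    file that implements the control.
$du = 'SOFTWARE\Microsoft\Code Store Database\Distribution Units'
foreach ($id in @(Get-SubKeyNames $hklm $du)) {
    $srv  = $hklm.OpenSubKey("SOFTWARE\Classes\CLSID\$id\InprocServer32")
    $file = ''
    if ($srv) { $file = [string]$srv.GetValue(''); $srv.Close() }
    $onDisk = $false
    if ($file) { $onDisk = Test-Path -LiteralPath $file }
    $report += [pscustomobject]@{
        Source = 'DistributionUnit'; Id = $id; File = $file; OnDisk = $onDisk
    }
}
$hklm.Close()

$report | Sort-Object Source, File |
    Format-Table Source, Id, OnDisk, File -AutoSize
```

A row with OnDisk True is a file a scanner can still find even though Explorer does not show it; a row with OnDisk False is a registration left behind after the file was removed.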
wlls2 RE: Facebook Photo Uploader Active X problem
Member 25th Feb, 2010 00:14
Score: 0
Posts: 3
User Since: 24th Feb 2010
System Score: N/A
Location: US
Last edited on 25th Feb, 2010 00:19
Use "Disk Cleanup" in Windows making sure to check the box next to "Downloaded Program Files", this will remove the "Facebook Photo Uploader 5 Control", rerun SPSI and you'll find the alert is gone.

Hope this helps.

--
Bill (not Gate$)
taffy078 RE: Facebook Photo Uploader Active X problem
Contributor 25th Feb, 2010 09:24
Score: 408
Posts: 1,321
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Thanks Maurice. I'd be happy to delete all the bloatware, the chocolate teapots, as you say!
Should I post a new thread?

BTW are you happy with the strange Java files I have?

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Maurice Joyce RE: Facebook Photo Uploader Active X problem
Handling Contributor 25th Feb, 2010 11:05
Score: 11615
Posts: 8,906
User Since: 4th Jan 2009
System Score: N/A
Location: UK
David,
I suggest it is a good idea to create a new thread called something like BT Hub Set Up.

It could be interesting to UK residents because there are settings that improve security. All I need to know is which hub U have. Mk1 is generally white & has green lights & has a small aerial. Mk 1.5 or the latest v2. The details are on the plate at the back. Please do not disclose any other details from the label.

As a wash up to this thread our journey was not a complete waste of time.

ORACLE JAVA. I have just looked at my test machine which is XP. There are 3 entries as U describe. Have U got the latest version of JAVA installed which is version 6 update 18?

The difference I see is that all mine are dated 16/1/10 with a version number of 6.0.180.7 which reflects the latest version.

LAVA SOFT AD AWARE
U mentioned somewhere in the thread that U had Lavasoft Ad Aware paid version installed. I asked U to switch off Ad Watch which U thought might be part of Malwarebytes. Ad Watch is part of Ad Aware & can be activated to give real time protection. Have U got it switched on?

I think I have posted elsewhere how to clear the Blue Screen Of Death if it occurs in XP with Lavasoft.

MALWAREBYTES Have U uninstalled Malwarebytes? If not, keep an eye on it - it does NOT like Ad Aware & they fight each other resulting in excessive CPU usage. I have dumped my Pro version of Ad Aware for the Pro version of Malwarebytes which is much more focused.

SYMANTEC (NORTON) INTERNET SECURITY U also have this installed. Works seamlessly with Malwarebytes but again does not like Ad Aware dependent on version. Lavasoft introduced an anti virus element into the latest & greatest Pro version. Once again this caused massive CPU usage as they battled for dominance.

It looks like your overall security set up is OK because our search proved that U had not got a Rootkit in relation to Photouploader after all.

ACTIVEX There is much hype about ACTIVEX. I have no concerns but they do need controlling. From your log U can clearly identify what most of them are for. Delete any that are redundant.

Hope this helps & pleased to hear U are back to 100%.



--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Anthony Wells RE: Facebook Photo Uploader Active X problem
Expert Contributor 25th Feb, 2010 19:33
Score: 2428
Posts: 3,316
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 25th Feb, 2010 19:41
Hello taffy and Maurice ,

FWIW, it is often recommended to run MBAM again after it has found the sort of aggressive "adware" which showed in your log and to keep rerunning MBAM until it shows clear. The first clear out can expose other stuff.

The following item will reappear as it refers to your Windows Security Centre status ; if your set up is as you wish , you can select to ignore this alert , and it will appear under the "ignore list" tab

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

SuperAntiSpyware is a very good (complimentary) partner to MBAM and they don't fight ; they both have free and paid versions , I have both as free versions and so only get on "demand scans" , this is fine for me as I prefer to have only one "active guard" running at a time and the one in my Security Suite does all I require .

I have found they are better for me than AdAware , in all respects , which became very uppity on my system when they added the A/V stuff 14 months or so ago

Take care

Anthony

PS: look away now taffy, you won't want to know that our temperature today is 16°C nor that the first strawberries are in from Maroc at 3 to 5 € per kilo :))))

--


It always seems impossible until its done.
Nelson Mandela
