
Spyware [CLOSED]


  • This topic is locked

#16 richt (Member, Topic Starter, 18 posts)
Did you want the HijackThis log as well?

Edited by richt, 22 April 2008 - 03:54 AM.

  • 0


#17 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Do you know what this file is for? -> D:\Workflow.exe

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\classes\CLSID\{AF8B3C81-CD19-45FB-B6BE-160D27711DE8}]
[-hkey_classes_root\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}]
[-hkey_local_machine\system\currentcontrolset\control\print\monitors\zepmon]
[-hkey_local_machine\system\controlset001\control\print\monitors\zepmon]
[-hkey_classes_root\clsid\{08a60acf-5b9e-489a-bed5-8dddaa7211d6}]
[-hkey_classes_root\clsid\{3d20508e-59b9-4602-9cf9-49387e9d9beb}]
[-hkey_classes_root\clsid\{471a13e6-8188-47f9-b35e-277de04ff2e2}]
[-hkey_classes_root\clsid\{5e022a40-7cc4-4eba-a143-8d5c3b8838db}]
[-hkey_classes_root\clsid\{ad2069f5-4ecd-48e0-a478-2d0e34d6dc32}]
[-HKEY_LOCAL_MACHINE\software\classes\CLSID\{08A60ACF-5B9E-489A-BED5-8DDDAA7211D6}]
[-hkey_classes_root\clsid\{d7f152aa-2fe1-4cfa-9838-6782bf85c929}]
[-hkey_classes_root\clsid\{d8cb10e7-601a-4176-b6b5-cefa244d4dea}]
[-hkey_classes_root\bayesobj.bayesianobject]
[-HKEY_CLASSES_ROOT\TypeLib\{0AC17D72-80F3-4F79-BFCC-9A779BA70334}]
[-HKEY_CLASSES_ROOT\TypeLib\{AEF5EB3E-0739-4A12-83F3-77249D80F63F}]
[-hkey_classes_root\bayesobj.whitelistobject]
[-hkey_classes_root\cconfirmationobject.cconfirmationob]
[-hkey_classes_root\cconfirmationobject.cconfirmationob.1.0]
[-hkey_classes_root\cemailprompt.cemailprompt]
[-hkey_classes_root\cemailprompt.cemailprompt.1.0]
[-HKEY_LOCAL_MACHINE\software\classes\CLSID\{3D20508E-59B9-4602-9CF9-49387E9D9BEB}]
[-HKEY_LOCAL_MACHINE\software\classes\CLSID\{471A13E6-8188-47F9-B35E-277DE04FF2E2}]
[-hkey_classes_root\noah.cdownloadprogresscontroller]
[-hkey_classes_root\noah.cdownloadprogresscontroller.1]
[-hkey_classes_root\noah.registrationobj]
[-hkey_classes_root\noah.registrationobj.1]
[-hkey_classes_root\bayesobj.mailitem]
[-hkey_classes_root\bayesobj.bayesianobject.1]
[-HKEY_LOCAL_MACHINE\software\classes\CLSID\{5E022A40-7CC4-4EBA-A143-8D5C3B8838DB}]
[-HKEY_LOCAL_MACHINE\software\classes\CLSID\{AD2069F5-4ECD-48E0-A478-2D0E34D6DC32}]
[-HKEY_LOCAL_MACHINE\software\classes\CLSID\{D8CB10E7-601A-4176-B6B5-CEFA244D4DEA}]
[-HKEY_LOCAL_MACHINE\software\classes\CLSID\{D7F152AA-2FE1-4cfa-9838-6782BF85C929}]
[-HKEY_LOCAL_MACHINE\software\classes\CLSID\{B5DD9A64-5C4B-4A48-BE56-97C1A8F85708}]
[-hkey_classes_root\fastvideoplayer.fastvideoplayerctrl.1]
[-hkey_classes_root\fastvideoplayer.fastvideoplayerctrl]
[-hkey_classes_root\clsid\{b5dd9a64-5c4b-4a48-be56-97c1a8f85708}]
[-hkey_local_machine\software\asdplugin]
[-HKEY_CLASSES_ROOT\TypeLib\{03f8822f-8877-4002-8bcd-b532d53d8471}]


Save the file as "delete.reg". Make sure to save it with the quotes. Close Notepad. Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.


Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O4 - HKLM\..\Run: [Workflow] D:\Workflow.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O24 - Desktop Component 0: My Current Home Page - About:Home


Go to Start->Run and type in regsvr32 /u occache.dll and hit OK.

Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\WINDOWS\system32\libcurl.dll
c:\windows\system32\ide21201.vxd
c:\windows\inf\fastvideoplayer.inf
c:\program files\common files\oem common


Go to Start->Run and type in regsvr32 occache.dll and hit OK.

Restart and run a new Panda scan. Post the log here along with a new HijackThis log.

Try running DSS again and see if you can get that second log now.

Any improvement?

Edited by greyknight17, 22 April 2008 - 06:50 PM.

  • 0
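The merge script and HijackThis lines in the reply above are worth reviewing as text before anything is merged. The following Python is an added example, not code from the forum post, from HijackThis or from Microsoft: it parses a REGEDIT4 script and reports which keys it would delete, folds the HKEY_CLASSES_ROOT spelling and its HKLM\Software\Classes alias together (HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes, which is why the script above lists several CLSIDs twice), flags any section that would write rather than delete, and expands the `HKLM\..\Run` shorthand used in O4 lines into the full Run key path. It never touches the live registry. The sample .reg text is constructed from a few of the keys quoted above plus two deliberately bad lines; the regexes, function names and `SAMPLE_*` constants are my own.

```python
"""Pre-merge review of a REGEDIT4 cleanup script and HijackThis O4 lines.
Added example (not code from the forum post, HijackThis or Microsoft):
it only parses text and never touches the live registry."""
import re
from collections import OrderedDict

# "[-KEY]" deletes a key; "[KEY]" creates or updates it. A cleanup script
# should contain only the former, so anything else is reported.
SECTION_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")

# HijackThis prints "HKLM\..\Run" as shorthand for the full Run key path.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<subkey>Run\w*): "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)

HIVES = {
    "HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
    "HKEY_CLASSES_ROOT": "HKCR", "HKEY_USERS": "HKU",
    "HKEY_CURRENT_CONFIG": "HKCC",
}

# Constructed sample: four keys quoted in the thread plus two deliberately
# bad lines (a section that would write, and an unknown hive).
SAMPLE_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\software\classes\CLSID\{AF8B3C81-CD19-45FB-B6BE-160D27711DE8}]
[-hkey_classes_root\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}]
[-hkey_local_machine\system\currentcontrolset\control\print\monitors\zepmon]
[-hkey_local_machine\software\asdplugin]
[HKEY_CURRENT_USER\Software\ExampleWrite]
[-HKEY_BOGUS\Thing]
"""

# Constructed sample: two O4 lines and one O24 line from the thread.
SAMPLE_O4 = [
    r"O4 - HKLM\..\Run: [Workflow] D:\Workflow.exe",
    r"O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe",
    "O24 - Desktop Component 0: My Current Home Page - About:Home",
]


def canonical_key(key):
    """Return (hive, lower-cased path). HKCR is a merged view of
    HKLM\\Software\\Classes and HKCU\\Software\\Classes, so both spellings
    are folded into the HKCR form; that is what makes the duplicated
    CLSID entries in the thread's script visible."""
    parts = key.strip().split("\\")
    hive = HIVES.get(parts[0].upper())
    if hive is None:
        raise ValueError(f"unknown hive: {parts[0]}")
    path = [p.lower() for p in parts[1:]]
    if hive in ("HKLM", "HKCU") and path[:2] == ["software", "classes"]:
        hive, path = "HKCR", path[2:]
    return hive, "\\".join(path)


def parse_reg_deletions(text):
    """Return (unique deletions in file order, problems). Each problem is
    (line number, reason, line text)."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("expected a REGEDIT4 header on line 1")
    deletions, problems = OrderedDict(), []
    for num, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m is None:
            problems.append((num, "not a section header", line))
            continue
        if not m.group("delete"):
            problems.append((num, "section would write, not delete", line))
            continue
        try:
            canon = canonical_key(m.group("key"))
        except ValueError as exc:
            problems.append((num, str(exc), line))
            continue
        deletions.setdefault(canon, num)  # first occurrence wins
    return list(deletions), problems


def parse_hjt_o4(line):
    """Expand a HijackThis O4 line into (full Run key, value name, command),
    or None if the line is not an O4 entry."""
    m = O4_RE.match(line.strip())
    if m is None:
        return None
    key = f"{m['hive']}\\Software\\Microsoft\\Windows\\CurrentVersion\\{m['subkey']}"
    return key, m["name"], m["cmd"]


if __name__ == "__main__":
    dels, probs = parse_reg_deletions(SAMPLE_REG)
    for hive, path in dels:
        print("DELETE", hive + "\\" + path)
    for num, why, text in probs:
        print(f"line {num}: {why}: {text}")
    for entry in SAMPLE_O4:
        print(parse_hjt_o4(entry))
```

Running it on the sample lists three unique deletions (the two spellings of the AF8B3C81 CLSID collapse into one), reports the write section and the unknown hive with their line numbers, and shows that the O4 `[Workflow]` entry lives under `HKLM\Software\Microsoft\Windows\CurrentVersion\Run` while the O24 line is not an autorun entry at all.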

#18 richt (Member, Topic Starter, 18 posts)
There seems to be an error on their website. When it goes to update, just before the scan, it gives this error:

Sorry, updating is incomplete due to an error. Please try again

I have tried for the last 2 days and refreshed, but still get the same message.
  • 0

#19 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
What website? Panda's?

Did you run the fixes listed in my last reply? Any improvement at all? :)
  • 0

#20 richt (Member, Topic Starter, 18 posts)
Yeah, the Panda site isn't working correctly.

I restarted the computer. The desktop pic and taskbar come up straight away, but it still takes about 3 mins to load the desktop pics and the 5 icons next to the clock.

Forgot to add in the last post that I don't know what D:\workflow.exe is.
  • 0

#21 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Is the D: drive your cd drive?

See if this entry is still in HijackThis (if so, fix it):

O24 - Desktop Component 0: My Current Home Page - About:Home

Other than that, I'm not sure if it's just a Windows related issue. Was this a problem that was building up before?
  • 0

#22 richt (Member, Topic Starter, 18 posts)
Yes, that's correct, D is my CD drive.

I did remove that once but will look again. It's been OK, but since I got the virus, that's when it's gone bad.
  • 0

#23 richt (Member, Topic Starter, 18 posts)
I think I have found the problem with the computer running slow and on low disk space. Since the virus it has created a folder called "richard.RICHARD" in C:/Documents and settings; the only folder that I should have is "Richard", and this has duplicated Windows, and I think Windows is reading both folders at the same time. I tried deleting richard.RICHARD but it says Windows needs to use this folder to operate properly, so I am transferring documents from "Richard" to "richard.RICHARD". Will this be OK then?
  • 0

#24 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Hold off on that.... I usually see this when an account is part of a domain.

I suggest asking in the Windows board and seeing what they say over there before you do anything else. Tell them you cleared the virus/malware issue and just want to see if removing that folder will help with the speed and low disk space issue.
  • 0

#25 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
