Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Spyware [CLOSED]


  • This topic is locked This topic is locked

#16
richt

richt

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Did you want the hijack this log aswell?

Edited by richt, 22 April 2008 - 03:54 AM.

  • 0

Advertisements


#17
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Do you know what this file is for? -> D:\Workflow.exe

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

REGEDIT4
[-HKEY_LOCAL_MACHINE\software\classes\CLSID\{AF8B3C81-CD19-45FB-B6BE-160D27711DE8}]
[-hkey_classes_root\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}]
[-hkey_local_machine\system\currentcontrolset\control\print\monitors\zepmon]
[-hkey_local_machine\system\controlset001\control\print\monitors\zepmon]
[-hkey_classes_root\clsid\{08a60acf-5b9e-489a-bed5-8dddaa7211d6}]
[-hkey_classes_root\clsid\{3d20508e-59b9-4602-9cf9-49387e9d9beb}]
[-hkey_classes_root\clsid\{471a13e6-8188-47f9-b35e-277de04ff2e2}]
[-hkey_classes_root\clsid\{5e022a40-7cc4-4eba-a143-8d5c3b8838db}]
[-hkey_classes_root\clsid\{ad2069f5-4ecd-48e0-a478-2d0e34d6dc32}]
[-HKEY_LOCAL_MACHINE\software\classes\CLSID\{08A60ACF-5B9E-489A-BED5-8DDDAA7211D6}]
[-hkey_classes_root\clsid\{d7f152aa-2fe1-4cfa-9838-6782bf85c929}]
[-hkey_classes_root\clsid\{d8cb10e7-601a-4176-b6b5-cefa244d4dea}]
[-hkey_classes_root\bayesobj.bayesianobject]
[-HKEY_CLASSES_ROOT\TypeLib\{0AC17D72-80F3-4F79-BFCC-9A779BA70334}]
[-HKEY_CLASSES_ROOT\TypeLib\{AEF5EB3E-0739-4A12-83F3-77249D80F63F}]
[-hkey_classes_root\bayesobj.whitelistobject]
[-hkey_classes_root\cconfirmationobject.cconfirmationob]
[-hkey_classes_root\cconfirmationobject.cconfirmationob.1.0]
[-hkey_classes_root\cemailprompt.cemailprompt]
[-hkey_classes_root\cemailprompt.cemailprompt.1.0]
[-HKEY_LOCAL_MACHINE\software\classes\CLSID\{3D20508E-59B9-4602-9CF9-49387E9D9BEB}]
[-HKEY_LOCAL_MACHINE\software\classes\CLSID\{471A13E6-8188-47F9-B35E-277DE04FF2E2}]
[-hkey_classes_root\noah.cdownloadprogresscontroller]
[-hkey_classes_root\noah.cdownloadprogresscontroller.1]
[-hkey_classes_root\noah.registrationobj]
[-hkey_classes_root\noah.registrationobj.1]
[-hkey_classes_root\bayesobj.mailitem]
[-hkey_classes_root\bayesobj.bayesianobject.1]
[-HKEY_LOCAL_MACHINE\software\classes\CLSID\{5E022A40-7CC4-4EBA-A143-8D5C3B8838DB}]
[-HKEY_LOCAL_MACHINE\software\classes\CLSID\{AD2069F5-4ECD-48E0-A478-2D0E34D6DC32}]
[-HKEY_LOCAL_MACHINE\software\classes\CLSID\{D8CB10E7-601A-4176-B6B5-CEFA244D4DEA}]
[-HKEY_LOCAL_MACHINE\software\classes\CLSID\{D7F152AA-2FE1-4cfa-9838-6782BF85C929}]
[-HKEY_LOCAL_MACHINE\software\classes\CLSID\{B5DD9A64-5C4B-4A48-BE56-97C1A8F85708}]
[-hkey_classes_root\fastvideoplayer.fastvideoplayerctrl.1]
[-hkey_classes_root\fastvideoplayer.fastvideoplayerctrl]
[-hkey_classes_root\clsid\{b5dd9a64-5c4b-4a48-be56-97c1a8f85708}]
[-hkey_local_machine\software\asdplugin]
[-HKEY_CLASSES_ROOT\TypeLib\{03f8822f-8877-4002-8bcd-b532d53d8471}]


Save the file as "delete.reg". Make sure to save it with the quotes. Close Notepad. Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.


Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O4 - HKLM\..\Run: [Workflow] D:\Workflow.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O24 - Desktop Component 0: My Current Home Page - About:Home


Go to Start->Run and type in regsvr32 /u occache.dll and hit OK.

Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\WINDOWS\system32\libcurl.dll
c:\windows\system32\ide21201.vxd
c:\windows\inf\fastvideoplayer.inf
c:\program files\common files\oem common


Go to Start->Run and type in regsvr32 occache.dll and hit OK.

Restart and run a new Panda scan. Post the log here along with a new HijackThis log.

Try running DSS again and see if you can get that second log now.

Any improvement?

Edited by greyknight17, 22 April 2008 - 06:50 PM.

  • 0

#18
richt

richt

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
There seems to be an error on there web site when it goes to update just before the scan it give this error

Sorry, updating is incomplete due to an error. Please try again

i have tried the last 2 days and refreshed but still get the same message
  • 0

#19
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
What website? Panda's?

Did you run the fixes listed in my last reply? Any improvement at all? :)
  • 0

#20
richt

richt

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
yeah the panda site isnt workin correctly.

I restarted computer the desktop pic and task bar come up straight away but still takes about 3 mins to loads the desktop pics and the5 icons next to the clock

forgot to add in the last post that i dont know what D:\workflow.exe is
  • 0

#21
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Is the D: drive your cd drive?

See if this entry is still in HijackThis (if so, fix it):

O24 - Desktop Component 0: My Current Home Page - About:Home

Other than that, I'm not sure if it's just a Windows related issue. Was this a problem that was building up before?
  • 0

#22
richt

richt

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
yes thats correct D is my cd drive

I did remove that once but will look again, its been ok but since i got the virus thats when its gone bad.
  • 0

#23
richt

richt

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
I think i have found the problem with the computer runnning slow and on low disk space, since the virus it has created a folder called "richard.RICHARD" in C:/Documents and settings, the only folder that i should have is "Richard" and this has dupilicated windows and i think windows is reading both folders at the same time, i tried deleting richard.RICHARD but it says windows needs to use this folder to operate properly so i am transferring documents from "Richard" to "richard.RICHARD" will this be ok then?
  • 0

#24
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Hold off on that....I usually see this when an account is part of a domain.

I suggest asking in the Windows board and see what they say over there before you do anything else. Tell them you cleared the virus/malware issue and just want to see if removing that folder will help with the speed and low disk space issue.
  • 0

#25
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0

Advertisements







Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP