March 22, 2008

How to remove Spyware.OsMonitor?

Spyware.OsMonitor removal procedure


1. Follow the standard procedure for virus removal.

2. Delete these values and subkeys added to the registry:


HKEY_CURRENT_USER\Software\newskydev

HKEY_CURRENT_USER\Software\newskydev\workwin2

HKEY_CURRENT_USER\Software\newskydev\workwin2\Main

HKEY_CURRENT_USER\Software\VB and VBA Program Settings

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\workwin

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\workwin\shell

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E2FCC55-D7C9-4766-1F80-F5E164610974}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E2FCC55-D7C9-4766-1F80-F5E164610974}\LocalServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E2FCC55-D7C9-4766-1F80-F5E164610974}\ProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E2FCC55-D7C9-4766-1F80-F5E164610974}\TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E2FCC55-D7C9-4766-1F80-F5E164610974}\VersionIndependentProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4A7CE1FD-3BEA-EC3B-3196-F7EB112EA791}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4A7CE1FD-3BEA-EC3B-3196-F7EB112EA791}\1.0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4A7CE1FD-3BEA-EC3B-3196-F7EB112EA791}\1.0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4A7CE1FD-3BEA-EC3B-3196-F7EB112EA791}\1.0\0\win32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4A7CE1FD-3BEA-EC3B-3196-F7EB112EA791}\1.0\FLAGS

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4A7CE1FD-3BEA-EC3B-3196-F7EB112EA791}\1.0\HELPDIR

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OsMonitor Server_is1

HKEY_CURRENT_USER\Software\ASProtect

HKEY_CURRENT_USER\Software\ASProtect\SpecData

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\DiskWin

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\DiskWin\server

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\msgetinfo37

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\msgetinfo37\Run816

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\MSInternetinfo1

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\MSInternetinfo1\run816

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\njwangya

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\njwangya\m


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"MsWWinLm" = "43 00 3A 00 5C 00 50 00 72 00 6F 00 67 00 72 00 61 00 6D 00 20 00 46 00 69 00 6C 00 65 00 73 00 5C 00 77 00 72 00 6B 00 77 00 6E 00 38 00 30 00 5C 00 4F 00 73 00 4D 00 6F 00 6E 00 69 00 74 00 6F 00 72 00 4C 00 6D 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 07 00 00 00 07 00 00 00 AC 00 01 00 0F 00 00 00 00 00 00 00 00 00 00 00 72 00 6F 00 67 00 72 00 61 00 6D 00 20 00 46 00 69 00 6C 00 65 00 73 00 5C 00 77 00 72 00 6B 00 77 00 6E 00 38 00 30 00 5C 00 4F 00 73 00 4D 00 6F 00 6E 00 69 00 74 00 6F 00"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"MsWWinLm" = "43 00 3A 00 5C 00 50 00 72 00 6F 00 67 00 72 00 61 00 6D 00 20 00 46 00 69 00 6C 00 65 00 73 00 5C 00 77 00 72 00 6B 00 77 00 6E 00 38 00 30 00 5C 00 4F 00 73 00 4D 00 6F 00 6E 00 69 00 74 00 6F 00 72 00 4C 00 6D 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 07 00 00 00 07 00 00 00 AC 00 01 00 0F 00 00 00 00 00 00 00 00 00 00 00 72 00 6F 00 67 00 72 00 61 00 6D 00 20 00 46 00 69 00 6C 00 65 00 73 00 5C 00 77 00 72 00 6B 00 77 00 6E 00 38 00 30 00 5C 00 4F 00 73 00 4D 00 6F 00 6E 00 69 00"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"workwinserver" = "43 00 3A 00 5C 00 50 00 72 00 6F 00 67 00 72 00 61 00 6D 00 20 00 46 00 69 00 6C 00 65 00 73 00 5C 00 4F 00 73 00 4D 00 6F 00 6E 00 69 00 74 00 6F 00 72 00 20 00 53 00 65 00 72 00 76 00 65 00 72 00 5C 00 4F 00 73 00 4D 00 6F 00 6E 00 69 00 74 00 6F 00 72 00 53 00 65 00 72 00 76 00 65 00 72 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 A7 00 02 00 09 00 00 00 48 00 01 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"



Restore these values, if required:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr
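
The Run values in step 2 are listed as hex bytes, so the program they launch is not readable at a glance. The Python below is an added example, not part of the original post: it parses an entry in that key\"name" = "hex" notation and decodes the data, assuming it is a NUL-terminated UTF-16LE string, so the referenced executable can be located and the bytes after the terminator are reported separately. The function names and the sample entry are constructed for illustration.

```python
import re

# The page's notation: <registry key>\"<value name>" = "<hex bytes>"
ENTRY_RE = re.compile(
    r'^(?P<key>.+)\\"(?P<name>[^"]+)"\s*=\s*"(?P<hex>[0-9A-Fa-f ]+)"$'
)


def parse_run_entry(line):
    """Split one entry into key, value name, decoded command and residue info."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        raise ValueError("entry is not in the expected notation")
    raw = bytes.fromhex(m.group("hex"))      # spaces between bytes are ignored
    raw = raw[: len(raw) - len(raw) % 2]     # keep whole 16-bit code units only
    end = len(raw)
    for i in range(0, len(raw), 2):          # first aligned NUL ends the string
        if raw[i:i + 2] == b"\x00\x00":
            end = i
            break
    tail = raw[end + 2:]                     # whatever follows the terminator
    return {
        "key": m.group("key"),
        "name": m.group("name"),
        # Assumption: the data is UTF-16LE text (every other byte is 00).
        "command": raw[:end].decode("utf-16-le", errors="replace"),
        "trailing_bytes": len(tail),
        # Non-zero bytes here are leftover data, not part of the command.
        "trailing_nonzero": sum(1 for b in tail if b),
    }


def constructed_sample():
    """Build a made-up entry (not taken from the page) in the same notation."""
    path = r"C:\Example Dir\agent.exe"
    data = (path.encode("utf-16-le") + b"\x00\x00"
            + bytes([7, 0, 0, 0]) + "xample".encode("utf-16-le"))
    hex_text = " ".join(f"{b:02X}" for b in data)
    return (r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
            + '\\"ExampleValue" = "' + hex_text + '"')


if __name__ == "__main__":
    for field, value in parse_run_entry(constructed_sample()).items():
        print(f"{field}: {value}")
```

Only the text before the first NUL is the command; a non-zero trailing count means the value carries extra bytes that are not part of the string.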
