Answers
Oct 02, 2007 - 07:39 AM
As well it shouldn't. The Divo/3wplayer codec isn't a codec at all, it's malware.
The program that worked for me was something from wildman productions. it was a little app downloaded from http://wildman-productions.org/ (I have nothing to do with the site, nor am I trying to endorse it) Note that the file downloaded that displayed the divo codec is NEVER the intended file.
Anyway, I'm not sure if it was the binary or the installer (nothing to install really, it's just an exe file) but the links were swapped last time, anyway, one of the two links contains a rar file which has a very simple executable that decompresses 3w files into their playable counterparts.
Since the divo codec isn't a codec at all, you want to remove it just as any other app. since it is a piece of $#%! malware ridden application, our friends at symantec have documented it's removal
http://www.symantec.com/en/uk/norton/...
hope this helps
The program that worked for me was something from wildman productions. it was a little app downloaded from http://wildman-productions.org/ (I have nothing to do with the site, nor am I trying to endorse it) Note that the file downloaded that displayed the divo codec is NEVER the intended file.
Anyway, I'm not sure if it was the binary or the installer (nothing to install really, it's just an exe file) but the links were swapped last time, anyway, one of the two links contains a rar file which has a very simple executable that decompresses 3w files into their playable counterparts.
Since the divo codec isn't a codec at all, you want to remove it just as any other app. since it is a piece of $#%! malware ridden application, our friends at symantec have documented it's removal
http://www.symantec.com/en/uk/norton/...
hope this helps
Nov 20, 2007 - 11:38 AM
I have tried to install the divo codec, but during the process my anti-virus alerted me to the fact that this was malware. Then with the antivirus I erased the all the installed files. But I'm not sure if I'm still infected since I've noticed there have changed in a shell file. How can i fix this?
Nov 20, 2007 - 05:23 PM
3w player does the following:
C:\Documents and Settings\All Users\Start Menu\Programs\3wPlayer\Uninstall 3wPlayer.lnk
%ProgramFiles%\3wPlayer\settings.ini
%ProgramFiles%\3wPlayer\settings.stp
%ProgramFiles%\3wPlayer\SkinCrafterDll.dll
%ProgramFiles%\3wPlayer\skins\Stylish.skf
%ProgramFiles%\3wPlayer\test.gif
%ProgramFiles%\3wPlayer\unins000.dat
%ProgramFiles%\3wPlayer\unins000.exe
C:\Documents and Settings\All Users\Start Menu\Programs\3wPlayer\3wPlayer.lnk
%ProgramFiles%\3wPlayer\3wPlayer.exe
%ProgramFiles%\3wPlayer\minime.exe
Next, the program creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\3wPlayer
_is1
HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Sta
rt Menu\Programs\3wPlayer
HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Sta
rt Menu2\Programs\3wPlayer
these files in turn install adware.lop which does the following:
C:\Documents and Settings\All Users\Start Menu\Programs\3wPlayer\Uninstall 3wPlayer.lnk
%ProgramFiles%\3wPlayer\settings.ini
%ProgramFiles%\3wPlayer\settings.stp
%ProgramFiles%\3wPlayer\SkinCrafterDll.dll
%ProgramFiles%\3wPlayer\skins\Stylish.skf
%ProgramFiles%\3wPlayer\test.gif
%ProgramFiles%\3wPlayer\unins000.dat
%ProgramFiles%\3wPlayer\unins000.exe
C:\Documents and Settings\All Users\Start Menu\Programs\3wPlayer\3wPlayer.lnk
%ProgramFiles%\3wPlayer\3wPlayer.exe
%ProgramFiles%\3wPlayer\minime.exe
Next, the program creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\3wPlayer
_is1
HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Sta
rt Menu\Programs\3wPlayer
HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Sta
rt Menu2\Programs\3wPlayer
these files in turn install adware.lop which does the following:
Nov 20, 2007 - 05:25 PM
May create the file %UserProfile%\Application Data\[RANDOM CHARACTERS].dll.
May create multiple copies of the following file:
%ProgramFiles%\[RANDOM FOLDER NAME]\[RANDOM FILE NAME]
Note:
[RANDOM FOLDER NAME] and [RANDOM FILE NAME] are composed of random English words, such as the following:
team pure
bolt date book
OozeBind
Hold way amok
KEEP AXIS
Adds the .dll file as a Browser Helper Object in the registry.
May create multiple copies of the following files:
%Windir%\[RANDOM FILE NAME].htm
%Windir%\[RANDOM FILE NAME].gif
May create the following files:
%Temp%\Delete.me\Xpp.idx
%Temp%\Delete.me\Tbt.idx
Adds a toolbar and search button to Internet Explorer.
Adds one of the values:
"(Default)" = "%ProgramFiles%\[RANDOM FOLDER NAME]\[RANDOM FILE NAME]"
"(Default)" = "%UserProfile%\Application Data\[RANDOM CHARACTERS].dll"
to one of the following registry subkeys:
HKEY_CLASSES_ROOT\CLSID\[RANDOM CLSID]\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\[RANDOM CLSID]\InprocServer32
May create multiple copies of the following file:
%ProgramFiles%\[RANDOM FOLDER NAME]\[RANDOM FILE NAME]
Note:
[RANDOM FOLDER NAME] and [RANDOM FILE NAME] are composed of random English words, such as the following:
team pure
bolt date book
OozeBind
Hold way amok
KEEP AXIS
Adds the .dll file as a Browser Helper Object in the registry.
May create multiple copies of the following files:
%Windir%\[RANDOM FILE NAME].htm
%Windir%\[RANDOM FILE NAME].gif
May create the following files:
%Temp%\Delete.me\Xpp.idx
%Temp%\Delete.me\Tbt.idx
Adds a toolbar and search button to Internet Explorer.
Adds one of the values:
"(Default)" = "%ProgramFiles%\[RANDOM FOLDER NAME]\[RANDOM FILE NAME]"
"(Default)" = "%UserProfile%\Application Data\[RANDOM CHARACTERS].dll"
to one of the following registry subkeys:
HKEY_CLASSES_ROOT\CLSID\[RANDOM CLSID]\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\[RANDOM CLSID]\InprocServer32
Nov 20, 2007 - 05:34 PM
lastly, you need to check your registry under
hklm->software->microsoft->winnt->winlogon->notify
for random generated dll file subkeys. do not delete anything unless you really know what you're doing. just note the dll files listed.
once you've identified the dll files that shouldn't be there, boot your computer into the recovery console (safe mode won't work) mode using your windows XP disk and rename the previously mentionded dll files. restart the computer normally. if everything is working then go ahead and delete the problem registry keys, if they come back, you're still infected. You'll know if everything is working almost immediately because if you've renamed a file you shouldn't have, you won't be able to boot properly.
hklm->software->microsoft->winnt->winlogon->notify
for random generated dll file subkeys. do not delete anything unless you really know what you're doing. just note the dll files listed.
once you've identified the dll files that shouldn't be there, boot your computer into the recovery console (safe mode won't work) mode using your windows XP disk and rename the previously mentionded dll files. restart the computer normally. if everything is working then go ahead and delete the problem registry keys, if they come back, you're still infected. You'll know if everything is working almost immediately because if you've renamed a file you shouldn't have, you won't be able to boot properly.
Mar 04, 2009 - 05:58 AM
The question looks to be abandoned by the user who asked it. If no action is taken within 2 days, a Quomon Moderator will consider closing the question and distributing the points.
The Quomon Team
The Quomon Team
Dec 25, 2010 - 04:08 AM
Hey, are you bothered with the slow internet connection, here is an easy to solve your problem, to install a PC protector or cleaning, according to my personal experience, Tuneup360 is good choice, and your computer takes only 30 sec to start up if you have it!!!
Add New Comment