Solved

DLL Initialization failed because windows is shutting down.  also say something about the failure is due to a viughl.exe

Posted on 2006-04-16
Medium Priority
5,072 Views
Last Modified: 2007-12-19
DLL Initialization failed because Windows is shutting down. It also says something about the failure being due to a viughl.exe. This is real urgent: someone in MSN Zone (gaming zone) got angry and said they were going to do something via my IP address. Nonetheless, my computer is acting mad crazy and won't allow me to use the restore points, saying: "DLL failed to initialize because Windows is shutting down." Then another window pops up and says something about failed to initialize due to viughl.exe. HELP, I HAVE TO USE MY COMPUTER TO COMPLETE A WORK PROJECT!
Question by:reyeuro
14 Comments
 

Author Comment

by:reyeuro
ID: 16466829
Sorry, correction: it is viugh.exe
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 16466934
What virus software have you used to check this PC? If possible, remove the HD, place it in another computer, back up all the data you need, and scan the HD with an up-to-date virus scanner.
http://www.mcse.ms/archive55-2004-7-914511.html (not exactly your error message)

Hopefully you had/have your Firewall turned on: http://www.sarc.com/avcenter/venc/data/w32.looked.html and or did not accept a Dl from someone you didn't know...
http://vil.nai.com/vil/content/v_130551.htm

To see if you have open shares, visit GRC.com and run the ShieldsUP tests... http://www.grc.com/x/ne.dll?rh1dkyd2
If they ever ask for your IP, give them 127.0.0.1 as your IP, or actually 127.0.0.xxx (anything you want can be in xxx, well, 1-254 anyway).

Also, in the future it's best to observe best practices, especially when dealing with IE: http://xinn.org/win_bestpractices.html
-rich
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16466996
Can we look at your HijackThis log?

Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open HijackThis and click "scan and save a logfile". Don't fix anything yet; just upload the logfile created. Go here and paste your HijackThis log, http://www.rafb.net/paste/
then at the bottom left corner click "paste".
Copy the address/url and post it here:

Or copy and paste the log at;
http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Post the link to the saved list here.

Author Comment

by:reyeuro
ID: 16467034
I can't get online in order to obtain the HijackThis log or to run the program; my browser times out. I am using another computer to post these.

Norton is my anti-virus and it can't cure, quarantine or otherwise rid me of the following identified as infected files:

WinATS.dll
elitemediapop.exe
dwdsregt.exe
WinNB57.dll
WinDmy.dll
WinATS[1].cab
WinATS.dll

gdckqcy.exe virus was found and deleted


 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 16467132
Turn off your System Restore first, then boot your system in safe mode and run a Norton scan there to clean the system.
If it cannot delete the files in safe mode either, then manually search for the files and delete them yourself one by one!

With it, don't forget to clean the system using an anti-malware program also, like Ewido.
How to clean your system from Malware & Viruses
http://www.alaynah.net/shehar/clean_system.htm
 

Author Comment

by:reyeuro
ID: 16467151
Logfile of HijackThis v1.99.1
Scan saved at 10:07:22 PM, on 4/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\sdpasvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Print Server\PTP\PSDiagnostic.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\elitemediapop.exe
C:\windows\system32\dwdsregt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HijackThis 1.99.1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/?page=1&refresh=4
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dial
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydial/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydial/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydial/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydial/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\viuhg.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,gdckqcy.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nshF30.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] "C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe"
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PrintServer Diagnostic] C:\Program Files\Print Server\PTP\PSDiagnostic.exe
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [elitemedia] C:\WINDOWS\elitemediapop.exe
O4 - HKLM\..\Run: [{D7-71-1A-AC-ZN}] C:\windows\system32\dwdsregt.exe FI002
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\ZIFI002.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen10.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.tbcode.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://zone.msn.com/bingame/zpagames/zpa_dmno.cab42341.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab43895.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab42858.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/gold/default/gf.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.streamload.com/Upload/XUpload.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

 

Author Comment

by:reyeuro
ID: 16467161
http://www.rafb.net/paste/results/qSXsiN69.html

Sorry here is the url requested by rpggamergirl
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 2000 total points
ID: 16467574
reyeuro,
You have a narrator/qoologic infection there.

Uninstall "Zeno Browser enhancer" if listed in Add/Remove programs list.

Fix these entries in HijackThis; some of them will come back till the qoologic infection is gone.
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\viuhg.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,gdckqcy.exe
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nshF30.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll
O4 - HKLM\..\Run: [elitemedia] C:\WINDOWS\elitemediapop.exe
O4 - HKLM\..\Run: [{D7-71-1A-AC-ZN}] C:\windows\system32\dwdsregt.exe FI002
O4 - Startup: Z_Start.lnk = C:\WINDOWS\ZIFI002.exe
O9 - Extra button: Party Poker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: Party Poker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O15 - Trusted Zone: *.elitemediagroup.net  
O15 - Trusted Zone: http://click.getmirar.com (HKLM)  
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)  
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)  
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen10.exe
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.tbcode.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab 
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab

Delete these files:
c:\windows\system32\dwdsregt.exe
C:\WINDOWS\system32\WinNB57.dll
C:\WINDOWS\elitemediapop.exe
C:\WINDOWS\ZIFI002.exe

Download Brute Force Uninstaller to your C:\
http://www.merijn.org/files/bfu.zip
Unzip it to a folder of its own, (C:\BFU). So BFU should be on your root directory.

Also, download qoofix.bat
http://downloads.subratam.org/Lon/qooFix.bat
Place qoofix.bat in your C:\BFU - folder. (Important!)
Double-click "qooFix.bat", then close all browsers and Explorer folders.
Choose option 1 (Qoolfix autofix) and follow the prompts.
Please be patient, it will take about five minutes.

After the PC has restarted please post another link to your new hijackthis log


You may also download and install the free version of Ewido anti-malware.
http://www.ewido.net/en/download/
Update first then scan in safe mode.

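The entries rpggamergirl singles out above are the classic shape of this kind of infection: extra executables appended to the Winlogon Shell and UserInit values (the two F2 lines), Run-key entries with random-looking names or with targets dropped straight into C:\WINDOWS, Trusted Zone additions for ad networks, and ActiveX controls (O16) fetched from those same domains. The script below is an added example, not part of the original thread and not code from HijackThis; it re-reads a few lines copied from the log posted above and applies those checks mechanically. The allowlist of ActiveX hosts and the "GUID lookalike" heuristic are assumptions of this example, there to surface candidates for a human to review, not to pronounce verdicts.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: lines copied from the HijackThis 1.99.1 log posted
# earlier in this thread (two known-good O4 lines kept as negative cases).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\viuhg.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,gdckqcy.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [elitemedia] C:\WINDOWS\elitemediapop.exe
O4 - HKLM\..\Run: [{D7-71-1A-AC-ZN}] C:\windows\system32\dwdsregt.exe FI002
O4 - Startup: Z_Start.lnk = C:\WINDOWS\ZIFI002.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab
"""

# A clean Windows XP Winlogon holds exactly one entry in each of these values.
WINLOGON_EXPECTED = {"shell": "explorer.exe", "userinit": "userinit.exe"}

# Hosts whose ActiveX controls (O16) the analyst accepts; anything else is
# reported. This allowlist is an assumption of the example, not from the thread.
DPF_ALLOWED_HOSTS = {"go.microsoft.com", "zone.msn.com", "www.symantec.com",
                     "security.symantec.com", "www-secure.symantec.com"}

GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$")
RUN_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[([^\]]*)\] (.*)$")
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: .*? = (.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (.*?)(?: \((?:HKLM|HKCU)\))?$")
O16_RE = re.compile(r"^O16 - DPF: \{[^}]+\}(?: \([^)]*\))? - (\S+)$")


def basename(path):
    """Final path component, lower-cased, surrounding quotes removed."""
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def first_exe(cmd):
    """Executable path at the start of a Run-key command line (quoted or not)."""
    m = re.match(r'^"?(.*?\.exe)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.strip()


def check_winlogon(line):
    """F2: any entry beyond explorer.exe / userinit.exe is a Winlogon hijack."""
    m = F2_RE.match(line)
    if not m:
        return []
    expected = WINLOGON_EXPECTED[m.group(1).lower()]
    entries = [basename(e) for e in m.group(2).split(",") if e.strip()]
    return [e for e in entries if e != expected]


def check_run(line):
    """O4 heuristics: a value name that imitates a GUID but is not one, or a
    target sitting directly in the Windows directory (real software installs
    under Program Files or system32). Returns reasons to look, not verdicts."""
    reasons, m = [], RUN_RE.match(line)
    if m:
        name, cmd = m.groups()
        if name.startswith("{") and not GUID_RE.match(name):
            reasons.append("value name mimics a GUID: " + name)
    else:
        m = STARTUP_RE.match(line)
        if not m:
            return []
        cmd = m.group(1)
    exe = first_exe(cmd)
    if re.match(r"^[a-z]:\\windows\\[^\\]+\.exe$", exe.lower()):
        reasons.append("executable sits directly in the Windows directory: " + exe)
    return reasons


def check_trusted_zone(line):
    """O15: every Trusted Zone addition relaxes IE's controls for that site."""
    m = O15_RE.match(line)
    return [m.group(1)] if m else []


def check_dpf(line):
    """O16: report ActiveX controls downloaded from hosts outside the allowlist."""
    m = O16_RE.match(line)
    if not m:
        return []
    host = urlsplit(m.group(1)).hostname or ""
    return [] if host in DPF_ALLOWED_HOSTS else [host]


def triage(log_text):
    """Return (category, detail, line) for every flagged entry in the log."""
    checks = (("winlogon hijack", check_winlogon), ("run key", check_run),
              ("trusted zone", check_trusted_zone), ("activex control", check_dpf))
    findings = []
    for line in log_text.splitlines():
        for category, check in checks:
            for detail in check(line.strip()):
                findings.append((category, detail, line.strip()))
    return findings


if __name__ == "__main__":
    for category, detail, line in triage(SAMPLE_LOG):
        print(f"[{category}] {detail}\n    {line}")
```

Run against the sample, the two F2 checks are deterministic (anything other than explorer.exe and userinit.exe in those values is wrong on XP), the O15 and O16 checks turn the elitemediagroup, mirar, net-nucleus and zangocash entries into a review list, and the O4 heuristics pick out elitemediapop.exe, dwdsregt.exe and ZIFI002.exe while leaving ccApp.exe and LVCOMSX.EXE alone. On a live machine the same Shell and UserInit values live under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, which is where the "DLL initialization failed" symptom in the question comes from: Winlogon is told to start a second shell that is not there or is broken.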
 

Author Comment

by:reyeuro
ID: 16474549
Well we were given other alternatives, but this was the one individual who solved the whole enchilada for us...start to finish followed these guidelines and am virus free....Thanks rpggamergirl
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16474735
reyeuro,

Thank you very much!

Now is your chance to flush your restore points, just in case System Restore happened to back up the viruses that you had.

Viruses in System Restore are inactive; they will only become active if you ever use a particular restore point where a virus was backed up by the System Restore process.
The way to clean any viruses out of System Restore is to turn System Restore off.

Right-click My Computer > Properties > System Restore
put a check next to "Turn off System Restore on all drives"
Reboot.
After you've done that, turn back on System Restore by removing the checkmark next to "Turn off System Restore on all Drives" box.
Then immediately create a new restore point.

Now you'll have a clean system restore point ready.

Thanks and happy computing! :)
 

Author Comment

by:reyeuro
ID: 16474984
Here is the updated file links you asked for, and I couldn't find some things I listed below:

Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open Hijackthis, click "scan and save a logfile" don't fix anything yet, just upload the logfile created, go here and paste your Hijackthis log, http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here: http://www.rafb.net/paste/results/ONRHzT47.html

Or copy and paste the log at;
http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Post the link to the saved list here. http://www.hijackthis.de/logfiles/fb5ea2cf3436fcd6bce6cb6c7e51fe6e.html

I could not find the file to delete: C:\WINDOWS\system32\WinNB57.dll

Could not find “Zero Browser enhancer” in Add/Remove program list

 
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16475316
Qoologic is gone from your Hijackthis log.

>>I could not find the file to delete: C:\WINDOWS\system32\WinNB57.dll<<
Don't worry hijackthis took care of it.
I auto-pasted it because it was an O3 line (not realizing it's the same file as the O2 line). HijackThis takes care of the O2 registry entry and the file.

>>Could not find “Zero Browser enhancer” in Add/Remove program list<<
Was there an entry called "Zeno" ?

In your first HJT log, you had an Adware.Zenosearch which is this entry below, that's why I asked to check for its related entry in Add/Remove. Don't worry if it didn't put an entry there.
O4 - HKLM\..\Run: [{D7-71-1A-AC-ZN}] C:\windows\system32\dwdsregt.exe FI002


All those ActiveX objects in your O16 HJT lines are okay to fix if you like, especially if you don't intend to visit those URLs anymore or only rarely visit them.
They will be downloaded again as needed, or whenever you visit those sites.
Actually, it is better to fix O16 entries if you have too many, because they all load when IE opens.
 

Author Comment

by:reyeuro
ID: 16484853
Thanks RPG, I finished everything you suggested and my laptop is humming smoothly once again. Could that virus have been intentionally sent to me? Someone threatened to send me something through my IP address; is that possible? It was someone who plays Spades with a bunch of people in MSN Zone. I am just curious to know if he actually could have sent this to me, or if it is something normally picked up while surfing the web.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16484970
reyeuro,

Those nasties you had could've been easily picked up surfing sites like crack sites, casino sites, or porno sites, or you could've accidentally clicked a link while chatting on MSN or any messenger.
Or maybe someone did send it. Well, it's gone now, and it wasn't like a rootkit. Qoologic is low risk, so your computer wasn't compromised.
Just be careful and tighten your security; if you use IE a lot, then it's a good idea to have SpywareBlaster installed. It's free and doesn't need any resources to protect you from ActiveX-based malware.
Those bad O16 entries that you have in your HijackThis log are the ones SpywareBlaster can protect you against.

Check out Tony Klein's article "How Did I Get Infected in the First Place?"
http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I

If you ever get infected again, just come right back here at EE, we'll be here to help :)