Hey guys, little help here please.
I had a CWS infection. After shredding using Version 1.52.1 my computer has lost the image.dll file.
Also I cannot get to the CWS sites for the dll files or any Shredder updates. Microsoft windows player seems to be broken as well, and the microsoft mediaplayer site is also offline (like the CWS site) ... which leads me to believe these sites are blocked.
Help !

forgot to add in a direct question.
=/
What do i need to do to fix this?
How can I get the image.dll file fixed, and how do I kill the thing that is keeping me from the shredder and microsoft DL sites?
Thanks

Did you delete (fix) the file listed as...
C:\WINDOWS\DIRECTCC.exe ?
As I read things... This file should only be deleted if it's a random jumble of letters.
Since DIRECTCC.exe is not, you should have selected NO to the fix. Could you have deleted this in error?
These sites were under attack which denies access for updates and the like. Also there is a bug that kills Anti-Spyware programs. I think I read about it on www.majorgeeks.com

Sorry, it is XP.
I guess I could have deleted DirectCC.exe ... must have, as a "search" of my computer doesn't bring it up.
How do I correct this?
Would that be the cause of my Image.dll loss?
Also: no one else can get to ms media player or Shredder site?
Thanks guys

The HijackThis site has also been attacked....
http://forums.tomcoyote.org (regulars will know this).
On my scan (I have Windows ME) that message asks if I want to delete the file, I state no, but if you rush through the scan, you might click yes in error.
Anyways.....
Since you have Win XP, you can do a system restore. Select the day before you ran this ill fated scan. I don't have XP, so can't tell you how to use System Restore...
I could for Win ME.
I have this file in the Windows folder (but I don't know what it does).
Google search for XP & Restore.

Sigh, computers are such a Royal Pain.
Thanks michael for the advice. Unfortunately in the system restore menu the only available day is today. It won't even let me change the month. Why the hell would my system not have any restore points but today, sigh.
Oh ya, and I do have system restore turned on, I checked.
Don't get it

Hi
Image.dll is part of the cws infection. It is not a required system file.
Are you getting startup errors regarding that file?
If you had either or both variants cws.aff.tooncomics, cws.the realsearch infections....it removes wmplayer.exe (file required to run windows media player).
Did you have windows media player 9...the newest one?
I can email you the wmplayer.exe file if you want (it belongs in c:\program files\windows media player\wmplayer.exe <-this file missing). It is 72kb in size. Click my name for email addy, use wmplayer.exe in subject matter or I will trash the email as I do with all I don't know.
Or try this direct site for the windows media player9 download. Just install over top the one you have now.
Windows media player 9
_______________________________
I never give up!

Woot , i got the Win Media player ... dont know why the site wouldnt work for me before.
Thanks.
Now will i still get the image.dll error? Does this mean there is still some part of the CWS infection on my computer that Shredder didnt get? Is there a way to get rid of the error msg if this isnt a required file ?
*end 100 questions*
btw Thanks a ton guys , i REALLY appreciate it.
Gonna restart my comp (duh) i will post if dll error is gone.

CWSHater
There is likely still reference in your registry telling windows to load that file...since CWShredder removed the file you will get the error. So we need to remove the registry entry.
Start regedit: start> run> type regedit> enter (the registry editor opens)
Click the + beside each of these keys:
HKEY_LOCAL_MACHINE
Software
Microsoft
Windows
Current Version
Run
Right click the run key
Click export
Export the file to say your desktop so it's easy to find.
Call it backup.reg
We just made a backup in case the wrong key is deleted....no recycle bin on deleted registry entries.
When you highlight the run key...on the right side is a list of values.
You are looking for reference to image.dll
Looks something like this:
[Image] rundll32 C:\WINDOWS\image.dll,Install
Right click the Image one, click delete, ok the confirmation prompt.
Close registry editor and reboot...error should be gone.
If you accidentally delete the wrong line...to use the backup you just made..right click the backup.reg file> choose merge> ok the confirmation prompt> reboot.
Once done that...to prevent re-infection visit windows update and install all critical updates including sp1. It will take a while if you have dial-up but worth the trouble.
let me know if that fixes it.
_________________________________
I never give up!

Hmm , cant find one with the image.dll , here are the ones i have:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy2\\Surround Mixer\\CTSysVol.exe"
"CTDVDDet"="C:\\Program Files\\Creative\\SBAudigy2\\DVDAudio\\CTDVDDet.exe"
"CTHelper"="CTHELPER.EXE"
"AsioReg"="REGSVR32.EXE /S CTASIO.DLL"
"UpdReg"="C:\\WINDOWS\\UpdReg.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"DwlClient"="C:\\Program Files\\Common Files\\Dell\\EUSW\\Support.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"P2P Networking"="C:\\WINDOWS\\System32\\P2P Networking\\P2P Networking.exe /AUTOSTART"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
So that's the file. Let me know if you see anything suspicious.
Thanks again

CWSHater
It must be referenced somewhere else..
Download HijackThis from here:
http://www.lurkhere.com/~nicefiles/
First one in the list.
Once downloaded, unzip it to its own permanent folder like c:\hijack\hijackthis.exe not a temp folder because it makes backups and we have no recovery options if run from temporary folder.
Start the program, click "scan", scan button changes to "save log" button, save the log to same folder, it will open up in notepad...paste its entire contents here.
Unless you know what you are doing...don't fix anything yet. Most of what you see is safe or even essential.
_______________________________
I never give up!

I think i see it in the log,about 1/2-way down ... under "RunServices". Am i correct in this?
As always, thanks a ton!
Logfile of HijackThis v1.97.7
Scan saved at 7:30:53 PM, on 3/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.exe
C:\WINDOWS\System32\CTHELPER.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Documents and Settings\David Schave\Desktop\antihack\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.exe /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\image.dll,Install
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {82202BE7-C56A-487E-9E55-D84BDC1A5776} (AnarkClient Class) - http://install.anark.com/client/version1/windows-ie/en/AMClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37925.5432291667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4333/mcfscan.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab

CWSHater
Yes you are correct...you do see it...Good spot!
Ok...
Start hijack again, run its scan and place a checkmark in front of the following entries:
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\image.dll,Install
Close all windows except hijack and click "fix checked"
Reboot the computer and delete the following folder:
c:\windows\system32\p2p networking <-this folder
p2p networking is a useless kazaa add-on that sucks up resources.
Error gone now?
____________________________________
I never give up!

Hmmm , the error is still there ... Strange. That line isnt in HijackThis anymore.
Oh well. More of an annoyance than an issue.
Also P2P has been eradicated ... muahaha.
Thanks a ton man

CWSHater
By looking at post #11 it looks like you have been in the registry before and know enough to be careful in there..
Check these locations for an entry referring to this:
start> run> regedit [enter]
C:\WINDOWS\image.dll,Install
HKEY_LOCAL_MACHINE\software\microsoft\windows\current version\run, run-, run services, run services once, run services ex.
HKEY_CURRENT_USER\software\microsoft\windows\current version\run, run-, run services, run services once, run services ex.
Sometimes hijack does not see the entry.
If you find one pointing to C:\windows\image.dll install..
First back up that key...just in case you get click happy (joke) and delete the wrong thing.
You would need to back up the whole key on the left eg: the run key...right click> export> to desktop (easy to find) call it backup.reg> save it.
Now you can delete the value pointing to image.dll on the right....right click the value> select delete> yes at the prompt.
Don't delete anything else in there.
The run- key I refer to above is disabled items...some time along the way you may have disabled it trying to get rid of it.
I realize it isn't a huge problem but I am sure you would like to see it go away just the same.
Also all those run...whatever keys may not be present on all systems so don't worry if it is not on yours.
Close regedit and reboot.
If you did make a mistake and deleted wrong item...go to the backup you made on desktop> right click> select merge> yes at the prompt.
I never give up!

ok , i didnt see anything there ... i might have been looking wrong. However , i ran a search of the registry for image.dll and found this :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
-- Then a file(?) called "Image" containing:
rundll32 C:\WINDOWS\image.dll,Install
This it perhaps? It is the only "image.dll" that came up in the search of the registry.
Thanks !

CWSHater
Nothing wrong with the way you are looking...If I was right on the ball I would have told you to run the search you did.
That would be the one...get rid of the value on right side.
Back it up first tho just in case...(the run key from that line)
Right click the name "image", select delete, yes at the prompt, close regedit and reboot.
If all is well after a reboot you can delete the backup.
You would get the error every time you boot up...because windows is being told to install image.dll when explorer starts. The file image.dll is now gone...so the error still comes up.
I never thought of that key...makes perfect sense....Good work!
Let me know if that takes care of the error...so I can add it to my fix it list.
Thanks!
_________________________
I never give up!

Cha-Ching! Problem officially solved!
Thank you SO much for all your help man. Gives one just a little faith in the world that there are people like you out there who are willing to help others and stand to gain nothing.
You are a credit to our often repulsive species.
Thanks again.

CWSHater
Glad it finally worked!
I should have added to jump up and down and cheer after you rebooted and had no error...lol.
Thanks for posting back.
Take care.
___________________________I never give up!
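
An added example, not part of the original thread or any poster's code: the fix came from searching the whole registry for image.dll instead of checking only the Run key. The Python below runs that search over the text of a regedit export and marks hits that sit in one of the autostart keys named in the thread; the sample export is constructed, and the names find_references and AUTOSTART_SUFFIXES are assumptions made for this example.

```python
import re

# Autostart key endings named in the thread (under HKLM or HKCU).
AUTOSTART_SUFFIXES = (
    r"\currentversion\run",
    r"\currentversion\runservices",
    r"\currentversion\runservicesonce",
    r"\currentversion\policies\explorer\run",
)

# "name"="data" lines; only string (REG_SZ) values are handled here.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

def unescape(s):
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def find_references(reg_text, needle):
    """Return (key, value_name, data, is_autostart) for each string value
    whose data mentions `needle`, compared case-insensitively."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            continue
        name, data = unescape(m.group(1)), unescape(m.group(2))
        if needle.lower() in data.lower():
            hits.append((key, name, data, key.lower().endswith(AUTOSTART_SUFFIXES)))
    return hits

# Constructed sample export. A real "Version 5.00" export is UTF-16 on disk,
# so read it with open(path, encoding="utf-16") before passing the text in.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"Image"="rundll32 C:\\WINDOWS\\image.dll,Install"
'''

if __name__ == "__main__":
    for key, name, data, auto in find_references(SAMPLE, "image.dll"):
        print(f"{key}\n  {name} = {data}\n  autostart location: {auto}")
```

Exporting a broad branch such as HKEY_LOCAL_MACHINE\SOFTWARE and scanning it this way also gives a text record of where the stale value lived before it was deleted.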
