AeyhHyon
Trooper
Joined: Dec 21, 2005 Posts: 15 Location: USA
Posted: Wed Jan 04, 2006 4:54 am Post subject: What if shimgvw.dll is listed 4 times by a filesearch?
I was able to unregister shimgvw.dll by typing at Start, Run "regsvr32 -u %windir%\system32\shimgvw.dll"
But after running a file search I also found shimgvw.dll at these locations on my computer:
c:\I386
c:\windows\$NtservicePackUninstall$
c:\Windows\ServicePackFiles\i386
Mister2
SRT Team Lead
Premium Member
Joined: Oct 28, 2004 Posts: 7273
Posted: Wed Jan 04, 2006 6:01 am
Hi AeyhHyon,
That is perfectly normal. The file in the Windows\System32 folder is the working file, the rest are copies or backups.
In particular the I386 folder is a copy of the folder from the installation CD which, amongst other things, allows Windows to be repaired without using the CD.
I actually have 5 copies on my system. The only one in use is in the Windows\System32 folder.
Try booting into Safe Mode - start your system and keep tapping the F8 key, then choose Safe Mode from the menu which eventually appears - and unregister it.
It is still unclear whether the file needs to be unregistered if you have applied the patch but I figure it's better to be safe than sorry.
Let us know if you still have problems.
Mister2
EDIT
Do you get an error message when you try to unregister the file? If so then please let us know the exact wording of the message.
Thanks.

Never stop learning
AeyhHyon
Trooper
Joined: Dec 21, 2005 Posts: 15 Location: USA
Posted: Thu Jan 05, 2006 11:51 pm
No. No error message. I was able to unregister it from windir\server32 without a problem.
But my telephone, e-mail account and cell phone are still messed up. Just how (e.g.?) and in what manner can WMF be exploited to cause such havoc by distributing WMF gif files or whatnot? And just how can they be transmitted, and by what use or media can it possibly exploit?
Paul
CastleCops Founder
Joined: Feb 22, 2002 Posts: 27351
Mister2
SRT Team Lead
Premium Member
Joined: Oct 28, 2004 Posts: 7273
Posted: Fri Jan 06, 2006 7:44 am
Hi AeyhHyon,
I misread your original post as being unable to unregister the file.
Please follow the link that Paul posted. What problems with your phones / email are you experiencing?

Never stop learning
AeyhHyon
Trooper
Joined: Dec 21, 2005 Posts: 15 Location: USA
Posted: Sat Jan 07, 2006 12:19 am
I had received an IM from a person who shall remain nameless. He wrote that his entire apt is wired and the next time he throws a party, that I am invited. I do not even know this person well. Within a few weeks, my Dad's, my sister and brother in law's and my apartment(s) began to receive phone service disruption, like VoIP, but it really sounds like an intercom. My old e-mail address book thru yahoo.com is stolen and also affected in the same manner. As well as my cell phone address book.
I was using McAfee, but recently switched to Verizon Security Suite. I did a spyware check and the following was pulled:
unknown trojan virus at c:\program files\Sonic\DLA\install\ssdiag.exe
PeopleOnPage.Apropos.Media
NavExcel
Viewpoint Toolbar
With Verizon Firewall, IP events include descriptions of "Virtual Audio Places" and "Virtual Video Places" as well as Audio stream trojan. Most of the unsolicited VoIP/ GAIM /SPIT whatever occurs after 8pm and continues throughout the evening.
A lot of the IP events have originated from Los Angeles, San Jose and Sunnyvale, CA. But also from places like Georgia, and Lambeth, England? They have also included events from Comcast handset cell phones from Colorado, Pennsylvania and Seattle WA. My cousin lives in Colorado. It was his voice I heard over this VoIP as that IP address occurred on my McAfee Firewall.
I think the ssdiag.exe has dialer.exe. Whomever is behind this cyberbullying, they are referencing my phone number, as well as Dad's and my sister's as part of their partyline. They keep using this partyline to dial out to other people and harass people or tax them of their time.
I do not know how the VoIP occurs. And... the fact that a Comcast handset phone from Colorado issued an IP event, as is, on my McAfee Firewall at the same time that the unexplained VoIP/intercom-like audio occurred, is evidence enough for me to say that somehow my phone line is being tapped, or tampered with for no apparent reason other than someone is trying to give me a hard time just for not going out with him. The VoIP is constant, 24 hours a day, it has harassed my friends, has messed with their phone lines, as well as the phone lines at my place of work.
I ran a netstat -an test on my computer. It revealed that ports 139, 445, 1026, 1027, 1028, 1029, and a few others are in a listening state? Just what are ports? And why is it that this VoIP can still occur even when I am NOT on the computer, or on the internet and my phone is not even in use? I've never even signed up for VoIP, not even free trial service VoIP. A lot of people are being harassed by this VoIP partyline game. I'm not sure why this is happening. But I am convinced that there are two people who are taking advantage of it, one is a former coworker, the other is the instant messenger. They are both computer programmers and they are both, although worlds apart, very juvenile and moronic.
Mister2
SRT Team Lead
Premium Member
Joined: Oct 28, 2004 Posts: 7273
Posted: Sat Jan 07, 2006 11:45 am
Hi AeyhHyon,
You certainly have problems there you could do without.
Please run through the MRP procedure as Paul suggested. After that I would advise posting a HJT log.
You will be posting the HiJackThis log in the HiJackThis forum: /f67-Hijackthis_Spyware_Viruses_Worms_Trojans_Oh_My.html
Read the HJT forum posting rules: /t102301-Hijackthis_Guidelines_Read_Before_Posting.html
Download HiJackThis from: /downloads-file-328.html
Create a folder and unzip the HiJackThis download to the folder. Do not unzip the HiJackThis download to a temp folder - it won't work.
Double-click "HijackThis.exe". First, update HiJackThis by pressing the "Config" button, then press "Misc Tools", followed by "Check for update online". If you downloaded an updated HJT, click "Yes" at the "Open the file?" prompt. If you did not update, press the "Back" button.
Press "Scan". When the scan is finished, use the "Save Log" button and save the log as a text file. It's best to save your text file in the same folder as where you put HiJackThis.
DO NOT FIX ANYTHING YOURSELF UNTIL INSTRUCTED TO DO SO ONLY BY A CCSP EXPERT. MOST OF THE HJT LOG ENTRIES ARE NEEDED TO RUN YOUR COMPUTER. REMOVING THE NEEDED ENTRIES CAN CAUSE SERIOUS DAMAGE TO YOUR COMPUTER.
Post your log in the HiJackThis forum: /f67-Hijackthis_Spyware_Viruses_Worms_Trojans_Oh_My.html . Click "NewTopic" and simply copy/paste the HJT log into the textbox. Include the information requested in the HJT forum posting rules: /t102301-Hijackthis_Guidelines_Read_Before_Posting.html
In your post with the log please state any problems you encountered whilst running through the MRP procedure, and include a link back to this thread.
After you have posted your HJT log in the HiJackThis forum, please post, in this thread, a link back to your HJT log. (Copy the address in the address bar of your browser when you post your log, and paste it as a reply in this thread).
In the meantime I would contact your phone provider and also yahoo to inform them of your problems. Even if they do not act immediately at least your complaint will be logged.
I will request your other threads regarding this subject be closed so we can continue in this thread without confusion.
Mister2

Never stop learning
wawadave
Special Response Team
Joined: Nov 22, 2002 Posts: 21503 Location: Installing Vista http://tinyurl.com/2l9qyd
Posted: Sat Jan 07, 2006 5:02 pm
c:\I386
c:\windows\$NtservicePackUninstall$
c:\Windows\ServicePackFiles\i386
The uninstall service pack one is OK, and it being in i386 is also OK to the best of my knowledge.
i386 files are the same files as found on your XP install CD, and can be used to run sfc from if no CD is present.
They were put there when you installed the system, and should be kept.
jmho

Brycetechs new tut dvd http://tinyurl.com/2u7rpk
The Pixel Palladium
Bryce Newby help and tuts, d/l,s How 2s Updated 18 Apr 2008
AeyhHyon
Trooper
Joined: Dec 21, 2005 Posts: 15 Location: USA
Posted: Sun Jan 08, 2006 1:40 am
Thanks for the explanation, WaWaDave. I'm a little confused though. What is cd and what is an sfc?
Mister2:
I actually ran a Hijack This test on December 22. I would just cut and paste the hijack this log onto a quick reply, but that forum requires that a link be established to post a Hijack This Log. I do not know how to post a link for my HJT log. I do not own or run or manage a webpage. All I have is an e-mail account.
Ikeb
Special Response Team Forums Admin
Joined: Apr 20, 2003 Posts: 16509
Posted: Sun Jan 08, 2006 3:30 am
AeyhHyon, you're looking at this forum through a browser, right? OK well, you should have a link bar at the top of the browser window. That bar displays the current URL you are viewing. In another instance (or tab) of your browser, browse to the HJT forum post you make. Copy that URL and paste it as a link into a post in this topic. It would be good to post the URL of this topic into your HJT forum post as a link as well. That's it.
BTW, have you tried the MRP procedure? That procedure will walk you through the removal methods for many of the commonly occurring malware infestations. Using it means you don't have to wait for anyone to get to your HJT post (you could be waiting days). Also, it's very likely the assigned expert will ask you to follow much of the MRP procedure anyway. Yes, you could have something that none of the steps remove, but your HJT log will be much easier to read and save the expert (and you) additional delays.
AeyhHyon
Trooper
Joined: Dec 21, 2005 Posts: 15 Location: USA
Posted: Mon Jan 23, 2006 6:36 am Post subject: Is Virtual Video Places and Virtual Audio Places RAT?
My computer crashed as I tried to install the spyware removal software. I took it to Best Buy. My computer does not operate as well as before. Since Jan 21, my Firewall software (Verizon Security Suite) has not been working.
But I was still receiving some odd IP addresses including descriptions of "Virtual video places", RAT, Netbus Pro Ultor, Deepthroat Invasor?
And somehow, my apartment is still receiving VoIP. But I have never subscribed to it, free, or fully paid.
Ikeb
Special Response Team Forums Admin
Joined: Apr 20, 2003 Posts: 16509
Posted: Mon Jan 23, 2006 5:52 pm
AeyhHyon you didn't mention what BestBuy found nor what they did. That could have a bearing here. If they didn't do a fresh install, I still think you should have your computer examined for malware.
AeyhHyon
Trooper
Joined: Dec 21, 2005 Posts: 15 Location: USA
Posted: Wed Jan 25, 2006 10:24 pm Post subject: Spyware found on my computer so far
This is what I found with anti spyware prior to my computer crashing:
PeopleOnPage.Apropos.media
NavExcel
Viewpoint Toolbar
This is what my antispyware program found after my computer was repaired:
1) WebTrends
user@statse.webtrendslive[2].txt
2) Advertising.com/Teknosurf
user@advertising[1].txt
3) Hitbox.com
user@hitbox[2].txt
4) Mediaplex.com [author]
user@mediaplex[1].txt
5) QuestionMarket.com
user@questionmarket[1].txt
6) AtlasDMT.com
user@atdmt[2].txt
7) Servedby.Advertising.com
user@servedby.advertising[1].txt
8) TribalFusion.com
user@tribalfusion[2].txt
9) 2o7.net
Omniture Inc (author)
user@2o7[2].txt
10) Citi.Bridgetrack
user@citi.bridgetrack[1].txt
11) Edge.ru4
user@edge.ru4[1].txt
12) Server-Sys
user@server-sys[2].txt
My Firewall program has not been operating from Jan 21 till today, Jan 25.
Mister2
SRT Team Lead
Premium Member
Joined: Oct 28, 2004 Posts: 7273
Posted: Thu Jan 26, 2006 5:31 am
Re your question about wawadave's post, CD = Windows installation CD, sfc = System File Checker.
Try doing this:
Go to Start, Run, type 'sfc /scannow' (without the quotes, and note the space after 'sfc') and click OK. Insert your installation disk (CD) when asked. This will repair any Windows system files which may have got corrupted.
If you need to download any malware checking/removal programs then do so on a different machine if possible and transfer them to your system on CD or USB memory stick - until you get your firewall running it is not safe to access the internet without a firewall.
Reboot into Safe Mode (turn your system on and keep tapping the F8 key until a menu appears. Choose Safe Mode from the options). See if you can install and scan in Safe Mode.
While you are in Safe Mode it would be worth seeing if you can start your firewall manually. If so then reboot as above but choose Safe Mode with Networking, then start your firewall. You should then be able to access the internet to get any downloads you need.

Never stop learning
AeyhHyon
Trooper
Joined: Dec 21, 2005 Posts: 15 Location: USA
Posted: Thu Feb 23, 2006 7:27 pm Post subject: RAT and Port 80?
There are a number of IP addresses, including "Network Blackjack" on my firewall that match some of the RAT (remote access trojan) reported by Microsoft from 2002. I think someone is using my phone number, cell phone and e-mail to harass me and tax other people of their time by use of remote access trojan virus, spyware, streaming audio trojan virus and port 80 internet, to force people into a VOIP conference call, send VOIP and also internet of video recordings. For some reason, TV cable??? telephone, cell phone and e-mail address have all been disrupted by these spyware and trojan virus computer program exploits over the internet port 80.
This is the webpage which I found by typing "RAT" and "port 80" at www.Google.com
http://www.microsoft.com/technet/security/alerts/info/virusrat.mspx
"Types of RATs
The most popular RATs, such as Back Orifice or SubSeven, are all-in-one intruder toolshops that do everything—capture screen, sound, and video content.
SubSeven. Even more popular than Back Orifice, the SubSeven RAT is always near the top of antivirus-vendor infection statistics. This Trojan functions as a key logger, packet sniffer, port redirector, registry modifier, and microphone and WebCam-content recorder. The program can randomly change its server port and notify the intruder of the change. SubSeven has specific routines that capture AOL Instant Messenger (AIM), ICQ, RAS, and screen-saver passwords."
8:36:47 Firewall allowing LEXPPS.EXE to act as a tcp server on local port 1026 (nterm)
8:36:48 Generic Host Process for Win32 Services has passed the binary integrity check.
8:36:48 Firewall allowing Generic Host Process for Win32 Services to act as a tcp server on local port 5000 (commplex-main)
8:36:48 LSA Shell (Export Version) has passed the binary integrity check.
8:36:48 Firewall allowing Generic Host Process for Win32 Services to act as a tcp server on local port 1025 (RFS, network blackjack)
8:36:48 Messenger has passed the binary integrity check.
8:36:48 Firewall allowing Windows operating system to act as a tcp server on local port 1028 (Unknown)
8:36:48 Motive SmartBridge has passed the binary integrity check.
8:36:48 Generic Host Process for Win32 Services has passed the binary integrity check.
8:36:48 Firewall allowing Generic Host Process for Win32 Services to act as a tcp server on local port 135 (DCE endpoint resolution, RPCSS.EXE, WINS Manager, DHCP Manager, Exchange Administrator)
8:36:48 Internet Security Suite initialization complete
8:37:13 Microsoft AntiSpyware Updater has passed the binary integrity check.
8:37:24 Internet Explorer has passed the binary integrity check.
8:37:39 Internet Explorer has passed the binary integrity check.
8:37:46 Postponing service model update because there's no Internet connection. Next retry in 01 min 00 sec.
8:38:45 Firewall allowing Generic Host Process for Win32 Services to access 239.255.255.250 port 1900 (SSDP) over udp
8:38:46 Postponing service model update because there's no Internet connection. Next retry in 01 min 00 sec.
8:38:47 Starting Anti-Spyware memory scan
8:38:47 Finished Anti-Spyware memory scan
8:39:46 Postponing service model update because there's no Internet connection. Next retry in 01 min 00 sec.
Protocol Direction Src IP Src Port Dst IP Dst Port Packet Type Trojan Date
tcp Outgoing 192.168.1.101 1164(Unknown) 206.46.232.47 443(http protocol over TLS/SSL) 2/17/2006 9:13:31 AM
tcp Outgoing 192.168.1.101 1164(Unknown) 206.46.232.47 443(http protocol over TLS/SSL) 2/17/2006 9:13:39 AM
tcp Incoming 207.46.198.30 80(World Wide Web HTTP) 192.168.1.101 1243(Unknown) BackDoor-G, SubSeven, SubSeven Apocalypse, Tiles 2/17/2006 9:16:29 AM
tcp Incoming 207.46.198.30 80(World Wide Web HTTP) 192.168.1.101 1246(Unknown) 2/17/2006 9:16:30 AM
tcp Incoming 207.46.198.30 80(World Wide Web HTTP) 192.168.1.101 1243(Unknown) BackDoor-G, SubSeven, SubSeven Apocalypse, Tiles 2/17/2006 9:16:35 AM
tcp Incoming 207.46.198.30 80(World Wide Web HTTP) 192.168.1.101 1246(Unknown) 2/17/2006 9:16:36 AM
tcp Incoming 207.46.198.30 80(World Wide Web HTTP) 192.168.1.101 1243(Unknown) BackDoor-G, SubSeven, SubSeven Apocalypse, Tiles 2/17/2006 9:16:47 AM
tcp Incoming 207.46.198.30 80(World Wide Web HTTP) 192.168.1.101 1243(Unknown) BackDoor-G, SubSeven, SubSeven Apocalypse, Tiles 2/17/2006 9:16:47 AM
tcp Incoming 207.46.198.30 80(World Wide Web HTTP) 192.168.1.101 1246(Unknown) 2/17/2006 9:16:48 AM
tcp Incoming 207.46.198.30 80(World Wide Web HTTP) 192.168.1.101 1246(Unknown) 2/17/2006 9:16:49 AM
tcp Incoming 159.53.64.103 443(http protocol over TLS/SSL) 192.168.1.101 1327(Unknown) 2/17/2006 10:38:56 AM
tcp Incoming 159.53.64.103 443(http protocol over TLS/SSL) 192.168.1.101 1327(Unknown) 2/17/2006 10:39:03 AM
tcp Incoming 159.53.64.103 443(http protocol over TLS/SSL) 192.168.1.101 1327(Unknown) 2/17/2006 10:39:13 AM
tcp Incoming 159.53.64.103 443(http protocol over TLS/SSL) 192.168.1.101 1327(Unknown) 2/17/2006 10:39:23 AM
tcp Incoming 159.53.64.103 443(http protocol over TLS/SSL) 192.168.1.101 1327(Unknown) 2/17/2006 10:39:33 AM
tcp Incoming 159.53.64.103 443(http protocol over TLS/SSL) 192.168.1.101 1327(Unknown) 2/17/2006 10:39:43 AM
tcp Incoming 159.53.64.103 443(http protocol over TLS/SSL) 192.168.1.101 1327(Unknown) 2/17/2006 10:39:53 AM
tcp Incoming 159.53.64.103 443(http protocol over TLS/SSL) 192.168.1.101 1327(Unknown) 2/17/2006 10:40:03 AM
tcp Incoming 159.53.64.103 443(http protocol over TLS/SSL) 192.168.1.101 1327(Unknown) 2/17/2006 10:40:13 AM
tcp Incoming 159.53.64.103 443(http protocol over TLS/SSL) 192.168.1.101 1327(Unknown) 2/17/2006 10:40:23 AM
tcp Incoming 159.53.64.103 443(http protocol over TLS/SSL) 192.168.1.101 1327(Unknown) 2/17/2006 10:40:33 AM
tcp Incoming 159.53.64.103 443(http protocol over TLS/SSL) 192.168.1.101 1327(Unknown) 2/17/2006 10:40:43 AM
tcp Incoming 159.53.64.103 443(http protocol over TLS/SSL) 192.168.1.101 1327(Unknown) 2/17/2006 10:40:53 AM
tcp Incoming 159.53.64.103 443(http protocol over TLS/SSL) 192.168.1.101 1327(Unknown) 2/17/2006 10:50:53 AM
tcp Incoming 206.46.232.9 80(World Wide Web HTTP) 192.168.1.101 1397(Audio Active Mail) 2/17/2006 11:01:08 AM
8:36:46 Initializing 5.1.15 - Build #5.1.15.40699
8:36:46 Partner ID 26 - Request ID 1
8:36:46 Name [Ping Server] Partner [VERIZON] Url [http://updates.verizon.freedom.net] Period [180] minutes
8:36:46 Name [Socket Router] Partner [VERIZON] Url [http://updates.verizon.freedom.net] Period [10080] minutes
8:36:46 Name [Exclusion List Server] Partner [VERIZON] Url [http://updates.verizon.freedom.net] Period [180] minutes
8:36:46 Name [Anti-Spyware] Partner [VERIZON] Url [http://updates.verizon.freedom.net] Period [180] minutes
8:36:46 wsc-av
8:36:46 Name [Anti-Virus] Partner [VERIZON] Url [http://updates.verizon.freedom.net] Period [180] minutes
8:36:47 wsc-fw
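The firewall rows above carry trojan names only on lines whose local port number happens to match a port those old tools used by default (1243 for SubSeven); the label comes from a port-name table, not from anything inspected in the packet. As an added example, not code from this thread or from the Verizon/Freedom product, here is a small Python triage of rows in that same column layout that separates such port-name coincidences (a reply from a remote web server on port 80/443 to a client port this PC chose) from rows that actually merit checking what is listening locally. It assumes Windows XP's default client port range of 1025-5000, and includes one constructed row to exercise the "review" branch.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample rows: the first four are copied from the firewall table in the post
# (layout: Protocol Direction Src IP Src Port Dst IP Dst Port [Trojan] Date);
# the last one is CONSTRUCTED to show an inbound connection to local port 1243.
SAMPLE_ROWS = """\
tcp Outgoing 192.168.1.101 1164(Unknown) 206.46.232.47 443(http protocol over TLS/SSL) 2/17/2006 9:13:31 AM
tcp Incoming 207.46.198.30 80(World Wide Web HTTP) 192.168.1.101 1243(Unknown) BackDoor-G, SubSeven, SubSeven Apocalypse, Tiles 2/17/2006 9:16:29 AM
tcp Incoming 207.46.198.30 80(World Wide Web HTTP) 192.168.1.101 1246(Unknown) 2/17/2006 9:16:30 AM
tcp Incoming 206.46.232.9 80(World Wide Web HTTP) 192.168.1.101 1397(Audio Active Mail) 2/17/2006 11:01:08 AM
tcp Incoming 10.0.0.5 3456(Unknown) 192.168.1.101 1243(Unknown) BackDoor-G, SubSeven 2/18/2006 1:02:03 AM
"""

# Assumption: the PC runs Windows XP, whose default client (ephemeral) port
# range is 1025-5000; ports below 1024 are treated as well-known service ports.
EPHEMERAL = range(1025, 5001)

ROW_RE = re.compile(
    r"^(?P<proto>\w+) (?P<direction>Incoming|Outgoing) "
    r"(?P<src>[\d.]+) (?P<sport>\d+)\((?P<sname>[^)]*)\) "
    r"(?P<dst>[\d.]+) (?P<dport>\d+)\((?P<dname>[^)]*)\)"
    r"(?P<trojan>.*?) ?(?P<date>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M)$"
)

@dataclass
class Verdict:
    local_port: int
    remote: str
    label: str
    reason: str

def classify(line: str) -> Optional[Verdict]:
    """Parse one firewall row and decide whether its trojan label means anything."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    incoming = m["direction"] == "Incoming"
    local_port = int(m["dport"] if incoming else m["sport"])
    remote_ip = m["src"] if incoming else m["dst"]
    remote_port = int(m["sport"] if incoming else m["dport"])
    label = m["trojan"].strip()
    if not label:
        reason = "no signature"
    elif local_port in EPHEMERAL and remote_port < 1024:
        # The name is keyed to the local port alone. A packet from a well-known
        # service port to a client port this host picked is a reply in a session
        # the PC opened itself, so the match is a port-table coincidence.
        reason = "port-name coincidence: reply from service port %d" % remote_port
    else:
        # Label on traffic that is not a reply to an outbound session: check what
        # is bound to the local port (netstat -ano) before drawing conclusions.
        reason = "review: check listener on local port %d" % local_port
    return Verdict(local_port, f"{remote_ip}:{remote_port}", label, reason)

def triage(text: str) -> List[Verdict]:
    return [v for v in (classify(l) for l in text.splitlines()) if v]

if __name__ == "__main__":
    for v in triage(SAMPLE_ROWS):
        print(f"local {v.local_port:5d} <-> {v.remote:20s} {v.reason}")
```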