
[Resolved] Mass mail problem

Discussion in 'Virus & Other Malware Removal' started by nelson47, Sep 19, 2003.

Thread Status:
Not open for further replies.
  1. nelson47

    nelson47 Thread Starter

    Joined:
    Feb 9, 2003
    Messages:
    34
    Hi!

    I have been encountering a problem of mass-mailing, that is, my computer sends out lots of mails without me telling it to. The reason I found this out was that my Norton Antivirus gave me error messages saying "Symantec Email Proxy" and that the message to the recipient could not be sent because no connection could be made to the server.

    I want help in stopping these emails from being sent from my computer. I hope you can help me! I have scanned the computer with antivirus and spybot (AdAware and SpyBot S&D) software with no result.

    I am also aware that this post is somewhat similar to another post on the same subject, but I have checked the advice given there and none of it seems to correspond to my problem.

    I would very much appreciate help in any way! Thank you
    / Nelson

    This is my hijack this log:

    Logfile of HijackThis v1.95.0
    Scan saved at 23:39:47, on 2003-09-19
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    D:\Temp\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.superwebsearch.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.superwebsearch.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.superwebsearch.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.superwebsearch.com/ie/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.superwebsearch.com/ie/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\program\AcrobatReader\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [uhzrhse] rundll32 C:\WINDOWS\System32:uhzrhse.dll,Init 1
    O4 - HKLM\..\Run: [ICQ Lite] D:\Program\ICQLite\ICQLite.exe -minimize
    O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
    O4 - HKLM\..\Run: [nbstitc] rundll32 C:\WINDOWS\System32:nbstitc.dll,Init 1
    O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xportera till Microsoft Excel - res://D:\Program\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java-konsol (HKLM)
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37722.4138078704
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Fuzzy Gnome

    Fuzzy Gnome

    Joined:
    Jun 8, 2003
    Messages:
    78
  3. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    nelson47

    Run Hijack This again and put a check by these. Close all browser windows and "Fix checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.superwebsearch.com/ie/

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.superwebsearch.com/ie/

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.superwebsearch.com/ie/

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.superwebsearch.com/ie/

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.superwebsearch.com/ie/

    O4 - HKLM\..\Run: [uhzrhse] rundll32 C:\WINDOWS\System32:uhzrhse.dll,Init 1

    O4 - HKLM\..\Run: [nbstitc] rundll32 C:\WINDOWS\System32:nbstitc.dll,Init 1

    Restart your computer.

    Go here http://housecall.trendmicro.com/ and do an online virus scan.
     
  4. nelson47

    nelson47 Thread Starter

    Joined:
    Feb 9, 2003
    Messages:
    34
    Hi again!

    I have done what you said, and it took care of the "superwebsearch" stuff.

    However, the entries:

    O4 - HKLM\..\Run: [uhzrhse] rundll32 C:\WINDOWS\System32:uhzrhse.dll,Init 1

    O4 - HKLM\..\Run: [nbstitc] rundll32 C:\WINDOWS\System32:nbstitc.dll,Init 1

    return when I restart my computer. I have done further scanning of the hard drive using Trojan Remover 6.07 as well as fix-tools for SWEN, SOBIG.F, KLEZ and MIMAIL, but none of these solve the problem. So I am all out of ideas.

    Hope anyone out there can give me a hand!
    / Nelson
     
  5. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Did you do the online Virus scan?

    I have PMed someone else to look in on this thread.
     
  6. nelson47

    nelson47 Thread Starter

    Joined:
    Feb 9, 2003
    Messages:
    34
    I have already performed an online scan, at trendmicro, of my hard drive. It did not find anything. It was one of the first things I did once I discovered this problem.

    Appreciate it!
    / Nelson
     
  7. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Let's try this.

    Navigate to C:\WINDOWS\System32

    and locate these two files:

    uhzrhse.dll and nbstitc.dll

    Copy both of those files and put them in a Zipped folder and send them to me and I will send them for analysis:

    Click here to email me



    After sending them to me:

    Run Hijack This again and put a check by these. Close all browser windows and "Fix checked"

    O4 - HKLM\..\Run: [uhzrhse] rundll32 C:\WINDOWS\System32:uhzrhse.dll,Init 1

    O4 - HKLM\..\Run: [nbstitc] rundll32 C:\WINDOWS\System32:nbstitc.dll,Init 1

    Reboot to safe mode and delete those files.
     
  8. nelson47

    nelson47 Thread Starter

    Joined:
    Feb 9, 2003
    Messages:
    34
    I tried that, and there are no files with these names on the entire C-drive. Which I find odd. So I can't email them to you...

    I have investigated further into the matter, using a packet sniffer, a port scanner and a trace route. Here are some results and conclusions.

    This is a logging session using the program Diamond CS Port Explorer:

    --[Session Started at 23/09/2003 - 00:13:06]--
    23/09/2003 00:13:20am OPEN TCP 0.0.0.0:0 0.0.0.0:0 Success 0 C:\WINDOWS\Explorer.EXE:1344

    23/09/2003 00:13:20am ACCEPT TCP 127.0.0.1:1028 127.0.0.1:1096 Success C:\Program\Norton Internet Security\ccPxySvc.exe:188

    23/09/2003 00:13:20am RECEIVE TCP 127.0.0.1:1028 127.0.0.1:1096 Success 121 C:\Program\Norton Internet Security\ccPxySvc.exe:188

    23/09/2003 00:13:20am CONNECT TCP 127.0.0.1:1096 66.221.215.1:80 Success C:\WINDOWS\Explorer.EXE:1344 United States

    Before all this begins I get a question from Norton Internet Security whether or not I will allow a remote process to access my computer (from Microsoft Corporation). If I allow this, the above will occur. It seems like Explorer.exe opens a TCP connection to the IP address: 66.221.215.1:80.

    The trace-route did not give me much but it could resolve the host name: davidtims.propagation.net, but a full trace could not be completed.

    I hope this can be useful to you!
    / Nelson
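
Added example, not part of any post in this thread: the two Run entries that keep returning use the form `C:\WINDOWS\System32:uhzrhse.dll`, which is NTFS alternate-data-stream syntax (a stream named `uhzrhse.dll` attached to the `System32` directory), so no ordinary file of that name needs to exist. The Python sketch below flags such autostart entries in a HijackThis scan log; the function names and the regex heuristic are assumptions of this example, and the sample lines are copied from the log posted above.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Sample input: O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [uhzrhse] rundll32 C:\WINDOWS\System32:uhzrhse.dll,Init 1
O4 - HKLM\..\Run: [ICQ Lite] D:\Program\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [nbstitc] rundll32 C:\WINDOWS\System32:nbstitc.dll,Init 1
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
"""

# "O4 - HKLM\..\Run: [name] command" as written in the scan log.
O4_LINE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)

# Heuristic (assumption of this example): a drive-rooted path followed by a
# second colon and a stream name, e.g. C:\dir:stream or C:\dir\file.txt:stream.
# The last path component may not contain whitespace, which keeps switches
# such as "-p:value" after an executable path from matching.
ADS_REF = re.compile(
    r'(?P<host>[A-Za-z]:\\(?:[^\\/:"*?<>|,]*\\)*[^\\/:"*?<>|,\s]*)'
    r':(?P<stream>[^\\/:"*?<>|,\s]+)'
)


class Finding(NamedTuple):
    hive: str     # HKLM or HKCU
    key: str      # Run, RunOnce, ...
    name: str     # registry value name
    host: str     # file or directory the stream is attached to
    stream: str   # name of the alternate data stream
    command: str  # full autostart command line


def find_ads_reference(command: str) -> Optional[Tuple[str, str]]:
    """Return (host, stream) if the command references an alternate data stream."""
    m = ADS_REF.search(command)
    return (m.group("host"), m.group("stream")) if m else None


def scan_hijackthis(log: str) -> List[Finding]:
    """Collect O4 autostart entries whose command loads code from a stream."""
    findings = []
    for raw in log.splitlines():
        m = O4_LINE.match(raw.strip())
        if not m:
            continue
        ref = find_ads_reference(m.group("cmd"))
        if ref:
            findings.append(Finding(m.group("hive"), m.group("key"),
                                    m.group("name"), ref[0], ref[1],
                                    m.group("cmd")))
    return findings


if __name__ == "__main__":
    for f in scan_hijackthis(SAMPLE_LOG):
        print(f"{f.hive}\\{f.key} [{f.name}]: stream '{f.stream}' on {f.host}")
```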
     
  9. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    In Folder Options > View, do you have "show hidden files" checked? Make sure it is.

    Now open a command shell (Start, Run, enter cmd).

    At the command prompt enter:

    dir /s nbstitc.dll

    Is it found?

    Also do:

    dir /s uhzrhse.dll

    If they are found, boot up in Safe Mode. First shutdown completely for a few seconds, then press f8 promptly on restart and select Safe Mode.

    Try to find the files again. If found, you can copy them someplace else and delete them from the system32 directory.

    If you still have trouble finding them, run cmd again and just try entering these two lines (careful with the spelling):

    del c:\windows\system32\uhzrhse.dll

    del c:\windows\system32\nbstitc.dll


    Run HijackThis again and delete the two entries you see there.

    If no joy after that, post a Startuplist instead of the Scanlog:

    In HijackThis click Config > Misc Tools, put a check in "list minor sections", and click Generate Startuplist. Post that instead.
     
  10. nelson47

    nelson47 Thread Starter

    Joined:
    Feb 9, 2003
    Messages:
    34
    I have found a couple of files with the names

    iacpnig
    uhzrhse

    with no file extensions!

    I think the first file has replaced the one called "nbstitc" previously. It might do so on system-reboot.

    They were not found in c:/windows/system32 but in
    c:/documents and settings/user/local settings/temp

    I could not locate any file with these names and the .dll-extension. I will send the files I've found to you for analysis.

    / Nelson
     
  11. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Boot up in Safe Mode again and open a CMD shell as before.

    Enter each line:

    cd "c:\documents and settings\user\local settings"

    You should now be at that prompt if you've reported the path correctly. Make sure you use backslashes and not forward slashes in that line and include the quotes.

    Enter:

    rd /s temp

    Enter 'y' when prompted to remove temp and all its subdirectories.

    Run HijackThis from Safe Mode and verify the currently reported names of the dll's. Try to delete the registry entries for them again in Safe Mode.

    Reboot and post a Startuplist as instructed previously (list minor sections is important).
     
  12. nelson47

    nelson47 Thread Starter

    Joined:
    Feb 9, 2003
    Messages:
    34
    I have now tried to remove the files, but with no success. They cannot be removed because they are used by another process.

    The filenames still are:
    iacnipg
    uhzrhse

    Anyway, here's my startup-list from Hijack-this:

    StartupList report, 2003-09-23, 02:28:51
    StartupList version: 1.52
    Started from : D:\Temp\hijackthis\HijackThis.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    D:\Temp\hijackthis\HijackThis.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    nwiz = nwiz.exe /install
    IMJPMIG8.1 = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    ICQ Lite = D:\Program\ICQLite\ICQLite.exe -minimize
    RemoteControl = C:\WINDOWS\System32\rmctrl.exe
    ccApp = "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
    ccRegVfy = "C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe"
    QD FastAndSafe =
    iacnipg = rundll32 C:\WINDOWS\System32:iacnipg.dll,Init 1
    uhzrhse = rundll32 C:\WINDOWS\System32:uhzrhse.dll,Init 1

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *iacnipg = rundll32 C:\WINDOWS\System32:iacnipg.dll,Init 1
    *uhzrhse = rundll32 C:\WINDOWS\System32:uhzrhse.dll,Init 1

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    CTFMON.EXE = C:\WINDOWS\System32\ctfmon.exe
    NVIEW = rundll32.exe nview.dll,nViewLoadHook

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    ICQ Lite = D:\Program\ICQLite\ICQLite.exe -trayboot

    --------------------------------------------------

    File association entry for .SCR:
    HKEY_CLASSES_ROOT\scrfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    StubPath = C:\WINDOWS\INF\unregmp2.exe /ShowWMP

    [>{26923b43-4d38-484f-9b9e-de460746276c}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

    [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [{306D6C21-C1B6-4629-986C-E59E1875B8AF}]
    StubPath = "C:\WINDOWS\System32\rundll32.exe" "C:\Program\Messenger\msgsc.dll",ShowIconsUser

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\system32\ie4uinit.exe

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\System32\scrnsave.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present
    C:\WINDOWS\Fonts\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - d:\program\AcrobatReader\Acrobat\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - D:\Program\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
    NAV Helper - C:\Program\Norton SystemWorks\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Norton AntiVirus - Scan my computer.job
    Norton SystemWorks One Button Checkup.job
    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Update Class]
    InProcServer32 = C:\WINDOWS\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37886.4834375

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\swflash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating Windows NT/2000/XP services

    AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
    Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Symantec Event Manager: "C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe" (autostart)
    Symantec Proxy Service: C:\Program\Norton Internet Security\ccPxySvc.exe (autostart)
    Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
    ElbyCDIO Driver: System32\Drivers\ElbyCDIO.sys (autostart)
    Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Event Log: %SystemRoot%\system32\services.exe (autostart)
    GhostStartService: C:\Program\NORTON~1\NORTON~2\GHOSTS~2.EXE (autostart)
    Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Norton AntiVirus Auto Protect Service: "C:\Program\Norton SystemWorks\Norton AntiVirus\navapsvc.exe" (autostart)
    Norton Internet Security Accounts Manager: C:\Program\Norton Internet Security\NISUM.EXE (autostart)
    Norton Unerase Protection: "C:\Program\Norton SystemWorks\Norton Utilities\NPROTECT.EXE" (autostart)
    NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
    Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
    Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    SAVRTPEL: \??\C:\WINDOWS\System32\Drivers\SAVRTPEL.SYS (autostart)
    ScriptBlocking Service: C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart)
    Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Secondary Logon Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Speed Disk service: C:\Program\NORTON~1\SPEEDD~1\nopdb.exe (autostart)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 10_620 bytes
    Report generated in 0,170 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  13. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Ok, I see you have been using an old version of HijackThis, so not all the related registry entries were shown in the Scanlog.

    Second, did you attempt to delete them in Safe Mode? I can't emphasize enough that any attempt to do so must be done there. If you didn't, that is why you are blocked by the "in use".

    Download a new copy of HijackThis and use it in the future:

    http://www.tomcoyote.org/hjt/

    Shutdown completely for 20 seconds before rebooting to make sure all memory is cleared. In Safe Mode run HijackThis and delete all references to those files you find. Then try to delete the files themselves again.

    Run regedit and navigate to:

    Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\RunOnce

    And right click on and delete any entries in the right hand pane that you see except "default".

    Post another Scanlog using the new version of HijackThis.
     
  14. nelson47

    nelson47 Thread Starter

    Joined:
    Feb 9, 2003
    Messages:
    34
    Ok, I will try using the newer version of HijackThis.

    I tried to delete the files in Safe Mode, and it did not work.
    Be back in a while.

    / Nelson
     
  15. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Here is something else to try. Before doing it, verify that the names of the dll's have not changed.

    From Start > Run, enter each line:

    rundll32 C:\WINDOWS\System32:iacnipg.dll,uninstall

    rundll32 C:\WINDOWS\System32:uhzrhse.dll,uninstall
     
Short URL to this thread: https://techguy.org/166004