[Resolved] Mass mail problem

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

nelson47

Thread Starter
Joined
Feb 9, 2003
Messages
34
Hi!

I have been encountering a problem of mass-mailing, that is my computer sends out lots of mails without me telling it to. The reason I found this out was that my Norton Antivirus gave me error messages saying "Symantec Email Proxy" and that the message to the recipient could not be sent because no connection could be made to the server.

I want help in stopping these emails from being sent from my computer. I hope you can help me! I have scanned the computer with antivirus and spybot (AdAware and SpyBot S&D) software with no result.

I am also aware that this post is somewhat similar to another post on the same subject, but I have checked the advice given there and none of it seems to correspond to my problem.

I would very much appreciate help in any way! Thank you
/ Nelson

This is my hijack this log:

Logfile of HijackThis v1.95.0
Scan saved at 23:39:47, on 2003-09-19
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
D:\Temp\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.superwebsearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.superwebsearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.superwebsearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.superwebsearch.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.superwebsearch.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\program\AcrobatReader\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [uhzrhse] rundll32 C:\WINDOWS\System32:uhzrhse.dll,Init 1
O4 - HKLM\..\Run: [ICQ Lite] D:\Program\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
O4 - HKLM\..\Run: [nbstitc] rundll32 C:\WINDOWS\System32:nbstitc.dll,Init 1
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://D:\Program\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java-konsol (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37722.4138078704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
Joined
Jul 26, 2002
Messages
46,331
nelson47

Run Hijack This again and put a check by these. Close all browser windows and "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.superwebsearch.com/ie/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.superwebsearch.com/ie/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.superwebsearch.com/ie/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.superwebsearch.com/ie/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.superwebsearch.com/ie/

O4 - HKLM\..\Run: [uhzrhse] rundll32 C:\WINDOWS\System32:uhzrhse.dll,Init 1

O4 - HKLM\..\Run: [nbstitc] rundll32 C:\WINDOWS\System32:nbstitc.dll,Init 1

Restart your computer.

Go here http://housecall.trendmicro.com/ and do an online virus scan.
 

nelson47

Thread Starter
Joined
Feb 9, 2003
Messages
34
Hi again!

I have done what you said, and it took care of the "superwebsearch" stuff.

However, the entries:

O4 - HKLM\..\Run: [uhzrhse] rundll32 C:\WINDOWS\System32:uhzrhse.dll,Init 1

O4 - HKLM\..\Run: [nbstitc] rundll32 C:\WINDOWS\System32:nbstitc.dll,Init 1

return when I restart my computer. I have done further scanning of the hard drive using Trojan Remover 6.07 as well as fix-tools for SWEN, SOBIG.F, KLEZ and MIMAIL, but none of these solve the problem. So I am all out of ideas.

Hope anyone out there can give me a hand!
/ Nelson
 
Joined
Jul 26, 2002
Messages
46,331
Did you do the online Virus scan?

I have PMed someone else to look in on this thread.
 

nelson47

Thread Starter
Joined
Feb 9, 2003
Messages
34
I have already performed an online scan, at trendmicro, of my harddrive. It did not find anything. It was one of the first things I did once I discovered this problem.

Appreciate it!
/ Nelson
 
Joined
Jul 26, 2002
Messages
46,331
Let's try this.

Navigate to C:\WINDOWS\System32

and locate these two files:

uhzrhse.dll and nbstitc.dll

Copy both of those files and put them in a Zipped folder and send them to me and I will send them for analysis:

Click here to email me



After sending them to me:

Run Hijack This again and put a check by these. Close all browser windows and "Fix checked"

O4 - HKLM\..\Run: [uhzrhse] rundll32 C:\WINDOWS\System32:uhzrhse.dll,Init 1

O4 - HKLM\..\Run: [nbstitc] rundll32 C:\WINDOWS\System32:nbstitc.dll,Init 1

Reboot to safe mode and delete those files.
 

nelson47

Thread Starter
Joined
Feb 9, 2003
Messages
34
I tried that, and there are no files with these names on the entire C-drive. Which I find odd. So I can't email them to you...

I have investigated further into the matter, using a packet sniffer, a port scanner and a trace route. Here are some results and conclusions.

This is a logging session using the program Diamond CS Port Explorer:

--[Session Started at 23/09/2003 - 00:13:06]--
23/09/2003 00:13:20am OPEN TCP 0.0.0.0:0 0.0.0.0:0 Success 0 C:\WINDOWS\Explorer.EXE:1344

23/09/2003 00:13:20am ACCEPT TCP 127.0.0.1:1028 127.0.0.1:1096 Success C:\Program\Norton Internet Security\ccPxySvc.exe:188

23/09/2003 00:13:20am RECEIVE TCP 127.0.0.1:1028 127.0.0.1:1096 Success 121 C:\Program\Norton Internet Security\ccPxySvc.exe:188

23/09/2003 00:13:20am CONNECT TCP 127.0.0.1:1096 66.221.215.1:80 Success C:\WINDOWS\Explorer.EXE:1344 United States

Before all this begins I get a question from Norton Internet Security whether or not I will allow a remote process to access my computer (from Microsoft Corporation). If I allow this, the above will occur. It seems like Explorer.exe opens a TCP connection to the IP address: 66.221.215.1:80.

The trace-route did not give me much but it could resolve the host name: davidtims.propagation.net, but a full trace could not be completed.

I hope this can be useful to you!
/ Nelson
 
Joined
Dec 9, 2000
Messages
45,855
In Folder Options > View, do you have "show hidden files" checked? Make sure it is.

Now open a command shell (Start, Run, enter cmd)

at the command prompt enter:

dir /s nbstitc.dll

Is it found?

also do:

dir /s uhzrhse.dll

If they are found, boot up in Safe Mode. First shutdown completely for a few seconds, then press f8 promptly on restart and select Safe Mode.

Try to find the files again. If found, you can copy them someplace else and delete them from the system32 directory.

If you still have trouble finding them, run cmd again and just try entering these two lines (careful with the spelling)

del c:\windows\system32\uhzrhse.dll

del c:\windows\system32\nbstitc.dll


Run HijackThis again and delete the two entries you see there.

If no joy after that, post a Startuplist instead of the Scanlog:

in HijackThis click Config > Misc Tools, put a check in "list minor sections", and click Generate Startuplist. Post that instead
 

nelson47

Thread Starter
Joined
Feb 9, 2003
Messages
34
I have found a couple of files with the names

iacpnig
uhzrhse

with no file extensions!

I think the first file has replaced the one called "nbstitc" previously. It might do so on system-reboot.

They were not found in c:/windows/system32 but in
c:/documents and settings/user/local settings/temp

I could not locate any file with these names and the .dll-extension. I will send the files I've found to you for analysis.

/ Nelson
 
Joined
Dec 9, 2000
Messages
45,855
Boot up in Safe Mode again and open a CMD shell as before.

enter each line:

cd "c:\documents and settings\user\local settings"

You should now be at that prompt if you've reported the path correctly. Make sure you use backslashes and not forward slashes in that line and include the quotes.

enter:

rd /s temp

enter 'y' when prompted to remove temp and all its sub directories.

Run HijackThis from Safe Mode and verify the currently reported names of the dll's. Try to delete the registry entries for them again in Safe Mode.

Reboot and post a Startuplist as instructed previously (list minor sections is important)
 

nelson47

Thread Starter
Joined
Feb 9, 2003
Messages
34
I have now tried to remove the files, but with no success. They cannot be removed because they are used by another process.

The filenames still are:
iacnipg
uhzrhse

Anyway, here's my startup-list from Hijack-this:

StartupList report, 2003-09-23, 02:28:51
StartupList version: 1.52
Started from : D:\Temp\hijackthis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
D:\Temp\hijackthis\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
IMJPMIG8.1 = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
ICQ Lite = D:\Program\ICQLite\ICQLite.exe -minimize
RemoteControl = C:\WINDOWS\System32\rmctrl.exe
ccApp = "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe"
QD FastAndSafe =
iacnipg = rundll32 C:\WINDOWS\System32:iacnipg.dll,Init 1
uhzrhse = rundll32 C:\WINDOWS\System32:uhzrhse.dll,Init 1

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*iacnipg = rundll32 C:\WINDOWS\System32:iacnipg.dll,Init 1
*uhzrhse = rundll32 C:\WINDOWS\System32:uhzrhse.dll,Init 1

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = C:\WINDOWS\System32\ctfmon.exe
NVIEW = rundll32.exe nview.dll,nViewLoadHook

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

ICQ Lite = D:\Program\ICQLite\ICQLite.exe -trayboot

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\INF\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{306D6C21-C1B6-4629-986C-E59E1875B8AF}]
StubPath = "C:\WINDOWS\System32\rundll32.exe" "C:\Program\Messenger\msgsc.dll",ShowIconsUser

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\scrnsave.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - d:\program\AcrobatReader\Acrobat\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - D:\Program\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
NAV Helper - C:\Program\Norton SystemWorks\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Norton SystemWorks One Button Checkup.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37886.4834375

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\swflash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Windows NT/2000/XP services

AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Symantec Event Manager: "C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe" (autostart)
Symantec Proxy Service: C:\Program\Norton Internet Security\ccPxySvc.exe (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
ElbyCDIO Driver: System32\Drivers\ElbyCDIO.sys (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
GhostStartService: C:\Program\NORTON~1\NORTON~2\GHOSTS~2.EXE (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Norton AntiVirus Auto Protect Service: "C:\Program\Norton SystemWorks\Norton AntiVirus\navapsvc.exe" (autostart)
Norton Internet Security Accounts Manager: C:\Program\Norton Internet Security\NISUM.EXE (autostart)
Norton Unerase Protection: "C:\Program\Norton SystemWorks\Norton Utilities\NPROTECT.EXE" (autostart)
NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SAVRTPEL: \??\C:\WINDOWS\System32\Drivers\SAVRTPEL.SYS (autostart)
ScriptBlocking Service: C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secondary Logon Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Speed Disk service: C:\Program\NORTON~1\SPEEDD~1\nopdb.exe (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 10_620 bytes
Report generated in 0,170 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 
Joined
Dec 9, 2000
Messages
45,855
Ok, I see you have been using an old version of HijackThis, so not all the related registry entries were shown in the Scanlog.

Second, did you attempt to delete them in Safe Mode? I can't emphasize enough that any attempt to do so must be done there. If you didn't, that is why you are blocked by the "in use".

Download a new copy of HijackThis and use it in the future:

http://www.tomcoyote.org/hjt/

Shutdown completely for 20 seconds before rebooting to make sure all memory is cleared. In Safe Mode run HijackThis and delete all references to those files you find. Then try to delete the files themselves again.

Run regedit and navigate to:

Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\RunOnce

And right click on and delete any entries in the right hand pane that you see except "default".

Post another Scanlog using the new version of HijackThis
 

nelson47

Thread Starter
Joined
Feb 9, 2003
Messages
34
Ok, I will try using the newer version of Hijack this.

I tried to delete the files in safemode, and it did not work.
Be back in a while

/ Nelson
 
Joined
Dec 9, 2000
Messages
45,855
Here is something else to try. Before doing it verify that the names of the dll's have not changed.

From Start, run enter each line:

rundll32 C:\WINDOWS\System32:iacnipg.dll,uninstall

rundll32 C:\WINDOWS\System32:uhzrhse.dll,uninstall
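
The autorun values in the logs above use the form C:\WINDOWS\System32:uhzrhse.dll, which is NTFS alternate-data-stream syntax (a stream named uhzrhse.dll attached to the System32 directory itself); a plain "dir /s" search does not list stream names. The Python code below is an added example, not part of the original thread: it parses both log formats posted here (scan log O4 lines and StartupList "name = command" lines) and flags autorun commands that load from a stream. Function names are hypothetical and the sample lines are constructed from the logs in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: autorun lines in the two formats posted in this thread
# (HijackThis scan log "O4" lines and StartupList "name = command" lines).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nbstitc] rundll32 C:\WINDOWS\System32:nbstitc.dll,Init 1
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
iacnipg = rundll32 C:\WINDOWS\System32:iacnipg.dll,Init 1
*uhzrhse = rundll32 C:\WINDOWS\System32:uhzrhse.dll,Init 1
ICQ Lite = D:\Program\ICQLite\ICQLite.exe -trayboot
"""

O4_LINE = re.compile(r"^O4 - [^:]+: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
STARTUPLIST_LINE = re.compile(r"^\*?(?P<name>[^=\[\]]+?) = (?P<cmd>.+)$")
# A drive-letter path followed by a second colon that introduces a stream name.
STREAM_PATH = re.compile(r"^(?P<host>[A-Za-z]:\\[^:]*):(?P<stream>[^\\/:,]+)")


def parse_autoruns(log_text):
    """Yield (value_name, command) for each autorun line in either format."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_LINE.match(line) or STARTUPLIST_LINE.match(line)
        if m:
            yield m.group("name"), m.group("cmd")


def find_stream_autoruns(log_text):
    """Return autorun entries whose command references path:stream."""
    findings = []
    for name, cmd in parse_autoruns(log_text):
        # Check quoted arguments whole and unquoted arguments token by token.
        for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', cmd):
            m = STREAM_PATH.match(quoted or bare)
            if m:
                findings.append({"value": name, "host": m.group("host"),
                                 "stream": m.group("stream"), "command": cmd})
    return findings


def streams_by_host(findings):
    """Group stream names by the file or directory they are attached to."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f["host"]].add(f["stream"])
    return {host: sorted(names) for host, names in grouped.items()}


if __name__ == "__main__":
    hits = find_stream_autoruns(SAMPLE_LOG)
    for hit in hits:
        print(f'{hit["value"]}: stream "{hit["stream"]}" on {hit["host"]}')
    print(streams_by_host(hits))
```

Grouping by host shows that every flagged value, including the one whose name changed between logs, points at a stream on the same directory, so the host object is the thing to inspect rather than the individual value names.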
 