
[Resolved] Mass mail problem

2K views 25 replies 4 participants last post by  Rollin' Rog 
#1 ·
Hi!

I have been encountering a problem of mass-mailing, that is, my computer sends out lots of mails without my telling it to. The reason I found this out was that my Norton Antivirus gave me error messages saying "Symantec Email Proxy" and that the message to the recipient could not be sent because no connection could be made to the server.

I want help in stopping these emails from being sent from my computer. I hope you can help me! I have scanned the computer with antivirus and anti-spyware (AdAware and SpyBot S&D) software with no result.

I am also aware that this post is somewhat similar to another post on the same subject, but I have checked the advice given there and none of it seems to correspond to my problem.

I would very much appreciate help in any way! Thank you
/ Nelson

This is my hijack this log:

Logfile of HijackThis v1.95.0
Scan saved at 23:39:47, on 2003-09-19
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
D:\Temp\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.superwebsearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.superwebsearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.superwebsearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.superwebsearch.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.superwebsearch.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\program\AcrobatReader\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [uhzrhse] rundll32 C:\WINDOWS\System32:uhzrhse.dll,Init 1
O4 - HKLM\..\Run: [ICQ Lite] D:\Program\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
O4 - HKLM\..\Run: [nbstitc] rundll32 C:\WINDOWS\System32:nbstitc.dll,Init 1
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://D:\Program\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java-konsol (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37722.4138078704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
#3 ·
nelson47

Run Hijack This again and put a check by these. Close all browser windows and "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.superwebsearch.com/ie/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.superwebsearch.com/ie/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.superwebsearch.com/ie/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.superwebsearch.com/ie/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.superwebsearch.com/ie/

O4 - HKLM\..\Run: [uhzrhse] rundll32 C:\WINDOWS\System32:uhzrhse.dll,Init 1

O4 - HKLM\..\Run: [nbstitc] rundll32 C:\WINDOWS\System32:nbstitc.dll,Init 1

Restart your computer.

Go here http://housecall.trendmicro.com/ and do an online virus scan.
 
#4 ·
Hi again!

I have done what you said, and it took care of the "superwebsearch" stuff.

However, the entries:

O4 - HKLM\..\Run: [uhzrhse] rundll32 C:\WINDOWS\System32:uhzrhse.dll,Init 1

O4 - HKLM\..\Run: [nbstitc] rundll32 C:\WINDOWS\System32:nbstitc.dll,Init 1

returns when I restart my computer. I have done further scanning of the harddrive using Trojan Remover 6.07 as well as fix-tools for SWEN, SOBIG.F, KLEZ and MIMAIL, but none of these solve the problem. So I am all out of ideas.

Hope anyone out there can give me a hand!
/ Nelson
 
#7 ·
Let's try this.

Navigate to C:\WINDOWS\System32

and locate these two files:

uhzrhse.dll and nbstitc.dll

Copy both of those files and put them in a Zipped folder and send them to me and I will send them for analysis:

Click here to email me

After sending them to me:

Run Hijack This again and put a check by these. Close all browser windows and "Fix checked"

O4 - HKLM\..\Run: [uhzrhse] rundll32 C:\WINDOWS\System32:uhzrhse.dll,Init 1

O4 - HKLM\..\Run: [nbstitc] rundll32 C:\WINDOWS\System32:nbstitc.dll,Init 1

Reboot to safe mode and delete those files.
 
#8 ·
I tried that, and there are no files with these names on the entire C-drive. Which I find odd. So I can't email them to you...

I have investigated further into the matter, using a packet sniffer, a port scanner and a trace route. Here are some results and conclusions.

This is a logging session using the program Diamond CS Port Explorer:

--[Session Started at 23/09/2003 - 00:13:06]--
23/09/2003 00:13:20am OPEN TCP 0.0.0.0:0 0.0.0.0:0 Success 0 C:\WINDOWS\Explorer.EXE:1344

23/09/2003 00:13:20am ACCEPT TCP 127.0.0.1:1028 127.0.0.1:1096 Success C:\Program\Norton Internet Security\ccPxySvc.exe:188

23/09/2003 00:13:20am RECEIVE TCP 127.0.0.1:1028 127.0.0.1:1096 Success 121 C:\Program\Norton Internet Security\ccPxySvc.exe:188

23/09/2003 00:13:20am CONNECT TCP 127.0.0.1:1096 66.221.215.1:80 Success C:\WINDOWS\Explorer.EXE:1344 United States

Before all this begins I get a question from Norton Internet Security whether or not I will allow a remote process to access my computer (from Microsoft Corporation). If I allow this, the above will occur. It seems like Explorer.exe opens a TCP connection to the IP address 66.221.215.1:80.

The trace-route did not give me much but it could resolve the host name: davidtims.propagation.net, but a full trace could not be completed.

I hope this can be useful to you!
/ Nelson
 
#9 ·
In Folder Options > View, do you have "show hidden files" checked? Make sure it is.

now open a command shell (start, run, enter cmd)

at the command prompt enter:

dir /s nbstitc.dll

Is it found?

also do:

dir /s uhzrhse.dll

If they are found, boot up in Safe Mode. First shut down completely for a few seconds, then press F8 promptly on restart and select Safe Mode.

Try to find the files again. If found, you can copy them someplace else and delete them from the system32 directory.

If you still have trouble finding them, run cmd again and just try entering these two lines (careful with the spelling)

del c:\windows\system32\uhzrhse.dll

del c:\windows\system32\nbstitc.dll


Run HijackThis again and delete the two entries you see there.

If no joy after that, post a Startuplist instead of the Scanlog:

in HijackThis click Config > Misc Tools, put a check in "list minor sections", and click Generate Startuplist. Post that instead
 
#10 ·
I have found a couple of files with the names

iacpnig
uhzrhse

with no file extensions!

I think the first file has replaced the one called "nbstitc" previously. It might do so on system-reboot.

They were not found in c:/windows/system32 but in
c:/documents and settings/user/local settings/temp

I could not locate any file with these names and the .dll-extension. I will send the files I've found to you for analysis.

/ Nelson
 
#11 ·
Boot up in Safe Mode again and open a CMD shell as before.

enter each line:

cd "c:\documents and settings\user\local settings"

You should now be at that prompt if you've reported the path correctly. Make sure you use backslashes and not forward slashes in that line and include the quotes.

enter:

rd /s temp

enter 'y' when prompted to remove temp and all its sub directories.

Run HijackThis from Safe Mode and verify the currently reported names of the dll's. Try to delete the registry entries for them again in Safe Mode.

Reboot and post a Startuplist as instructed previously (list minor sections is important)
 
#12 ·
I have now tried to remove the files, but with no success. They cannot be removed because they are used by another process.

The filenames still are:
iacnipg
uhzrhse

Anyway, here's my startup-list from Hijack-this:

StartupList report, 2003-09-23, 02:28:51
StartupList version: 1.52
Started from : D:\Temp\hijackthis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
D:\Temp\hijackthis\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
IMJPMIG8.1 = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
ICQ Lite = D:\Program\ICQLite\ICQLite.exe -minimize
RemoteControl = C:\WINDOWS\System32\rmctrl.exe
ccApp = "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe"
QD FastAndSafe =
iacnipg = rundll32 C:\WINDOWS\System32:iacnipg.dll,Init 1
uhzrhse = rundll32 C:\WINDOWS\System32:uhzrhse.dll,Init 1

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*iacnipg = rundll32 C:\WINDOWS\System32:iacnipg.dll,Init 1
*uhzrhse = rundll32 C:\WINDOWS\System32:uhzrhse.dll,Init 1

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = C:\WINDOWS\System32\ctfmon.exe
NVIEW = rundll32.exe nview.dll,nViewLoadHook

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

ICQ Lite = D:\Program\ICQLite\ICQLite.exe -trayboot

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\INF\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{306D6C21-C1B6-4629-986C-E59E1875B8AF}]
StubPath = "C:\WINDOWS\System32\rundll32.exe" "C:\Program\Messenger\msgsc.dll",ShowIconsUser

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\scrnsave.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - d:\program\AcrobatReader\Acrobat\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - D:\Program\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
NAV Helper - C:\Program\Norton SystemWorks\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Norton SystemWorks One Button Checkup.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37886.4834375

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\swflash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Windows NT/2000/XP services

AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Symantec Event Manager: "C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe" (autostart)
Symantec Proxy Service: C:\Program\Norton Internet Security\ccPxySvc.exe (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
ElbyCDIO Driver: System32\Drivers\ElbyCDIO.sys (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
GhostStartService: C:\Program\NORTON~1\NORTON~2\GHOSTS~2.EXE (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Norton AntiVirus Auto Protect Service: "C:\Program\Norton SystemWorks\Norton AntiVirus\navapsvc.exe" (autostart)
Norton Internet Security Accounts Manager: C:\Program\Norton Internet Security\NISUM.EXE (autostart)
Norton Unerase Protection: "C:\Program\Norton SystemWorks\Norton Utilities\NPROTECT.EXE" (autostart)
NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SAVRTPEL: \??\C:\WINDOWS\System32\Drivers\SAVRTPEL.SYS (autostart)
ScriptBlocking Service: C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secondary Logon Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Speed Disk service: C:\Program\NORTON~1\SPEEDD~1\nopdb.exe (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 10_620 bytes
Report generated in 0,170 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 
#13 ·
Ok, I see you have been using an old version of HijackThis, so not all the related registry entries were shown in the Scanlog.

Second, did you attempt to delete them in Safe Mode? I can't emphasize enough that any attempt to do so must be done there. If you didn't, that is why you are blocked by the "in use" error.

Download a new copy of HijackThis and use it in the future:

http://www.tomcoyote.org/hjt/

Shut down completely for 20 seconds before rebooting to make sure all memory is cleared. In Safe Mode run HijackThis and delete all references to those files you find. Then try to delete the files themselves again.

Run regedit and navigate to:

Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\RunOnce

And right click on and delete any entries in the right hand pane that you see except "default".

Post another Scanlog using the new version of HijackThis
 
#16 ·
I tried to remove the files after fixing them in Hijack-this, but it didn't work (used by other process). I was able to remove them from the registry, but once I started regedit once more they were back.

I will try the latest tip!

This is the new scanlog:
Logfile of HijackThis v1.97.2
Scan saved at 03:08:36, on 2003-09-23
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Suction Lord\Skrivbord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\program\AcrobatReader\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [ICQ Lite] D:\Program\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [iacnipg] rundll32 C:\WINDOWS\System32:iacnipg.dll,Init 1
O4 - HKLM\..\Run: [uhzrhse] rundll32 C:\WINDOWS\System32:uhzrhse.dll,Init 1
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKLM\..\RunOnce: [*iacnipg] rundll32 C:\WINDOWS\System32:iacnipg.dll,Init 1
O4 - HKLM\..\RunOnce: [*uhzrhse] rundll32 C:\WINDOWS\System32:uhzrhse.dll,Init 1
O4 - HKCU\..\RunOnce: [ICQ Lite] D:\Program\ICQLite\ICQLite.exe -trayboot
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://D:\Program\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java-konsol (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37886.4834375
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
#17 ·
Now I've tried

rundll32 c:\windows\system32:iacpnig.dll,uninstall
and
rundll32 c:\windows\system32:uhzrhse.dll,uninstall

both gave me the same error message:
"Error in c:\windows\system32:iacpnig.dll Post missing: Uninstall"
except that the filename wasn't the same in the other error message.

I have considered booting from a floppy and deleting them, but my drive is using NTFS which makes it impossible to detect the drive when booting in this mode.

Do you have more ideas how to solve this problem?
/ Nelson
 
#18 ·
Well, a couple of things. It would help to know what bloody process these are running under even in Safe Mode that is preventing them from being deleted. Never quite seen anything like it.

Assuming that it is Explorer, which is about the only thing I can think of that would run in Safe Mode and do this, we can try booting to a Safe Mode Command Prompt which does not load Explorer and deleting these files there. You will need to copy these command lines or print them exactly. When you have booted to the Safe Mode Command Prompt, type and enter each, accepting the prompts if the target is correct. First verify that the files exist under the same names by entering:

dir /s iacnipg
dir /s uhzrhse

(you won't be able to run HijackThis here to verify.)

Now assuming they are still there enter each line and accept the confirmation when prompted.

del c:\windows\system32\iacnipg
del c:\windows\system32\uhzrhse
reg delete hklm\software\microsoft\windows\currentversion\run /v iacnipg
reg delete hklm\software\microsoft\windows\currentversion\run /v uhzrhse
reg delete hklm\software\microsoft\windows\currentversion\runonce /v *iacnipg
reg delete hklm\software\microsoft\windows\currentversion\runonce /v *uhzrhse


Back at the ranch, after rebooting, download and run Process Explorer

Click on Search and enter those dll names and see what processes they associate with if they are still there.

http://www.sysinternals.com/ntw2k/utilities.shtml

be sure to get the spelling correct, I'm not sure you did in the last post.

>>> And remember Safe Mode Command Prompt is an entirely different boot option than Safe Mode.
 
#19 ·
By starting the computer in safe mode with a command prompt, opening the task manager and killing two rundll32 processes, I was finally able to delete the files and the registry entries. I have rebooted the system and they have not returned!

Thank you so very much for your help! I will now restart the system, connect to the internet and see if the spam-problem remains.

Regardless of the results I would like to thank you for your time and commitment!

/ Nelson

I post the latest Hijack this log as a bonus : )

Logfile of HijackThis v1.97.2
Scan saved at 04:09:08, on 2003-09-23
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\Program\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program\Norton Internet Security\NISUM.EXE
C:\Program\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\System32\rmctrl.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\regedit.exe
C:\Program\Messenger\msmsgs.exe
C:\Documents and Settings\Suction Lord\Skrivbord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\program\AcrobatReader\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [ICQ Lite] D:\Program\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\RunOnce: [ICQ Lite] D:\Program\ICQLite\ICQLite.exe -trayboot
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://D:\Program\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java-konsol (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37886.4834375
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
#20 ·
Outstanding. You say that in Safe Mode command prompt you could see the processes that weren't showing in the HijackThis Startuplist or Scanlog as Running Tasks?

By the way, I'd still recommend getting a hold of Process Explorer and learning its usages; quite a handy tool and free too, along with many others on that site.

We'll wait to put a resolved on this so as not to jinx you, but give us a final follow-up when you are confident we have seen the last of it.

And of course you're welcome for all our efforts here.
 
#21 ·
I think this was the case. I never saw any rundll32 processes when booting the system in "normal" mode. Maybe it was a case of the worm hiding the process so that it wouldn't be removed from the system. I don't know.

I have downloaded process viewer and I must say it seems like a great tool to have. I also like the Diamond CS Port Explorer, which is great for seeing network activity.

I have now been connected for about 30 minutes and I have not yet received a single warning message, so it all seems clear! Yeeee-hah!

Do you have any idea what lies behind this problem? I would be very much interested in the cause of all my misery. If there's anything I can do in helping out to understand this problem I'll do it!

Thank you again!
/ Nelson
 
#22 ·
I suspect you picked it up through ICQ somehow.

I'm still without an understanding of how the rundll32 process started even in Safe Mode Command prompt.

You might want to do some registry searches for those dlls and see what turns up. You can ignore anything associated with "mru" keys, they just represent old searches.

Also I would check the registry location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment

>> look in the right hand pane for PATHEXT

You should not see dll listed there; typically these are the only executable file extensions:

.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

When doing registry searches always start with the file tree completely collapsed and My Computer selected.
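Editor's note on the two points the thread leaves open. The autorun targets in the logs, `C:\WINDOWS\System32:uhzrhse.dll` and `C:\WINDOWS\System32:iacnipg.dll`, are NTFS alternate data stream (ADS) paths: the second colon names a stream attached to the System32 directory itself, not a file inside it. `dir /s`, Explorer and the `del c:\windows\system32\uhzrhse.dll` commands all work on ordinary directory entries and never see named streams, which is why the search in post #8 came up empty while rundll32 in post #17 still loaded the stream. The v1.97.2 log in post #16 also shows each `HKLM\..\Run` value twinned with an `HKLM\..\RunOnce` value whose name carries a leading `*`; Windows runs an asterisk-prefixed RunOnce value even in Safe Mode, which is one documented reason the entries kept coming back there. The script below, an added example and not code from the thread or from HijackThis, parses O4 lines in the 1.97.x format (copied from post #16, with the benign NVIDIA, Symantec and ICQ entries kept as controls) and flags the three patterns: an ADS target, a `*`-prefixed RunOnce value, and a Run/RunOnce pair with the same name, hive and command line. The regular expressions and the `triage` grouping are this example's own assumptions, not a HijackThis feature.

```python
"""Triage HijackThis O4 (autorun) lines for the persistence tricks seen in this thread.

Added example for this page; not code from the thread's posts or from HijackThis.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: O4 lines copied from the v1.97.2 log in post #16.
SAMPLE_O4_LINES = """\
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [ICQ Lite] D:\\Program\\ICQLite\\ICQLite.exe -minimize
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program\\Delade filer\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [iacnipg] rundll32 C:\\WINDOWS\\System32:iacnipg.dll,Init 1
O4 - HKLM\\..\\Run: [uhzrhse] rundll32 C:\\WINDOWS\\System32:uhzrhse.dll,Init 1
O4 - HKCU\\..\\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKLM\\..\\RunOnce: [*iacnipg] rundll32 C:\\WINDOWS\\System32:iacnipg.dll,Init 1
O4 - HKLM\\..\\RunOnce: [*uhzrhse] rundll32 C:\\WINDOWS\\System32:uhzrhse.dll,Init 1
O4 - HKCU\\..\\RunOnce: [ICQ Lite] D:\\Program\\ICQLite\\ICQLite.exe -trayboot
"""

# "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# drive:\path:stream -- a second colon after the drive letter is NTFS ADS syntax.
ADS_RE = re.compile(r"^(?P<host>[A-Za-z]:\\[^:]*):(?P<stream>[^\\/:]+)$")
# Split a command line into quoted and bare tokens.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


@dataclass
class O4Entry:
    hive: str
    key: str
    name: str
    cmd: str

    @property
    def base_name(self) -> str:
        # Strip the RunOnce '*' marker so Run/RunOnce twins compare equal.
        return self.name.lstrip("*").lower()

    @property
    def safe_mode_forced(self) -> bool:
        # An asterisk-prefixed RunOnce value is run even in Safe Mode.
        return self.key.lower() == "runonce" and self.name.startswith("*")


def parse_o4(text: str) -> list[O4Entry]:
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(O4Entry(m["hive"], m["key"], m["name"], m["cmd"]))
    return entries


def ads_targets(cmd: str) -> list[tuple[str, str]]:
    """Return (host_path, stream_name) for every ADS-style path on a command line.

    rundll32 takes 'dll,EntryPoint', so each token is cut at its first comma
    before matching; ordinary 'dir\\file.dll' paths have no second colon.
    """
    found = []
    for quoted, bare in TOKEN_RE.findall(cmd):
        tok = (quoted or bare).split(",", 1)[0]
        m = ADS_RE.match(tok)
        if m:
            found.append((m["host"], m["stream"]))
    return found


def triage(text: str) -> dict[str, list[str]]:
    """Group suspicious O4 value names by the persistence pattern they show."""
    findings = {"ads_target": [], "safe_mode_runonce": [], "run_runonce_pair": []}
    seen: dict[tuple[str, str, str], set[str]] = {}
    for e in parse_o4(text):
        if ads_targets(e.cmd):
            findings["ads_target"].append(e.name)
        if e.safe_mode_forced:
            findings["safe_mode_runonce"].append(e.name)
        # Same hive, same name and same command under both Run and RunOnce is
        # the re-seeding pair; ICQ Lite differs in hive and arguments, so it is not.
        seen.setdefault((e.hive, e.base_name, e.cmd.lower()), set()).add(e.key.lower())
    for (_, base, _), keys in seen.items():
        if {"run", "runonce"} <= keys:
            findings["run_runonce_pair"].append(base)
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for category, names in triage(SAMPLE_O4_LINES).items():
        print(f"{category}: {', '.join(names) or '-'}")
```

To confirm the stream on a live XP box, Sysinternals' `streams.exe` lists the named streams attached to a file or directory (`dir /r` only appeared in later Windows versions), which is the check `dir /s` cannot perform. Once the stream and the paired Run/RunOnce values are gone, the Running processes list should no longer show an orphan `rundll32.exe`.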
 